update tls configuration in helm chart (#900)

* update tls configuration in helm chart

* typo fix
This commit is contained in:
majinghe
2025-11-20 22:20:11 +08:00
committed by GitHub
parent 18cd9a8b46
commit 2b268fdd7f
6 changed files with 51 additions and 26 deletions

View File

@@ -1,8 +1,15 @@
# rustfs-helm
# RustFS Helm Mode
You can use this helm chart to deploy rustfs on k8s cluster. The chart supports standalone and distributed mode. For standalone mode, there is only one pod and one pvc; for distributed mode, there are two styles, 4 pods and 16 pvcs(each pod has 4 pvcs), 16 pods and 16 pvcs(each pod has 1 pvc). You should decide which mode and style suits for your situation. You can specify the parameters `mode` and `replicaCount` to install different mode and style.
RustFS helm chart supports **standalone and distributed mode**. For standalone mode, there is only one pod and one pvc; for distributed mode, there are two styles, 4 pods and 16 pvcs(each pod has 4 pvcs), 16 pods and 16 pvcs(each pod has 1 pvc). You should decide which mode and style suits for your situation. You can specify the parameters `mode` and `replicaCount` to install different mode and style.
## Parameters Overview
- **For standalone mode**: Only one pod and one pvc acts as single node single disk; Specify parameters `mode.standalone.enabled="true",mode.distributed.enabled="false"` to install.
- **For distributed mode**(**default**): Multiple pods and multiple pvcs, acts as multiple nodes multiple disks, there are two styles:
- 4 pods and each pods has 4 pvcs(**default**)
- 16 pods and each pods has 1 pvc: Specify parameters `replicaCount` with `--set replicaCount="16"` to install.
**NOTE**: Please make sure which mode suits for you situation and specify the right parameter to install rustfs on kubernetes.
# Parameters Overview
| parameter | description | default value |
| -- | -- | -- |
@@ -23,12 +30,16 @@ You can use this helm chart to deploy rustfs on k8s cluster. The chart supports
kubectl apply -f https://raw.githubusercontent.com/rancher/local-path-provisioner/v0.0.32/deploy/local-path-storage.yaml
```
# Installation
## Requirement
* Helm V3
* RustFS >= 1.0.0-alpha.68
* RustFS >= 1.0.0-alpha.69
## Installation
Due to the traefik and ingress has different session sticky/affinity annotations, and rustfs support both those two controller, you should specify parameter `ingress.className` to select the right one which suits for you.
## Installation with traekfik controller
If your ingress class is `traefik`, running the command:
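Review bot: The heading "Installation with traekfik controller" misspells traefik, and it is the heading users will search for. The sentence above it is also hard to parse; something like "Traefik and nginx use different session sticky/affinity annotations, so set `ingress.className` to the controller you run" says the same thing more directly.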
@@ -36,15 +47,15 @@ If your ingress class is `traefik`, running the command:
helm install rustfs -n rustfs --create-namespace ./ --set ingress.className="traefik"
```
## Installation with nginx controller
If your ingress class is `nginx`, running the command:
```
helm install rustfs -n rustfs --create-namespace ./ --set ingress.className="nginx"
```
> `traefik` or `nginx`, the different is the session sticky/affinity annotations.
**NOTE**: If you want to install standalone mode, specify the installation parameter `--set mode.standalone.enabled="true",mode.distributed.enabled="false"`; If you want to install distributed mode with 16 pods, specify the installation parameter `--set replicaCount="16"`.
# Installation check and rustfs login
Check the pod status
@@ -69,11 +80,26 @@ Access the rustfs cluster via `https://your.rustfs.com` with the default usernam
> Replace the `your.rustfs.com` with your own domain as well as the certificates.
## Uninstall
# TLS configuration
By default, tls is not enabled.If you want to enable tls(recommendated),you can follow below steps:
* Step 1: Certification generation
You can request cert and key from CA or use the self-signed cert(**not recommendated on prod**),and put those two files(eg, `tls.crt` and `tls.key`) under some directory on server, for example `tls` directory.
* Step 2: Certification specifying
You should use `--set-file` parameter when running `helm install` command, for example, running the below command can enable ingress tls and generate tls secret:
```
helm install rustfs rustfs/rustfs -n rustfs --set tls.enabled=true,--set-file tls.crt=./tls.crt,--set-file tls.key=./tls.key
```
# Uninstall
Uninstalling the rustfs installation with command,
```
helm uninstall rustfs -n rustfs
```
```
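Review bot: The example command in Step 2 will not parse as written, because the commas glue `--set-file` onto the `--set` value and Helm receives `tls.enabled=true,--set-file` as a single `--set` argument. Separate the flags with spaces: `--set tls.enabled=true --set-file tls.crt=./tls.crt --set-file tls.key=./tls.key`. Step 1 also tells the reader to put the files in a `tls` directory while the command reads `./tls.crt` and `./tls.key` from the current directory, so the two steps should agree on one location. "recommendated" should be "recommended" in both places, and the closing code fence after the uninstall command appears twice.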

View File

@@ -15,10 +15,10 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 1.0.0
version: 1.0.0-alpha.69
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.16.0"
appVersion: "1.0.0-alpha.69"
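Review bot: `version: 1.0.0-alpha.69` sits next to `version: 1.0.0`, and under the Semantic Versioning rule cited in the comment above a pre-release sorts below its release, so this reads as a downgrade of the chart version. If chart 1.0.0 was ever published, clients resolving the latest version will keep picking it, and Helm skips pre-release chart versions unless `--devel` or an explicit `--version` is passed. Please confirm that is intended, and consider noting the required flag in the README install commands.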

View File

@@ -1,10 +1,10 @@
{{- if .Values.ingress.enabled }}
{{- if .Values.tls.enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "rustfs.fullname" . }}-tls
type: Opaque
type: kubernetes.io/tls
data:
tls.crt : {{ .Files.Get "tls/tls.crt" | b64enc | quote }}
tls.key : {{ .Files.Get "tls/tls.key" | b64enc | quote }}
{{- end }}
tls.crt : {{ .Values.tls.crt | b64enc | quote }}
tls.key : {{ .Values.tls.key | b64enc | quote }}
{{- end }}
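Review bot: The Secret is named `{{ include "rustfs.fullname" . }}-tls`, while the ingress values in this same commit reference `secretName: rustfs-tls`; the two match only when the fullname renders as `rustfs`. With a different release name or a name override the ingress would point at a Secret that does not exist and TLS would not be served with the intended certificate. Suggest having the ingress template derive the secret name from the same helper, or exposing a single value that both templates read. The condition also moved from `.Values.ingress.enabled` to `.Values.tls.enabled`, so please check that the ingress `tls:` section is gated on the same flag.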

View File

@@ -1,3 +0,0 @@
-----BEGIN CERTIFICATE-----
Input your crt content.
-----END CERTIFICATE-----

View File

@@ -1,3 +0,0 @@
-----BEGIN PRIVATE KEY-----
Input your private key.
-----END PRIVATE KEY-----

View File

@@ -80,7 +80,7 @@ service:
# This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/
ingress:
enabled: true
className: "" # Specify the classname, traefik or nginx. Different classname has different annotations for session sticky.
className: "traefik" # Specify the classname, traefik or nginx. Different classname has different annotations for session sticky.
traefikAnnotations:
traefik.ingress.kubernetes.io/service.sticky.cookie: "true"
traefik.ingress.kubernetes.io/service.sticky.cookie.httponly: "true"
@@ -101,7 +101,12 @@ ingress:
tls:
- secretName: rustfs-tls
hosts:
- xmg.rustfs.com
- your.rustfs.com
tls:
enabled: false
crt: tls.crt
key: tls.key
resources:
# We usually recommend not to specify default resources and to leave this as a conscious
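Review bot: The defaults `crt: tls.crt` and `key: tls.key` are literal strings, not file contents, so `--set tls.enabled=true` without the two `--set-file` flags makes the Secret template base64-encode the text "tls.crt" and "tls.key" and create a `kubernetes.io/tls` Secret with no usable certificate. Suggest defaulting both to an empty string and wrapping the template values in `required` so a missing certificate fails at render time. It is also worth a line in the README that a key passed through `--set-file` is stored with the release values in the cluster, so users who manage certificates elsewhere may prefer to reference an existing Secret.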