add cert manager and ingress annotations support (#1206)

README.md

@@ -103,7 +103,7 @@ The RustFS container runs as a non-root user `rustfs` (UID `10001`). If you run
  docker run -d -p 9000:9000 -p 9001:9001 -v $(pwd)/data:/data -v $(pwd)/logs:/logs rustfs/rustfs:latest
 
  # Using specific version
- docker run -d -p 9000:9000 -p 9001:9001 -v $(pwd)/data:/data -v $(pwd)/logs:/logs rustfs/rustfs:1.0.0.alpha.68
+ docker run -d -p 9000:9000 -p 9001:9001 -v $(pwd)/data:/data -v $(pwd)/logs:/logs rustfs/rustfs:1.0.0-alpha.76
 ```
 
 You can also use Docker Compose. Using the `docker-compose.yml` file in the root directory:

helm/README.md

@@ -52,13 +52,17 @@ RustFS helm chart supports **standalone and distributed mode**. For standalone m
 | ingress.nginxAnnotations."nginx.ingress.kubernetes.io/session-cookie-hash" | string | `"sha1"` |  |
 | ingress.nginxAnnotations."nginx.ingress.kubernetes.io/session-cookie-max-age" | string | `"3600"` |  |
 | ingress.nginxAnnotations."nginx.ingress.kubernetes.io/session-cookie-name" | string | `"rustfs"` |  |
-| ingress.tls[0].hosts[0] | string | `"your.rustfs.com"` |  |
-| ingress.tls[0].secretName | string | `"rustfs-tls"` |  |
 | ingress.traefikAnnotations."traefik.ingress.kubernetes.io/service.sticky.cookie" | string | `"true"` |  |
 | ingress.traefikAnnotations."traefik.ingress.kubernetes.io/service.sticky.cookie.httponly" | string | `"true"` |  |
 | ingress.traefikAnnotations."traefik.ingress.kubernetes.io/service.sticky.cookie.name" | string | `"rustfs"` |  |
 | ingress.traefikAnnotations."traefik.ingress.kubernetes.io/service.sticky.cookie.samesite" | string | `"none"` |  |
 | ingress.traefikAnnotations."traefik.ingress.kubernetes.io/service.sticky.cookie.secure" | string | `"true"` |  |
+| ingress.tls.enabled | bool | `false` | Enable tls and access rustfs via https. |
+| ingress.tls.certManager.enabled | string | `false` | Enable cert manager support to generate certificate automatically. |
+| ingress.tls.certManager.issuer.name | string | `false` | The name of cert manager issuer. |
+| ingress.tls.certManager.issuer.kind | string | `false` | The kind of cert manager issuer, issuer or cluster-issuer. |
+| ingress.tls.crt | string | "" | The content of certificate file. |
+| ingress.tls.key | string | "" | The content of key file. |
 | livenessProbe.failureThreshold | int | `3` |  |
 | livenessProbe.httpGet.path | string | `"/health"` |  |
 | livenessProbe.httpGet.port | string | `"endpoint"` |  |
@@ -100,9 +104,6 @@ RustFS helm chart supports **standalone and distributed mode**. For standalone m
 | storageclass.dataStorageSize | string | `"256Mi"` | The storage size for data PVC. |
 | storageclass.logStorageSize | string | `"256Mi"` | The storage size for logs PVC. |
 | storageclass.name | string | `"local-path"` | The name for StorageClass. |
-| tls.crt | string | `"tls.crt"` |  |
-| tls.enabled | bool | `false` |  |
-| tls.key | string | `"tls.key"` |  |
 | tolerations | list | `[]` |  |
 
 ---

helm/rustfs/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.3
+version: 0.0.76
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

helm/rustfs/templates/certificate.yml

@@ -0,0 +1,15 @@
+{{- if and .Values.ingress.tls.enabled .Values.ingress.tls.certManager.enabled }}
+{{- $host := index .Values.ingress.hosts 0 }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "rustfs.fullname" . }}-tls
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretName: {{ .Values.ingress.tls.secretName }}
+  issuerRef:
+    name: {{ .Values.ingress.tls.certManager.issuer.name }}
+    kind: {{ .Values.ingress.tls.certManager.issuer.kind }}
+  dnsNames:
+    - {{ $host.host }}
+{{- end }}

helm/rustfs/templates/ingress.yaml

@@ -1,4 +1,14 @@
 {{- if .Values.ingress.enabled -}}
+{{- $secretName := .Values.ingress.tls.secretName }}
+{{- $ingressAnnotations := dict }}
+{{- if eq .Values.ingress.className "nginx" }}
+  {{- $ingressAnnotations = merge $ingressAnnotations (.Values.ingress.nginxAnnotations | default dict) }}
+{{- else if eq .Values.ingress.className "" }}
+  {{- $ingressAnnotations = merge $ingressAnnotations (.Values.ingress.customAnnoations | default dict) }}
+{{- end }}
+{{- if .Values.ingress.tls.certManager.enabled }}
+  {{- $ingressAnnotations = merge $ingressAnnotations (.Values.ingress.certManagerAnnotations | default dict) }}
+{{- end }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -8,25 +18,23 @@ metadata:
     {{- with .Values.commonLabels }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
-  {{- if eq .Values.ingress.className "nginx" }}
-  {{- with .Values.ingress.nginxAnnotations }}
+  {{- with $ingressAnnotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
-  {{- end }}
 spec:
   {{- with .Values.ingress.className }}
   ingressClassName: {{ . }}
   {{- end }}
-  {{- if .Values.tls.enabled }}
+  {{- if .Values.ingress.tls.enabled }}
   tls:
-    {{- range .Values.ingress.tls }}
+    {{- range .Values.ingress.hosts }}
     - hosts:
         {{- range .hosts }}
         - {{ . | quote }}
         {{- end }}
-      secretName: {{ .secretName }}
     {{- end }}
+      secretName: {{ $secretName }}
   {{- end }}
   rules:
     {{- range .Values.ingress.hosts }}

helm/rustfs/templates/secret-tls.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.tls.enabled }}
+{{- if and .Values.ingress.tls.enabled (not .Values.ingress.tls.certManager.enabled) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,6 +7,6 @@ metadata:
     {{- toYaml .Values.commonLabels | nindent 4 }}
 type: kubernetes.io/tls
 data:
-  tls.crt : {{ .Values.tls.crt | b64enc | quote }}
-  tls.key : {{ .Values.tls.key | b64enc | quote }}
+  tls.crt : {{ .Values.ingress.tls.crt | b64enc | quote }}
+  tls.key : {{ .Values.ingress.tls.key | b64enc | quote }}
 {{- end }}

helm/rustfs/values.yaml

@@ -11,7 +11,7 @@ image:
   # This sets the pull policy for images.
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  tag: "latest"
+  tag: "1.0.0-alpha.73"
 
 # This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
 imagePullSecrets: []
@@ -97,7 +97,7 @@ service:
 # This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/
 ingress:
   enabled: true
-  className: "traefik" # Specify the classname, traefik or nginx. Different classname has different annotations for session sticky.
+  className: "nginx" # Specify the classname, traefik or nginx. Different classname has different annotations for session sticky.
   traefikAnnotations:
     traefik.ingress.kubernetes.io/service.sticky.cookie: "true"
     traefik.ingress.kubernetes.io/service.sticky.cookie.httponly: "true"
@@ -110,20 +110,26 @@ ingress:
     nginx.ingress.kubernetes.io/session-cookie-hash: sha1
     nginx.ingress.kubernetes.io/session-cookie-max-age: "3600"
     nginx.ingress.kubernetes.io/session-cookie-name: rustfs
+  certManagerAnnotations:
+    {} # Specify cert manager issuer annotations,cert-manager.io/issuer or cert-manager.io/cluster-issuer.
+    # cert-manager.io/issuer: "letsencrypt-staging"
+  customAnnotations: # Specify custom annotations
+    {} # Customize annotations
   hosts:
-    - host: your.rustfs.com
+    - host: xmg.rustfs.com
       paths:
         - path: /
-          pathType: ImplementationSpecific
-  tls:
-    - secretName: rustfs-tls
-      hosts:
-        - your.rustfs.com
-
-tls:
-  enabled: false
-  crt: tls.crt
-  key: tls.key
+          pathType: Prefix
+  tls: 
+    enabled: false # Enable tls and access rustfs via https.
+    certManager:
+      enabled: false # Enable certmanager to generate certificate for rustfs, default false.
+      issuer:
+        name: letsencrypt-staging # Specify cert manager issuer name
+        kind: Issuer # Specify cert manager issuer kind, Issuer or ClusterIssuer.
+    secretName: secret-tls
+    crt: tls.crt
+    key: tls.key
 
 resources:
   # We usually recommend not to specify default resources and to leave this as a conscious