6928221b56
Signed-off-by: Arthur Darcet <arthur.darcet@mistral.ai> Co-authored-by: majinghe <42570491+majinghe@users.noreply.github.com> Co-authored-by: houseme <housemecn@gmail.com>
RustFS Helm Mode
RustFS helm chart supports standalone and distributed mode. For standalone mode, there is only one pod and one pvc; for distributed mode, there are two styles, 4 pods and 16 pvcs(each pod has 4 pvcs), 16 pods and 16 pvcs(each pod has 1 pvc). You should decide which mode and style suits for your situation. You can specify the parameters mode and replicaCount to install different mode and style.
- For standalone mode: Only one pod and one pvc acts as single node single disk; Specify parameters
mode.standalone.enabled="true",mode.distributed.enabled="false"to install. - For distributed mode(default): Multiple pods and multiple pvcs, acts as multiple nodes multiple disks, there are two styles:
- 4 pods and each pods has 4 pvcs(default)
- 16 pods and each pods has 1 pvc: Specify parameters
replicaCountwith--set replicaCount="16"to install.
NOTE: Please make sure which mode suits for you situation and specify the right parameter to install rustfs on kubernetes.
Parameters Overview
| Parameter | Type | Default value | Description |
|---|---|---|---|
| affinity.nodeAffinity | object | {} |
|
| affinity.podAntiAffinity.enabled | bool | true |
|
| affinity.podAntiAffinity.topologyKey | string | "kubernetes.io/hostname" |
|
| commonLabels | object | {} |
Labels to add to all deployed objects. |
| config.rustfs.address | string | ":9000" |
|
| config.rustfs.console_address | string | ":9001" |
|
| config.rustfs.console_enable | string | "true" |
|
| config.rustfs.log_level | string | "debug" |
|
| config.rustfs.obs_environment | string | "develop" |
|
| config.rustfs.obs_log_directory | string | "/logs" |
|
| config.rustfs.region | string | "us-east-1" |
|
| config.rustfs.rust_log | string | "debug" |
|
| config.rustfs.volumes | string | "" |
|
| containerSecurityContext.capabilities.drop[0] | string | "ALL" |
|
| containerSecurityContext.readOnlyRootFilesystem | bool | true |
|
| containerSecurityContext.runAsNonRoot | bool | true |
|
| enableServiceLinks | bool | false |
|
| extraManifests | list | [] |
List of additional k8s manifests. |
| fullnameOverride | string | "" |
|
| image.pullPolicy | string | "IfNotPresent" |
|
| image.repository | string | "rustfs/rustfs" |
RustFS docker image repository. |
| image.tag | string | "latest" |
The tag for rustfs docker image. |
| imagePullSecrets | list | [] |
A List of secrets to pull image from private registry. |
| imageRegistryCredentials.email | string | "" |
The email to pull rustfs image from private registry. |
| imageRegistryCredentials.enabled | bool | false |
To indicate whether pull image from private registry. |
| imageRegistryCredentials.password | string | "" |
The password to pull rustfs image from private registry. |
| imageRegistryCredentials.registry | string | "" |
Private registry url to pull rustfs image. |
| imageRegistryCredentials.username | string | "" |
The username to pull rustfs image from private registry. |
| ingress.className | string | "traefik" |
Specify the ingress class, traefik or nginx. |
| ingress.enabled | bool | true |
|
| ingress.hosts[0].host | string | "example.rustfs.com" |
|
| ingress.hosts[0].paths[0].path | string | "/" |
|
| ingress.hosts[0].paths[0].pathType | string | "ImplementationSpecific" |
|
| ingress.nginxAnnotations."nginx.ingress.kubernetes.io/affinity" | string | "cookie" |
|
| ingress.nginxAnnotations."nginx.ingress.kubernetes.io/session-cookie-expires" | string | "3600" |
|
| ingress.nginxAnnotations."nginx.ingress.kubernetes.io/session-cookie-hash" | string | "sha1" |
|
| ingress.nginxAnnotations."nginx.ingress.kubernetes.io/session-cookie-max-age" | string | "3600" |
|
| ingress.nginxAnnotations."nginx.ingress.kubernetes.io/session-cookie-name" | string | "rustfs" |
|
| ingress.customAnnotations | dict | {} |
Customize annotations. |
| ingress.traefikAnnotations."traefik.ingress.kubernetes.io/service.sticky.cookie" | string | "true" |
|
| ingress.traefikAnnotations."traefik.ingress.kubernetes.io/service.sticky.cookie.httponly" | string | "true" |
|
| ingress.traefikAnnotations."traefik.ingress.kubernetes.io/service.sticky.cookie.name" | string | "rustfs" |
|
| ingress.traefikAnnotations."traefik.ingress.kubernetes.io/service.sticky.cookie.samesite" | string | "none" |
|
| ingress.traefikAnnotations."traefik.ingress.kubernetes.io/service.sticky.cookie.secure" | string | "true" |
|
| ingress.tls.enabled | bool | false |
Enable tls and access rustfs via https. |
| ingress.tls.certManager.enabled | string | false |
Enable cert manager support to generate certificate automatically. |
| ingress.tls.crt | string | "" | The content of certificate file. |
| ingress.tls.key | string | "" | The content of key file. |
| livenessProbe.failureThreshold | int | 3 |
|
| livenessProbe.httpGet.path | string | "/health" |
|
| livenessProbe.httpGet.port | string | "endpoint" |
|
| livenessProbe.initialDelaySeconds | int | 10 |
|
| livenessProbe.periodSeconds | int | 5 |
|
| livenessProbe.successThreshold | int | 1 |
|
| livenessProbe.timeoutSeconds | int | 3 |
|
| mode.distributed.enabled | bool | true |
RustFS distributed mode support, namely multiple pod multiple pvc. |
| mode.standalone.enabled | bool | false |
RustFS standalone mode support, namely one pod one pvc. |
| nameOverride | string | "" |
|
| nodeSelector | object | {} |
|
| pdb.create | bool | false |
Enable/disable a Pod Disruption Budget creation |
| pdb.maxUnavailable | string | 1 |
|
| pdb.minAvailable | string | "" |
|
| podAnnotations | object | {} |
|
| podLabels | object | {} |
|
| podSecurityContext.fsGroup | int | 10001 |
|
| podSecurityContext.runAsGroup | int | 10001 |
|
| podSecurityContext.runAsUser | int | 10001 |
|
| readinessProbe.failureThreshold | int | 3 |
|
| readinessProbe.httpGet.path | string | "/health" |
|
| readinessProbe.httpGet.port | string | "endpoint" |
|
| readinessProbe.initialDelaySeconds | int | 30 |
|
| readinessProbe.periodSeconds | int | 5 |
|
| readinessProbe.successThreshold | int | 1 |
|
| readinessProbe.timeoutSeconds | int | 3 |
|
| replicaCount | int | 4 |
Number of cluster nodes. |
| resources.limits.cpu | string | "200m" |
|
| resources.limits.memory | string | "512Mi" |
|
| resources.requests.cpu | string | "100m" |
|
| resources.requests.memory | string | "128Mi" |
|
| secret.existingSecret | string | "" |
Use existing secret with a credentials. |
| secret.rustfs.access_key | string | "rustfsadmin" |
RustFS Access Key ID |
| secret.rustfs.secret_key | string | "rustfsadmin" |
RustFS Secret Key ID |
| service.type | string | "NodePort" |
|
| service.console.nodePort | int | 32001 |
|
| service.console.port | int | 9001 |
|
| service.endpoint.nodePort | int | 32000 |
|
| service.endpoint.port | int | 9000 |
|
| serviceAccount.annotations | object | {} |
|
| serviceAccount.automount | bool | true |
|
| serviceAccount.create | bool | true |
|
| serviceAccount.name | string | "" |
|
| storageclass.dataStorageSize | string | "256Mi" |
The storage size for data PVC. |
| storageclass.logStorageSize | string | "256Mi" |
The storage size for logs PVC. |
| storageclass.name | string | "local-path" |
The name for StorageClass. |
| tolerations | list | [] |
|
| gatewayApi.enabled | bool | false |
To enable/disable gateway api support. |
| gatewayApi.gatewayClass | string | traefik |
Gateway class implementation. |
| gatewayApi.hostname | string | Hostname to access RustFS via gateway api. | |
| gatewayApi.secretName | string | Secret tls to via RustFS using HTTPS. | |
| gatewayApi.existingGateway.name | string | "" |
The existing gateway name, instead of creating a new one. |
| gatewayApi.existingGateway.namespace | string | "" |
The namespace of the existing gateway, if not the local namespace. |
NOTE:
The chart pulls the rustfs image from Docker Hub by default. For private registries, provide either:
-
Existing secrets: Set
imagePullSecretswith an array of secret namesimagePullSecrets: - name: my-existing-secret -
Auto-generated secret: Enable
imageRegistryCredentials.enabled: trueand specify credentials plus your image detailsimageRegistryCredentials: enabled: true registry: myregistry.com username: myuser password: mypass email: user@example.com
Both approaches support pulling from private registries seamlessly and you can also combine them.
-
The chart default pull rustfs image from dockerhub, if your rustfs image stores in private registry, you can use either existing image Pull secrets with parameter
imagePullSecretsor create one settingimageRegistryCredentials.enabledtotrue,and then specify theimageRegistryCredentials.registry/username/password/emailas well asimage.repository,image.tagto pull rustfs image from your private registry. -
The default storageclass is
local-path,if you want to specify your own storageclass, try to set parameterstorageclass.name. -
The default size for data and logs dir is 256Mi which must satisfy the production usage,you should specify
storageclass.dataStorageSizeandstorageclass.logStorageSizeto change the size, for example, 1Ti for data and 1Gi for logs.
Installation
Requirement
- Helm V3
- RustFS >= 1.0.0-alpha.69
Due to the traefik and ingress has different session sticky/affinity annotations, and rustfs support both those two controller, you should specify parameter ingress.className to select the right one which suits for you.
Installation with traefik controller
If your ingress class is traefik, running the command:
helm install rustfs -n rustfs --create-namespace ./ --set ingress.className="traefik"
Installation with nginx controller
If your ingress class is nginx, running the command:
helm install rustfs -n rustfs --create-namespace ./ --set ingress.className="nginx"
Installation check and rustfs login
Check the pod status
kubectl -n rustfs get pods -w
NAME READY STATUS RESTARTS AGE
rustfs-0 1/1 Running 0 2m27s
rustfs-1 1/1 Running 0 2m27s
rustfs-2 1/1 Running 0 2m27s
rustfs-3 1/1 Running 0 2m27s
Check the ingress status
kubectl -n rustfs get ing
NAME CLASS HOSTS ADDRESS PORTS AGE
rustfs nginx example.rustfs.com 10.43.237.152 80, 443 29m
Access the rustfs cluster via https://example.rustfs.com with the default username and password rustfsadmin.
Replace the
example.rustfs.comwith your own domain as well as the certificates.
TLS configuration
By default, tls is not enabled. If you want to enable tls(recommendated),you can follow below steps:
- Step 1: Certification generation
You can request cert and key from CA or use the self-signed cert(not recommendated on prod), and put those two files(eg, tls.crt and tls.key) under some directory on server, for example tls directory.
- Step 2: Certification specifying
You should use --set-file parameter when running helm install command, for example, running the below command can enable ingress tls and generate tls secret:
helm install rustfs rustfs/rustfs -n rustfs --set tls.enabled=true,--set-file tls.crt=./tls.crt,--set-file tls.key=./tls.key
Gateway API support (alpha)
Due to ingress nginx retirement in March 2026, so RustFS adds support for gateway api. Currently, RustFS only supports traefik as gateway class, more and more gateway class support will be added in the future after those classes are tested. If you want to enable gateway api, specify gatewayApi.enabled to true while specify ingress.enabled to false. After installation, you can find the Gateway and HttpRoute resources,
$ kubectl -n rustfs get gateway
NAME CLASS ADDRESS PROGRAMMED AGE
rustfs-gateway traefik True 169m
$ kubectl -n rustfs get httproute
NAME HOSTNAMES AGE
rustfs-route ["example.rustfs.com"] 172m
Then, via RustFS instance via https://example.rustfs.com or http://example.rustfs.com.
Uninstall
Uninstalling the rustfs installation with command,
helm uninstall rustfs -n rustfs