s3proxy: ship as helm chart
This commit is contained in:
parent
afbe17b796
commit
8ebd813480
9
.github/actions/e2e_s3proxy/action.yml
vendored
9
.github/actions/e2e_s3proxy/action.yml
vendored
@ -56,14 +56,7 @@ runs:
|
||||
AWS_ACCESS_KEY_ID: ${{ inputs.s3AccessKey }}
|
||||
AWS_SECRET_ACCESS_KEY: ${{ inputs.s3SecretKey }}
|
||||
run: |
|
||||
sed -i "s|AWS_ACCESS_KEY_ID: \"replaceme\"|AWS_ACCESS_KEY_ID: \"${AWS_ACCESS_KEY_ID}\"|g" s3proxy/deploy/deployment-s3proxy.yaml
|
||||
sed -i "s|AWS_SECRET_ACCESS_KEY: \"replaceme\"|AWS_SECRET_ACCESS_KEY: \"${AWS_SECRET_ACCESS_KEY}\"|g" s3proxy/deploy/deployment-s3proxy.yaml
|
||||
|
||||
sed -i "s|image: ghcr.io/edgelesssys/constellation/s3proxy:v.*|image: \"${S3_PROXY_IMAGE}\"|g" s3proxy/deploy/deployment-s3proxy.yaml
|
||||
|
||||
yq eval -i '(select(.spec.template.spec.containers.[].name == "s3proxy").spec.template.spec.containers.[].args) = ["--level=-1","--allow-multipart"]' s3proxy/deploy/deployment-s3proxy.yaml
|
||||
|
||||
kubectl apply -f s3proxy/deploy/deployment-s3proxy.yaml
|
||||
helm install s3proxy --set awsAccessKeyID="$AWS_ACCESS_KEY_ID" --set awsSecretAccessKey="$AWS_SECRET_ACCESS_KEY" --set image="$S3_PROXY_IMAGE" --set allowMultipart=true s3proxy/deploy/s3proxy
|
||||
|
||||
- name: Run mint
|
||||
shell: bash
|
||||
|
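Review bot: The new `helm install` line passes both AWS credentials with `--set`, which type-coerces values and splits on commas, so a key that happens to look numeric or contain a comma would be mangled; `--set-string awsAccessKeyID="$AWS_ACCESS_KEY_ID" --set-string awsSecretAccessKey="$AWS_SECRET_ACCESS_KEY"` keeps them verbatim. Either way the values are persisted in the Helm release Secret and shown by `helm get values`, which is the same in-cluster exposure the removed sed-patched manifest had, so not a regression, but a one-line comment above the install noting that the credentials live in the release state would help the next reader. Both the old `kubectl apply` and the new install return before the pod is serving; if the following `Run mint` step expects a reachable proxy, adding `--wait` to the install closes that race. The `run:` step is complete inside the hunk, but the enclosing job and the start of its `env:` block are outside it.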
10
.github/workflows/release.yml
vendored
10
.github/workflows/release.yml
vendored
@ -175,6 +175,14 @@ jobs:
|
||||
# Update version.
|
||||
sed -i "s/${defaultVersionReg}/defaultImage = \"${VERSION}\"/" internal/config/image_enterprise.go
|
||||
git add internal/config/image_enterprise.go
|
||||
|
||||
- name: Update s3proxy Chart version
|
||||
run: |
|
||||
yq eval -i ".version = \"$WITHOUT_V\"" s3proxy/deploy/s3proxy/Chart.yaml
|
||||
yq eval -i ".image = \"ghcr.io/edgelesssys/constellation/s3proxy:$VERSION\"" s3proxy/deploy/s3proxy/values.yaml
|
||||
|
||||
git add s3proxy/deploy/s3proxy/Chart.yaml
|
||||
|
||||
- name: Commit
|
||||
run: |
|
||||
git config --global user.name "edgelessci"
|
||||
@ -182,7 +190,7 @@ jobs:
|
||||
if git diff-index --quiet HEAD --; then
|
||||
echo "No changes to commit"
|
||||
else
|
||||
git commit -m "deps: update images to ${VERSION}"
|
||||
git commit -m "deps: update versions to ${VERSION}"
|
||||
git push
|
||||
fi
|
||||
|
||||
|
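Review bot: In the first hunk the new step runs `yq` against both `Chart.yaml` and `values.yaml` but only stages `s3proxy/deploy/s3proxy/Chart.yaml`; the later `git commit -m "deps: update versions to ${VERSION}"` in the second hunk commits staged changes only, so the image bump in values.yaml would be left behind unless something outside these hunks stages it. The fix is `git add s3proxy/deploy/s3proxy/Chart.yaml s3proxy/deploy/s3proxy/values.yaml`. `$WITHOUT_V` and `$VERSION` are defined outside the hunk; if either were empty, yq would happily write an empty version string, so a guard such as `test -n "$WITHOUT_V" && test -n "$VERSION"` at the top of the step is cheap insurance. The job this step belongs to starts outside the hunk.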
@ -20,12 +20,12 @@ If you want to use s3proxy but these limitations stop you from doing so, conside
|
||||
You can add the s3proxy to your Constellation cluster as follows:
|
||||
1. Download the deployment manifest:
|
||||
```bash
|
||||
wget https://raw.githubusercontent.com/edgelesssys/constellation/main/s3proxy/deploy/deployment-s3proxy.yaml
|
||||
git clone --depth=1 git@github.com:edgelesssys/constellation.git
|
||||
```
|
||||
2. Replace the values named `replaceme` in `deployment-s3proxy.yaml` with valid AWS credentials. These credentials are used by s3proxy to access your S3 buckets.
|
||||
2. Set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to valid credentials you want s3proxy to use to interact with S3. Inspect `constellation/s3proxy/deploy/s3proxy/values.yaml` to learn about available deployment options.
|
||||
3. Deploy s3proxy:
|
||||
```bash
|
||||
kubectl apply -f deployment-s3proxy.yaml
|
||||
helm install s3proxy --set awsAccessKeyID="$AWS_ACCESS_KEY_ID" --set awsSecretAccessKey="$AWS_SECRET_ACCESS_KEY" ./constellation/s3proxy/deploy/s3proxy
|
||||
```
|
||||
|
||||
If you want to run a demo application, check out the [Filestash with s3proxy](../getting-started/examples/filestash-s3proxy.md) example.
|
||||
|
@ -5,11 +5,9 @@ The VPN is a feature of Constellation and will not be present by default in othe
|
||||
|
||||
Disclaimer: the following steps will be automated next.
|
||||
|
||||
- Within `constellation/build`: `bazel run //:devbuild`
|
||||
- Copy the container name displayed for the s3proxy image. Look for the line starting with `[@//bazel/release:s3proxy_push]`.
|
||||
- Replace the image key in `deployment-s3proxy.yaml` with the image value you just copied. Use the sha256 hash instead of the tag to make sure you use the latest image.
|
||||
- Replace the `replaceme` values with valid AWS credentials. The s3proxy uses those credentials to access S3.
|
||||
- Run `kubectl apply -f deployment-s3proxy.yaml`
|
||||
- Run `bazel run //bazel/release:s3proxy_push`
|
||||
- Set `IMAGE` to the newly built s3proxy image.
|
||||
- `helm install s3proxy --set awsAccessKeyID="$AWS_ACCESS_KEY_ID" --set awsSecretAccessKey="$AWS_SECRET_ACCESS_KEY" --set image="$IMAGE" ./s3proxy`
|
||||
|
||||
# Deploying Filestash
|
||||
|
||||
|
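--- /dev/null
+++ b/s3proxy/deploy/s3proxy/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/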
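--- /dev/null
+++ b/s3proxy/deploy/s3proxy/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: s3proxy
+description: Helm chart to deploy s3proxy.
+type: application
+version: 0.0.0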
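Review bot: The chart declares `version: 0.0.0` but no `appVersion`, so `helm list` cannot show which s3proxy build a release is running; the release workflow in this commit rewrites `.version` and the image tag in values.yaml, so it is the natural place to bump `appVersion` too. Suggest adding `appVersion: "0.0.0"` (quoted so yq and YAML loaders keep it a string) and setting it from the same workflow step that sets `.version`.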
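--- /dev/null
+++ b/s3proxy/deploy/s3proxy/templates/certificate.yaml
@@ -0,0 +1,47 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: selfsigned-ca
+namespace: {{ .Release.Namespace }}
+labels:
+app: s3proxy
+spec:
+isCA: true
+commonName: s3proxy-selfsigned-ca
+secretName: s3proxy-tls
+privateKey:
+algorithm: ECDSA
+size: 256
+dnsNames:
+- "s3.us-east-1.amazonaws.com"
+- "s3.us-east-2.amazonaws.com"
+- "s3.us-west-1.amazonaws.com"
+- "s3.us-west-2.amazonaws.com"
+- "s3.eu-north-1.amazonaws.com"
+- "s3.eu-south-1.amazonaws.com"
+- "s3.eu-south-2.amazonaws.com"
+- "s3.eu-west-1.amazonaws.com"
+- "s3.eu-west-2.amazonaws.com"
+- "s3.eu-west-3.amazonaws.com"
+- "s3.eu-central-1.amazonaws.com"
+- "s3.eu-central-2.amazonaws.com"
+- "s3.ap-northeast-1.amazonaws.com"
+- "s3.ap-northeast-2.amazonaws.com"
+- "s3.ap-northeast-3.amazonaws.com"
+- "s3.ap-east-1.amazonaws.com"
+- "s3.ap-southeast-1.amazonaws.com"
+- "s3.ap-southeast-2.amazonaws.com"
+- "s3.ap-southeast-3.amazonaws.com"
+- "s3.ap-southeast-4.amazonaws.com"
+- "s3.ap-south-1.amazonaws.com"
+- "s3.ap-south-2.amazonaws.com"
+- "s3.me-south-1.amazonaws.com"
+- "s3.me-central-1.amazonaws.com"
+- "s3.il-central-1.amazonaws.com"
+- "s3.af-south-1.amazonaws.com"
+- "s3.ca-central-1.amazonaws.com"
+- "s3.sa-east-1.amazonaws.com"
+issuerRef:
+name: selfsigned-issuer
+kind: Issuer
+group: cert-manager.io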
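Review bot: The certificate is `isCA: true`, yet its `secretName: s3proxy-tls` is the secret the deployment in this commit mounts as the serving key pair, so the CA private key lives inside the s3proxy pod and a compromise of that pod yields a key that clients are expected to trust for every S3 hostname in `dnsNames`. If that is the intended trust model (clients import this self-signed certificate as a CA), a short comment at the top of the template should say so, e.g. `# Single self-signed cert used both as the CA clients import and as the proxy's serving cert; the key is mounted into the s3proxy pod.` No `duration` or `renewBefore` is set, so cert-manager applies its defaults and will re-issue the certificate on renewal; clients that imported the previous certificate would presumably stop trusting the proxy at that point, which is worth documenting or pinning with an explicit `duration`. The region list is hard-coded; sourcing it from a values entry would let users avoid carrying SANs for regions they never use.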
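--- /dev/null
+++ b/s3proxy/deploy/s3proxy/templates/deployment.yaml
@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: s3proxy
+namespace: {{ .Release.Namespace }}
+labels:
+app: s3proxy
+spec:
+replicas: {{ .Values.replicaCount }}
+selector:
+matchLabels:
+app: s3proxy
+template:
+metadata:
+labels:
+app: s3proxy
+spec:
+containers:
+- name: s3proxy
+image: {{ .Values.image }}
+args:
+- "--level=-1"
+{{- if .Values.allowMultipart }}
+- "--allow-multipart"
+{{- end }}
+ports:
+- containerPort: 4433
+name: s3proxy-port
+volumeMounts:
+- name: tls-cert-data
+mountPath: /etc/s3proxy/certs/s3proxy.crt
+subPath: tls.crt
+- name: tls-cert-data
+mountPath: /etc/s3proxy/certs/s3proxy.key
+subPath: tls.key
+envFrom:
+- secretRef:
+name: s3-creds
+volumes:
+- name: tls-cert-data
+secret:
+secretName: s3proxy-tls
+- name: s3-creds
+secret:
+secretName: s3-creds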
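Review bot: `image: {{ .Values.image }}` is templated unquoted, so an empty value renders as `null` and a value with a leading YAML indicator breaks the manifest; `image: {{ .Values.image | quote }}` avoids both. The container carries the TLS private key and, via `envFrom`, the S3 credentials, but declares no `securityContext` and no `resources`; dropping capabilities and forbidding privilege escalation are safe regardless of the binary, while `runAsNonRoot` and `readOnlyRootFilesystem` depend on what the s3proxy image needs and cannot be verified from this chart, so they should be confirmed against the image before being enabled. `--level=-1` is hard-coded (presumably a log verbosity); if it is the most verbose level, request details may end up in pod logs, so a `logLevel` value with a quieter default would be worth exposing.
```yaml
containers:
- name: s3proxy
  image: {{ .Values.image | quote }}
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    # confirm against the image before enabling:
    # runAsNonRoot: true
    # readOnlyRootFilesystem: true
  # … unchanged: args, ports, volumeMounts, envFrom …
```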
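--- /dev/null
+++ b/s3proxy/deploy/s3proxy/templates/issuer.yaml
@@ -0,0 +1,9 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+name: selfsigned-issuer
+namespace: {{ .Release.Namespace }}
+labels:
+app: s3proxy
+spec:
+selfSigned: {}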
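--- /dev/null
+++ b/s3proxy/deploy/s3proxy/templates/secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+name: s3-creds
+namespace: {{ .Release.Namespace }}
+type: Opaque
+stringData:
+AWS_ACCESS_KEY_ID: {{ .Values.awsAccessKeyID }}
+AWS_SECRET_ACCESS_KEY: {{ .Values.awsSecretAccessKey }}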
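Review bot: Both `stringData` entries are templated unquoted, so a credential that starts with a YAML indicator, contains `: ` or ` #`, or is empty renders as broken YAML or `null` instead of a string; the values should be quoted. Because values.yaml in this commit defaults both keys to `"replaceme"`, a plain `helm install` silently creates a Secret with placeholder credentials; making them `required` turns that into a template-time failure, `AWS_ACCESS_KEY_ID: {{ required "awsAccessKeyID must be set" .Values.awsAccessKeyID | quote }}` and `AWS_SECRET_ACCESS_KEY: {{ required "awsSecretAccessKey must be set" .Values.awsSecretAccessKey | quote }}`, with the values.yaml defaults changed to `""` so the check can trigger.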
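--- /dev/null
+++ b/s3proxy/deploy/s3proxy/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+name: s3proxy-service
+namespace: {{ .Release.Namespace }}
+labels:
+app: s3proxy
+spec:
+selector:
+app: s3proxy
+ports:
+- name: https
+port: 443
+targetPort: s3proxy-port
+type: ClusterIP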
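--- /dev/null
+++ b/s3proxy/deploy/s3proxy/values.yaml
@@ -0,0 +1,12 @@
+# Secrets to use for S3 access.
+awsAccessKeyID: "replaceme"
+awsSecretAccessKey: "replaceme"
+
+# Pod image to deploy.
+image: "ghcr.io/edgelesssys/constellation/s3proxy:v2.13.0-pre.0.20231031124640-625dc266446d"
+
+# Control if multipart uploads are blocked.
+allowMultipart: false
+
+# Number of pod replicas to deploy.
+replicaCount: 1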
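Review bot: The comment on `allowMultipart` reads inverted relative to the key: "Control if multipart uploads are blocked" above a key whose `true` value adds `--allow-multipart` in the deployment template, so a reader cannot tell which polarity the flag has; suggest `# Set to true to allow multipart uploads; they are blocked by default.`. The comment above the credential keys would also benefit from stating where they end up, e.g. `# Stored in the s3-creds Secret and in the Helm release state; prefer --set-string or a values file kept out of VCS.`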