s3proxy: ship as helm chart
parent
afbe17b796
commit
8ebd813480
9
.github/actions/e2e_s3proxy/action.yml
vendored
9
.github/actions/e2e_s3proxy/action.yml
vendored
@ -56,14 +56,7 @@ runs:
|
|||||||
AWS_ACCESS_KEY_ID: ${{ inputs.s3AccessKey }}
|
AWS_ACCESS_KEY_ID: ${{ inputs.s3AccessKey }}
|
||||||
AWS_SECRET_ACCESS_KEY: ${{ inputs.s3SecretKey }}
|
AWS_SECRET_ACCESS_KEY: ${{ inputs.s3SecretKey }}
|
||||||
run: |
|
run: |
|
||||||
sed -i "s|AWS_ACCESS_KEY_ID: \"replaceme\"|AWS_ACCESS_KEY_ID: \"${AWS_ACCESS_KEY_ID}\"|g" s3proxy/deploy/deployment-s3proxy.yaml
|
helm install s3proxy --set awsAccessKeyID="$AWS_ACCESS_KEY_ID" --set awsSecretAccessKey="$AWS_SECRET_ACCESS_KEY" --set image="$S3_PROXY_IMAGE" --set allowMultipart=true s3proxy/deploy/s3proxy
|
||||||
sed -i "s|AWS_SECRET_ACCESS_KEY: \"replaceme\"|AWS_SECRET_ACCESS_KEY: \"${AWS_SECRET_ACCESS_KEY}\"|g" s3proxy/deploy/deployment-s3proxy.yaml
|
|
||||||
|
|
||||||
sed -i "s|image: ghcr.io/edgelesssys/constellation/s3proxy:v.*|image: \"${S3_PROXY_IMAGE}\"|g" s3proxy/deploy/deployment-s3proxy.yaml
|
|
||||||
|
|
||||||
yq eval -i '(select(.spec.template.spec.containers.[].name == "s3proxy").spec.template.spec.containers.[].args) = ["--level=-1","--allow-multipart"]' s3proxy/deploy/deployment-s3proxy.yaml
|
|
||||||
|
|
||||||
kubectl apply -f s3proxy/deploy/deployment-s3proxy.yaml
|
|
||||||
|
|
||||||
- name: Run mint
|
- name: Run mint
|
||||||
shell: bash
|
shell: bash
|
||||||
|
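Review bot: The new `helm install` line passes both AWS credentials through `--set`, which parses its argument (commas split values, backslashes escape, bare values can be type-coerced), so a credential containing such characters would be stored altered or rejected. `--set-string awsAccessKeyID="$AWS_ACCESS_KEY_ID" --set-string awsSecretAccessKey="$AWS_SECRET_ACCESS_KEY"` at least keeps the type a string, though commas would still need escaping. The values also land on the helm process command line and in the release's stored values, so anyone allowed to run `helm get values s3proxy` in that namespace can read them; creating the `s3-creds` Secret separately and having the chart reference it would avoid that. `S3_PROXY_IMAGE` is not set in the visible lines and is presumably defined in the step's `env:` above the hunk.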
10
.github/workflows/release.yml
vendored
10
.github/workflows/release.yml
vendored
@ -175,6 +175,14 @@ jobs:
|
|||||||
# Update version.
|
# Update version.
|
||||||
sed -i "s/${defaultVersionReg}/defaultImage = \"${VERSION}\"/" internal/config/image_enterprise.go
|
sed -i "s/${defaultVersionReg}/defaultImage = \"${VERSION}\"/" internal/config/image_enterprise.go
|
||||||
git add internal/config/image_enterprise.go
|
git add internal/config/image_enterprise.go
|
||||||
|
|
||||||
|
- name: Update s3proxy Chart version
|
||||||
|
run: |
|
||||||
|
yq eval -i ".version = \"$WITHOUT_V\"" s3proxy/deploy/s3proxy/Chart.yaml
|
||||||
|
yq eval -i ".image = \"ghcr.io/edgelesssys/constellation/s3proxy:$VERSION\"" s3proxy/deploy/s3proxy/values.yaml
|
||||||
|
|
||||||
|
git add s3proxy/deploy/s3proxy/Chart.yaml
|
||||||
|
|
||||||
- name: Commit
|
- name: Commit
|
||||||
run: |
|
run: |
|
||||||
git config --global user.name "edgelessci"
|
git config --global user.name "edgelessci"
|
||||||
@ -182,7 +190,7 @@ jobs:
|
|||||||
if git diff-index --quiet HEAD --; then
|
if git diff-index --quiet HEAD --; then
|
||||||
echo "No changes to commit"
|
echo "No changes to commit"
|
||||||
else
|
else
|
||||||
git commit -m "deps: update images to ${VERSION}"
|
git commit -m "deps: update versions to ${VERSION}"
|
||||||
git push
|
git push
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
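Review bot: The new "Update s3proxy Chart version" step edits both `Chart.yaml` and `values.yaml` but stages only the chart file, and the Commit step in the next hunk runs `git commit -m` without `-a`, so as far as the visible lines show the image bump in `values.yaml` is left out of the release commit. The last line of the step should read `git add s3proxy/deploy/s3proxy/Chart.yaml s3proxy/deploy/s3proxy/values.yaml`. `WITHOUT_V` and `VERSION` are interpolated into the yq expressions and are defined outside the hunk, so it is worth confirming both are exported for this step.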
@ -20,12 +20,12 @@ If you want to use s3proxy but these limitations stop you from doing so, conside
|
|||||||
You can add the s3proxy to your Constellation cluster as follows:
|
You can add the s3proxy to your Constellation cluster as follows:
|
||||||
1. Download the deployment manifest:
|
1. Download the deployment manifest:
|
||||||
```bash
|
```bash
|
||||||
wget https://raw.githubusercontent.com/edgelesssys/constellation/main/s3proxy/deploy/deployment-s3proxy.yaml
|
git clone --depth=1 git@github.com:edgelesssys/constellation.git
|
||||||
```
|
```
|
||||||
2. Replace the values named `replaceme` in `deployment-s3proxy.yaml` with valid AWS credentials. These credentials are used by s3proxy to access your S3 buckets.
|
2. Set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to valid credentials you want s3proxy to use to interact with S3. Inspect `constellation/s3proxy/deploy/s3proxy/values.yaml` to learn about available deployment options.
|
||||||
3. Deploy s3proxy:
|
3. Deploy s3proxy:
|
||||||
```bash
|
```bash
|
||||||
kubectl apply -f deployment-s3proxy.yaml
|
helm install s3proxy --set awsAccessKeyID="$AWS_ACCESS_KEY_ID" --set awsSecretAccessKey="$AWS_SECRET_ACCESS_KEY" ./constellation/s3proxy/deploy/s3proxy
|
||||||
```
|
```
|
||||||
|
|
||||||
If you want to run a demo application, check out the [Filestash with s3proxy](../getting-started/examples/filestash-s3proxy.md) example.
|
If you want to run a demo application, check out the [Filestash with s3proxy](../getting-started/examples/filestash-s3proxy.md) example.
|
||||||
|
@ -5,11 +5,9 @@ The VPN is a feature of Constellation and will not be present by default in othe
|
|||||||
|
|
||||||
Disclaimer: the following steps will be automated next.
|
Disclaimer: the following steps will be automated next.
|
||||||
|
|
||||||
- Within `constellation/build`: `bazel run //:devbuild`
|
- Run `bazel run //bazel/release:s3proxy_push`
|
||||||
- Copy the container name displayed for the s3proxy image. Look for the line starting with `[@//bazel/release:s3proxy_push]`.
|
- Set `IMAGE` to the newly built s3proxy image.
|
||||||
- Replace the image key in `deployment-s3proxy.yaml` with the image value you just copied. Use the sha256 hash instead of the tag to make sure you use the latest image.
|
- `helm install s3proxy --set awsAccessKeyID="$AWS_ACCESS_KEY_ID" --set awsSecretAccessKey="$AWS_SECRET_ACCESS_KEY" --set image="$IMAGE" ./s3proxy`
|
||||||
- Replace the `replaceme` values with valid AWS credentials. The s3proxy uses those credentials to access S3.
|
|
||||||
- Run `kubectl apply -f deployment-s3proxy.yaml`
|
|
||||||
|
|
||||||
# Deploying Filestash
|
# Deploying Filestash
|
||||||
|
|
||||||
|
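--- a/s3proxy/deploy/s3proxy/.helmignore
+++ b/s3proxy/deploy/s3proxy/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/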
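--- a/s3proxy/deploy/s3proxy/Chart.yaml
+++ b/s3proxy/deploy/s3proxy/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: s3proxy
+description: Helm chart to deploy s3proxy.
+type: application
+version: 0.0.0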
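--- a/s3proxy/deploy/s3proxy/templates/certificate.yaml
+++ b/s3proxy/deploy/s3proxy/templates/certificate.yaml
@@ -0,0 +1,47 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: selfsigned-ca
+namespace: {{ .Release.Namespace }}
+labels:
+app: s3proxy
+spec:
+isCA: true
+commonName: s3proxy-selfsigned-ca
+secretName: s3proxy-tls
+privateKey:
+algorithm: ECDSA
+size: 256
+dnsNames:
+- "s3.us-east-1.amazonaws.com"
+- "s3.us-east-2.amazonaws.com"
+- "s3.us-west-1.amazonaws.com"
+- "s3.us-west-2.amazonaws.com"
+- "s3.eu-north-1.amazonaws.com"
+- "s3.eu-south-1.amazonaws.com"
+- "s3.eu-south-2.amazonaws.com"
+- "s3.eu-west-1.amazonaws.com"
+- "s3.eu-west-2.amazonaws.com"
+- "s3.eu-west-3.amazonaws.com"
+- "s3.eu-central-1.amazonaws.com"
+- "s3.eu-central-2.amazonaws.com"
+- "s3.ap-northeast-1.amazonaws.com"
+- "s3.ap-northeast-2.amazonaws.com"
+- "s3.ap-northeast-3.amazonaws.com"
+- "s3.ap-east-1.amazonaws.com"
+- "s3.ap-southeast-1.amazonaws.com"
+- "s3.ap-southeast-2.amazonaws.com"
+- "s3.ap-southeast-3.amazonaws.com"
+- "s3.ap-southeast-4.amazonaws.com"
+- "s3.ap-south-1.amazonaws.com"
+- "s3.ap-south-2.amazonaws.com"
+- "s3.me-south-1.amazonaws.com"
+- "s3.me-central-1.amazonaws.com"
+- "s3.il-central-1.amazonaws.com"
+- "s3.af-south-1.amazonaws.com"
+- "s3.ca-central-1.amazonaws.com"
+- "s3.sa-east-1.amazonaws.com"
+issuerRef:
+name: selfsigned-issuer
+kind: Issuer
+group: cert-manager.io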
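Review bot: The certificate is created with `isCA: true` and written to `s3proxy-tls`, the same secret the Deployment mounts as its serving key, so the key that terminates TLS for every listed `s3.<region>.amazonaws.com` name is also a CA key. Any client configured to trust this certificate (presumably the workloads pointed at the proxy) would accept certificates for arbitrary names signed with it, which widens the impact of a leaked pod secret well beyond the S3 hostnames. Keeping the CA in its own secret and issuing a non-CA leaf with a `server auth` usage for the pod, as sketched below with suggested resource names, limits a leaked serving key to the names in `dnsNames`. The spec also sets no `duration` or `renewBefore`, so cert-manager's defaults decide the lifetime.

```yaml
# certificate.yaml: selfsigned-ca stays the CA but gets its own secret
spec:
  isCA: true
  commonName: s3proxy-selfsigned-ca
  secretName: s3proxy-ca-tls  # suggested name; not mounted into the pod
  # … unchanged: privateKey, issuerRef (selfsigned-issuer); dnsNames move to the leaf …
---
# new Issuer that signs with the CA above
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: s3proxy-ca-issuer  # suggested name
  namespace: {{ .Release.Namespace }}
spec:
  ca:
    secretName: s3proxy-ca-tls
---
# leaf serving certificate; this is what the Deployment mounts
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: s3proxy-serving  # suggested name
  namespace: {{ .Release.Namespace }}
spec:
  isCA: false
  secretName: s3proxy-tls
  usages:
    - server auth
  privateKey:
    algorithm: ECDSA
    size: 256
  # … dnsNames list from the original certificate …
  issuerRef:
    name: s3proxy-ca-issuer
    kind: Issuer
    group: cert-manager.io
```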
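--- a/s3proxy/deploy/s3proxy/templates/deployment.yaml
+++ b/s3proxy/deploy/s3proxy/templates/deployment.yaml
@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: s3proxy
+namespace: {{ .Release.Namespace }}
+labels:
+app: s3proxy
+spec:
+replicas: {{ .Values.replicaCount }}
+selector:
+matchLabels:
+app: s3proxy
+template:
+metadata:
+labels:
+app: s3proxy
+spec:
+containers:
+- name: s3proxy
+image: {{ .Values.image }}
+args:
+- "--level=-1"
+{{- if .Values.allowMultipart }}
+- "--allow-multipart"
+{{- end }}
+ports:
+- containerPort: 4433
+name: s3proxy-port
+volumeMounts:
+- name: tls-cert-data
+mountPath: /etc/s3proxy/certs/s3proxy.crt
+subPath: tls.crt
+- name: tls-cert-data
+mountPath: /etc/s3proxy/certs/s3proxy.key
+subPath: tls.key
+envFrom:
+- secretRef:
+name: s3-creds
+volumes:
+- name: tls-cert-data
+secret:
+secretName: s3proxy-tls
+- name: s3-creds
+secret:
+secretName: s3-creds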
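Review bot: The s3proxy container receives the AWS credentials and the TLS private key but declares no `securityContext`, so it runs with whatever user and capabilities the image and cluster defaults allow. A restrictive context like the one below is worth adding, assuming the image can run as non-root with a read-only root filesystem. The `s3-creds` entry under `volumes:` is never mounted, since the credentials arrive through `envFrom`, and can be dropped. `--level=-1` was previously injected only by the e2e action and is now hard-coded for every install; if that is a verbose log level, it should become a chart value.

```yaml
        - name: s3proxy
          image: {{ .Values.image }}
          # … unchanged: args, ports, volumeMounts, envFrom …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
```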
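--- a/s3proxy/deploy/s3proxy/templates/issuer.yaml
+++ b/s3proxy/deploy/s3proxy/templates/issuer.yaml
@@ -0,0 +1,9 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+name: selfsigned-issuer
+namespace: {{ .Release.Namespace }}
+labels:
+app: s3proxy
+spec:
+selfSigned: {}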
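--- a/s3proxy/deploy/s3proxy/templates/secret.yaml
+++ b/s3proxy/deploy/s3proxy/templates/secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+name: s3-creds
+namespace: {{ .Release.Namespace }}
+type: Opaque
+stringData:
+AWS_ACCESS_KEY_ID: {{ .Values.awsAccessKeyID }}
+AWS_SECRET_ACCESS_KEY: {{ .Values.awsSecretAccessKey }}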
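Review bot: Both `stringData` entries render the value unquoted, so a credential that looks like a number or boolean, or that contains `: ` or ` #`, is retyped or breaks the manifest, and a value carrying a newline could add further keys to the Secret. Piping through `quote` closes this: `AWS_ACCESS_KEY_ID: {{ .Values.awsAccessKeyID | quote }}` and `AWS_SECRET_ACCESS_KEY: {{ .Values.awsSecretAccessKey | quote }}`. Because `values.yaml` defaults both to `"replaceme"`, an install without `--set` succeeds and deploys placeholder credentials; defaulting them to `""` and wrapping the lookups in `required` would make that fail at render time instead. The Secret also lacks the `app: s3proxy` label that the other resources in the chart carry.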
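--- a/s3proxy/deploy/s3proxy/templates/service.yaml
+++ b/s3proxy/deploy/s3proxy/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+name: s3proxy-service
+namespace: {{ .Release.Namespace }}
+labels:
+app: s3proxy
+spec:
+selector:
+app: s3proxy
+ports:
+- name: https
+port: 443
+targetPort: s3proxy-port
+type: ClusterIP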
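--- a/s3proxy/deploy/s3proxy/values.yaml
+++ b/s3proxy/deploy/s3proxy/values.yaml
@@ -0,0 +1,12 @@
+# Secrets to use for S3 access.
+awsAccessKeyID: "replaceme"
+awsSecretAccessKey: "replaceme"
+
+# Pod image to deploy.
+image: "ghcr.io/edgelesssys/constellation/s3proxy:v2.13.0-pre.0.20231031124640-625dc266446d"
+
+# Control if multipart uploads are blocked.
+allowMultipart: false
+
+# Number of pod replicas to deploy.
+replicaCount: 1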