s3proxy: ship as helm chart

This commit is contained in:
Otto Bittner 2023-10-27 16:16:31 +02:00
parent afbe17b796
commit 8ebd813480
12 changed files with 181 additions and 17 deletions


@ -56,14 +56,7 @@ runs:
AWS_ACCESS_KEY_ID: ${{ inputs.s3AccessKey }}
AWS_SECRET_ACCESS_KEY: ${{ inputs.s3SecretKey }}
run: |
sed -i "s|AWS_ACCESS_KEY_ID: \"replaceme\"|AWS_ACCESS_KEY_ID: \"${AWS_ACCESS_KEY_ID}\"|g" s3proxy/deploy/deployment-s3proxy.yaml
sed -i "s|AWS_SECRET_ACCESS_KEY: \"replaceme\"|AWS_SECRET_ACCESS_KEY: \"${AWS_SECRET_ACCESS_KEY}\"|g" s3proxy/deploy/deployment-s3proxy.yaml
sed -i "s|image: ghcr.io/edgelesssys/constellation/s3proxy:v.*|image: \"${S3_PROXY_IMAGE}\"|g" s3proxy/deploy/deployment-s3proxy.yaml
yq eval -i '(select(.spec.template.spec.containers.[].name == "s3proxy").spec.template.spec.containers.[].args) = ["--level=-1","--allow-multipart"]' s3proxy/deploy/deployment-s3proxy.yaml
kubectl apply -f s3proxy/deploy/deployment-s3proxy.yaml
helm install s3proxy --set awsAccessKeyID="$AWS_ACCESS_KEY_ID" --set awsSecretAccessKey="$AWS_SECRET_ACCESS_KEY" --set image="$S3_PROXY_IMAGE" --set allowMultipart=true s3proxy/deploy/s3proxy
- name: Run mint
shell: bash
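Review bot: The credentials on the new `helm install` line are passed with `--set`, which type-coerces values (an all-digit value becomes an integer, `true`/`false`/`null`-looking values change type), so use the string-preserving form for the two credentials and the image reference: `helm install s3proxy --set-string awsAccessKeyID="$AWS_ACCESS_KEY_ID" --set-string awsSecretAccessKey="$AWS_SECRET_ACCESS_KEY" --set-string image="$S3_PROXY_IMAGE" --set allowMultipart=true s3proxy/deploy/s3proxy`. The removed `kubectl apply` did not block either, but the next step runs mint against the proxy, so adding `--wait` would make the install return only once the deployment is ready instead of racing the rollout. The step's `name` and the enclosing `runs` block begin above the hunk.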


@ -175,6 +175,14 @@ jobs:
# Update version.
sed -i "s/${defaultVersionReg}/defaultImage = \"${VERSION}\"/" internal/config/image_enterprise.go
git add internal/config/image_enterprise.go
- name: Update s3proxy Chart version
run: |
yq eval -i ".version = \"$WITHOUT_V\"" s3proxy/deploy/s3proxy/Chart.yaml
yq eval -i ".image = \"ghcr.io/edgelesssys/constellation/s3proxy:$VERSION\"" s3proxy/deploy/s3proxy/values.yaml
git add s3proxy/deploy/s3proxy/Chart.yaml
- name: Commit
run: |
git config --global user.name "edgelessci"
@ -182,7 +190,7 @@ jobs:
if git diff-index --quiet HEAD --; then
echo "No changes to commit"
else
git commit -m "deps: update images to ${VERSION}"
git commit -m "deps: update versions to ${VERSION}"
git push
fi
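Review bot: In the first hunk, the `Update s3proxy Chart version` step rewrites `s3proxy/deploy/s3proxy/values.yaml` with yq but stages only `Chart.yaml`, so the image bump is never part of the commit made by the `Commit` step (a plain `git commit -m`, no `-a`) and is left behind as an unstaged change; stage both files: `git add s3proxy/deploy/s3proxy/Chart.yaml s3proxy/deploy/s3proxy/values.yaml`. The step also relies on `WITHOUT_V` and `VERSION` being present in the job environment, presumably exported by earlier steps that lie outside this hunk. The second hunk only rewords the commit message.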


@ -20,12 +20,12 @@ If you want to use s3proxy but these limitations stop you from doing so, conside
You can add the s3proxy to your Constellation cluster as follows:
1. Download the deployment manifest:
```bash
wget https://raw.githubusercontent.com/edgelesssys/constellation/main/s3proxy/deploy/deployment-s3proxy.yaml
git clone --depth=1 git@github.com:edgelesssys/constellation.git
```
2. Replace the values named `replaceme` in `deployment-s3proxy.yaml` with valid AWS credentials. These credentials are used by s3proxy to access your S3 buckets.
2. Set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to valid credentials you want s3proxy to use to interact with S3. Inspect `constellation/s3proxy/deploy/s3proxy/values.yaml` to learn about available deployment options.
3. Deploy s3proxy:
```bash
kubectl apply -f deployment-s3proxy.yaml
helm install s3proxy --set awsAccessKeyID="$AWS_ACCESS_KEY_ID" --set awsSecretAccessKey="$AWS_SECRET_ACCESS_KEY" ./constellation/s3proxy/deploy/s3proxy
```
If you want to run a demo application, check out the [Filestash with s3proxy](../getting-started/examples/filestash-s3proxy.md) example.


@ -5,11 +5,9 @@ The VPN is a feature of Constellation and will not be present by default in othe
Disclaimer: the following steps will be automated next.
- Within `constellation/build`: `bazel run //:devbuild`
- Copy the container name displayed for the s3proxy image. Look for the line starting with `[@//bazel/release:s3proxy_push]`.
- Replace the image key in `deployment-s3proxy.yaml` with the image value you just copied. Use the sha256 hash instead of the tag to make sure you use the latest image.
- Replace the `replaceme` values with valid AWS credentials. The s3proxy uses those credentials to access S3.
- Run `kubectl apply -f deployment-s3proxy.yaml`
- Run `bazel run //bazel/release:s3proxy_push`
- Set `IMAGE` to the newly built s3proxy image.
- `helm install s3proxy --set awsAccessKeyID="$AWS_ACCESS_KEY_ID" --set awsSecretAccessKey="$AWS_SECRET_ACCESS_KEY" --set image="$IMAGE" ./s3proxy`
# Deploying Filestash


@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@ -0,0 +1,5 @@
apiVersion: v2
name: s3proxy
description: Helm chart to deploy s3proxy.
type: application
version: 0.0.0
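Review bot: Chart.yaml does not record that the chart depends on cert-manager, yet the TLS objects it ships (`Certificate` and `Issuer` under `cert-manager.io/v1`) make `helm install` fail on any cluster without the cert-manager CRDs, with an API-server error that never mentions the chart. State the prerequisite where operators look first, e.g. `description: Helm chart to deploy s3proxy. Requires cert-manager to be installed in the cluster.`. Consider also adding `appVersion`, so the s3proxy version a release ships is visible in `helm list` next to the chart `version` that the release workflow bumps.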


@ -0,0 +1,47 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: selfsigned-ca
namespace: {{ .Release.Namespace }}
labels:
app: s3proxy
spec:
isCA: true
commonName: s3proxy-selfsigned-ca
secretName: s3proxy-tls
privateKey:
algorithm: ECDSA
size: 256
dnsNames:
- "s3.us-east-1.amazonaws.com"
- "s3.us-east-2.amazonaws.com"
- "s3.us-west-1.amazonaws.com"
- "s3.us-west-2.amazonaws.com"
- "s3.eu-north-1.amazonaws.com"
- "s3.eu-south-1.amazonaws.com"
- "s3.eu-south-2.amazonaws.com"
- "s3.eu-west-1.amazonaws.com"
- "s3.eu-west-2.amazonaws.com"
- "s3.eu-west-3.amazonaws.com"
- "s3.eu-central-1.amazonaws.com"
- "s3.eu-central-2.amazonaws.com"
- "s3.ap-northeast-1.amazonaws.com"
- "s3.ap-northeast-2.amazonaws.com"
- "s3.ap-northeast-3.amazonaws.com"
- "s3.ap-east-1.amazonaws.com"
- "s3.ap-southeast-1.amazonaws.com"
- "s3.ap-southeast-2.amazonaws.com"
- "s3.ap-southeast-3.amazonaws.com"
- "s3.ap-southeast-4.amazonaws.com"
- "s3.ap-south-1.amazonaws.com"
- "s3.ap-south-2.amazonaws.com"
- "s3.me-south-1.amazonaws.com"
- "s3.me-central-1.amazonaws.com"
- "s3.il-central-1.amazonaws.com"
- "s3.af-south-1.amazonaws.com"
- "s3.ca-central-1.amazonaws.com"
- "s3.sa-east-1.amazonaws.com"
issuerRef:
name: selfsigned-issuer
kind: Issuer
group: cert-manager.io
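Review bot: This Certificate is `isCA: true`, and its `secretName: s3proxy-tls` is exactly the secret the Deployment template mounts as the serving key pair, so the self-signed CA certificate and its private key double as the proxy's TLS identity; every client told to trust that certificate as a CA is then trusting a key that lives inside the workload pod. Split it into a CA and a leaf: keep this object as the CA with `secretName: s3proxy-ca`, add a cert-manager `Issuer` whose `spec.ca.secretName` points at it, and issue the serving certificate (the per-region `dnsNames`, written to `s3proxy-tls`) from that issuer, so clients trust only the CA and the serving key can be rotated without touching the trust anchor. The object names below are illustrative. No `duration`/`renewBefore` is set, so cert-manager's default validity applies; that is fine only if the pod picks up the renewed secret, which is a separate point on the Deployment template.
```yaml
# … unchanged: selfsigned-ca Certificate (isCA: true), now with secretName: s3proxy-ca …
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: s3proxy-ca-issuer
  namespace: {{ .Release.Namespace }}
  labels:
    app: s3proxy
spec:
  ca:
    secretName: s3proxy-ca
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: s3proxy-serving
  namespace: {{ .Release.Namespace }}
  labels:
    app: s3proxy
spec:
  secretName: s3proxy-tls
  privateKey:
    algorithm: ECDSA
    size: 256
  dnsNames:
    # … unchanged: the per-region s3.<region>.amazonaws.com names …
  issuerRef:
    name: s3proxy-ca-issuer
    kind: Issuer
    group: cert-manager.io
```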


@ -0,0 +1,45 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: s3proxy
namespace: {{ .Release.Namespace }}
labels:
app: s3proxy
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: s3proxy
template:
metadata:
labels:
app: s3proxy
spec:
containers:
- name: s3proxy
image: {{ .Values.image }}
args:
- "--level=-1"
{{- if .Values.allowMultipart }}
- "--allow-multipart"
{{- end }}
ports:
- containerPort: 4433
name: s3proxy-port
volumeMounts:
- name: tls-cert-data
mountPath: /etc/s3proxy/certs/s3proxy.crt
subPath: tls.crt
- name: tls-cert-data
mountPath: /etc/s3proxy/certs/s3proxy.key
subPath: tls.key
envFrom:
- secretRef:
name: s3-creds
volumes:
- name: tls-cert-data
secret:
secretName: s3proxy-tls
- name: s3-creds
secret:
secretName: s3-creds
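Review bot: Both TLS files are mounted with `subPath`, and Kubernetes does not propagate Secret updates into subPath mounts, so once cert-manager renews `s3proxy-tls` the pod keeps serving the old certificate until it is restarted; mount the secret as a directory and use `items` on the volume to keep the `s3proxy.crt`/`s3proxy.key` file names the container expects (whether the process re-reads the files at runtime is not visible here, but the directory mount at least makes a restart sufficient). The container also has no `securityContext`, no `resources` and no readiness probe, so a crash-looping or still-starting proxy is selected by the Service immediately; a `readinessProbe` on port 4433 plus `runAsNonRoot` and a read-only root filesystem are the minimum I would add. The secret-mount change is below; the rest of the template is unchanged.
```yaml
        volumeMounts:
          - name: tls-cert-data
            mountPath: /etc/s3proxy/certs
            readOnly: true
        # … unchanged: envFrom s3-creds …
      volumes:
        - name: tls-cert-data
          secret:
            secretName: s3proxy-tls
            items:
              - key: tls.crt
                path: s3proxy.crt
              - key: tls.key
                path: s3proxy.key
        # … unchanged: s3-creds volume …
```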


@ -0,0 +1,9 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: selfsigned-issuer
namespace: {{ .Release.Namespace }}
labels:
app: s3proxy
spec:
selfSigned: {}


@ -0,0 +1,9 @@
apiVersion: v1
kind: Secret
metadata:
name: s3-creds
namespace: {{ .Release.Namespace }}
type: Opaque
stringData:
AWS_ACCESS_KEY_ID: {{ .Values.awsAccessKeyID }}
AWS_SECRET_ACCESS_KEY: {{ .Values.awsSecretAccessKey }}
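Review bot: The two `stringData` values are templated unquoted, so a credential that happens to look like a number or contains YAML-significant characters is re-typed or mis-parsed at render time, and an unset value renders as `null`; pass them through `quote` and fail early when they are missing: `AWS_ACCESS_KEY_ID: {{ required "awsAccessKeyID must be set" .Values.awsAccessKeyID | quote }}` and the same for `AWS_SECRET_ACCESS_KEY` with `.Values.awsSecretAccessKey`. `required` only fires on an empty value, so it is effective only if the `replaceme` placeholders in values.yaml become empty strings. Helm also keeps every value in the release secret, so the credentials end up stored twice in the cluster; an `existingSecret` option that lets operators reference a pre-created Secret would avoid routing them through Helm values at all.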


@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
name: s3proxy-service
namespace: {{ .Release.Namespace }}
labels:
app: s3proxy
spec:
selector:
app: s3proxy
ports:
- name: https
port: 443
targetPort: s3proxy-port
type: ClusterIP


@ -0,0 +1,12 @@
# Secrets to use for S3 access.
awsAccessKeyID: "replaceme"
awsSecretAccessKey: "replaceme"
# Pod image to deploy.
image: "ghcr.io/edgelesssys/constellation/s3proxy:v2.13.0-pre.0.20231031124640-625dc266446d"
# Control if multipart uploads are blocked.
allowMultipart: false
# Number of pod replicas to deploy.
replicaCount: 1
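Review bot: The `replaceme` defaults mean a plain `helm install` with no `--set` succeeds and deploys a Secret holding the literal string `replaceme`, which only surfaces later as S3 authentication errors from the proxy; default both credentials to `""` and pair that with `required` in the Secret template so the install fails with a clear message instead. The comment on `allowMultipart` reads as though `true` blocks multipart uploads, while the Deployment template adds `--allow-multipart` when the value is true; reword it to `# Allow multipart uploads (adds --allow-multipart to the s3proxy args).`. The image default is a pre-release tag that the release workflow rewrites, which is fine, but documenting that a digest reference is accepted here would let operators pin an immutable image.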