fix(stack/minio-tls): Enable tls and remove broken config (#177)

* fix(stack/minio-tls): Enable tls

This adds a bunch of settings, but also breaks the configuration. The next commit will remove the broken part

* chore(stack/minio-tls): Override command to copy certs to the correct names

* fix(stack/minio-tls): Manually mount certs

- Remove the invalid Secret mount
- Add mounts for secret-operator to store certs
- Override Job commands to place CA certs in the right place

Author: NickLarsenNZ

stacks/_templates/minio-tls/rendered-chart.yaml

@@ -135,7 +135,7 @@ data:
     }
     
     # Try connecting to MinIO instance
-    scheme=http
+    scheme=https
     connectToMinio $scheme
     
     
@@ -223,7 +223,7 @@ data:
     }
     
     # Try connecting to MinIO instance
-    scheme=http
+    scheme=https
     connectToMinio $scheme
     
     
@@ -291,7 +291,7 @@ data:
     }
     
     # Try connecting to MinIO instance
-    scheme=http
+    scheme=https
     connectToMinio $scheme
     
     
@@ -372,7 +372,7 @@ data:
     }
     
     # Try connecting to MinIO instance
-    scheme=http
+    scheme=https
     connectToMinio $scheme
     
     
@@ -418,7 +418,7 @@ data:
     }
     
     # Try connecting to MinIO instance
-    scheme=http
+    scheme=https
     connectToMinio $scheme
 ---
 # Source: minio/templates/pvc.yaml
@@ -452,7 +452,7 @@ spec:
   type: NodePort
   externalTrafficPolicy: "Cluster"
   ports:
-    - name: http
+    - name: https
       port: 9001
       protocol: TCP
       targetPort: 9001
@@ -475,7 +475,7 @@ spec:
   type: NodePort
   externalTrafficPolicy: "Cluster"
   ports:
-    - name: http
+    - name: https
       port: 9000
       protocol: TCP
       targetPort: 9000
@@ -514,7 +514,7 @@ spec:
         stackable.tech/vendor: Stackable
       annotations:
         checksum/secrets: fa63e34a92c817c84057e2d452fa683e66462a57b0529388fb96a57e05f38e57
-        checksum/config: 2b1e6b6d0485236a84032ab7e9eeee4a7bac29d2b63d3b0260bde76e84626730
+        checksum/config: ebea49cc4c1bfbd1b156a58bf770a776ff87fe199f642d31c2816b5515112e72
     spec:
       securityContext:
 
@@ -549,9 +549,9 @@ spec:
             - mountPath: /etc/minio/certs
               name: certs
           ports:
-            - name: http
+            - name: https
               containerPort: 9000
-            - name: http-console
+            - name: https-console
               containerPort: 9001
           env:
             - name: MINIO_ROOT_USER
@@ -579,7 +579,7 @@ spec:
         - name: minio-user
           secret:
             secretName: minio        
-          
+
         - ephemeral:
             volumeClaimTemplate:
               metadata:
@@ -633,12 +633,38 @@ spec:
                   name: minio
               - secret:
                   name: minio
+        - ephemeral:
+            volumeClaimTemplate:
+              metadata:
+                annotations:
+                  secrets.stackable.tech/class: tls
+                  secrets.stackable.tech/scope: service=minio
+              spec:
+                accessModes:
+                - ReadWriteOnce
+                resources:
+                  requests:
+                    storage: 1
+                storageClassName: secrets.stackable.tech
+          name: tls
+        - emptyDir:
+            medium: Memory
+            sizeLimit: 5Mi
+          name: certs
       serviceAccountName: minio-sa
       containers:
         - name: minio-make-bucket
           image: "quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z"
           imagePullPolicy: IfNotPresent
-          command: [ "/bin/sh", "/config/initialize" ]
+          command:
+            - "/bin/sh"
+            - "-ce"
+            - |
+              # Copy the CA cert from the "tls" SecretClass
+              # mkdir -p /etc/minio/mc/certs/CAs
+              cp -v /etc/minio/mc/original_certs/ca.crt /etc/minio/mc/certs/CAs/public.crt
+
+              . /config/initialize
           env:
             - name: MINIO_ENDPOINT
               value: minio
@@ -651,13 +677,25 @@ spec:
               mountPath: /tmp
             - name: minio-configuration
               mountPath: /config
+            - name: tls
+              mountPath: /etc/minio/mc/original_certs
+            - name: certs
+              mountPath: /etc/minio/mc/certs/CAs
           resources:
             requests:
               memory: 128Mi
         - name: minio-make-user
           image: "quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z"
           imagePullPolicy: IfNotPresent
-          command: [ "/bin/sh", "/config/add-user" ]
+          command:
+            - "/bin/sh"
+            - "-ce"
+            - |
+              # Copy the CA cert from the "tls" SecretClass
+              # mkdir -p /etc/minio/mc/certs/CAs
+              cp -v /etc/minio/mc/original_certs/ca.crt /etc/minio/mc/certs/CAs/public.crt
+
+              . /config/add-user
           env:
             - name: MINIO_ENDPOINT
               value: minio
@@ -670,6 +708,10 @@ spec:
               mountPath: /tmp
             - name: minio-configuration
               mountPath: /config
+            - name: tls
+              mountPath: /etc/minio/mc/original_certs
+            - name: certs
+              mountPath: /etc/minio/mc/certs/CAs
           resources:
             requests:
               memory: 128Mi

stacks/_templates/minio-tls/values.yaml

@@ -20,6 +20,8 @@ service:
 consoleService:
   type: NodePort
   nodePort: null
+tls:
+  enabled: true
 extraVolumes:
   # Request a TLS certificate from the secret-operator
   - name: tls
@@ -49,3 +51,35 @@ extraVolumeMounts:
   # On startup, we will rename the certs and move them here:
   - mountPath: /etc/minio/certs
     name: certs
+
+customCommandJob:
+  extraVolumes:
+    # Request a TLS certificate from the secret-operator
+    - name: tls
+      ephemeral:
+        volumeClaimTemplate:
+          metadata:
+            annotations:
+              secrets.stackable.tech/class: tls
+              secrets.stackable.tech/scope: |-
+                service=minio
+          spec:
+            storageClassName: secrets.stackable.tech
+            accessModes:
+              - ReadWriteOnce
+            resources:
+              requests:
+                storage: 1
+    # Create an in-memory emptyDir to copy the certs to (to avoid permission errors)
+    - name: certs
+      emptyDir:
+        sizeLimit: 5Mi
+        medium: Memory
+  # WARNING: this is currently only used by the custom-scripts job container. Other containers do not mount these.
+  extraVolumeMounts:
+    # Mount the certificate generated by the secret-operator
+    - name: tls
+      mountPath: /etc/minio/mc/original_certs
+    # On startup, we will rename the certs and move them here:
+    - mountPath: /etc/minio/mc/certs/CAs
+      name: certs