This page provides information about KES configuration options for a KES Client and a KES Server. KES Client As a basic standard configuration, a KES client needs to know the KES server endpoint KES client’s own client certificate Corresponding private key to the client certificate You can provide these values in different ways, such as through environment variables at the command line or through a Software Development Kit.

class Complex: i>. en.

This tutorial shows how to setup a KES server that uses Vault’s K/V engine as a persistent and secure key store: K E S C l i e n t K E S S e r v e r V a u l t Prerequisites To start a development server or interact with Vault using the Vault CLI, download the Vault binary.

This page documents settings for configuring an NSQ service as a target for Bucket Notifications. See Publish Events to NSQ for a tutorial on using these settings. You can establish or modify settings by defining: an environment variable on the host system prior to starting or restarting the AIStor Server. Refer to your operating system’s documentation for how to define an environment variable. a configuration setting using mc admin config set. If you define both an environment variable and the similar configuration setting, AIStor uses the environment variable value.

The following page includes the full contents of the AIStor Server Helm Chart default values.yaml and all accompanying documentation. # Following annotations/labels are applied to all resources created by the Helm chart annotations: {} labels: {} # Allow to override the namespace for all resources #namespaceOverride: "test" ### # Root key for dynamically creating a secret for use with configuring root MinIO User # Specify the ``name`` and then a list of environment variables. # # .. important:: # # Do not use this in production environments. # This field is intended for use with rapid development or testing only. # # For example: # # .. code-block:: yaml # # name: myminio-env-configuration # accessKey: minio # secretKey: minio123 # secrets: name: myminio-env-configuration accessKey: minio secretKey: minio123 ### # If this variable is set, then enable the usage of an existing Kubernetes secret to set environment variables for the Object Store. # The existing Kubernetes secret name must be placed under .objectStore.configuration.name e.g. existing-minio-env-configuration # The secret must contain a key ``config.env``. # The values should be a series of export statements to set environment variables for the Object Store. # For example: # # .. code-block:: shell # # stringData: # config.env: |- # export MINIO_ROOT_USER=ROOTUSERNAME # export MINIO_ROOT_PASSWORD=ROOTUSERPASSWORD # #existingSecret: # name: enabled ### # Root key for AIStor Object Store objectStore: ### # The Object Store name name: myminio ### # Specify the container image to use. # ``image.tag`` # For example, the following sets the image to the ``quay.io/minio/aistor/minio`` repo and the RELEASE.2024-10-10T15-35-50Z tag. # The container pulls the image if not already present: # # .. code-block:: yaml # # image: # repository: quay.io/minio/aistor/minio # tag: RELEASE.2024-10-10T15-35-50Z # pullPolicy: IfNotPresent # # The chart also supports specifying an image based on digest value: # # .. code-block:: yaml # # image: # repository: quay.io/minio/aistor/minio@sha256 # digest: 096024a024e74e21491dc40c26d0ffddcdc09f2cf9953b443178ffbb3732cfec # pullPolicy: IfNotPresent # # image: {} # repository: quay.io/minio/aistor/minio # tag: RELEASE.2024-10-10T15-35-50Z # pullPolicy: IfNotPresent ### # # An array of Kubernetes secrets to use for pulling images from a private ``image.repository``. # Only one array element is supported at this time. imagePullSecret: {} ### # The Kubernetes `Scheduler <https://kubernetes.io/docs/concepts/scheduling-eviction/kube-scheduler/>`__ to use for dispatching Object Store pods. # # Specify an empty dictionary ``{}`` to dispatch pods with the default scheduler. scheduler: {} ### # The Kubernetes secret name that contains MinIO environment variable configurations. # The secret is expected to have a key named config.env containing environment variables exports. configuration: name: myminio-env-configuration ### # If this variable is set to true, then enable the usage of an existing Kubernetes secret to set environment variables for the Object Store. # The existing Kubernetes secret name must be placed under .objectStore.configuration.name e.g. existing-minio-env-configuration # The secret must contain a key ``config.env``. # The values should be a series of export statements to set environment variables for the Object Store. # For example: # # .. code-block:: shell # # stringData: # config.env: |- # export MINIO_ROOT_USER=ROOTUSERNAME # export MINIO_ROOT_PASSWORD=ROOTUSERPASSWORD # # existingSecret: false ### # Top level key for configuring Pool(s) in this Object Store. # # See `Operator CRD: Pools <https://docs.min.io/enterprise/aistor-object-store/reference/kubernetes/aistor-crd-v1/#pool>`__ for more information on all subfields. pools: ### # The number of MinIO Object Store Pods / Servers in this pool. # For standalone mode, supply 1. For distributed mode, supply 4 or more. # Note that the operator does not support upgrading from standalone to distributed mode. - servers: 4 ### # Custom name for the pool name: pool-0 ### # The number of volumes attached per MinIO Pod / Server. volumesPerServer: 4 ### # The capacity per volume requested per MinIO Pod. size: 10Gi ### # The `storageClass <https://kubernetes.io/docs/concepts/storage/storage-classes/>`__ to associate with volumes generated for this pool. # # If using Amazon Elastic Block Store (EBS) CSI driver # Please make sure to set xfs for "csi.storage.k8s.io/fstype" parameter under StorageClass.parameters. # Docs: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/parameters.md # storageClassName: standard ### # Specify `storageAnnotations <https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/>`__ to associate to PVCs. storageAnnotations: {} ### # Specify `annotations <https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/>`__ to associate to pods. annotations: {} ### # Specify `labels <https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/>`__ to associate to pods. labels: {} ### # # An array of `Toleration labels <https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/>`__ to associate to pods. # # These settings determine the distribution of pods across worker nodes. tolerations: [] ### # Any `Node Selectors <https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/>`__ to apply to pods. # # The Kubernetes scheduler uses these selectors to determine which worker nodes onto which it can deploy pods. # # If no worker nodes match the specified selectors, the deployment will fail. nodeSelector: {} ### # # The `affinity <https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/>`__ or anti-affinity settings to apply to the pods. # # These settings determine the distribution of pods across worker nodes and can help prevent or allow colocating pods onto the same worker nodes. affinity: {} ### # # The `Requests or Limits <https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/>`__ for resources to associate to the pods. # # These settings can control the minimum and maximum resources requested for each pod. # If no worker nodes can meet the specified requests, the Operator may fail to deploy. resources: {} ### # The Kubernetes `SecurityContext <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/>`__ to use for deploying Object Store resources. # # You may need to modify these values to meet your cluster's security and access settings. # # We recommend disabling recursive permission changes by setting ``fsGroupChangePolicy`` to ``OnRootMismatch`` as those operations can be expensive for certain workloads (e.g. large volumes with many small files). securityContext: runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 fsGroupChangePolicy: "OnRootMismatch" runAsNonRoot: true ### # The Kubernetes `SecurityContext <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/>`__ to use for deploying Object Store containers. # You may need to modify these values to meet your cluster's security and access settings. containerSecurityContext: runAsUser: 1000 runAsGroup: 1000 runAsNonRoot: true allowPrivilegeEscalation: false capabilities: drop: - ALL seccompProfile: type: RuntimeDefault ### # # An array of `Topology Spread Constraints <https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/>`__ to associate to Operator Console pods. # # These settings determine the distribution of pods across worker nodes. topologySpreadConstraints: [] ### # # The name of a custom `Container Runtime <https://kubernetes.io/docs/concepts/containers/runtime-class/>`__ to use for the Operator Console pods. # runtimeClassName: "" ### # The mount path where Persistent Volumes are mounted inside Object Store container(s). mountPath: /export ### # The Sub path inside Mount path where MinIO stores data. # # .. warning:: # # Treat the ``mountPath`` and ``subPath`` values as immutable once you deploy the Object Store. # If you change these values post-deployment, then you may have different paths for new and pre-existing data. # This can vastly increase operational complexity and may result in unpredictable data states. subPath: /data ### # Configures a Prometheus-compatible scraping endpoint at the specified port. metrics: enabled: false port: 9000 protocol: http ### # Configures external certificate settings for the Object Store. certificates: ### # Specify an array of Kubernetes TLS secrets, where each entry corresponds to a secret the TLS private key and public certificate pair. # # This is used by MinIO to verify TLS connections from clients using those CAs # If you omit this and have clients using TLS certificates minted by an external CA, those connections may fail with warnings around certificate verification. # See `ObjectStore CRD: ObjectStoreSpec <https://docs.min.io/enterprise/aistor-object-store/reference/kubernetes/aistor-crd-v1/#objectstorespec>`__. trustedCAs: [] ### # Specify an array of Kubernetes secrets, where each entry corresponds to a secret contains the TLS private key and public certificate pair. # # Omit this to use only the MinIO Operator autogenerated certificates. # # If you omit this field *and* set ``disableAutoCert`` to true, the Object Store starts without TLS. # # See `ObjectStore CRD: ObjectStoreSpec <https://docs.min.io/enterprise/aistor-object-store/reference/kubernetes/aistor-crd-v1/#objectstorespec>`__. # .. important:: # # The Object Store Operator may output TLS connectivity errors if it cannot trust the Certificate Authority (CA) which minted the custom certificates. # # You can pass the CA to the Object Store Operator to allow it to trust that cert. # See `Self-Signed, Internal, and Private Certificates <https://docs.min.io/enterprise/aistor-object-store/installation/kubernetes/network-encryption/>`__ for more information. # This step may also be necessary for globally trusted CAs where you must provide intermediate certificates to the Object Store Operator to help build the full chain of trust. server: [] ## Use this field to provide client certificates for MinIO & KES. This can be used to configure ## mTLS for MinIO and your KES server. Files will be mounted under /tmp/certs folder, supported types: ## Opaque | kubernetes.io/tls | cert-manager.io/v1alpha2 | cert-manager.io/v1 ## ie: ## ## KESClient: ## name: mtls-certificates-for-object-store ## type: Opaque ## ## Create secrets as explained here: ## https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret # KESClient: {} ## ## Use this field to provide additional client certificate for the MinIO Object Store ## Certificate secret files will be mounted under /tmp/certs folder, supported types: ## Opaque | kubernetes.io/tls | cert-manager.io/v1alpha2 | cert-manager.io/v1 ## ## mount path inside container: ## ## certs ## | ## + client-0 ## | + client.crt ## | + client.key ## + client-1 ## | + client.crt ## | + client.key ## + client-2 ## | + client.crt ## | + client.key ## ie: ## ## client: ## - name: client-certificate-1 ## type: kubernetes.io/tls ## - name: client-certificate-2 ## type: kubernetes.io/tls ## - name:client-certificate-3 ## type: kubernetes.io/tls ## ## Create secrets as explained here: ## https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret client: [] ### # Enable automatic Kubernetes based `certificate generation and signing <https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster>`__ disableAutoCert: false ### # The minimum number of days to expiry before an alert for an expiring certificate is fired. # In the below example, if a given certificate will expire in 7 days then expiration events will only be triggered 1 day before expiry # certExpiryAlertThreshold: 1 ### # This field is used only when ``disableAutoCert: false``. # Use this field to set CommonName for the auto-generated certificate. # MinIO defaults to using the internal Kubernetes DNS name for the pod # The default DNS name format is typically ``*.minio.default.svc.cluster.local``. # # See `Operator CRD: CertificateConfig <https://docs.min.io/enterprise/aistor-object-store/reference/kubernetes/aistor-crd-v1/#certificateconfig>`__ config: {} ### # MinIO features to enable or disable in the MinIO Object Store # See `Operator CRD: Features <https://docs.min.io/enterprise/aistor-object-store/reference/kubernetes/aistor-crd-v1/#features>`__. features: bucketDNS: false domains: {} enableSFTP: false ### # The `PodManagement <https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy>`__ policy for Object Store Pods. # Can be "OrderedReady" or "Parallel" podManagementPolicy: Parallel # The `Liveness Probe <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes>`__ for monitoring Object Store pod liveness. # Object Store pods will be restarted if the probe fails. liveness: {} ### # `Readiness Probe <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/>`__ for monitoring Object Store container readiness. # Object Store pods will be removed from service endpoints if the probe fails. readiness: {} ### # `Startup Probe <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/>`__ for monitoring container startup. # Object Store pods will be restarted if the probe fails. # Refer startup: {} ### # The `Lifecycle hooks <https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/>`__ for container. lifecycle: {} ### # Directs the Object Store Operator to expose the S3 API or Web Console services to clients outside of the Kubernetes cluster. # # Supports `LoadBalancer`, `NodePort`, and `ClusterIP` (Default) # # These configurations do not prevent exposing the services via Ingress, Routes, or other networking features services: console: serviceType: ClusterIP #serviceType: NodePort #nodePort: 31000 #serviceExternalTrafficPolicy: Local #annotations: {} #labels: {} minio: serviceType: ClusterIP #serviceType: NodePort #nodePort: 31001 #serviceExternalTrafficPolicy: Local #annotations: {} #labels: {} ### # The `Kubernetes Service Account <https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/>`__ associated with the Object Store. serviceAccountName: "" ### # Directs the Object Store Operator to add the Object Store's metric scrape configuration to an existing Kubernetes Prometheus deployment managed by the Prometheus Operator. prometheusOperator: false ### # Configure pod logging configuration for the MinIO Object Store. # # - Specify ``json`` for JSON-formatted logs. # - Specify ``anonymous`` for anonymized logs. # - Specify ``quiet`` to supress logging. # # An example of JSON-formatted logs is as follows: # # .. code-block:: shell # # $ k logs myminio-pool-0-0 -n default # {"level":"INFO","errKind":"","time":"2022-04-07T21:49:33.740058549Z","message":"All MinIO sub-systems initialized successfully"} logging: {} ### # Add environment variables to be set in MinIO container (https://github.com/minio/minio/tree/master/docs/config) env: [] ### # PriorityClassName indicates the Pod priority and hence importance of a Pod relative to other Pods. # This is applied to MinIO pods only. # Refer Kubernetes documentation for details https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass/ priorityClassName: "" ### # An array of `Initialization Containers <https://kubernetes.io/docs/concepts/workloads/pods/init-containers/>`__ to initialize the Object Store pods. # # All initialization containers should be run to completion before the Object Store pod starts. initContainers: [] ### # An array of `Volumes <https://kubernetes.io/docs/concepts/storage/volumes/>`__ which the Operator can mount to Object Store pods. # # The volumes must exist *and* be accessible to the Object Store pods. additionalVolumes: [] ### # An array of volume mount points associated to each Object Store container. # # Specify each item in the array as follows: # # .. code-block:: yaml # # volumeMounts: # - name: volumename # mountPath: /path/to/mount # # The ``name`` field must correspond to an entry in the ``additionalVolumes`` array. additionalVolumeMounts: [] # Define configuration for KES (stateless and distributed key-management system) # Refer https://github.com/minio/kes #kes: # ## Image field: # # Image from tag (original behavior), for example: # # image: # # repository: quay.io/minio/kes # # tag: 2024-06-17T15-47-05Z # # Image from digest (added after original behavior), for example: # # image: # # repository: quay.io/minio/kes@sha256 # # digest: fb15af611149892f357a8a99d1bcd8bf5dae713bd64c15e6eb27fbdb88fc208b # image: # repository: quay.io/minio/kes # tag: 2024-06-17T15-47-05Z # pullPolicy: IfNotPresent # env: [ ] # replicas: 1 # configuration: |- # address: :7373 # tls: # key: /tmp/kes/server.key # Path to the TLS private key # cert: /tmp/kes/server.crt # Path to the TLS certificate # proxy: # identities: [] # header: # cert: X-Tls-Client-Cert # admin: # identity: ${MINIO_KES_IDENTITY} # cache: # expiry: # any: 5m0s # unused: 20s # log: # error: on # audit: off # keystore: # # KES configured with fs (File System mode) doesn't work in Kubernetes environments and is not recommended # # use a real KMS # # fs: # # path: "./keys" # Path to directory. Keys will be stored as files. Not Recommended for Production. # vault: # endpoint: "http://vault.default.svc.cluster.local:8200" # The Vault endpoint # namespace: "" # An optional Vault namespace. See: https://www.vaultproject.io/docs/enterprise/namespaces/index.html # prefix: "my-minio" # An optional K/V prefix. The server will store keys under this prefix. # approle: # AppRole credentials. See: https://www.vaultproject.io/docs/auth/approle.html # id: "<YOUR APPROLE ID HERE>" # Your AppRole Role ID # secret: "<YOUR APPROLE SECRET ID HERE>" # Your AppRole Secret ID # retry: 15s # Duration until the server tries to re-authenticate after connection loss. # tls: # The Vault client TLS configuration for mTLS authentication and certificate verification # key: "" # Path to the TLS client private key for mTLS authentication to Vault # cert: "" # Path to the TLS client certificate for mTLS authentication to Vault # ca: "" # Path to one or multiple PEM root CA certificates # status: # Vault status configuration. The server will periodically reach out to Vault to check its status. # ping: 10s # Duration until the server checks Vault's status again. # # aws: # # # The AWS SecretsManager key store. The server will store # # # secret keys at the AWS SecretsManager encrypted with # # # AWS-KMS. See: https://aws.amazon.com/secrets-manager # # secretsmanager: # # endpoint: "" # The AWS SecretsManager endpoint - e.g.: secretsmanager.us-east-2.amazonaws.com # # region: "" # The AWS region of the SecretsManager - e.g.: us-east-2 # # kmskey: "" # The AWS-KMS key ID used to en/decrypt secrets at the SecretsManager. By default (if not set) the default AWS-KMS key will be used. # # credentials: # The AWS credentials for accessing secrets at the AWS SecretsManager. # # accesskey: "" # Your AWS Access Key # # secretkey: "" # Your AWS Secret Key # # token: "" # Your AWS session token (usually optional) # imagePullPolicy: "IfNotPresent" # externalCertSecret: null # clientCertSecret: null # trustedCAs: null # # Key name to be created on the KMS, default is "my-minio-key" # keyName: "" # resources: { } # nodeSelector: { } # affinity: # nodeAffinity: { } # podAffinity: { } # podAntiAffinity: { } # tolerations: [ ] # annotations: { } # labels: { } # serviceAccountName: "" # securityContext: # runAsUser: 1000 # runAsGroup: 1000 # runAsNonRoot: true # fsGroup: 1000 # containerSecurityContext: # runAsUser: 1000 # runAsGroup: 1000 # runAsNonRoot: true # allowPrivilegeEscalation: false # capabilities: # drop: # - ALL # seccompProfile: # type: RuntimeDefault # Use an extraResources template section to include additional Kubernetes resources # with the Helm deployment. #extraResources: # - | # apiVersion: v1 # kind: Secret # type: Opaque # metadata: # name: {{ dig "objectStore" "configSecret" "name" "" (.Values | merge (dict)) }} # stringData: # config.env: |- # export MINIO_ROOT_USER='minio' # export MINIO_ROOT_PASSWORD='minio123'

Testing Gradle plugins version 9.0.0 Contents The sample project The importance of testing Setting up manual tests Se...

Working With Files version 9.0.0 Contents Hardcoded paths and laziness Locating files Copying files Renaming files Fi...

Project documentation for Gluster Filesystem

Project documentation for Gluster Filesystem

Upgrading from Gradle 6.x to 7.0 version 9.0.0 Contents Upgrading from 6.9 and earlier Upgrading from 6.8 and earlier...