Location>code7788 >text

-DirectPV Distributed Multi-Tenant Storage Deployment

Popularity:603 ℃/2024-09-05 19:10:03

MinIO Deployment Preparation

Deployment overview

This experiment combines MinIO deployment with Kubernetes to realize the integration of MinIO in Kubernetes.

minio is officially supported through simple rapid deployment for basic testing:

curl /minio/docs/master/source/extra/examples/ -O
kubectl apply -f 

Refer to the official:Rapid Deployment of MinIO

This experiment is based on a production environment and deploys a set of multi-tenant Minio that can be used in a production environment.

MinIO officially recommends using minio-operator to deploy multi-tenant minio systems.
Each MinIO Tenant represents a separate MinIO Object Store in a Kubernetes cluster.

Deployment Architecture

The official best practice recommended architecture is as follows:

003

preliminary planning

Kubernetes Installation

This experiment does not involve Kubernetes deployment, the Kubernetes deployment reference isKubernetes_v1.30.3 Highly Available Deployment Architecture II

The plans and related information for the completed deployed Kubernetes clusters are listed below:

hosts IP (computer) disk note
master01 172.24.10.11 —— master node
master02 172.24.10.12 —— master node
master03 172.24.10.13 —— master node
worker01 172.24.10.14 /dev/nvme0n2 Worker nodes + MinIO nodes
worker02 172.24.10.15 /dev/nvme0n2 Worker nodes + MinIO nodes
worker03 172.24.10.16 /dev/nvme0n2 Worker nodes + MinIO nodes
worker04 172.24.10.17 /dev/nvme0n2 Worker nodes + MinIO nodes

Cluster VIP: 172.24.10.100
The relevant domain names can be resolved normally, you can resolve the relevant domain names to VPI via hosts.

helm installation

The official recommendation for minio in production is to deploy it using helm, so you need to deploy the helm tool in Kubernetes in advance.
Reference:Kubernetes Cluster Management - Helm Deployment and Usage

MinIO Operator Components

Introduction to Minio Operator

Before deploying minio, you need to complete the deployment of minio operator, this experiment uses the latest stable Operator version 6.0.2.

MinIO Operator installs a Custom Resource Definition (CRD) to support describing MinIO tenants as Kubernetes objects.

The MinIO Operator exists in its own separate namespace and creates Kubernetes resources in it, which include pods, svc, replicasets, and deployments.

By default, Operator pods use the MinIO CRD to monitor all namespaces of an object and automatically manage these resources.

When a tenant is created using Operator, the tenant must have its own namespace in which Operator generates the pods required for tenant configuration.

Each Tenant pod runs three containers.

  • MinIO Container A container that runs all standard MinIO functionality, equivalent to a basic MinIO installation on bare metal. This container stores and retrieves objects in the provided mount point (pv).
  • InitContainer, which exists only during the startup of the pod, is used to manage the configuration secret during the startup, and this container is terminated when the startup is complete.
  • The Sidecar container is used to initialize the MinIO tenants. sidecar retrieves and validates the configuration of each tenant and creates the necessary local resources in the pod.

Starting with Operator 6.0.0, Sidecar has its own image and release cycle, separate from the rest of MinIO Operator.
MinIO Operator stores the tenant's environment variables in the sidecar, allowing Operator to update the variables without requiring a rolling reboot.

The tenant enables pvc to communicate with the persistent volume in which the object is stored.

Tip:
1: kubectl -k and kubectl --kustomize deployment are also officially supported:Deploy the MinIO Operator . The limited use of helm installation for this experiment is also available:Deploy Operator With Helm
2: However, if you use Helm chart to install Operator, you must use Helm to manage that installation process. Do not use kubectl krew, Kustomize, or similar methods to update or manage the MinIO Operator installation.

Kubernetes TLS Certificates

MinIO Operator automatically generates TLS Certificate Signing Requests (CSRs) and creates signed TLS certificates using the Kubernetes certificates. the TLS Certificate Management API.

MinIO Operator therefore requires that the Kubernetes kube-controller-manager configuration include the following configuration settings:

  • --cluster-signing-key-file : Specifies the PEM-encoded RSA or ECDSA private key used to sign cluster-wide certificates.
  • --cluster-signing-cert-file : Specifies the x.509 Certificate Authority certificate for the PEM encoding used to issue cluster-wide certificates.

Operator cannot complete initialization if the Kubernetes cluster is not configured with the corresponding generated CSR.
By default, Kubernetes is configured for autoblocking as above, and you can check whether the current Kubernetes cluster is configured for TLS certificates in the following way.

kubectl get pod kube-controller-manager-$CLUSTERNAME-control-plane -n kube-system -o yaml

004

Tip: MinIO Operator automatically generates TLS certificates for all MinIO tenant pods using a specified Certificate Authority (CA). clients external to the Kubernetes cluster must trust the Kubernetes cluster CA in order to connect to MinIO Operator or a MinIO tenant.

Clients that cannot trust the Kubernetes cluster CA can try disabling TLS authentication for connections to MinIO Operator or MinIO Tenant.

It is also possible to generate x.509 TLS certificates signed by a known and trusted CA and pass these certificates to MinIO tenants.

Add repo

Add the minio chart repo using helm.

[root@master01 ~]# mkdir ten-minio
[root@master01 ~]# cd ten-minio
[root@master01 ten-minio]# helm repo add minio-operator 
[root@master01 ten-minio]# helm repo update
[root@master01 ten-minio]# helm search repo minio-operator
NAME                         	CHART VERSION	APP VERSION	DESCRIPTION                    
minio-operator/minio-operator	4.3.7        	v4.3.7     	A Helm chart for MinIO Operator
minio-operator/operator      	6.0.3        	v6.0.3     	A Helm chart for MinIO Operator
minio-operator/tenant        	6.0.3        	v6.0.3     	A Helm chart for MinIO Operator

Tip: Available domesticallyhelm repo add minio-operator Make additions.
minio-operator/minio-operator is an older version of operator and does not need to be installed.

Installation operator

Run the helm install command to install operator.
The following command specifies and creates a dedicated minio-operator namespace for installation.

[root@master01 ten-minio]# helm show values minio-operator/operator > #selectable,Export Defaultschart values
[root@master01 ten-minio]# cat

[root@master01 ten-minio]# helm install \
  --namespace minio-operator \
  --create-namespace \
  operator minio-operator/operator

Verify operator

Verify the operator installation.

[root@master01 ten-minio]# kubectl get all -n minio-operator #View installed resources
NAME READY STATUS RESTARTS AGE
pod/minio-operator-95fd896dc-cdt84 1/1 Running 0 2m6s
pod/minio-operator-95fd896dc-rfjsr 1/1 Running 0 2m6s

NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/operator ClusterIP 10.20.194.160 <none> 4221/TCP 2m7s
service/sts ClusterIP 10.20.24.158 <none> 4223/TCP 2m7s

NAME READY UP-TO-DATE AVAILABLE AGE
/minio-operator 2/2 2 2 2m7s

NAME DESIRED CURRENT READY AGE
/minio-operator-95fd896dc 2 2 2 2m7s

Permanent Volume

MinIO requires dedicated access to the drive or volume that gives access to the object storage, this experiment uses the local disk /dev/nvme0n2 , which is used independently to deploy minio.

Tip: This proprietary disk is used for deploying minio distributed storage, and no other processes, software, scripts, etc. are allowed to perform any operations or perform operations on objects or files placed on it by MinIO, otherwise it may bring the risk of data corruption.

MinIO can use any Kubernetes PV that supports the ReadWriteOnce access mode.
MinIO's consistency guarantees require exclusive storage access, and ReadWriteOnce provides that support.

Additionally, MinIO recommends setting a Retain recycling policy for PVC StorageClass, and also recommends formatting volumes to XFS when configuring storage class, CSI, or PV-based storage to ensure optimal performance.

MinIO can use any Kubernetes Persistent Volume (PV) that supports ReadWriteOnce access mode.
MinIO's consistency guarantees require the exclusive storage access provided by ReadWriteOnce, and the persistent volume must already exist before the tenant is deployed.

Additionally, MinIO recommends setting up Retain's recycling policy for PVC StorageClass, and under best practices, configuring StorageClass, CSI, or other providers at the bottom of the PV, it is recommended that volumes be formatted as XFS to ensure optimal performance.

For Kubernetes clusters where nodes have direct attached storage, MinIO strongly recommends using the DirectPV CSI driver.

DirectPV provides a distributed persistent volume manager that discovers, formats, mounts, schedules, and monitors drives on Kubernetes nodes, DirectPV addresses the limitations of manually configuring and monitoring local persistent volumes.

For details on DirectPV usage, see:Introduction and Installation cap (a poem)Storage Management

This experiment has completed the installation of directpv with the following information:

[root@master01 ten-minio]# kubectl -n directpv get all
NAME                              READY   STATUS    RESTARTS   AGE
pod/controller-79f6b96bf8-t9c4l   3/3     Running   0          25m
pod/controller-79f6b96bf8-vrb2q   3/3     Running   0          25m
pod/controller-79f6b96bf8-x76gj   3/3     Running   0          25m
pod/node-server-4tj7p             4/4     Running   0          25m
pod/node-server-67c7b             4/4     Running   0          25m
pod/node-server-cjhd5             4/4     Running   0          25m
pod/node-server-k6ks2             4/4     Running   0          25m

NAME                         DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
/node-server   4         4         4       4            4           <none>          25m

NAME                         READY   UP-TO-DATE   AVAILABLE   AGE
/controller   3/3     3            3           25m

NAME                                    DESIRED   CURRENT   READY   AGE
/controller-79f6b96bf8   3         3         3       25m
[root@master01 ten-minio]# kubectl -n directpv get sc
NAME                 PROVISIONER          RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
directpv-min-io      directpv-min-io      Delete          WaitForFirstConsumer   true                   26m

Creating a tenant namespace

Create a namespace that simulates multi-tenancy.

[root@master01 ten-minio]# vim 
apiVersion: v1
kind: Namespace
metadata:
  name: minio-ns01
  labels:
    name: minio-ns01

[root@master01 ten-minio]# kubectl apply -f 

MinIO Helm deployment

helm overview

Helm is a tool that automates the deployment of applications to Kubernetes clusters ref:Cluster Management - Helm Deployment and Usage

Helm charts are a set of YAML files, templates and other files needed to define deployment details.
The following procedure uses Helm Chart to deploy tenants managed by MinIO Operator.

This process requires that the Kubernetes cluster has a valid Operator deployment and cannot use the MinIO Operator tenant chart to deploy tenants independent of Operator.

Tip: The MinIO Operator Tenant Chart is different from the community-managed MinIO chart.

Community Helm Chart is built, maintained and supported by the community.
MinIO does not guarantee support for any given bug, feature request, or issue arising from an update that references this chart.

The Operator Tenant Chart is officially maintained and supported by MinIO, and MinIO strongly recommends using the official Helm Chart for Operator and tenant in production environments.

precondition

To install a MinIO tenant with Helm, the following requirements need to be met:

  • Available Kubernetes clusters;
  • The kubectl CLI tool that matches the Kubernetes cluster;
  • Hlem 3.8 or later;
  • yq 4.18.1 or later;
  • MinIO Operator is installed.

This installation must have Kubernetes cluster access administrative privileges.

Helm Charts deployed MinIO Tenant

The following uses the official MinIO Tenant chart for deploying MinIO tenants, which supports a simplified installation path compared to a local chart installation.

The following steps use Helm to deploy MinIO tenants based on the official MinIO Tenant chart.

More chart configuration references:MinIO Server Config Guide

Verify MinIO Operator

Add repo reference:Add repo

Configuring helm

Configure the related helm vaule .

[root@master01 ten-minio]# curl -sLo  /minio/operator/master/helm/tenant/

Tip: If you use Helm to deploy MinIO tenant, you must use Helm to manage or upgrade that deployment. Do not use kubectl krew, Kustomize, or similar methods to manage or upgrade MinIO tenant.
2: You can also use the helm command to export the default of minio chart.

[root@master01 ten-minio]# helm show values minio-operator/tenant > 

Configure tenant topology

The pool[0] prefix controls the number of servers, the number of volumes per server, and the storage class for all pods deployed in the tenant.

Configuration Notes:

configuration item descriptive
servers Number of MinIO pods to deploy in the server pool
volumesPerServer To attach the number of persistent volumes to each MinIO pod (server), Operator generates a PVC for the number of volumesPerServer x servers for the tenant
storageClassName The Kubernetes storage class to be associated with the generated PVC may cause tenant startup to fail if no storage class matching the specified value exists, or if the specified storage class does not satisfy the number of pvc's or storage capacity requested
size The amount of storage requested for each generated PVC
[root@master01 ten-minio]# vim
tenant: name: tenant-01
  name: tenant-01
  pools.
    - servers: 4
      volumesPerServer: 4
      name: pool-0
      size: 2Gi #Limited by experimental disk space, adjusted to 2Gi
      storageClassName: directpv-min-io #Specify the sc created with directpv.

Configuration affinity/ or anti-affinity

Tenant Chart supports the following Kubernetes Selector, affinity, and anti-affinity configurations:

  • Node Selector ()
  • Node/Pod affinity or anti-affinity ([n].affinity)

MinIO recommends configuring Pod anti-affinity for tenants to ensure that the Kubernetes scheduler does not deploy multiple Pods to the same worker node.

If you need to deploy Pods to specific worker nodes, you can pass the labels or filters for those nodes to the nodeSelector or affinity field to restrict the scheduler from deploying Pods to those nodes.

[root@master01 ten-minio]# kubectl label nodes worker0{1,2,3,4} tenant-minio=enabled #Tagging nodes based on deployment planning
tenant:
  pools:
    - servers: 4
      name: pool-0
      size: 2Gi #Limited by experimental disk space,turn2Gi
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: tenant-minio
                operator: In
                values:
                - enabled

Configuring TLS Certificates

The MinIO Tenant CRD provides the following fields; use the appropriate fields to configure tenant TLS network encryption:

configure descriptive
Enables or disables the automatic generation of TLS certificates by MinIO.
If omitted, the default is true or enabled.
Customize the behavior of automatic TLS (if enabled).
Enable TLS for multiple hostnames via Server Name Indication ( SNI ).
Specify one or more Kubernetes secrets for /tls or cert-manager.
Enables validation of client TLS certificates signed by unknown, third-party, or internal CAs (Certificate authority).
Specify one or more Kubernetes secrets for /tls that contain the full chain of CA certificates for a specific organization.

Create certificates in advance.

[root@master01 ten-minio]# ll *com*
-rw-r--r-- 1 root root 3.9K Aug 24 06:19 
-rw-r--r-- 1 root root 1.7K Aug 24 06:19 
-rw-r--r-- 1 root root 3.9K Aug 24 05:36 
-rw-r--r-- 1 root root 1.7K Aug 24 05:36 


[root@master01 ten-minio]# kubectl -n minio-ns01 create secret tls minio-webui-tls --cert= --key=
[root@master01 ten-minio]# kubectl -n minio-ns01 create secret tls minio-api-tls --cert= --key=

[root@master01 ten-minio]# kubectl -n minio-ns01 describe secrets minio-webui-tls
[root@master01 ten-minio]# kubectl -n minio-ns01 describe secrets minio-api-tls

Turn off cert-manager automatic certificates.

  certificate:
    externalCaCertSecret: [ ]
    externalCertSecret: [ ]
    requestAutoCert: false
    certConfig: { }

Configuring Environment Variables

You can use Set MinIO Server environment variables.

meter header meter header
Specify a Kubernetes opaque secret with a data load containing every MinIO environment variable you want to set.
The data load must be a base64-encoded string, which can be created by creating a local file, setting environment variables, and then using cat LOCALFILE base64 to create the payload.

This setting allows you to set minio related users and passwords, this experiment keeps the default minio/minio123 .

Configuring the ingress

Configure ingress rules to expose minio within the cluster to the outside world.

ingress:
  api:
    enabled: true
    ingressClassName: "nginx"
    labels: { }
    annotations: 
      /rewrite-target: /
    tls: 
      - hosts:
          - ''
        secretName: minio-api-tls
    host: 
    path: /
    pathType: Prefix
  console:
    enabled: true
    ingressClassName: "nginx"
    labels: { }
    annotations: 
      /rewrite-target: /
    tls: 
      - hosts:
          - ''
        secretName: minio-webui-tls
    host: 
    path: /
    pathType: Prefix

Complete below:

tenant:
  name: tenant-01
  image:
    repository: /minio/minio
    tag: RELEASE.2024-08-17T01-24-54Z
    pullPolicy: IfNotPresent
  imagePullSecret: { }
  scheduler: { }
  configuration:
    name: myminio-env-configuration
  configSecret:
    name: myminio-env-configuration
    accessKey: minio
    secretKey: minio123

  pools:
    - servers: 4
      name: pool-0
      volumesPerServer: 4
      size: 2Gi
      storageClassName: directpv-min-io
      storageAnnotations: { }
      annotations: { }
      labels: { }
      tolerations: [ ]
      nodeSelector: { }
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: tenant-minio
                operator: In
                values:
                - enabled
      resources: { }
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        fsGroupChangePolicy: "OnRootMismatch"
        runAsNonRoot: true
      containerSecurityContext:
        runAsUser: 1000
        runAsGroup: 1000
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        seccompProfile:
          type: RuntimeDefault
      topologySpreadConstraints: [ ]
  mountPath: /export
  subPath: /data
  metrics:
    enabled: false
    port: 9000
    protocol: http
  certificate:
    externalCaCertSecret: [ ]
    externalCertSecret: [ ]
    requestAutoCert: false
    certConfig: { }
  features:
    bucketDNS: false
    domains: { }
    enableSFTP: false
  buckets: [ ]
  users: [ ]
  podManagementPolicy: Parallel
  liveness: { }
  readiness: { }
  startup: { }
  lifecycle: { }
  exposeServices: { }
  serviceAccountName: ""
  prometheusOperator: false
  logging: { }
  serviceMetadata: { }
  env: [ ]
  priorityClassName: ""
  additionalVolumes: [ ]
  additionalVolumeMounts: [ ]

ingress:
  api:
    enabled: true
    ingressClassName: "nginx"
    labels: { }
    annotations: 
      /rewrite-target: /
    tls: 
      - hosts:
          - ''
        secretName: minio-api-tls
    host: 
    path: /
    pathType: Prefix
  console:
    enabled: true
    ingressClassName: "nginx"
    labels: { }
    annotations: 
      /rewrite-target: /
    tls: 
      - hosts:
          - ''
        secretName: minio-webui-tls
    host: 
    path: /
    pathType: Prefix

Official deployment

Use the configured one for deployment.

[root@master01 ten-minio]# helm install \
--namespace minio-ns01 \
--create-namespace \
--values  tenant-01 minio-operator/tenant

016

validate

Confirm that the related deployment was successful.

  • Deployment validation
    View minio.
[root@master01 ten-minio]# kubectl get all -n minio-ns01 -o wide
NAME                     READY   STATUS    RESTARTS   AGE    IP             NODE       NOMINATED NODE   READINESS GATES
pod/tenant-01-pool-0-0   2/2     Running   0          6m6s   10.10.5.9      worker01   <none>           <none>
pod/tenant-01-pool-0-1   2/2     Running   0          6m6s   10.10.30.65    worker02   <none>           <none>
pod/tenant-01-pool-0-2   2/2     Running   0          6m6s   10.10.196.79   worker04   <none>           <none>
pod/tenant-01-pool-0-3   2/2     Running   0          6m5s   10.10.19.79    worker03   <none>           <none>

NAME                        TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE    SELECTOR
service/minio               ClusterIP   10.20.208.139   <none>        80/TCP     6m7s   /tenant=tenant-01
service/tenant-01-console   ClusterIP   10.20.114.138   <none>        9090/TCP   6m7s   /tenant=tenant-01
service/tenant-01-hl        ClusterIP   None            <none>        9000/TCP   6m7s   /tenant=tenant-01

NAME                                READY   AGE    CONTAINERS      IMAGES
/tenant-01-pool-0   4/4     6m6s   minio,sidecar   /minio/minio:RELEASE.2024-08-17T01-24-54Z,/minio/operator-sidecar:v6.0.2

[root@master01 ten-minio]# kubectl -n minio-ns01 get ingress -o wide
NAME                CLASS   HOSTS               ADDRESS        PORTS     AGE
tenant-01           nginx        172.24.10.11   80, 443   6m31s
tenant-01-console   nginx      172.24.10.11   80, 443   6m31s

View directpv.

[root@master01 ten-minio]# kubectl -n minio-ns01 get pvc
[root@master01 ten-minio]# kubectl directpv list drives

019

020

  • browser authentication
    Accessed using a browser The default minio account password: minio / minio123.

017

018

  • MC Validation
    The MinIO Client mc command line tool provides commands such as ls, cat, cp, mirror, and diff to support file systems and Amazon s3-compatible cloud storage services.

The mc command line tool is built for compatibility with the AWS S3 API and has been tested on MinIO and AWS S3 for expected functionality and behavior.

Install mc:

[root@master01 minio]# curl /client/mc/release/linux-amd64/mc \
  --create-dirs \
  -o /usr/local/bin/mc

[root@master01 minio]# chmod +x /usr/local/bin/mc
[root@master01 minio]# mc --help

Connect minio:
Use the mc alias set command to add Amazon s3-compatible services to the mc configuration, replacing the alias with the name to be associated with the S3 service.
The mc command usually requires alias as an argument to identify which S3 service it is to be executed against. If you omit ACCESS_KEY and SECRET_KEY, you will be prompted to enter these values in the CLI when executing the command.

[root@master01 minio]# mc alias set myminio  minio minio123
Added `myminio` successfully.
[root@master01 minio]# mc admin info myminio

021

Deployment Reference:Installing the MinIO Book with helm in K8S