S3 Gateway enables access to an S3 storage through a unified entry point in the BRIX application. The unified entry point is a domain (FQDN) or IP address through which BRIX is accessible. The S3 Gateway allows traffic to be proxied to an S3 storage both outside and within the Kubernetes cluster.
Installation consists of four steps:
- Download the Helm chart and configuration file.
- Fill in the configuration file.
- Install the S3 Gateway chart using Helm in the Kubernetes cluster.
- Connect to S3.
Step 1: Download the Helm chart and configuration file
To install via the internet, obtain the values-s3gateway.yaml configuration file by executing the following commands:
helm repo add elma365 https://charts.elma365.tech
helm repo update
helm show values elma365/s3gateway > values-s3gateway.yaml
helm repo add elma365 https://charts.elma365.tech
tar -xf s3gateway-X.Y.Z.tgz
Step 2: Fill in the configuration file
Fill in the configuration file values-s3gateway.yaml for the S3 Gateway installation.
In the ingress.hostname parameter, specify the domain (FQDN) or IP address through which the BRIX application is accessible. In the ingress.path parameter, specify the name of the S3 bucket in which the BRIX application stores files.
The name of the S3 bucket must correspond to the s3elma365* format.
Example:
- s3elma365.
- s3elma365-dev.
- s3elma365-prod.
If the BRIX web interface is accessible over HTTPS:
- Specify the domain (FQDN) in the ingress.hostname parameter.
- Enable TLS support by setting the value to true in the ingress.tls parameter.
- Uncomment the parameters in the ingress.extraTls section.
- For the ingress.extraTls.hosts parameter, specify the domain (FQDN) through which the BRIX application is accessible.
- For the ingress.extraTls.secretName parameter, specify the name of the TLS type secret for the domain specified in ingress.extraTls.hosts.
If high availability is required, specify the desired number of replicas in the replicaCount parameter.
The configuration parameter specifies the HAProxy configuration with which it will run in the Kubernetes cluster. In the backend s3_main section of the HAProxy configuration, specify the list of S3 servers to which user traffic should be redirected.
The following example proxies user traffic without SSL support to a MinIO S3 storage deployed in the Kubernetes cluster with the elma365-dbs chart, also without SSL support. The storage is installed according to the instructions in the MinIO S3 article.
Example:
## HAProxy settings for proxying connections to the S3 Storage
haproxy:
  ingress:
    enabled: true
    ## enabling HAProxy Ingress support for working with OpenShift
    openshift: false
    ## system's domain (FQDN) through which it is accessible
    hostname: elma365-server.your_domain
    ## name of the bucket (in the S3 storage) for the BRIX application
    path: /s3elma365
    ## enabling https
    tls: false
    # extraTls:
    #   - hosts:
    #       - elma365-server.your_domain
    #     secretName: elma365-server.your_domain-tls
  ## number of replicas to ensure high availability
  replicaCount: 1
  containerPorts:
    - name: http
      containerPort: 8080
  ## HAProxy configuration
  configuration: |
    global
      log stdout format raw local0
      maxconn 1024
    defaults
      log global
      timeout client 60s
      timeout connect 60s
      timeout server 60s
    frontend s3_main
      bind :8080
      default_backend s3_main
    backend s3_main
      server s3_1 minio.elma365-dbs.svc.cluster.local:80 check inter 2s
  ## security context policy
  podSecurityContext:
    enabled: true
    fsGroup: 1001
  containerSecurityContext:
    enabled: true
    runAsUser: 1001
    runAsNonRoot: true
  ## specifying resources
  resources:
    requests:
      memory: "64Mi"
      cpu: "50m"
    limits:
      memory: "512Mi"
      cpu: "500m"
...
Example of proxying user traffic with SSL support to 4 S3 servers (MinIO) located outside the Kubernetes cluster and deployed according to the instructions in MinIO cluster with SSL support:
## HAProxy settings for proxying connections to the S3 Storage
haproxy:
  ingress:
    enabled: true
    ## enabling HAProxy Ingress support for working with OpenShift
    openshift: false
    ## system's domain (FQDN) through which it is accessible
    hostname: elma365-server.your_domain
    ## name of the bucket (in the S3 storage) for the BRIX application
    path: /s3elma365
    ## enabling https
    tls: true
    extraTls:
      - hosts:
          - elma365-server.your_domain
        secretName: elma365-server.your_domain-tls
  ## number of replicas to ensure high availability
  replicaCount: 1
  containerPorts:
    - name: http
      containerPort: 8080
  ## HAProxy configuration
  configuration: |
    global
      log stdout format raw local0
      maxconn 100000
    defaults
      log global
      timeout client 60s
      timeout connect 60s
      timeout server 60s
    frontend s3_main
      bind :8080
      default_backend s3_main
    backend s3_main
      balance leastconn
      ## "verify none": the connection to the storage is encrypted, but the server certificate is not validated
      server s3_1 minio-server1.your_domain:9000 check-ssl ssl verify none check inter 2s
      server s3_2 minio-server2.your_domain:9000 check-ssl ssl verify none check inter 2s
      server s3_3 minio-server3.your_domain:9000 check-ssl ssl verify none check inter 2s
      server s3_4 minio-server4.your_domain:9000 check-ssl ssl verify none check inter 2s
  ## security context policy
  podSecurityContext:
    enabled: true
    fsGroup: 1001
  containerSecurityContext:
    enabled: true
    runAsUser: 1001
    runAsNonRoot: true
  ## resources
  resources:
    requests:
      memory: "64Mi"
      cpu: "50m"
    limits:
      memory: "512Mi"
      cpu: "500m"
...
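A pre-deployment check for the values described above, added here as an example and not part of the BRIX chart or its documentation: it verifies that ingress.path follows the s3elma365* format and reports, for each server in the backend s3_main section, a plaintext connection, TLS with verify none, or an address already used by another server. The function names and the sample configuration are assumptions made for this example.

```python
import re

# Constructed sample modelled on the SSL example, with one address
# deliberately repeated to show the duplicate check.
SAMPLE_CFG = """\
frontend s3_main
  bind :8080
  default_backend s3_main
backend s3_main
  balance leastconn
  server s3_1 minio-server1.your_domain:9000 check-ssl ssl verify none check inter 2s
  server s3_2 minio-server1.your_domain:9000 check-ssl ssl verify none check inter 2s
"""

SECTIONS = ("global", "defaults", "frontend", "backend", "listen")


def bucket_path_ok(path):
    """ingress.path must name a bucket in the s3elma365* format."""
    return re.fullmatch(r"/s3elma365[^/\s]*", path) is not None


def lint_backend(cfg, backend="s3_main"):
    """Return (server, finding) pairs for the named HAProxy backend (hypothetical helper)."""
    findings, seen, in_backend = [], {}, False
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not words:
            continue
        if words[0] in SECTIONS:
            in_backend = words[0] == "backend" and words[1:2] == [backend]
            continue
        if not in_backend or words[0] != "server" or len(words) < 3:
            continue
        name, addr, opts = words[1], words[2], words[3:]
        if addr in seen:
            findings.append((name, f"same address as {seen[addr]}"))
        else:
            seen[addr] = name
        if "ssl" not in opts:
            findings.append((name, "plaintext connection to storage"))
        elif "verify" in opts and opts[opts.index("verify") + 1:][:1] == ["none"]:
            findings.append((name, "TLS without certificate verification"))
    return findings


if __name__ == "__main__":
    for name, finding in lint_backend(SAMPLE_CFG):
        print(f"{name}: {finding}")
```

A server line that uses HAProxy's `ssl verify required ca-file <path>` produces no TLS finding; the CA file path is an assumption and the file would have to be made available inside the HAProxy pod.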
Filling in connection parameters for installation in a closed environment without internet access
To connect to the private registry:
## HAProxy settings for proxying connections to the S3 Storage.
Step 3: Install the S3 Gateway chart using Helm in the Kubernetes cluster
Install the S3 Gateway chart in the s3gateway namespace.
For online installation:
helm upgrade --install s3gateway elma365/s3gateway -f values-s3gateway.yaml -n s3gateway --create-namespace
For offline installation without internet access:
helm upgrade --install s3gateway ./s3gateway -f values-s3gateway.yaml -n s3gateway --create-namespace
Step 4: Connect to S3
Parameters for connecting to S3:
- address: specify elma365-server.your_domain.
- bucket, region, access key ID, secret access key and enable SSL: specify values according to the parameters of the S3 storage for which proxying is configured.
Infrastructure preparation occurs before the installation of the BRIX application. If the S3-Gateway chart has been installed, don't forget to change the connection address to S3 (elma365.s3.backend.address) in the BRIX application settings. For more details, refer to Modify BRIX Enterprise parameters.