S3 proxying in Kubernetes via S3-Gateway
Proxying traffic to S3 storage is one of the steps for preparing the BRIX infrastructure. The S3‑Gateway tool can be used for this purpose.
It provides access to the S3 storage deployed inside or outside the Kubernetes cluster via a single entry point — domain (FQDN) or IP address for BRIX.
S3-Gateway installation consists of four steps:
- Download the Helm chart and configuration file.
- Fill in the configuration file.
- Install the S3 Gateway chart using Helm in the Kubernetes cluster.
- Connect to S3.
Step 1: Download the Helm chart and configuration file
To install via the internet, obtain the values-s3gateway.yaml configuration file by executing the following command:
helm repo add elma365 https://charts.elma365.tech
helm repo update
helm show values elma365/s3gateway > values-s3gateway.yaml
Obtaining the configuration file for installation in a closed-loop environment without internet access
- On a computer with internet access, download the archive of the latest version of the S3 Gateway chart from the elma365 repository:
helm repo add elma365 https://charts.elma365.tech
helm repo update
helm pull elma365/s3gateway
- Copy the obtained s3gateway-X.Y.Z.tgz chart archive to the server where the installation will take place.
- Unpack the s3gateway-X.Y.Z.tgz chart on the installation server, and copy the
values.yaml default configuration file to values-s3gateway.yaml:
tar -xf s3gateway-X.Y.Z.tgz
cp s3gateway/values.yaml values-s3gateway.yaml
|
Step 2: Fill in the configuration file
Fill in the configuration file values-s3gateway.yaml for the S3 Gateway installation:
- In the
ingress.hostname parameter, specify the domain (FQDN) or IP address through which the BRIX application is accessible. - In the
ingress.path parameter, specify the name of the S3 bucket in which the BRIX application stores files.
The name of the bucket in S3 must correspond to the s3elma365 format.
Начало примера
Example:
- s3elma365.
- s3elma365-dev.
- s3elma365-prod.
конец примера
- The following changes should be made to the configuration file if the BRIX application web‑interface is accessible via HTTPS:
- Specify the domain (FQDN) in the
ingress.hostname parameter. - Enable TLS support by setting the value to
true in the ingress.tls parameter. - Uncomment the parameters in the
ingress.extraTls section. - For the
ingress.extraTls.hosts parameter, specify the domain (FQDN) through which the BRIX application is accessible. - For the
ingress.extraTls.secretName parameter, specify the name of the TLS type secret for the domain specified in ingress.extraTls.hosts.
- If high availability is required, specify the desired number of replicas in the
replicaCount parameter. - The
configuration parameter specifies the HAProxy configuration with which it will run in the Kubernetes cluster. In the backend s3_main section of the HAProxy configuration, specify the list of S3 servers to which user traffic should be redirected.
How to proxy the user traffic in the S3 MinIO storage using the elma365 dbs chart without SSL support in the Kubernetes cluster
In this example, the S3 storage is installed according to the instruction in the MinIO S3 article.
# HAProxy settings for proxying connections to the S3 Storage
haproxy:
ingress:
enabled: true
# enabling HAProxy Ingress support for working with OpenShift
openshift: false
# system's domain (FQDN) through which it is accessible
hostname: elma365-server.your_domain
# name of the bucket (in the S3 storage) for the BRIX application
path: /s3elma365
# enabling https
tls: false
# extraTls:
# - hosts:
# - elma365-server.your_domain
# secretName: elma365-server.your_domain-tls
# number of replicas to ensure high availability
replicaCount: 1
containerPorts:
- name: http
containerPort: 8080
# HAProxy configuration
configuration: |
global
log stdout format raw local0
maxconn 1024
defaults
log global
timeout client 60s
timeout connect 60s
timeout server 60s
frontend s3_main
bind :8080
default_backend s3_main
backend s3_main
server s3_1 minio.elma365-dbs.svc.cluster.local:80 check inter 2s
# safety context policy
podSecurityContext:
enabled: true
fsGroup: 1001
containerSecurityContext:
enabled: true
runAsUser: 1001
runAsNonRoot: true
# specifying resources
resources:
requests:
memory: "64Mi"
cpu: "50m"
limits:
memory: "512Mi"
cpu: "500m"
...
|
How to proxy the user traffic in the S3 MinIO storage with SSL support
In this example, four S3 (MinIO) servers are located outside the Kubernetes cluster and deployed according to the instructions in MinIO cluster article.
# HAProxy settings for proxying connections to the S3 Storage
haproxy:
ingress:
enabled: true
# enabling HAProxy Ingress support for working with OpenShift
openshift: false
# system's domain (FQDN) through which it is accessible
hostname: elma365-server.your_domain
# name of the bucket (in the S3 storage) for the BRIX application
path: /s3elma365
# enabling https
tls: true
extraTls:
- hosts:
- elma365-server.your_domain
secretName: elma365-server.your_domain-tls
# number of replicas to ensure high availability
replicaCount: 1
containerPorts:
- name: http
containerPort: 8080
# HAProxy configuration
configuration: |
global
log stdout format raw local0
maxconn 100000
defaults
log global
timeout client 60s
timeout connect 60s
timeout server 60s
frontend s3_main
bind :8080
default_backend s3_main
backend s3_main
balance leastconn
server s3_1 minio-server1.your_domain:9000 check-ssl ssl verify none check inter 2s
server s3_2 minio-server1.your_domain:9000 check-ssl ssl verify none check inter 2s
server s3_3 minio-server1.your_domain:9000 check-ssl ssl verify none check inter 2s
server s3_4 minio-server1.your_domain:9000 check-ssl ssl verify none check inter 2s
# safety context policy
podSecurityContext:
enabled: true
fsGroup: 1001
containerSecurityContext:
enabled: true
runAsUser: 1001
runAsNonRoot: true
# resources
resources:
requests:
memory: "64Mi"
cpu: "50m"
limits:
memory: "512Mi"
cpu: "500m"
...
|
- If you install S3‑Gateway in an isolated environment without internet access, fill out the parameters for connecting to the private registry.
How to fill out the connection parameters for the private registry
- Set address in
haproxy.image.registry. - Set path in
haproxy.image.repository. - Set name of the secret with access rights to the private registry in
haproxy.image.pullSecrets. The private registry must be created manually and encrypted in Base64.
# HAProxy settings for proxying connections to the S3 Storage.
haproxy:
...
# connection parameters to the private registry
image:
# address and path for the private registry
registry: registry.example.com
repository: /bitnami/haproxy
# tag: 2.7.3-debian-11-r5
# secret with access rights to the private registry must be created manually and encrypted in Base64
pullSecrets:
- myRegistryKeySecretName
|
Step 3: Install the S3 Gateway chart using Helm in the Kubernetes cluster
Perform the installation of the S3 Gateway chart in the s3gateway namespace.
Run the following command for online installation:
helm upgrade --install s3gateway elma365/s3gateway -f values-s3gateway.yaml -n s3gateway --create-namespace
Run the following command for offline installation without internet access:
helm upgrade --install s3gateway ./s3gateway -f values-s3gateway.yaml -n s3gateway --create-namespace
Step 4: Connect to S3
Parameters for connecting to S3:
address: specify elma365-server.your_domain.bucket, region, access key ID, secret access key, secret access key and enable SSL: specify values according to the parameters of the S3 storage for which proxying is configured.
начало внимание
Infrastructure preparation occurs before the installation of the BRIX application. If the S3-Gateway chart has been installed, don't forget to change the connection address to S3 (elma365.s3.backend.address) in the BRIX application settings. For more details, refer to Modify BRIX Enterprise parameters.
конец внимание
