search string side menu

S3 proxying in Kubernetes via S3-Gateway

Proxying traffic to S3 storage is one of the steps for preparing the BRIX infrastructure. The S3‑Gateway tool can be used for this purpose.

It provides access to the S3 storage deployed inside or outside the Kubernetes cluster via a single entry point — domain (FQDN) or IP address for BRIX.

S3-Gateway installation consists of four steps:

  1. Download the Helm chart and configuration file.
  2. Fill in the configuration file.
  3. Install the S3 Gateway chart using Helm in the Kubernetes cluster.
  4. Connect to S3.

Step 1: Download the Helm chart and configuration file

To install via the internet, obtain the values-s3gateway.yaml configuration file by executing the following command:

helm repo add elma365 https://charts.elma365.tech
helm repo update
helm show values elma365/s3gateway > values-s3gateway.yaml

Obtaining the configuration file for installation in a closed-loop environment without internet access

  1. On a computer with internet access, download the archive of the latest version of the S3 Gateway chart from the elma365 repository:

helm repo add elma365 https://charts.elma365.tech
helm repo update
helm pull elma365/s3gateway

  1. Copy the obtained s3gateway-X.Y.Z.tgz chart archive to the server where the installation will take place.
  1. Unpack the s3gateway-X.Y.Z.tgz chart on the installation server, and copy the values.yaml default configuration file to values-s3gateway.yaml:

tar -xf s3gateway-X.Y.Z.tgz
cp s3gateway/values.yaml values-s3gateway.yaml

Step 2: Fill in the configuration file

Fill in the configuration file values-s3gateway.yaml for the S3 Gateway installation:

  1. In the ingress.hostname parameter, specify the domain (FQDN) or IP address through which the BRIX application is accessible.
  2. In the ingress.path parameter, specify the name of the S3 bucket in which the BRIX application stores files.
    The name of the bucket in S3 must correspond to the s3elma365 format.

Начало примера

Example

  1. s3elma365.
  2. s3elma365-dev.
  3. s3elma365-prod.

конец примера

  1. The following changes should be made to the configuration file if the BRIX application web‑interface is accessible via HTTPS:
  • Specify the domain (FQDN) in the ingress.hostname parameter.
  • Enable TLS support by setting the value to true in the ingress.tls parameter.
  • Uncomment the parameters in the ingress.extraTls section.
  • For the ingress.extraTls.hosts parameter, specify the domain (FQDN) through which the BRIX application is accessible.
  • For the ingress.extraTls.secretName parameter, specify the name of the TLS type secret for the domain specified in ingress.extraTls.hosts.
  1. If high availability is required, specify the desired number of replicas in the replicaCount parameter.
  2. The configuration parameter specifies the HAProxy configuration with which it will run in the Kubernetes cluster. In the backend s3_main section of the HAProxy configuration, specify the list of S3 servers to which user traffic should be redirected.

How to proxy the user traffic in the S3 MinIO storage using the elma365 dbs chart without SSL support in the Kubernetes cluster

 
In this example, the S3 storage is installed according to the instruction in the MinIO S3 article.

 
# HAProxy settings for proxying connections to the S3 Storage
haproxy:
ingress:
  enabled: true
# enabling HAProxy Ingress support for working with OpenShift
openshift: false
# system's domain (FQDN) through which it is accessible
hostname: elma365-server.your_domain
# name of the bucket (in the S3 storage) for the BRIX application
path: /s3elma365
# enabling https
tls: false
#  extraTls:
#  - hosts:
#      - elma365-server.your_domain
#  secretName: elma365-server.your_domain-tls
# number of replicas to ensure high availability
replicaCount: 1
containerPorts:
  - name: http
    containerPort: 8080
# HAProxy configuration
configuration: |
  global
    log stdout format raw local0
    maxconn 1024
  defaults
    log global
    timeout client 60s
    timeout connect 60s
    timeout server 60s
  frontend s3_main
    bind :8080
    default_backend s3_main
  backend s3_main
    server s3_1 minio.elma365-dbs.svc.cluster.local:80 check inter 2s
# safety context policy
podSecurityContext:
  enabled: true
  fsGroup: 1001
containerSecurityContext:
  enabled: true
  runAsUser: 1001
  runAsNonRoot: true
# specifying resources
resources:
  requests:
    memory: "64Mi"
    cpu: "50m"
  limits:
    memory: "512Mi"
    cpu: "500m"
...

 

How to proxy the user traffic in the S3 MinIO storage with SSL support

 
In this example, four S3 (MinIO) servers are located outside the Kubernetes cluster and deployed according to the instructions in MinIO cluster article.

 
# HAProxy settings for proxying connections to the S3 Storage
haproxy:
ingress:
  enabled: true
# enabling HAProxy Ingress support for working with OpenShift
openshift: false
# system's domain (FQDN) through which it is accessible
hostname: elma365-server.your_domain
# name of the bucket (in the S3 storage) for the BRIX application
path: /s3elma365
# enabling https
tls: true
  extraTls:
  - hosts:
      - elma365-server.your_domain
  secretName: elma365-server.your_domain-tls
# number of replicas to ensure high availability
replicaCount: 1
containerPorts:
  - name: http
    containerPort: 8080
# HAProxy configuration
configuration: |
  global
    log stdout format raw local0
    maxconn 100000
  defaults
    log global
    timeout client 60s
    timeout connect 60s
    timeout server 60s
  frontend s3_main
    bind :8080
    default_backend s3_main
  backend s3_main
    balance leastconn
    server s3_1 minio-server1.your_domain:9000 check-ssl ssl verify none check inter 2s
    server s3_2 minio-server1.your_domain:9000 check-ssl ssl verify none check inter 2s
    server s3_3 minio-server1.your_domain:9000 check-ssl ssl verify none check inter 2s
    server s3_4 minio-server1.your_domain:9000 check-ssl ssl verify none check inter 2s
# safety context policy
podSecurityContext:
  enabled: true
  fsGroup: 1001
containerSecurityContext:
  enabled: true
  runAsUser: 1001
  runAsNonRoot: true
# resources
resources:
  requests:
    memory: "64Mi"
    cpu: "50m"
  limits:
    memory: "512Mi"
    cpu: "500m"
...
  1. If you install S3‑Gateway in an isolated environment without internet access, fill out the parameters for connecting to the private registry.

How to fill out the connection parameters for the private registry

 

  1. Set address in haproxy.image.registry.
  2. Set path in haproxy.image.repository.
  3. Set name of the secret with access rights to the private registry in haproxy.image.pullSecrets. The private registry must be created manually and encrypted in Base64.

# HAProxy settings for proxying connections to the S3 Storage.
haproxy:
...
  # connection parameters to the private registry
  image:
    # address and path for the private registry
    registry: registry.example.com
    repository: /bitnami/haproxy
#   tag: 2.7.3-debian-11-r5
    #  secret with access rights to the private registry must be created manually and encrypted in Base64
    pullSecrets:
      - myRegistryKeySecretName

Step 3: Install the S3 Gateway chart using Helm in the Kubernetes cluster

Perform the installation of the S3 Gateway chart in the s3gateway namespace.

Run the following command for online installation:

helm upgrade --install s3gateway elma365/s3gateway -f values-s3gateway.yaml -n s3gateway --create-namespace

Run the following command for offline installation without internet access:

helm upgrade --install s3gateway ./s3gateway -f values-s3gateway.yaml -n s3gateway --create-namespace

Step 4: Connect to S3

Parameters for connecting to S3:

  • address: specify elma365-server.your_domain.
  • bucket, region, access key ID, secret access key, secret access key and enable SSL: specify values according to the parameters of the S3 storage for which proxying is configured.

начало внимание

Infrastructure preparation occurs before the installation of the BRIX application. If the S3-Gateway chart has been installed, change the connection address to S3 (elma365.s3.backend.address) in the BRIX application settings.

конец внимание

proxy-db-kubernetes.html pgbouncer-installation.html