For some reason, most NAS devices (at least the ones we managed to get our hands on) still do not support the S3 protocol. Yet S3 is the main protocol for backups in K8s. So let's add such an adapter.
The adapter is built on MinIO, which has a special mode for this (gateway nas).
For example, like this:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: minio
spec:
  replicas: 1
  selector:
    matchLabels:
      app: minio
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: minio
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      containers:
        - name: main
          # Unpinned tag: gateway mode was removed from newer MinIO releases,
          # so pin a release that still includes it.
          image: minio/minio
          imagePullPolicy: IfNotPresent
          command:
            - "/bin/sh"
            - "-ce"
            - "/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway nas --console-address=:9001 /storage"
          resources:
            limits:
              memory: 4Gi
            requests:
              memory: 4Gi
          env:
            # Root credentials come from the "minio" Secret created below.
            - name: MINIO_ROOT_USER
              valueFrom:
                secretKeyRef:
                  name: minio
                  key: accesskey
            - name: MINIO_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: minio
                  key: secretkey
          ports:
            - name: api
              containerPort: 9000
              protocol: TCP
            - name: console
              containerPort: 9001
              protocol: TCP
          volumeMounts:
            - name: storage
              mountPath: "/storage"
          securityContext:
            # fsGroup is a pod-level field only; it is set in the pod securityContext above.
            runAsGroup: 1000
            runAsUser: 1000
      volumes:
        # The NAS share must already be mounted at this path on the node (see the WebDAV steps).
        - name: storage
          hostPath:
            path: /mnt/s3
            type: Directory
        - name: minio-user
          secret:
            defaultMode: 420
            secretName: minio
---
apiVersion: v1
kind: Service
metadata:
  name: minio
spec:
  type: LoadBalancer
  loadBalancerIP: 192.168.1.120
  ports:
    # S3 API
    - port: 9000
      targetPort: 9000
      protocol: TCP
      name: api
    # Web admin console
    - port: 9001
      targetPort: 9001
      protocol: TCP
      name: console
  selector:
    app: minio
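And the corresponding commands:
# "k" is a shell alias for kubectl; "k ns" needs the kubectl ns (kubens) plugin
k create ns s3nas
k ns s3nas
# Placeholder credentials; literals passed on the command line end up in shell history
k create secret generic minio --from-literal=accesskey=userNamek8s --from-literal="secretkey=PassWord"
k apply -f s3nas.yaml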
Example of how to mount WebDAV on each node (commands for Ubuntu):
apt-get -y install davfs2
mkdir /mnt/s3
# uid=1000 matches runAsUser in the Deployment
cat << EOF | sudo tee -a /etc/fstab
https://192.168.1.100:5003/webdav/s3 /mnt/s3 davfs _netdev,auto,user,uid=1000 0 0
EOF
# davfs2 reads the WebDAV credentials from this file; keep it root-owned with mode 600
cat << EOF | sudo tee -a /etc/davfs2/secrets
/mnt/s3 userNamek8s PassWord
EOF
# Import the NAS HTTPS certificate. This trusts whatever certificate the port
# serves at this moment, so compare its fingerprint with the one the NAS shows
# before relying on it.
openssl s_client -connect 192.168.1.100:5003 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > nas-CA.cer
mv nas-CA.cer /etc/ssl/certs/
cp /etc/ssl/certs/nas-CA.cer /etc/davfs2/certs/
echo "trust_ca_cert /etc/davfs2/certs/nas-CA.cer" >> /etc/davfs2/davfs2.conf
mount /mnt/s3
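The certificate import above trusts whatever certificate the NAS port presents at that moment. As an added example (not part of the original post), these shell functions install the fetched file only when its SHA-256 fingerprint matches a value obtained out-of-band; the function names and the expected-fingerprint argument are assumptions.

```shell
#!/bin/sh
# Added example: pin the NAS certificate before davfs2 is told to trust it.
# Function names are hypothetical; the expected fingerprint is an assumption,
# read out-of-band (for example from the NAS admin UI), never from the same
# network connection that delivered the certificate.

# Print the SHA-256 fingerprint of a PEM certificate as lowercase hex, no colons.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
    sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Accept fingerprints typed with or without colons, in either case.
normalise_fp() {
  printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# trust_if_pinned CERT EXPECTED_FP DEST_DIR
# Returns 0 and copies CERT into DEST_DIR only when the fingerprint matches.
# Returns 1 on mismatch, 2 when CERT is not a readable PEM certificate.
trust_if_pinned() {
  pin_expected=$(normalise_fp "$2")
  pin_actual=$(cert_fingerprint "$1")
  if [ -z "$pin_actual" ]; then
    echo "not a PEM certificate: $1" >&2
    return 2
  fi
  if [ "$pin_actual" != "$pin_expected" ]; then
    echo "fingerprint mismatch, refusing to trust $1 (got $pin_actual)" >&2
    return 1
  fi
  cp "$1" "$3/"
}

# Usage on a node, in place of the unconditional mv/cp of the fetched file:
#   trust_if_pinned nas-CA.cer "<fingerprint from NAS admin UI>" /etc/davfs2/certs
```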
The web admin console is available on port 9001 (you can also create buckets and users there). To work from the command line:
# Read the credentials back from the Secret instead of typing them again
ACCESS_KEY=$(kubectl get secret minio -o jsonpath="{.data.accesskey}" | base64 --decode)
SECRET_KEY=$(kubectl get secret minio -o jsonpath="{.data.secretkey}" | base64 --decode)
brew install minio-mc
# The address is the Service's loadBalancerIP
mc alias set minio-local http://192.168.1.120:9000 "$ACCESS_KEY" "$SECRET_KEY" --api s3v4
mc ls minio-local
Of course, it is better when the volume is mounted directly into the container, but stock Kubernetes does not support this; it requires installing a plugin. We'll do that sometime later.
Further security (RBAC) and monitoring (Prometheus) topics are not covered here, but for a first iteration this is enough for home use.