chore: minio support tls (#2484)

ldming · apecloud-bot · commit 327846854edb · 2026-03-05T09:40:42.000Z
(cherry picked from commit 35ea77a)
diff --git a/addons/minio/scripts/startup.sh b/addons/minio/scripts/startup.sh
@@ -3,6 +3,15 @@
 replicas_history_file="/minio-config/MINIO_REPLICAS_HISTORY"
 bucket_dir="/data"
 
+setup_tls_certs() {
+  if [ "$TLS_ENABLED" = "true" ] && [ -f ${CERTS_PATH}/ca.pem ]; then
+    echo "Setting up TLS CA certificate for MinIO..."
+    mkdir -p ${CERTS_PATH}/CAs
+    cp -L ${CERTS_PATH}/ca.pem ${CERTS_PATH}/CAs/ca.crt
+    echo "TLS CA certificate setup completed"
+  fi
+}
+
 init_buckets() {
   local buckets=$1
   IFS=',' read -ra BUCKET_ARRAY <<< "$buckets"
@@ -62,6 +71,14 @@ build_startup_cmd() {
 }
 
 startup() {
+  if [ "$TLS_ENABLED" = "true" ]; then
+    export HTTP_PROTOCOL="https"
+  else
+    export HTTP_PROTOCOL="http"
+  fi
+
+  setup_tls_certs
+
   cmd=$(build_startup_cmd)
   status=$?
   if [ $status -ne 0 ]; then
diff --git a/addons/minio/templates/cmpd.yaml b/addons/minio/templates/cmpd.yaml
@@ -95,10 +95,18 @@ spec:
       value: {{ .Values.minioAPIPort | quote }}
     - name: MINIO_CONSOLE_PORT
       value: {{ .Values.minioConsolePort | quote}}
-    - name: HTTP_PROTOCOL
-      value: {{ .Values.tls.enabled | ternary "https" "http" | quote }}
     - name: SERVICE_PORT
       value: "9000"
+    - name: TLS_ENABLED
+      valueFrom:
+        tlsVarRef:
+          enabled: Optional
+  tls:
+    volumeName: tls
+    mountPath: {{ .Values.certsPath | quote }}
+    caFile: ca.pem
+    certFile: public.crt
+    keyFile: private.key
   roles:
     - name: readwrite
       updatePriority: 1
@@ -123,8 +131,14 @@ spec:
           - -c
           - |
             # Set alias and check MinIO readiness using mc command
-            mc alias set local http://127.0.0.1:9000 $MINIO_ROOT_USER $MINIO_ROOT_PASSWORD >/dev/null 2>&1
-            if mc admin info local >/dev/null 2>&1; then
+            PROTOCOL="http"
+            MC_INSECURE=""
+            if [ "$TLS_ENABLED" = "true" ]; then
+              PROTOCOL="https"
+              MC_INSECURE="--insecure"
+            fi
+            mc alias set local ${PROTOCOL}://127.0.0.1:9000 $MINIO_ROOT_USER $MINIO_ROOT_PASSWORD ${MC_INSECURE} >/dev/null 2>&1
+            if mc admin info local ${MC_INSECURE} >/dev/null 2>&1; then
               echo -n "readwrite"
             else
               echo -n "notready"
