6.1.3. Use external S3-compatible object storage

Nubus for Kubernetes needs an S3-compatible object storage for various application components. This section describes how to configure Nubus for Kubernetes to use an external S3-compatible object storage. First, you need to prepare a bucket in your S3-compatible storage. Second, you must configure your Nubus deployment to use the storage.

For an overview of which application components require an S3-compatible object storage, see S3-compatible object storage in Univention Nubus for Kubernetes - Architecture Manual [2].

Important

Nubus for Kubernetes includes a deployment for MinIO. However, Univention doesn’t provide support for the MinIO deployment within Nubus.

Recommendation

Use an external S3-compatible object storage with implemented concepts for backup, restore, and redundancy.

See also

S3-compatible object storage as architectural piece in Nubus in Univention Nubus for Kubernetes - Architecture Manual [2] for information about application components using S3-compatible object storage.

6.1.3.1. Prepare external S3-compatible object storage for Nubus

Before you can connect Nubus for Kubernetes to your S3-compatible storage, you need to prepare it properly. This section describes the necessary steps.

  1. Create a private bucket in your S3-compatible storage for the Nubus assets.

    Nubus creates various folders in it. Most are for private use, but one folder must allow public access.

    Caution

    Make sure, and verify, that you configure the bucket as a private bucket.

  2. Create a policy for the folder portal-assets that allows public read access.

  3. Create the following accounts for the bucket:

    • For the Portal Server with read access.

    • For the Portal Consumer with read and write access.

    Remember the access key and the secret key for each account. You need those credentials for the configuration of the Nubus deployment.

  4. You need to collect the following information about your S3-compatible object storage:

    • Bucket name

    • Access key and secret key for each of the accounts that you created in your storage in the previous step.

    • Endpoint URL of your S3-compatible storage with the following elements:

      • Protocol, such as http or https.

      • Host or fully qualified hostname.

      • Port to the API of the S3-compatible storage.

      Example:

      https://storage.example.com:9000
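One way to verify steps 1 and 2, as an added example that is not part of the Nubus documentation: a Python check over a bucket policy document that reports any anonymous grant reaching beyond the portal-assets folder. It assumes the AWS-style policy JSON that many S3-compatible stores accept, that public read means s3:GetObject only, and the bucket name nubus; the function names and sample policies are hypothetical.

```python
# Assumption: "public read" means anonymous s3:GetObject on objects only.
ALLOWED_PUBLIC_ACTIONS = {"s3:GetObject"}

def _as_list(value):
    """Policy fields may be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True for "*", {"AWS": "*"} and {"AWS": ["*", ...]}."""
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"

def audit_public_access(policy, bucket, public_prefix="portal-assets/"):
    """Return findings for anonymous grants that reach beyond public_prefix."""
    allowed_arn = f"arn:aws:s3:::{bucket}/{public_prefix}"
    findings, prefix_readable = [], False
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # An Allow with NotPrincipal applies to everyone except the named principals.
        if not ("NotPrincipal" in stmt or _is_anonymous(stmt.get("Principal"))):
            continue
        if any(k in stmt for k in ("NotPrincipal", "NotAction", "NotResource")):
            findings.append(f"statement {i}: Allow with Not* element, review manually")
            continue
        actions, resources = _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))
        bad = [f"action {a} exceeds s3:GetObject" for a in actions
               if a not in ALLOWED_PUBLIC_ACTIONS]
        bad += [f"resource {r} is outside {public_prefix}" for r in resources
                if not r.startswith(allowed_arn)]
        findings += [f"statement {i}: anonymous {b}" for b in bad]
        prefix_readable |= bool(actions and resources and not bad)
    if not prefix_readable:
        findings.append(f"no statement limits anonymous read to {public_prefix}")
    return findings

# Constructed sample policies for a bucket named "nubus" (assumed name).
GOOD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ["*"]}, "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::nubus/portal-assets/*"]}]}
BAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::nubus", "arn:aws:s3:::nubus/*"]}]}

if __name__ == "__main__":
    for name, pol in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_public_access(pol, "nubus") or "ok")
```

Export the policy from your storage as JSON and pass the parsed document to `audit_public_access`; an empty list means that anonymous access is limited to reading objects under portal-assets.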

After you have configured everything, you can continue with Configure deployment for using external S3-compatible object storage.

6.1.3.2. Configure deployment for using external S3-compatible object storage

To use an external S3-compatible object storage for Nubus, go through the following steps:

  1. Deactivate the provisioning jobs for the S3-compatible object storage. Add the lines in Listing 6.5 to your custom_values.yaml values file.

    Listing 6.5 Deactivate the provisioning jobs for MinIO
    global:
      minio:
        provisioning:
          enabled: false
    
  2. Add the connection parameters for your external S3-compatible storage to your custom_values.yaml values file. You need to configure the application components separately, as shown in Listing 6.6.

    Listing 6.6 Configure parameters for external S3-compatible storage
    nubusPortalConsumer:
      portalConsumer:
        objectStorageEndpoint: "https://storage.example.com:9000"
        objectStorageBucket: "nubus"
    
    nubusPortalServer:
      portalServer:
        objectStorageEndpoint: "https://storage.example.com:9000"
        objectStorageBucket: "nubus"
    
  3. Add the credentials to the S3-compatible object storage. Make sure to use the right user account for the right section. You can either configure the custom credentials, or you can refer to existing Kubernetes Secrets objects. See the following examples.

    Custom credential configuration

    Use the example in Listing 6.7, if you want to provide custom credentials.

    Listing 6.7 Configure custom credentials for external S3-compatible storage
    nubusPortalConsumer:
      objectStorage:
        auth:
          accessKey: "<access-key-for-portal-consumer-user>"
          secretKey: "<secret-key-for-portal-consumer-user>"
    
    nubusPortalServer:
      objectStorage:
        auth:
          accessKey: "<access-key-for-portal-server-user>"
          secretKey: "<secret-key-for-portal-server-user>"
    
    Kubernetes secrets for credentials configuration

    Use the example in Listing 6.8, if you want to use existing Kubernetes Secrets.

    Listing 6.8 Configure existing Kubernetes Secrets for external S3-compatible storage
    nubusPortalConsumer:
      objectStorageCredentialSecret:
        name: "name-of-secret-object-for-portal-consumer"
        accessKeyKey: "<key-in-secret-object-for-access-key>"
        secretKeyKey: "<key-in-secret-object-for-secret-key>"
    
    nubusPortalServer:
      objectStorageCredentialSecret:
        name: "name-of-secret-object-for-portal-server"
        accessKeyKey: "<key-in-secret-object-for-access-key>"
        secretKeyKey: "<key-in-secret-object-for-secret-key>"
    

    See also

    Secrets in Nubus for Kubernetes for information about different options using secrets in Nubus for Kubernetes.

  4. To apply the configuration, follow the steps in Apply configuration.

    After you have configured the settings in your values file, you need to make them known to your Nubus deployment.