@doubledna doubledna commented Oct 10, 2025

What this PR does / why we need it: When Milvus connects to external S3, the aksk uses k8s Secret storage. / S3 aksk stored in Helm values is prone to leakage.

Checklist

[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]

  • [x] Chart Version bumped
  • Variables are documented in the README.md
  • Title of the PR starts with chart name (e.g. [mychartname])
  • PR only contains changes for one chart

@sre-ci-robot
Collaborator

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: doubledna
To complete the pull request process, please assign loveeachday after the PR has been reviewed.
You can assign the PR to them by writing /assign @loveeachday in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@sre-ci-robot
Collaborator

Welcome @doubledna! It looks like this is your first PR to zilliztech/milvus-helm 🎉

@doubledna doubledna requested review from LoveEachDay and removed request for LoveEachDay and haorenfsa October 10, 2025 08:54
@doubledna doubledna force-pushed the gaolincheng/s3_aksk_use_secret branch 2 times, most recently from 7e1edaf to 508887d Compare October 10, 2025 11:19
@mergify mergify bot added the ci-passed label Oct 10, 2025
port: ""
accessKey: ""
secretKey: ""
existingSecret: false
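
Review bot: At `existingSecret: false`, a bare boolean leaves no place to name the Secret or the keys inside it, and the plaintext `accessKey: ""` / `secretKey: ""` fields sit directly above it with no comment saying which source takes precedence when both are set. Consider making `existingSecret` a map that carries the Secret name and the key names, and add a values comment stating how it interacts with the inline `accessKey` and `secretKey`.
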
Collaborator

@LoveEachDay LoveEachDay Oct 10, 2025

Combine the values like this:

existingSecret:
   enabled: false
   name: s3-credentials
   accessKey: "accessKey"
   secretKey: "secretKey"

Author

Modified and resubmitted.

@doubledna doubledna force-pushed the gaolincheng/s3_aksk_use_secret branch from 508887d to 08bc22e Compare October 10, 2025 11:48
@mergify mergify bot added ci-passed and removed ci-passed labels Oct 10, 2025
$ helm upgrade --install my-release --set cluster.enabled=false --set standalone.messageQueue=kafka --set etcd.replicaCount=1 --set pulsarv3.enabled=false --set kafka.enabled=true --set minio.mode=standalone zilliztech/milvus
```
If you need to use standalone mode with embedded ETCD and local storage (without starting MinIO and additional ETCD), you can use the following steps:
use external S3 as object storage and store aksk in secret
Collaborator

Should put this into a separate section, not under "Deploy Milvus with standalone mode".

```
If you need to use standalone mode with embedded ETCD and local storage (without starting MinIO and additional ETCD), you can use the following steps:
use external S3 as object storage and store aksk in secret
1. Create a secret with name `s3-credentials` in namespace `default` or use existing s3 aksk secret
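
Review bot: Step 1 tells the reader to create or reuse a Secret but does not say which data keys the chart reads from it, so someone pointing at an existing Secret has to guess the expected key names. State the required key names in this step, and spell out "aksk" as access key and secret key on first use in the README.
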
Collaborator

No need to limit the namespace to default namespace.

Author

👌

@doubledna doubledna force-pushed the gaolincheng/s3_aksk_use_secret branch from 08bc22e to 2b49aa5 Compare October 13, 2025 02:28
@mergify mergify bot removed the ci-passed label Oct 13, 2025
@doubledna doubledna force-pushed the gaolincheng/s3_aksk_use_secret branch from 2b49aa5 to 86923f0 Compare October 13, 2025 02:31
Signed-off-by: doubledna <gaolin.cheng@zilliz.com>
@doubledna doubledna force-pushed the gaolincheng/s3_aksk_use_secret branch from 86923f0 to dd725ca Compare October 13, 2025 02:39
@mergify mergify bot added the ci-passed label Oct 13, 2025
@doubledna doubledna requested a review from LoveEachDay October 14, 2025 03:58
@mateusz-mielewczyk-it

bump! it's really needed


4 participants