Update/minio migration from bitnami to official

chart/Chart.yaml

@@ -20,6 +20,6 @@ dependencies:
   repository: https://argoproj.github.io/argo-helm
   condition: features.to
 - name: minio
-  version: 3.5.0
-  repository: https://codedx.github.io/srm-k8s
+  version: 5.4.0
+  repository: https://charts.min.io/
   condition: features.minio

chart/templates/_secrets.tpl

@@ -32,48 +32,14 @@ Returns the MariaDB credential secret name (overwrites template).
 {{- end -}}
 
 {{/*
-Returns the MinIO secret name (overwrites template).
-*/}}
-{{- define "minio.secretName" -}}
-{{- if (not .Values.global.minio.existingSecret) -}}
-{{ include "srm-to.default.minio.secret" . }}
-{{- else -}}
-{{ required "You must specify a value for the 'global.minio.existingSecret' helm property" .Values.global.minio.existingSecret }}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Get the root user key by switching the default from root-user to access-key (overwrites template).
-*/}}
-{{- define "minio.rootUserKey" -}}
-{{- if and (.Values.auth.existingSecret) (.Values.auth.rootUserSecretKey) -}}
-    {{- printf "%s" (tpl .Values.auth.rootUserSecretKey $) -}}
-{{- else -}}
-    {{/* Use the legacy name for key instead of root-user. */}}
-    {{- "access-key" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Get the root password key by switching the default from root-password to secret-key (overwrites template).
-*/}}
-{{- define "minio.rootPasswordKey" -}}
-{{- if and (.Values.auth.existingSecret) (.Values.auth.rootPasswordSecretKey) -}}
-    {{- printf "%s" (tpl .Values.auth.rootPasswordSecretKey $) -}}
-{{- else -}}
-    {{/* Use the legacy name for password instead of root-password. */}}
-    {{- "secret-key" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Returns the MinIO secret name.
+Returns the MinIO secret name used by the SRM chart templates (tool service
+volume mounts, network policies, etc.).
 */}}
 {{- define "minio.ref.secretName" -}}
-{{- if (not .Values.minio.global.minio.existingSecret) -}}
+{{- if (not .Values.minio.existingSecret) -}}
 {{ include "srm-to.default.minio.secret" . }}
 {{- else -}}
-{{ required "You must specify a value for the 'minio.global.minio.existingSecret' helm property" .Values.minio.global.minio.existingSecret }}
+{{ .Values.minio.existingSecret }}
 {{- end -}}
 {{- end -}}
 

chart/templates/_subchart.tpl

@@ -1,35 +1,23 @@
-{{- define "common.errors.insecureImages" -}}
-{{/* Ignore the insecure images check. */}}
-{{- end -}}
-
 {{/*
-Return false to block the subchart from creating a secret object (overwrites template).
-*/}}
-{{- define "minio.createSecret" -}}
-{{/* Block the MinIO chart from creating its own K8s Secret resource. */}}
-{{- false -}}
-{{- end -}}
+Official MinIO chart (charts.min.io) does not use Bitnami's common library,
+so the Bitnami template-override helpers (minio.createSecret,
+minio.secret.userValue, minio.secret.passwordValue, common.errors.insecureImages)
+are no longer needed and have been removed.
 
-{{/*
-Get the user to use to access MinIO® (overwrites template).
-*/}}
-{{- define "minio.secret.userValue" -}}
-{{- if (and (empty .Values.auth.rootUser) .Values.auth.forcePassword) }}
-    {{ required "A root username is required!" .Values.auth.rootUser }}
-{{- else -}}
-    {{/* Ignore password management, which is handled in _secrets.tpl. */}}
-    {{/* {{- include "common.secrets.passwords.manage" (dict "secret" (include "common.names.fullname" .) "key" "root-user" "providedValues" (list "auth.rootUser") "context" $) -}} */}}
-{{- end -}}
-{{- end -}}
+Secret wiring for the official MinIO chart (charts.min.io).
 
-{{/*
-Get the password to use to access MinIO® (overwrites template).
+The official MinIO chart reads credentials from the secret named by
+minio.existingSecret.  When existingSecret is set to a non-empty value the
+chart skips creating its own secret (which would contain default minioadmin
+credentials).
+
+The SRM chart sets minio.existingSecret to the auto-generated secret name
+(see values-to.yaml) so that:
+  1. MinIO skips its own secret creation.
+  2. to-default-storage-secret.yaml creates the secret with both
+     rootUser/rootPassword (for MinIO) and access-key/secret-key (for the
+     tool service), ensuring both consumers share the same credentials.
+
+No template overrides are required here; the wiring is done entirely through
+the minio.existingSecret value.
 */}}
-{{- define "minio.secret.passwordValue" -}}
-{{- if (and (empty .Values.auth.rootPassword) .Values.auth.forcePassword) }}
-    {{ required "A root password is required!" .Values.auth.rootPassword }}
-{{- else -}}
-    {{/* Ignore password management, which is handled in _secrets.tpl. */}}
-    {{/* {{- include "common.secrets.passwords.manage" (dict "secret" (include "common.names.fullname" .) "key" "root-password" "providedValues" (list "auth.rootPassword") "context" $) -}} */}}
-{{- end -}}
-{{- end -}}

chart/templates/_to.tpl

@@ -91,16 +91,16 @@ Create the name of the TO workflow service account to use
 {{- end }}
 
 {{- define "srm-to.storageEndpoint" -}}
-{{- if .Values.minio.enabled -}}
-{{- print (include "minio.ref.fullname" .) "." .Release.Namespace ".svc.cluster.local:" .Values.minio.service.ports.api -}}
+{{- if .Values.features.minio -}}
+{{- print (include "minio.ref.fullname" .) "." .Release.Namespace ".svc.cluster.local:" .Values.minio.service.port -}}
 {{- else -}}
 {{- .Values.to.workflowStorage.endpoint -}}
 {{- end -}}
 {{- end -}}
 
 {{- define "srm-to.storageTlsEnabled" -}}
 {{- $enabled := 0 -}}
-{{- if (or .Values.to.workflowStorage.endpointSecure (and .Values.minio.enabled .Values.minio.tls.existingSecret)) -}}
+{{- if (or .Values.to.workflowStorage.endpointSecure (and .Values.features.minio .Values.minio.tls.certSecret)) -}}
 {{- $enabled = 1 -}}
 {{- end -}}
 {{ $enabled }}
@@ -223,6 +223,12 @@ Duplicates of a Minio template helper so we can reference Minio's service name
 {{- end -}}
 {{- end -}}
 
+{{/*
+NOTE: The Bitnami minio.claimName override (which appended "-snsd") has been
+removed. The official MinIO chart (charts.min.io) manages its own PVC naming
+internally and does not rely on this helper.
+*/}}
+
 {{/*
 Duplicates of an Argo template helper so we can reference the Argo controller's service name
 */}}
@@ -253,14 +259,3 @@ Duplicates of an Argo template helper so we can reference the Argo controller's
     {{ default "default" $serviceAccount.name }}
 {{- end -}}
 {{- end -}}
-
-{{/*
-Return the PVC name, potentially forcing a switch to the single-node, single-drive configuration (overwrites template).
-*/}}
-{{- define "minio.claimName" -}}
-{{- if and .Values.persistence.existingClaim }}
-    {{- printf "%s" (tpl .Values.persistence.existingClaim $) -}}
-{{- else -}}
-    {{- printf "%s-snsd" (include "common.names.fullname" .) -}}
-{{- end -}}
-{{- end -}}

chart/templates/cert-manager-tls-minio.yaml

@@ -2,11 +2,11 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: {{ .Values.minio.tls.existingSecret }}
+  name: {{ .Values.minio.tls.certSecret }}
 spec:
   isCA: false
   commonName: {{ include "minio.ref.fullname" . }}
-  secretName: {{ .Values.minio.tls.existingSecret }}
+  secretName: {{ .Values.minio.tls.certSecret }}
   duration: {{ .Values.tls.certManager.duration | quote }}
   renewBefore: {{ .Values.tls.certManager.renewBefore | quote }}
   privateKey:

chart/templates/to-default-storage-secret.yaml

@@ -1,18 +1,25 @@
 {{- if .Values.features.minio -}}
-{{- if (not .Values.minio.global.minio.existingSecret) -}}
-{{- $default := lookup "v1" "Secret" .Release.Namespace (include "srm-to.default.minio.secret" .) -}}
+{{- $generatedName := include "srm-to.default.minio.secret" . -}}
+{{- $existingSecret := .Values.minio.existingSecret | default "" -}}
+{{- $useGenerated := or (not $existingSecret) (eq $existingSecret $generatedName) -}}
+{{- if $useGenerated -}}
+{{- $default := lookup "v1" "Secret" .Release.Namespace $generatedName -}}
 {{- $accessKey := dig "data" "access-key" (randAlphaNum 10 | b64enc) $default | b64dec -}}
 {{- $secretKey := dig "data" "secret-key" (randAlphaNum 10 | b64enc) $default | b64dec -}}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "srm-to.default.minio.secret" . | quote }}
+  name: {{ $generatedName | quote }}
   labels:
     {{- include "srm-to.labels" . | nindent 4 }}
 type: Opaque
 data:
   # lookup requires cluster access, so a disconnected context (e.g., dry-run, template) has no password reuse with generated password(s)
+  # Keys used by the SRM tool service (legacy names kept for backward compatibility)
   access-key: {{ $accessKey | b64enc }}
   secret-key: {{ $secretKey | b64enc }}
+  # Keys expected by the official MinIO chart (charts.min.io) when existingSecret is set
+  rootUser: {{ $accessKey | b64enc }}
+  rootPassword: {{ $secretKey | b64enc }}
+{{- end -}}
 {{- end -}}
-{{- end -}}

chart/templates/to-networkpolicy.yaml

@@ -30,8 +30,7 @@ spec:
     to:
     - podSelector:
         matchLabels:
-          app.kubernetes.io/name: {{ include "minio.ref.name" . }}
-          app.kubernetes.io/instance: {{ .Release.Name | quote }}
+          app: {{ include "minio.ref.name" . }}
   ingress:
   - ports:
     - port: 3333
@@ -83,8 +82,7 @@ spec:
       port: 9000
   podSelector:
     matchLabels:
-      app.kubernetes.io/name: {{ include "minio.ref.name" . }}
-      app.kubernetes.io/instance: {{ .Release.Name | quote }}
+      app: {{ include "minio.ref.name" . }}
   policyTypes:
   - Ingress
   - Egress

chart/values/values-tls.yaml

@@ -86,7 +86,8 @@ minio:
     # @ignore (refer to values-to.yaml file for details)
     enabled: true
     # @ignore (refer to values-to.yaml file for details)
-    existingSecret: srm-minio-tls-secret
+    # Official MinIO chart uses tls.certSecret (not tls.existingSecret)
+    certSecret: srm-minio-tls-secret
 
 to:
   # @ignore (refer to values-to.yaml file for details)