feat(chart): remove minio configuration

charts/kms-core/README.md

@@ -15,14 +15,3 @@ To pull and install the OCI Helm chart from hub.zama.ai:
 
     helm registry login hub.zama.ai
     helm install kms oci://hub.zama.ai/zama-protocol/zama-ai/kms/charts/kms-core
-
-## Local testing
-
-When `minio.enabled=true`, connect to minio UI on http://localhost:9001:
-
-    kubectl port-forward svc/minio 9001
-
-Interact with the bucket using the `aws` CLI:
-
-    kubectl port-forward svc/minio 9000
-    AWS_ACCESS_KEY_ID=kms-access-key-id AWS_SECRET_ACCESS_KEY=kms-secret-access-key aws --endpoint-url http://localhost:9000 --region eu-west-1 s3 ls s3://kms-public

charts/kms-core/templates/_helpers.tpl

@@ -152,17 +152,11 @@ export KMS_CORE__BACKUP_VAULT__KEYCHAIN__AWS_KMS__ROOT_KEY_SPEC="${KMS_CORE__BAC
 {{- end }}
 {{- if $.Values.kmsCore.thresholdMode.tls.enabled }}
 # Fetch CA certificates for all peers (needed for peer verification)
-# In minio/localstack context: CORE_CLIENT__S3_ENDPOINT is just the endpoint, need to add bucket
-# In AWS context: CORE_CLIENT__S3_ENDPOINT already contains the bucket path
-{{- if $.Values.minio.enabled }}
-S3_BASE_URL="${CORE_CLIENT__S3_ENDPOINT}/{{ .Values.kmsCore.publicVault.s3.bucket }}"
-{{- else }}
 S3_BASE_URL="${CORE_CLIENT__S3_ENDPOINT}"
-{{- end }}
 echo "Fetching TLS certificates from S3 base URL: ${S3_BASE_URL}"
 {{- range .Values.kmsCore.thresholdMode.peersList }}
-{{- if or $.Values.minio.enabled (not $.Values.kmsCore.nitroEnclave.enabled) }}
-# For minio/localstack or non-enclave threshold: use direct path to cert.pem
+{{- if not $.Values.kmsCore.nitroEnclave.enabled }}
+# For non-enclave threshold: use direct path to cert.pem
 CERT_PATH="PUB-p{{ .id }}/CACert/cert.pem"
 echo "Fetching CA cert for party {{ .id }} from: ${S3_BASE_URL}/${CERT_PATH}"
 # Retry logic: wait for certificate to appear (for parallel deployments)
@@ -199,8 +193,8 @@ fi
 {{- end }}
 {{- end }}
 # Fetch private key only for this party (party {{ .Values.kmsPeers.id }})
-{{- if or $.Values.minio.enabled (not $.Values.kmsCore.nitroEnclave.enabled) }}
-# For minio/localstack or non-enclave threshold: use direct path to key.pem
+{{- if not $.Values.kmsCore.nitroEnclave.enabled }}
+# For non-enclave threshold: use direct path to key.pem
 KEY_PATH="PUB-p{{ .Values.kmsPeers.id }}/PrivateKey/key.pem"
 echo "Fetching private key from: ${S3_BASE_URL}/${KEY_PATH}"
 # Retry logic: wait for private key to appear (for parallel deployments)

charts/kms-core/templates/kms-core-client-cronjob.yaml

@@ -21,13 +21,8 @@ spec:
           - name: kms-core-client
             image: {{ .Values.kmsCoreClient.image.name }}:{{ .Values.kmsCoreClient.image.tag }}
             env:
-              {{ if .Values.minio.enabled }}
-              - name: S3_ENDPOINT
-                value: "{{ .Values.minio.endpoint }}/{{ .Values.kmsCore.publicVault.s3.bucket }}/{{ .Values.kmsCore.publicVault.s3.path }}"
-              {{ else }}
               - name: S3_ENDPOINT
                 value: "https://{{ .Values.kmsCore.publicVault.s3.bucket }}.s3.{{ .Values.kmsCore.aws.region }}.amazonaws.com"
-              {{ end }}
               - name: NUM_MAJORITY
                 value: '{{ .Values.kmsCoreClient.num_majority | int }}'
               - name: NUM_RECONSTRUCT

charts/kms-core/templates/kms-core-client-statefulset.yaml

@@ -23,13 +23,8 @@ spec:
       - name: kms-core-client
         image: {{ .Values.kmsCoreClient.image.name }}:{{ .Values.kmsCoreClient.image.tag }}
         env:
-          {{- if .Values.minio.enabled }}
-          - name: S3_ENDPOINT
-            value: "{{ .Values.minio.endpoint }}/{{ .Values.kmsCore.publicVault.s3.bucket }}"
-          {{- else }}
           - name: S3_ENDPOINT
             value: "https://{{ .Values.kmsCore.publicVault.s3.bucket }}.s3.{{ .Values.kmsCore.aws.region }}.amazonaws.com"
-          {{- end }}
           - name: NUM_MAJORITY
             value: '{{ .Values.kmsCoreClient.num_majority | int }}'
           - name: NUM_RECONSTRUCT
@@ -40,11 +35,9 @@ spec:
             value: '{{ .Values.kmsCoreClient.fhe_parameter | quote }}'
         command:
           - /app/load-core-client-config.sh
-        {{- if not .Values.minio.enabled }}
         envFrom:
           - configMapRef:
               name: {{ .Values.kmsCoreClient.envFrom.configmap.name }}
-        {{- end }}
         volumeMounts:
           - mountPath: /app/load-core-client-config.sh
             subPath: load-core-client-config.sh

charts/kms-core/templates/kms-core-configmap.yaml

@@ -15,20 +15,16 @@ data:
   aws.toml: |
     [aws]
     region = "${AWS_REGION}"
-    {{- if .Values.minio.enabled }}
-    s3_endpoint = "{{ .Values.minio.endpoint }}"
-    {{- else }}
     role_arn = "${AWS_ROLE_ARN}"
-      {{- if .Values.kmsCore.nitroEnclave.enabled }}
-        {{- if .Values.kmsCore.nitroEnclave.ports.imds }}
+    {{- if .Values.kmsCore.nitroEnclave.enabled }}
+      {{- if .Values.kmsCore.nitroEnclave.ports.imds }}
     imds_endpoint = "http://localhost:{{ .Values.kmsCore.nitroEnclave.ports.imds }}"
-        {{- end }}
-        {{- if .Values.kmsCore.nitroEnclave.ports.sts }}
+      {{- end }}
+      {{- if .Values.kmsCore.nitroEnclave.ports.sts }}
     sts_endpoint = "https://localhost:{{ .Values.kmsCore.nitroEnclave.ports.sts }}"
-        {{- end }}
+      {{- end }}
     s3_endpoint = "https://localhost:{{ .Values.kmsCore.nitroEnclave.ports.s3 }}"
     awskms_endpoint = "https://localhost:{{ .Values.kmsCore.nitroEnclave.ports.awskms }}"
-      {{- end }}
     {{- end }}
   vaults.toml: |
     {{- if .Values.kmsCore.publicVault.s3.enabled }}

charts/kms-core/templates/kms-core-statefulset.yaml

@@ -78,7 +78,7 @@ spec:
               value: {{ .Values.runMode }}
             - name: RUST_LOG
               value: {{ .Values.rustLog }}
-            {{- if and .Values.kmsCore.envFrom.configmap.name (not .Values.minio.enabled) }}
+            {{- if .Values.kmsCore.envFrom.configmap.name }}
             - name: CORE_CLIENT__S3_ENDPOINT
               valueFrom:
                 configMapKeyRef:
@@ -135,12 +135,6 @@ spec:
                   key: {{ .Values.kmsCore.envFrom.configmap.key.backupVaultKeychainAWSKMSRootKeySpec }}
             {{- end }}
             {{- else }}
-            - name: AWS_ACCESS_KEY_ID
-              value: {{ .Values.minio.username}}
-            - name: AWS_SECRET_ACCESS_KEY
-              value: {{ .Values.minio.password}}
-            - name: CORE_CLIENT__S3_ENDPOINT
-              value: {{ .Values.minio.endpoint }}
             - name: KMS_CORE__PRIVATE_VAULT__STORAGE__S3__BUCKET
               value: {{ .Values.kmsCore.privateVault.s3.bucket | quote }}
             {{- if .Values.kmsCore.privateVault.s3.prefix }}
@@ -316,9 +310,6 @@ spec:
               env
               echo "generating keys"
               kms-gen-keys --cmd signing-keys \
-            {{- if .Values.minio.enabled }}
-              --aws-s3-endpoint {{ .Values.minio.endpoint }} \
-            {{- end }}
               --aws-region {{ .Values.kmsCore.aws.region }} \
             {{- if .Values.kmsCore.publicVault.s3.enabled }}
               --public-storage s3 \
@@ -379,7 +370,7 @@ spec:
               value: {{ .Values.runMode }}
             - name: RUST_LOG
               value: {{ .Values.rustLog }}
-          {{- if and .Values.kmsCore.envFrom.configmap.name (not .Values.minio.enabled) }}
+          {{- if .Values.kmsCore.envFrom.configmap.name }}
             - name: KMS_CORE__PRIVATE_VAULT__STORAGE__S3__BUCKET
               valueFrom:
                 configMapKeyRef:
@@ -431,12 +422,6 @@ spec:
                   key: {{ .Values.kmsCore.envFrom.configmap.key.backupVaultKeychainAWSKMSRootKeySpec }}
             {{- end }}
             {{- else }}
-            - name: AWS_ACCESS_KEY_ID
-              value: {{ .Values.minio.username}}
-            - name: AWS_SECRET_ACCESS_KEY
-              value: {{ .Values.minio.password}}
-            - name: CORE_CLIENT__S3_ENDPOINT
-              value: {{ .Values.minio.endpoint }}
             - name: KMS_CORE__PRIVATE_VAULT__STORAGE__S3__BUCKET
               value: {{ .Values.kmsCore.privateVault.s3.bucket | quote }}
             {{- if .Values.kmsCore.privateVault.s3.prefix }}
@@ -513,15 +498,6 @@ spec:
           args:
             - -c
             - |
-              {{- if .Values.minio.enabled }}
-              mkdir -p ~/.aws/
-              cat > ~/.aws/credentials <<EOF
-              [default]
-              aws_access_key_id=${AWS_ACCESS_KEY_ID}
-              aws_secret_access_key=${AWS_SECRET_ACCESS_KEY}
-              EOF
-              cat ~/.aws/credentials
-              {{- end }}
               env
               kms-server --config-file=kms-server.toml
           {{- end }}
@@ -544,7 +520,7 @@ spec:
               value: {{ .Values.runMode }}
             - name: RUST_LOG
               value: {{ .Values.rustLog }}
-            {{- if and .Values.kmsCore.envFrom.configmap.name (not .Values.minio.enabled) }}
+            {{- if .Values.kmsCore.envFrom.configmap.name }}
             - name: KMS_CORE__PRIVATE_VAULT__STORAGE__S3__BUCKET
               valueFrom:
                 configMapKeyRef:
@@ -600,12 +576,6 @@ spec:
                   optional: true
             {{- end }}
             {{- else }}
-            - name: AWS_ACCESS_KEY_ID
-              value: {{ .Values.minio.username}}
-            - name: AWS_SECRET_ACCESS_KEY
-              value: {{ .Values.minio.password}}
-            - name: AWS_ENDPOINT_URL_S3
-              value: {{ .Values.minio.endpoint }}
             - name: KMS_CORE__PRIVATE_VAULT__STORAGE__S3__BUCKET
               value: {{ .Values.kmsCore.privateVault.s3.bucket | quote }}
             {{- if .Values.kmsCore.privateVault.s3.prefix }}

charts/kms-core/templates/kms-gen-keys-job.yaml

@@ -27,22 +27,15 @@ spec:
           image: {{ .Values.kmsCoreClient.image.name }}:{{ .Values.kmsCoreClient.image.tag }}
           command:
             - /app/core-client-gen-keys.sh
-          {{- if not .Values.minio.enabled }}
           envFrom:
             - configMapRef:
                 name: {{ .Values.kmsCoreClient.envFrom.configmap.name }}
-          {{- end }}
           env:
-            {{- if .Values.minio.enabled }}
-            - name: S3_ENDPOINT
-              value: "{{ .Values.minio.endpoint }}/{{ .Values.kmsCore.publicVault.s3.bucket }}{{- $path := default "" .Values.kmsCore.publicVault.s3.path }}{{- if ne $path "" }}/{{ $path }}{{- end }}"
-            {{- else }}
             - name: CORE_CLIENT__S3_ENDPOINT
               valueFrom:
                 configMapKeyRef:
                   name: {{ .Values.kmsCore.envFrom.configmap.name }}
                   key: {{ .Values.kmsCore.envFrom.configmap.key.coreClientS3Endpoint }}
-            {{- end }}
             - name: NUM_MAJORITY
               value: '{{ .Values.kmsCoreClient.num_majority | int }}'
             - name: NUM_RECONSTRUCT

charts/kms-core/values-example-local.yaml

@@ -69,27 +69,6 @@ environment: dev
 
 rustLog: info
 
-minio:
-  enabled: true
-  commonAnnotations:
-    "helm.sh/hook-weight": "-1"
-  fullnameOverride: minio
-  auth:
-    rootUser: minio-admin
-    rootPassword: minio-admin
-  provisioning:
-    enabled: true
-    buckets:
-      - name: kms-public
-        region: eu-west-1
-    users:
-      - username: kms-access-key-id
-        password: kms-secret-access-key
-        policies:
-          - readwrite
-    extraCommands:
-      - "mc anonymous set public provisioning/kms-public"
-
 kyverno:
   enabled: false
 

charts/kms-core/values.yaml

@@ -287,20 +287,6 @@ tracing:
   endpoint: "http://otel-deployment-opentelemetry-collector.observability.svc.cluster.local:4317"
   otlp_timeout_ms: 10000
 
-
-# Minio: If we want to use local s3 storage, we can use Minio
-# i.e: by deploying Minio operator: https://docs.min.io/community/minio-object-store/operations/deployments/k8s-deploy-operator-helm-on-kubernetes.html?ref=github
-# or Minio chart community maintained: https://github.com/minio/minio/tree/master/helm/minio
-#
-minio:
-  enabled: false
-  # If enabled, the minio endpoint will be used to store the keys. Example: http://minio:9000
-  endpoint:
-  # If enabled, the minio username will be used to store the keys
-  username:
-  # If enabled, the minio password will be used to store the keys
-  password:
-
 rustLog: info
 
 # Add pod annotations to the kms-core