diff --git a/kubernetes/apps/storage/kustomization.yaml b/kubernetes/apps/storage/kustomization.yaml
index 10f42a1d..f2ba760a 100644
--- a/kubernetes/apps/storage/kustomization.yaml
+++ b/kubernetes/apps/storage/kustomization.yaml
@@ -5,3 +5,4 @@ resources:
 - ./namespace.yaml
 - ./openebs/ks.yaml
 - ./volsync/ks.yaml
+ - ./minio/ks.yaml
diff --git a/kubernetes/apps/storage/minio/app/helm-release.yaml b/kubernetes/apps/storage/minio/app/helm-release.yaml
new file mode 100644
index 00000000..1c7ee1a2
--- /dev/null
+++ b/kubernetes/apps/storage/minio/app/helm-release.yaml
@@ -0,0 +1,108 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: minio
+spec:
+ interval: 15m
+ chart:
+ spec:
+ chart: app-template
+ version: 1.5.1
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s-charts
+ namespace: flux-system
+ maxHistory: 3
+ install:
+ createNamespace: true
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ uninstall:
+ keepHistory: false
+ values:
+ image:
+ repository: quay.io/minio/minio
+ tag: RELEASE.2023-05-04T21-44-30Z
+ env:
+ TZ: America/Denver
+ MINIO_UPDATE: "off"
+ MINIO_BROWSER_REDIRECT_URL: https://minio.${SECRET_DOMAIN}
+ MINIO_SERVER_URL: https://s3.${SECRET_DOMAIN}
+ envFrom:
+ - secretRef:
+ name: minio-secret
+ args: ["server", "/data", "--console-address", ":9001"]
+ service:
+ main:
+ enabled: true
+ ports:
+ http:
+ port: 9001
+ api:
+ enabled: true
+ port: 9000
+ probes:
+ # liveness: &probes
+ # enabled: true
+ # custom: true
+ # spec:
+ # httpGet:
+ # path: /minio/health/live
+ # port: 9000
+ # initialDelaySeconds: 0
+ # periodSeconds: 10
+ # timeoutSeconds: 1
+ # failureThreshold: 3
+ # readiness: *probes
+ startup:
+ enabled: false
+ ingress:
+ main:
+ enabled: true
+ ClassName: internal
+ hosts:
+ - host: &host minio.${SECRET_DOMAIN}
+ paths:
+ - path: /
+ pathType: Prefix
+ service:
+ port: 9001
+ tls:
+ - hosts:
+ - *host
+ s3:
+ enabled: true
+ className: internal
+ hosts:
+ - host: &s3host s3.${SECRET_DOMAIN}
+ paths:
+ - path: /
+ pathType: Prefix
+ service:
+ port: 9000
+ tls:
+ - hosts:
+ - *s3host
+ podSecurityContext:
+ runAsUser: 1024
+ runAsGroup: 100
+ fsGroup: 100
+ fsGroupChangePolicy: "OnRootMismatch"
+ supplementalGroups:
+ - 100
+ persistence:
+ config:
+ enabled: true
+ existingClaim: minio-nfs
+ mountPath: /data
+ resources:
+ requests:
+ memory: 100Mi
+ cpu: 100m
+ limits:
+ memory: 750Mi
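Review bot: `ingress.main` sets `ClassName: internal` with a capital C while `ingress.s3` uses `className: internal`; Helm values keys are case-sensitive, so the two ingresses are not configured the same way and the console ingress for port 9001 may be rendered without any ingress class. If the cluster has a default ingress class that is reachable from outside, the MinIO console login, which authenticates with the root credentials supplied through `minio-secret`, would be published more widely than the `internal` name suggests. Use one spelling for both entries and confirm it against the app-template 1.5.1 values schema (the 1.x common library appears to name this key `ingressClassName`, which would mean neither spelling takes effect), then check that both rendered Ingress objects carry `spec.ingressClassName: internal`. Separately, `tag: RELEASE.2023-05-04T21-44-30Z` pins by tag only; adding an image digest would make the deployed image immutable.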
diff --git a/kubernetes/apps/storage/minio/app/kustomization.yaml b/kubernetes/apps/storage/minio/app/kustomization.yaml
new file mode 100644
index 00000000..1eee598d
--- /dev/null
+++ b/kubernetes/apps/storage/minio/app/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - secret.enc.yaml
+ - nfs-pvc.yaml
+ - helm-release.yaml
diff --git a/kubernetes/apps/storage/minio/app/nfs-pvc.yaml b/kubernetes/apps/storage/minio/app/nfs-pvc.yaml
new file mode 100644
index 00000000..906214e4
--- /dev/null
+++ b/kubernetes/apps/storage/minio/app/nfs-pvc.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: minio-nfs
+spec:
+ capacity:
+ storage: 1Mi
+ accessModes:
+ - ReadWriteMany
+ storageClassName: minio-nfs
+ persistentVolumeReclaimPolicy: Retain
+ nfs:
+ server: "192.168.1.33"
+ path: /volume10/Minio
+ mountOptions:
+ - nconnect=8
+ - noatime
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: minio-nfs
+spec:
+ accessModes:
+ - ReadWriteMany
+ storageClassName: minio-nfs
+ resources:
+ requests:
+ storage: 1Mi
diff --git a/kubernetes/apps/storage/minio/app/secret.sops.yaml b/kubernetes/apps/storage/minio/app/secret.sops.yaml
new file mode 100644
index 00000000..b347bb93
--- /dev/null
+++ b/kubernetes/apps/storage/minio/app/secret.sops.yaml
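Review bot: `resources` lists `secret.enc.yaml`, but the Secret this commit adds is `kubernetes/apps/storage/minio/app/secret.sops.yaml`, and no `secret.enc.yaml` appears anywhere in the diff. Unless that file already exists in the directory, the kustomize build fails on the missing resource and `minio-secret` is never created, so the HelmRelease's `envFrom` has nothing to read the root credentials from. Change the entry to `- secret.sops.yaml` or rename the file. Whichever name is kept should match the path pattern the repository's SOPS rules and pre-commit checks use (not visible here), so that the file cannot be committed unencrypted.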
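Review bot: The PersistentVolume `minio-nfs` has no `claimRef` and the PersistentVolumeClaim has no `volumeName`, so binding relies only on the matching `storageClassName` and access mode. PersistentVolumes are cluster-scoped, so a claim with the same class created in any other namespace could bind this volume first and mount the MinIO data directory. Pre-bind the pair by adding `volumeName: minio-nfs` to the claim's `spec` and a `claimRef` on the volume that names the claim in the `storage` namespace. The export `/volume10/Minio` on `192.168.1.33` is mounted with no `sec=` option, so access control presumably rests on the NFS server's host allowlist and squash settings; those are not visible here and are worth checking against the `runAsUser: 1024` / `fsGroup: 100` identity the pod uses.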
@@ -0,0 +1,28 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+ name: minio-secret
+stringData:
+ MINIO_ROOT_USER: ENC[AES256_GCM,data:yoJuEdMXgyjuuBI=,iv:lmJs++9pzhTBPTmfkKRc1Z7Kdc5lvVN2qcaVkkl1x4k=,tag:th1WiPutWHQHc4/XIV7wIQ==,type:str]
+ MINIO_ROOT_PASSWORD: ENC[AES256_GCM,data:aTc+lOWlEeXqgpFAy1YdQQ==,iv:AwgcNiIb0Eu3kUFQwGuMA++aTnQfmiJX436RpmtO09I=,tag:0CPjxCBOx+JBTCauiNBEMg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age12rzrdtn8xhd89y23qw4kymxftuylqn5cm522jcn327atent4a40swjcgmj
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MUVkSStORXBwRGI3VXMr
+ bXVZb3kyVkJrellNOW9LSlZrOG5EbU9LRFVzCmhOQi9ERVdyOGtVT1RSa2sxL0lu
+ MmtZOWJqbytOcDBPTHBoay9QVUlxOE0KLS0tIGVhTWZOeDhkZ3J6Wk1mNHUrcXNO
+ YjdLcWZJTnErQS8zSTFxdklvbVU3NEkKc1PWeQAv4S59aEkCTFzy5CcsaKslxurv
+ Z+7N1uW3eN8IGYVbIZTbLjmNvU3WOtpUN0uY9RiOIL5UctJL9hnoBQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-02-25T22:13:49Z"
+ mac: ENC[AES256_GCM,data:Xa+6zuDajCVheuuyDbWOihVySiwDHOzH+xZT/iluRTMmFjImauvib3XggZlFhgUYIFwY0cFd7dRik6GdvCsMidczMNwWKa0OBLVvi4V76rXu0uow/WfANj5UTAM+eGwaUGPzJlpQ3y/dYmRLqjF/ubeCyuYcwDt+BzWlTKD5Z5Y=,iv:IQFvw1qoIQLYDxZrQ3dbTwcMA/aDZC5LiuSP7Is37ao=,tag:3d03RurfYnE9LYciOyegPw==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.8.1
diff --git a/kubernetes/apps/storage/minio/ks.yaml b/kubernetes/apps/storage/minio/ks.yaml
new file mode 100644
index 00000000..e316d8e3
--- /dev/null
+++ b/kubernetes/apps/storage/minio/ks.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app minio
+ namespace: flux-system
+spec:
+ targetNamespace: storage
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/storage/minio/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
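Review bot: This Flux Kustomization in `ks.yaml` has no `spec.decryption` block, yet the path it reconciles contains a SOPS-encrypted Secret (`secret.sops.yaml`, encrypted to an age recipient). Unless a parent Kustomization outside this diff patches decryption into its children, kustomize-controller will not decrypt `MINIO_ROOT_USER` and `MINIO_ROOT_PASSWORD` before applying the manifest. If nothing injects it, add `decryption:` with `provider: sops` and a `secretRef` naming the cluster's age key Secret (its name is not shown on this page). With `wait: false` the Kustomization reports ready as soon as the objects are applied, so a MinIO pod that fails to start on bad credentials would not show up in its status; `wait: true` would surface that.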