From 6b9495f21810cb1b5dcd4a1f6bcf16f97d839472 Mon Sep 17 00:00:00 2001 From: Tyler Perkins Date: Sun, 19 May 2024 14:18:15 -0400 Subject: [PATCH] Add minio --- minio/helmrelease-minio.yaml | 564 +++++++++++++++++++++++++++++++++++ minio/sealed-secret.yaml | 15 + 2 files changed, 579 insertions(+) create mode 100644 minio/helmrelease-minio.yaml create mode 100644 minio/sealed-secret.yaml diff --git a/minio/helmrelease-minio.yaml b/minio/helmrelease-minio.yaml new file mode 100644 index 0000000..a92942e --- /dev/null +++ b/minio/helmrelease-minio.yaml 
@@ -0,0 +1,564 @@ +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: minio + namespace: minio-ns +spec: + chart: + spec: + chart: minio + sourceRef: + kind: HelmRepository + name: minio + namespace: flux-system + interval: 15m0s + timeout: 5m + releaseName: minio + values: + ## Provide a name in place of minio for `app:` labels + ## + nameOverride: "" + + ## Provide a name to substitute for the full names of resources + ## + fullnameOverride: "" + + ## set kubernetes cluster domain where minio is running + ## + clusterDomain: cluster.local + + ## Set default image, imageTag, and imagePullPolicy. mode is used to indicate the + ## + image: + repository: quay.io/minio/minio + tag: RELEASE.2023-09-30T07-02-29Z + pullPolicy: IfNotPresent + + imagePullSecrets: [] + # - name: "image-pull-secret" + + ## Set default image, imageTag, and imagePullPolicy for the `mc` (the minio + ## client used to create a default bucket). + ## + mcImage: + repository: quay.io/minio/mc + tag: RELEASE.2023-09-29T16-41-22Z + pullPolicy: IfNotPresent + + ## minio mode, i.e. standalone or distributed + mode: standalone ## other supported values are "standalone" + + ## Additional labels to include with deployment or statefulset + additionalLabels: {} + + ## Additional annotations to include with deployment or statefulset + additionalAnnotations: {} + + ## Typically the deployment/statefulset includes checksums of secrets/config, + ## So that when these change on a subsequent helm install, the deployment/statefulset + ## is restarted. This can result in unnecessary restarts under GitOps tooling such as + ## flux, so set to "true" to disable this behaviour. 
+ ignoreChartChecksums: false + + ## Additional arguments to pass to minio binary + extraArgs: [] + + ## Additional volumes to minio container + extraVolumes: [] + + ## Additional volumeMounts to minio container + extraVolumeMounts: [] + + ## Additional sidecar containers + extraContainers: [] + + ## Internal port number for MinIO S3 API container + ## Change service.port to change external port number + minioAPIPort: "9000" + + ## Internal port number for MinIO Browser Console container + ## Change consoleService.port to change external port number + minioConsolePort: "9001" + + ## Update strategy for Deployments + deploymentUpdate: + type: RollingUpdate + maxUnavailable: 0 + maxSurge: 100% + + ## Update strategy for StatefulSets + statefulSetUpdate: + updateStrategy: RollingUpdate + + ## Pod priority settings + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + ## + priorityClassName: "" + + ## Pod runtime class name + ## ref https://kubernetes.io/docs/concepts/containers/runtime-class/ + ## + runtimeClassName: "" + + ## Set default rootUser, rootPassword + ## AccessKey and secretKey is generated when not set + ## Distributed MinIO ref: https://min.io/docs/minio/linux/operations/install-deploy-manage/deploy-minio-multi-node-multi-drive.html + ## + #rootUser: "" + #rootPassword: "" + # + + ## Use existing Secret that store following variables: + ## + ## | Chart var | .data. in Secret | + ## |:----------------------|:-------------------------| + ## | rootUser | rootUser | + ## | rootPassword | rootPassword | + ## + ## All mentioned variables will be ignored in values file. + ## .data.rootUser and .data.rootPassword are mandatory, + ## others depend on enabled status of corresponding sections. 
+ existingSecret: "minio-default-credentials" + + ## Directory on the MinIO pof + certsPath: "/etc/minio/certs/" + configPathmc: "/etc/minio/mc/" + + ## Path where PV would be mounted on the MinIO Pod + mountPath: "/export" + ## Override the root directory which the minio server should serve from. + ## If left empty, it defaults to the value of {{ .Values.mountPath }} + ## If defined, it must be a sub-directory of the path specified in {{ .Values.mountPath }} + ## + bucketRoot: "" + + # Number of drives attached to a node + drivesPerNode: 1 + # Number of MinIO containers running + replicas: 1 + # Number of expanded MinIO clusters + pools: 1 + + ## TLS Settings for MinIO + tls: + enabled: false + ## Create a secret with private.key and public.crt files and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret + certSecret: "" + publicCrt: public.crt + privateKey: private.key + + ## Trusted Certificates Settings for MinIO. Ref: https://min.io/docs/minio/linux/operations/network-encryption.html#third-party-certificate-authorities + ## Bundle multiple trusted certificates into one secret and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret + ## When using self-signed certificates, remember to include MinIO's own certificate in the bundle with key public.crt. + ## If certSecret is left empty and tls is enabled, this chart installs the public certificate from .Values.tls.certSecret. 
+ trustedCertsSecret: "" + + ## Enable persistence using Persistent Volume Claims + ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + enabled: true + #annotations: {} + + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + #existingClaim: "" + + ## minio data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + ## Storage class of PV to bind. By default it looks for standard storage class. + ## If the PV uses a different storage class, specify that here. + storageClass: "longhorn" + #volumeName: "" + accessMode: ReadWriteOnce + size: 30Gi + + ## If subPath is set mount a sub folder of a volume instead of the root of the volume. + ## This is especially handy for volume plugins that don't natively support sub mounting (like glusterfs). + ## + subPath: "" + + ## Expose the MinIO service to be accessed from outside the cluster (LoadBalancer service). + ## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it. 
+ ## ref: http://kubernetes.io/docs/user-guide/services/ + ## + service: + type: LoadBalancer + clusterIP: ~ + port: "9000" + nodePort: 9000 + loadBalancerIP: ~ + externalIPs: [] + annotations: {} + + ## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/ + ## + + ingress: + enabled: false + ingressClassName: ~ + labels: {} + # node-role.kubernetes.io/ingress: platform + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # kubernetes.io/ingress.allow-http: "false" + # kubernetes.io/ingress.global-static-ip-name: "" + # nginx.ingress.kubernetes.io/secure-backends: "true" + # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0 + path: / + hosts: + - minio-example.local + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + + consoleService: + type: LoadBalancer + clusterIP: ~ + port: "9001" + nodePort: 80 + loadBalancerIP: ~ + externalIPs: [] + annotations: {} + + consoleIngress: + enabled: false + ingressClassName: ~ + labels: {} + # node-role.kubernetes.io/ingress: platform + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # kubernetes.io/ingress.allow-http: "false" + # kubernetes.io/ingress.global-static-ip-name: "" + # nginx.ingress.kubernetes.io/secure-backends: "true" + # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0 + path: / + hosts: + - console.minio-example.local + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + + ## Node labels for pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + tolerations: [] + affinity: {} + topologySpreadConstraints: [] + + ## Add stateful containers to have security context, if enabled MinIO will run as this + ## user and group 
NOTE: securityContext is only enabled if persistence.enabled=true + securityContext: + enabled: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + fsGroupChangePolicy: "OnRootMismatch" + + # Additational pod annotations + podAnnotations: {} + + # Additional pod labels + podLabels: {} + + ## Configure resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: + requests: + memory: 16Gi + + ## List of policies to be created after minio install + ## + ## In addition to default policies [readonly|readwrite|writeonly|consoleAdmin|diagnostics] + ## you can define additional policies with custom supported actions and resources + policies: [] + ## writeexamplepolicy policy grants creation or deletion of buckets with name + ## starting with example. In addition, grants objects write permissions on buckets starting with + ## example. + # - name: writeexamplepolicy + # statements: + # - effect: Allow # this is the default + # resources: + # - 'arn:aws:s3:::example*/*' + # actions: + # - "s3:AbortMultipartUpload" + # - "s3:GetObject" + # - "s3:DeleteObject" + # - "s3:PutObject" + # - "s3:ListMultipartUploadParts" + # - resources: + # - 'arn:aws:s3:::example*' + # actions: + # - "s3:CreateBucket" + # - "s3:DeleteBucket" + # - "s3:GetBucketLocation" + # - "s3:ListBucket" + # - "s3:ListBucketMultipartUploads" + ## readonlyexamplepolicy policy grants access to buckets with name starting with example. + ## In addition, grants objects read permissions on buckets starting with example. 
+ # - name: readonlyexamplepolicy + # statements: + # - resources: + # - 'arn:aws:s3:::example*/*' + # actions: + # - "s3:GetObject" + # - resources: + # - 'arn:aws:s3:::example*' + # actions: + # - "s3:GetBucketLocation" + # - "s3:ListBucket" + # - "s3:ListBucketMultipartUploads" + ## conditionsexample policy creates all access to example bucket with aws:username="johndoe" and source ip range 10.0.0.0/8 and 192.168.0.0/24 only + # - name: conditionsexample + # statements: + # - resources: + # - 'arn:aws:s3:::example/*' + # actions: + # - 's3:*' + # conditions: + # - StringEquals: '"aws:username": "johndoe"' + # - IpAddress: | + # "aws:SourceIp": [ + # "10.0.0.0/8", + # "192.168.0.0/24" + # ] + # + ## Additional Annotations for the Kubernetes Job makePolicyJob + makePolicyJob: + securityContext: + enabled: false + runAsUser: 1000 + runAsGroup: 1000 + resources: + requests: + memory: 128Mi + # Command to run after the main command on exit + exitCommand: "" + + ## List of users to be created after minio install + ## + users: + ## Username, password and policy to be assigned to the user + ## Default policies are [readonly|readwrite|writeonly|consoleAdmin|diagnostics] + ## Add new policies as explained here https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management.html#access-management + ## NOTE: this will fail if LDAP is enabled in your MinIO deployment + ## make sure to disable this if you are using LDAP. 
+ - accessKey: console + secretKey: console123 + policy: consoleAdmin + # Or you can refer to specific secret + #- accessKey: externalSecret + # existingSecret: my-secret + # existingSecretKey: password + # policy: readonly + + ## Additional Annotations for the Kubernetes Job makeUserJob + makeUserJob: + securityContext: + enabled: false + runAsUser: 1000 + runAsGroup: 1000 + resources: + requests: + memory: 128Mi + # Command to run after the main command on exit + exitCommand: "" + + ## List of service accounts to be created after minio install + ## + svcaccts: [] + ## accessKey, secretKey and parent user to be assigned to the service accounts + ## Add new service accounts as explained here https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management/minio-user-management.html#service-accounts + # - accessKey: console-svcacct + # secretKey: console123 + # user: console + ## Or you can refer to specific secret + # - accessKey: externalSecret + # existingSecret: my-secret + # existingSecretKey: password + # user: console + ## You also can pass custom policy + # - accessKey: console-svcacct + # secretKey: console123 + # user: console + # policy: + # statements: + # - resources: + # - 'arn:aws:s3:::example*/*' + # actions: + # - "s3:AbortMultipartUpload" + # - "s3:GetObject" + # - "s3:DeleteObject" + # - "s3:PutObject" + # - "s3:ListMultipartUploadParts" + + makeServiceAccountJob: + securityContext: + enabled: false + runAsUser: 1000 + runAsGroup: 1000 + resources: + requests: + memory: 128Mi + # Command to run after the main command on exit + exitCommand: "" + + ## List of buckets to be created after minio install + ## + buckets: [] + # # Name of the bucket + # - name: bucket1 + # # Policy to be set on the + # # bucket [none|download|upload|public] + # policy: none + # # Purge if bucket exists already + # purge: false + # # set versioning for + # # bucket [true|false] + # versioning: false + # # set objectlocking for + # # bucket 
[true|false] NOTE: versioning is enabled by default if you use locking + # objectlocking: false + # - name: bucket2 + # policy: none + # purge: false + # versioning: true + # # set objectlocking for + # # bucket [true|false] NOTE: versioning is enabled by default if you use locking + # objectlocking: false + + ## Additional Annotations for the Kubernetes Job makeBucketJob + makeBucketJob: + securityContext: + enabled: false + runAsUser: 1000 + runAsGroup: 1000 + resources: + requests: + memory: 128Mi + # Command to run after the main command on exit + exitCommand: "" + + ## List of command to run after minio install + ## NOTE: the mc command TARGET is always "myminio" + customCommands: + # - command: "admin policy attach myminio consoleAdmin --group='cn=ops,cn=groups,dc=example,dc=com'" + + ## Additional Annotations for the Kubernetes Job customCommandJob + customCommandJob: + securityContext: + enabled: false + runAsUser: 1000 + runAsGroup: 1000 + resources: + requests: + memory: 128Mi + # Command to run after the main command on exit + exitCommand: "" + + ## Merge jobs + postJob: + podAnnotations: {} + annotations: {} + securityContext: + enabled: false + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + nodeSelector: {} + tolerations: [] + affinity: {} + + ## Use this field to add environment variables relevant to MinIO server. 
These fields will be passed on to MinIO container(s) + ## when Chart is deployed + environment: + ## Please refer for comprehensive list https://min.io/docs/minio/linux/reference/minio-server/minio-server.html + ## MINIO_SUBNET_LICENSE: "License key obtained from https://subnet.min.io" + ## MINIO_BROWSER: "off" + + ## The name of a secret in the same kubernetes namespace which contain secret values + ## This can be useful for LDAP password, etc + ## The key in the secret must be 'config.env' + ## + extraSecret: ~ + + ## OpenID Identity Management + ## The following section documents environment variables for enabling external identity management using an OpenID Connect (OIDC)-compatible provider. + ## See https://min.io/docs/minio/linux/operations/external-iam/configure-openid-external-identity-management.html for a tutorial on using these variables. + oidc: + enabled: false + configUrl: "https://identity-provider-url/.well-known/openid-configuration" + clientId: "minio" + clientSecret: "" + # Provide existing client secret from the Kubernetes Secret resource, existing secret will have priority over `clientSecret` + existingClientSecretName: "" + existingClientSecretKey: "" + claimName: "policy" + scopes: "openid,profile,email" + redirectUri: "https://console-endpoint-url/oauth_callback" + # Can leave empty + claimPrefix: "" + comment: "" + + networkPolicy: + enabled: false + allowExternal: true + + ## PodDisruptionBudget settings + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + ## + podDisruptionBudget: + enabled: false + maxUnavailable: 1 + + ## Specify the service account to use for the MinIO pods. If 'create' is set to 'false' + ## and 'name' is left unspecified, the account 'default' will be used. + serviceAccount: + create: true + ## The name of the service account to use. If 'create' is 'true', a service account with that name + ## will be created. 
+ name: "minio-sa" + + metrics: + serviceMonitor: + enabled: false + # scrape each node/pod individually for additional metrics + includeNode: false + public: true + additionalLabels: {} + annotations: {} + # for node metrics + relabelConfigs: {} + # for cluster metrics + relabelConfigsCluster: {} + # metricRelabelings: + # - regex: (server|pod) + # action: labeldrop + namespace: ~ + # Scrape interval, for example `interval: 30s` + interval: ~ + # Scrape timeout, for example `scrapeTimeout: 10s` + scrapeTimeout: ~ + + ## ETCD settings: https://github.com/minio/minio/blob/master/docs/sts/etcd.md + ## Define endpoints to enable this section. + etcd: + endpoints: [] + pathPrefix: "" + corednsPathPrefix: "" + clientCert: "" + clientCertKey: "" diff --git a/minio/sealed-secret.yaml b/minio/sealed-secret.yaml new file mode 100644 index 0000000..4869434 --- /dev/null +++ b/minio/sealed-secret.yaml 
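Review bot: The `users:` list under `## List of users to be created after minio install` hard-codes a `consoleAdmin` account with `accessKey: console` / `secretKey: console123` in plaintext, while the root credentials in this same commit are routed through a SealedSecret, so anyone with read access to the repo gets a full-admin MinIO login. Use the chart's existing-secret form for that entry — `existingSecret: minio-console-user` and `existingSecretKey: secretKey` in place of `secretKey: console123` — and seal that secret the same way as `minio-default-credentials`, or drop the entry entirely if a root-equivalent console user is not needed. Separately, both `service.type` and `consoleService.type` are `LoadBalancer` while `tls.enabled: false` and `networkPolicy.enabled: false`, so the S3 API and the console are reachable from outside the cluster over plaintext HTTP; if external exposure is intended, enable `tls` (or front them with a TLS-terminating ingress) and restrict sources via `loadBalancerSourceRanges` or a network policy. The `nodePort: 80` under `consoleService` is outside the default NodePort range; it likely only takes effect when the service type is `NodePort`, so it appears to be dead configuration that is worth removing to avoid a surprise if the type is later changed.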
@@ -0,0 +1,15 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: minio-default-credentials
+ namespace: minio-ns
+spec:
+ encryptedData:
+ rootPassword: 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
+ rootUser: AgDUG6LKdvzJorlYnxlW6cnJaqrhQkumFheLwZTD3aRf8ufFqQaGM/IPyNXwhKj4YAlr17gSR9kzIhYnkrKwVq9rtzo/arm2hF4cDWwQEZlrfmkqZfAec4p81KvyYgL19fuhDOeiZQfuCHl0MvDw+j6AzAk6Q6bbNdjWElaRzNLzjRAM892OCS2pubzRPLJl2+/9Ny/lZ2ePmZHHdin7ca73aCrcO1PryrhqQxZRMM0iaNKjUGsY8WMeoNnayhJ34KbsEMDTtPkWXlZb2FGtJDafw0A0fNn19PlU7wN7HeMK05SPgp4Sjs9LFrHNBanjF/rKqInCSg2lN57bUcJcVotpXEt6rmTEySo2QhnfFAXafX6hfl/HHT9GSrya+vFLKNXVf8hxVZMRjXmNIi0N3obvHOqGIJFDiy4iWEwOdrn/yetHs8ctS+DrO4pNY1cz/6SzaBayqaPqcxIAWhCKxXtNWb6sHBpTRsXpwUFq2Hoc9idB1uTGOpmpSWl8awUUsanXv4Kb2sZkXNc3iCCwx6TBDLQ1fukISj4n30RcTFDqa++3Nxq1n1immNerX30PjMWewxlUvAm5O9kwcIplfk8iW9ii3gRlth0Qs8FGhbfrghz5xs8CIgxEhnrCRphNeIow3JT1wxGU0r/QKoQu8zgEz+TsNdCXmB8bnauYyrW6ANhZaWx/wGoB29j7mHWfvLsTIwB2Q8HeV4agwKXoGSsp
+ template:
+ metadata:
+ creationTimestamp: null
+ name: minio-default-credentials
+ namespace: minio-ns
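Review bot: This SealedSecret carries no `sealedsecrets.bitnami.com/cluster-wide` or `namespace-wide` annotation, so it was sealed in the default strict scope and is bound to exactly `name: minio-default-credentials` in `namespace: minio-ns`; renaming the resource or moving it to another namespace will make the controller refuse to unseal it, and the HelmRelease's `existingSecret: "minio-default-credentials"` will then point at a Secret that never appears. That constraint is worth recording at the top of the file, e.g. `# Sealed with strict scope: re-seal with kubeseal if the name or namespace changes.` The `template` leaves `type` unset, which produces an Opaque Secret whose `rootUser`/`rootPassword` data keys match the ones the chart reads from `existingSecret`, so nothing else needs to change here.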