parent
bf26752a16
commit
a390a2a2e1
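--- a/immich/immich-machine-learning-deployment.yaml
+++ b/immich/immich-machine-learning-deployment.yaml
@@ -0,0 +1,46 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: immich-machine-learning
+namespace: immich-ns
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: immich-machine-learning
+template:
+metadata:
+labels:
+app: immich-machine-learning
+spec:
+containers:
+- name: immich-machine-learning
+image: ghcr.io/immich-app/immich-machine-learning:release
+env:
+- name: UPLOAD_LOCATION
+value: /usr/src/app/upload
+- name: DB_HOSTNAME
+value: postgresql.postgresql-system.svc.cluster.local
+- name: DB_USERNAME
+valueFrom:
+secretKeyRef:
+name: immich-secret
+key: username
+- name: DB_PASSWORD
+valueFrom:
+secretKeyRef:
+name: immich-secret
+key: password
+- name: DB_DATABASE_NAME
+valueFrom:
+secretKeyRef:
+name: immich-secret
+key: database
+- name: REDIS_HOSTNAME
+value: redis-master.redis-system.svc.cluster.local
+volumeMounts:
+- name: model-cache
+mountPath: /cache
+volumes:
+- name: model-cache
+emptyDir: {}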
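Review bot: The container image is referenced by the floating tag `release` (`image: ghcr.io/immich-app/immich-machine-learning:release`), so what actually runs depends on when the node last pulled and a restart can bring in an image nobody reviewed; pin a version tag or, better, a digest (`image: ghcr.io/immich-app/immich-machine-learning:<version>@sha256:<digest>`). The same applies to `ghcr.io/immich-app/immich-server:release` in the microservices and server Deployments. None of the three pod specs sets a `securityContext` or `resources`, so the containers run with whatever user the image defaults to and without memory/CPU bounds; consider `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and explicit requests/limits once the images' requirements are confirmed. This container is also handed `DB_USERNAME`/`DB_PASSWORD`/`DB_DATABASE_NAME` from `immich-secret`; if the machine-learning service does not itself connect to PostgreSQL (not visible here), drop those entries so the credentials are mounted only where they are used.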
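--- a/immich/immich-microservices-deployment.yaml
+++ b/immich/immich-microservices-deployment.yaml
@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: immich-microservices
+namespace: immich-ns
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: immich-microservices
+template:
+metadata:
+labels:
+app: immich-microservices
+spec:
+containers:
+- name: immich-microservices
+image: ghcr.io/immich-app/immich-server:release
+args: ["start.sh", "microservices"]
+env:
+- name: UPLOAD_LOCATION
+value: /usr/src/app/upload
+- name: DB_VECTOR_EXTENSION
+value: pgvector
+- name: DB_HOSTNAME
+value: postgresql.postgresql-system.svc.cluster.local
+- name: DB_USERNAME
+valueFrom:
+secretKeyRef:
+name: immich-secret
+key: username
+- name: DB_PASSWORD
+valueFrom:
+secretKeyRef:
+name: immich-secret
+key: password
+- name: DB_DATABASE_NAME
+valueFrom:
+secretKeyRef:
+name: immich-secret
+key: database
+- name: REDIS_HOSTNAME
+value: redis-master.redis-system.svc.cluster.local
+- name: REDIS_PASSWORD
+valueFrom:
+secretKeyRef:
+name: redis-immich-secret
+key: REDIS_PASS
+volumeMounts:
+- name: upload-volume
+mountPath: /usr/src/app/upload
+volumes:
+- name: upload-volume
+persistentVolumeClaim:
+claimName: immich-library-pvc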
0
immich/immich-microservices-service.yaml
Normal file
0
immich/immich-microservices-service.yaml
Normal file
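--- a/immich/immich-pvc-library.yaml
+++ b/immich/immich-pvc-library.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+name: immich-library-pvc
+namespace: immich-ns
+spec:
+accessModes:
+- ReadWriteMany
+storageClassName: longhorn
+resources:
+requests:
+storage: 100Gi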
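--- a/immich/immich-server-deployment.yaml
+++ b/immich/immich-server-deployment.yaml
@@ -0,0 +1,57 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: immich-server
+namespace: immich-ns
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: immich-server
+template:
+metadata:
+labels:
+app: immich-server
+spec:
+containers:
+- name: immich-server
+image: ghcr.io/immich-app/immich-server:release
+args: ["start.sh", "immich"]
+ports:
+- containerPort: 3001
+env:
+- name: UPLOAD_LOCATION
+value: /usr/src/app/upload
+- name: DB_VECTOR_EXTENSION
+value: pgvector
+- name: DB_HOSTNAME
+value: postgresql.postgresql-system.svc.cluster.local
+- name: DB_USERNAME
+valueFrom:
+secretKeyRef:
+name: immich-secret
+key: username
+- name: DB_PASSWORD
+valueFrom:
+secretKeyRef:
+name: immich-secret
+key: password
+- name: DB_DATABASE_NAME
+valueFrom:
+secretKeyRef:
+name: immich-secret
+key: database
+- name: REDIS_HOSTNAME
+value: redis-master.redis-system.svc.cluster.local
+- name: REDIS_PASSWORD
+valueFrom:
+secretKeyRef:
+name: redis-immich-secret
+key: REDIS_PASS
+volumeMounts:
+- name: upload-volume
+mountPath: /usr/src/app/upload
+volumes:
+- name: upload-volume
+persistentVolumeClaim:
+claimName: immich-library-pvc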
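--- a/immich/immich-server-service.yaml
+++ b/immich/immich-server-service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+name: immich-server-service
+namespace: immich-ns
+spec:
+type: LoadBalancer
+ports:
+- port: 80
+targetPort: 3001
+selector:
+app: immich-server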
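Review bot: `type: LoadBalancer` with `port: 80` publishes immich-server directly over plain HTTP, so logins, session tokens and the photo library itself cross the network unencrypted unless something outside this manifest terminates TLS. If no such front end exists, make this `type: ClusterIP` and expose it through a TLS-terminating Ingress; if a LoadBalancer is required, narrow who can reach it with `loadBalancerSourceRanges`. A one-line comment above `type:` saying where TLS is terminated would make the intended exposure reviewable.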
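--- a/immich/redis-secret.yaml
+++ b/immich/redis-secret.yaml
@@ -0,0 +1,14 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+creationTimestamp: null
+name: redis-immich-secret
+namespace: immich-ns
+spec:
+encryptedData:
+REDIS_PASS: 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
+template:
+metadata:
+creationTimestamp: null
+name: redis-immich-secret
+namespace: immich-ns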
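--- a/immich/sealed-secret.yaml
+++ b/immich/sealed-secret.yaml
@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+creationTimestamp: null
+name: immich-secret
+namespace: immich-ns
+spec:
+encryptedData:
+database: 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
+password: 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
+username: 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
+template:
+metadata:
+creationTimestamp: null
+name: immich-secret
+namespace: immich-ns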
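--- a/minio/helmrelease-minio.yaml
+++ b/minio/helmrelease-minio.yaml
@@ -0,0 +1,564 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+name: minio
+namespace: minio-ns
+spec:
+chart:
+spec:
+chart: minio
+sourceRef:
+kind: HelmRepository
+name: minio
+namespace: flux-system
+interval: 15m0s
+timeout: 5m
+releaseName: minio
+values:
+## Provide a name in place of minio for `app:` labels
+##
+nameOverride: ""
+
+## Provide a name to substitute for the full names of resources
+##
+fullnameOverride: ""
+
+## set kubernetes cluster domain where minio is running
+##
+clusterDomain: cluster.local
+
+## Set default image, imageTag, and imagePullPolicy. mode is used to indicate the
+##
+image:
+repository: quay.io/minio/minio
+tag: RELEASE.2023-09-30T07-02-29Z
+pullPolicy: IfNotPresent
+
+imagePullSecrets: []
+# - name: "image-pull-secret"
+
+## Set default image, imageTag, and imagePullPolicy for the `mc` (the minio
+## client used to create a default bucket).
+##
+mcImage:
+repository: quay.io/minio/mc
+tag: RELEASE.2023-09-29T16-41-22Z
+pullPolicy: IfNotPresent
+
+## minio mode, i.e. standalone or distributed
+mode: standalone ## other supported values are "standalone"
+
+## Additional labels to include with deployment or statefulset
+additionalLabels: {}
+
+## Additional annotations to include with deployment or statefulset
+additionalAnnotations: {}
+
+## Typically the deployment/statefulset includes checksums of secrets/config,
+## So that when these change on a subsequent helm install, the deployment/statefulset
+## is restarted. This can result in unnecessary restarts under GitOps tooling such as
+## flux, so set to "true" to disable this behaviour.
+ignoreChartChecksums: false
+
+## Additional arguments to pass to minio binary
+extraArgs: []
+
+## Additional volumes to minio container
+extraVolumes: []
+
+## Additional volumeMounts to minio container
+extraVolumeMounts: []
+
+## Additional sidecar containers
+extraContainers: []
+
+## Internal port number for MinIO S3 API container
+## Change service.port to change external port number
+minioAPIPort: "9000"
+
+## Internal port number for MinIO Browser Console container
+## Change consoleService.port to change external port number
+minioConsolePort: "9001"
+
+## Update strategy for Deployments
+deploymentUpdate:
+type: RollingUpdate
+maxUnavailable: 0
+maxSurge: 100%
+
+## Update strategy for StatefulSets
+statefulSetUpdate:
+updateStrategy: RollingUpdate
+
+## Pod priority settings
+## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+##
+priorityClassName: ""
+
+## Pod runtime class name
+## ref https://kubernetes.io/docs/concepts/containers/runtime-class/
+##
+runtimeClassName: ""
+
+## Set default rootUser, rootPassword
+## AccessKey and secretKey is generated when not set
+## Distributed MinIO ref: https://min.io/docs/minio/linux/operations/install-deploy-manage/deploy-minio-multi-node-multi-drive.html
+##
+#rootUser: ""
+#rootPassword: ""
+#
+
+## Use existing Secret that store following variables:
+##
+## | Chart var | .data.<key> in Secret |
+## |:----------------------|:-------------------------|
+## | rootUser | rootUser |
+## | rootPassword | rootPassword |
+##
+## All mentioned variables will be ignored in values file.
+## .data.rootUser and .data.rootPassword are mandatory,
+## others depend on enabled status of corresponding sections.
+existingSecret: "minio-default-credentials"
+
+## Directory on the MinIO pof
+certsPath: "/etc/minio/certs/"
+configPathmc: "/etc/minio/mc/"
+
+## Path where PV would be mounted on the MinIO Pod
+mountPath: "/export"
+## Override the root directory which the minio server should serve from.
+## If left empty, it defaults to the value of {{ .Values.mountPath }}
+## If defined, it must be a sub-directory of the path specified in {{ .Values.mountPath }}
+##
+bucketRoot: ""
+
+# Number of drives attached to a node
+drivesPerNode: 1
+# Number of MinIO containers running
+replicas: 1
+# Number of expanded MinIO clusters
+pools: 1
+
+## TLS Settings for MinIO
+tls:
+enabled: false
+## Create a secret with private.key and public.crt files and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
+certSecret: ""
+publicCrt: public.crt
+privateKey: private.key
+
+## Trusted Certificates Settings for MinIO. Ref: https://min.io/docs/minio/linux/operations/network-encryption.html#third-party-certificate-authorities
+## Bundle multiple trusted certificates into one secret and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
+## When using self-signed certificates, remember to include MinIO's own certificate in the bundle with key public.crt.
+## If certSecret is left empty and tls is enabled, this chart installs the public certificate from .Values.tls.certSecret.
+trustedCertsSecret: ""
+
+## Enable persistence using Persistent Volume Claims
+## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+##
+persistence:
+enabled: true
+#annotations: {}
+
+## A manually managed Persistent Volume and Claim
+## Requires persistence.enabled: true
+## If defined, PVC must be created manually before volume will be bound
+#existingClaim: ""
+
+## minio data Persistent Volume Storage Class
+## If defined, storageClassName: <storageClass>
+## If set to "-", storageClassName: "", which disables dynamic provisioning
+## If undefined (the default) or set to null, no storageClassName spec is
+## set, choosing the default provisioner. (gp2 on AWS, standard on
+## GKE, AWS & OpenStack)
+##
+## Storage class of PV to bind. By default it looks for standard storage class.
+## If the PV uses a different storage class, specify that here.
+storageClass: "longhorn"
+#volumeName: ""
+accessMode: ReadWriteOnce
+size: 30Gi
+
+## If subPath is set mount a sub folder of a volume instead of the root of the volume.
+## This is especially handy for volume plugins that don't natively support sub mounting (like glusterfs).
+##
+subPath: ""
+
+## Expose the MinIO service to be accessed from outside the cluster (LoadBalancer service).
+## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it.
+## ref: http://kubernetes.io/docs/user-guide/services/
+##
+service:
+type: LoadBalancer
+clusterIP: ~
+port: "9000"
+nodePort: 9000
+loadBalancerIP: ~
+externalIPs: []
+annotations: {}
+
+## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/
+##
+
+ingress:
+enabled: false
+ingressClassName: ~
+labels: {}
+# node-role.kubernetes.io/ingress: platform
+annotations: {}
+# kubernetes.io/ingress.class: nginx
+# kubernetes.io/tls-acme: "true"
+# kubernetes.io/ingress.allow-http: "false"
+# kubernetes.io/ingress.global-static-ip-name: ""
+# nginx.ingress.kubernetes.io/secure-backends: "true"
+# nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+# nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0
+path: /
+hosts:
+- minio-example.local
+tls: []
+# - secretName: chart-example-tls
+# hosts:
+# - chart-example.local
+
+consoleService:
+type: LoadBalancer
+clusterIP: ~
+port: "9001"
+nodePort: 80
+loadBalancerIP: ~
+externalIPs: []
+annotations: {}
+
+consoleIngress:
+enabled: false
+ingressClassName: ~
+labels: {}
+# node-role.kubernetes.io/ingress: platform
+annotations: {}
+# kubernetes.io/ingress.class: nginx
+# kubernetes.io/tls-acme: "true"
+# kubernetes.io/ingress.allow-http: "false"
+# kubernetes.io/ingress.global-static-ip-name: ""
+# nginx.ingress.kubernetes.io/secure-backends: "true"
+# nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+# nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0
+path: /
+hosts:
+- console.minio-example.local
+tls: []
+# - secretName: chart-example-tls
+# hosts:
+# - chart-example.local
+
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+tolerations: []
+affinity: {}
+topologySpreadConstraints: []
+
+## Add stateful containers to have security context, if enabled MinIO will run as this
+## user and group NOTE: securityContext is only enabled if persistence.enabled=true
+securityContext:
+enabled: true
+runAsUser: 1000
+runAsGroup: 1000
+fsGroup: 1000
+fsGroupChangePolicy: "OnRootMismatch"
+
+# Additational pod annotations
+podAnnotations: {}
+
+# Additional pod labels
+podLabels: {}
+
+## Configure resource requests and limits
+## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+##
+resources:
+requests:
+memory: 16Gi
+
+## List of policies to be created after minio install
+##
+## In addition to default policies [readonly|readwrite|writeonly|consoleAdmin|diagnostics]
+## you can define additional policies with custom supported actions and resources
+policies: []
+## writeexamplepolicy policy grants creation or deletion of buckets with name
+## starting with example. In addition, grants objects write permissions on buckets starting with
+## example.
+# - name: writeexamplepolicy
+# statements:
+# - effect: Allow # this is the default
+# resources:
+# - 'arn:aws:s3:::example*/*'
+# actions:
+# - "s3:AbortMultipartUpload"
+# - "s3:GetObject"
+# - "s3:DeleteObject"
+# - "s3:PutObject"
+# - "s3:ListMultipartUploadParts"
+# - resources:
+# - 'arn:aws:s3:::example*'
+# actions:
+# - "s3:CreateBucket"
+# - "s3:DeleteBucket"
+# - "s3:GetBucketLocation"
+# - "s3:ListBucket"
+# - "s3:ListBucketMultipartUploads"
+## readonlyexamplepolicy policy grants access to buckets with name starting with example.
+## In addition, grants objects read permissions on buckets starting with example.
+# - name: readonlyexamplepolicy
+# statements:
+# - resources:
+# - 'arn:aws:s3:::example*/*'
+# actions:
+# - "s3:GetObject"
+# - resources:
+# - 'arn:aws:s3:::example*'
+# actions:
+# - "s3:GetBucketLocation"
+# - "s3:ListBucket"
+# - "s3:ListBucketMultipartUploads"
+## conditionsexample policy creates all access to example bucket with aws:username="johndoe" and source ip range 10.0.0.0/8 and 192.168.0.0/24 only
+# - name: conditionsexample
+# statements:
+# - resources:
+# - 'arn:aws:s3:::example/*'
+# actions:
+# - 's3:*'
+# conditions:
+# - StringEquals: '"aws:username": "johndoe"'
+# - IpAddress: |
+# "aws:SourceIp": [
+# "10.0.0.0/8",
+# "192.168.0.0/24"
+# ]
+#
+## Additional Annotations for the Kubernetes Job makePolicyJob
+makePolicyJob:
+securityContext:
+enabled: false
+runAsUser: 1000
+runAsGroup: 1000
+resources:
+requests:
+memory: 128Mi
+# Command to run after the main command on exit
+exitCommand: ""
+
+## List of users to be created after minio install
+##
+users:
+## Username, password and policy to be assigned to the user
+## Default policies are [readonly|readwrite|writeonly|consoleAdmin|diagnostics]
+## Add new policies as explained here https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management.html#access-management
+## NOTE: this will fail if LDAP is enabled in your MinIO deployment
+## make sure to disable this if you are using LDAP.
+- accessKey: console
+secretKey: console123
+policy: consoleAdmin
+# Or you can refer to specific secret
+#- accessKey: externalSecret
+# existingSecret: my-secret
+# existingSecretKey: password
+# policy: readonly
+
+## Additional Annotations for the Kubernetes Job makeUserJob
+makeUserJob:
+securityContext:
+enabled: false
+runAsUser: 1000
+runAsGroup: 1000
+resources:
+requests:
+memory: 128Mi
+# Command to run after the main command on exit
+exitCommand: ""
+
+## List of service accounts to be created after minio install
+##
+svcaccts: []
+## accessKey, secretKey and parent user to be assigned to the service accounts
+## Add new service accounts as explained here https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management/minio-user-management.html#service-accounts
+# - accessKey: console-svcacct
+# secretKey: console123
+# user: console
+## Or you can refer to specific secret
+# - accessKey: externalSecret
+# existingSecret: my-secret
+# existingSecretKey: password
+# user: console
+## You also can pass custom policy
+# - accessKey: console-svcacct
+# secretKey: console123
+# user: console
+# policy:
+# statements:
+# - resources:
+# - 'arn:aws:s3:::example*/*'
+# actions:
+# - "s3:AbortMultipartUpload"
+# - "s3:GetObject"
+# - "s3:DeleteObject"
+# - "s3:PutObject"
+# - "s3:ListMultipartUploadParts"
+
+makeServiceAccountJob:
+securityContext:
+enabled: false
+runAsUser: 1000
+runAsGroup: 1000
+resources:
+requests:
+memory: 128Mi
+# Command to run after the main command on exit
+exitCommand: ""
+
+## List of buckets to be created after minio install
+##
+buckets: []
+# # Name of the bucket
+# - name: bucket1
+# # Policy to be set on the
+# # bucket [none|download|upload|public]
+# policy: none
+# # Purge if bucket exists already
+# purge: false
+# # set versioning for
+# # bucket [true|false]
+# versioning: false
+# # set objectlocking for
+# # bucket [true|false] NOTE: versioning is enabled by default if you use locking
+# objectlocking: false
+# - name: bucket2
+# policy: none
+# purge: false
+# versioning: true
+# # set objectlocking for
+# # bucket [true|false] NOTE: versioning is enabled by default if you use locking
+# objectlocking: false
+
+## Additional Annotations for the Kubernetes Job makeBucketJob
+makeBucketJob:
+securityContext:
+enabled: false
+runAsUser: 1000
+runAsGroup: 1000
+resources:
+requests:
+memory: 128Mi
+# Command to run after the main command on exit
+exitCommand: ""
+
+## List of command to run after minio install
+## NOTE: the mc command TARGET is always "myminio"
+customCommands:
+# - command: "admin policy attach myminio consoleAdmin --group='cn=ops,cn=groups,dc=example,dc=com'"
+
+## Additional Annotations for the Kubernetes Job customCommandJob
+customCommandJob:
+securityContext:
+enabled: false
+runAsUser: 1000
+runAsGroup: 1000
+resources:
+requests:
+memory: 128Mi
+# Command to run after the main command on exit
+exitCommand: ""
+
+## Merge jobs
+postJob:
+podAnnotations: {}
+annotations: {}
+securityContext:
+enabled: false
+runAsUser: 1000
+runAsGroup: 1000
+fsGroup: 1000
+nodeSelector: {}
+tolerations: []
+affinity: {}
+
+## Use this field to add environment variables relevant to MinIO server. These fields will be passed on to MinIO container(s)
+## when Chart is deployed
+environment:
+## Please refer for comprehensive list https://min.io/docs/minio/linux/reference/minio-server/minio-server.html
+## MINIO_SUBNET_LICENSE: "License key obtained from https://subnet.min.io"
+## MINIO_BROWSER: "off"
+
+## The name of a secret in the same kubernetes namespace which contain secret values
+## This can be useful for LDAP password, etc
+## The key in the secret must be 'config.env'
+##
+extraSecret: ~
+
+## OpenID Identity Management
+## The following section documents environment variables for enabling external identity management using an OpenID Connect (OIDC)-compatible provider.
+## See https://min.io/docs/minio/linux/operations/external-iam/configure-openid-external-identity-management.html for a tutorial on using these variables.
+oidc:
+enabled: false
+configUrl: "https://identity-provider-url/.well-known/openid-configuration"
+clientId: "minio"
+clientSecret: ""
+# Provide existing client secret from the Kubernetes Secret resource, existing secret will have priority over `clientSecret`
+existingClientSecretName: ""
+existingClientSecretKey: ""
+claimName: "policy"
+scopes: "openid,profile,email"
+redirectUri: "https://console-endpoint-url/oauth_callback"
+# Can leave empty
+claimPrefix: ""
+comment: ""
+
+networkPolicy:
+enabled: false
+allowExternal: true
+
+## PodDisruptionBudget settings
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+##
+podDisruptionBudget:
+enabled: false
+maxUnavailable: 1
+
+## Specify the service account to use for the MinIO pods. If 'create' is set to 'false'
+## and 'name' is left unspecified, the account 'default' will be used.
+serviceAccount:
+create: true
+## The name of the service account to use. If 'create' is 'true', a service account with that name
+## will be created.
+name: "minio-sa"
+
+metrics:
+serviceMonitor:
+enabled: false
+# scrape each node/pod individually for additional metrics
+includeNode: false
+public: true
+additionalLabels: {}
+annotations: {}
+# for node metrics
+relabelConfigs: {}
+# for cluster metrics
+relabelConfigsCluster: {}
+# metricRelabelings:
+# - regex: (server|pod)
+# action: labeldrop
+namespace: ~
+# Scrape interval, for example `interval: 30s`
+interval: ~
+# Scrape timeout, for example `scrapeTimeout: 10s`
+scrapeTimeout: ~
+
+## ETCD settings: https://github.com/minio/minio/blob/master/docs/sts/etcd.md
+## Define endpoints to enable this section.
+etcd:
+endpoints: []
+pathPrefix: ""
+corednsPathPrefix: ""
+clientCert: ""
+clientCertKey: ""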
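Review bot: The `users:` list still carries the chart's sample account (`accessKey: console`, `secretKey: console123`, `policy: consoleAdmin`), so a console administrator with a publicly documented password is created from plaintext in Git even though the root credentials were moved into the `minio-default-credentials` SealedSecret. The exposure is widened by `service.type` and `consoleService.type` both being `LoadBalancer` while `tls.enabled: false` and `networkPolicy.enabled: false`. Either set `users: []`, or keep the entry and replace the `secretKey` line with `existingSecret: <sealed-secret-name>` and `existingSecretKey: <key>`, as the commented example directly below it shows. Separately, the chart reference under `spec.chart.spec` has no `version:`, so Flux follows whatever chart version the repository serves; pinning one (`version: "<chart-version>"`) keeps upgrades reviewable. `nodePort: 9000` and `nodePort: 80` are outside the default NodePort range and would be rejected if the chart applies them to these Services, which is worth checking against the rendered manifests.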
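--- a/minio/sealed-secret.yaml
+++ b/minio/sealed-secret.yaml
@@ -0,0 +1,15 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+creationTimestamp: null
+name: minio-default-credentials
+namespace: minio-ns
+spec:
+encryptedData:
+rootPassword: 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
+rootUser: 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
+template:
+metadata:
+creationTimestamp: null
+name: minio-default-credentials
+namespace: minio-ns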