feat(minio): setup on kube-nas #2007

kubernetes/kube-nas/apps/minio-system/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./namespace.yaml
+  - ./minio/flux-sync.yaml

kubernetes/kube-nas/apps/minio-system/minio/app/helm-release.yaml

@@ -0,0 +1,132 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: minio
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.3.2
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s-charts
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  values:
+    controllers:
+      minio:
+        annotations:
+          reloader.stakater.com/auto: "true"
+        containers:
+          app:
+            image:
+              repository: quay.io/minio/minio
+              tag: RELEASE.2024-07-31T05-46-26Z@sha256:9eea83a4e1425067e7b768397756efad19d36fc1c710808b8e1072236e8806c7
+            env:
+              MINIO_API_CORS_ALLOW_ORIGIN: https://minio.tyriis.dev,https://s3.tyriis.dev
+              MINIO_BROWSER_REDIRECT_URL: https://minio.tyriis.dev
+              MINIO_PROMETHEUS_JOB_ID: minio
+              MINIO_PROMETHEUS_URL: https://prometheus.techtales.io
+              MINIO_PROMETHEUS_AUTH_TYPE: public
+              MINIO_SERVER_URL: https://s3.tyriis.dev
+              MINIO_STORAGE_CLASS_RRS: EC:0
+              MINIO_STORAGE_CLASS_STANDARD: EC:0
+              MINIO_UPDATE: "off"
+            envFrom:
+              - secretRef:
+                  name: minio-env
+            args: ["server", "/data", "--console-address", ":9001"]
+            probes:
+              liveness: &probes
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /minio/health/live
+                    port: 9000
+                  initialDelaySeconds: 30
+                  periodSeconds: 30
+                  timeoutSeconds: 10
+                  failureThreshold: 6
+              readiness: *probes
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities: { drop: ["ALL"] }
+            resources:
+              requests:
+                cpu: 100m
+              limits:
+                memory: 2Gi
+    defaultPodOptions:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 568
+        runAsGroup: 568
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        supplementalGroups: [10000]
+        seccompProfile: { type: RuntimeDefault }
+    service:
+      app:
+        controller: minio
+        ports:
+          http:
+            port: 9001
+          s3:
+            port: 9000
+    # serviceMonitor:
+    #   app:
+    #     serviceName: minio
+    #     endpoints:
+    #       - port: s3
+    #         scheme: http
+    #         path: /minio/v2/metrics/cluster
+    #         interval: 1m
+    #         scrapeTimeout: 10s
+    ingress:
+      app:
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-production
+          kubernetes.io/tls-acme: "true"
+          nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+          nginx.ingress.kubernetes.io/ssl-redirect: "true"
+        className: internal
+        hosts:
+          - host: &host1 "{{ .Release.Name }}.tyriis.dev"
+            paths:
+              - path: /
+                service:
+                  identifier: app
+                  port: http
+          - host: &host2 s3.tyriis.dev
+            paths:
+              - path: /
+                service:
+                  identifier: app
+                  port: s3
+        tls:
+          - hosts:
+              - *host1
+              - *host2
+            secretName: "{{ .Release.Name }}-tls"
+    persistence:
+      data:
+        type: persistentVolumeClaim
+        accessMode: ReadWriteOnce
+        size: 100Gi
+        storageClass: openebs-hostpath
+        advancedMounts:
+          syncthing:
+            app:
+              - path: /data

kubernetes/kube-nas/apps/minio-system/minio/app/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./secrets.sops.yaml
+  - ./helm-release.yaml

kubernetes/kube-nas/apps/minio-system/minio/app/secrets.sops.yaml

@@ -0,0 +1,28 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+    name: minio-env
+stringData:
+    MINIO_ROOT_USER: ENC[AES256_GCM,data:v7psJAGwot7+hg==,iv:hP6f0P0F5eDuNnixg622ZdB+jeoEuQkWtaIHvMMYtGA=,tag:r7jrBItaB0MT+JVapXcvTA==,type:str]
+    MINIO_ROOT_PASSWORD: ENC[AES256_GCM,data:zsuCm9SGevz7UA==,iv:9p4F0PGRtL7UGR5LfCrMO2+si5gTyGq9KwawRwk4IX8=,tag:otnMUDLHWEAtD/31CaLtRg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1clg0rd6ca86h3lnfnjyqsc9stgr0cnyp3l5uswtusxppjq9h2vcsaqckec
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkUzRWUkxIMnA1Nm5MSFVP
+            anliQ3F3R1VyWVVNak5mUm5ST3dsSnFRY1hrCkpONU50NGsyUWlhNkYyL3lqN1h5
+            VXdSZ0g2NnFsS0loMERMWmZIbGdob28KLS0tIE83RHBlY2FYd0F0YklBRThQd2tl
+            TVM4dVYwY3ExYkIxSmJoK3V5VEJNQ2MKs9lDocwW5M7BmdvfvOABbjuffo16CJok
+            djKyN7RS86g3cstMR5X4uKoC+UFS6F4+xkNVtJoc6mZS71ZN4RU2/w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-08-05T21:09:48Z"
+    mac: ENC[AES256_GCM,data:8tP8lBAril8ZJluPI4a+Eim65ZF6v0+c1XI0e1vsStZ4SdLTEeY933fHmurRO9qD9H9JDopQdxfKfnxbNMkldwz+ycqOgWyWIeh3s/iXbulaG48e9CnPW6mPU+soLo8cTHxpWpEFYnC23Vui0vRt/Mzt+BgbpeRQGIQJDSSIsi8=,iv:O5G5Hnqqa7931GuyO60z1YJ2ncioBx6qNfzIBacn/98=,tag:T8sekJ8jXgQmmuMscSQqLQ==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.1

kubernetes/kube-nas/apps/minio-system/minio/flux-sync.yaml

@@ -0,0 +1,21 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app minio
+  namespace: flux-system
+spec:
+  targetNamespace: minio-system
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/kube-nas/apps/minio-system/minio/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

kubernetes/kube-nas/apps/minio-system/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: minio-system
+  labels:
+    kustomize.toolkit.fluxcd.io/prune: disabled