Dont use bitnami/minio helm chart

2023-04-14 20:17:25 -04:00 · 2023-04-14 20:17:25 -04:00 · 5228ee74a5
parent 4b97aa3573
commit 5228ee74a5
4 changed files with 98 additions and 50 deletions
--- a/cluster/apps/database/minio/helm-release.yaml
+++ b/cluster/apps/database/minio/helm-release.yaml
@ -7,29 +7,105 @@ spec:
  interval: 5m
  chart:
    spec:
-      chart: minio
-      version: 12.2.x
+      chart: app-template
+      version: 1.3.x
      sourceRef:
        kind: HelmRepository
-        name: bitnami-charts
+        name: bjws-charts
        namespace: flux-system
+        
  values:
-    auth:
-      existingSecret: "minio-secret"
+    image:
+      repository: quay.io/minio/minio
+      tag: RELEASE.2023-04-13T03-08-07Z
+    env:
+      TZ: "America/New_York"
+      MINIO_UPDATE: "off"
+      MINIO_BROWSER_REDIRECT_URL: "https://minio.${SECRET_DOMAIN}"
+      MINIO_SERVER_URL: "https://s3.${SECRET_DOMAIN}"
+    envFrom:
+      - secretRef:
+          name: minio-secret
+    
+    args: ["server", "/data", "--console-address", ":9001"]
+
+    service:
+      main:
+        enabled: true
+        ports:
+          http:
+            port: &console-port 9001
+          api:
+            enabled: true
+            port: &api-port 9000
+            
+    probes:
+      liveness: &probes
+        enabled: true
+        custom: true
+        spec:
+          httpGet:
+            path: /minio/health/live
+            port: *api-port
+          initialDelaySeconds: 0
+          periodSeconds: 10
+          timeoutSeconds: 1
+          failureThreshold: 3
+      readiness: *probes
+      startup:
+        enabled: false

    ingress:
-      enabled: true
-      hostname: "minio.${SECRET_NEW_DOMAIN}"
+      main:
+        enabled: true
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-production
+          traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        hosts:
+          - host: &console-host minio.${SECRET_NEW_DOMAIN}
+            paths:
+              - path: /
+                pathType: Prefix
+                service:
+                  port: *console-port
+        tls:
+          - hosts:
+              - *console-host
+            secretName: wildcard-main-tls
            
-    apiIngress:
-      enabled: true
-      hostname: "s3.${SECRET_NEW_DOMAIN}"
+      s3:
+        enabled: true
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-production
+          traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        hosts:
+          - host: &api-host s3.${SECRET_NEW_DOMAIN}
+            paths:
+              - path: /
+                pathType: Prefix
+                service:
+                  port: *api-port
+        tls:
+          - hosts:
+              - *api-host
+            secretName: wildcard-main-tls

-    tls:
-      enabled: true
-      existingSecret: "wildcard-main-tls"
+    podSecurityContext:
+      runAsUser: 1024
+      runAsGroup: 100
+      fsGroup: 100
+      fsGroupChangePolicy: "OnRootMismatch"
    
-    # Note: This is only available in standalone mode, not in distributed mode
    persistence:
-      existingClaim: "postgresql-pv-claim"
+      storage:
+        enabled: true
+        type: hostPath
+        hostPath: /mnt/MainPool/Kubernetes/minio
+        mountPath: /data
    
+    resources:
+      requests:
+        memory: 100Mi
+        cpu: 10m
+      limits:
+        memory: 750Mi
--- a/cluster/apps/database/minio/kustomization.yaml
+++ b/cluster/apps/database/minio/kustomization.yaml
@ -2,5 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./minio.sops.yaml
- ./minio-pv.yaml
 - ./helm-release.yaml
--- a/cluster/apps/database/minio/minio-pv.yaml
+++ b/cluster/apps/database/minio/minio-pv.yaml
@ -1,27 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: minio-pv
-  namespace: database
-spec:
-  storageClassName: hostpath
-  persistentVolumeReclaimPolicy: Retain
-  capacity:
-    storage: 100Gi
-  accessModes:
-    - ReadWriteOnce
-  hostPath:
-    path: "/mnt/MainPool/Kubernetes/databases/minio"
---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: minio-pv-claim
-  namespace: database
-spec:
-  storageClassName: hostpath
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 100Gi
--- a/cluster/apps/database/minio/minio.sops.yaml
+++ b/cluster/apps/database/minio/minio.sops.yaml
@ -4,16 +4,16 @@ metadata:
    name: minio-secret
    namespace: database
 stringData:
-    root-user: ENC[AES256_GCM,data:eISjlQ==,iv:eNbddpAADIvhx6kNBsFClGygmwUgZmZvwHNSDtijvts=,tag:fdF4nAR3UpwAOO4dF6Vc4Q==,type:str]
-    root-password: ENC[AES256_GCM,data:BRpms+OcNHActb4=,iv:pWW7zgYZJ/PKORDKsQ5XuxLczPxnMFsprvq5kqANLrY=,tag:mZf+ul4HlACducRJyPkNHA==,type:str]
+    MINIO_ROOT_USER: ENC[AES256_GCM,data:xEqc/w==,iv:QNJlfvs/uIWuTZ5i/OuGKRvK0iYhbO2bMI9oufCYQAI=,tag:Ck6DVPTcqcDpuM1SUBl+xA==,type:str]
+    MINIO_ROOT_PASSWORD: ENC[AES256_GCM,data:G83RzKMZ8L7F4e0=,iv:UidYzq8QTNX0/xTGcozEI8kvKJD8g58g2Z45Pihtpmw=,tag:UhnngTLbV3ZWK+4jF2hQQw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
-    lastmodified: "2023-04-14T23:37:34Z"
-    mac: ENC[AES256_GCM,data:QnKfDtijgkqz3X1E0T9Fb/okOqORHUAmWwbWPBal93CrPbHRYv8y6gUglxVo9hrItG06y187RbNz76uWyqpTIeNZr1nW84f9jf/74vSNmi3NiCGH+Ztu9AkpY14qZlKg8k9MwSV3hXspZae2UqJTWMAm96jTexGI/uGrUOZz1iI=,iv:oe5OgYpR8yFVOATzEC9wCiE/YuZgRJyWnWHzia/Dlyg=,tag:ZCMd0JsNMDMQFG/eQFPTIg==,type:str]
+    lastmodified: "2023-04-15T00:16:34Z"
+    mac: ENC[AES256_GCM,data:evOpEk01hJma7fD46PpjXtIeMJ2vLrMEdC4J08djTAFLFZ5R0xCzx7Q1LqpUYYbD6+/Np7KgS8J5Y3vG3XR+IBKJOa5e3Td8ark9ZX9uyeAs6OY/knBg/N8CaArAktb4ZKVAjd5qH3K+jex9NOKQMc05NnCfrxweMGI7GZMJ75c=,iv:jWERVLB3gHD1Dli3K4qKP1C4iSsSs2h6VBVsgIKSzmY=,tag:+wVUGRkMx1FRX/1/wLRVkg==,type:str]
    pgp:
        - created_at: "2023-04-07T01:57:22Z"
          enc: |