(app) add minio

dexter136 · Apr 13, 2024 · b75c9a3 · b75c9a3
1 parent ecc3cc0
commit b75c9a3
Show file tree

Hide file tree

Showing 6 changed files with 178 additions and 0 deletions.
diff --git a/300-cluster-software/global-secrets/files/secret-generator/config.yaml b/300-cluster-software/global-secrets/files/secret-generator/config.yaml
@@ -37,6 +37,20 @@
       length: 32
       special: false
 
+# Minio
+- name: minio.password
+  data:
+    - key: password
+      length: 32
+      special: false
+
+- name: minio.user
+  data:
+    - key: password
+      length: 32
+      special: false
+
+
 #Sonarr
 - name: sonarr.api
   data:

diff --git a/300-cluster-software/ingress-nginx/values.yaml b/300-cluster-software/ingress-nginx/values.yaml
@@ -1,6 +1,18 @@
 ingress-nginx:
   controller:
     allowSnippetAnnotations: true
+    config:
+      enable-brotli: "true"
+      enable-ocsp: "true"
+      enable-real-ip: "true"
+      hide-headers: Server,X-Powered-By
+      hsts-max-age: 31449600
+      keep-alive-requests: 10000
+      keep-alive: 120
+      proxy-body-size: 0
+      proxy-buffer-size: 16k
+      ssl-protocols: TLSv1.3 TLSv1.2
+      use-forwarded-headers: "true"
     admissionWebhooks:
       timeoutSeconds: 30
     metrics:

diff --git a/300-cluster-software/minio/Chart.yaml b/300-cluster-software/minio/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: minio
+version: 0.0.0
+dependencies:
+  - name: app-template
+    version: 3.1.0
+    repository: https://bjw-s.github.io/helm-charts
diff --git a/300-cluster-software/minio/templates/externalsecret.yaml b/300-cluster-software/minio/templates/externalsecret.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: minio
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: global-secrets
+  target:
+    name: minio
+    template:
+      engineVersion: v2
+      data:
+        MINIO_ROOT_USER: "{{ `{{ .MINIO_ROOT_USER }}` }}"
+        MINIO_ROOT_PASSWORD: "{{ `{{ .MINIO_ROOT_PASSWORD }}` }}"
+  data:
+    - secretKey: MINIO_ROOT_PASSWORD
+      remoteRef:
+        key: minio.password
+        property: password
+    - secretKey: MINIO_ROOT_USER
+      remoteRef:
+        key: minio.user
+        property: password
diff --git a/300-cluster-software/minio/templates/pvc.yaml b/300-cluster-software/minio/templates/pvc.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: minio
+spec:
+  accessModes:
+    - "ReadWriteOnce"
+  storageClassName: "longhorn"
+  resources:
+    requests:
+      storage: "20Gi"
diff --git a/300-cluster-software/minio/values.yaml b/300-cluster-software/minio/values.yaml
@@ -0,0 +1,108 @@
+app-template:
+  controllers:
+    minio:
+      annotations:
+        reloader.stakater.com/auto: "true"
+      containers:
+        app:
+          image:
+            repository: quay.io/minio/minio
+            tag: RELEASE.2024-04-06T05-26-02Z
+          env:
+            TZ: America/New_York
+            MINIO_UPDATE: "off"
+            MINIO_PROMETHEUS_URL: http://kube-prometheus-stack-prometheus.monitoring:9090
+            MINIO_PROMETHEUS_JOB_ID: minio
+            MINIO_PROMETHEUS_AUTH_TYPE: public
+            MINIO_BROWSER_REDIRECT_URL: https://minio.dex136.xyz
+            MINIO_SERVER_URL: https://s3.dex136.xyz
+            MINIO_API_CORS_ALLOW_ORIGIN: https://minio.dex136.xyz,https://s3.dex136.xyz
+          envFrom:
+            - secretRef:
+                name: minio
+          args: ["server", "/data", "--console-address", ":9001"]
+          probes:
+            liveness: &probes
+              enabled: true
+              custom: true
+              spec:
+                httpGet:
+                  path: /minio/health/live
+                  port: &api-port 9000
+                initialDelaySeconds: 0
+                periodSeconds: 10
+                timeoutSeconds: 1
+                failureThreshold: 3
+            readiness: *probes
+          resources:
+            requests:
+              memory: 100Mi
+              cpu: 50m
+            limits:
+              memory: 750Mi
+      pod:
+        securityContext:
+          runAsUser: 103
+          runAsGroup: 103
+          fsGroup: 103
+          fsGroupChangePolicy: OnRootMismatch
+  service:
+    app:
+      controller: minio
+      ports:
+        http:
+          primary: true
+          port: 9001
+        api:
+          port: *api-port
+  serviceMonitor:
+    app:
+      serviceName: minio
+      endpoints:
+        - port: api
+          scheme: http
+          path: /minio/v2/metrics/cluster
+          interval: 1m
+          scrapeTimeout: 10s
+  ingress:
+    app:
+      className: nginx
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt-prod
+        hajimari.io/icon: "pail"
+        hajimari.io/enable: "true"
+      hosts:
+        - host: &console-host "minio.dex136.xyz"
+          paths:
+            - path: /
+              service:
+                identifier: app
+                port: http
+      tls:
+        - hosts: [*console-host]
+          secretName: minio-tls-certificate
+    s3:
+      className: nginx
+      annotations:
+        hajimari.io/enable: "false"
+        cert-manager.io/cluster-issuer: letsencrypt-prod
+        nginx.ingress.kubernetes.io/proxy-connect-timeout: "180"
+        nginx.ingress.kubernetes.io/proxy-body-size: 1024m
+        nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
+        nginx.ingress.kubernetes.io/configuration-snippet: |
+          chunked_transfer_encoding off;
+      hosts:
+        - host: &api-host s3.dex136.xyz
+          paths:
+            - path: /
+              service:
+                identifier: app
+                port: api
+      tls:
+        - hosts: [*api-host]
+          secretName: s3-tls-certificate
+  persistence:
+    data:
+      existingClaim: minio
+      globalMounts:
+       - path: /data