Spin up minio for object storage

2022-12-21 17:06:52 -07:00 · 2022-12-21 17:06:52 -07:00 · 7ea0e4f017
parent 65a3f43ec6
commit 7ea0e4f017
8 changed files with 207 additions and 0 deletions
--- a/env.yaml.bash
+++ b/env.yaml.bash
@ -21,4 +21,8 @@ metallb:
 registry:
  password: "${registry_password}"
  htpasswd: "$(htpasswd -nbB admin "${registry_password}")"
+
+minio:
+  accessKey: "$(head -c16 /dev/urandom | xxd -p)"
+  secretKey: "$(head -c16 /dev/urandom | xxd -p)"
 EOF
--- a/k8s/namespaces.yaml
+++ b/k8s/namespaces.yaml
@ -15,3 +15,9 @@ kind: Namespace
 apiVersion: v1
 metadata:
  name: riju
+
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: riju-user
--- a/k8s/riju-docker-registry.yaml
+++ b/k8s/riju-docker-registry.yaml
@ -31,6 +31,27 @@ spec:
      containers:
        - name: registry
          image: "registry:2"
+          resources: {}
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 5000
+              scheme: HTTP
+            failureThreshold: 1
+            initialDelaySeconds: 2
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 2
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 5000
+              scheme: HTTP
+            failureThreshold: 3
+            initialDelaySeconds: 2
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 2
          env:
            - name: REGISTRY_AUTH
              value: htpasswd
--- a/k8s/riju-minio-rbac.yaml
+++ b/k8s/riju-minio-rbac.yaml
@ -0,0 +1,36 @@
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  namespace: riju
+  name: minio
+
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: riju
+  name: minio
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - minio-keys
+    verbs:
+      - get
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: riju
+  name: minio
+roleRef:
+  kind: Role
+  apiGroup: rbac.authorization.k8s.io
+  name: minio
+subjects:
+  - kind: ServiceAccount
+    name: minio
--- a/k8s/riju-minio.yaml
+++ b/k8s/riju-minio.yaml
@ -0,0 +1,102 @@
+---
+kind: StatefulSet
+apiVersion: apps/v1
+metadata:
+  namespace: riju
+  name: minio
+spec:
+  replicas: 1
+  serviceName: minio
+  selector:
+    matchLabels:
+      app: minio
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes: [ReadWriteOnce]
+        resources:
+          requests:
+            storage: 16Gi
+        storageClassName: openebs-hostpath
+  template:
+    metadata:
+      labels:
+        app: minio
+    spec:
+      serviceAccountName: minio
+      containers:
+        - name: minio
+          image: "minio/minio:RELEASE.2022-12-12T19-27-27Z"
+          resources: {}
+          readinessProbe:
+            httpGet:
+              path: /minio/health/live
+              port: 9000
+              scheme: HTTP
+            failureThreshold: 1
+            initialDelaySeconds: 2
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 2
+          livenessProbe:
+            httpGet:
+              path: /minio/health/live
+              port: 9000
+              scheme: HTTP
+            failureThreshold: 3
+            initialDelaySeconds: 2
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 2
+          args:
+            - "server"
+            - "/data"
+          env:
+            - name: MINIO_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: minio-keys
+                  key: access-key
+            - name: MINIO_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: minio-keys
+                  key: secret-key
+          ports:
+            - name: api
+              containerPort: 9000
+          volumeMounts:
+            - name: data
+              mountPath: /data
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  namespace: riju
+  name: minio
+spec:
+  selector:
+    app: minio
+  ports:
+    - name: api
+      port: 80
+      targetPort: 9000
+
+---
+kind: IngressRoute
+apiVersion: traefik.containo.us/v1alpha1
+metadata:
+  namespace: riju
+  name: minio
+spec:
+  entryPoints:
+    - minio
+  routes:
+    - kind: Rule
+      match: "PathPrefix(`/`)"
+      services:
+        - namespace: riju
+          name: minio
+          port: 80
--- a/k8s/secrets.in.yaml
+++ b/k8s/secrets.in.yaml
@ -34,3 +34,32 @@ stringData:
        }
      }
    }
+
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  namespace: riju-user
+  name: registry-user-login
+type: kubernetes.io/dockerconfigjson
+stringData:
+  .dockerconfigjson: |
+    {
+      "auths": {
+        "localhost:30999": {
+          "username": "admin",
+          "password": "{{ .registry.password }}",
+          "auth": "{{ .registry.password | printf "admin:%s" | b64enc }}"
+        }
+      }
+    }
+
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  namespace: riju
+  name: minio-keys
+stringData:
+  access-key: "{{ .minio.accessKey }}"
+  secret-key: "{{ .minio.secretKey }}"
--- a/k8s/traefik-config.in.yaml
+++ b/k8s/traefik-config.in.yaml
@ -27,6 +27,13 @@ data:
            certResolver: riju
            domains:
              - main: k8s.riju.codes
+      minio:
+        address: ":32000"
+        http:
+          tls:
+            certResolver: riju
+            domains:
+              - main: k8s.riju.codes
    ping:
      entryPoint: "healthcheck"
    metrics:
--- a/k8s/traefik.yaml
+++ b/k8s/traefik.yaml
@ -132,6 +132,8 @@ spec:
      targetPort: 8443
    - port: 31000
      name: docker
+    - port: 32000
+      name: minio

 ---
 kind: IngressClass