diff --git a/env.yaml.bash b/env.yaml.bash index 9bdd552..ac1a23e 100755 --- a/env.yaml.bash +++ b/env.yaml.bash @@ -21,4 +21,8 @@ metallb: registry: password: "${registry_password}" htpasswd: "$(htpasswd -nbB admin "${registry_password}")" + +minio: + accessKey: "$(head -c16 /dev/urandom | xxd -p)" + secretKey: "$(head -c16 /dev/urandom | xxd -p)" EOF diff --git a/k8s/namespaces.yaml b/k8s/namespaces.yaml index cc5f09d..86e4829 100644 --- a/k8s/namespaces.yaml +++ b/k8s/namespaces.yaml @@ -15,3 +15,9 @@ kind: Namespace apiVersion: v1 metadata: name: riju + +--- +kind: Namespace +apiVersion: v1 +metadata: + name: riju-user diff --git a/k8s/riju-docker-registry.yaml b/k8s/riju-docker-registry.yaml index 4e3df08..4eb007d 100644 --- a/k8s/riju-docker-registry.yaml +++ b/k8s/riju-docker-registry.yaml @@ -31,6 +31,27 @@ spec: containers: - name: registry image: "registry:2" + resources: {} + readinessProbe: + httpGet: + path: / + port: 5000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: / + port: 5000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 env: - name: REGISTRY_AUTH value: htpasswd diff --git a/k8s/riju-minio-rbac.yaml b/k8s/riju-minio-rbac.yaml new file mode 100644 index 0000000..a19d215 --- /dev/null +++ b/k8s/riju-minio-rbac.yaml @@ -0,0 +1,36 @@ +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + namespace: riju + name: minio + +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: riju + name: minio +rules: + - apiGroups: + - "" + resources: + - secrets + resourceNames: + - minio-keys + verbs: + - get + +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: riju + name: minio +roleRef: + kind: Role + apiGroup: rbac.authorization.k8s.io + name: minio +subjects: + - kind: ServiceAccount + name: minio 
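Review bot: The `accessKey` and `secretKey` lines under `minio:` run `head -c16 /dev/urandom | xxd -p` inside the heredoc, so every evaluation of this script emits a different key pair, whereas `registry.password` comes from the `${registry_password}` variable. If the file is re-rendered after MinIO has been deployed (whether that happens is not visible here), the rendered Secret, the running pod and any client holding the old keys will disagree. Drawing each value once into a shell variable before the heredoc, the way `registry_password` appears to be handled, would make rotation a deliberate step. The heredoc opens above the hunk, so where its output is written and with what file mode cannot be checked from here.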
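Review bot: The new `riju-user` Namespace is created without labels, so nothing in this manifest sets a Pod Security Admission level for it. If the namespace is meant to hold user-facing workloads, as its name suggests, a `labels:` entry under `metadata:` such as `pod-security.kubernetes.io/enforce: restricted` would keep privileged or host-namespace pods out of it, with `baseline` as the fallback if the workloads cannot meet `restricted`. A default-deny NetworkPolicy and a ResourceQuota for the namespace are not part of this commit and would belong alongside it.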
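Review bot: `resources: {}` on the `registry` container declares no requests or limits, so if it is the pod's only container the pod runs as BestEffort and is among the first evicted under node memory pressure; the `minio` container in k8s/riju-minio.yaml carries the same line. Even modest values, for example `resources: {requests: {cpu: 50m, memory: 64Mi}}` (numbers illustrative), give the scheduler something to reserve. The readiness probe's `failureThreshold: 1` with `timeoutSeconds: 2` also takes the pod out of service after one slow response, which may be stricter than intended. The `containers` list begins above the hunk and continues below it.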
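Review bot: The `minio` Role grants `get` on the `minio-keys` Secret, but the StatefulSet in k8s/riju-minio.yaml takes those keys through `secretKeyRef` environment variables, which the kubelet resolves without using the pod's ServiceAccount. Unless some process in the pod reads the Secret through the API (nothing on this page shows one), the Role and RoleBinding give the workload a permission it does not need, and a token carrying it is mounted into the container by default. Dropping the Role and RoleBinding and adding `automountServiceAccountToken: false` to the ServiceAccount would leave a compromised MinIO process with no API credential at all.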
diff --git a/k8s/riju-minio.yaml b/k8s/riju-minio.yaml
new file mode 100644
index 0000000..739a184
--- /dev/null
+++ b/k8s/riju-minio.yaml
@@ -0,0 +1,102 @@
+---
+kind: StatefulSet
+apiVersion: apps/v1
+metadata:
+ namespace: riju
+ name: minio
+spec:
+ replicas: 1
+ serviceName: minio
+ selector:
+ matchLabels:
+ app: minio
+ volumeClaimTemplates:
+ - metadata:
+ name: data
+ spec:
+ accessModes: [ReadWriteOnce]
+ resources:
+ requests:
+ storage: 16Gi
+ storageClassName: openebs-hostpath
+ template:
+ metadata:
+ labels:
+ app: minio
+ spec:
+ serviceAccountName: minio
+ containers:
+ - name: minio
+ image: "minio/minio:RELEASE.2022-12-12T19-27-27Z"
+ resources: {}
+ readinessProbe:
+ httpGet:
+ path: /minio/health/live
+ port: 9000
+ scheme: HTTP
+ failureThreshold: 1
+ initialDelaySeconds: 2
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 2
+ livenessProbe:
+ httpGet:
+ path: /minio/health/live
+ port: 9000
+ scheme: HTTP
+ failureThreshold: 3
+ initialDelaySeconds: 2
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 2
+ args:
+ - "server"
+ - "/data"
+ env:
+ - name: MINIO_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: minio-keys
+ key: access-key
+ - name: MINIO_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: minio-keys
+ key: secret-key
+ ports:
+ - name: api
+ containerPort: 9000
+ volumeMounts:
+ - name: data
+ mountPath: /data
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+ namespace: riju
+ name: minio
+spec:
+ selector:
+ app: minio
+ ports:
+ - name: api
+ port: 80
+ targetPort: 9000
+
+---
+kind: IngressRoute
+apiVersion: traefik.containo.us/v1alpha1
+metadata:
+ namespace: riju
+ name: minio
+spec:
+ entryPoints:
+ - minio
+ routes:
+ - kind: Rule
+ match: "PathPrefix(`/`)"
+ services:
+ - namespace: riju
+ name: minio
+ port: 80
diff --git a/k8s/secrets.in.yaml b/k8s/secrets.in.yaml
index 65118e8..44fe7db 100644
--- a/k8s/secrets.in.yaml
+++ b/k8s/secrets.in.yaml
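Review bot: The `env` block passes the container `MINIO_ACCESS_KEY` and `MINIO_SECRET_KEY`, the legacy names for MinIO's root credentials, so the one key pair generated in env.yaml.bash is both the administrator login and, as far as this commit shows, the only credential any client can use. MinIO has deprecated those names in favour of `MINIO_ROOT_USER` and `MINIO_ROOT_PASSWORD`; renaming the two `name:` entries keeps the manifest working once the old names are removed. Since the IngressRoute forwards every path on the `minio` entry point, it would be safer to reserve the root pair for administration and provision a separate, policy-scoped access key for whatever reads and writes objects. The container also sets no `securityContext`; `runAsNonRoot: true` and `allowPrivilegeEscalation: false` are worth adding if the image and the hostpath volume allow it.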
@@ -34,3 +34,32 @@ stringData: } } } + +--- +kind: Secret +apiVersion: v1 +metadata: + namespace: riju-user + name: registry-user-login +type: kubernetes.io/dockerconfigjson +stringData: + .dockerconfigjson: | + { + "auths": { + "localhost:30999": { + "username": "admin", + "password": "{{ .registry.password }}", + "auth": "{{ .registry.password | printf "admin:%s" | b64enc }}" + } + } + } + +--- +kind: Secret +apiVersion: v1 +metadata: + namespace: riju + name: minio-keys +stringData: + access-key: "{{ .minio.accessKey }}" + secret-key: "{{ .minio.secretKey }}" diff --git a/k8s/traefik-config.in.yaml b/k8s/traefik-config.in.yaml index 540346f..041bc8c 100644 --- a/k8s/traefik-config.in.yaml +++ b/k8s/traefik-config.in.yaml @@ -27,6 +27,13 @@ data: certResolver: riju domains: - main: k8s.riju.codes + minio: + address: ":32000" + http: + tls: + certResolver: riju + domains: + - main: k8s.riju.codes ping: entryPoint: "healthcheck" metrics: diff --git a/k8s/traefik.yaml b/k8s/traefik.yaml index d47954c..03bf0bd 100644 --- a/k8s/traefik.yaml +++ b/k8s/traefik.yaml @@ -132,6 +132,8 @@ spec: targetPort: 8443 - port: 31000 name: docker + - port: 32000 + name: minio --- kind: IngressClass
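Review bot: The `registry-user-login` Secret copies the registry's `admin` username and password into the `riju-user` namespace, so anything able to read Secrets there holds the same credential the `riju` namespace uses. With the registry's htpasswd authentication every valid login can, to my knowledge, push as well as pull, so a leak from `riju-user` would allow stored images to be replaced. A second htpasswd entry used only for this namespace would at least let the two logins be rotated and audited separately; making it pull-only needs an authorizing layer in front of the registry. The hunk begins inside an earlier Secret, so only the two new documents are covered here.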
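Review bot: The new `minio` entry point listens on `:32000` with the same `certResolver` and domain as the existing entry, and the IngressRoute in k8s/riju-minio.yaml routes every path on it to MinIO, so the S3 API and its admin endpoints are reachable from wherever that port is reachable. TLS is configured, but this commit adds no source restriction; if only known hosts need object storage, attaching an IP allow-list middleware to the route or narrowing its `match` rule would reduce the exposure. The Service port `32000` added in k8s/traefik.yaml is the other half of the same change. The entry-point mapping begins above the hunk.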