Spin up minio for object storage

env.yaml.bash

@@ -21,4 +21,8 @@ metallb:
 registry:
   password: "${registry_password}"
   htpasswd: "$(htpasswd -nbB admin "${registry_password}")"
+
+minio:
+  accessKey: "$(head -c16 /dev/urandom | xxd -p)"
+  secretKey: "$(head -c16 /dev/urandom | xxd -p)"
 EOF

k8s/namespaces.yaml

@@ -15,3 +15,9 @@ kind: Namespace
 apiVersion: v1
 metadata:
   name: riju
+
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: riju-user

k8s/riju-docker-registry.yaml

@@ -31,6 +31,27 @@ spec:
       containers:
         - name: registry
           image: "registry:2"
+          resources: {}
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 5000
+              scheme: HTTP
+            failureThreshold: 1
+            initialDelaySeconds: 2
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 2
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 5000
+              scheme: HTTP
+            failureThreshold: 3
+            initialDelaySeconds: 2
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 2
           env:
             - name: REGISTRY_AUTH
               value: htpasswd

k8s/riju-minio-rbac.yaml

@@ -0,0 +1,36 @@
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  namespace: riju
+  name: minio
+
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: riju
+  name: minio
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - minio-keys
+    verbs:
+      - get
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: riju
+  name: minio
+roleRef:
+  kind: Role
+  apiGroup: rbac.authorization.k8s.io
+  name: minio
+subjects:
+  - kind: ServiceAccount
+    name: minio

k8s/riju-minio.yaml

@@ -0,0 +1,102 @@
+---
+kind: StatefulSet
+apiVersion: apps/v1
+metadata:
+  namespace: riju
+  name: minio
+spec:
+  replicas: 1
+  serviceName: minio
+  selector:
+    matchLabels:
+      app: minio
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes: [ReadWriteOnce]
+        resources:
+          requests:
+            storage: 16Gi
+        storageClassName: openebs-hostpath
+  template:
+    metadata:
+      labels:
+        app: minio
+    spec:
+      serviceAccountName: minio
+      containers:
+        - name: minio
+          image: "minio/minio:RELEASE.2022-12-12T19-27-27Z"
+          resources: {}
+          readinessProbe:
+            httpGet:
+              path: /minio/health/live
+              port: 9000
+              scheme: HTTP
+            failureThreshold: 1
+            initialDelaySeconds: 2
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 2
+          livenessProbe:
+            httpGet:
+              path: /minio/health/live
+              port: 9000
+              scheme: HTTP
+            failureThreshold: 3
+            initialDelaySeconds: 2
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 2
+          args:
+            - "server"
+            - "/data"
+          env:
+            - name: MINIO_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: minio-keys
+                  key: access-key
+            - name: MINIO_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: minio-keys
+                  key: secret-key
+          ports:
+            - name: api
+              containerPort: 9000
+          volumeMounts:
+            - name: data
+              mountPath: /data
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  namespace: riju
+  name: minio
+spec:
+  selector:
+    app: minio
+  ports:
+    - name: api
+      port: 80
+      targetPort: 9000
+
+---
+kind: IngressRoute
+apiVersion: traefik.containo.us/v1alpha1
+metadata:
+  namespace: riju
+  name: minio
+spec:
+  entryPoints:
+    - minio
+  routes:
+    - kind: Rule
+      match: "PathPrefix(`/`)"
+      services:
+        - namespace: riju
+          name: minio
+          port: 80

k8s/secrets.in.yaml

@@ -34,3 +34,32 @@ stringData:
         }
       }
     }
+
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  namespace: riju-user
+  name: registry-user-login
+type: kubernetes.io/dockerconfigjson
+stringData:
+  .dockerconfigjson: |
+    {
+      "auths": {
+        "localhost:30999": {
+          "username": "admin",
+          "password": "{{ .registry.password }}",
+          "auth": "{{ .registry.password | printf "admin:%s" | b64enc }}"
+        }
+      }
+    }
+
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  namespace: riju
+  name: minio-keys
+stringData:
+  access-key: "{{ .minio.accessKey }}"
+  secret-key: "{{ .minio.secretKey }}"

k8s/traefik-config.in.yaml

@@ -27,6 +27,13 @@ data:
             certResolver: riju
             domains:
               - main: k8s.riju.codes
+      minio:
+        address: ":32000"
+        http:
+          tls:
+            certResolver: riju
+            domains:
+              - main: k8s.riju.codes
     ping:
       entryPoint: "healthcheck"
     metrics:

k8s/traefik.yaml

@@ -132,6 +132,8 @@ spec:
       targetPort: 8443
     - port: 31000
       name: docker
+    - port: 32000
+      name: minio
 
 ---
 kind: IngressClass