feat: add minio-nas

kube/clusters/biohazard/flux/kustomization.yaml

@@ -21,6 +21,7 @@ resources:
   - ../../../deploy/core/secrets/external-secrets/
   - ../../../deploy/core/secrets/reflector/
   - ../../../deploy/core/storage/fstrim/
+  - ../../../deploy/core/storage/minio-nas/
   - ../../../deploy/core/storage/_external-snapshotter/
   - ../../../deploy/core/storage/_csi-addons/
   - ../../../deploy/core/storage/rook-ceph/

kube/deploy/core/storage/minio-nas/app/es.yaml

@@ -0,0 +1,25 @@
+---
+# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: &name minio-nas-secrets
+  namespace: minio-nas
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: 1p
+  dataFrom:
+    - extract:
+        key: "MinIO NAS - ${CLUSTER_NAME}"
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: *name
+    template:
+      engineVersion: v2
+      mergePolicy: Merge
+      data:
+        MINIO_ROOT_USER: "{{ .username }}"
+        MINIO_ROOT_PASSWORD: "{{ .password }}"

kube/deploy/core/storage/minio-nas/app/hr.yaml

@@ -0,0 +1,155 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: &app minio-nas
+  namespace: *app
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: app-template
+      version: "2.6.0"
+      sourceRef:
+        name: bjw-s
+        kind: HelmRepository
+        namespace: flux-system
+  values:
+    controllers:
+      main:
+        type: deployment
+        replicas: 1
+        pod:
+          labels:
+            ingress.home.arpa/nginx-internal: "allow"
+            db.home.arpa/pg: "pg-default"
+        containers:
+          main:
+            image: &img
+              repository: quay.io/minio/minio
+              tag: RELEASE.2024-04-06T05-26-02Z
+            command: ["minio", "server"]
+            args: ["--console-address", ":9001", "--certs-dir", "/tls"]
+            env:
+              TZ: "${CONFIG_TZ}"
+              MINIO_VOLUMES: "/data"
+              MINIO_DOMAIN: &s3 "${APP_DNS_MINIO_NAS_S3}"
+              MINIO_COMPRESSION_ENABLE: "on"
+              MINIO_BROWSER_LOGIN_ANIMATION: "off"
+              MINIO_BROWSER_REDIRECT: "true"
+              MINIO_BROWSER_REDIRECT_URL: "https://${APP_DNS_MINIO_NAS}"
+              MINIO_SERVER_URL: "https://${APP_DNS_MINIO_NAS_S3}"
+            envFrom:
+              - secretRef:
+                  name: "minio-nas-secrets"
+            securityContext: &sc
+              readOnlyRootFilesystem: true
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop: ["ALL"]
+            resources:
+              requests:
+                cpu: "10m"
+                memory: "128Mi"
+              limits:
+                cpu: "3000m"
+                memory: "6Gi"
+        #initContainers:
+        #  01-init-minio-nas-admin-password:
+        #    command:
+        #      - /bin/sh
+        #      - -c
+        #      - "[ -s /data/minio-nas.db ] || /sbin/minio-nasd recover_account -c /data/server.toml admin"
+        #    image: *img
+        #    imagePullPolicy: IfNotPresent
+        #    envFrom: [secretRef: { name: "minio-nas-pg-superuser" }]
+    service:
+      main:
+        ports:
+          http:
+            port: 9001
+      ssh:
+        enabled: true
+        primary: false
+        controller: main
+        type: LoadBalancer
+        externalTrafficPolicy: Cluster
+        annotations:
+          coredns.io/hostname: "${APP_DNS_MINIO_NAS_S3}"
+          "io.cilium/lb-ipam-ips": "${APP_IP_MINIO_NAS_S3}"
+        ports:
+          http:
+            enabled: true
+            port: 443
+            targetPort: 9000
+            protocol: HTTPS
+    ingress:
+      main:
+        enabled: true
+        primary: true
+        className: "nginx-internal"
+        hosts:
+          - host: &host "${APP_DNS_MINIO_NAS}"
+            paths: &paths
+              - path: /
+                pathType: Prefix
+                service:
+                  name: main
+                  port: http
+        tls:
+          - hosts: [*host]
+    persistence:
+      config:
+        enabled: false
+      data:
+        enabled: true
+        #existingClaim: "minio-nas-data"
+        type: "custom"
+        volumeSpec:
+          iscsi:
+            targetPortal: "${IP_TRUENAS}:3260"
+            iqn: "${CONFIG_TRUENAS_IQN}:minio"
+            lun: "0"
+            initiatorName: "{{ .Release.Name }}"
+            fsType: "xfs" # MinIO recommendation
+        globalMounts:
+          - subPath: "data"
+            path: "/data"
+      tls:
+        enabled: true
+        type: secret
+        name: "long-domain-tls"
+        defaultMode: 0400
+        advancedMounts:
+          main:
+            main:
+              - subPath: "tls.crt"
+                path: "/tls/public.crt"
+                readOnly: true
+              - subPath: "tls.key"
+                path: "/tls/private.key"
+                readOnly: true
+    defaultPodOptions:
+      automountServiceAccountToken: false
+      enableServiceLinks: false
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: &uid ${APP_UID_MINIO_NAS}
+        runAsGroup: *uid
+        fsGroup: *uid
+        fsGroupChangePolicy: "Always"
+        seccompProfile: { type: "RuntimeDefault" }
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: "kubernetes.io/hostname"
+          whenUnsatisfiable: "DoNotSchedule"
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: *app
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: "fuckoff.home.arpa/minio-nas"
+                    operator: "DoesNotExist"

kube/deploy/core/storage/minio-nas/app/pvc.yaml

@@ -0,0 +1,41 @@
+#---
+#apiVersion: v1
+#kind: PersistentVolume
+#metadata:
+#  name: minio-nas-media
+#spec:
+#  storageClassName: minio-nas-media
+#  capacity:
+#    storage: 100Gi
+#  accessModes:
+#    - ReadWriteOnce
+#  persistentVolumeReclaimPolicy: Retain
+#  nfs:
+#    server: "${IP_TRUENAS}"
+#    path: "${PATH_NAS_PERSIST_K8S}/gotosocial-media"
+#  mountOptions:
+#    - nfsvers=4.2
+#    - tcp
+#    - intr
+#    - soft
+#    - noatime
+#    - nodiratime
+#    - nocto
+#    - nconnect=8
+#    - rsize=131072
+#    - wsize=131072
+#    - local_lock=posix
+#---
+#apiVersion: v1
+#kind: PersistentVolumeClaim
+#metadata:
+#  name: &n minio-nas-media
+#  namespace: minio-nas
+#spec:
+#  accessModes:
+#    - ReadWriteMany
+#  storageClassName: *n
+#  volumeName: *n
+#  resources:
+#    requests:
+#      storage: 100Gi

kube/deploy/core/storage/minio-nas/ks.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: 1-core-storage-minio-nas-app
+  namespace: flux-system
+  labels: &l
+    app.kubernetes.io/name: "minio-nas"
+spec:
+  commonMetadata:
+    labels: *l
+  path: ./kube/deploy/core/storage/minio-nas/app
+  targetNamespace: "minio-nas"
+  dependsOn: []

kube/deploy/core/storage/minio-nas/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ns.yaml
+  - ks.yaml

kube/deploy/core/storage/minio-nas/ns.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: minio-nas
+  labels:
+    kustomize.toolkit.fluxcd.io/prune: disabled
+    pod-security.kubernetes.io/enforce: &ps restricted
+    pod-security.kubernetes.io/audit: *ps
+    pod-security.kubernetes.io/warn: *ps