diff --git a/kube/clusters/biohazard/flux/kustomization.yaml b/kube/clusters/biohazard/flux/kustomization.yaml
index f6855781..987b8240 100644
--- a/kube/clusters/biohazard/flux/kustomization.yaml
+++ b/kube/clusters/biohazard/flux/kustomization.yaml
@@ -21,6 +21,7 @@ resources:
 - ../../../deploy/core/secrets/external-secrets/
 - ../../../deploy/core/secrets/reflector/
 - ../../../deploy/core/storage/fstrim/
+ - ../../../deploy/core/storage/minio-nas/
 - ../../../deploy/core/storage/_external-snapshotter/
 - ../../../deploy/core/storage/_csi-addons/
 - ../../../deploy/core/storage/rook-ceph/
diff --git a/kube/deploy/core/storage/minio-nas/app/es.yaml b/kube/deploy/core/storage/minio-nas/app/es.yaml
new file mode 100644
index 00000000..f0e2b606
--- /dev/null
+++ b/kube/deploy/core/storage/minio-nas/app/es.yaml
@@ -0,0 +1,25 @@
+---
+# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: &name minio-nas-secrets
+ namespace: minio-nas
+spec:
+ refreshInterval: 1m
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: 1p
+ dataFrom:
+ - extract:
+ key: "MinIO NAS - ${CLUSTER_NAME}"
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ name: *name
+ template:
+ engineVersion: v2
+ mergePolicy: Merge
+ data:
+ MINIO_ROOT_USER: "{{ .username }}"
+ MINIO_ROOT_PASSWORD: "{{ .password }}"
diff --git a/kube/deploy/core/storage/minio-nas/app/hr.yaml b/kube/deploy/core/storage/minio-nas/app/hr.yaml
new file mode 100644
index 00000000..34be2814
--- /dev/null
+++ b/kube/deploy/core/storage/minio-nas/app/hr.yaml
@@ -0,0 +1,155 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: &app minio-nas
+ namespace: *app
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: app-template
+ version: "2.6.0"
+ sourceRef:
+ name: bjw-s
+ kind: HelmRepository
+ namespace: flux-system
+ values:
+ controllers:
+ main:
+ type: deployment
+ replicas: 1
+ pod:
+ labels:
+ ingress.home.arpa/nginx-internal: "allow"
+ db.home.arpa/pg: "pg-default"
+ containers:
+ main:
+ image: &img
+ repository: quay.io/minio/minio
+ tag: RELEASE.2024-04-06T05-26-02Z
+ command: ["minio", "server"]
+ args: ["--console-address", ":9001", "--certs-dir", "/tls"]
+ env:
+ TZ: "${CONFIG_TZ}"
+ MINIO_VOLUMES: "/data"
+ MINIO_DOMAIN: &s3 "${APP_DNS_MINIO_NAS_S3}"
+ MINIO_COMPRESSION_ENABLE: "on"
+ MINIO_BROWSER_LOGIN_ANIMATION: "off"
+ MINIO_BROWSER_REDIRECT: "true"
+ MINIO_BROWSER_REDIRECT_URL: "https://${APP_DNS_MINIO_NAS}"
+ MINIO_SERVER_URL: "https://${APP_DNS_MINIO_NAS_S3}"
+ envFrom:
+ - secretRef:
+ name: "minio-nas-secrets"
+ securityContext: &sc
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ resources:
+ requests:
+ cpu: "10m"
+ memory: "128Mi"
+ limits:
+ cpu: "3000m"
+ memory: "6Gi"
+ #initContainers:
+ # 01-init-minio-nas-admin-password:
+ # command:
+ # - /bin/sh
+ # - -c
+ # - "[ -s /data/minio-nas.db ] || /sbin/minio-nasd recover_account -c /data/server.toml admin"
+ # image: *img
+ # imagePullPolicy: IfNotPresent
+ # envFrom: [secretRef: { name: "minio-nas-pg-superuser" }]
+ service:
+ main:
+ ports:
+ http:
+ port: 9001
+ ssh:
+ enabled: true
+ primary: false
+ controller: main
+ type: LoadBalancer
+ externalTrafficPolicy: Cluster
+ annotations:
+ coredns.io/hostname: "${APP_DNS_MINIO_NAS_S3}"
+ "io.cilium/lb-ipam-ips": "${APP_IP_MINIO_NAS_S3}"
+ ports:
+ http:
+ enabled: true
+ port: 443
+ targetPort: 9000
+ protocol: HTTPS
+ ingress:
+ main:
+ enabled: true
+ primary: true
+ className: "nginx-internal"
+ hosts:
+ - host: &host "${APP_DNS_MINIO_NAS}"
+ paths: &paths
+ - path: /
+ pathType: Prefix
+ service:
+ name: main
+ port: http
+ tls:
+ - hosts: [*host]
+ persistence:
+ config:
+ enabled: false
+ data:
+ enabled: true
+ #existingClaim: "minio-nas-data"
+ type: "custom"
+ volumeSpec:
+ iscsi:
+ targetPortal: "${IP_TRUENAS}:3260"
+ iqn: "${CONFIG_TRUENAS_IQN}:minio"
+ lun: "0"
+ initiatorName: "{{ .Release.Name }}"
+ fsType: "xfs" # MinIO recommendation
+ globalMounts:
+ - subPath: "data"
+ path: "/data"
+ tls:
+ enabled: true
+ type: secret
+ name: "long-domain-tls"
+ defaultMode: 0400
+ advancedMounts:
+ main:
+ main:
+ - subPath: "tls.crt"
+ path: "/tls/public.crt"
+ readOnly: true
+ - subPath: "tls.key"
+ path: "/tls/private.key"
+ readOnly: true
+ defaultPodOptions:
+ automountServiceAccountToken: false
+ enableServiceLinks: false
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: &uid ${APP_UID_MINIO_NAS}
+ runAsGroup: *uid
+ fsGroup: *uid
+ fsGroupChangePolicy: "Always"
+ seccompProfile: { type: "RuntimeDefault" }
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: "kubernetes.io/hostname"
+ whenUnsatisfiable: "DoNotSchedule"
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: *app
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "fuckoff.home.arpa/minio-nas"
+ operator: "DoesNotExist"
diff --git a/kube/deploy/core/storage/minio-nas/app/pvc.yaml b/kube/deploy/core/storage/minio-nas/app/pvc.yaml
new file mode 100644
index 00000000..368b077a
--- /dev/null
+++ b/kube/deploy/core/storage/minio-nas/app/pvc.yaml
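Review bot: The LoadBalancer under `service.ssh` fronts the S3 API (port 443 to targetPort 9000, `protocol: HTTPS`), so the key name is misleading; renaming it to `s3` would also give a use to the `&s3` anchor on `MINIO_DOMAIN`, which is otherwise unused, as are `&sc` and `&paths`. With `externalTrafficPolicy: Cluster` the client source address is replaced by a node address before it reaches MinIO, so its access logs and any audit target cannot attribute S3 calls to a caller; `externalTrafficPolicy: Local` keeps the source IP, and with `replicas: 1` there is no spread to lose. The pod label `db.home.arpa/pg: "pg-default"` is set although nothing in these values talks to a database; if, as the name suggests, it selects a network policy admitting Postgres traffic, the MinIO pod gains reach it does not need, and it looks like a leftover from the manifest this was copied from, as does the commented initContainer calling `/sbin/minio-nasd recover_account`, which is not part of the MinIO image. `runAsUser: &uid ${APP_UID_MINIO_NAS}` is an unquoted substitution, so an unset or non-numeric variable turns three security-context fields into null or a string rather than failing clearly; it is fine as long as the variable is guaranteed in every cluster's postBuild substitutions.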
@@ -0,0 +1,41 @@
+#---
+#apiVersion: v1
+#kind: PersistentVolume
+#metadata:
+# name: minio-nas-media
+#spec:
+# storageClassName: minio-nas-media
+# capacity:
+# storage: 100Gi
+# accessModes:
+# - ReadWriteOnce
+# persistentVolumeReclaimPolicy: Retain
+# nfs:
+# server: "${IP_TRUENAS}"
+# path: "${PATH_NAS_PERSIST_K8S}/gotosocial-media"
+# mountOptions:
+# - nfsvers=4.2
+# - tcp
+# - intr
+# - soft
+# - noatime
+# - nodiratime
+# - nocto
+# - nconnect=8
+# - rsize=131072
+# - wsize=131072
+# - local_lock=posix
+#---
+#apiVersion: v1
+#kind: PersistentVolumeClaim
+#metadata:
+# name: &n minio-nas-media
+# namespace: minio-nas
+#spec:
+# accessModes:
+# - ReadWriteMany
+# storageClassName: *n
+# volumeName: *n
+# resources:
+# requests:
+# storage: 100Gi
diff --git a/kube/deploy/core/storage/minio-nas/ks.yaml b/kube/deploy/core/storage/minio-nas/ks.yaml
new file mode 100644
index 00000000..4f092190
--- /dev/null
+++ b/kube/deploy/core/storage/minio-nas/ks.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: 1-core-storage-minio-nas-app
+ namespace: flux-system
+ labels: &l
+ app.kubernetes.io/name: "minio-nas"
+spec:
+ commonMetadata:
+ labels: *l
+ path: ./kube/deploy/core/storage/minio-nas/app
+ targetNamespace: "minio-nas"
+ dependsOn: []
\ No newline at end of file
diff --git a/kube/deploy/core/storage/minio-nas/kustomization.yaml b/kube/deploy/core/storage/minio-nas/kustomization.yaml
new file mode 100644
index 00000000..5eeb2657
--- /dev/null
+++ b/kube/deploy/core/storage/minio-nas/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ns.yaml
+ - ks.yaml
diff --git a/kube/deploy/core/storage/minio-nas/ns.yaml b/kube/deploy/core/storage/minio-nas/ns.yaml
new file mode 100644
index 00000000..77835990
--- /dev/null
+++ b/kube/deploy/core/storage/minio-nas/ns.yaml
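Review bot: pvc.yaml is added with every line commented out, and the NFS `path` it describes is `${PATH_NAS_PERSIST_K8S}/gotosocial-media`, so the file documents a different application rather than this one; the HelmRelease already mounts its data through an inline iSCSI `volumeSpec`, and the `app/` kustomization that would reference this file is not in the diff, so it is unclear the file is used at all. Either drop it or make it a real PV/PVC for MinIO, and if kept, note that the PersistentVolume's `ReadWriteOnce` and the claim's `ReadWriteMany` access modes do not match, so the claim would never bind. In ks.yaml, `dependsOn: []` gives no ordering against the Kustomization that presumably installs the ExternalSecret CRD and the `1p` ClusterSecretStore that es.yaml needs; a `dependsOn` entry naming it would avoid the initial apply failure and retry loop, and the file is also missing its trailing newline.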
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: minio-nas
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
+ pod-security.kubernetes.io/enforce: &ps restricted
+ pod-security.kubernetes.io/audit: *ps
+ pod-security.kubernetes.io/warn: *ps