feat(minio): deploy minio configured with oidc

d3adb5 · d3adb5 · commit f7555ce4dfaf · 2025-09-04T04:38:28.000-07:00
Deploy MinIO already configured to use OIDC with Keycloak.
diff --git a/argo/app-of-apps/templates/minio/application.yaml b/argo/app-of-apps/templates/minio/application.yaml
@@ -0,0 +1,81 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: minio
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: minio
+
+  sources:
+    - repoURL: {{ .Values.repository.url }}
+      targetRevision: {{ .Values.repository.targetRevision }}
+      path: argo/minio
+
+    - repoURL: https://charts.min.io/
+      targetRevision: 5.4.0
+      chart: minio
+
+      helm:
+        valuesObject:
+          persistence:
+            enabled: true
+            storageClass: truenas-iscsi-hdd
+            size: 50Gi
+
+          resources:
+            requests:
+              memory: 4Gi
+              cpu: 500m
+            limits:
+              memory: 4Gi
+
+          users:
+            - accessKey: console
+              policy: consoleAdmin
+              existingSecret: minio-admin-credentials
+              existingSecretKey: password
+
+          oidc:
+            enabled: true
+            configUrl: https://id.d3adb5.ca/realms/core/.well-known/openid-configuration
+            existingClientSecretName: minio-oidc-secrets
+            existingClientIdKey: client-id
+            existingClientSecretKey: client-secret
+            scopes: openid,profile,email,groups
+            redirectUri: https://console.minio.d3adb5.ca/oauth_callback
+
+          ingress:
+            enabled: true
+            ingressClassName: nginx
+            annotations:
+              cert-manager.io/cluster-issuer: letsencrypt
+            hosts:
+              - minio.d3adb5.ca
+            tls:
+              - secretName: minio-tls
+                hosts:
+                  - minio.d3adb5.ca
+
+          consoleIngress:
+            enabled: true
+            ingressClassName: nginx
+            annotations:
+              cert-manager.io/cluster-issuer: letsencrypt
+            hosts:
+              - console.minio.d3adb5.ca
+            tls:
+              - secretName: minio-console-tls
+                hosts:
+                  - console.minio.d3adb5.ca
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: {{ .Values.minio.namespace }}
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/argo/app-of-apps/templates/projects/minio.yaml b/argo/app-of-apps/templates/projects/minio.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: minio
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  description: MinIO object storage
+
+  sourceRepos:
+    - {{ .Values.repository.url }}
+    - https://charts.min.io/
+
+  destinations:
+    - namespace: {{ .Values.minio.namespace }}
+      server: https://kubernetes.default.svc
+
+  clusterResourceWhitelist:
+    - group: ''
+      kind: Namespace
diff --git a/argo/app-of-apps/values.yaml b/argo/app-of-apps/values.yaml
@@ -6,6 +6,9 @@ repository:
 argocd:
   namespace: argocd
 
+minio:
+  namespace: minio
+
 operators:
   olmNamespace: operator-lifecycle-manager
   namespace: operators
diff --git a/argo/minio/admin-credentials.yaml b/argo/minio/admin-credentials.yaml
@@ -0,0 +1,7 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: minio-admin-credentials
+spec:
+  encryptedData:
+    password: AgAVAAlNYPWPTVVZ7LV/iCEU7i5jvo14FydjpgBE1Y7NMBkoVEc3qxyDfiXOItoss+OAIDQsj7CN7uSDYJDH4+vFvaUrNeJBgHxelCTWUocV0m0yKYZJW+JnfDvEsKMk2ICiXTW/IQMPG/gXTq3ZH8iqt57CtAvMqYDLgl/tWOnKxNafKiSTwO9AwVjAd5Ah77SFvo5P6reOAFQU9HQZicmQmZ6T7loREcollgaUto8FbSgHtKGv7u4dCPJ4qKpl+gxSx57vuA67JDC36P7KIMbYPBHGAkb7TGPeQuCG0vpwpCthacQtq/XjVZPEh86eDwGQwu5LerOynQcLZ8gG5R0Xc2HmMHlTGYr//j0HwQ32jczAVqvGT5Of8/NvIPu0U0H8BqGyiAvEwwmxA+iY3WRafQl/9BSxiOspx+qrz5/LKeMsZCk09ftXy5xBCtQx3vFU3JZ9KMYR2eG3LY6HAYpcyxPIvyJDxS9fw5bGN2AUngdEHcH3YaUw2GzpyCbeu7iQ8s7FxnuM2xjxAlkkg6ioT3+vzwOzEhxN3vqCN+3xcQel9xmMKacYiz1Kw0XSgzxzlVifqGxubuYUxYb7SUP7M6yNneb47BkHb6tOTfCxr7J+mpsWF/tTWJxJguczKf5mYg7s+4LaleffM4NEFW4o/vXagYFeD6v7f5/iGsyj8oP4ImUfuxBT1tjIQU3anrnwjrPoBa6gNQ+YcuH+TzI8s2fhF7CT574Pc77fk1JDBTxQ4GU+MweA
diff --git a/argo/minio/oidc-secrets.yaml b/argo/minio/oidc-secrets.yaml
@@ -0,0 +1,8 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: minio-oidc-secrets
+spec:
+  encryptedData:
+    client-id: AgATqQu7EuIAw5hFTxrHQ0T0ozfzPkqdvTEuDCinbp+63b1tAUPZJBJELTQuQK8SmOtRVZFEHwVWJ0EF4ANjWRFeM2KOdEGey2pEf4H3Z706vnH+XG51e22Vw0xvt4XGn3mZ/RkQ6qgO6e067mUYw/n/f+bp5kmy9t546uPApSTRcOV9PazYyEagjCNbiW3WxMVCtd0xXrAMJmfuSnj3iDSHTN6XP2t7OaYVriu7dD9ipr+HUvxOuxubbc0GA87VdI2A5XBt0WtBE/XB7glPeinpVCPMLk41qRezBzazh03Xa7KxUKCym6f1BhdC1LYr85Td2cB8c9+pZ3nNBhTy8J6nMthmgESE8/7smYjwT1cRCWN9gikPTQunAEAQeErWGohYkRobK7BzWIxHmyTkXfvVFX+RHXYpegNx6Ns7OZDM2iwppnYZJL3R/SROFWPrgxW4V2tmkzVqnaThLc5oX6AwKbxDF6OspZ+bfxheTny9uH2Eb7sv7dqH0bhaESnDZCuMdgRgJjRXw/jbSVlB0HUhXGrWeXpzBymtzruC1XS3nH2ozpn6qMDqwAchtO48WAfGk8aEtwGtyautrUdQEiYczEsvd1+189pe7L7CwoMrOi0lT6vGqxtYH16/mCojE7z9SWPoknZ7fkrUFBFm0Ji8j0oCf7SZePvaXiEOwhQ1R12qBW6wO6oksfhjpVI9WUSPed7NoQ==
+    client-secret: AgAlFI9inG9BcBch6sLUy1LC03ZEl2frSv7drR3hGh1jsgoB2rVGOYAcu/0/bBp1fhRqH7rZLOhj4dj358LFpgQPhxMTXKjTL+NBL+NfYrafeIRdDQpKBgvAZLQOK+UrI2wFwYSWUooZcARVpz+ifp+aZj8mT/mhkbMsCpckv8SjQkkGUIK4kUfUpVLdwdmIQ86Ajl6bufbW1hX7KNj/WrdL0UxR9FEi7r2C7by0POSwedYWFRmMyXKzD//bITxnKNimoFmHkSnDUST8RAYadUhYK4YgK5mCG8aJJ0gE9750/4wLeFOW2OYYjCkW3CW10SVC0k4k5J0Ge3nXdKkAVXm3CLFv7yCsqa2R8NOgmrPWD5xa/m0sqdGk/aHW028qWeA/0jk7MvEVyocCVzn7dGRLMpY2w8zXn8WFFhiZ/+1QHqYpZvy1o2i+XwM4AP++85QBamooI4/lR4ycEpkiQhgBKOknuTnu06tOqym8v+IW/yYuG0gdHQvwFGcZ6CEW4ghSFrFqYNrZ33zgG+ZDYhUSReIRBCf8AtqNQSJhkdubvSBAFj2WOQ8k2v85OgOcACsetaLMy8PCQqH7H1xMjJiP5WjiL/F1rnVz3U3dyNOytzSmkcLGBiOuhuJ631pBZ0p3vcSmMzVnMEYlKegh40Q8Rtqa3hrqg94WB9US4kbXItH/gotOM4I7E0OF8hZWhswIpU5zjz8s8McwPd+8ilzymaUQwNBvXrkGGLZK2YQSzg==
