A DevOps Stack module to deploy MinIO.
The MinIO chart used by this module is shipped in this repository as well, in order to avoid any unwanted behaviors caused by unsupported versions.
Current Chart Version | Original Repository | Default Values |
---|---|---|
5.0.13 |
This module can be declared by adding the following block to your Terraform configuration:
module "minio" {
  source = "git::https://github.com/camptocamp/devops-stack-module-minio.git?ref=<RELEASE>"

  cluster_name     = local.cluster_name
  base_domain      = local.base_domain
  cluster_issuer   = local.cluster_issuer
  argocd_namespace = module.argocd_bootstrap.argocd_namespace

  enable_service_monitor = false # Needs to be false for the first deployment

  config_minio = local.minio_config
  oidc         = module.oidc.oidc

  dependency_ids = {
    argocd = module.argocd_bootstrap.id
  }
}
The config_minio variable is where you create the necessary policies, users and buckets. In this example, we defined them inside a Terraform local variable:
resource "random_password" "loki_secretkey" {
  length  = 32
  special = false
}

resource "random_password" "thanos_secretkey" {
  length  = 32
  special = false
}

locals {
  minio_config = {
    policies = [
      {
        name = "loki-policy"
        statements = [
          {
            resources = ["arn:aws:s3:::loki-bucket"]
            actions   = ["s3:CreateBucket", "s3:DeleteBucket", "s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads"]
          },
          {
            resources = ["arn:aws:s3:::loki-bucket/*"]
            actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
          }
        ]
      },
      {
        name = "thanos-policy"
        statements = [
          {
            resources = ["arn:aws:s3:::thanos-bucket"]
            actions   = ["s3:CreateBucket", "s3:DeleteBucket", "s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads"]
          },
          {
            resources = ["arn:aws:s3:::thanos-bucket/*"]
            actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
          }
        ]
      }
    ],
    users = [
      {
        accessKey = "loki-user"
        secretKey = random_password.loki_secretkey.result
        policy    = "loki-policy"
      },
      {
        accessKey = "thanos-user"
        secretKey = random_password.thanos_secretkey.result
        policy    = "thanos-policy"
      }
    ],
    buckets = [
      {
        name = "loki-bucket"
      },
      {
        name = "thanos-bucket"
      }
    ]
  }
}
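Because users, policies and buckets in config_minio are linked only by name, a typo or an over-broad statement is easy to miss. The following is an added example, not part of the module: it assumes the local.minio_config value defined above and Terraform 1.5 or later, and the local and check names are hypothetical.

```hcl
# Added example, not part of the module; local and check names are hypothetical. Needs Terraform >= 1.5.
locals {
  minio_declared_policies = toset([for p in local.minio_config.policies : p.name])
  minio_declared_buckets  = toset([for b in local.minio_config.buckets : b.name])

  # "arn:aws:s3:::loki-bucket/*" -> "loki-bucket"; a bare "*" resource stays "*".
  minio_referenced_buckets = toset(flatten([
    for p in local.minio_config.policies : [
      for s in p.statements : [
        for r in s.resources : split("/", trimprefix(r, "arn:aws:s3:::"))[0]
      ]
    ]
  ]))

  minio_granted_actions = toset(flatten([
    for p in local.minio_config.policies : [for s in p.statements : s.actions]
  ]))
}

check "minio_users_use_declared_policies" {
  assert {
    condition = alltrue([
      for u in local.minio_config.users : contains(local.minio_declared_policies, u.policy)
    ])
    error_message = "A user in minio_config.users references a policy missing from minio_config.policies."
  }
}

check "minio_policies_target_declared_buckets" {
  assert {
    condition     = length(setsubtract(local.minio_referenced_buckets, local.minio_declared_buckets)) == 0
    error_message = "A policy statement targets a bucket that is not in minio_config.buckets (wildcard resources included)."
  }
}

check "minio_policies_avoid_wildcard_actions" {
  assert {
    condition     = alltrue([for a in local.minio_granted_actions : !endswith(a, "*")])
    error_message = "A policy grants a wildcard action such as s3:*; list the needed actions explicitly."
  }
}

check "minio_buckets_keep_default_bucket_policy" {
  assert {
    # The bucket-level `policy` attribute defaults to "none" in the module's variable type.
    condition     = alltrue([for b in local.minio_config.buckets : try(b.policy, "none") == "none"])
    error_message = "A bucket overrides the default bucket-level policy of \"none\"; review that this is intended."
  }
}
```

Failed `check` assertions are reported as warnings during plan and apply; they do not block the run.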
Tip: Check the KinD deployment tutorial and example to get a better idea of how these buckets are configured and used.
This module is configured to use OIDC out-of-the-box, as long as the proper configuration is passed. You can check the official documentation page to get more information about the way this is configured.
Note: The OIDC will not work with the selfsigned-issuer cluster issuer, which is the one deployed by default by the cert-manager module. You are required to use the ca-issuer or any of the Let’s Encrypt issuers if you want to log in to the MinIO Console using OIDC.
In order to have a working ingress to be able to access the web interface.
The following requirements are needed by this module:
The following providers are used by this module:
The following resources are used by this module:
- argocd_application.this (resource)
- argocd_project.this (resource)
- null_resource.dependencies (resource)
- null_resource.this (resource)
- random_password.minio_root_secretkey (resource)
- utils_deep_merge_yaml.values (data source)
The following input variables are required:
Description: Name given to the cluster. Value used for naming some of the resources created by the module.
Type: string
Description: Base domain of the cluster. Value used for the ingress' URL of the application.
Type: string
The following input variables are optional (have default values):
Description: Subdomain of the cluster. Value used for the ingress' URL of the application.
Type: string
Default: "apps"
Description: Name of the Argo CD AppProject where the Application should be created. If not set, the Application will be created in a new AppProject only for this Application.
Type: string
Default: null
Description: Labels to attach to the Argo CD Application resource.
Type: map(string)
Default: {}
Description: Destination cluster where the application should be deployed.
Type: string
Default: "in-cluster"
Description: Override of target revision of the application chart.
Type: string
Default: "v3.1.0"
Description: SSL certificate issuer to use. Usually you would configure this value as letsencrypt-staging or letsencrypt-prod on your root *.tf files.
Type: string
Default: "selfsigned-issuer"
Description: Enable Prometheus ServiceMonitor in the Helm chart.
Type: bool
Default: true
Description: Helm chart value overrides. They should be passed as a list of HCL structures.
Type: any
Default: []
Description: Automated sync options for the Argo CD Application resource.
Type:
object({
  allow_empty = optional(bool)
  prune       = optional(bool)
  self_heal   = optional(bool)
})
Default:
{
  "allow_empty": false,
  "prune": true,
  "self_heal": true
}
Description: IDs of the other modules on which this module depends.
Type: map(string)
Default: {}
Description: Variable to create buckets and required users and policies.
Type:
object({
  policies = optional(list(object({
    name = string
    statements = list(object({
      resources = list(string)
      actions   = list(string)
    }))
  })), [])
  users = optional(list(object({
    accessKey = string
    secretKey = string
    policy    = string
  })), [])
  buckets = optional(list(object({
    name          = string
    policy        = optional(string, "none")
    purge         = optional(bool, false)
    versioning    = optional(bool, false)
    objectlocking = optional(bool, false)
  })), [])
})
Default: {}
Description: OIDC configuration to access the MinIO web interface.
Type:
object({
  issuer_url              = string
  oauth_url               = string
  token_url               = string
  api_url                 = string
  client_id               = string
  client_secret           = string
  oauth2_proxy_extra_args = optional(list(string), [])
})
Default: null
The following outputs are exported:
Description: ID to pass other modules in order to refer to this module as a dependency.
Description: MinIO endpoint where the buckets are available.
Description: The MinIO root user password.
= Requirements
Name | Version |
---|---|
>= 5 |
|
>= 3 |
|
>= 3 |
|
>= 1 |
= Providers
Name | Version |
---|---|
>= 3 |
|
>= 1 |
|
>= 5 |
|
>= 3 |