feat(infra): forte-drop postgres + minio for upc-dev

Two new ArgoCD Applications: - forte-drop-postgresql: in-cluster Postgres 16 StatefulSet, 5Gi PVC, POSTGRES_DB=drops, creds from forte-drop-pg-creds SealedSecret. - forte-drop-minio: in-cluster MinIO StatefulSet, 20Gi PVC, bootstrap Job creates the 'drops' bucket post-sync, creds from forte-drop-minio-creds SealedSecret. Both live in namespace 'forte-drop'. Mirrors the Vaultwarden pattern. Sealed secrets are added in a follow-up commit by the maintainer: kubeseal --fetch-cert > pub.pem kubeseal --cert pub.pem --format yaml < private/forte-drop-pg-creds.yaml > \ infra/overlays/upc-dev/forte-drop-postgresql/resources/forte-drop-pg-creds-sealed.yaml kubeseal --cert pub.pem --format yaml < private/forte-drop-minio-creds.yaml > \ infra/overlays/upc-dev/forte-drop-minio/resources/forte-drop-minio-creds-sealed.yaml
2026-05-28 14:33:19 +02:00
parent 0582cd9917
commit 3ce93017f9
9 changed files with 350 additions and 0 deletions
--- a/infra/overlays/upc-dev/forte-drop-minio/resources/minio.yaml
+++ b/infra/overlays/upc-dev/forte-drop-minio/resources/minio.yaml
@@ -0,0 +1,146 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: forte-drop-minio
+  namespace: forte-drop
+  labels:
+    app.kubernetes.io/name: minio
+    app.kubernetes.io/instance: forte-drop
+    app.kubernetes.io/component: object-storage
+spec:
+  type: ClusterIP
+  ports:
+  - name: http-api
+    port: 9000
+    targetPort: http-api
+  - name: http-console
+    port: 9001
+    targetPort: http-console
+  selector:
+    app.kubernetes.io/name: minio
+    app.kubernetes.io/instance: forte-drop
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: forte-drop-minio
+  namespace: forte-drop
+  labels:
+    app.kubernetes.io/name: minio
+    app.kubernetes.io/instance: forte-drop
+    app.kubernetes.io/component: object-storage
+spec:
+  serviceName: forte-drop-minio
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: minio
+      app.kubernetes.io/instance: forte-drop
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: minio
+        app.kubernetes.io/instance: forte-drop
+        app.kubernetes.io/component: object-storage
+    spec:
+      containers:
+      - name: minio
+        image: quay.io/minio/minio:latest
+        args:
+        - server
+        - /data
+        - --console-address
+        - :9001
+        ports:
+        - name: http-api
+          containerPort: 9000
+        - name: http-console
+          containerPort: 9001
+        env:
+        - name: MINIO_ROOT_USER
+          valueFrom:
+            secretKeyRef:
+              name: forte-drop-minio-creds
+              key: root-user
+        - name: MINIO_ROOT_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: forte-drop-minio-creds
+              key: root-password
+        volumeMounts:
+        - name: data
+          mountPath: /data
+        livenessProbe:
+          httpGet:
+            path: /minio/health/live
+            port: http-api
+          initialDelaySeconds: 30
+          periodSeconds: 20
+        readinessProbe:
+          httpGet:
+            path: /minio/health/ready
+            port: http-api
+          initialDelaySeconds: 5
+          periodSeconds: 5
+        resources:
+          requests:
+            cpu: 100m
+            memory: 256Mi
+          limits:
+            cpu: 500m
+            memory: 1Gi
+  volumeClaimTemplates:
+  - metadata:
+      name: data
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      storageClassName: upcloud-block-storage-maxiops
+      resources:
+        requests:
+          storage: 20Gi
+---
+# Bootstrap job — creates the 'drops' bucket once MinIO is reachable.
+# Idempotent: `mc mb --ignore-existing` skips if bucket already exists.
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: forte-drop-minio-bootstrap
+  namespace: forte-drop
+  labels:
+    app.kubernetes.io/name: minio
+    app.kubernetes.io/instance: forte-drop
+    app.kubernetes.io/component: bootstrap
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: HookSucceeded
+spec:
+  backoffLimit: 5
+  template:
+    spec:
+      restartPolicy: OnFailure
+      containers:
+      - name: mc
+        image: quay.io/minio/mc:latest
+        env:
+        - name: MINIO_ROOT_USER
+          valueFrom:
+            secretKeyRef:
+              name: forte-drop-minio-creds
+              key: root-user
+        - name: MINIO_ROOT_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: forte-drop-minio-creds
+              key: root-password
+        command:
+        - sh
+        - -c
+        - |
+          set -e
+          until mc alias set local http://forte-drop-minio:9000 "$MINIO_ROOT_USER" "$MINIO_ROOT_PASSWORD" 2>/dev/null; do
+            echo "waiting for minio..."
+            sleep 2
+          done
+          mc mb --ignore-existing local/drops
+          echo "bucket 'drops' ready"