zipline

infra/overlays/upc-dev/kustomization.yaml

@@ -4,6 +4,7 @@ resources:
 - ../../base
 - vaultwarden-postgresql
 - vaultwarden
+- minio
 
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster

infra/overlays/upc-dev/minio/keycloak-client-config.yaml

@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-client-minio
+  namespace: minio
+  labels:
+    keycloak.forteapps.net/client-config: "true"
+stringData:
+  client.json: |
+    {
+      "clientId": "minio",
+      "name": "MinIO",
+      "redirectUris": ["https://minio.forteapps.net/oauth_callback"],
+      "webOrigins": ["https://minio.forteapps.net"],
+      "protocolMappers": [
+        {
+          "name": "minio-policy-mapper",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "config": {
+            "user.attribute": "policy",
+            "claim.name": "policy",
+            "jsonType.label": "String",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "userinfo.token.claim": "true"
+          }
+        }
+      ],
+      "secret": {
+        "namespace": "minio",
+        "name": "minio-oidc-credentials",
+        "keys": { "clientId": "client-id", "clientSecret": "client-secret" }
+      }
+    }

infra/overlays/upc-dev/minio/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- minio.yaml
+- minio-credentials-sealed.yaml
+- keycloak-client-config.yaml

infra/overlays/upc-dev/minio/minio-credentials-sealed.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+data:
+  rootPassword: NTUwYTU2YmRjZjYyY2RlYmE1ZTYwZDAwZjNhYzcxOGM1MGY0NjExNmZkMzdjZWI0MGY4Yzc3NDA1NTM5YWM4Mg==
+  rootUser: Zm9ydGVtaW5pbw==
+kind: Secret
+metadata:
+  creationTimestamp: null
+  name: minio-credentials
+  namespace: minio

infra/overlays/upc-dev/minio/minio.yaml

@@ -0,0 +1,43 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: minio
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  labels:
+    app.kubernetes.io/name: minio
+    app.kubernetes.io/part-of: storage
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: https://charts.min.io/
+    chart: minio
+    targetRevision: "5.4.0"
+    helm:
+      releaseName: minio
+      valueFiles:
+      - $values/infra/values/base/minio-values.yaml
+      - $values/infra/values/upc-dev/minio-values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: minio
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true

infra/values/base/minio-values.yaml

@@ -0,0 +1,33 @@
+## MinIO base values — cross-cluster constants
+
+mode: standalone
+
+image:
+  repository: quay.io/minio/minio
+  tag: "RELEASE.2025-05-24T17-08-30Z"
+  pullPolicy: IfNotPresent
+
+## Use existing secret for root credentials
+## Secret must contain keys: rootUser, rootPassword
+existingSecret: "minio-credentials"
+
+## Single bucket created on startup
+buckets:
+- name: default
+  policy: none
+  purge: false
+
+resources:
+  requests:
+    cpu: 100m
+    memory: 256Mi
+  limits:
+    cpu: 500m
+    memory: 512Mi
+
+## Service configuration
+service:
+  type: ClusterIP
+
+consoleService:
+  type: ClusterIP

infra/values/upc-dev/minio-values.yaml

@@ -0,0 +1,52 @@
+## MinIO upc-dev overlay values
+
+## Storage
+persistence:
+  enabled: true
+  size: 10Gi
+  accessMode: ReadWriteOnce
+
+## Console Ingress (Web UI) — port 9001
+consoleIngress:
+  enabled: true
+  ingressClassName: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    gethomepage.dev/enabled: "false"
+    gethomepage.dev/name: "Forte Zipline"
+    gethomepage.dev/description: "Object storage"
+    gethomepage.dev/group: "Storage"
+    gethomepage.dev/icon: "minio"
+    gethomepage.dev/href: "https://zipline.forteapps.net"
+  hosts:
+  - zipline.forteapps.net
+  tls:
+  - secretName: minio-console-tls
+    hosts:
+    - zipline.forteapps.net
+
+## API Ingress — port 9000
+ingress:
+  enabled: true
+  ingressClassName: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+  hosts:
+  - s3.forteapps.net
+  tls:
+  - secretName: minio-api-tls
+    hosts:
+    - s3.forteapps.net
+
+## Native OIDC via Keycloak
+oidc:
+  enabled: true
+  configUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration"
+  clientId: "minio"
+  existingClientSecretName: "minio-oidc-credentials"
+  existingClientSecretKey: "client-secret"
+  claimName: "policy"
+  scopes: "openid,email,profile"
+  redirectUri: "https://zipline.forteapps.net/oauth_callback"
+  claimPrefix: ""
+  comment: ""