69848e42f0
All checks were successful
AI Code Review / ai-review (pull_request) Successful in 15s
Address ai-review feedback on PR #17: - Pin quay.io/minio/minio and mc to specific RELEASE tags (Renovate will bump). 'latest' is unpredictable in GitOps. - Bootstrap script: set -e -> set -euo pipefail. - Postgres container: runAsNonRoot, uid/gid 999, drop ALL caps, no privilege escalation. Matches PSS restricted profile.
147 lines
3.7 KiB
YAML
147 lines
3.7 KiB
YAML
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: forte-drop-minio
|
|
namespace: forte-drop
|
|
labels:
|
|
app.kubernetes.io/name: minio
|
|
app.kubernetes.io/instance: forte-drop
|
|
app.kubernetes.io/component: object-storage
|
|
spec:
|
|
type: ClusterIP
|
|
ports:
|
|
- name: http-api
|
|
port: 9000
|
|
targetPort: http-api
|
|
- name: http-console
|
|
port: 9001
|
|
targetPort: http-console
|
|
selector:
|
|
app.kubernetes.io/name: minio
|
|
app.kubernetes.io/instance: forte-drop
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: StatefulSet
|
|
metadata:
|
|
name: forte-drop-minio
|
|
namespace: forte-drop
|
|
labels:
|
|
app.kubernetes.io/name: minio
|
|
app.kubernetes.io/instance: forte-drop
|
|
app.kubernetes.io/component: object-storage
|
|
spec:
|
|
serviceName: forte-drop-minio
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: minio
|
|
app.kubernetes.io/instance: forte-drop
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/name: minio
|
|
app.kubernetes.io/instance: forte-drop
|
|
app.kubernetes.io/component: object-storage
|
|
spec:
|
|
containers:
|
|
- name: minio
|
|
image: quay.io/minio/minio:RELEASE.2024-12-18T13-15-44Z
|
|
args:
|
|
- server
|
|
- /data
|
|
- --console-address
|
|
- :9001
|
|
ports:
|
|
- name: http-api
|
|
containerPort: 9000
|
|
- name: http-console
|
|
containerPort: 9001
|
|
env:
|
|
- name: MINIO_ROOT_USER
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: forte-drop-minio-creds
|
|
key: root-user
|
|
- name: MINIO_ROOT_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: forte-drop-minio-creds
|
|
key: root-password
|
|
volumeMounts:
|
|
- name: data
|
|
mountPath: /data
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /minio/health/live
|
|
port: http-api
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 20
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /minio/health/ready
|
|
port: http-api
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 5
|
|
resources:
|
|
requests:
|
|
cpu: 100m
|
|
memory: 256Mi
|
|
limits:
|
|
cpu: 500m
|
|
memory: 1Gi
|
|
volumeClaimTemplates:
|
|
- metadata:
|
|
name: data
|
|
spec:
|
|
accessModes:
|
|
- ReadWriteOnce
|
|
storageClassName: upcloud-block-storage-maxiops
|
|
resources:
|
|
requests:
|
|
storage: 20Gi
|
|
---
|
|
# Bootstrap job — creates the 'drops' bucket once MinIO is reachable.
|
|
# Idempotent: `mc mb --ignore-existing` skips if bucket already exists.
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: forte-drop-minio-bootstrap
|
|
namespace: forte-drop
|
|
labels:
|
|
app.kubernetes.io/name: minio
|
|
app.kubernetes.io/instance: forte-drop
|
|
app.kubernetes.io/component: bootstrap
|
|
annotations:
|
|
argocd.argoproj.io/hook: PostSync
|
|
argocd.argoproj.io/hook-delete-policy: HookSucceeded
|
|
spec:
|
|
backoffLimit: 5
|
|
template:
|
|
spec:
|
|
restartPolicy: OnFailure
|
|
containers:
|
|
- name: mc
|
|
image: quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z
|
|
env:
|
|
- name: MINIO_ROOT_USER
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: forte-drop-minio-creds
|
|
key: root-user
|
|
- name: MINIO_ROOT_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: forte-drop-minio-creds
|
|
key: root-password
|
|
command:
|
|
- sh
|
|
- -c
|
|
- |
|
|
set -euo pipefail
|
|
until mc alias set local http://forte-drop-minio:9000 "$MINIO_ROOT_USER" "$MINIO_ROOT_PASSWORD" 2>/dev/null; do
|
|
echo "waiting for minio..."
|
|
sleep 2
|
|
done
|
|
mc mb --ignore-existing local/drops
|
|
echo "bucket 'drops' ready"
|