devops-stack-module-minio
A DevOps Stack module to deploy MinIO.
The MinIO chart used by this module is shipped in this repository as well, in order to avoid any unwanted behaviors caused by unsupported versions.
Current Chart Version | Original Repository | Default Values |
---|---|---|
5.0.13 | | |
Usage
This module can be declared by adding the following block to your Terraform configuration:
module "minio" {
  source = "git::https://github.com/camptocamp/devops-stack-module-minio.git?ref=<RELEASE>"

  cluster_name     = local.cluster_name
  base_domain      = local.base_domain
  cluster_issuer   = local.cluster_issuer
  argocd_namespace = module.argocd_bootstrap.argocd_namespace

  enable_service_monitor = false # Needs to be false for the first deployment

  config_minio = local.minio_config
  oidc         = module.oidc.oidc

  dependency_ids = {
    argocd = module.argocd_bootstrap.id
  }
}
The config_minio variable is where you create the necessary policies, users and buckets. In this example, we defined them inside a Terraform local variable:
resource "random_password" "loki_secretkey" {
  length  = 32
  special = false
}

resource "random_password" "thanos_secretkey" {
  length  = 32
  special = false
}

locals {
  minio_config = {
    policies = [
      {
        name = "loki-policy"
        statements = [
          {
            resources = ["arn:aws:s3:::loki-bucket"]
            actions   = ["s3:CreateBucket", "s3:DeleteBucket", "s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads"]
          },
          {
            resources = ["arn:aws:s3:::loki-bucket/*"]
            actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
          }
        ]
      },
      {
        name = "thanos-policy"
        statements = [
          {
            resources = ["arn:aws:s3:::thanos-bucket"]
            actions   = ["s3:CreateBucket", "s3:DeleteBucket", "s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads"]
          },
          {
            resources = ["arn:aws:s3:::thanos-bucket/*"]
            actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
          }
        ]
      }
    ],
    users = [
      {
        accessKey = "loki-user"
        secretKey = random_password.loki_secretkey.result
        policy    = "loki-policy"
      },
      {
        accessKey = "thanos-user"
        secretKey = random_password.thanos_secretkey.result
        policy    = "thanos-policy"
      }
    ],
    buckets = [
      {
        name = "loki-bucket"
      },
      {
        name = "thanos-bucket"
      }
    ]
  }
}
Check the KinD deployment tutorial and example to get a better idea of how these buckets are configured and used.
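A plan-time guard for the policies, users and buckets defined above, as an added example that is not part of this module. The local names and the terraform_data.minio_config_guard resource are hypothetical; the block assumes Terraform >= 1.4, the local.minio_config structure shown above, and that a bucket's policy field is the chart's anonymous-access setting.

```hcl
# Added example, not part of the module. Assumes Terraform >= 1.4 (terraform_data)
# and the local.minio_config structure from the example above.
locals {
  minio_policy_names = [for p in local.minio_config.policies : p.name]

  # Users whose `policy` does not name a policy defined in the same config.
  minio_users_without_policy = [
    for u in local.minio_config.users : u.accessKey
    if !contains(local.minio_policy_names, u.policy)
  ]

  # Policies with a wildcard action, or a resource not scoped to a named bucket.
  minio_overbroad_policies = distinct(flatten([
    for p in local.minio_config.policies : [
      for s in p.statements : p.name
      if anytrue([for a in s.actions : contains(["*", "s3:*"], a)]) ||
      anytrue([for r in s.resources : contains(["*", "arn:aws:s3:::*"], r)])
    ]
  ]))

  # Buckets whose `policy` is not "none". Assumption: this field is the chart's
  # anonymous-access setting, so any other value exposes objects without credentials.
  minio_anonymous_buckets = [
    for b in local.minio_config.buckets : b.name
    if try(b.policy, "none") != "none"
  ]
}

# A failed precondition stops `terraform plan` before anything is deployed.
resource "terraform_data" "minio_config_guard" {
  lifecycle {
    precondition {
      condition     = length(local.minio_users_without_policy) == 0
      error_message = "Users reference undefined policies: ${join(", ", local.minio_users_without_policy)}"
    }
    precondition {
      condition     = length(local.minio_overbroad_policies) == 0
      error_message = "Over-broad policies: ${join(", ", local.minio_overbroad_policies)}"
    }
    precondition {
      condition     = length(local.minio_anonymous_buckets) == 0
      error_message = "Buckets with anonymous access: ${join(", ", local.minio_anonymous_buckets)}"
    }
  }
}
```

With the configuration shown above all three lists are empty, so the plan proceeds unchanged.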
WebUI Login
This module is configured to use OIDC out of the box, as long as the proper scope is passed. You can check the official documentation page for more information about how this is configured.
However, there is no way to make the OIDC login the default on the login page. To use the OIDC login, click on Other Authentication Methods, then Login using SSO, as shown in the screenshot below.
Technical Reference
Dependencies
Resources
The following resources are used by this module:
- argocd_application.this (resource)
- argocd_project.this (resource)
- null_resource.dependencies (resource)
- null_resource.this (resource)
- random_password.minio_root_secretkey (resource)
- utils_deep_merge_yaml.values (data source)
Required Inputs
The following input variables are required:
cluster_name
Description: Name given to the cluster. Value used for naming some of the resources created by the module.
Type: string
base_domain
Description: Base domain of the cluster. Value used for the ingress' URL of the application.
Type: string
Optional Inputs
The following input variables are optional (have default values):
argocd_namespace
Description: Namespace used by Argo CD where the Application and AppProject resources should be created.
Type: string
Default: "argocd"
target_revision
Description: Override of target revision of the application chart.
Type: string
Default: "v2.0.0"
cluster_issuer
Description: SSL certificate issuer to use. Usually you would configure this value as letsencrypt-staging or letsencrypt-prod on your root *.tf files.
Type: string
Default: "ca-issuer"
namespace
Description: Namespace where the application's Kubernetes resources should be created. Namespace will be created in case it doesn't exist.
Type: string
Default: "minio"
enable_service_monitor
Description: Enable Prometheus ServiceMonitor in the Helm chart.
Type: bool
Default: true
helm_values
Description: Helm chart value overrides. They should be passed as a list of HCL structures.
Type: any
Default: []
app_autosync
Description: Automated sync options for the Argo CD Application resource.
Type:
object({
  allow_empty = optional(bool)
  prune       = optional(bool)
  self_heal   = optional(bool)
})
Default:
{
  "allow_empty": false,
  "prune": true,
  "self_heal": true
}
dependency_ids
Description: IDs of the other modules on which this module depends.
Type: map(string)
Default: {}
config_minio
Description: Variable to create buckets and required users and policies.
Type:
object({
  policies = optional(list(object({
    name = string
    statements = list(object({
      resources = list(string)
      actions   = list(string)
    }))
  })), [])
  users = optional(list(object({
    accessKey = string
    secretKey = string
    policy    = string
  })), [])
  buckets = optional(list(object({
    name          = string
    policy        = optional(string, "none")
    purge         = optional(bool, false)
    versioning    = optional(bool, false)
    objectlocking = optional(bool, false)
  })), [])
})
Default: {}
oidc
Description: OIDC configuration to access the MinIO web interface.
Type:
object({
  issuer_url              = string
  oauth_url               = string
  token_url               = string
  api_url                 = string
  client_id               = string
  client_secret           = string
  oauth2_proxy_extra_args = optional(list(string), [])
})
Default: null
Outputs
The following outputs are exported:
id
Description: ID to pass to other modules in order to refer to this module as a dependency.
endpoint
Description: MinIO endpoint where the buckets are available.
minio_root_user_credentials
Description: The MinIO root user password.
Reference in table format
Requirements
Name | Version |
---|---|
 | >= 5 |
 | >= 3 |
 | >= 3 |
 | >= 1 |
Providers
Name | Version |
---|---|
 | >= 3 |
 | >= 1 |
 | >= 5 |
 | >= 3 |