devops-stack-module-minio

A DevOps Stack module to deploy MinIO.

The MinIO chart used by this module is shipped in this repository as well, in order to avoid any unwanted behaviors caused by unsupported versions.

Current Chart Version Original Repository Default Values

5.0.13

Chart

values.yaml

Usage

This module can be declared by adding the following block on your Terraform configuration:

module "minio" {
  source = "git::https://github.com/camptocamp/devops-stack-module-minio.git?ref=<RELEASE>"

  cluster_name     = local.cluster_name
  base_domain      = local.base_domain
  cluster_issuer   = local.cluster_issuer
  argocd_namespace = module.argocd_bootstrap.argocd_namespace

  enable_service_monitor = false # Needs to be false for the first deployment

  config_minio = local.minio_config

  oidc = module.oidc.oidc

  dependency_ids = {
    argocd = module.argocd_bootstrap.id
  }
}

The config_minio variable is where you create the necessary policies, users and buckets. In this example, we defined them inside a Terraform local variable:

resource "random_password" "loki_secretkey" {
  length  = 32
  special = false
}
resource "random_password" "thanos_secretkey" {
  length  = 32
  special = false
}

locals {
  minio_config = {
    policies = [
      {
        name = "loki-policy"
        statements = [
          {
            resources = ["arn:aws:s3:::loki-bucket"]
            actions   = ["s3:CreateBucket", "s3:DeleteBucket", "s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads"]
          },
          {
            resources = ["arn:aws:s3:::loki-bucket/*"]
            actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
          }
        ]
      },
      {
        name = "thanos-policy"
        statements = [
          {
            resources = ["arn:aws:s3:::thanos-bucket"]
            actions   = ["s3:CreateBucket", "s3:DeleteBucket", "s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads"]
          },
          {
            resources = ["arn:aws:s3:::thanos-bucket/*"]
            actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
          }
        ]
      }
    ],
    users = [
      {
        accessKey = "loki-user"
        secretKey = random_password.loki_secretkey.result
        policy    = "loki-policy"
      },
      {
        accessKey = "thanos-user"
        secretKey = random_password.thanos_secretkey.result
        policy    = "thanos-policy"
      }
    ],
    buckets = [
      {
        name = "loki-bucket"
      },
      {
        name = "thanos-bucket"
      }
    ]
  }
}
Check the KinD deployment tutorial and example to get a better idea of how these buckets are configured and used.

WebUI Login

This module is configured to used OIDC out-of-the-box, as long as the proper scope is passed. You can check the official documentation page to get more information about the way this is configured.

However, there is no way to configure the OIDC login as default on the login page, so take note that in order to use the OIDC login you need to click on Other Authentication Methods then Login using SSO ()_, as shown in the screenshot below.

login page

Technical Reference

Dependencies

module.traefik and module.cert-manager

In order to have a working ingress to be able to access the web interface.

module.oidc

In order to have the ability to login using OIDC.

Requirements

The following requirements are needed by this module:

Providers

The following providers are used by this module:

Resources

The following resources are used by this module:

Required Inputs

The following input variables are required:

cluster_name

Description: Name given to the cluster. Value used for naming some the resources created by the module.

Type: string

base_domain

Description: Base domain of the cluster. Value used for the ingress' URL of the application.

Type: string

Optional Inputs

The following input variables are optional (have default values):

argocd_namespace

Description: Namespace used by Argo CD where the Application and AppProject resources should be created.

Type: string

Default: "argocd"

argocd_project

Description: Name of the Argo CD AppProject where the Application should be created. If not set, the Application will be created in a new AppProject only for this Application.

Type: string

Default: null

argocd_labels

Description: Labels to attach to the Argo CD Application resource.

Type: map(string)

Default: {}

destination_cluster

Description: Destination cluster where the application should be deployed.

Type: string

Default: "in-cluster"

target_revision

Description: Override of target revision of the application chart.

Type: string

Default: "v2.1.0"

cluster_issuer

Description: SSL certificate issuer to use. Usually you would configure this value as letsencrypt-staging or letsencrypt-prod on your root *.tf files.

Type: string

Default: "ca-issuer"

namespace

Description: Namespace where the applications’s Kubernetes resources should be created. Namespace will be created in case it doesn’t exist.

Type: string

Default: "minio"

enable_service_monitor

Description: Enable Prometheus ServiceMonitor in the Helm chart.

Type: bool

Default: true

helm_values

Description: Helm chart value overrides. They should be passed as a list of HCL structures.

Type: any

Default: []

app_autosync

Description: Automated sync options for the Argo CD Application resource.

Type:

object({
    allow_empty = optional(bool)
    prune       = optional(bool)
    self_heal   = optional(bool)
  })

Default:

{
  "allow_empty": false,
  "prune": true,
  "self_heal": true
}

dependency_ids

Description: IDs of the other modules on which this module depends on.

Type: map(string)

Default: {}

config_minio

Description: Variable to create buckets and required users and policies.

Type:

object({
    policies = optional(list(object({
      name = string
      statements = list(object({
        resources = list(string)
        actions   = list(string)
      }))
    })), [])
    users = optional(list(object({
      accessKey = string
      secretKey = string
      policy    = string
    })), [])
    buckets = optional(list(object({
      name          = string
      policy        = optional(string, "none")
      purge         = optional(bool, false)
      versioning    = optional(bool, false)
      objectlocking = optional(bool, false)
    })), [])
  })

Default: {}

oidc

Description: OIDC configuration to access the MinIO web interface.

Type:

object({
    issuer_url              = string
    oauth_url               = string
    token_url               = string
    api_url                 = string
    client_id               = string
    client_secret           = string
    oauth2_proxy_extra_args = optional(list(string), [])
  })

Default: null

Outputs

The following outputs are exported:

id

Description: ID to pass other modules in order to refer to this module as a dependency.

endpoint

Description: MinIO endpoint where the buckets are available.

minio_root_user_credentials

Description: The MinIO root user password.

Reference in table format

Show tables

= Requirements

Name Version

>= 5

>= 3

>= 3

>= 1

= Providers

Name Version

>= 3

>= 3

>= 1

>= 5

= Resources

Name Type

resource

resource

resource

resource

resource

data source

= Inputs

Name Description Type Default Required

Name given to the cluster. Value used for naming some the resources created by the module.

string

n/a

yes

Base domain of the cluster. Value used for the ingress' URL of the application.

string

n/a

yes

Namespace used by Argo CD where the Application and AppProject resources should be created.

string

"argocd"

no

Name of the Argo CD AppProject where the Application should be created. If not set, the Application will be created in a new AppProject only for this Application.

string

null

no

Labels to attach to the Argo CD Application resource.

map(string)

{}

no

Destination cluster where the application should be deployed.

string

"in-cluster"

no

Override of target revision of the application chart.

string

"v2.1.0"

no

SSL certificate issuer to use. Usually you would configure this value as letsencrypt-staging or letsencrypt-prod on your root *.tf files.

string

"ca-issuer"

no

Namespace where the applications’s Kubernetes resources should be created. Namespace will be created in case it doesn’t exist.

string

"minio"

no

Enable Prometheus ServiceMonitor in the Helm chart.

bool

true

no

Helm chart value overrides. They should be passed as a list of HCL structures.

any

[]

no

Automated sync options for the Argo CD Application resource.

object({
    allow_empty = optional(bool)
    prune       = optional(bool)
    self_heal   = optional(bool)
  })
{
  "allow_empty": false,
  "prune": true,
  "self_heal": true
}

no

IDs of the other modules on which this module depends on.

map(string)

{}

no

Variable to create buckets and required users and policies.

object({
    policies = optional(list(object({
      name = string
      statements = list(object({
        resources = list(string)
        actions   = list(string)
      }))
    })), [])
    users = optional(list(object({
      accessKey = string
      secretKey = string
      policy    = string
    })), [])
    buckets = optional(list(object({
      name          = string
      policy        = optional(string, "none")
      purge         = optional(bool, false)
      versioning    = optional(bool, false)
      objectlocking = optional(bool, false)
    })), [])
  })

{}

no

OIDC configuration to access the MinIO web interface.

object({
    issuer_url              = string
    oauth_url               = string
    token_url               = string
    api_url                 = string
    client_id               = string
    client_secret           = string
    oauth2_proxy_extra_args = optional(list(string), [])
  })

null

no

= Outputs

Name Description

id

ID to pass other modules in order to refer to this module as a dependency.

MinIO endpoint where the buckets are available.

The MinIO root user password.