devops-stack-module-minio
A DevOps Stack module to deploy MinIO.
The MinIO chart used by this module is shipped in this repository as well, in order to avoid any unwanted behaviors caused by unsupported versions.
Current Chart Version | Original Repository | Default Values |
---|---|---|
5.0.13 |
Usage
This module can be declared by adding the following block on your Terraform configuration:
module "minio" {
  source = "git::https://github.com/camptocamp/devops-stack-module-minio.git?ref=<RELEASE>"

  cluster_name     = local.cluster_name
  base_domain      = local.base_domain
  cluster_issuer   = local.cluster_issuer
  argocd_namespace = module.argocd_bootstrap.argocd_namespace

  enable_service_monitor = false # Needs to be false for the first deployment

  config_minio = local.minio_config

  oidc = module.oidc.oidc

  dependency_ids = {
    argocd = module.argocd_bootstrap.id
  }
}
The config_minio variable is where you create the necessary policies, users and buckets. In this example, we defined them inside a Terraform local variable:
resource "random_password" "loki_secretkey" {
  length  = 32
  special = false
}

resource "random_password" "thanos_secretkey" {
  length  = 32
  special = false
}

locals {
  minio_config = {
    # One policy per consumer, scoped to that consumer's own bucket.
    policies = [
      {
        name = "loki-policy"
        statements = [
          {
            resources = ["arn:aws:s3:::loki-bucket"]
            actions   = ["s3:CreateBucket", "s3:DeleteBucket", "s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads"]
          },
          {
            resources = ["arn:aws:s3:::loki-bucket/*"]
            actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
          }
        ]
      },
      {
        name = "thanos-policy"
        statements = [
          {
            resources = ["arn:aws:s3:::thanos-bucket"]
            actions   = ["s3:CreateBucket", "s3:DeleteBucket", "s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads"]
          },
          {
            resources = ["arn:aws:s3:::thanos-bucket/*"]
            actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
          }
        ]
      }
    ],
    # Each user gets a generated secret key and exactly one policy.
    users = [
      {
        accessKey = "loki-user"
        secretKey = random_password.loki_secretkey.result
        policy    = "loki-policy"
      },
      {
        accessKey = "thanos-user"
        secretKey = random_password.thanos_secretkey.result
        policy    = "thanos-policy"
      }
    ],
    buckets = [
      {
        name = "loki-bucket"
      },
      {
        name = "thanos-bucket"
      }
    ]
  }
}
Check the KinD deployment tutorial and example to get a better idea of how these buckets are configured and used.
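A plan-time guard for the config_minio value above, as an added example that is not part of this module: it fails `terraform plan` when a user references an undeclared policy, when a statement uses a wildcard action, or when a resource ARN points outside the declared buckets. The `minio_config_guard` resource and the `minio_*` helper locals are hypothetical names, and `terraform_data` assumes Terraform 1.4 or later.

```hcl
# Added example: plan-time guard for local.minio_config (not part of the module).
locals {
  minio_policy_names = [for p in local.minio_config.policies : p.name]
  minio_bucket_names = [for b in local.minio_config.buckets : b.name]

  # One entry per policy statement, so the conditions below stay flat.
  minio_statements = flatten([
    for p in local.minio_config.policies : [
      for s in p.statements : { policy = p.name, resources = s.resources, actions = s.actions }
    ]
  ])
}

# Hypothetical resource name; terraform_data creates nothing and only carries the checks.
resource "terraform_data" "minio_config_guard" {
  lifecycle {
    # A user bound to a policy name that is not declared would get no usable permissions.
    precondition {
      condition = alltrue([
        for u in local.minio_config.users : contains(local.minio_policy_names, u.policy)
      ])
      error_message = "Every minio_config user must reference a policy declared in minio_config.policies."
    }

    # Reject wildcard actions such as "s3:*", "*" or "s3:Get*".
    precondition {
      condition = alltrue(flatten([
        for s in local.minio_statements : [for a in s.actions : !endswith(a, "*")]
      ]))
      error_message = "minio_config policies must list explicit S3 actions, not wildcards."
    }

    # Every resource ARN must name a declared bucket, optionally followed by /<key pattern>.
    precondition {
      condition = alltrue(flatten([
        for s in local.minio_statements : [
          for r in s.resources :
          contains(local.minio_bucket_names, split("/", trimprefix(r, "arn:aws:s3:::"))[0])
        ]
      ]))
      error_message = "minio_config policy resources must target buckets declared in minio_config.buckets."
    }
  }
}
```

With the loki and thanos policies shown above all three preconditions hold; a statement whose resource is `arn:aws:s3:::*` fails the third one.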
WebUI Login
This module is configured to use OIDC out-of-the-box, as long as the proper configuration is passed. You can check the official documentation page to get more information about the way this is configured.
OIDC will not work with the selfsigned-issuer cluster issuer, which is the one deployed by default by the cert-manager module. You are required to use the ca-issuer or any of the Let’s Encrypt issuers if you want to log in to the MinIO Console using OIDC.
Technical Reference
Dependencies
Resources
The following resources are used by this module:
- argocd_application.this (resource)
- argocd_project.this (resource)
- null_resource.dependencies (resource)
- null_resource.this (resource)
- random_password.minio_root_secretkey (resource)
- utils_deep_merge_yaml.values (data source)
Required Inputs
The following input variables are required:
cluster_name
Description: Name given to the cluster. Value used for naming some of the resources created by the module.
Type: string
base_domain
Description: Base domain of the cluster. Value used for the ingress' URL of the application.
Type: string
Optional Inputs
The following input variables are optional (have default values):
argocd_project
Description: Name of the Argo CD AppProject where the Application should be created. If not set, the Application will be created in a new AppProject only for this Application.
Type: string
Default: null
argocd_labels
Description: Labels to attach to the Argo CD Application resource.
Type: map(string)
Default: {}
destination_cluster
Description: Destination cluster where the application should be deployed.
Type: string
Default: "in-cluster"
target_revision
Description: Override of target revision of the application chart.
Type: string
Default: "v2.2.0"
cluster_issuer
Description: SSL certificate issuer to use. Usually you would configure this value as letsencrypt-staging or letsencrypt-prod on your root *.tf files.
Type: string
Default: "selfsigned-issuer"
enable_service_monitor
Description: Enable Prometheus ServiceMonitor in the Helm chart.
Type: bool
Default: true
helm_values
Description: Helm chart value overrides. They should be passed as a list of HCL structures.
Type: any
Default: []
app_autosync
Description: Automated sync options for the Argo CD Application resource.
Type:
object({
  allow_empty = optional(bool)
  prune       = optional(bool)
  self_heal   = optional(bool)
})
Default:
{
  "allow_empty": false,
  "prune": true,
  "self_heal": true
}
dependency_ids
Description: IDs of the other modules on which this module depends.
Type: map(string)
Default: {}
config_minio
Description: Variable to create buckets and required users and policies.
Type:
object({
  policies = optional(list(object({
    name = string
    statements = list(object({
      resources = list(string)
      actions   = list(string)
    }))
  })), [])
  users = optional(list(object({
    accessKey = string
    secretKey = string
    policy    = string
  })), [])
  buckets = optional(list(object({
    name          = string
    policy        = optional(string, "none")
    purge         = optional(bool, false)
    versioning    = optional(bool, false)
    objectlocking = optional(bool, false)
  })), [])
})
Default: {}
oidc
Description: OIDC configuration to access the MinIO web interface.
Type:
object({
  issuer_url              = string
  oauth_url               = string
  token_url               = string
  api_url                 = string
  client_id               = string
  client_secret           = string
  oauth2_proxy_extra_args = optional(list(string), [])
})
Default: null
Outputs
The following outputs are exported:
id
Description: ID to pass other modules in order to refer to this module as a dependency.
endpoint
Description: MinIO endpoint where the buckets are available.
minio_root_user_credentials
Description: The MinIO root user password.
Reference in table format
= Requirements
Name | Version |
---|---|
 | >= 5 |
 | >= 3 |
 | >= 3 |
 | >= 1 |
= Providers
Name | Version |
---|---|
 | >= 3 |
 | >= 1 |
 | >= 5 |
 | >= 3 |