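---
# Argo CD ApplicationSet that installs the MinIO "tenant" Helm chart for Harbor.
# The plugin generator below pulls three values (S3 endpoint, S3 region and the
# cert-manager ClusterIssuer name) from a k8s secret; they are substituted into
# the Helm values with Go templating (goTemplate: true), so every templated
# scalar in `values` is quoted to survive an empty or boolean-/number-looking
# expansion.
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: harbor-minio-tenant-app-set
  namespace: argocd
spec:
  goTemplate: true
  # generator allows us to source specific values from an external k8s secret
  generators:
    - plugin:
        configMapRef:
          name: secret-var-plugin-generator
        input:
          parameters:
            secret_vars:
              - harbor_s3_endpoint
              - harbor_s3_region
              - global_cluster_issuer
  template:
    metadata:
      name: harbor-minio-tenant
      annotations:
        argocd.argoproj.io/sync-wave: "2"
    spec:
      project: harbor
      destination:
        server: "https://kubernetes.default.svc"
        namespace: harbor
      syncPolicy:
        syncOptions:
          - ApplyOutOfSyncOnly=true
        automated:
          prune: true
          selfHeal: true
      source:
        # official minio helm repo
        repoURL: 'https://operator.min.io/'
        chart: tenant
        # quoted so the chart version is never re-typed by a YAML loader
        targetRevision: "6.0.4"
        helm:
          releaseName: harbor-minio-tenant
          # Rendered by Argo CD's Go templating first, then parsed by Helm as the
          # chart's values file.
          values: |
            ## Secret with default environment variable configurations to be used by MinIO Tenant.
            secrets:
              existingSecret: default-tenant-env-config
            ## MinIO Tenant Definition
            tenant:
              # Tenant name
              name: harbor-tenant
              ## Secret name that contains additional environment variable configurations.
              ## The secret is expected to have a key named config.env containing environment variables exports.
              configuration:
                name: default-tenant-env-config
              ## Specification for MinIO Pool(s) in this Tenant.
              pools:
                ## Servers specifies the number of MinIO Tenant Pods / Servers in this pool.
                ## For standalone mode, supply 1. For distributed mode, supply 4 or more.
                ## Note that the operator does not support upgrading from standalone to distributed mode.
                - servers: 1
                  ## custom name for the pool
                  name: pool-0
                  ## volumesPerServer specifies the number of volumes attached per MinIO Tenant Pod / Server.
                  volumesPerServer: 1
                  ## size specifies the capacity per volume
                  size: 10Gi
                  ## storageClass specifies the storage class name to be used for this pool
                  ### Docs: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/parameters.md
                  storageClassName: local-path
                  ## nodeSelector parameters for MinIO Pods. It specifies a map of key-value pairs. For the pod to be
                  ## eligible to run on a node, the node must have each of the
                  ## indicated key-value pairs as labels.
                  ## Read more here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
                  nodeSelector: {}
                  ## Affinity settings for MinIO pods. Read more about affinity
                  ## here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity.
                  affinity: {}
                  ## Configure resource requests and limits for MinIO containers
                  resources: {}
                  ## Configure Pod's security context
                  ## We recommend to skip the recursive permission change by using
                  ## fsGroupChangePolicy as OnRootMismatch because it can be pretty
                  ## expensive for larger volumes with lots of small files.
                  securityContext:
                    runAsUser: 1000
                    runAsGroup: 1000
                    fsGroup: 1000
                    fsGroupChangePolicy: "OnRootMismatch"
                    runAsNonRoot: true
                  ## Configure container security context
                  ## NOTE(review): only the UID/GID fields are set here; consider also
                  ## allowPrivilegeEscalation: false, capabilities.drop: [ALL] and a
                  ## seccompProfile — confirm the chart passes these through to the container.
                  containerSecurityContext:
                    runAsUser: 1000
                    runAsGroup: 1000
                    runAsNonRoot: true
                  ## Configure topology constraints
                  topologySpreadConstraints: []
                  ## Configure Runtime Class
                  # runtimeClassName: ""
              # pool metrics to be read by Prometheus
              metrics:
                enabled: false
                port: 9000
                protocol: http
              certificate:
                ## https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster
                ## NOTE(review): with requestAutoCert off and externalCertSecret commented
                ## out, the tenant itself serves plaintext; TLS is only terminated at the
                ## nginx ingress below. Confirm that the LoadBalancer exposure under
                ## exposeServices is intended to be reachable without TLS.
                requestAutoCert: false
                # https://github.com/minio/operator/blob/master/examples/kustomization/tenant-certmanager/certificates.yaml
                ## Use certificates generated by cert-manager.
                # externalCertSecret:
                #   - name: minio-tls
                #     type: cert-manager.io/v1
                #   - name: minio-api-tls
                #     type: cert-manager.io/v1
                #   - name: minio-user-console-tls
                #     type: cert-manager.io/v1
                #   - name: harbor-minio-pods-tls
                #     type: cert-manager.io/v1
              ## MinIO features to enable or disable in the MinIO Tenant
              ## https://github.com/minio/operator/blob/master/docs/tenant_crd.adoc#features
              features:
                bucketDNS: false
                domains:
                  minio:
                    - "https://{{ .harbor_s3_endpoint }}"
                enableSFTP: false
              ## List of bucket definitions to create during tenant provisioning.
              buckets:
                - name: harbor
                  objectLock: false
                  # quoted: an empty expansion would otherwise become null
                  region: "{{ .harbor_s3_region }}"
                - name: harbor-postgresql
                  objectLock: false
              ## PodManagement policy for MinIO Tenant Pods. Can be "OrderedReady" or "Parallel"
              ## Refer https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy
              ## for details.
              podManagementPolicy: Parallel
              ## exposeServices defines the exposure of the MinIO object storage and Console services.
              ## service is exposed as a loadbalancer in k8s service.
              exposeServices:
                minio: true
              # kubernetes service account associated with a specific tenant
              # https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
              serviceAccountName: "harbor-minio-tenant"
              # Tenant scrape configuration will be added to prometheus managed by the prometheus-operator.
              prometheusOperator: false
              # Enable JSON, Anonymous logging for MinIO tenants.
              # Refer https://github.com/minio/operator/blob/master/pkg/apis/minio.min.io/v2/types.go#L303
              logging:
                anonymous: true
                json: true
                quiet: true
              ## Add environment variables to be set in MinIO container (https://github.com/minio/minio/tree/master/docs/config)
              # stolen from https://github.com/minio/operator/blob/master/examples/kustomization/tenant-letsencrypt/tenant.yaml
              env:
                - name: MINIO_DOMAIN
                  value: "{{ .harbor_s3_endpoint }}"
                - name: MINIO_SERVER_URL
                  value: "https://{{ .harbor_s3_endpoint }}"
            ingress:
              # user api ingress settings
              api:
                enabled: true
                ingressClassName: "nginx"
                annotations:
                  # annotation values must be strings; quoting keeps the rendered
                  # issuer name from being re-typed
                  cert-manager.io/cluster-issuer: "{{ .global_cluster_issuer }}"
                  nginx.ingress.kubernetes.io/proxy-body-size: "64M"
                tls:
                  - secretName: harbor-minio-api-tls
                    hosts:
                      - "{{ .harbor_s3_endpoint }}"
                host: "{{ .harbor_s3_endpoint }}"
                path: /
                pathType: Prefix
              # user console ingress settings
              console:
                enabled: false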