This repository contains resources that deploy an instance of Minio on a flynnt kubernetes cluster. It is built for private cloud and on-premise environments.
The deployment is designed to be GDPR/DSGVO-compliant: no data stored in your Minio instance leaves your own servers. As long as you use trusted infrastructure providers (for example your own datacenter), your data stays under your control.
It is meant to be used for reference and as a blueprint for your own deployment.
- Uses Hetzner Cloud and the Hetzner CSI Driver for compute nodes and as the StorageClass
- You can optionally use ArgoCD for your deployment. This is recommended, but not mandatory. The alternative is plain Helm/Kustomize. See here for a sample on how to deploy ArgoCD
Note: Even though this sample is built to be deployed on a flynnt managed kubernetes cluster, you can easily customize it for a different managed k8s provider. In general, almost every technology choice made here is opinionated and can be swapped for a different product.
We use several open-source tools and stitch them together for a nice, standalone deployment experience.
- Terraform, Helm and Kustomize for deploying infrastructure, auxiliary apps and minio itself
- Sops and Age for secret encryption and handling
- At least two nodes in your cluster, in different availability zones (you can create them with the terraform instructions below).
- An Ingress and Cert-Manager solution deployed to your cluster.
- A way to point your preferred DNS record to your nodes for ingress.
- A way to store secrets and share them with your team. As an example, a keepass database is sufficient.
- A kubernetes cluster and access to it via kubectl. This example uses a flynnt cluster. Save the `kubeconfig.yaml` in the root of this repo. Do not commit it; it contains the cluster credentials.
- (optional) A place to store the terraform state. If you work in a team, you should use some form of shared storage.
- (optional) An external prometheus-compatible monitoring layer. Prometheus, alertmanager and grafana should not run in the same cluster as the application: they would share its failure domain, so an outage of the cluster would also take down the monitoring that is supposed to alert you about it.
We included the age binaries in this repository. Feel free to update or remove them; they are only used for this step. As with any vendored binary, verify them against the upstream age release (or install age from your distribution) before trusting them with your keys.

```sh
./age/age-keygen
```

Copy the private and public key from the output and save them in your secret database. Both keys will be used throughout this repository: the public key (`age1...`) is the recipient you encrypt secrets for and is safe to share; the private key (`AGE-SECRET-KEY-1...`) decrypts them and must never be committed or shared outside your team.
You should only do this if your flynnt cluster does not have any nodes yet. This step uses Hetzner Cloud to deploy compute nodes, so you need a Hetzner API key to use it.
We have some secrets that we want to use with terraform, namely our `hcloud_token` and the `flynnt_token`. We obviously don't want to store them in plain text in git, so we need to encrypt them first.

To do this, there is a `terraform/secrets.sample.yaml` file in this repo. It contains sample values. Replace them with real values, then encrypt the file so terraform can read it as variables:

```sh
./sops --encrypt --age <put-age-public-key-here> terraform/secrets.sample.yaml > terraform/secrets.enc.yaml
```

Important: don't commit the plain secrets file to git. If you put the real values into `secrets.sample.yaml` directly, restore its placeholder values right after encrypting so the real tokens never get staged. `secrets.enc.yaml` is fine to commit though; that's the whole point of sops and age. Note that sops encrypts only the values: the key names (`hcloud_token`, `flynnt_token`) stay readable in the encrypted file.
Next, we will deploy the nodes through terraform and join them to a flynnt cluster. If you want to use a different backend to store your state, customize `terraform/main.tf` accordingly. Also check `terraform/terraform.tfvars` for the correct cluster name.

```sh
export SOPS_AGE_KEY=<put-private-secret-key-here>
terraform -chdir=terraform init -upgrade #(only on first deploy)
terraform -chdir=terraform apply
```

Exporting the private key on the command line leaves it in your shell history and in the environment of every process started from that shell. sops also reads the key from the file named in `SOPS_AGE_KEY_FILE`, or from its default key file (`$XDG_CONFIG_HOME/sops/age/keys.txt`, i.e. `~/.config/sops/age/keys.txt` on Linux), so keeping the key in a file with mode 0600 and pointing sops at it is the safer option.
Check that the nodes were successfully added to the cluster, either through the flynnt dashboard or directly with `kubectl get nodes`.
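The following is an added example, not part of this repository: a small POSIX shell wrapper that keeps the age private key in a file readable only by its owner and hands it to sops through `SOPS_AGE_KEY_FILE` for a single command (such as the terraform apply above), instead of exporting `SOPS_AGE_KEY` into the whole shell session. The helper names `key_file_is_private`, `key_file_looks_like_age` and `run_with_age_key`, and the temporary fixture files, are assumptions made for the demonstration; the key in the fixture is constructed and not a usable age key.

```shell
#!/usr/bin/env sh
# Added example (not from this repository): supply the age private key to
# sops-backed commands from a 0600 file via SOPS_AGE_KEY_FILE, so the key
# never appears in shell history or in the exported environment of the
# whole session. Refuses key files that other users could read.

# key_file_is_private FILE -> 0 if FILE is a regular file with no group/other permissions
key_file_is_private() {
  [ -f "$1" ] || return 1
  mode=$(ls -ld "$1" | cut -c1-10)   # e.g. "-rw-------"
  case "$mode" in
    -???------) return 0 ;;          # owner bits free, group and other all cleared
    *) return 1 ;;
  esac
}

# key_file_looks_like_age FILE -> 0 if FILE contains an age-keygen style secret key line
key_file_looks_like_age() {
  grep -q '^AGE-SECRET-KEY-1' "$1"
}

# run_with_age_key KEYFILE CMD [ARGS...]
# Runs CMD with SOPS_AGE_KEY_FILE set only in that child's environment.
run_with_age_key() {
  keyfile=$1; shift
  key_file_is_private "$keyfile" || { echo "refusing: $keyfile must be mode 0600" >&2; return 1; }
  key_file_looks_like_age "$keyfile" || { echo "refusing: $keyfile is not an age secret key" >&2; return 1; }
  env SOPS_AGE_KEY_FILE="$keyfile" "$@"
}

# --- constructed fixtures (fake key material, not usable with age) ---
KEYDIR=$(mktemp -d)
trap 'rm -rf "$KEYDIR"' EXIT
printf '%s\n' '# created: 2000-01-01T00:00:00Z' \
  '# public key: age1examplepublickeyexamplepublickeyexamplepublickeyexample' \
  'AGE-SECRET-KEY-1EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE' \
  > "$KEYDIR/key.txt"
chmod 600 "$KEYDIR/key.txt"
cp "$KEYDIR/key.txt" "$KEYDIR/leaky.txt"
chmod 644 "$KEYDIR/leaky.txt"      # world-readable copy: must be rejected

# Demo. Real use against the terraform step would be, for example:
#   run_with_age_key ~/.config/sops/age/keys.txt terraform -chdir=terraform apply
run_with_age_key "$KEYDIR/key.txt" sh -c 'echo "child sees SOPS_AGE_KEY_FILE=$SOPS_AGE_KEY_FILE"'
if ! run_with_age_key "$KEYDIR/leaky.txt" true; then
  echo "world-readable key file rejected, as intended"
fi
```

The same wrapper works for the kustomize/ksops and `sops -i` invocations later on this page, since all of them look up the age key through the same sops key discovery.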
We need to provide two secrets for this deployment to work.

The first is for the Hetzner CSI Driver to access the Hetzner API. It is optional if you are using a different CSI provider. It's located in `applications/hetzner-csi-driver/secrets.sample.yaml`. Change it and encrypt it:

```sh
./sops --encrypt --age <put-age-public-key-here> applications/hetzner-csi-driver/secrets.sample.yaml > applications/hetzner-csi-driver/secrets.enc.yaml
```

The second secret is in `applications/minio/secrets.sample.yaml`. These are the login credentials for your tenant, so pick a long random password rather than keeping the sample values. Change them and encrypt the secret:

```sh
./sops --encrypt --age <put-age-public-key-here> applications/minio/secrets.sample.yaml > applications/minio/secrets.enc.yaml
```

The same rule as for the terraform secrets applies: only the `secrets.enc.yaml` files belong in git, never a plaintext copy.
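As an added example that is not part of this repository, the guard below enforces that rule for both the terraform secrets and the application secrets above: it accepts a file named `secrets.enc.yaml` only if it carries a top-level `sops:` block with an `age:` recipient and every value is an `ENC[AES256_GCM,...]` ciphertext, rejects any other `*secrets*.yaml` as plaintext, and leaves the `secrets.sample.yaml` placeholders alone. The function names and the fixture files (including the fake ciphertext and recipient) are constructed for the demonstration.

```shell
#!/usr/bin/env sh
# Added example (not from this repository): a pre-commit style guard that
# refuses plaintext secrets files. Assumes the repo convention:
#   secrets.enc.yaml    encrypted with sops/age, committable
#   secrets.sample.yaml placeholders only, committable
#   any other *secrets*.yaml  treated as plaintext and rejected
# In a sops-encrypted YAML file every scalar value is replaced by
# ENC[AES256_GCM,...] and a "sops:" metadata block is appended; the key
# names themselves stay readable.

# is_sops_encrypted FILE -> 0 if FILE looks sops/age-encrypted, 1 otherwise
is_sops_encrypted() {
  grep -q '^sops:' "$1" || return 1                # metadata block present
  grep -q '^[[:space:]]*age:' "$1" || return 1     # age recipient listed
  # Every "key: value" line before the sops block must be an ENC[...] value.
  awk '
    /^sops:/ { in_sops = 1 }
    !in_sops && /^[ \t]*[A-Za-z0-9_.-]+:[ \t]*[^ \t]/ {
      sub(/^[^:]*:[ \t]*/, "")
      if ($0 !~ /^ENC\[AES256_GCM,/) bad = 1
    }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# check_secrets_files FILE... -> 0 if every secrets file among FILE... is safe to commit
check_secrets_files() {
  rc=0
  for f in "$@"; do
    case "$f" in
      *secrets.sample.yaml) ;;
      *secrets.enc.yaml)
        is_sops_encrypted "$f" || { echo "REJECT: $f is not sops-encrypted" >&2; rc=1; } ;;
      *secrets*.yaml|*secrets*.yml)
        echo "REJECT: $f looks like a plaintext secrets file" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# --- constructed fixtures (fake ciphertext and recipient, not real sops output) ---
FIXDIR=$(mktemp -d)
trap 'rm -rf "$FIXDIR"' EXIT
cat > "$FIXDIR/secrets.enc.yaml" <<'EOF'
hcloud_token: ENC[AES256_GCM,data:AAAAAAAAAAAAAAAAAAAAAA==,iv:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=,tag:CCCCCCCCCCCCCCCCCCCCCC==,type:str]
flynnt_token: ENC[AES256_GCM,data:AAAAAAAAAAAAAAAAAAAAAA==,iv:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=,tag:CCCCCCCCCCCCCCCCCCCCCC==,type:str]
sops:
    age:
        - recipient: age1exampleexampleexampleexampleexampleexampleexampleexampleexample
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            ZmFrZQ==
            -----END AGE ENCRYPTED FILE-----
    mac: ENC[AES256_GCM,data:DDDDDDDD,iv:EEEE,tag:FFFF,type:str]
    version: 3.7.3
EOF
cat > "$FIXDIR/secrets.sample.yaml" <<'EOF'
hcloud_token: <put-hcloud-token-here>
flynnt_token: <put-flynnt-token-here>
EOF
cat > "$FIXDIR/secrets.yaml" <<'EOF'
hcloud_token: not-a-real-token-just-plaintext
flynnt_token: also-plaintext
EOF
# A file with the "encrypted" name that was never actually encrypted
cp "$FIXDIR/secrets.yaml" "$FIXDIR/forgot-to-encrypt-secrets.enc.yaml"

# Demo
check_secrets_files "$FIXDIR/secrets.enc.yaml" "$FIXDIR/secrets.sample.yaml" && echo "encrypted + sample: OK"
check_secrets_files "$FIXDIR/secrets.yaml" "$FIXDIR/forgot-to-encrypt-secrets.enc.yaml" || echo "plaintext files rejected, as intended"
```

To wire this into git, call `check_secrets_files $(git diff --cached --name-only --diff-filter=ACM)` from `.git/hooks/pre-commit`; a non-zero exit aborts the commit. The check is a structural sanity test of what sops emits, not a substitute for reviewing what you stage.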
Now you are ready to deploy Minio.
If you have ArgoCD installed in your cluster, you can simply customize `argocd-applications.yaml` to your needs. ArgoCD needs access to this repository if you want this to work, and because the secrets are decrypted by ksops at render time, the ArgoCD repo-server must also have the age private key available.

```sh
kubectl apply -f argocd-applications.yaml
```

See this repository on how to install ArgoCD to your cluster.
Note: The Hetzner CSI Driver is included in this deployment. If your cluster is not using compute nodes from Hetzner, replace it with the StorageClass of your choice.
This step is optional if you already have a different CSI provider deployed. The kustomize build below automatically decrypts the secret using ksops, which needs the age private key (for example via `SOPS_AGE_KEY` as in the terraform step). This is also exactly how ArgoCD would do it.

```sh
export KUBECONFIG=kubeconfig.yaml
./kustomize build --enable-alpha-plugins --enable-exec applications/hetzner-csi-driver | kubectl apply -f -
```
First, we need the Minio Operator. We use the chart's default values, so there is no separate values.yaml.

```sh
export KUBECONFIG=kubeconfig.yaml
./helm repo add minio https://operator.min.io/
./helm upgrade --install --namespace minio-operator --create-namespace --version 5.0.9 minio-operator minio/operator
```
Now deploy the actual tenant. Customize `applications/minio/values.yaml` and add your Ingress domain and TLS configuration. The sample configuration works for ingress-nginx and cert-manager. The kustomize build applies the tenant credentials (decrypted by ksops) before the tenant chart is installed.

```sh
export KUBECONFIG=kubeconfig.yaml
./kustomize build --enable-alpha-plugins --enable-exec applications/minio | kubectl apply -f -
./helm repo add minio https://operator.min.io/
./helm upgrade --install --values applications/minio/values.yaml --namespace minio-tenant --create-namespace --version 5.0.9 tenant-1 minio/tenant
```
You should now be able to access your Minio Tenant console and buckets through the configured Ingress.
Editing an encrypted secrets file in place (sops decrypts it into your `$EDITOR` and re-encrypts it on save, so the plaintext never touches the working tree):

```sh
SOPS_AGE_KEY=<put-secret-key-here> ./sops -i secrets.enc.yaml
```