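# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/app-template-3.5.1/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
# Flux HelmRelease that deploys a single MinIO server through the bjw-s
# app-template chart. The ${...} placeholders are not resolved in this file;
# they are expected to be substituted before the release is applied.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: minio
  namespace: minio
spec:
  chart:
    spec:
      chart: app-template
      version: 3.5.1
      reconcileStrategy: ChartVersion
      sourceRef:
        kind: HelmRepository
        namespace: flux-system
        name: bjw-s
  interval: 1h
  driftDetection:
    mode: enabled
  values:
    controllers:
      minio:
        strategy: RollingUpdate
        containers:
          app:
            image:
              repository: quay.io/minio/minio
              # The digest pins the exact image content; the tag before the
              # "@" is informational once a digest is present.
              tag: RELEASE.2024-11-07T00-52-20Z@sha256:ac591851803a79aee64bc37f66d77c56b0a4b6e12d9e5356380f4105510f2332
              pullPolicy: IfNotPresent
            env:
              MINIO_SITE_NAME: us-central-1
              MINIO_UPDATE: "off"
              MINIO_DOMAIN: ${s3_url}
              MINIO_SERVER_URL: https://${s3_url}
              MINIO_BROWSER_REDIRECT_URL: https://${app_url}
              MINIO_API_CORS_ALLOW_ORIGIN: https://${app_url},https://${s3_url}
              # Root credentials are disabled for the API; access is expected
              # to go through the OpenID provider configured below.
              MINIO_API_ROOT_ACCESS: "off"
              MINIO_SCANNER_SPEED: slowest
              MINIO_IDENTITY_OPENID_DISPLAY_NAME: Login with Authentik
              MINIO_IDENTITY_OPENID_CONFIG_URL: https://${oidc_host}/application/o/minio/.well-known/openid-configuration
              MINIO_IDENTITY_OPENID_CLIENT_ID: ${oidc_client_id}
              # NOTE(review): the client secret is substituted as a literal
              # value, so it ends up readable in the applied HelmRelease, the
              # stored Helm release values and the pod spec. Prefer sourcing it
              # from a Kubernetes Secret (valueFrom.secretKeyRef) so only the
              # reference appears in these objects.
              MINIO_IDENTITY_OPENID_CLIENT_SECRET: ${oidc_client_secret}
              MINIO_IDENTITY_OPENID_SCOPES: openid,profile,email,minio
              MINIO_PROMETHEUS_JOB_ID: minio
              MINIO_PROMETHEUS_URL: http://kube-prometheus-stack-prometheus.prometheus:9090
              # "public" turns off authentication on the metrics endpoints of
              # the S3 port. Anything that can reach port 9000 can read them,
              # so the ingress deny rules below and the pod's network policy
              # are the only access controls on metrics.
              MINIO_PROMETHEUS_AUTH_TYPE: public
            args:
              - server
              - /data
              - --console-address=:9001
            probes:
              liveness: &probe
                enabled: true
                type: HTTP
                path: /minio/health/live
              readiness: *probe
              startup:
                # Same HTTP check as liveness, with a longer startup budget
                # (30 failures x 5 s).
                <<: *probe
                spec:
                  failureThreshold: 30
                  periodSeconds: 5
            securityContext:
              readOnlyRootFilesystem: true
              # The server listens on unprivileged ports as UID 1000, so it
              # needs no added capabilities or privilege escalation.
              allowPrivilegeEscalation: false
              capabilities:
                drop:
                  - ALL
        pod:
          labels:
            policy.gabe565.com/egress-authentik: "true"
            policy.gabe565.com/egress-prometheus: "true"
            policy.gabe565.com/egress-world: "true"
            policy.gabe565.com/ingress-ingress: "true"
            policy.gabe565.com/ingress-prometheus: "true"
          securityContext:
            # Make the non-root requirement explicit instead of relying only
            # on the UID below.
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
            fsGroup: 1000
            fsGroupChangePolicy: OnRootMismatch
    persistence:
      data:
        enabled: true
        storageClass: longhorn-ssd
        accessMode: ReadWriteMany
        size: 8Gi
        retain: true
    service:
      minio:
        controller: minio
        ports:
          # Console UI (matches --console-address above).
          http:
            primary: true
            port: 9001
          # S3 API; also serves the health and metrics endpoints.
          s3:
            port: 9000
    ingress:
      minio:
        enabled: true
        annotations:
          nginx.ingress.kubernetes.io/custom-http-errors: "501,502,503,504"
          nginx.ingress.kubernetes.io/proxy-body-size: 64m
          # Metrics are unauthenticated (MINIO_PROMETHEUS_AUTH_TYPE: public),
          # so every metrics route is denied at the ingress, not only the
          # cluster endpoint: the other v2 endpoints (node, bucket, resource),
          # the v3 endpoint and the legacy endpoint would otherwise stay
          # reachable from outside. In-cluster scraping through the Service is
          # unaffected.
          # NOTE(review): server-snippet only takes effect when snippet
          # annotations are allowed on the ingress-nginx controller; confirm
          # that setting, otherwise these deny rules are not applied.
          # language=nginx configuration
          nginx.ingress.kubernetes.io/server-snippet: |
            location /minio/v2/metrics/ {
              return 403;
            }
            location /minio/metrics/v3 {
              return 403;
            }
            location /minio/prometheus/metrics {
              return 403;
            }
        hosts:
          - host: ${app_url}
            paths:
              - path: /
                service:
                  identifier: minio
                  port: http
          - host: ${s3_url}
            paths:
              - path: /
                service:
                  identifier: minio
                  port: s3
          # Wildcard host for virtual-host-style bucket addressing
          # (MINIO_DOMAIN is set to the same base name).
          - host: "*.${s3_url}"
            paths:
              - path: /
                service:
                  identifier: minio
                  port: s3
        tls:
          - secretName: ${app_certificate_name}
            hosts:
              - ${app_url}
          - secretName: ${s3_certificate_name}
            hosts:
              - ${s3_url}
              - "*.${s3_url}"
    serviceMonitor:
      main:
        enabled: true
        serviceName: minio
        endpoints:
          # Scraped over plain HTTP inside the cluster, without credentials.
          - port: s3
            scheme: http
            path: /minio/v2/metrics/cluster
            interval: 1m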