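# Helm values for the MinIO chart. The `{{ .Env.* }}` placeholders are
# substituted from environment variables by the rendering step before Helm
# parses the file, so every templated scalar is quoted: an unset variable then
# yields "" instead of null, a digit-only value (e.g. a storage size) stays a
# string, and the raw template remains valid YAML for linting.

# Single-server deployment: no erasure coding, so no redundancy against drive loss.
mode: standalone

# NOTE(review): in the MinIO chart `clusterDomain` is the in-cluster DNS suffix
# (default `cluster.local`), not the public hostname — confirm this is intended.
clusterDomain: "{{ .Env.MINIO_HOST }}"

# Root credentials come from a pre-created Secret; nothing is stored in this file.
existingSecret: "minio"

# OpenID Connect login against Keycloak. The client id and secret are read from
# the Secret named below rather than written here.
oidc:
  enabled: true
  configUrl: "https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}/.well-known/openid-configuration"
  existingClientSecretName: "minio-oidc"
  existingClientIdKey: "clientId"
  existingClientSecretKey: "clientSecret"
  # Token claim that carries the MinIO policy name(s) to apply to the user.
  claimName: "minioPolicy"
  scopes: "openid,profile,email"
  redirectUri: "https://{{ .Env.MINIO_CONSOLE_HOST }}/oauth_callback"
  displayName: "Login with Keycloak"

persistence:
  # Quoted so a bare number (e.g. 10) is not re-typed as an int.
  size: "{{ .Env.MINIO_STORAGE_SIZE }}"

# S3 API endpoint.
ingress:
  enabled: true
  ingressClassName: traefik
  annotations:
    # Legacy class selector (deprecated since Kubernetes 1.18); kept alongside
    # ingressClassName for Traefik versions that still read the annotation.
    kubernetes.io/ingress.class: traefik
    # Route only via the TLS entrypoint (`websecure` is Traefik's conventional
    # HTTPS entrypoint name; confirm it matches the Traefik static config).
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
  hosts:
    - "{{ .Env.MINIO_HOST }}"
  # No secretName: Traefik falls back to its default certificate / resolver
  # for this host — TODO confirm a trusted certificate is served.
  tls:
    - hosts:
        - "{{ .Env.MINIO_HOST }}"

# Web console endpoint; same ingress shape as the API above.
consoleIngress:
  enabled: true
  ingressClassName: traefik
  annotations:
    # Legacy class selector (deprecated since Kubernetes 1.18); kept alongside
    # ingressClassName for Traefik versions that still read the annotation.
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
  hosts:
    - "{{ .Env.MINIO_CONSOLE_HOST }}"
  # No secretName: Traefik falls back to its default certificate / resolver
  # for this host — TODO confirm a trusted certificate is served.
  tls:
    - hosts:
        - "{{ .Env.MINIO_CONSOLE_HOST }}"

# Resource configuration based on Goldilocks/VPA recommendations (rounded to clean values)
resources:
  requests:
    cpu: 50m
    memory: 512Mi
  limits:
    cpu: 100m
    memory: 1Gi

# Security context for Pod Security Standards (restricted)
# NOTE(review): whether the `seccompProfile` and `capabilities` maps below reach
# the rendered manifests depends on the chart version passing them through
# verbatim — verify with `helm template` before relying on them.
securityContext:
  enabled: true
  runAsUser: 1000
  runAsGroup: 1000
  fsGroup: 1000
  # Only chown the volume when its root ownership differs, avoiding a full
  # recursive chown of the data volume on every start.
  fsGroupChangePolicy: "OnRootMismatch"
  seccompProfile:
    type: RuntimeDefault

# Container-level hardening for the MinIO container.
containerSecurityContext:
  # Left writable: "restricted" does not require it, but a read-only root with
  # an emptyDir for the paths MinIO writes to would be a further hardening
  # step — TODO confirm which paths MinIO needs writable.
  readOnlyRootFilesystem: false
  allowPrivilegeEscalation: false
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
  seccompProfile:
    type: RuntimeDefault
  capabilities:
    drop:
      - ALL

# Security context for init jobs
# The one-shot user and policy creation jobs get the same pod- and
# container-level hardening as the server itself.
makeUserJob:
  securityContext:
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
    fsGroupChangePolicy: "OnRootMismatch"
    seccompProfile:
      type: RuntimeDefault
  containerSecurityContext:
    readOnlyRootFilesystem: false
    allowPrivilegeEscalation: false
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      drop:
        - ALL

makePolicyJob:
  securityContext:
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
    fsGroupChangePolicy: "OnRootMismatch"
    seccompProfile:
      type: RuntimeDefault
  containerSecurityContext:
    readOnlyRootFilesystem: false
    allowPrivilegeEscalation: false
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      drop:
        - ALL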