baschno/buun-stack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
50b0094e8622272da1dbe9c5cda70aeb06c9c567
buun-stack/minio/minio-values.gomplate.yaml
Masaki Yatsu a8599b66f4 fix(minio): fix OIDC and add public access recipes
2025-12-10 13:26:41 +09:00

118 lines
2.6 KiB
YAML
Raw Blame History

mode: standalone
clusterDomain: {{ .Env.MINIO_HOST }}
existingSecret: "minio"
oidc:
enabled: true
configUrl: "https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}/.well-known/openid-configuration"
existingClientSecretName: "minio-oidc"
existingClientIdKey: "clientId"
existingClientSecretKey: "clientSecret"
claimName: "minioPolicy"
scopes: "openid,profile,email"
redirectUri: "https://{{ .Env.MINIO_CONSOLE_HOST }}/oauth_callback"
displayName: "Login with Keycloak"
persistence:
size: {{ .Env.MINIO_STORAGE_SIZE }}
ingress:
enabled: true
ingressClassName: traefik
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
hosts:
- {{ .Env.MINIO_HOST }}
tls:
- hosts:
- {{ .Env.MINIO_HOST }}
consoleIngress:
enabled: true
ingressClassName: traefik
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
hosts:
- {{ .Env.MINIO_CONSOLE_HOST }}
tls:
- hosts:
- {{ .Env.MINIO_CONSOLE_HOST }}
# Resource configuration based on Goldilocks/VPA recommendations (rounded to clean values)
resources:
requests:
cpu: 50m
memory: 512Mi
limits:
cpu: 100m
memory: 1Gi
# Security context for Pod Security Standards (restricted)
securityContext:
enabled: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
seccompProfile:
type: RuntimeDefault
containerSecurityContext:
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
# Security context for init jobs
makeUserJob:
securityContext:
enabled: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
seccompProfile:
type: RuntimeDefault
containerSecurityContext:
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
makePolicyJob:
securityContext:
enabled: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
seccompProfile:
type: RuntimeDefault
containerSecurityContext:
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
Reference in New Issue View Git Blame Copy Permalink