From 370646a4553d369dcec45a48a02707ac297b696c Mon Sep 17 00:00:00 2001 From: Dheeraj Date: Fri, 29 Nov 2024 18:54:31 +0530 Subject: [PATCH 1/4] feat: add minio to nerc-ocp-obs cluster Signed-off-by: Dheeraj
---
.../overlays/nerc-ocp-obs/kustomization.yaml | 1 + .../patch-minio-admin-credentials.yaml | 9 +++++++++ minio/overlays/nerc-ocp-obs/files/minio-config.env | 11 +++++++++++ minio/overlays/nerc-ocp-obs/kustomization.yaml | 13 +++++++++++++ 4 files changed, 34 insertions(+) create mode 100644 minio/overlays/nerc-ocp-obs/externalsecrets/patch-minio-admin-credentials.yaml create mode 100644 minio/overlays/nerc-ocp-obs/files/minio-config.env create mode 100644 minio/overlays/nerc-ocp-obs/kustomization.yaml
diff --git a/cluster-scope/overlays/nerc-ocp-obs/kustomization.yaml b/cluster-scope/overlays/nerc-ocp-obs/kustomization.yaml
index 6f7bcb57..2a1a7384 100644
--- a/cluster-scope/overlays/nerc-ocp-obs/kustomization.yaml
+++ b/cluster-scope/overlays/nerc-ocp-obs/kustomization.yaml
@@ -15,6 +15,7 @@ resources:
 - ../../bundles/prom-keycloak-proxy
 - ../../bundles/zookeeper
 - ../../bundles/solr
+- ../../bundles/minio
 - ../../base/core/namespaces/openshift-gitops
 - ../../base/core/namespaces/dex
 - ../../base/rbac.authorization.k8s.io/clusterroles/allow-edit-rbac
diff --git a/minio/overlays/nerc-ocp-obs/externalsecrets/patch-minio-admin-credentials.yaml b/minio/overlays/nerc-ocp-obs/externalsecrets/patch-minio-admin-credentials.yaml
new file mode 100644
index 00000000..cf2bdfd0
--- /dev/null
+++ b/minio/overlays/nerc-ocp-obs/externalsecrets/patch-minio-admin-credentials.yaml
@@ -0,0 +1,9 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: minio-admin-credentials
+ namespace: minio
+spec:
+ dataFrom:
+ - extract:
+ key: nerc/nerc-ocp-obs/minio/minio-admin-credentials
diff --git a/minio/overlays/nerc-ocp-obs/files/minio-config.env b/minio/overlays/nerc-ocp-obs/files/minio-config.env
new file mode 100644
index 00000000..01836ade
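Review bot: The `key: nerc/nerc-ocp-obs/minio/minio-admin-credentials` path in the new `patch-minio-admin-credentials.yaml` carries a `nerc/` prefix that the dex ExternalSecrets touched later in this series (`nerc-ocp-obs/dex/dex-clients`) do not, and patch 4/4 points both at the same `nerc-cluster-secrets` store while leaving this key as it is. If the prefix is not intended, the secret will not sync, and MinIO falls back to its well-known default root credentials when none are supplied; whether the pod would start in that state depends on how the base references the secret, which is not visible here (the base does mark its `configMapRef` as `optional: true`). I would align the path with the dex entries, or add a comment above `key:` such as `# path is relative to the nerc-cluster-secrets mount; the leading nerc/ is intentional`.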
--- /dev/null
+++ b/minio/overlays/nerc-ocp-obs/files/minio-config.env
@@ -0,0 +1,11 @@
+# Documentation: https://min.io/docs/minio/linux/reference/minio-server/settings/iam/openid.html
+
+MINIO_IDENTITY_OPENID_CONFIG_URL=https://dex-dex.apps.ocp-obs.nerc.mghpcc.org/.well-known/openid-configuration
+MINIO_IDENTITY_OPENID_CLIENT_ID=minio
+MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC=on
+
+# This tells minio to look up policy names in the "groups" claim (so e.g. if
+# someone in the "nerc-ops" group logs in, minio will look for a "nerc-ops"
+# policy to apply). A person cannot log in if there is no policy matches any of
+# the claim values.
+MINIO_IDENTITY_OPENID_CLAIM_NAME=groups
diff --git a/minio/overlays/nerc-ocp-obs/kustomization.yaml b/minio/overlays/nerc-ocp-obs/kustomization.yaml
new file mode 100644
index 00000000..c6f30db1
--- /dev/null
+++ b/minio/overlays/nerc-ocp-obs/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+configMapGenerator:
+- name: minio-config
+ namespace: minio
+ envs:
+ - files/minio-config.env
+
+patches:
+ - path: externalsecrets/patch-minio-admin-credentials.yaml
From 42f0c5a819036f27c7f53966482ea0619b2a9e5b Mon Sep 17 00:00:00 2001 From: Dheeraj Date: Tue, 3 Dec 2024 14:43:23 +0530 Subject: [PATCH 2/4] feat: add pvc patch of 20 Ti storage for MinIO Signed-off-by: Dheeraj
---
minio/overlays/nerc-ocp-obs/kustomization.yaml | 1 + .../nerc-ocp-obs/persistentvolumeclaims/patch-pvc.yaml | 8 ++++++++ 2 files changed, 9 insertions(+) create mode 100644 minio/overlays/nerc-ocp-obs/persistentvolumeclaims/patch-pvc.yaml
diff --git a/minio/overlays/nerc-ocp-obs/kustomization.yaml b/minio/overlays/nerc-ocp-obs/kustomization.yaml
index c6f30db1..59f1790b 100644
--- a/minio/overlays/nerc-ocp-obs/kustomization.yaml
+++ b/minio/overlays/nerc-ocp-obs/kustomization.yaml
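Review bot: `MINIO_IDENTITY_OPENID_CLAIM_NAME=groups` in `minio-config.env` makes every group name in the Dex token a candidate MinIO policy name, and the comment block above it does not say which policies are expected to exist or that MinIO's built-in policies (for example `consoleAdmin`) are matched the same way. A group that happens to share a name with a built-in policy would receive that policy, so creating groups in the upstream identity provider becomes an authorization decision for MinIO; the comment should list the intended group-to-policy pairs. Separately, `MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC=on` takes the redirect URI from the request's Host header as far as I know, which leaves the `redirectURIs` registered for the `minio` client in Dex as the only allowlist. A one-line comment such as `# redirect URI follows the request Host; Dex's registered redirectURIs are the allowlist` would record that dependency.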
@@ -11,3 +11,4 @@ configMapGenerator:
 patches:
 - path: externalsecrets/patch-minio-admin-credentials.yaml
+ - path: persistentvolumeclaims/patch-pvc.yaml
diff --git a/minio/overlays/nerc-ocp-obs/persistentvolumeclaims/patch-pvc.yaml b/minio/overlays/nerc-ocp-obs/persistentvolumeclaims/patch-pvc.yaml
new file mode 100644
index 00000000..093d769a
--- /dev/null
+++ b/minio/overlays/nerc-ocp-obs/persistentvolumeclaims/patch-pvc.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: minio-data
+spec:
+ resources:
+ requests:
+ storage: 20Ti
From 3730bb915dd431c7771586c5f4d27abfb7ea21bb Mon Sep 17 00:00:00 2001 From: Dheeraj Date: Wed, 4 Dec 2024 11:32:46 +0530 Subject: [PATCH 3/4] feat: add staticClients of ai-tel and minio, for dex Signed-off-by: Dheeraj
---
.../nerc-ocp-obs/configmaps/files/config.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+)
diff --git a/dex/overlays/nerc-ocp-obs/configmaps/files/config.yaml b/dex/overlays/nerc-ocp-obs/configmaps/files/config.yaml
index 28ca50c4..315456d9 100644
--- a/dex/overlays/nerc-ocp-obs/configmaps/files/config.yaml
+++ b/dex/overlays/nerc-ocp-obs/configmaps/files/config.yaml
@@ -21,6 +21,17 @@ staticClients:
 redirectURIs:
 - https://grafana.apps.obs.nerc.mghpcc.org/login/generic_oauth
 secretEnv: GRAFANA_SECRET
+ - id: minio
+ name: MinIO
+ redirectURIs:
+ - https://minio-console-minio.apps.obs.nerc.mghpcc.org/oauth_callback
+ - https://minio-minio.apps.obs.nerc.mghpcc.org/oauth_callback
+ secretEnv: MINIO_IDENTITY_OPENID_CLIENT_SECRET
+ - id: ai-telemetry
+ name: AI Telemetry
+ redirectURIs:
+ - https://keycloak.apps.obs.nerc.mghpcc.org/realms/NERC/broker/OpenShift/endpoint
+ secretEnv: AI_TELEMETRY_AUTH_SECRET
 connectors:
 - type: openshift
From 19a507375ee6e533014274976be1542b83231fd4 Mon Sep 17 00:00:00 2001 From: Dheeraj Date: Thu, 5 Dec 2024 01:14:00 +0530 Subject: [PATCH 4/4] fix: update minio config url Fixes nerc-project/operations#848 Fixes SecretStore issue
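Review bot: The two new `staticClients` entries in the dex `config.yaml` read their secrets from `MINIO_IDENTITY_OPENID_CLIENT_SECRET` and `AI_TELEMETRY_AUTH_SECRET`, but nothing in this series shows those keys being added to the secret that presumably feeds Dex's environment (`nerc-ocp-obs/dex/dex-clients`). As far as I know Dex resolves `secretEnv` with a plain environment lookup, so a missing variable could leave a confidential client registered with an empty secret instead of failing at startup; confirm both keys exist in the store before this syncs. The `minio` client also registers `https://minio-minio.apps.obs.nerc.mghpcc.org/oauth_callback`; if only the console route performs the login redirect, dropping that entry keeps the redirect allowlist minimal. The `staticClients` list begins above this hunk.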
Signed-off-by: Dheeraj
---
.../nerc-ocp-infra/externalsecrets/dex-clients_patch.yaml | 3 +++ .../nerc-ocp-obs/externalsecrets/dex-clients_patch.yaml | 3 +++ minio/base/deployment.yaml | 2 +- .../externalsecrets/patch-minio-admin-credentials.yaml | 3 +++ minio/overlays/nerc-ocp-obs/files/minio-config.env | 2 +- 5 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/dex/overlays/nerc-ocp-infra/externalsecrets/dex-clients_patch.yaml b/dex/overlays/nerc-ocp-infra/externalsecrets/dex-clients_patch.yaml
index 89c50c12..3c78bab0 100644
--- a/dex/overlays/nerc-ocp-infra/externalsecrets/dex-clients_patch.yaml
+++ b/dex/overlays/nerc-ocp-infra/externalsecrets/dex-clients_patch.yaml
@@ -3,6 +3,9 @@ kind: ExternalSecret
 metadata:
 name: dex-clients
 spec:
+ secretStoreRef:
+ name: nerc-cluster-secrets
+ kind: ClusterSecretStore
 dataFrom:
 - extract:
 key: nerc-ocp-infra/dex/dex-clients
diff --git a/dex/overlays/nerc-ocp-obs/externalsecrets/dex-clients_patch.yaml b/dex/overlays/nerc-ocp-obs/externalsecrets/dex-clients_patch.yaml
index c294f322..1f787f84 100644
--- a/dex/overlays/nerc-ocp-obs/externalsecrets/dex-clients_patch.yaml
+++ b/dex/overlays/nerc-ocp-obs/externalsecrets/dex-clients_patch.yaml
@@ -3,6 +3,9 @@ kind: ExternalSecret
 metadata:
 name: dex-clients
 spec:
+ secretStoreRef:
+ name: nerc-cluster-secrets
+ kind: ClusterSecretStore
 dataFrom:
 - extract:
 key: nerc-ocp-obs/dex/dex-clients
diff --git a/minio/base/deployment.yaml b/minio/base/deployment.yaml
index c420f598..94babb15 100644
--- a/minio/base/deployment.yaml
+++ b/minio/base/deployment.yaml
@@ -16,7 +16,7 @@ spec:
 - configMapRef:
 name: minio-config
 optional: true
- image: docker.io/minio/minio:RELEASE.2024-11-07T00-52-20Z
+ image: quay.io/minio/minio:RELEASE.2024-11-07T00-52-20Z
 ports:
 - containerPort: 9000
 name: object-storage
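Review bot: The `image:` line in `minio/base/deployment.yaml` moves to a different registry while still referencing the mutable tag `RELEASE.2024-11-07T00-52-20Z`, so nothing ties the image pulled from quay.io to the one previously pulled from docker.io. Pinning by digest, `image: quay.io/minio/minio:RELEASE.2024-11-07T00-52-20Z@sha256:<digest>` (with `<digest>` a placeholder for the verified value), would make the switch checkable and stop a later re-tag from changing what runs. This is also a change to the base, so it reaches every overlay and not only nerc-ocp-obs, which the commit subject ("update minio config url") does not mention. The container spec continues outside the hunk.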
diff --git a/minio/overlays/nerc-ocp-obs/externalsecrets/patch-minio-admin-credentials.yaml b/minio/overlays/nerc-ocp-obs/externalsecrets/patch-minio-admin-credentials.yaml
index cf2bdfd0..ea9041b0 100644
--- a/minio/overlays/nerc-ocp-obs/externalsecrets/patch-minio-admin-credentials.yaml
+++ b/minio/overlays/nerc-ocp-obs/externalsecrets/patch-minio-admin-credentials.yaml
@@ -4,6 +4,9 @@ metadata:
 name: minio-admin-credentials
 namespace: minio
 spec:
+ secretStoreRef:
+ name: nerc-cluster-secrets
+ kind: ClusterSecretStore
 dataFrom:
 - extract:
 key: nerc/nerc-ocp-obs/minio/minio-admin-credentials
diff --git a/minio/overlays/nerc-ocp-obs/files/minio-config.env b/minio/overlays/nerc-ocp-obs/files/minio-config.env
index 01836ade..4038f940 100644
--- a/minio/overlays/nerc-ocp-obs/files/minio-config.env
+++ b/minio/overlays/nerc-ocp-obs/files/minio-config.env
@@ -1,6 +1,6 @@
 # Documentation: https://min.io/docs/minio/linux/reference/minio-server/settings/iam/openid.html
-MINIO_IDENTITY_OPENID_CONFIG_URL=https://dex-dex.apps.ocp-obs.nerc.mghpcc.org/.well-known/openid-configuration
+MINIO_IDENTITY_OPENID_CONFIG_URL=https://dex-dex.apps.obs.nerc.mghpcc.org/.well-known/openid-configuration
 MINIO_IDENTITY_OPENID_CLIENT_ID=minio
 MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC=on