feat: add minio to nerc-ocp-obs cluster

Signed-off-by: Dheeraj<[email protected]>

cluster-scope/overlays/nerc-ocp-obs/kustomization.yaml

@@ -15,6 +15,7 @@ resources:
 - ../../bundles/prom-keycloak-proxy
 - ../../bundles/zookeeper
 - ../../bundles/solr
+- ../../bundles/minio
 - ../../base/core/namespaces/openshift-gitops
 - ../../base/core/namespaces/dex
 - ../../base/rbac.authorization.k8s.io/clusterroles/allow-edit-rbac

minio/overlays/nerc-ocp-obs/externalsecrets/patch-minio-admin-credentials.yaml

@@ -0,0 +1,9 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: minio-admin-credentials
+  namespace: minio
+spec:
+  dataFrom:
+    - extract:
+        key: nerc/nerc-ocp-obs/minio/minio-admin-credentials

minio/overlays/nerc-ocp-obs/files/minio-config.env

@@ -0,0 +1,11 @@
+# Documentation: https://min.io/docs/minio/linux/reference/minio-server/settings/iam/openid.html
+
+MINIO_IDENTITY_OPENID_CONFIG_URL=https://dex-dex.apps.ocp-obs.nerc.mghpcc.org/.well-known/openid-configuration
+MINIO_IDENTITY_OPENID_CLIENT_ID=minio
+MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC=on
+
+# This tells minio to look up policy names in the "groups" claim (so e.g. if
+# someone in the "nerc-ops" group logs in, minio will look for a "nerc-ops"
+# policy to apply). A person cannot log in if there is no policy matches any of
+# the claim values.
+MINIO_IDENTITY_OPENID_CLAIM_NAME=groups

minio/overlays/nerc-ocp-obs/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+configMapGenerator:
+- name: minio-config
+  namespace: minio
+  envs:
+  - files/minio-config.env
+
+patches:
+  - path: externalsecrets/patch-minio-admin-credentials.yaml