---
# Instance name. Other values in this file interpolate it through
# [[ .instance ]] (Vault paths, root user name, volume name, mesh upstream).
instance: minio
vault:

  # Vault PKI mount used for this MinIO instance. The path embeds the
  # instance name, so each instance points at its own mount.
  pki:
    path: '[[ .vault.root ]]pki/[[ .instance ]]'
    ou: S3 Storage

  # Secrets to generate randomly. root_pwd is the field that
  # MINIO_ROOT_PASSWORD reads back from Vault at
  # kv/service/<instance>.
  # NOTE(review): presumably the generator writes to that same KV path;
  # confirm against the tooling that consumes rand_secrets.
  rand_secrets:
    fields:
      - root_pwd
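minio:

  server:
    # Number of nodes in the cluster. This can only be set when the cluster
    # is initialized: once initialized, the number cannot be changed
    # (up or down).
    count: 1

    # Version of MinIO
    version: 2025-04-22T22-12-26Z

    # Docker image to use
    image: '[[ .docker.repo ]]minio:[[ .minio.server.version ]]-1'

    # Resource allocation
    resources:
      cpu: 200
      memory: 1024
      memory_max: 1200

    nomad:
      # Ensure all nodes run on distinct hosts.
      # It should already be the case as a static port is allocated,
      # but better be explicit.
      constraints:
        - operator: distinct_hosts
          value: true
      # Disable progressive deployments, as MinIO requires all nodes to
      # restart at the same time.
      update:
        max_parallel: 0

    # Custom env vars to set in the containers
    env:
      # The root user name is the instance name, so it is not a secret:
      # the root account is protected by the password alone.
      MINIO_ROOT_USER: '[[ .instance ]]'
      # The {{ ... }} expression uses different delimiters than the
      # [[ ... ]] templates of this file and reads root_pwd from Vault KV.
      # NOTE(review): presumably it is resolved at job runtime, so the
      # password is never written into the rendered job; confirm.
      MINIO_ROOT_PASSWORD: '{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}'
      # Quoted so the value stays the string "on" whatever YAML version
      # the parser implements (a bare on is a boolean in YAML 1.1).
      MINIO_COMPRESSION_ENABLE: 'on'
      # NOTE(review): compressing objects that are also encrypted lets
      # stored object sizes reveal information about their content
      # (compression side channel). MinIO's documentation advises against
      # this combination; confirm the trade-off is intended here.
      MINIO_COMPRESSION_ALLOW_ENCRYPTION: 'on'
      MINIO_ILM_EXPIRY_WORKERS: 2
      MINIO_API_OBJECT_MAX_VERSIONS: 1000

    # NOTE(review): same expression as api.port below; presumably kept for
    # backward compatibility. Confirm before removing either one.
    api_port: 2[[ crypto.SHA1 (printf "%s%s" .instance .consul.suffix) | regexp.Replace "[^\\d]" "" | regexp.Replace "^0*" "" | strings.Trunc 4 ]]

    api:
      # Deterministic port: the literal 2 followed by up to four decimal
      # digits taken from the SHA1 of instance name + consul suffix
      # (non-digits removed, leading zeros stripped). SHA1 only serves to
      # spread port numbers here, it protects nothing.
      port: 2[[ crypto.SHA1 (printf "%s%s" .instance .consul.suffix) | regexp.Replace "[^\\d]" "" | regexp.Replace "^0*" "" | strings.Trunc 4 ]]
      public_url: https://s3.example.org
      traefik:
        # The S3 API is not exposed through Traefik unless this is enabled
        enabled: false
        # If MINIO_DOMAIN is set, vhost style requests are used: the rule
        # then matches any subdomain of MINIO_DOMAIN (dots in the domain
        # are escaped before being placed in the regexp).
        # In both cases, share URLs point to the console address, so they
        # are served by this router and go through the standard API
        # middlewares.
        # /minio/v2/metrics is excluded from this router in both branches.
        rule: |-
          [[- if not (has .minio.server.env "MINIO_DOMAIN") ]]
          (Host(`[[ (urlParse .minio.server.api.public_url).Hostname ]]`) && !PathPrefix(`/minio/v2/metrics`)) || (Host(`[[ (urlParse .minio.server.console.public_url).Hostname ]]`) && PathPrefix(`/api/v1/download-shared-object/`))
          [[- else ]]
          (HostRegexp(`^.+\\.[[ .minio.server.env.MINIO_DOMAIN | replaceAll "." "\\\\." ]]$`) && !PathPrefix(`/minio/v2/metrics`)) || (Host(`[[ (urlParse .minio.server.console.public_url).Hostname ]]`) && PathPrefix(`/api/v1/download-shared-object/`))
          [[- end ]]
        router: s3
        csp: false
        # NOTE(review): ip-trusted@file is defined outside this file;
        # presumably a source IP allow-list. Rate limiting and in-flight
        # request limiting are switched off for this router, so any
        # throttling of S3 API clients has to come from elsewhere.
        middlewares:
          src-ip: ip-trusted@file
          rate-limit: false
          inflight: false

    console:
      public_url: https://s3.example.org/admin
      traefik:
        # The admin console is not exposed through Traefik unless this is
        # enabled
        enabled: false
        router: console
        strip_prefix: false
        # NOTE(review): same ip-trusted@file middleware as the API router;
        # verify that the referenced list is narrow enough for an
        # administration interface.
        middlewares:
          src-ip: ip-trusted@file

    # You can enable metrics exposure through Traefik
    metrics:
      traefik:
        enabled: false
        # Serves the /minio/v2/metrics prefix, which the API router excludes
        rule: 'Host(`[[ (urlParse .minio.server.api.public_url).Hostname ]]`) && PathPrefix(`/minio/v2/metrics`)'
        router: metrics
        csp: false
        # NOTE(review): ip-metrics@file is defined outside this file;
        # presumably it restricts access to the metrics collectors.
        middlewares:
          src-ip: ip-metrics@file

    volumes:
      data:
        source: '[[ .instance ]]-data'
        type: csi
        per_alloc: true
        destination: /data
        # NOTE(review): presumably the uid/gid the MinIO process runs as
        # in the container; confirm against the image.
        owner: 9000
        group: 9000

  # A small nginx proxy is used to multiplex the S3 API and the Console on
  # the same port
  nginx:
    image: '[[ .docker.repo ]][[ .docker.base_images.nginx.image ]]'
    resources:
      cpu: 20
      memory: 32
      memory_max: 128

  # MinIO metrics are only cluster wide, not per instance. So to expose
  # them, a dedicated group with a single task is used: the metrics-proxy.
  # It proxies metrics to one of the MinIO instances through the
  # service mesh, and is seen metrics wise as a single instance.
  metrics:
    consul:
      connect:
        upstreams:
          # The mesh upstream named after the instance is bound locally on
          # port 8000, which is the port the endpoint targets below use
          '[[ .instance ]]':
            local_bind_port: 8000
    metrics:
      # metrics-proxy needs to be the main task, and not just a sidecar
      # (else it'd be terminated)
      proxy_is_main_task: true
      endpoints:
        minio-bucket:
          path: /bucket
          target: http://127.0.0.1:8000/minio/v2/metrics/bucket
          proxy_options:
            proxy_http_version: 1.1
        minio-cluster:
          path: /cluster
          target: http://127.0.0.1:8000/minio/v2/metrics/cluster
          proxy_options:
            proxy_http_version: 1.1
        minio-resource:
          path: /resource
          target: http://127.0.0.1:8000/minio/v2/metrics/resource
          proxy_options:
            proxy_http_version: 1.1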