Add minio and setup backups

- Fix pgdump backups by adding needed secret
- Ensure nested kustomizations grab pgdump and minio

namespaces/core/core-secrets.yaml

@@ -1,7 +1,7 @@
 apiVersion: secrets.infisical.com/v1alpha1
 kind: InfisicalSecret
 metadata:
-  name: core-postgres-secrets
+  name: core-secrets
   namespace: infisical
   labels:
     label-to-be-passed-to-managed-secret: homelab
@@ -16,12 +16,12 @@ spec:
       secretsScope:
         projectSlug: homelab-n-f-yj
         envSlug: prod
-        secretsPath: "/core/postgres" # Root is "/"
+        secretsPath: "/core" # Root is "/"
         recursive: true # Whether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
       credentialsRef:
         secretName: universal-auth-credentials
         secretNamespace: infisical
   managedSecretReference:
-    secretName: postgres-secrets
+    secretName: core-secrets
     secretNamespace: core
     creationPolicy: "Orphan" ## Owner | Orphan

namespaces/core/kustomization.yaml

@@ -3,7 +3,10 @@ kind: Kustomization
 
 resources:
   - namespace.yaml
+  - core-secrets.yaml
   - postgres/
   - redis/
   - tika/
   - gotenburg/
+  - pgdump/
+  - minio/

namespaces/core/minio/extras/server-route.yaml

@@ -0,0 +1,20 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: server-route
+spec:
+  parentRefs:
+    - name: homelab-gateway
+      sectionName: minio
+      kind: Gateway
+      namespace: homelab
+  hostnames:
+    - minio.leechpepin.com
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: minio-server-svc
+          port: 9000

namespaces/core/minio/extras/server-svc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: server-svc
+spec:
+  type: ClusterIP
+  ports:
+    - port: 9000
+      name: minio
+      targetPort: minio
+      protocol: TCP

namespaces/core/minio/kustomization.yaml

@@ -0,0 +1,139 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+transformers:
+  - |-
+    apiVersion: builtin
+    kind: NamespaceTransformer
+    metadata:
+      name: notImportantHere
+      namespace: core
+    unsetOnly: true
+
+namePrefix: minio-
+resources:
+  - ../../../kustomize/statefulset/
+  - extras/server-svc.yaml
+  - extras/server-route.yaml
+
+labels:
+  - includeSelectors: true
+    pairs:
+      app.kubernetes.io/appName: minio
+  - pairs:
+      app.kubernetes.io/appNamespace: core
+
+patches:
+  - path: patches/statefulset.yaml
+    target:
+      kind: StatefulSet
+      name: ss
+
+replacements:
+  - source:
+      kind: StatefulSet
+      name: ss
+      fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
+    targets:
+      - select:
+          kind: InfisicalSecret
+        fieldPaths:
+          - spec.managedSecretReference.secretNamespace
+      - select:
+          kind: InfisicalSecret
+        options:
+          delimiter: "/"
+          index: 1
+        fieldPaths:
+          - spec.authentication.universalAuth.secretsScope.secretsPath
+  - source:
+      kind: StatefulSet
+      name: ss
+      fieldPath: metadata.labels.[app.kubernetes.io/appName]
+    targets:
+      - select:
+          kind: StatefulSet
+        options:
+          delimiter: "-"
+          index: 0
+        fieldPaths:
+          - spec.volumeClaimTemplates.0.metadata.annotations.name
+          - spec.volumeClaimTemplates.0.metadata.name
+          - spec.serviceName
+      - select:
+          kind: InfisicalSecret
+        options:
+          delimiter: "-"
+          index: 0
+        fieldPaths:
+          - spec.managedSecretReference.secretName
+      - select:
+          kind: InfisicalSecret
+        options:
+          delimiter: "/"
+          index: 2
+        fieldPaths:
+          - spec.authentication.universalAuth.secretsScope.secretsPath
+      - select:
+          kind: HTTPRoute
+          name: https
+        options:
+          create: true
+          delimiter: "."
+          index: 0
+        fieldPaths:
+          - spec.hostnames.0
+      - select:
+          kind: HTTPRoute
+          name: http
+        options:
+          create: true
+          delimiter: "."
+          index: 0
+        fieldPaths:
+          - spec.hostnames.0
+  - source:
+      kind: StatefulSet
+      name: ss
+      fieldPath: spec.template.spec.containers.0.ports.0.name
+    targets:
+      - select:
+          kind: Service
+          name: svc
+        fieldPaths:
+          - spec.ports.0.name
+          - spec.ports.0.targetPort
+  - source:
+      kind: Service
+      name: svc
+    targets:
+      - select:
+          kind: HTTPRoute
+          name: http
+        fieldPaths:
+          - spec.rules.0.backendRefs.0.name
+      - select:
+          kind: HTTPRoute
+          name: https
+        fieldPaths:
+          - spec.rules.0.backendRefs.0.name
+  - source:
+      kind: StatefulSet
+      name: ss
+      fieldPath: spec.template.spec.containers.0.ports.0.containerPort
+    targets:
+      - select:
+          kind: Service
+          name: svc
+        fieldPaths:
+          - spec.ports.0.port
+      - select:
+          kind: HTTPRoute
+          name: http
+        fieldPaths:
+          - spec.rules.0.backendRefs.0.port
+      - select:
+          kind: HTTPRoute
+          name: https
+        fieldPaths:
+          - spec.rules.0.backendRefs.0.port

namespaces/core/minio/patches/statefulset.yaml

@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: app
+spec:
+  template:
+    spec:
+      restartPolicy: Always
+      containers:
+        - name: minio
+          image: quay.io/minio/minio:latest
+          command:
+            - /bin/bash
+            - -c
+          args:
+            - minio server /data --console-address ":80"
+          env:
+            - name: MINIO_ROOT_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: minio-secrets
+                  key: ROOT_PASSWORD
+                  optional: false
+            - name: MINIO_ROOT_USER
+              value: minio
+          volumeMounts:
+            - mountPath: /data
+              name: minio-data
+              subPath: "data"
+          ports:
+            - containerPort: 80
+              protocol: TCP
+              name: console
+            - containerPort: 9000
+              protocol: TCP
+              name: minio
+      volumes:
+        - name: minio-data
+          hostPath:
+            path: /data/minio
+            type: DirectoryOrCreate

namespaces/homelab/gateway.yaml

@@ -71,3 +71,17 @@ spec:
       name: forgejo-ssh
       port: 2222
       protocol: TCP
+    - allowedRoutes:
+        namespaces:
+          from: Selector
+          selector:
+            matchLabels:
+              homelab-access: "true"
+      name: minio
+      port: 9000
+      protocol: HTTPS
+      tls:
+        mode: Terminate
+        certificateRefs:
+          - kind: Secret
+            name: wildcard-leechpepin-tls

namespaces/longhorn/longhorn/extras/longhorn-backupjob.yaml

@@ -0,0 +1,13 @@
+apiVersion: longhorn.io/v1beta1
+kind: RecurringJob
+metadata:
+  name: daily-backup
+spec:
+  cron: "0 23 * * *" # Daily at 11pm
+  task: "backup"
+  groups:
+    - default
+  retain: 3 # Keep last 7 backups
+  concurrency: 2
+  labels:
+    type: scheduled-backup

namespaces/longhorn/longhorn/extras/longhorn-private-storageclass.yaml

@@ -10,3 +10,4 @@ parameters:
   dataLocality: "best-effort"
   diskSelector: "private"
   nodeSelector: "private"
+  # recurringJobSelector: '[{"name":"backup-all-volumes","isGroup":true}]'

namespaces/longhorn/longhorn/extras/longhorn-public-storageclass.yaml

@@ -9,3 +9,4 @@ parameters:
   numberOfReplicas: "2"
   dataLocality: "best-effort"
   diskSelector: "public"
+  # recurringJobSelector: '[{"name":"backup-all-volumes","isGroup":true}]'

namespaces/longhorn/longhorn/extras/longhorn-secret.yaml

@@ -0,0 +1,27 @@
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+  name: longhorn-minio-secrets
+  namespace: infisical
+  labels:
+    label-to-be-passed-to-managed-secret: homelab
+  annotations:
+    example.com/annotation-to-be-passed-to-managed-secret: "homelab"
+spec:
+  hostAPI: https://app.infisical.com/api
+  resyncInterval: 10
+  authentication:
+    # Universal Auth
+    universalAuth:
+      secretsScope:
+        projectSlug: homelab-n-f-yj
+        envSlug: prod
+        secretsPath: "/longhorn/longhorn" # Root is "/"
+        recursive: true # Whether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
+      credentialsRef:
+        secretName: universal-auth-credentials
+        secretNamespace: infisical
+  managedSecretReference:
+    secretName: longhorn-minio-secrets
+    secretNamespace: longhorn
+    creationPolicy: "Orphan" ## Owner | Orphan

namespaces/longhorn/longhorn/kustomization.yaml

@@ -15,6 +15,8 @@ resources:
   - ../../../kustomize/helmchart
   - extras/longhorn-public-storageclass.yaml
   - extras/longhorn-private-storageclass.yaml
+  - extras/longhorn-secret.yaml
+  - extras/longhorn-backupjob.yaml
 
 patches:
   - path: patches/chart.yaml

namespaces/traefik/traefik/patches/chart.yaml

@@ -34,6 +34,11 @@ spec:
           default: true
         port: 2222
         exposedPort: 2222
+      minio:
+        expose:
+          default: true
+        port: 9000
+        exposedPort: 9000
     service:
       annotations:
         svccontroller.k3s.cattle.io/tolerations: |