@kairen
Created January 29, 2024 11:48
---
# Identity used by the setup Jobs in this file (each one sets
# serviceAccountName: minio-setup). It has no permissions of its own; they are
# granted by the RoleBinding named minio-setup-edit.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: minio-setup
---
# Binds the built-in "edit" ClusterRole to the minio-setup ServiceAccount,
# scoped to the namespace this manifest is applied to.
# NOTE(review): "edit" is far wider than what the setup Jobs visibly need
# (get/apply Secrets, get Routes, get/wait on the minio Deployment). Any pod
# running as minio-setup can read and change most namespaced resources,
# including every Secret. Consider a dedicated Role limited to those
# resources and verbs, and deleting the binding once the Jobs have completed.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: minio-setup-edit
subjects:
  - kind: ServiceAccount
    name: minio-setup
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
---
# In-cluster Service in front of the MinIO pod. Port 9000 forwards to the
# container port named "api" (S3 endpoint); port 9090 forwards to the console.
# Both ports speak plain HTTP; TLS is only added by the Routes at the router.
kind: Service
apiVersion: v1
metadata:
  name: minio
  labels:
    app: minio
    app.kubernetes.io/component: minio
    app.kubernetes.io/instance: minio
    app.kubernetes.io/name: minio
    app.kubernetes.io/part-of: minio
    component: minio
spec:
  type: ClusterIP
  sessionAffinity: None
  # Must match the pod template labels of the minio Deployment.
  selector:
    app: minio
    app.kubernetes.io/component: minio
    app.kubernetes.io/instance: minio
    app.kubernetes.io/name: minio
    app.kubernetes.io/part-of: minio
    component: minio
  ports:
    - name: api
      port: 9000
      targetPort: api
    - name: console
      port: 9090
      targetPort: 9090
---
# Storage for MinIO's /data directory (mounted by the minio Deployment).
# NOTE(review): "gp3-csi" is a cluster-specific storage class name; confirm it
# exists on the target cluster, and whether it encrypts volumes at rest.
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: minio
  labels:
    app: minio
    app.kubernetes.io/component: minio
    app.kubernetes.io/instance: minio
    app.kubernetes.io/name: minio
    app.kubernetes.io/part-of: minio
    component: minio
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: gp3-csi
  resources:
    requests:
      storage: 75Gi
---
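# Single-replica MinIO server storing its data on the "minio" PVC.
# Root credentials come from the minio-root-user Secret via envFrom, so the
# container cannot start until that Secret exists.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: minio
  labels:
    app: minio
    app.kubernetes.io/component: minio
    app.kubernetes.io/instance: minio
    app.kubernetes.io/name: minio
    app.kubernetes.io/part-of: minio
    component: minio
spec:
  replicas: 1
  selector:
    matchLabels:
      app: minio
      app.kubernetes.io/component: minio
      app.kubernetes.io/instance: minio
      app.kubernetes.io/name: minio
      app.kubernetes.io/part-of: minio
      component: minio
  # Presumably Recreate because the PVC is ReadWriteOnce: the old pod has to
  # release the volume before a replacement can mount it.
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: minio
        app.kubernetes.io/component: minio
        app.kubernetes.io/instance: minio
        app.kubernetes.io/name: minio
        app.kubernetes.io/part-of: minio
        component: minio
    spec:
      # The container only runs "minio server" and does not call the
      # Kubernetes API, so do not mount a service-account token into it.
      automountServiceAccountToken: false
      containers:
        - name: minio
          # NOTE(review): ":latest" is a mutable tag, so a restart can pull a
          # different build than the one that was tested. Pin a release tag or
          # an image digest (e.g. quay.io/minio/minio@sha256:<DIGEST>).
          image: quay.io/minio/minio:latest
          command:
            - /bin/bash
            - -c
          args:
            - minio server /data --console-address :9090
          # Supplies MINIO_ROOT_USER / MINIO_ROOT_PASSWORD.
          envFrom:
            - secretRef:
                name: minio-root-user
          ports:
            - containerPort: 9000
              name: api
              protocol: TCP
            - containerPort: 9090
              name: console
              protocol: TCP
          # Report the pod as ready only once MinIO answers on its
          # unauthenticated health endpoint, so that "condition=available"
          # on the Deployment actually means the S3 API is reachable.
          readinessProbe:
            httpGet:
              path: /minio/health/live
              port: api
            periodSeconds: 10
          # Explicit hardening. On OpenShift the restricted SCC normally
          # enforces these already; stating them keeps the intent visible
          # and makes the pod fail fast if it is ever admitted under a more
          # permissive policy.
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
          resources:
            limits:
              cpu: "1"
              memory: 1Gi
            requests:
              cpu: 250m
              memory: 512Mi
          volumeMounts:
            - mountPath: /data
              name: minio
      volumes:
        - name: minio
          persistentVolumeClaim:
            claimName: minio
        # Declared but not mounted by any container in this manifest.
        - name: empty
          emptyDir: {}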
---
# One-shot Job that publishes two "data connection" Secrets
# (aws-connection-oai-storage and aws-connection-pipeline-artifacts) pointing
# at this MinIO instance through the minio-s3 Route.
#
# Flow of the script: wait for the minio-s3 Route, wait for the
# minio-root-user Secret, read the already base64-encoded credential values
# from that Secret's .data, then apply the two Secrets.
#
# NOTE(review): both connection Secrets carry the MinIO *root* credentials, so
# every workload that is handed a data connection has full administrative
# control of the MinIO instance. Prefer a dedicated MinIO user or access key
# whose policy is limited to the bucket it needs.
# NOTE(review): the two wait loops have no upper bound; if the Route or Secret
# never appears the pod runs forever. spec.activeDeadlineSeconds would bound it.
# NOTE(review): the tools image is referenced by the mutable ":latest" tag.
kind: Job
apiVersion: batch/v1
metadata:
  name: create-ds-connections
spec:
  selector: {}
  template:
    spec:
      serviceAccount: minio-setup
      serviceAccountName: minio-setup
      restartPolicy: Never
      containers:
        - name: create-ds-connections
          image: image-registry.openshift-image-registry.svc:5000/openshift/tools:latest
          imagePullPolicy: IfNotPresent
          command:
            - /bin/bash
          args:
            - -ec
            - |-
              echo -n 'Waiting for minio route'
              while ! oc get route minio-s3 2>/dev/null | grep -qF minio-s3; do
                echo -n .
                sleep 5
              done; echo
              echo -n 'Waiting for minio root user secret'
              while ! oc get secret minio-root-user 2>/dev/null | grep -qF minio-root-user; do
                echo -n .
                sleep 5
              done; echo
              MINIO_ROOT_USER=$(oc get secret minio-root-user -o template --template '{{.data.MINIO_ROOT_USER}}')
              MINIO_ROOT_PASSWORD=$(oc get secret minio-root-user -o template --template '{{.data.MINIO_ROOT_PASSWORD}}')
              MINIO_HOST=https://$(oc get route minio-s3 -o template --template '{{.spec.host}}')
              cat << EOF | oc apply -f-
              apiVersion: v1
              kind: Secret
              metadata:
                annotations:
                  opendatahub.io/connection-type: s3
                  openshift.io/display-name: OAI Storage
                labels:
                  opendatahub.io/dashboard: "true"
                  opendatahub.io/managed: "true"
                name: aws-connection-oai-storage
              data:
                AWS_ACCESS_KEY_ID: ${MINIO_ROOT_USER}
                AWS_SECRET_ACCESS_KEY: ${MINIO_ROOT_PASSWORD}
              stringData:
                AWS_DEFAULT_REGION: ap-southeast-1
                AWS_S3_BUCKET: oai-storage
                AWS_S3_ENDPOINT: ${MINIO_HOST}
              type: Opaque
              EOF
              cat << EOF | oc apply -f-
              apiVersion: v1
              kind: Secret
              metadata:
                annotations:
                  opendatahub.io/connection-type: s3
                  openshift.io/display-name: Pipeline Artifacts
                labels:
                  opendatahub.io/dashboard: "true"
                  opendatahub.io/managed: "true"
                name: aws-connection-pipeline-artifacts
              data:
                AWS_ACCESS_KEY_ID: ${MINIO_ROOT_USER}
                AWS_SECRET_ACCESS_KEY: ${MINIO_ROOT_PASSWORD}
              stringData:
                AWS_DEFAULT_REGION: ap-southeast-1
                AWS_S3_BUCKET: pipeline-artifacts
                AWS_S3_ENDPOINT: ${MINIO_HOST}
              type: Opaque
              EOF
---
# One-shot Job that creates the "pipeline-artifacts" and "oai-storage" buckets
# if they do not exist yet.
#
# The init container blocks until the minio-root-user Secret and the minio
# Deployment exist, waits up to 60s for the Deployment to become available,
# then sleeps 10s. The main container talks to MinIO with boto3, using the
# root credentials injected from the Secret via envFrom.
#
# NOTE(review): the client connects to http://minio:9000, i.e. the root
# credentials cross the cluster network without TLS (the Routes in this file
# only terminate TLS at the router).
# NOTE(review): the first command prints the Secret's summary line to the pod
# log; with -e it also aborts the script when the Secret is not readable.
kind: Job
apiVersion: batch/v1
metadata:
  name: create-minio-buckets
  labels:
    app.kubernetes.io/component: minio
    app.kubernetes.io/instance: minio
    app.kubernetes.io/name: minio
    app.kubernetes.io/part-of: minio
    component: minio
spec:
  selector: {}
  template:
    metadata:
      labels:
        app.kubernetes.io/component: minio
        app.kubernetes.io/instance: minio
        app.kubernetes.io/name: minio
        app.kubernetes.io/part-of: minio
        component: minio
    spec:
      serviceAccount: minio-setup
      serviceAccountName: minio-setup
      restartPolicy: Never
      initContainers:
        - name: wait-for-minio
          image: image-registry.openshift-image-registry.svc:5000/openshift/tools:latest
          imagePullPolicy: IfNotPresent
          command:
            - /bin/bash
          args:
            - -ec
            - |-
              echo -n 'Waiting for minio root user secret'
              while ! oc get secret minio-root-user 2>/dev/null | grep -qF minio-root-user; do
                echo -n .
                sleep 5
              done; echo
              echo -n 'Waiting for minio deployment'
              while ! oc get deployment minio 2>/dev/null | grep -qF minio; do
                echo -n .
                sleep 5
              done; echo
              oc wait --for=condition=available --timeout=60s deployment/minio
              sleep 10
      containers:
        - name: create-buckets
          image: image-registry.openshift-image-registry.svc:5000/redhat-ods-applications/tensorflow:2023.2
          imagePullPolicy: IfNotPresent
          # Provides MINIO_ROOT_USER / MINIO_ROOT_PASSWORD to the Python snippet.
          envFrom:
            - secretRef:
                name: minio-root-user
          command:
            - /bin/bash
          args:
            - -ec
            - |-
              oc get secret minio-root-user
              cat << 'EOF' | python3
              import boto3, os
              s3 = boto3.client("s3",
                                endpoint_url="http://minio:9000",
                                aws_access_key_id=os.getenv("MINIO_ROOT_USER"),
                                aws_secret_access_key=os.getenv("MINIO_ROOT_PASSWORD"))
              bucket = 'pipeline-artifacts'
              print('creating pipeline-artifacts bucket')
              if bucket not in [bu["Name"] for bu in s3.list_buckets()["Buckets"]]:
                s3.create_bucket(Bucket=bucket)
              bucket = 'oai-storage'
              print('creating oai-storage bucket')
              if bucket not in [bu["Name"] for bu in s3.list_buckets()["Buckets"]]:
                s3.create_bucket(Bucket=bucket)
              EOF
---
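# One-shot Job that creates the minio-root-user Secret unless it already
# exists. The user name defaults to "admin" and the password to 32 characters
# drawn from /dev/urandom; both can be overridden through the env entries.
#
# Changes compared with templating the values straight into stringData:
#  * The values are base64-encoded and written, quoted, under "data". A
#    supplied password containing YAML-significant text (" #", ": ", quotes,
#    leading/trailing blanks, number-like strings) is therefore stored exactly
#    as given instead of being truncated, retyped or breaking the manifest.
#  * "oc create" replaces "oc apply": it refuses to overwrite a Secret created
#    concurrently (which would desynchronise the password from a running
#    MinIO), and it does not copy the submitted manifest into the
#    last-applied-configuration annotation. If create loses that race the
#    attempt fails and the next retry exits through the "already exists" path.
apiVersion: batch/v1
kind: Job
metadata:
  name: create-minio-root-user
  labels:
    app.kubernetes.io/component: minio
    app.kubernetes.io/instance: minio
    app.kubernetes.io/name: minio
    app.kubernetes.io/part-of: minio
    component: minio
spec:
  backoffLimit: 4
  template:
    metadata:
      labels:
        app.kubernetes.io/component: minio
        app.kubernetes.io/instance: minio
        app.kubernetes.io/name: minio
        app.kubernetes.io/part-of: minio
        component: minio
    spec:
      serviceAccount: minio-setup
      serviceAccountName: minio-setup
      restartPolicy: Never
      containers:
        - name: create-minio-root-user
          image: image-registry.openshift-image-registry.svc:5000/openshift/tools:latest
          imagePullPolicy: IfNotPresent
          # Empty values select the defaults in the script below.
          # NOTE(review): a password written here is stored in clear text in
          # the Job object and is readable by anyone who can view Jobs or
          # Pods in the namespace; prefer leaving it empty so it is generated.
          env:
            - name: MINIO_ROOT_USER
              value: ""
            - name: MINIO_ROOT_PASSWORD
              value: ""
          command:
            - /bin/bash
          args:
            - -ec
            - |-
              # Idempotency guard: never replace existing credentials.
              if [ -n "$(oc get secret minio-root-user -oname 2>/dev/null)" ]; then
                echo "Secret already exists. Skipping." >&2
                exit 0
              fi
              # Random string of $1 characters (default 32) from [_A-Za-z0-9-].
              genpass() {
                < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c"${1:-32}"
              }
              # Base64 on one line; the value is fed through stdin of a
              # builtin, so it never appears on a process command line.
              b64() {
                printf '%s' "$1" | base64 | tr -d '\n'
              }
              MINIO_ROOT_USER=${MINIO_ROOT_USER:-"admin"}
              MINIO_ROOT_PASSWORD=${MINIO_ROOT_PASSWORD:-$(genpass)}
              cat << EOF | oc create -f-
              apiVersion: v1
              kind: Secret
              metadata:
                name: minio-root-user
              type: Opaque
              data:
                MINIO_ROOT_USER: "$(b64 "${MINIO_ROOT_USER}")"
                MINIO_ROOT_PASSWORD: "$(b64 "${MINIO_ROOT_PASSWORD}")"
              EOF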
---
# Publishes the MinIO web console (Service port "console") through the
# OpenShift router. HTTP requests are redirected to HTTPS.
# NOTE(review): with edge termination TLS ends at the router; the hop from
# router to pod is plain HTTP. The console is an administrative interface
# protected only by the root user/password, so confirm it really needs to be
# reachable from wherever the router is exposed.
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: minio-console
  labels:
    app: minio
    app.kubernetes.io/component: minio
    app.kubernetes.io/instance: minio
    app.kubernetes.io/name: minio
    app.kubernetes.io/part-of: minio
    component: minio
spec:
  to:
    kind: Service
    name: minio
    weight: 100
  port:
    targetPort: console
  tls:
    termination: edge
    insecureEdgeTerminationPolicy: Redirect
  wildcardPolicy: None
---
# Publishes the MinIO S3 API (Service port "api") through the OpenShift
# router; its host name becomes AWS_S3_ENDPOINT in the data-connection
# Secrets written by the create-ds-connections Job.
# NOTE(review): edge termination means TLS ends at the router and the
# router-to-pod hop is plain HTTP.
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: minio-s3
  labels:
    app: minio
    app.kubernetes.io/component: minio
    app.kubernetes.io/instance: minio
    app.kubernetes.io/name: minio
    app.kubernetes.io/part-of: minio
    component: minio
spec:
  to:
    kind: Service
    name: minio
    weight: 100
  port:
    targetPort: api
  tls:
    termination: edge
    insecureEdgeTerminationPolicy: Redirect
  wildcardPolicy: None