From c8501f505bfb7d41ebef1366c4dbe7b3a1b4d10f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beatrice=20Dellac=C3=A0?=
Date: Sun, 6 Apr 2025 20:58:12 +0200
Subject: [PATCH] fix tls termination
---
 deploy/minio-tenant/certificate.yaml | 14 +++++
 deploy/minio-tenant/ingress.yaml | 8 +--
 deploy/minio-tenant/kustomization.yaml | 1 +
 deploy/minio-tenant/secret.yaml | 2 -
 deploy/minio-tenant/tenant.yaml | 85 +++++++++++++-------------
 5 files changed, 61 insertions(+), 49 deletions(-)
 create mode 100644 deploy/minio-tenant/certificate.yaml
diff --git a/deploy/minio-tenant/certificate.yaml b/deploy/minio-tenant/certificate.yaml
new file mode 100644
index 0000000..e5c4b99
--- /dev/null
+++ b/deploy/minio-tenant/certificate.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: minio-cert
+ namespace: minio-tenant
+spec:
+ secretName: minio-tls
+ issuerRef:
+ name: letsencrypt-prod
+ kind: ClusterIssuer
+ commonName: s3.minio.panic.haus
+ dnsNames:
+ - s3.minio.panic.haus
+ - console.minio.panic.haus
\ No newline at end of file
diff --git a/deploy/minio-tenant/ingress.yaml b/deploy/minio-tenant/ingress.yaml
index fd23fa3..2ea09fa 100644
--- a/deploy/minio-tenant/ingress.yaml
+++ b/deploy/minio-tenant/ingress.yaml
@@ -6,8 +6,6 @@ metadata:
 annotations:
 kubernetes.io/ingress.class: nginx
 cert-manager.io/cluster-issuer: letsencrypt-prod
- nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
- nginx.ingress.kubernetes.io/ssl-passthrough: "true"
 spec:
 rules:
 - host: s3.minio.panic.haus
@@ -19,7 +17,7 @@ spec:
 service:
 name: minio
 port:
- number: 443
+ number: 9000
 - host: console.minio.panic.haus
 http:
 paths:
@@ -27,9 +25,9 @@ spec:
 pathType: Prefix
 backend:
 service:
- name: panic-minio-console
+ name: minio-console
 port:
- number: 9443
+ number: 9001
 tls:
 - hosts:
 - s3.minio.panic.haus
diff --git a/deploy/minio-tenant/kustomization.yaml b/deploy/minio-tenant/kustomization.yaml
index 1b98376..1722561 100644
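Review bot: The Ingress touched in this same commit keeps its `cert-manager.io/cluster-issuer: letsencrypt-prod` annotation next to a `tls` stanza, so ingress-shim will request a second certificate for the same two hosts in addition to this Certificate object. If that Ingress's `tls.secretName` is also `minio-tls` (it is outside the visible hunk), two Certificate resources would contend for one Secret and renewals could flap between them. Either drop the annotation from the Ingress and point its `tls.secretName` at `minio-tls` so this file is the single source of the certificate, or keep the two certificates on distinct secrets. A short comment on `secretName` saying which consumers read it (the Tenant's `externalCertSecret`, and the Ingress if shared) would make the intended ownership clear.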
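Review bot: Dropping both `ssl-passthrough` and `backend-protocol: "HTTPS"` makes nginx terminate TLS and open a plain-HTTP connection to ports 9000/9001, yet tenant.yaml in this commit adds `externalCertSecret` with `minio-tls` to the Tenant, which as far as I can tell the operator mounts as the pods' serving certificate so MinIO listens with TLS; a plaintext request to a TLS listener fails at the handshake. One model has to be chosen: terminate at the ingress and leave the Tenant without `externalCertSecret` (the in-cluster hop is then unencrypted and should be documented as such), or keep `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` so nginx re-encrypts to the TLS-serving pods. The same inconsistency applies to the port changes in the second and third ingress.yaml hunks and to the first tenant.yaml hunk.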
--- a/deploy/minio-tenant/kustomization.yaml
+++ b/deploy/minio-tenant/kustomization.yaml
@@ -7,6 +7,7 @@ resources:
 - namespace.yaml
 - secret.yaml
 - tenant.yaml
+ - certificate.yaml
 - ingress.yaml
 - svc-minio.yaml
 - svc-minio-console.yaml
diff --git a/deploy/minio-tenant/secret.yaml b/deploy/minio-tenant/secret.yaml
index e00fa54..65852b4 100644
--- a/deploy/minio-tenant/secret.yaml
+++ b/deploy/minio-tenant/secret.yaml
@@ -7,8 +7,6 @@ stringData:
 config.env: |-
 export MINIO_ROOT_USER="minio"
 export MINIO_ROOT_PASSWORD="minio123"
- export MINIO_STORAGE_CLASS_STANDARD="EC:2"
- export MINIO_SERVER_URL="https://s3.minio.panic.haus"
 type: Opaque
 ---
 apiVersion: v1
diff --git a/deploy/minio-tenant/tenant.yaml b/deploy/minio-tenant/tenant.yaml
index 2ba4061..34eca54 100644
--- a/deploy/minio-tenant/tenant.yaml
+++ b/deploy/minio-tenant/tenant.yaml
@@ -10,6 +10,9 @@ metadata:
 name: panic-minio
 namespace: minio-tenant
 spec:
+ requestAutoCert: false
+ externalCertSecret:
+ - name: minio-tls
 exposeServices: {}
 imagePullPolicy: IfNotPresent
 certConfig: {}
@@ -17,7 +20,6 @@ spec:
 name: storage-configuration
 env: []
 externalCaCertSecret: []
- externalCertSecret: []
 externalClientCertSecrets: []
 features:
 bucketDNS: false
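Review bot: `externalCertSecret: minio-tls` hands the four-server pool a certificate whose SANs (certificate.yaml in this commit) are only the two public hostnames, and `requestAutoCert: false` stops the operator from issuing the internal certificates it used to provide; any in-cluster TLS connection that verifies the headless-service or service hostname — inter-node traffic in the distributed pool, the operator or console reaching the tenant — would then likely see a hostname mismatch. If TLS inside the cluster is wanted, keep `requestAutoCert: true` (or add the internal service names to the certificate's `dnsNames`) and let the public Let's Encrypt certificate live only on the Ingress; if it is not wanted, drop `externalCertSecret` altogether rather than serving a public certificate on internal endpoints. A comment above `requestAutoCert` stating which of the two models is intended would stop the next edit from reintroducing the mismatch. The `spec` mapping these keys belong to continues outside the hunk.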
@@ -27,47 +29,46 @@ spec:
 mountPath: /export
 podManagementPolicy: Parallel
 pools:
- - affinity:
- nodeAffinity: {}
- podAffinity: {}
- podAntiAffinity: {}
- containerSecurityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- runAsGroup: 1000
- runAsNonRoot: true
- runAsUser: 1000
- seccompProfile:
- type: RuntimeDefault
- name: pool-0
- nodeSelector: {}
- resources: {}
- securityContext:
- fsGroup: 1000
- fsGroupChangePolicy: OnRootMismatch
- runAsGroup: 1000
- runAsNonRoot: true
- runAsUser: 1000
- servers: 4
- tolerations: []
- topologySpreadConstraints: []
- volumeClaimTemplate:
- apiVersion: v1
- kind: persistentvolumeclaims
- metadata: {}
- spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 10Gi
- storageClassName: longhorn
- status: {}
- volumesPerServer: 1
+ - name: pool-0
+ affinity:
+ nodeAffinity: {}
+ podAffinity: {}
+ podAntiAffinity: {}
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ nodeSelector: {}
+ resources: {}
+ securityContext:
+ fsGroup: 1000
+ fsGroupChangePolicy: OnRootMismatch
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
+ servers: 4
+ tolerations: []
+ topologySpreadConstraints: []
+ volumeClaimTemplate:
+ apiVersion: v1
+ kind: persistentvolumeclaims
+ metadata: {}
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi
+ storageClassName: longhorn
+ status: {}
+ volumesPerServer: 1
 priorityClassName: ""
- requestAutoCert: true
 serviceAccountName: ""
 serviceMetadata:
 consoleServiceAnnotations: {}
@@ -76,4 +77,4 @@ spec:
 minioServiceLabels: {}
 subPath: ""
 users:
- - name: storage-user
+ - name: storage-user
\ No newline at end of file