From 30933481a4f5346660c89b4f3f57258843935877 Mon Sep 17 00:00:00 2001
From: Ubuntu
Date: Tue, 13 Jan 2026 22:44:33 +0000
Subject: [PATCH] feat(minio): add minio object storage deployment
---
apps/minio-app.yaml | 22 ++++++++
apps/minio/deployment.yaml | 95 +++++++++++++++++++++++++++++++++
apps/minio/external-secret.yaml | 22 ++++++++
apps/minio/ingress.yaml | 38 +++++++++++++
4 files changed, 177 insertions(+)
create mode 100644 apps/minio-app.yaml
create mode 100644 apps/minio/deployment.yaml
create mode 100644 apps/minio/external-secret.yaml
create mode 100644 apps/minio/ingress.yaml
diff --git a/apps/minio-app.yaml b/apps/minio-app.yaml
new file mode 100644
index 0000000..3a33654
--- /dev/null
+++ b/apps/minio-app.yaml
@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: minio
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "3"
+spec:
+ project: default
+ source:
+ repoURL: https://git.cloud-infra.prod.openmailserver.de/stabify/gitops.git
+ targetRevision: HEAD
+ path: apps/minio
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: minio
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/apps/minio/deployment.yaml b/apps/minio/deployment.yaml
new file mode 100644
index 0000000..4ae06c7
--- /dev/null
+++ b/apps/minio/deployment.yaml
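Review bot: `project: default` in apps/minio-app.yaml places this auto-syncing Application in Argo CD's built-in default project, which, unless it has been tightened elsewhere, permits any source repository and any destination. Combined with `targetRevision: HEAD`, `prune: true` and `selfHeal: true`, whatever lands on the repository's default branch is applied to the cluster without a further gate. I would move it to a dedicated AppProject whose `sourceRepos` lists only this gitops repository and whose `destinations` lists only the `minio` namespace, and reference it here, e.g. `project: minio` (project name constructed for illustration).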
@@ -0,0 +1,95 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: minio
+ namespace: minio
+ labels:
+ app: minio
+spec:
+ replicas: 1
+ strategy:
+ type: Recreate # Wichtig für PVCs (ReadWriteOnce)
+ selector:
+ matchLabels:
+ app: minio
+ template:
+ metadata:
+ labels:
+ app: minio
+ spec:
+ containers:
+ - name: minio
+ image: quay.io/minio/minio:RELEASE.2024-01-13T22-51-38Z
+ args:
+ - server
+ - /data
+ - --console-address
+ - :9001
+ ports:
+ - containerPort: 9000
+ name: api
+ - containerPort: 9001
+ name: console
+ env:
+ - name: MINIO_ROOT_USER
+ valueFrom:
+ secretKeyRef:
+ name: minio-secrets
+ key: root_user
+ - name: MINIO_ROOT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: minio-secrets
+ key: root_password
+ # Setze die Browser Redirect URL korrekt für Public Access
+ - name: MINIO_BROWSER_REDIRECT_URL
+ value: "https://minio.apps.k3s.stabify.de"
+ volumeMounts:
+ - name: data
+ mountPath: /data
+ livenessProbe:
+ httpGet:
+ path: /minio/health/live
+ port: 9000
+ initialDelaySeconds: 30
+ periodSeconds: 20
+ readinessProbe:
+ httpGet:
+ path: /minio/health/ready
+ port: 9000
+ initialDelaySeconds: 30
+ periodSeconds: 20
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: minio-pvc
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: minio-pvc
+ namespace: minio
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 50Gi # Kannst du später vergrößern (Requires VM disk space)
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: minio
+ namespace: minio
+spec:
+ ports:
+ - port: 9000
+ targetPort: 9000
+ protocol: TCP
+ name: api
+ - port: 9001
+ targetPort: 9001
+ protocol: TCP
+ name: console
+ selector:
+ app: minio
diff --git a/apps/minio/external-secret.yaml b/apps/minio/external-secret.yaml
new file mode 100644
index 0000000..b6d04af
--- /dev/null
+++ b/apps/minio/external-secret.yaml
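Review bot: The `minio` container in apps/minio/deployment.yaml has no `securityContext` at pod or container level, so it runs with the image's default user and the runtime's default capabilities. For a service that holds the root credentials and is exposed through the ingress added in the same commit, I would set non-root execution, no privilege escalation, dropped capabilities and the default seccomp profile, as sketched below; the UID/GID is an example value and the PVC must be writable for it (hence `fsGroup`). Separately, the image tag `RELEASE.2024-01-13T22-51-38Z` is dated two years before this commit's date, so upstream fixes released since then are presumably missing; moving to a current release and pinning it by digest would fit in the same change. No resource requests or limits are set either.

```yaml
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000    # example UID/GID; any non-zero id that can write /data
        runAsGroup: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: minio
          # … unchanged: image, args, ports, env, volumeMounts, probes …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
```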
@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: minio-external-secret
+ namespace: minio
+spec:
+ refreshInterval: "1m"
+ secretStoreRef:
+ name: vault-backend
+ kind: ClusterSecretStore
+ target:
+ name: minio-secrets
+ creationPolicy: Owner
+ data:
+ - secretKey: root_user
+ remoteRef:
+ key: secret/apps/minio
+ property: root_user
+ - secretKey: root_password
+ remoteRef:
+ key: secret/apps/minio
+ property: root_password
diff --git a/apps/minio/ingress.yaml b/apps/minio/ingress.yaml
new file mode 100644
index 0000000..ccb5bb7
--- /dev/null
+++ b/apps/minio/ingress.yaml
@@ -0,0 +1,38 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: minio-ingress
+ namespace: minio
+ annotations:
+ cert-manager.io/cluster-issuer: cloudflare-issuer
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+ ingressClassName: traefik
+ tls:
+ - hosts:
+ - minio.apps.k3s.stabify.de
+ - s3.apps.k3s.stabify.de
+ secretName: minio-tls
+ rules:
+ # Console Access (Browser UI)
+ - host: minio.apps.k3s.stabify.de
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: minio
+ port:
+ number: 9001
+ # API Access (Apps like Outline, etc.)
+ - host: s3.apps.k3s.stabify.de
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: minio
+ port:
+ number: 9000
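Review bot: The ExternalSecret in apps/minio/external-secret.yaml refreshes `minio-secrets` every minute, but the Deployment in this commit reads both keys through `secretKeyRef` environment variables, which are fixed when the container starts. A root password rotated in Vault therefore updates the Secret while the running MinIO keeps accepting the old one until the pod is restarted. I would document that next to `refreshInterval`, e.g. `# rotation takes effect only after the minio pod restarts (env vars are read at start)`, or add a restart-on-change mechanism. It is also worth confirming that the `vault-backend` ClusterSecretStore restricts which namespaces may reference it, since `secret/apps/minio` holds the MinIO root account.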
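Review bot: The first rule in apps/minio/ingress.yaml publishes the MinIO console (service port 9001) on `minio.apps.k3s.stabify.de` with no access restriction, and the only credentials this commit provisions are the root ones from `minio-secrets`. If that hostname is reachable from the internet (the deployment comment mentions public access), the admin UI is open to password guessing against the root account. Traefik annotations apply to the whole Ingress, so I would move the console rule into its own Ingress and attach an allow-list or authentication middleware there, e.g. `traefik.ingress.kubernetes.io/router.middlewares: <namespace>-<middleware-name>@kubernetescrd`, leaving the S3 API host on this one.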