From db538f718175395f97e0b8f3b76a4d3b721c8fce Mon Sep 17 00:00:00 2001
From: Nikolai Rodionov
Date: Mon, 13 Mar 2023 07:41:49 +0000
Subject: [PATCH] Add oauth to MinIO (#35)

I want to use OAuth everywhere it's possible, so I need to create accounts in gitea only

Reviewed-on: https://git.badhouseplants.net/badhouseplants/k8s-cluster-config/pulls/35
---
 badhouseplants/helmfile.yaml | 4 +-
 badhouseplants/values/secrets.minio.yaml | 16 ++++++--
 badhouseplants/values/values.minio.yaml | 47 ++++++++++++++++++++++--
 releases.yaml | 16 ++++----
 4 files changed, 66 insertions(+), 17 deletions(-)

diff --git a/badhouseplants/helmfile.yaml b/badhouseplants/helmfile.yaml
index 604b1c4..e535da1 100644
--- a/badhouseplants/helmfile.yaml
+++ b/badhouseplants/helmfile.yaml
@@ -46,5 +46,5 @@ bases:
 - ../environments.yaml
 - ../repositories.yaml
-helmfiles:
- - namespaces.yaml
+ #helmfiles:
+ # - namespaces.yaml
diff --git a/badhouseplants/values/secrets.minio.yaml b/badhouseplants/values/secrets.minio.yaml
index c47026c..44630df 100644
--- a/badhouseplants/values/secrets.minio.yaml
+++ b/badhouseplants/values/secrets.minio.yaml
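Review bot: In badhouseplants/helmfile.yaml the `helmfiles:` include of namespaces.yaml is commented out rather than removed, and neither the hunk nor the commit message says why a change titled "Add oauth to MinIO" stops applying that sub-helmfile. If namespaces.yaml is what creates or labels the namespaces (an assumption, its content is not in this patch), a fresh sync of this environment no longer applies those settings. Either delete the two lines or keep them with the reason recorded above them, e.g. `# namespaces.yaml include disabled: <reason>; re-enable when <condition>`. The two new comment lines also appear to be indented under the `bases:` list, so they read as part of it; placing them at column 0 avoids that.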
@@ -2,7 +2,17 @@ rootPassword: ENC[AES256_GCM,data:7baD0HwMztU27TymEWp+Ad1s8Zc=,iv:CXiTBEGU1tr99i users: - accessKey: ENC[AES256_GCM,data:9ZhHOes+vQM=,iv:ltKbQ0KW8/Jmn7kmTaGaDcerlkquTXhGr0wbMMwxNgA=,tag:X6n+44dvPAm4v2rcxYkPEQ==,type:str] secretKey: ENC[AES256_GCM,data:mzWBQcPitrpwIMqBrbtBs3RBDg==,iv:cLA6Wvmf5il54DFkNbwQ27wPxAm/eqSrxAc3MVELero=,tag:nUc83Ctqw4PTwirkUr803A==,type:str] - policy: ENC[AES256_GCM,data:B7CQsSUaq3B/gO/X,iv:Z4DTTXk5TO288lIrjbvXQXsUt44WjvGLMGxXmnEnHGU=,tag:pvK4zoZGBbpithTBYVDKfQ==,type:str] + policy: ENC[AES256_GCM,data:szr/D/u/ng0=,iv:jzm7Q4zdKQpNV0FgJ4jA9CuN7r912ySBJHmxKeQGS2I=,tag:cKarFmhIbBEtslSxOc4mcA==,type:str] +oidc: + enabled: ENC[AES256_GCM,data:lK45+A==,iv:NcoTJPt4XZGRlVRwpsmuI5nu66cGVksQBRAwRval5JY=,tag:kjtPLITQLBOqjF3IaJAL8w==,type:bool] + configUrl: ENC[AES256_GCM,data:ZNVvWPlFPA1xgfysavsEusfxE2ySIM9FYatYqfWPnUrHKMtCxYlrn1ip3nTYL2JHvjM3yltLBNbqWMCGlgtw,iv:p1F2DqCFaKvjYKhMieFytnMuggrec8DmBzDATLTVe+8=,tag:3EtpPSyRlGThov5OcZfV+g==,type:str] + clientId: ENC[AES256_GCM,data:kO7PkjN+5GqZCxChvtbTQb/5zo7nVxfh7MZqbDoJLIKMEfth,iv:ti3Xlc3sRVOVGtxGw/pT5iBy5rBqV2v+MhiNF3Krb9U=,tag:3LUDIkq08zGmvjJtSnE/jA==,type:str] + clientSecret: ENC[AES256_GCM,data:PVe+8SlNrznBiFVNpuQXIcuPkUXyUJ7DObZpRvlgA8JjUHXTy3VY7soyJVBZEMfYbNjSLLcKcWM=,iv:fbh2RcQdPf3jUt2AOI3xp09SSEaWzI4rLGZmlZY46uM=,tag:wvEBkkPsXoQXAP7fN1iDMA==,type:str] + claimName: ENC[AES256_GCM,data:K7IO7TyaAUr4U80Ni5Xt/bma,iv:R8RQLttCNMHpAit+3OQ/STXo7u6xqQ1+RYgGLpJTpn4=,tag:3Wsh7TNnh1V0GrqjF/4Uiw==,type:str] + redirectUri: ENC[AES256_GCM,data:+Q8cNCvslAcO4m7VJwNe/CpEntyHfuHOrHqqtlrDILkfc0IRAA8aSbZwbA2v+So=,iv:GwzNILyqLuAYUQFKbt5WE+VCdOzSTBmGCAHcCAnzxXk=,tag:p9/86/r2DfT1mkQu+aQJfQ==,type:str] + comment: ENC[AES256_GCM,data:TO3kA0i503ZA+EFhKa2AZw==,iv:Cl3NvvgXz71AaCgMl062urNtcBtgk832vtxTs9MJwik=,tag:JwerK2q1L7xMv/NIoWkESw==,type:str] + claimPrefix: "" + scopes: 
ENC[AES256_GCM,data:kyewug7Dv2UOcsc8UWe1ssepra8uBW7uYw==,iv:RfQQiwBWWSd9DSgSlYZFwyZy2xaizMuVjeCZAws3ddM=,tag:jnegIPBviRTPi4kwM1jexQ==,type:str] sops: kms: [] gcp_kms: [] @@ -18,8 +28,8 @@ sops: NFd0WDBXRERZc2ZDbWhDTFhnZExjVmcKDKHKoouDK66AYXenznGjTMnahqIwbp1y zA+MZx0FPO7xm9UCGaxIFzdLXK6O2ctw9fDceR6oMj+YehLOKwEmoA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-02-19T20:48:11Z" - mac: ENC[AES256_GCM,data:MTcZ//5+uC+yFp+TmLhqdGIBpcaW96HpfUZeIUZijOffss401/XMOYprIILTPRq2B8kaCW2jp8hkL3oFDxSce0BGeqdRsFOlRL9vbtpyBPTUoGBnr6u/HK1G09zqtlsA/RZTvpBNoKrfdSvoWwoFIjs5oWPbi1f44gkgAl85ENM=,iv:07nSOo1F63sPgadSHtdI9JjtKjH/F9ThFW4sxWVGTxs=,tag:fFOO4sT6EFsAKje5llEUqg==,type:str] + lastmodified: "2023-03-12T10:17:38Z" + mac: ENC[AES256_GCM,data:I6DCLZNMl3LuGif/mDDNKKODZ6O/CSYty0+N60Xw4go2mH9J8/PPX0fEYL0ilRG2VDLuZ86RTiPCwAtUXVrtu1jzlkajbZPytWMpURZk+4m2XxXSDrTHNt6KJglF29DhENCkVXeZ75fHSKOS0yliZ+Q/90Ye18FJSlvVUy6HSfM=,iv:4y4pU0OTK6c2Oj5LvoJALtcn5TJ7OQFNys2swbYkodU=,tag:GSPQ64Ntu/oYnz6BfWXOTg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3 diff --git a/badhouseplants/values/values.minio.yaml b/badhouseplants/values/values.minio.yaml index aaa04e3..f379e7a 100644 --- a/badhouseplants/values/values.minio.yaml +++ b/badhouseplants/values/values.minio.yaml @@ -1,3 +1,4 @@ +--- rootUser: 'overlord' replicas: 1 mode: standalone 
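Review bot: In the new `oidc:` block of badhouseplants/values/secrets.minio.yaml every key except `claimPrefix` is SOPS-encrypted, so the settings that decide who is authorized (`claimName`, `scopes`, `redirectUri`, `configUrl`) and the changed `users[].policy` value cannot be reviewed from this patch. Only `clientSecret` is clearly secret material; moving the non-secret keys into values.minio.yaml, next to the `policies:` this commit adds there, would let a reviewer confirm that the claim used for policy mapping and the redirect URI are the intended ones. If they have to stay encrypted, a plain comment above the block such as `# claimName and scopes: see <doc link>` would at least record where the effective values are documented.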
@@ -24,13 +25,51 @@ resources:
 requests:
 memory: 2Gi
 buckets:
- - name: allanger
- policy: none
+ - name: badhouseplants-net
+ policy: download
 purge: false
- versioning: true
+ versioning: false
+ - name: badhouseplants-net-main
+ policy: download
+ purge: false
+ versioning: false
 metrics:
 serviceMonitor:
 enabled: false
 public: true
 additionalLabels: {}
-
+policies:
+ - name: allanger
+ statements:
+ - resources:
+ - 'arn:aws:s3:::*'
+ actions:
+ - "s3:*"
+ - resources: []
+ actions:
+ - "admin:*"
+ - resources: []
+ actions:
+ - "kms:*"
+ - name: badhouseplants:owners
+ statements:
+ - resources:
+ - 'arn:aws:s3:::*'
+ actions:
+ - "s3:*"
+ - resources: []
+ actions:
+ - "admin:*"
+ - resources: []
+ actions:
+ - "kms:*"
+ - name: badhouseplants
+ statements:
+ - resources:
+ - 'arn:aws:s3:::badhouseplants'
+ actions:
+ - "s3:*"
+ - resources:
+ - 'arn:aws:s3:::badhouseplants/*'
+ actions:
+ - "s3:*"
diff --git a/releases.yaml b/releases.yaml
index eaff832..2359f94 100644
--- a/releases.yaml
+++ b/releases.yaml
@@ -58,14 +58,14 @@ templates:
 metrics-server: &metrics-server
 name: metrics-server
 chart: metrics-server/metrics-server
- version: 3.8.3
+ version: 3.8.4
 values:
 - common/values.{{ .Release.Name }}.yaml
 cert-manager: &cert-manager
 name: cert-manager
 chart: jetstack/cert-manager
- version: 1.10.1
+ version: 1.11.0
 set:
 - name: installCRDs
 value: true
@@ -79,7 +79,7 @@ templates:
 argocd: &argocd
 name: argocd
 chart: argo/argo-cd
- version: 5.23.3
+ version: 5.25.0
 inherit:
 - template: default-env-values
 - template: default-env-secrets
@@ -89,7 +89,7 @@ templates:
 istio-common:
 labels:
 bundle: istio
- version: 1.16.1
+ version: 1.17.1
 istio-base: &istio-base
 name: istio-base
@@ -141,7 +141,7 @@ templates:
 nrodionov: &nrodionov
 name: nrodionov
 chart: bitnami/wordpress
- version: 15.2.22
+ version: 15.2.51
 inherit:
 - template: default-env-values
 - template: default-env-secrets
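Review bot: In badhouseplants/values/values.minio.yaml the `badhouseplants` policy grants `s3:*` on `arn:aws:s3:::badhouseplants` and `arn:aws:s3:::badhouseplants/*`, but the buckets this hunk declares are `badhouseplants-net` and `badhouseplants-net-main`, so unless a bucket named `badhouseplants` exists outside this patch the policy matches nothing. If the new buckets are the target, the resources would be `'arn:aws:s3:::badhouseplants-net*'` and `'arn:aws:s3:::badhouseplants-net*/*'`. Separately, `allanger` and `badhouseplants:owners` are identical and grant `s3:*`, `admin:*` and `kms:*`; if the OIDC claim is what selects `badhouseplants:owners` (presumably, the claim settings are encrypted), membership of that group on the identity provider equals full MinIO admin and deserves a comment or a narrower action list. Both new buckets use `policy: download`, which the MinIO chart applies as anonymous read access, so a line like `# anonymous read is intended: <reason>` above them would make that an explicit decision.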
@@ -149,7 +149,7 @@ templates:
 minio: &minio
 name: minio
 chart: minio/minio
- version: 5.0.4
+ version: 5.0.7
 inherit:
 - template: default-env-values
 - template: default-env-secrets
@@ -157,14 +157,14 @@ templates:
 minecraft: &minecraft
 name: minecraft
 chart: minecraft-server-charts/minecraft
- version: 4.4.0
+ version: 4.6.0
 inherit:
 - template: default-env-values
 gitea: &gitea
 name: gitea
 chart: gitea/gitea
- version: 7.0.2
+ version: 7.0.4
 inherit:
 - template: default-env-values
 - template: default-env-secrets