From 4b92f2fb8bdb3d4f01244aa47c0033b29e2df90c Mon Sep 17 00:00:00 2001 From: Nikolai Rodionov Date: Thu, 12 Sep 2024 14:45:25 +0200 Subject: [PATCH] Migrate minio to the platform namespace --- installations/applications/helmfile.yaml | 15 +++++---- installations/platform/helmfile.yaml | 43 ++++++------------------ manifests/network-policy.yaml | 32 ++++++++++++++++++ values/badhouseplants/values.minio.yaml | 5 +-- 4 files changed, 51 insertions(+), 44 deletions(-) create mode 100644 manifests/network-policy.yaml diff --git a/installations/applications/helmfile.yaml b/installations/applications/helmfile.yaml index 82acdf7..373333e 100644 --- a/installations/applications/helmfile.yaml +++ b/installations/applications/helmfile.yaml @@ -85,14 +85,15 @@ releases: inherit: - template: default-env-values - template: ext-tcp-routes - #- name: vaultwardentest - # chart: allangers-charts/vaultwarden - # version: 2.1.0 - # namespace: applications - # inherit: - # - template: default-env-values - # - template: default-env-secrets - name: shadowsocks-libev + #- name: vaultwardentest + # chart: allangers-charts/vaultwarden + # version: 2.1.0 + # namespace: applications + # inherit: + # - template: default-env-values + # - template: default-env-secrets + chart: allangers-charts/shadowsocks-libev namespace: applications version: 0.3.1 diff --git a/installations/platform/helmfile.yaml b/installations/platform/helmfile.yaml index 59463e9..a8c83c3 100644 --- a/installations/platform/helmfile.yaml +++ b/installations/platform/helmfile.yaml 
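Review bot: The commented-out `vaultwardentest` block in installations/applications/helmfile.yaml appears to have been moved below `- name: shadowsocks-libev`, between that release's `name` and `chart` keys, judging by the hunk's 14/15 line counts. The file still parses because the lines are comments, but the disabled release now reads as part of the shadowsocks-libev entry, and uncommenting it in place would corrupt that entry. Put the block back above `- name: shadowsocks-libev`, or delete it and rely on git history. The releases list starts and ends outside the hunk.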
@@ -10,16 +10,12 @@ repositories: url: https://zotregistry.dev/helm-charts/ - name: bedag url: https://bedag.github.io/helm-charts/ - - name: minio-standalone - url: https://charts.min.io/ - - name: minio - url: https://operator.min.io/ - - name: fluxcd-community - url: https://fluxcd-community.github.io/helm-charts - name: crossplane-stable url: https://charts.crossplane.io/stable - name: goauthentik url: https://charts.goauthentik.io/ + - name: minio-standalone + url: https://charts.min.io/ releases: - name: argocd chart: argo/argo-cd @@ -30,12 +26,6 @@ releases: inherit: - template: default-env-values - template: default-env-secrets - - name: flux - chart: fluxcd-community/flux2 - namespace: platform - condition: workload.enabled - version: 2.13.0 - installed: false - name: db-operator namespace: platform chart: db-operator/db-operator @@ -69,32 +59,12 @@ releases: inherit: - template: default-env-values - template: default-env-secrets - - name: minio-operator - chart: minio/operator - version: 6.0.3 - namespace: platform - installed: false - condition: workload.enabled - inherit: - - template: default-env-values - - name: minio-tenant - chart: minio/tenant - version: 6.0.3 - namespace: platform - installed: false - condition: workload.enabled - needs: - - platform/minio-operator - inherit: - - template: default-env-values - name: crossplane - # - template: default-env-secrets - chart: crossplane-stable/crossplane + installed: false version: 1.17.0 namespace: platform condition: workload.enabled - installed: true inherit: - template: default-env-values - name: authentik @@ -106,3 +76,10 @@ releases: - template: default-env-values - template: default-env-secrets - template: ext-database + - name: minio + chart: minio-standalone/minio + version: 5.2.0 + namespace: platform + inherit: + - template: default-env-values + - template: default-env-secrets 
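Review bot: The third hunk of installations/platform/helmfile.yaml (`@@ -69,32 +59,12 @@`) flips the crossplane release from `installed: true` to `installed: false`, which the commit subject about migrating minio does not mention. In helmfile a release marked `installed: false` is uninstalled on the next sync or apply, so if crossplane is currently deployed this change removes it together with whatever depends on it. If that is intended, it belongs in its own commit or at least in the message; otherwise keep `installed: true`. The crossplane entry and the releases list continue outside the hunk.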
diff --git a/manifests/network-policy.yaml b/manifests/network-policy.yaml new file mode 100644 index 0000000..6813819 --- /dev/null +++ b/manifests/network-policy.yaml @@ -0,0 +1,32 @@ +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: default-deny-all +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: allow-internet-only +spec: + podSelector: {} + policyTypes: + - Egress + egress: + - to: + ports: + - protocol: TCP + port: 53 + - protocol: UDP + port: 53 + - to: + - ipBlock: + cidr: 0.0.0.0/0 + except: + - 10.0.0.0/8 + - 192.168.0.0/16 + - 172.16.0.0/20 diff --git a/values/badhouseplants/values.minio.yaml b/values/badhouseplants/values.minio.yaml index 43df59e..dba9ea2 100644 --- a/values/badhouseplants/values.minio.yaml +++ b/values/badhouseplants/values.minio.yaml @@ -1,4 +1,3 @@ ---- # ------------------------------------------ # -- Istio extenstion. Just because I'm # -- not using ingress nginx @@ -18,7 +17,6 @@ istio: hostname: s3.badhouseplants.net service: minio port: 9000 - ingress: enabled: true ingressClassName: ~ @@ -53,7 +51,6 @@ consoleIngress: - secretName: minio-tls-secret hosts: - minio.badhouseplants.net - rootUser: 'overlord' replicas: 1 mode: standalone @@ -66,7 +63,7 @@ tls: privateKey: private.key persistence: enabled: true - accessMode: ReadWriteOnce + accessMode: ReadWriteMany size: 10Gi service: type: ClusterIP
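Review bot: In manifests/network-policy.yaml the last `except` entry of `allow-internet-only` is `172.16.0.0/20`, which covers only 172.16.0.0–172.16.15.255, whereas the RFC 1918 block is 172.16.0.0/12; egress to 172.16.16.0–172.31.255.255 therefore stays allowed by a policy meant to permit internet traffic only. Change the entry to `- 172.16.0.0/12`, and consider adding `- 169.254.0.0/16` so that link-local addresses, including a cloud metadata endpoint where one exists, are excluded as well. The first egress rule has an empty `to:`, so port 53 is open to every destination rather than only the cluster DNS service; a comment such as `# DNS to any resolver; narrow to kube-dns if only cluster DNS is needed` would record whether that is intended. Neither policy sets `metadata.namespace`, so which namespace they protect depends on how the file is applied, which this commit does not show.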
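Review bot: The last hunk of values/badhouseplants/values.minio.yaml switches `persistence.accessMode` to `ReadWriteMany` while the same file keeps `replicas: 1` and `mode: standalone`, so only one pod is expected to mount the volume. `ReadWriteMany` needs a storage class that supports it and lets a second pod attach the same data directory, which a single-writer store does not expect. Unless the target storage class offers only RWX, keep `accessMode: ReadWriteOnce`, or add a comment above the key explaining why RWX is required. The persistence block continues outside the hunk.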