From 46a39409891690e82649da9310730aea5d32181a Mon Sep 17 00:00:00 2001
From: Richard Conway
Date: Mon, 18 Sep 2023 15:53:40 +0000
Subject: [PATCH] [docs] update docs for minio

---
 deploy/cluster/minio.sh | 87 +--------------------------
 docs/cluster/cluster-prerequisites.md | 86 ++++++++++++++++++++------
 2 files changed, 69 insertions(+), 104 deletions(-)

diff --git a/deploy/cluster/minio.sh b/deploy/cluster/minio.sh
index 16875e22..adc7e58a 100755
--- a/deploy/cluster/minio.sh
+++ b/deploy/cluster/minio.sh
@@ -94,92 +94,11 @@ fi if [ "${ACTION}" = "apply" ]; then cat - < s3cfg [default] - access_key = eoepca - access_token = - add_encoding_exts = - add_headers = - bucket_location = us-east-1 - ca_certs_file = - cache_file = - check_ssl_certificate = True - check_ssl_hostname = True - cloudfront_host = cloudfront.amazonaws.com - connection_max_age = 5 - connection_pooling = True - content_disposition = - content_type = - default_mime_type = binary/octet-stream - delay_updates = False - delete_after = False - delete_after_fetch = False - delete_removed = False - dry_run = False - enable_multipart = True - encoding = UTF-8 - encrypt = False - expiry_date = - expiry_days = - expiry_prefix = - follow_symlinks = False - force = False - get_continue = False - gpg_command = /usr/bin/gpg - gpg_decrypt = %(gpg_command)s -d --verbose --no-use-agent --batch --yes --passphrase-fd %(passphrase_fd)s -o %(output_file)s %(input_file)s - gpg_encrypt = %(gpg_command)s -c --verbose --no-use-agent --batch --yes --passphrase-fd %(passphrase_fd)s -o %(output_file)s %(input_file)s - gpg_passphrase = - guess_mime_type = True host_base = minio.${domain} host_bucket = minio.${domain} - human_readable_sizes = False - invalidate_default_index_on_cf = False - invalidate_default_index_root_on_cf = True - invalidate_on_cf = False - kms_key = - limit = -1 - limitrate = 0 - list_md5 = False - log_target_prefix = - long_listing = False - max_delete = -1 - mime_type = - multipart_chunk_size_mb = 15 - multipart_copy_chunk_size_mb = 1024 - multipart_max_chunks = 10000 - preserve_attrs = True - progress_meter = True - proxy_host = - proxy_port = 0 - public_url_use_https = False - put_continue = False - recursive = False - recv_chunk = 65536 - reduced_redundancy = False - requester_pays = False - restore_days = 1 - restore_priority = Standard - secret_key = changeme - send_chunk = 65536 - server_side_encryption = False - signature_v2 = False - signurl_use_https = False - simpledb_host = sdb.amazonaws.com - 
skip_existing = False - socket_timeout = 300 - ssl_client_cert_file = - ssl_client_key_file = - stats = False - stop_on_error = False - storage_class = - throttle_max = 100 - upload_id = - urlencoding_mode = normal - use_http_expect = False - use_https = False - use_mime_magic = True - verbosity = WARNING - website_endpoint = http://%(bucket)s.s3-website-%(location)s.amazonaws.com/ - website_error = - website_index = index.html + access_key = ${MINIO_ROOT_USER} + secret_key = ${MINIO_ROOT_PASSWORD} + use_https = True EOF elif [ "${ACTION}" = "delete" ]; then rm -f s3cfg diff --git a/docs/cluster/cluster-prerequisites.md b/docs/cluster/cluster-prerequisites.md index b048f18c..94ca946c 100644 --- a/docs/cluster/cluster-prerequisites.md +++ b/docs/cluster/cluster-prerequisites.md @@ -10,8 +10,10 @@ helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx helm repo update # Install the Nginx Ingress Controller helm chart -helm upgrade -i ingress-nginx ingress-nginx/ingress-nginx --wait +helm upgrade -i --version='<4.5.0' ingress-nginx ingress-nginx/ingress-nginx --wait ``` +!!! note + For Kubernetes version 1.22 and earlier the version of the Nginx Ingress Controller must be before v4.5.0. To target the _Nginx Ingress Controller_ the `kubernetes.io/ingress.class: nginx` annotation must be applied to the Ingress resource... ```yaml 
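Review bot: `access_key = ${MINIO_ROOT_USER}` and `secret_key = ${MINIO_ROOT_PASSWORD}` in the new heredoc are expanded unchecked, so if either variable is missing from the caller's environment the `apply` branch silently writes an `s3cfg` with empty credentials (unless the script runs under `set -u`, which is not visible in this hunk). A guard before the `cat`, `: "${MINIO_ROOT_USER:?}" "${MINIO_ROOT_PASSWORD:?}"`, fails fast with a clear message instead. The generated file now carries the MinIO root password, so it should not be left at the default umask; `chmod 600 s3cfg` after the `EOF` line (or `umask 077` before the redirect) keeps it owner-readable only. The `fi` closing the `if [ "${ACTION}" = "apply" ]` block lies outside the hunk.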
@@ -149,43 +151,86 @@ kubeseal -o yaml \ Various building blocks require access to an S3-compatible object storage service. In particular the ADES processing service expects to stage-out its processing results to S3 object storage. Ideally the cloud provider for your deployment will make available a suitable object storage service. -As a workaround, in the absence of an existing object storage, it is possible to use [MinIO](https://min.io/) to establish an object storage service within the Kubernetes cluster. We use the [minio helm chart provided by bitnami](https://bitnami.com/stack/minio/helm). +As a workaround, in the absence of an existing object storage, it is possible to use [MinIO](https://min.io/) to establish an object storage service within the Kubernetes cluster. We use the [minio helm chart provided by the MinIO Project](https://charts.min.io/). ```bash -# Add the bitnami helm repository -helm repo add bitnami https://charts.bitnami.com/bitnami -helm repo update - # Install the minio helm chart -helm upgrade -i minio -f minio-values.yaml bitnami/minio +helm upgrade -i minio -f minio-values.yaml bitnami/minio \ + --repo https://charts.min.io/ \ + --namespace rm --create-namespace \ + --wait ``` +!!! note + The Kubernetes namespace `rm` is used above as an example, and can be changed according to your deployment preference. + The minio deployment is customised via the values file `minio-values.yaml`, for example... 
```yaml -auth: - rootUser: eoepca - rootPassword: changeme +existingSecret: minio-auth +replicas: 2 ingress: enabled: true ingressClassName: nginx - hostname: minio-console.192-168-49-2.nip.io annotations: - nginx.ingress.kubernetes.io/proxy-body-size: 0m - -apiIngress: + cert-manager.io/cluster-issuer: "letsencrypt" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/proxy-read-timeout: '600' + path: / + hosts: + - minio.192-168-49-2.nip.io + tls: + - secretName: minio-tls + hosts: + - minio.192-168-49-2.nip.io + +consoleIngress: enabled: true ingressClassName: nginx - hostname: minio.192-168-49-2.nip.io annotations: - nginx.ingress.kubernetes.io/proxy-body-size: 0m + cert-manager.io/cluster-issuer: "letsencrypt" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/proxy-read-timeout: '600' + path: / + hosts: + - console.minio.192-168-49-2.nip.io + tls: + - secretName: minio-console-tls + hosts: + - console.minio.192-168-49-2.nip.io + +resources: + requests: + memory: 1Gi persistence: storageClass: standard + +buckets: + - name: eoepca + - name: cache-bucket +``` + +!!! note + * The example values assuming a TLS configuration using `letsencrypt` certificate provider + * The admin credentials are provided by the Kubernetes secret named `minio-auth` - see below + * The annotation `nginx.ingress.kubernetes.io/proxy-body-size` was found to be required to allow transfer of large files (such as data products) through the nginx proxy + +### Minio Credentials Secret + +The Minio admin credentials are provided via a Kubernetes secret that is referenced from the Minio helm chart deployment values. For example... 
+ +``` +kubectl -n rm create secret generic minio-auth \ + --from-literal=rootUser="eoepca" \ + --from-literal=rootPassword="changeme" ``` -_Note that the annotation `nginx.ingress.kubernetes.io/proxy-body-size` was found to be required to allow transfer of large files (such as data products) through the nginx proxy_ +!!! note + The secret must be created in the same Kubernetes namespace as the Minio service deployment - e.g. `rm` namespce in the example above. ### s3cmd Configuration @@ -205,7 +250,7 @@ S3 Endpoint: minio.192-168-49-2.nip.io DNS-style bucket+hostname:port template for accessing a bucket: minio.192-168-49-2.nip.io Encryption password: Path to GPG program: /usr/bin/gpg -Use HTTPS protocol: False +Use HTTPS protocol: True HTTP Proxy server name: HTTP Proxy server port: 0 ``` @@ -227,5 +272,6 @@ s3cmd -c deploy/cluster/s3cfg ls ### References -* [MinIO Helm Chart](https://bitnami.com/stack/minio/helm) -* [MinIO Helm Chart on GitHub](https://github.com/bitnami/charts/tree/master/bitnami/minio) +* [MinIO Website](https://min.io/) +* [MinIO Helm Chart](https://charts.min.io/) +* [MinIO on GitHub](https://github.com/minio/minio)