Add Minio Service

2024-02-06 20:25:57 -08:00 · 2024-02-06 20:25:57 -08:00 · 7509ca056e
commit 7509ca056e
parent 6926e74b8a
3 changed files with 250 additions and 0 deletions
--- a/nomad_jobs/services/minio/minio-singleton.nomad.hcl
+++ b/nomad_jobs/services/minio/minio-singleton.nomad.hcl
@ -0,0 +1,59 @@
+job "minio-singleton" {
+  datacenters = ["dc1"]
+  type        = "service"
+
+  group "minio" {
+    count = 1
+
+    network {
+      mode = "bridge"
+      port "console" {
+        to = 9090
+      }
+    }
+
+    service {
+      # Make available to other services by the 'minio-singleton' name
+      name = "minio-singleton"
+      port = "9000"
+      tags = ["traefik.enable=false"] # Hide minio from traefik
+
+      connect {
+        sidecar_service {
+          tags = ["traefik.enable=false"] # Hide minio from traefik
+        }
+      }
+    }
+
+    volume "minio-data" {
+      type      = "host"
+      source    = "minio"
+    }
+
+    task "minio" {
+      driver = "docker"
+
+      volume_mount {
+        volume      = "minio-data"
+        destination = "/data"
+      }
+
+      config {
+        image = "quay.io/minio/minio"
+        ports = ["console"]
+        command = "server"
+        args = ["/data", "--console-address", ":9090"]
+      }
+
+      resources {
+        cpu    = 100
+        memory = 2000
+      }
+
+      env {
+        MINIO_ROOT_USER="op://InfraSecrets/Minio-Singleton/username"
+        MINIO_ROOT_PASSWORD="op://InfraSecrets/Minio-Singleton/password"
+      }
+    }
+  }
+}
--- a/nomad_jobs/services/minio/minio.nomad.hcl
+++ b/nomad_jobs/services/minio/minio.nomad.hcl
@ -0,0 +1,143 @@
+# The use of Minio in this stack is not architected for high availability or
+# data integrity and as such, is not recommended for production use. Instead,
+# this is for making an s3 compatible storage available to the service mesh
+# and ZFS is relied upon for data integrity within a single node storage pool.
+
+# For a production ready Minio deployment, please start with the following:
+# https://min.io/docs/minio/kubernetes/upstream/operations/concepts/architecture.html
+
+# Note: This configures TWO minio instances, one for "HOT" storage made up of
+# SSDs and a "WARM" instance with HDDs instead. Manual configuration of tiers
+# is required to make use of this feature. TODO: Automate this.
+
+job "minio" {
+  datacenters = ["dc1"]
+  type        = "service"
+
+  group "minio" {
+    count = 1
+
+    network {
+      mode = "bridge"
+      port "console" {
+        to = 9090
+      }
+    }
+
+    service {
+      # Make available to other services by the 'minio' name
+      name = "minio"
+      port = "9000"
+      tags = ["traefik.enable=false"] # Hide minio from traefik
+
+      connect {
+        sidecar_service {
+          tags = ["traefik.enable=false"] # Hide minio from traefik
+        }
+      }
+    }
+
+    service {
+      name = "minio-backend-envoy"
+      tags = ["traefik.enable=false"] # Hide minio-backend from traefik
+      connect {
+        sidecar_service {
+          proxy {
+            upstreams {
+              destination_name = "minio-backend"
+              local_bind_address = "127.0.0.1"
+              local_bind_port  = 9001
+            }
+          }
+          tags = ["traefik.enable=false"] # Hide minio-backend from traefik
+        }
+      }
+    }
+
+    volume "minio-data" {
+      type      = "host"
+      source    = "minio-ssd" # Tier 1 Storage Host Volume
+    }
+
+    task "minio" {
+      driver = "docker"
+
+      volume_mount {
+        volume      = "minio-data"
+        destination = "/data"
+      }
+
+      config {
+        image = "quay.io/minio/minio"
+        ports = ["console"]
+        command = "server"
+        args = ["/data", "--console-address", ":9090"]
+      }
+
+      resources {
+        cpu    = 100
+        memory = 2000
+      }
+
+      env {
+        MINIO_ROOT_USER="op://InfraSecrets/Minio Tier 1/username"
+        MINIO_ROOT_PASSWORD="op://InfraSecrets/Minio Tier 1/password"
+      }
+    }
+  }
+
+  group "minio-hdd" {
+    count = 1
+
+    network {
+      mode = "bridge"
+      port "console" {
+        to = 9090
+      }
+    }
+
+    service {
+      name = "minio-backend"
+      port = "9000"
+      tags = ["traefik.enable=false"] # Hide minio-backend from traefik
+
+      connect {
+        sidecar_service {
+          tags = ["traefik.enable=false"] # Hide minio-backend from traefik
+        }
+      }
+    }
+    
+    volume "minio-warm-data" {
+      type      = "host"
+      source    = "minio-hdd" # Tier 2 Storage Host Volume
+    }
+
+    task "minio-hdd" {
+      driver = "docker"
+
+
+      volume_mount {
+        volume      = "minio-warm-data"
+        destination = "/data"
+      }
+
+      config {
+        image = "quay.io/minio/minio"
+        ports = ["console"]
+        command = "server"
+        args = ["/data", "--console-address", ":9090"]
+      }
+
+      resources {
+        cpu    = 100
+        memory = 2000
+      }
+
+      env {
+        MINIO_ROOT_USER="op://InfraSecrets/Minio Tier 2/username"
+        MINIO_ROOT_PASSWORD="op://InfraSecrets/Minio Tier 2/password"
+      }
+    }
+  }
+}
--- a/nomad_jobs/services/minio/readme.md
+++ b/nomad_jobs/services/minio/readme.md
@ -0,0 +1,48 @@
+# Minio
+Minio is an open source object storage server that is compatible with Amazon S3. You can use it to store and retrieve data from any application that requires s3 storage. You can configure storage tiers and lifecycle policies to manage your data with things like retention and expiration or movements between storage classes.
+
+The use of Minio in this stack is not architected for high availability or data integrity and as such, is not recommended for production use of any reasonably large scale. Instead, this is for making an s3 compatible storage available to the service mesh and ZFS is relied upon for data integrity within a single node storage pool.
+
+For a production ready Minio deployment, please start with the following:
+https://min.io/docs/minio/kubernetes/upstream/operations/concepts/architecture.html
+
+## Nomad Job for Minio
+Nomad requires a Host Volume to persist data across restarts. This will limit the portability of the running instance but it is simple to configure. If you want have dynamic storage, you will need to modify the job spec to use a different storage driver such as [Ceph](https://docs.ceph.com/en/latest/start/intro/) or [Seaweedfs](https://github.com/seaweedfs/seaweedfs/wiki). Both provide object storage that is S3 compatible so if you deploy those, you may not have a need for Minio but the admin interface and features of Minio may still meet your needs better. 
+
+### Minio-Singleton (minio-singleton.nomad.hcl)
+This job is for a single instance of Minio with no tiering. It is the simplest configuration and is suitable for a small amount of data. It is great for getting started with your own S3 compatible storage.
+
+#### Service Dependencies
+- A Valid [Host Volume](../../../host_init/README.md#storage-and-zfs)
+
+#### TODO
+If you want to deploy this, you will need to verify you have a valid host volume and set the initial  root credentials.
+
+| Line | Default | Adjustment |
+| --- | --- | --- |
+| 30 | `source = "minio"` | Change `minio` to a valid host volume name if applicable |
+| 37 | `volume = "minio-data"` | Change `minio-data` to the host volume defined on line 28 if applicable |
+| 54 | `"MINIO_ROOT_USER"="op://InfraSecrets/Minio-Singleton/username"` | Change the value to the root username you want. By default, this is a 1password path. See [Managing Secrets](../../README.md#managing-secrets) for more information |
+| 55 | `"MINIO_ROOT_PASSWORD"="op://InfraSecrets/Minio-Singleton/password"` | Change the value to the root password you want. By default, this is a 1password path. See [Managing Secrets](../../README.md#managing-secrets) for more information |
+
+### Minio-Tiered (minio.nomad.hcl)
+This job is for an instance of Minio with tiering. If your host has SSDs and HDDs, you can configure Minio to use the SSDs for "HOT" storage and the HDDs for "WARM" storage. This is useful for managing data that is accessed frequently and data that is accessed infrequently. 
+
+> IMPORTANT: Tiering is not a backup solution! You should still have a backup strategy for your data. Best to make backups regularly and follow at least the 3-2-1 rule: 3 copies of your data, 2 on different media, 1 offsite.
+
+#### Service Dependencies
+- Two Valid [Host Volumes](../../../host_init/README.md#storage-and-zfs)
+
+#### TODO
+If you want to deploy this, you will need to verify you have a valid host volume and set the initial  root credentials.
+
+| Line | Default | Adjustment |
+| --- | --- | --- |
+| 59 | `source = "minio-ssd"` | Change `minio-ssd` to a valid host volume name if applicable |
+| 66 | `volume = "minio-data"` | Change `minio-data` to the host volume defined on line 57 if applicable |
+| 83 | `"MINIO_ROOT_USER"="op://InfraSecrets/Minio Tier 1/username"` | Change the value to the root username you want. By default, this is a 1password path. See [Managing Secrets](../../README.md#managing-secrets) for more information |
+| 84 | `"MINIO_ROOT_PASSWORD"="op://InfraSecrets/Minio Tier 1/password"` | Change the value to the root password you want. By default, this is a 1password path. See [Managing Secrets](../../README.md#managing-secrets) for more information |
+| 113 | `source = "minio-hdd"` | Change `minio-hdd` to a valid host volume name if applicable |
+| 121 | `volume = "minio-warm-data"` | Change `minio-warm-data` to the host volume defined on line 111 if applicable |
+| 138 | `"MINIO_ROOT_USER"="op://InfraSecrets/Minio Tier 2/username"` | Change the value to the root username you want. By default, this is a 1password path. See [Managing Secrets](../../README.md#managing-secrets) for more information |
+| 139 | `"MINIO_ROOT_PASSWORD"="op://InfraSecrets/Minio Tier 2/password"` | Change the value to the root password you want. By default, this is a 1password path. See [Managing Secrets](../../README.md#managing-secrets) for more information |