From 381b7cda3fad72ea6f68885651d3b74a96aae9fa Mon Sep 17 00:00:00 2001
From: Mayne0213
Date: Thu, 8 Jan 2026 17:15:50 +0900
Subject: [PATCH] FEAT(minio): add ClusterExternalSecret for S3 credentials

- Add minio-s3-credentials ClusterExternalSecret
- Auto-create secret in namespaces with minio-s3: enabled label
- Add minio-s3 label to zot namespace via managedNamespaceMetadata
- Credentials stored in Vault at secret/minio-s3-credentials
---
 minio/manifests/secret.yaml | 34 ++++++++++++++++++++++++++++++++++
 zot/argocd.yaml | 1 +
 2 files changed, 35 insertions(+)

diff --git a/minio/manifests/secret.yaml b/minio/manifests/secret.yaml
index c042aed..df0ebd2 100644
--- a/minio/manifests/secret.yaml
+++ b/minio/manifests/secret.yaml
@@ -28,3 +28,37 @@ spec:
 remoteRef:
 key: minio
 property: ROOT_PASSWORD
+---
+apiVersion: external-secrets.io/v1
+kind: ClusterExternalSecret
+metadata:
+ name: minio-s3-credentials
+spec:
+ namespaceSelector:
+ matchLabels:
+ minio-s3: enabled
+ refreshInterval: 1h
+ externalSecretSpec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-backend
+ target:
+ name: minio-s3-credentials
+ creationPolicy: Owner
+ data:
+ - secretKey: AWS_ACCESS_KEY_ID
+ remoteRef:
+ key: minio-s3-credentials
+ property: AWS_ACCESS_KEY_ID
+ - secretKey: AWS_SECRET_ACCESS_KEY
+ remoteRef:
+ key: minio-s3-credentials
+ property: AWS_SECRET_ACCESS_KEY
+ - secretKey: AWS_REGION
+ remoteRef:
+ key: minio-s3-credentials
+ property: AWS_REGION
+ - secretKey: AWS_S3_ENDPOINT
+ remoteRef:
+ key: minio-s3-credentials
+ property: AWS_S3_ENDPOINT
diff --git a/zot/argocd.yaml b/zot/argocd.yaml
index 9bb2129..99cbecc 100644
--- a/zot/argocd.yaml
+++ b/zot/argocd.yaml
@@ -41,4 +41,5 @@ spec:
 managedNamespaceMetadata:
 labels:
 goldilocks.fairwinds.com/enabled: 'true'
+ minio-s3: enabled
 revisionHistoryLimit: 10
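Review bot: The `namespaceSelector` of the new ClusterExternalSecret in minio/manifests/secret.yaml matches on the bare label `minio-s3: enabled`, so whoever can create or relabel a namespace can have the MinIO access key and secret copied into it. Nothing in this patch shows an admission policy or RBAC limit on that label; if none exists elsewhere, one should be added, and the contract belongs next to the selector, e.g. `# Namespaces labelled minio-s3=enabled receive the shared MinIO S3 key; changes to this label must be policy-gated.` All opted-in namespaces also read the same Vault entry `minio-s3-credentials`, so a leak in one consumer exposes the key for every consumer and rotation cannot be scoped. A per-consumer MinIO service account with its own Vault key would bound that, though whether this is practical depends on MinIO provisioning outside this diff.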
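Review bot: The added `minio-s3: enabled` label in zot/argocd.yaml is what grants the zot namespace the `minio-s3-credentials` secret, but nothing at that line says so, and it sits beside an unrelated Goldilocks label where it reads as harmless metadata. I would put a comment above it, such as `# grants this namespace minio-s3-credentials via the ClusterExternalSecret in minio/manifests/secret.yaml`, so that a later label cleanup or a copy into another Application is a deliberate decision. Argo CD applies `managedNamespaceMetadata` only when `CreateNamespace=true` is among the sync options, which lie outside this hunk, so that should be confirmed.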