Redefine minio tenants

Francois Eleouetrequested to merge
redefine-minio-tenants into main

What does this MR do and why?

Redefine minio tenants as discussed in #1648 (closed)

Units are renamed to ensure tenant pruning & re-creation

Use a dedicated tenant for monitoring & logging, with a different longhorn storage class (2 replicas), update loki and thanos to use reduced-redundancy storage class

This MR comes in separated commits

- Vault: grant the secret-writer permission to delete secrets

This is required to enable the pruning of RandomSecrets that will be deleted when minio-monitoring-tenant unit will be deleted

- Rename minio-monitoring-tenant

This commit is essentially a renaming of minio-monitoring-tenant unit into minio-monitoring to force the re-creation of the minio tenant that can't be easily reconfigured.

It anyway contains few functional changes (sorry for not having a dedicated commit for that):

  • It adds a new storageClass two-replicas-storageclass and configures thanos to use REDUCED_REDUNDANCY storage class in minio
  • minio-monitoring-tenant-init unit is renamed to minio-monitoring-init unit, but the underlying kustomisation is generalized to minio-tenant-init (with a new TENANT_NAME parameter) in order to be usable as minio-logging-init later on

- Thanos: Use tenant user instead of root to access minio

This commit renames minio users to use more explicit usernames/access-keys:

  • 'minio' becomes 'minio-monitoring-root' (or 'minio-logging-root')
  • 'console' becomes 'minio-monitoring-user' (or 'minio-logging-user')

And it changes thanos to use minio-monitoring-user instead of minio-monitoring-root.

- Use dedicated minio tenant for logging

This commit finally defines a dedicated minio tenant for loki, and reconfigures loki to use it

- Uninstall thanos before upgrades

This is required as thanos was using single-replicas-storageclass when it was defined, and this value can't be updated

- Add job to delete minio-monitoring-tenant PVCs

minio-monitoring-tenant will be deleted when upgrading form previous release, but PVCs won't be cleaned up. This job takes care of removing them

Related reference(s)

Closes: #1648 (closed) Closes: #1646 (closed)

Edited by Francois Eleouet

Merge request reports