Adding KES example with cert-manager (#1415)

.gitignore

@@ -14,4 +14,6 @@ logsearchapi-bin
 *.log
 .vscode
 minio.yaml
-nancy
+nancy
+examples/.DS_Store
+

examples/kustomization/tenant-certmanager-kes/certificates.yaml

@@ -0,0 +1,35 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: tenant-certmanager-issuer
+  namespace: minio-tenant
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: tenant-certmanager-cert
+  namespace: minio-tenant
+spec:
+  dnsNames:
+    - "*.tenant-certmanager.svc.cluster.local"
+    - "*.storage-certmanager.tenant-certmanager.svc.cluster.local"
+    - "*.storage-certmanager-hl.tenant-certmanager.svc.cluster.local"
+  secretName: tenant-certmanager-tls
+  issuerRef:
+    name: tenant-certmanager-issuer
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: tenant-certmanager-2-cert
+  namespace: tenant-certmanager
+spec:
+  dnsNames:
+    - "*.tenant-certmanager.svc.cluster.local"
+    - "*.storage-certmanager.tenant-certmanager.svc.cluster.local"
+    - "*.storage-certmanager-hl.tenant-certmanager.svc.cluster.local"
+  secretName: tenant-certmanager-2-tls
+  issuerRef:
+    name: tenant-certmanager-issuer

examples/kustomization/tenant-certmanager-kes/kustomization.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - certificates.yaml
+  - vault.yaml
+  - ubuntu.yaml
+  - ../base
+namespace: tenant-certmanager
+patchesStrategicMerge:
+  - tenant.yaml
+patchesJson6902:
+  - target:
+      group: minio.min.io
+      version: v2
+      kind: Tenant
+      name: storage
+    path: tenantNamePatch.yaml
+

examples/kustomization/tenant-certmanager-kes/tenant.yaml

@@ -0,0 +1,29 @@
+apiVersion: minio.min.io/v2
+kind: Tenant
+metadata:
+  name: storage
+  namespace: minio-tenant
+spec:
+  ## Disable default tls certificates.
+  requestAutoCert: false
+  ## Use certificates generated by cert-manager.
+  externalCertSecret:
+    - name: tenant-certmanager-tls
+      type: cert-manager.io/v1
+  kes:
+    externalCertSecret:
+      name: tenant-certmanager-2-tls
+      type: cert-manager.io/v1
+    image: minio/kes:v0.17.6
+    imagePullPolicy: IfNotPresent
+    kesSecret:
+      name: storage-certmanager-secret-kes-configuration
+    keyName: my-minio-key
+    replicas: 1
+    resources: {}
+    securityContext:
+      fsGroup: 1000
+      fsGroupChangePolicy: Always
+      runAsGroup: 1000
+      runAsNonRoot: true
+      runAsUser: 1000

examples/kustomization/tenant-certmanager-kes/tenantNamePatch.yaml

@@ -0,0 +1,4 @@
+- op: replace
+  path: /metadata/name
+  value: storage-certmanager
+

examples/kustomization/tenant-certmanager-kes/ubuntu.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: ubuntu
+  namespace: tenant-certmanager
+  labels:
+    app: ubuntu
+spec:
+  volumes:
+    - name: socket
+      hostPath:
+        path: /run/containerd/containerd.sock
+  containers:
+  - volumeMounts:
+      - mountPath: /run/containerd/containerd.sock
+        name: socket
+        readOnly: false
+    image: ubuntu
+    command:
+      - "sleep"
+      - "604800"
+    imagePullPolicy: IfNotPresent
+    name: ubuntu
+  restartPolicy: Always

examples/kustomization/tenant-certmanager-kes/vault.yaml

@@ -0,0 +1,50 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: vault
+  namespace: tenant-certmanager
+  labels:
+    name: vault
+spec:
+  ports:
+    - port: 8200
+      name: http
+  selector:
+    app: vault
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vault
+  namespace: tenant-certmanager
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: vault
+  template:
+    metadata:
+      labels:
+        app: vault
+    spec:
+      containers:
+        - name: vault
+          image: vault:latest
+          imagePullPolicy: "IfNotPresent"
+          env:
+            - name: SECRET_SHARES
+              value: "5"
+            - name: SECRET_THRESHOLD
+              value: "3"
+            - name: SELF_SIGNED_CERT
+              value: "true"
+            - name: TOTAL_INIT_RETRIES
+              value: "5"
+          ports:
+            - containerPort: 8200
+              name: http
+          securityContext:
+            capabilities:
+              add:
+                - IPC_LOCK