Copilot AI commented Jan 13, 2026

Adds MinIO object storage to the observability stack for Loki persistence. Standalone deployment on NFS with credentials managed via 1Password Operator, console exposed over Tailscale.

Implementation

ArgoCD Applications (argocd/apps/observability/)

  • minio-secrets.yml (wave 10): Syncs 1Password credentials into minio-credentials Secret
  • minio.yml (wave 20): Deploys MinIO Helm chart v5.3.0 in standalone mode

1Password Integration (k8s/minio_secrets/)

  • OnePasswordItem CRD references vaults/HomeLab/items/k3s-observability-minio
  • Required fields: rootUser, rootPassword, lokiSecretKey
  • Creates Secret consumed by Helm chart via existingSecret: minio-credentials

MinIO Configuration

  • 20Gi NFS PVC (nfs-synology-retain)
  • ClusterIP services (API: 9000, Console: 9001)
  • Automated provisioning: loki bucket + loki user with restricted RW policy

Tailscale Ingress (k8s/resources/ingresses/observability-minio/)

  • Console at minio.rohu-shark.ts.net -> minio-console:9001
  • Homepage annotations for dashboard integration

S3 Endpoint

```yaml
# Loki configuration
storage:
  s3:
    endpoint: http://minio.observability-minio.svc.cluster.local:9000
    bucket_name: loki
    access_key_id: loki
    secret_access_key: <from 1Password lokiSecretKey>
```

Prerequisites

Create 1Password item k3s-observability-minio in HomeLab vault with fields: rootUser, rootPassword, lokiSecretKey.

Original prompt

This section details the original issue you should resolve

<issue_title>Deploy MinIO via Argo CD using 1Password Operator secrets (k3s + NFS)</issue_title>
<issue_description>### Goal

Deploy MinIO into k3s via Argo CD Application, with:

  • Standalone MinIO (single-node / non-distributed)
  • Persistence on NFS-backed PVC
  • Credentials sourced exclusively via 1Password Operator CRDs (OnePasswordItem)
  • Provisioning enabled to create a bucket + a Loki user (non-root)
  • ClusterIP only (no ingress)

Repo changes

1) Add new MinIO app folder and manifests

Create (match your repo conventions; names here are suggested):

  • argocd/minio/minio.yml (ArgoCD Application)
  • argocd/minio/minio-onepassword.yml (OnePasswordItem CR(s))

Namespace:

  • observability-minio

Argo project:

  • coachlight-k3s-observability

2) 1Password Operator objects (no raw Secret manifests)

2.1 Create a 1Password item in your vault

Copilot should not do this step in git (obviously), but the PR should document the required 1Password item.

Create a 1Password item (example name):

  • k3s-observability-minio

It must contain fields for:

  • rootUser
  • rootPassword
  • lokiAccessKey
  • lokiSecretKey

(Exact field names can be adjusted to whatever the MinIO Helm chart expects; Copilot must map these correctly.)

2.2 Create OnePasswordItem CR in-cluster

Create argocd/minio/minio-onepassword.yml that defines a OnePasswordItem in observability-minio that materializes a Kubernetes Secret (generated by the operator) with the above fields.

Example (Copilot must adapt to your established 1Password Operator patterns in-repo):

```yaml
---
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: minio-credentials
  namespace: observability-minio
spec:
  itemPath: "vaults/<YOUR_VAULT>/items/k3s-observability-minio"
```

Copilot requirements

  • Search the repo for existing OnePasswordItem usage and mirror:

    • apiVersion/kind
    • itemPath conventions
    • naming conventions
  • Ensure Argo CD will apply this CR before the MinIO Helm release needs the Secret (sync-wave or separate Application ordering).


3) MinIO Helm chart: use existingSecret generated by 1Password Operator

3.1 Chart source and version pin

Use the same chart approach you already intended (MinIO chart repo), but:

  • Pin targetRevision to a specific chart version (no floating).

Copilot must fetch chart values/docs and confirm parameter names.

3.2 Helm values: NFS persistence + secret wiring

In argocd/minio/minio.yml, set:

  • mode: standalone (or equivalent)
  • persistence.enabled: true
  • persistence.storageClass: <YOUR_NFS_STORAGECLASS>
  • service.type: ClusterIP
  • ingress.enabled: false
  • existingSecret: minio-credentials (this is the Secret produced by the OnePasswordItem)

Important
Copilot must confirm the exact key names the chart expects inside that Secret (often rootUser/rootPassword or accesskey/secretkey style). If the chart expects different keys, either:

  • Adjust the 1Password item field names to match, or
  • Use the chart’s “secretKey” mapping values (if supported).

No guessing. Copilot must validate against the chart’s values.yaml.


4) Provisioning: bucket + Loki user

We want MinIO to:

  • Create bucket: loki
  • Create a non-root user: loki
  • Attach policy allowing RW to loki bucket

Copilot requirements

  • Confirm the MinIO chart’s provisioning mechanism and exact values structure (some charts use a provisioning job and take config from values and/or Secrets).
  • Ensure the provisioning uses lokiAccessKey/lokiSecretKey from the Secret produced by the OnePasswordItem, not hardcoded.
  • Ensure the root creds are used only for MinIO bootstrap/provisioning, not by Loki.

Again: verify chart structure; don’t invent YAML.


5) Argo CD application manifests

5.1 OnePasswordItem should land first

You have two acceptable patterns. Copilot should use whichever matches your repo:

Pattern A: same Argo Application, split via sync-waves

  • Put the OnePasswordItem in the same folder and ensure it applies before Helm render depends on the Secret.
  • Use argocd.argoproj.io/sync-wave annotations on the CR manifest (or Kustomize ordering if you use it).

Pattern B: separate Argo Application

  • Create minio-secrets Application (wave 10)
  • Create minio Application (wave 20)

This is often cleaner/less fragile.

Copilot should search the repo for how you already deploy 1Password items and follow that exact pattern.

5.2 MinIO Argo Application skeleton

Create argocd/minio/minio.yml similar to:

```yaml
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: minio
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "20"
spec:
  project: coachlight-k3s-observability
  source:
    repoURL: https://charts.min.io/
    chart: minio
    targe...
```

</details>




- Fixes SRF-Audio/utility-scripts#194
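The "restricted RW policy" the provisioning step attaches to the non-root `loki` user, as an added example that is not part of the PR or of the MinIO chart: it builds a policy scoped to the single `loki` bucket and lints any policy document so an over-broad grant (the shape of MinIO's built-in `readwrite` policy, which spans every bucket) is caught before it is applied. The action list and the `policy_findings` checker are assumptions about what Loki needs, not values taken from the chart.

```python
import json

BUCKET = "loki"

# Assumed minimal S3 actions for Loki's object store: list the bucket, then
# read, write and delete chunk/index objects inside it. Nothing cluster-wide.
BUCKET_ACTIONS = ["s3:GetBucketLocation", "s3:ListBucket"]
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]


def loki_rw_policy(bucket: str = BUCKET) -> dict:
    """Policy granting RW on exactly one bucket (IAM grammar MinIO accepts)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": BUCKET_ACTIONS,
             "Resource": [f"arn:aws:s3:::{bucket}"]},
            {"Effect": "Allow", "Action": OBJECT_ACTIONS,
             "Resource": [f"arn:aws:s3:::{bucket}/*"]},
        ],
    }


def policy_findings(policy: dict, allowed_bucket: str = BUCKET) -> list:
    """Return findings for Allow grants that reach past the one allowed bucket."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        bad = [a for a in actions if a in ("*", "s3:*") or a.startswith("admin:")]
        if bad:
            findings.append(f"statement {i}: wildcard or admin actions {bad}")
        for res in resources:
            # ARN form is arn:aws:s3:::<bucket>[/<key>]; anything else is suspect
            bucket = res.removeprefix("arn:aws:s3:::").split("/", 1)[0]
            if not res.startswith("arn:aws:s3:::") or bucket != allowed_bucket:
                findings.append(f"statement {i}: resource {res!r} is not bucket {allowed_bucket!r}")
    return findings


# Constructed over-broad policy: the readwrite shape, every bucket and action
OVERBROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]}]}

if __name__ == "__main__":
    print(json.dumps(loki_rw_policy(), indent=2))
    print(policy_findings(OVERBROAD))
```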


Copilot AI and others added 3 commits January 13, 2026 02:02
Co-authored-by: SRF-Audio <16975040+SRF-Audio@users.noreply.github.com>
Co-authored-by: SRF-Audio <16975040+SRF-Audio@users.noreply.github.com>
Co-authored-by: SRF-Audio <16975040+SRF-Audio@users.noreply.github.com>
Copilot AI changed the title [WIP] Deploy MinIO using Argo CD with 1Password Operator secrets Deploy MinIO via ArgoCD with 1Password Operator and Tailscale Ingress Jan 13, 2026
Copilot AI requested a review from SRF-Audio January 13, 2026 02:11