updated for infra

infra/s3/docker-compose.yml

@@ -0,0 +1,198 @@
+configs:
+  minio_wait_sh:
+    file: ./minio-wait.sh
+
+services:
+  vault-agent-s3:
+    image: hashicorp/vault:latest
+    command: >
+      sh -lc 'vault agent -config=/etc/vault/agent.hcl'
+    cap_add: ["IPC_LOCK"]
+    environment:
+      VAULT_ADDR: "http://vault:8200"
+    secrets:
+      - source: s3_vault_role_id
+        target: /vault/secrets/role_id
+      - source: s3_vault_secret_id
+        target: /vault/secrets/secret_id
+    volumes:
+      - ./vault:/etc/vault:ro
+      - vault-secrets:/vault/secrets:rw
+    networks: [cicd]
+    healthcheck:
+      test: ["CMD-SHELL", "test -s /vault/secrets/MINIO_ROOT_USER -a -s /vault/secrets/MINIO_ROOT_PASSWORD"]
+      interval: 10s
+      timeout: 3s
+      retries: 10
+    deploy:
+      placement:
+        constraints: [node.role == manager]
+
+
+  minio1:
+    image: quay.io/minio/minio:latest
+    hostname: minio1
+    entrypoint: ["/usr/local/bin/minio-wait"]
+    command:
+      - server
+      - --console-address
+      - :9001
+      - http://minio1:9000/data
+      - http://minio2:9000/data
+      - http://minio3:9000/data
+      - http://minio4:9000/data
+    configs:
+      - source: minio_wait_sh
+        target: /usr/local/bin/minio-wait
+        mode: 0755
+    environment:
+      MINIO_ROOT_USER_FILE: /vault/secrets/MINIO_ROOT_USER
+      MINIO_ROOT_PASSWORD_FILE: /vault/secrets/MINIO_ROOT_PASSWORD
+      MINIO_SERVER_URL: https://s3.sendico.io
+      MINIO_BROWSER_REDIRECT_URL: https://minio.sendico.io
+    volumes:
+      - minio1_data:/data
+      - vault-secrets:/vault/secrets:ro
+    networks: [cicd]
+    deploy:
+      placement:
+        constraints: [node.role == manager]
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=cicd"
+
+      # services (чётко укажем порты)
+      - "traefik.http.services.s3-minio-api.loadbalancer.server.port=9000"
+      - "traefik.http.services.s3-minio-console.loadbalancer.server.port=9001"
+
+      # router для API
+      - "traefik.http.routers.s3-minio-api.rule=Host(`s3.sendico.io`)"
+      - "traefik.http.routers.s3-minio-api.entrypoints=websecure"
+      - "traefik.http.routers.s3-minio-api.tls=true"
+      - "traefik.http.routers.s3-minio-api.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.s3-minio-api.service=s3-minio-api"
+
+      # router для Console
+      - "traefik.http.routers.s3-minio-console.rule=Host(`minio.sendico.io`)"
+      - "traefik.http.routers.s3-minio-console.entrypoints=websecure"
+      - "traefik.http.routers.s3-minio-console.tls=true"
+      - "traefik.http.routers.s3-minio-console.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.s3-minio-console.service=s3-minio-console"
+
+
+  minio2:
+    image: quay.io/minio/minio:latest
+    hostname: minio2
+    entrypoint: ["/usr/local/bin/minio-wait"]
+    command:
+      - server
+      - --console-address
+      - :9001
+      - http://minio1:9000/data
+      - http://minio2:9000/data
+      - http://minio3:9000/data
+      - http://minio4:9000/data
+    configs:
+      - source: minio_wait_sh
+        target: /usr/local/bin/minio-wait
+        mode: 0755
+    environment:
+      MINIO_ROOT_USER_FILE: /vault/secrets/MINIO_ROOT_USER
+      MINIO_ROOT_PASSWORD_FILE: /vault/secrets/MINIO_ROOT_PASSWORD
+      MINIO_SERVER_URL: https://s3.sendico.io
+      MINIO_BROWSER_REDIRECT_URL: https://minio.sendico.io
+    volumes:
+      - minio2_data:/data
+      - vault-secrets:/vault/secrets:ro
+    networks: [cicd]
+    deploy:
+      placement:
+        constraints: [node.role == manager]
+      labels:
+        - "traefik.enable=false"
+  
+  minio3:
+    image: quay.io/minio/minio:latest
+    hostname: minio3
+    entrypoint: ["/usr/local/bin/minio-wait"]
+    command:
+      - server
+      - --console-address
+      - :9001
+      - http://minio1:9000/data
+      - http://minio2:9000/data
+      - http://minio3:9000/data
+      - http://minio4:9000/data
+    configs:
+      - source: minio_wait_sh
+        target: /usr/local/bin/minio-wait
+        mode: 0755
+    environment:
+      MINIO_ROOT_USER_FILE: /vault/secrets/MINIO_ROOT_USER
+      MINIO_ROOT_PASSWORD_FILE: /vault/secrets/MINIO_ROOT_PASSWORD
+      MINIO_SERVER_URL: https://s3.sendico.io
+      MINIO_BROWSER_REDIRECT_URL: https://minio.sendico.io
+    volumes:
+      - minio3_data:/data
+      - vault-secrets:/vault/secrets:ro
+    networks:
+      - cicd
+    deploy:
+      placement:
+        constraints: [node.role == manager]
+      labels:
+        - "traefik.enable=false"
+
+  minio4:
+    image: quay.io/minio/minio:latest
+    hostname: minio4
+    entrypoint: ["/usr/local/bin/minio-wait"]
+    command:
+      - server
+      - --console-address
+      - :9001
+      - http://minio1:9000/data
+      - http://minio2:9000/data
+      - http://minio3:9000/data
+      - http://minio4:9000/data
+    configs:
+      - source: minio_wait_sh
+        target: /usr/local/bin/minio-wait
+        mode: 0755
+    environment:
+      MINIO_ROOT_USER_FILE: /vault/secrets/MINIO_ROOT_USER
+      MINIO_ROOT_PASSWORD_FILE: /vault/secrets/MINIO_ROOT_PASSWORD
+      MINIO_SERVER_URL: https://s3.sendico.io
+      MINIO_BROWSER_REDIRECT_URL: https://minio.sendico.io
+    volumes:
+      - minio4_data:/data
+      - vault-secrets:/vault/secrets:ro
+    networks:
+      - cicd
+    deploy:
+      placement:
+        constraints: [node.role == manager]
+      labels:
+        - "traefik.enable=false"
+
+networks:
+  cicd:
+    external: true
+
+volumes:
+  vault-secrets:
+    driver: local
+    driver_opts:
+      type: tmpfs
+      device: tmpfs
+      o: size=16m,uid=1000,gid=1000,mode=0750
+  minio1_data:
+  minio2_data:
+  minio3_data:
+  minio4_data:
+
+secrets:
+  s3_vault_role_id:
+    external: true
+  s3_vault_secret_id:
+    external: true