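---
# MinIO single-node deployment: Namespace, data PVC, Deployment (server plus a
# bucket-policy sidecar), ClusterIP Service, and two Traefik Ingresses
# (S3 API and web console).
apiVersion: v1
kind: Namespace
metadata:
  name: minio
---
# Persistent storage for the MinIO data directory (mounted at /data).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: minio-data
  namespace: minio
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 50Gi
  storageClassName: local-path
---
# The root credentials used to be inline literals in this manifest. They are
# now read from a Secret so that the manifest can be committed and shared
# without carrying the password. The Secret name and key names below
# (minio-root-credentials / root-user / root-password) are constructed for
# this review; create the Secret out of band (for example with
# `kubectl create secret generic`) before applying this file. The pod will not
# start until it exists. The value that was committed previously should be
# treated as exposed and rotated.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: minio
  namespace: minio
spec:
  replicas: 1
  selector:
    matchLabels:
      app: minio
  template:
    metadata:
      labels:
        app: minio
    spec:
      containers:
        - name: minio
          # NOTE(review): ":latest" is a floating tag, so a pod restart can
          # silently pull a different server build. Pin a specific release tag
          # or an image digest.
          image: minio/minio:latest
          command:
            - /bin/sh
            - -c
            - 'minio server /data --console-address ":9001"'
          ports:
            - containerPort: 9000
              name: api
            - containerPort: 9001
              name: console
          env:
            - name: MINIO_ROOT_USER
              valueFrom:
                secretKeyRef:
                  name: minio-root-credentials
                  key: root-user
            - name: MINIO_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: minio-root-credentials
                  key: root-password
            - name: MINIO_SERVER_URL
              value: "https://s3.u6.net3w.com"
            - name: MINIO_BROWSER_REDIRECT_URL
              value: "https://console.s3.u6.net3w.com"
          volumeMounts:
            - name: data
              mountPath: /data
          livenessProbe:
            httpGet:
              path: /minio/health/live
              port: 9000
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /minio/health/ready
              port: 9000
            initialDelaySeconds: 10
            periodSeconds: 5
        # Sidecar that polls the server every 30 seconds and switches every
        # bucket that has no anonymous "download" policy to anonymous download.
        # NOTE(review): combined with the public Ingress for the S3 API, this
        # makes the contents of EVERY bucket readable without authentication,
        # including buckets created later for private data. If only some
        # buckets are meant to be public, restrict the loop to an explicit
        # allow-list of bucket names.
        # NOTE(review): the sidecar runs with the root credentials although it
        # only needs to list buckets and set bucket policies; a dedicated
        # MinIO user with a narrow policy would limit the impact of a
        # compromised sidecar.
        - name: policy-manager
          # NOTE(review): floating tag, and the mc binary is downloaded at
          # every start with no version pin and no integrity check, so the
          # code that handles the root credentials is whatever the download
          # host serves at that moment. Prefer a pinned image that already
          # contains mc (MinIO publishes minio/mc), or pin the release and
          # verify a checksum obtained separately. The download URL is also
          # hard-coded to linux-arm64 and will not run on other architectures.
          image: alpine:latest
          command:
            - /bin/sh
            - -c
            - |
              # Install the MinIO Client (mc).
              wget https://dl.min.io/client/mc/release/linux-arm64/mc -O /usr/local/bin/mc
              chmod +x /usr/local/bin/mc

              # Register the local server under the alias "myminio". Retry until the
              # server answers instead of relying on a fixed start-up delay.
              until mc alias set myminio http://localhost:9000 "${MINIO_ROOT_USER}" "${MINIO_ROOT_PASSWORD}"; do
                sleep 2
              done

              echo "Policy manager started. Monitoring buckets..."

              # Poll forever and apply the policy to newly created buckets.
              while true; do
                # List all buckets (last column of `mc ls`, trailing slash stripped).
                mc ls myminio 2>/dev/null | awk '{print $NF}' | sed 's/\///' | while read -r BUCKET; do
                  if [ -n "$BUCKET" ]; then
                    # Read the bucket's current anonymous-access policy.
                    POLICY_OUTPUT=$(mc anonymous get "myminio/${BUCKET}" 2>&1)

                    # Treat the bucket as private when the output contains
                    # "Access permission for" but not "download".
                    if echo "$POLICY_OUTPUT" | grep -q "Access permission for" &&
                       ! echo "$POLICY_OUTPUT" | grep -q "download"; then
                      echo "Setting download policy for bucket: ${BUCKET}"
                      mc anonymous set download "myminio/${BUCKET}"
                    fi
                  fi
                done

                sleep 30
              done
          env:
            - name: MINIO_ROOT_USER
              valueFrom:
                secretKeyRef:
                  name: minio-root-credentials
                  key: root-user
            - name: MINIO_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: minio-root-credentials
                  key: root-password
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: minio-data
---
# In-cluster Service exposing the S3 API (9000) and the web console (9001).
apiVersion: v1
kind: Service
metadata:
  name: minio
  namespace: minio
spec:
  type: ClusterIP
  ports:
    - port: 9000
      targetPort: 9000
      name: api
    - port: 9001
      targetPort: 9001
      name: console
  selector:
    app: minio
---
# Public route to the S3 API.
# NOTE(review): neither Ingress has a `tls:` stanza although MINIO_SERVER_URL
# and MINIO_BROWSER_REDIRECT_URL are https. Confirm that TLS is terminated by
# the Traefik entrypoint configuration; otherwise credentials and object data
# can travel in clear text.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minio-api
  namespace: minio
spec:
  ingressClassName: traefik
  rules:
    - host: s3.u6.net3w.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: minio
                port:
                  number: 9000
---
# Public route to the MinIO web console.
# NOTE(review): the console accepts the root login. Consider limiting who can
# reach this host (source-IP allow-list, VPN, or an authenticating proxy)
# rather than publishing it to the whole internet.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minio-console
  namespace: minio
spec:
  ingressClassName: traefik
  rules:
    - host: console.s3.u6.net3w.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: minio
                port:
                  number: 9001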