Initial talos storage server

This commit is contained in:
Finn 2025-01-13 18:40:19 -08:00
parent 33667cc9e3
commit 4b51367839
19 changed files with 770 additions and 36 deletions


@ -0,0 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
helmCharts:
- name: cert-manager-webhook-pdns
namespace: cert-manager
releaseName: cert-manager-webhook-pdns
version: v3.2.2
repo: https://zachomedia.github.io/cert-manager-webhook-pdns


@ -19,6 +19,6 @@ for component in openbao external-secrets secrets-store-csi-driver; do
done
# cisco k8s cluster operators
for component in rook; do
for component in rook cert-manager-webhook-pdns traefik; do
render_helm ../talos/k8s/operators "${component}"
done


@ -0,0 +1,20 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
helmCharts:
- name: traefik
namespace: traefik
releaseName: traefik
version: v34.0.0
valuesInline:
deployment:
replicas: 2
ports:
websecure:
hostPort: 443
proxyProtocol:
trustedIPs:
- 10.5.1.1/32
providers:
kubernetesCRD:
allowCrossNamespace: true
repo: https://traefik.github.io/charts
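Review bot: `allowCrossNamespace: true` under `providers.kubernetesCRD` lets an IngressRoute in any namespace point at a Service in any other namespace, so the namespace stops being a routing/tenancy boundary for everything this Traefik serves, and the value carries no comment saying why it is needed. If one known consumer needs it, record that next to the key, e.g. `allowCrossNamespace: true  # needed for <which routes> — TODO name them`; otherwise leave the chart default and keep routes beside their backends. The rendered Deployment from these values also inherits the chart's default `globalArguments` (`--global.checknewversion`, `--global.sendanonymoususage`), which have the ingress phone out to Traefik's servers; `globalArguments: []` in `valuesInline` disables both if that is not wanted. `hostPort: 443` is also what later forces the traefik Namespace to the `privileged` pod-security level, so it is worth a one-line comment here too.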

1
talos/.gitignore vendored

@ -1 +1,2 @@
/talosconfig
/controlplane.yaml


@ -0,0 +1,311 @@
# DO NOT EDIT: This file has been automatically generated by the script in helm/render-all.sh, edits may get overwritten
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: cert-manager-webhook-pdns
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cert-manager-webhook-pdns
app.kubernetes.io/version: v2.5.1
helm.sh/chart: cert-manager-webhook-pdns-3.2.2
name: cert-manager-webhook-pdns
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: cert-manager-webhook-pdns
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cert-manager-webhook-pdns
app.kubernetes.io/version: v2.5.1
helm.sh/chart: cert-manager-webhook-pdns-3.2.2
name: cert-manager-webhook-pdns
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- apiGroups:
- flowcontrol.apiserver.k8s.io
resources:
- flowschemas
- prioritylevelconfigurations
verbs:
- watch
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: cert-manager-webhook-pdns
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cert-manager-webhook-pdns
app.kubernetes.io/version: v2.5.1
helm.sh/chart: cert-manager-webhook-pdns-3.2.2
name: cert-manager-webhook-pdns:domain-solver
rules:
- apiGroups:
- acme.zacharyseguin.ca
resources:
- '*'
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/instance: cert-manager-webhook-pdns
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cert-manager-webhook-pdns
app.kubernetes.io/version: v2.5.1
helm.sh/chart: cert-manager-webhook-pdns-3.2.2
name: cert-manager-webhook-pdns:webhook-authentication-reader
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager-webhook-pdns
namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: cert-manager-webhook-pdns
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cert-manager-webhook-pdns
app.kubernetes.io/version: v2.5.1
helm.sh/chart: cert-manager-webhook-pdns-3.2.2
name: cert-manager-webhook-pdns
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-webhook-pdns
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager-webhook-pdns
namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: cert-manager-webhook-pdns
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cert-manager-webhook-pdns
app.kubernetes.io/version: v2.5.1
helm.sh/chart: cert-manager-webhook-pdns-3.2.2
name: cert-manager-webhook-pdns:auth-delegator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager-webhook-pdns
namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: cert-manager-webhook-pdns
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cert-manager-webhook-pdns
app.kubernetes.io/version: v2.5.1
helm.sh/chart: cert-manager-webhook-pdns-3.2.2
name: cert-manager-webhook-pdns:domain-solver
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-webhook-pdns:domain-solver
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager
namespace: cert-manager
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: cert-manager-webhook-pdns
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cert-manager-webhook-pdns
app.kubernetes.io/version: v2.5.1
helm.sh/chart: cert-manager-webhook-pdns-3.2.2
name: cert-manager-webhook-pdns
spec:
ports:
- name: https
port: 443
protocol: TCP
targetPort: https
selector:
app.kubernetes.io/instance: cert-manager-webhook-pdns
app.kubernetes.io/name: cert-manager-webhook-pdns
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/instance: cert-manager-webhook-pdns
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cert-manager-webhook-pdns
app.kubernetes.io/version: v2.5.1
helm.sh/chart: cert-manager-webhook-pdns-3.2.2
name: cert-manager-webhook-pdns
spec:
replicas: null
selector:
matchLabels:
app.kubernetes.io/instance: cert-manager-webhook-pdns
app.kubernetes.io/name: cert-manager-webhook-pdns
template:
metadata:
labels:
app.kubernetes.io/instance: cert-manager-webhook-pdns
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cert-manager-webhook-pdns
app.kubernetes.io/version: v2.5.1
helm.sh/chart: cert-manager-webhook-pdns-3.2.2
spec:
containers:
- args:
- --tls-cert-file=/tls/tls.crt
- --tls-private-key-file=/tls/tls.key
- --secure-port=8443
env:
- name: GROUP_NAME
value: acme.zacharyseguin.ca
image: zachomedia/cert-manager-webhook-pdns:v2.5.1
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /healthz
port: https
scheme: HTTPS
name: cert-manager-webhook-pdns
ports:
- containerPort: 8443
name: https
protocol: TCP
readinessProbe:
httpGet:
path: /healthz
port: https
scheme: HTTPS
resources: {}
securityContext:
runAsGroup: 100
runAsUser: 100
volumeMounts:
- mountPath: /tls
name: certs
readOnly: true
serviceAccountName: cert-manager-webhook-pdns
volumes:
- name: certs
secret:
secretName: cert-manager-webhook-pdns-webhook-tls
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
annotations:
cert-manager.io/inject-ca-from: cert-manager/cert-manager-webhook-pdns-webhook-tls
labels:
app.kubernetes.io/instance: cert-manager-webhook-pdns
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cert-manager-webhook-pdns
app.kubernetes.io/version: v2.5.1
helm.sh/chart: cert-manager-webhook-pdns-3.2.2
name: v1alpha1.acme.zacharyseguin.ca
spec:
group: acme.zacharyseguin.ca
groupPriorityMinimum: 1000
service:
name: cert-manager-webhook-pdns
namespace: cert-manager
version: v1alpha1
versionPriority: 15
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
labels:
app.kubernetes.io/instance: cert-manager-webhook-pdns
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cert-manager-webhook-pdns
app.kubernetes.io/version: v2.5.1
helm.sh/chart: cert-manager-webhook-pdns-3.2.2
name: cert-manager-webhook-pdns-ca
namespace: cert-manager
spec:
commonName: ca.cert-manager-webhook-pdns.cert-manager
duration: 43800h0m0s
isCA: true
issuerRef:
name: cert-manager-webhook-pdns-selfsign
secretName: cert-manager-webhook-pdns-ca
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
labels:
app.kubernetes.io/instance: cert-manager-webhook-pdns
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cert-manager-webhook-pdns
app.kubernetes.io/version: v2.5.1
helm.sh/chart: cert-manager-webhook-pdns-3.2.2
name: cert-manager-webhook-pdns-webhook-tls
namespace: cert-manager
spec:
dnsNames:
- cert-manager-webhook-pdns
- cert-manager-webhook-pdns.cert-manager
- cert-manager-webhook-pdns.cert-manager.svc
duration: 8760h0m0s
issuerRef:
name: cert-manager-webhook-pdns-ca
secretName: cert-manager-webhook-pdns-webhook-tls
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
labels:
app.kubernetes.io/instance: cert-manager-webhook-pdns
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cert-manager-webhook-pdns
app.kubernetes.io/version: v2.5.1
helm.sh/chart: cert-manager-webhook-pdns-3.2.2
name: cert-manager-webhook-pdns-ca
namespace: cert-manager
spec:
ca:
secretName: cert-manager-webhook-pdns-ca
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
labels:
app.kubernetes.io/instance: cert-manager-webhook-pdns
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cert-manager-webhook-pdns
app.kubernetes.io/version: v2.5.1
helm.sh/chart: cert-manager-webhook-pdns-3.2.2
name: cert-manager-webhook-pdns-selfsign
namespace: cert-manager
spec:
selfSigned: {}


@ -0,0 +1,18 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- bundle.yaml
- letsencrypt.yaml
patches:
- path: namespace-patch.yaml
target:
kind: Deployment
name: cert-manager-webhook-pdns
- path: namespace-patch.yaml
target:
kind: ServiceAccount
name: cert-manager-webhook-pdns
- path: namespace-patch.yaml
target:
kind: Service
name: cert-manager-webhook-pdns
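Review bot: The three namespace patches re-implement what a kustomization-level `namespace: cert-manager` would do, and nothing explains why the field was not used; the likely reason — the rendered bundle contains a RoleBinding that must stay in kube-system, which `namespace:` would rewrite — belongs in a comment above `patches:`, e.g. `# targeted patches rather than namespace: — the bundle's RoleBinding must stay in kube-system`. The targeted form has a maintenance cost worth stating in the same comment: any new namespaced object a later chart version renders (a PodDisruptionBudget, a second Secret) will silently land in the default namespace until it is added to this list. The Certificates and Issuers in the bundle already carry `namespace: cert-manager`, so leaving them out of the list is correct as rendered.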


@ -0,0 +1,20 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt
spec:
acme:
email: dns-admin@janky.solutions
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-account-key
solvers:
- dns01:
webhook:
groupName: acme.zacharyseguin.ca
solverName: pdns
config:
host: https://dns.janky.solutions
apiKeySecretRef:
name: dns-janky-solutions
key: api-key
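Review bot: `apiKeySecretRef` names a Secret `dns-janky-solutions` that this commit does not create, and since the parent is a ClusterIssuer the lookup happens in cert-manager's cluster-resource namespace (cert-manager by default), not in the namespace of whichever Certificate is being issued; add a comment recording where and how it is provisioned, e.g. `# Secret dns-janky-solutions (key api-key) is created out of band in the cert-manager namespace and holds the PowerDNS API key`. As I read the rendered bundle it is the webhook pod, not cert-manager, that reads this Secret, which is what its ClusterRole's cluster-wide `get` on `secrets` is for; that grant is the chart default, but it means the webhook's service account can read every Secret in the cluster, so the webhook's namespace and image provenance deserve the same scrutiny as cert-manager itself. The `host` uses https, so the API key is not sent in the clear; keep that in mind if the endpoint is ever changed.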


@ -0,0 +1,3 @@
- op: add
path: /metadata/namespace
value: cert-manager


@ -0,0 +1,6 @@
- op: add
path: /spec/template/spec/containers/0/args/-
value: --dns01-recursive-nameservers-only # adding this arg makes DNS-01 validation work, unclear why it doesnt work otherwise.
- op: add
path: /spec/template/spec/containers/0/args/-
value: --dns01-recursive-nameservers=1.1.1.1:53,8.8.8.8:53,8.8.4.4:53
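Review bot: The comment on the first patch says the flag is needed but not why, and the mechanism is documented cert-manager behaviour: without `--dns01-recursive-nameservers-only` the pre-issuance self-check resolves the zone's authoritative nameservers and queries them directly for the `_acme-challenge` TXT record, so it fails or stalls when the authoritative PowerDNS is not reachable from pods or answers differently from inside the network; with the flag only the recursive resolvers listed in the second patch are asked. Suggest replacing the trailing comment with one above the `- op:` entry such as `# self-check via the public recursors below only; the authoritative NS is not reachable/consistent from inside the cluster — TODO confirm which applies`, since the actual cause is not shown here. Both patches append to `containers/0/args`, so they assume the controller is container 0 of the cert-manager Deployment; that appears to hold for the upstream manifest pinned in this commit, but a comment noting the coupling will save the next upgrade a surprise.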


@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://github.com/cert-manager/cert-manager/releases/download/v1.16.2/cert-manager.yaml
patches:
- path: controller-patches.yaml
target:
kind: Deployment
name: cert-manager
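Review bot: The cert-manager manifest is pulled from GitHub at `kustomize build` time with no integrity check; a release tag is mutable and kustomize verifies nothing for HTTP resources, so the build's output depends on whatever that URL serves on the day and on network access during the build. The rest of this commit vendors rendered chart output into the tree (the `bundle.yaml` files), so the same treatment here — download `cert-manager.yaml` for v1.16.2 once, commit it, and reference the local file — would make the build reproducible and let a future bump show up as a reviewable content diff rather than a URL change. If it stays remote, the minimum is a comment recording what was verified, e.g. `# v1.16.2 fetched at build time; release sha256 <CHECKSUM-PLACEHOLDER> checked on <DATE-PLACEHOLDER>`.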


@ -1,4 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cert-manager
- cert-manager-webhook-pdns
- rook
- traefik


@ -6,4 +6,3 @@ resources:
- bundle.yaml
- cluster.yaml
- toolbox.yaml
- pools.yaml


@ -1,34 +0,0 @@
apiVersion: ceph.rook.io/v1
kind: CephObjectStore
metadata:
name: muh-buckets
namespace: rook-ceph
spec:
metadataPool:
failureDomain: osd
replicated:
size: 3
dataPool:
failureDomain: osd
erasureCoded:
dataChunks: 2
codingChunks: 1
preservePoolsOnDelete: true
gateway:
# sslCertificateRef:
# caBundleRef:
port: 80
# securePort: 443
instances: 1
# A key/value list of annotations
annotations:
# key: value
resources:
# limits:
# cpu: "500m"
# memory: "1024Mi"
# requests:
# cpu: "500m"
# memory: "1024Mi"
#zone:
#name: zone-a


@ -0,0 +1,273 @@
# DO NOT EDIT: This file has been automatically generated by the script in helm/render-all.sh, edits may get overwritten
apiVersion: v1
automountServiceAccountToken: false
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: traefik-traefik
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: traefik
helm.sh/chart: traefik-34.0.0
name: traefik
namespace: traefik
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: traefik-traefik
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: traefik
helm.sh/chart: traefik-34.0.0
name: traefik-traefik
rules:
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingressclasses
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- traefik.io
resources:
- ingressroutes
- ingressroutetcps
- ingressrouteudps
- middlewares
- middlewaretcps
- serverstransports
- serverstransporttcps
- tlsoptions
- tlsstores
- traefikservices
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: traefik-traefik
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: traefik
helm.sh/chart: traefik-34.0.0
name: traefik-traefik
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-traefik
subjects:
- kind: ServiceAccount
name: traefik
namespace: traefik
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: traefik-traefik
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: traefik
helm.sh/chart: traefik-34.0.0
name: traefik
namespace: traefik
spec:
ports:
- name: web
port: 80
protocol: TCP
targetPort: web
- name: websecure
port: 443
protocol: TCP
targetPort: websecure
selector:
app.kubernetes.io/instance: traefik-traefik
app.kubernetes.io/name: traefik
type: LoadBalancer
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/instance: traefik-traefik
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: traefik
helm.sh/chart: traefik-34.0.0
name: traefik
namespace: traefik
spec:
minReadySeconds: 0
replicas: 2
selector:
matchLabels:
app.kubernetes.io/instance: traefik-traefik
app.kubernetes.io/name: traefik
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
type: RollingUpdate
template:
metadata:
annotations:
prometheus.io/path: /metrics
prometheus.io/port: "9100"
prometheus.io/scrape: "true"
labels:
app.kubernetes.io/instance: traefik-traefik
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: traefik
helm.sh/chart: traefik-34.0.0
spec:
automountServiceAccountToken: true
containers:
- args:
- --global.checknewversion
- --global.sendanonymoususage
- --entryPoints.metrics.address=:9100/tcp
- --entryPoints.traefik.address=:8080/tcp
- --entryPoints.web.address=:8000/tcp
- --entryPoints.websecure.address=:8443/tcp
- --api.dashboard=true
- --ping=true
- --metrics.prometheus=true
- --metrics.prometheus.entrypoint=metrics
- --providers.kubernetescrd
- --providers.kubernetescrd.allowCrossNamespace=true
- --providers.kubernetescrd.allowEmptyServices=true
- --providers.kubernetesingress
- --providers.kubernetesingress.allowEmptyServices=true
- --providers.kubernetesingress.ingressendpoint.publishedservice=traefik/traefik
- --entryPoints.websecure.http.tls=true
- --entryPoints.websecure.proxyProtocol.trustedIPs=10.5.1.1/32
- --log.level=INFO
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: docker.io/traefik:v3.3.1
imagePullPolicy: IfNotPresent
lifecycle: null
livenessProbe:
failureThreshold: 3
httpGet:
path: /ping
port: 8080
scheme: HTTP
initialDelaySeconds: 2
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
name: traefik
ports:
- containerPort: 9100
name: metrics
protocol: TCP
- containerPort: 8080
name: traefik
protocol: TCP
- containerPort: 8000
name: web
protocol: TCP
- containerPort: 8443
hostPort: 443
name: websecure
protocol: TCP
readinessProbe:
failureThreshold: 1
httpGet:
path: /ping
port: 8080
scheme: HTTP
initialDelaySeconds: 2
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
resources: null
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /data
name: data
- mountPath: /tmp
name: tmp
hostNetwork: false
securityContext:
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
serviceAccountName: traefik
terminationGracePeriodSeconds: 60
volumes:
- emptyDir: {}
name: data
- emptyDir: {}
name: tmp
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
annotations:
ingressclass.kubernetes.io/is-default-class: "true"
labels:
app.kubernetes.io/instance: traefik-traefik
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: traefik
helm.sh/chart: traefik-34.0.0
name: traefik
spec:
controller: traefik.io/ingress-controller


@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: traefik
resources:
- namespace.yaml
- bundle.yaml


@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: traefik
labels:
pod-security.kubernetes.io/enforce: privileged
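Review bot: `enforce: privileged` switches off every Pod Security check for anything that will ever run in the traefik namespace, not just the ingress controller, and the reason is not recorded; the rendered Deployment's `hostPort: 443` is the only thing in this commit that the `baseline` profile would reject (the container already drops all capabilities, runs non-root with a read-only root filesystem and `hostNetwork: false`), so a comment should say so, e.g. `# privileged only because the traefik pods bind hostPort 443, which baseline rejects; revisit if the LoadBalancer Service alone is enough`. Adding `pod-security.kubernetes.io/audit: baseline` alongside keeps an audit-log trail of which pods actually rely on the exemption without blocking anything.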


@ -0,0 +1,7 @@
apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
name: test-bucket
spec:
bucketName: test-bucket
storageClassName: rook-ceph-bucket


@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: rook-ceph
resources:
- buckets.yaml
- s3-pool.yaml


@ -0,0 +1,72 @@
apiVersion: ceph.rook.io/v1
kind: CephObjectStore
metadata:
name: muh-buckets
namespace: rook-ceph
spec:
metadataPool:
failureDomain: osd
replicated:
size: 3
dataPool:
failureDomain: osd
erasureCoded:
dataChunks: 2
codingChunks: 1
preservePoolsOnDelete: true
gateway:
port: 80
instances: 1
annotations:
resources:
# hosting:
# advertiseEndpoint:
# dnsName: s3.janky.solutions
# port: 443
# useTls: true
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: s3.janky.solutions
labels:
name: s3.janky.solutions
annotations:
cert-manager.io/cluster-issuer: letsencrypt
spec:
tls:
- hosts:
- s3.janky.solutions
- "*.s3.janky.solutions"
secretName: s3.janky.solutions
rules:
- host: s3.janky.solutions
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: rook-ceph-rgw-muh-buckets
port:
number: 80
- host: "*.s3.janky.solutions"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: rook-ceph-rgw-muh-buckets
port:
number: 80
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: rook-ceph-bucket
provisioner: rook-ceph.ceph.rook.io/bucket
reclaimPolicy: Delete
parameters:
objectStoreName: muh-buckets
objectStoreNamespace: rook-ceph