feat(lifecycle): add MinIO subchart with secure credential architecture for log archival (v0.8.0)

[vigneshrajsb]

Goal

Build and deploy job logs are permanently lost when k8s Job pods are evicted or TTL-expired (~24h). This PR adds MinIO as an optional in-cluster S3-compatible object store so logs can be archived at job completion time and retrieved even after live pods are gone. It also supports AWS S3 via IRSA for production environments.

Changes

File	Change
Chart.yaml	Add minio 17.0.21 Bitnami subchart dependency (disabled by default); bump chart version → 0.8.0
values.yaml	Add objectStore: section (type, endpoint, port, bucket, SSL, region); add secrets.objectStore section; add minio: subchart values; wire minio.auth.existingSecret to shared secret
templates/secret-objectstore.yaml	(new) Kubernetes Secret storing OBJECT_STORE_ACCESS_KEY and OBJECT_STORE_SECRET_KEY; shared by both the app and MinIO via existingSecret
templates/configmap.yaml	Emit OBJECT_STORE_* env vars (no credentials); guarded by minio.enabled flag; add SECRET_OBJECT_STORE_NAME; hook changed to pre-install,pre-upgrade; S3 mode validates required region
templates/deployments.yaml	Add envFrom: secretRef for secrets.objectStore — injects credentials into all pods automatically
templates/_helpers.tpl	Add ..helper.objectStoreSecretName and ..helper.minioSvcEndpoint helpers

Credential architecture

Credentials are not in the ConfigMap. They live exclusively in a Kubernetes Secret:

ConfigMap	Secret (<release>-objectstore)
OBJECT_STORE_TYPE	OBJECT_STORE_ACCESS_KEY
OBJECT_STORE_ENDPOINT	OBJECT_STORE_SECRET_KEY
OBJECT_STORE_PORT
OBJECT_STORE_BUCKET
OBJECT_STORE_USE_SSL
SECRET_OBJECT_STORE_NAME

The same secret is referenced by minio.auth.existingSecret — MinIO and the app share one credential source with no duplication.

How it works

1. Opt-in: MinIO is disabled by default (minio.enabled: false). When disabled, the ConfigMap emits no OBJECT_STORE_* vars — no broken env vars pointing at a non-existent service.
2. Credentials: Stored in a dedicated Secret (created on install, resource-policy: keep). Set secrets.objectStore.accessKey / secretKey in your override values or let the chart generate random values.
3. S3 mode: Set objectStore.type: s3 + objectStore.region for AWS S3 via IRSA — no static credentials needed.
4. App-side gating: The lifecycle backend checks logArchival.enabled in global_config before making any object store calls — enabling the subchart alone is safe.

Rollout

minio:
  enabled: true

secrets:
  objectStore:
    accessKey: <from-sealed-secret>
    secretKey: <from-sealed-secret>

Then activate archival via global_config:

{ "logArchival": { "enabled": true, "retentionDays": 14 } }

Test plan

• helm template with defaults (minio.enabled=false) — no OBJECT_STORE_* vars in ConfigMap
• helm template --set minio.enabled=true — ConfigMap has OBJECT_STORE_* (no credentials), Secret has OBJECT_STORE_ACCESS_KEY/SECRET_KEY, deployments have envFrom: secretRef
• helm template --set objectStore.type=s3 --set objectStore.region=us-east-1 — ConfigMap has S3 vars only
• helm template --set objectStore.type=s3 — fails with objectStore.region is required error
• In a test cluster: MinIO pod reaches Running, bucket lifecycle-logs auto-created, app pods have credentials available as env vars

🤖 Generated with Claude Code

[binlab]

LGTM