Conversation

@awalford16
Collaborator

@awalford16 awalford16 commented Oct 9, 2025

  • Enabled Minio chart to generate its own certs, minio then listens on port 443
  • Added API functionality to use STS auth if ACCESS_KEY and SECRET_KEY are not provided
  • Uses AssumeRoleWithWebIdentity endpoint: https://docs.min.io/enterprise/aistor-object-store/developers/security-token-service/assumerolewithwebidentity/ to grab access/secret key from minio STS
  • Uses the k8s certificate accessible through the mounted service account so the minio cert can be trusted
  • Mounts the k8s service account with audience sts.min.io which is used as the JWT for authenticating with minio
  • Creates a minio PolicyBinding which ties the STS authenticated account to readwrite permissions
  • The Minio client requires SSL_CERT_FILE to be exported, which is used by the minio python client

  • Replaced the copy job to use curl which supports referencing a custom ca-cert
  • Added the trusted k8s CA cert to /tmp/.mc allowing the minio config setup to trust minio TLS
  • Changed argo-artifacts-tls to argo-artifacts-ingress-tls for minio ingress cert since Minio creates a secret called argo-artifacts-tls for the auto-generated certificates

  • Adds network policy rules to allow resolving the sts endpoint and talking to the minio-operator namespace for STS auth
  • Added some improved error handling in the minio client
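The credential flow this PR describes (static ACCESS_KEY/SECRET_KEY if present, otherwise a projected service-account token with audience sts.min.io exchanged at MinIO's AssumeRoleWithWebIdentity endpoint, trusting the cluster CA via SSL_CERT_FILE) as an added worked example. This is not the repository's code: the mount paths, the `sts_endpoint` parameter, the sample token and the canned STS reply are all constructed or assumed for the example.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"
EXPECTED_AUDIENCE = "sts.min.io"          # audience the projected SA token is minted for
# Assumed in-cluster paths: the CA path is the standard mount, the token path is a guess.
K8S_CA_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
PROJECTED_TOKEN_PATH = "/var/run/secrets/minio-sts/token"


@dataclass(frozen=True)
class Credentials:
    access_key: str
    secret_key: str
    session_token: Optional[str] = None      # None when static keys were used
    expiration: Optional[datetime] = None


def jwt_audiences(token: str) -> list:
    """Return the unverified 'aud' claim; verifying the signature is MinIO's job, not ours."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    aud = json.loads(base64.urlsafe_b64decode(payload)).get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def build_sts_request(token: str, duration_seconds: int = 3600) -> bytes:
    """Form body for AssumeRoleWithWebIdentity; refuse tokens minted for another audience."""
    if EXPECTED_AUDIENCE not in jwt_audiences(token):
        raise ValueError(f"token audience is not {EXPECTED_AUDIENCE!r}; check the projected volume")
    return urllib.parse.urlencode({
        "Action": "AssumeRoleWithWebIdentity",
        "Version": "2011-06-15",
        "WebIdentityToken": token,
        "DurationSeconds": str(duration_seconds),
    }).encode()


def parse_sts_response(body: bytes) -> Credentials:
    """Pull the temporary key pair out of the STS XML reply, failing loudly on gaps."""
    root = ET.fromstring(body)
    creds = root.find(f"{STS_NS}AssumeRoleWithWebIdentityResult/{STS_NS}Credentials")
    if creds is None:
        raise ValueError("no Credentials in STS response; is the PolicyBinding in place?")

    def field(tag: str) -> str:
        el = creds.find(STS_NS + tag)
        if el is None or not el.text:
            raise ValueError(f"STS response is missing {tag}")
        return el.text.strip()

    expiration = datetime.fromisoformat(field("Expiration").replace("Z", "+00:00"))
    return Credentials(field("AccessKeyId"), field("SecretAccessKey"),
                       field("SessionToken"), expiration)


def _https_post(url: str, body: bytes, cafile: str) -> bytes:
    """POST over TLS trusting only the cluster CA that signed MinIO's auto-generated cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read()


def resolve_credentials(env: dict, sts_endpoint: str, token_loader=None, post=_https_post) -> Credentials:
    """Static ACCESS_KEY/SECRET_KEY if both are set, otherwise the STS exchange."""
    access_key, secret_key = env.get("ACCESS_KEY"), env.get("SECRET_KEY")
    if access_key and secret_key:
        return Credentials(access_key, secret_key)
    if access_key or secret_key:
        raise ValueError("ACCESS_KEY and SECRET_KEY must be set together or not at all")
    if token_loader is None:
        token_loader = lambda: open(PROJECTED_TOKEN_PATH).read().strip()
    cafile = env.get("SSL_CERT_FILE", K8S_CA_PATH)   # SSL_CERT_FILE, as the PR exports it
    return parse_sts_response(post(sts_endpoint, build_sts_request(token_loader()), cafile))


def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed sample data: an unsigned token and a canned STS reply, for offline runs only.
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256"}),
                         _b64url({"aud": ["sts.min.io"], "sub": "system:serviceaccount:demo:api"}),
                         "signature-omitted"])
SAMPLE_STS_RESPONSE = b"""<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult><Credentials>
    <AccessKeyId>AKIAEXAMPLE1234</AccessKeyId><SecretAccessKey>secretEXAMPLE</SecretAccessKey>
    <Expiration>2025-10-09T13:00:00Z</Expiration><SessionToken>sess-example</SessionToken>
  </Credentials></AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>"""

if __name__ == "__main__":
    creds = resolve_credentials({}, "https://minio.example:443",
                                token_loader=lambda: SAMPLE_TOKEN,
                                post=lambda url, body, cafile: SAMPLE_STS_RESPONSE)
    print(creds.access_key, "expires", creds.expiration.isoformat())
```

The audience check before the request and the explicit CA file are the two places a misconfiguration shows up early: a token projected for the wrong audience is rejected locally with a readable message instead of a generic STS error, and the client never falls back to the system trust store, so a MinIO certificate issued by anything other than the cluster CA fails the handshake.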

@craddm
Contributor

craddm commented Nov 11, 2025

@awalford16 is this one ready for another review?

```python
# The service account to use for the application
"serviceaccount": fridge_api_sa.metadata.name,
},
"policies": ["readwrite"],
```
Collaborator Author


This policy is still quite open, since it allows bucket creation
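A way to make the concern in this comment checkable and to show the tighter alternative, as an added example that is not the repository's code: a matcher for IAM-style MinIO policy documents that reports whether a policy grants s3:CreateBucket at all, next to a generator for a policy scoped to one bucket. The `READWRITE_BUILTIN` document reproduces the shape of MinIO's built-in readwrite policy (s3:* on every bucket); the bucket name `fridge-data` is a constructed placeholder.

```python
from fnmatch import fnmatchcase

# Shape of MinIO's built-in "readwrite" policy: every S3 action on every bucket.
READWRITE_BUILTIN = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]}],
}


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern: str, candidate: str) -> bool:
    # IAM-style wildcards (* and ?); action names compare case-insensitively.
    return fnmatchcase(candidate.lower(), pattern.lower())


def policy_grants(policy: dict, action: str, resource: str) -> bool:
    """True if an Allow statement matches the action and resource and no Deny overrides it."""
    allowed = denied = False
    for statement in policy.get("Statement", []):
        action_hit = any(_matches(p, action) for p in _as_list(statement.get("Action", [])))
        resource_hit = any(_matches(p, resource) for p in _as_list(statement.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if statement.get("Effect") == "Allow":
            allowed = True
        elif statement.get("Effect") == "Deny":
            denied = True
    return allowed and not denied


def allows_bucket_creation(policy: dict) -> bool:
    """Flag any Allow statement whose Action pattern covers s3:CreateBucket, on any resource."""
    return any(statement.get("Effect") == "Allow"
               and any(_matches(p, "s3:CreateBucket") for p in _as_list(statement.get("Action", [])))
               for statement in policy.get("Statement", []))


def scoped_readwrite(bucket: str) -> dict:
    """Object read/write on one existing bucket; no bucket-level create or delete rights."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{bucket}"]},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": [f"arn:aws:s3:::{bucket}/*"]},
        ],
    }


if __name__ == "__main__":
    print("readwrite allows bucket creation:", allows_bucket_creation(READWRITE_BUILTIN))
    print("scoped allows bucket creation:", allows_bucket_creation(scoped_readwrite("fridge-data")))
```

Running the check against the two documents is the quick way to confirm the difference the comment points at: the built-in policy grants creation, the scoped one does not, and the scoped one still refuses object writes outside its own bucket.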

Contributor

@craddm craddm left a comment


LGTM

@craddm craddm merged commit add3159 into main Nov 24, 2025
5 checks passed
@craddm craddm deleted the api/minio-sts-auth branch November 24, 2025 16:40