From 9a4699e54d7a6197dd88f43828f7f9b795641909 Mon Sep 17 00:00:00 2001 From: Christopher Tate Date: Tue, 26 Nov 2024 10:43:27 -0700 Subject: [PATCH] Adding minio with dex auth to nerc-ocp-test cluster Adding support for object stores in the test cluster with authentication and policy based authorization by OpenShift groups. --- .../core/namespaces/minio/kustomization.yaml | 4 ++ .../base/core/namespaces/minio/namespace.yaml | 5 ++ .../bundles/minio/kustomization.yaml | 6 +++ .../overlays/nerc-ocp-test/kustomization.yaml | 1 + minio/base/console-route.yaml | 13 ++++++ minio/base/deployment.yaml | 46 +++++++++++++++++++ ...xternalsecret-minio-admin-credentials.yaml | 15 ++++++ minio/base/kustomization.yaml | 13 ++++++ minio/base/object-storage-route.yaml | 13 ++++++ minio/base/pvc.yaml | 12 +++++ minio/base/service.yaml | 12 +++++ .../patch-minio-admin-credentials.yaml | 9 ++++ .../nerc-ocp-test/files/minio-config.env | 11 +++++ .../overlays/nerc-ocp-test/kustomization.yaml | 13 ++++++ 14 files changed, 173 insertions(+) create mode 100644 cluster-scope/base/core/namespaces/minio/kustomization.yaml create mode 100644 cluster-scope/base/core/namespaces/minio/namespace.yaml create mode 100644 cluster-scope/bundles/minio/kustomization.yaml create mode 100644 minio/base/console-route.yaml create mode 100644 minio/base/deployment.yaml create mode 100644 minio/base/externalsecret-minio-admin-credentials.yaml create mode 100644 minio/base/kustomization.yaml create mode 100644 minio/base/object-storage-route.yaml create mode 100644 minio/base/pvc.yaml create mode 100644 minio/base/service.yaml create mode 100644 minio/overlays/nerc-ocp-test/externalsecrets/patch-minio-admin-credentials.yaml create mode 100644 minio/overlays/nerc-ocp-test/files/minio-config.env create mode 100644 minio/overlays/nerc-ocp-test/kustomization.yaml diff --git a/cluster-scope/base/core/namespaces/minio/kustomization.yaml b/cluster-scope/base/core/namespaces/minio/kustomization.yaml new file mode 100644 index 00000000..48ef36e5 --- /dev/null +++ b/cluster-scope/base/core/namespaces/minio/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - namespace.yaml diff --git a/cluster-scope/base/core/namespaces/minio/namespace.yaml b/cluster-scope/base/core/namespaces/minio/namespace.yaml new file mode 100644 index 00000000..ae7a30a7 --- /dev/null +++ b/cluster-scope/base/core/namespaces/minio/namespace.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: minio +spec: {} diff --git a/cluster-scope/bundles/minio/kustomization.yaml b/cluster-scope/bundles/minio/kustomization.yaml new file mode 100644 index 00000000..e4441b41 --- /dev/null +++ b/cluster-scope/bundles/minio/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +commonLabels: + nerc.mghpcc.org/bundle: minio +resources: +- ../../base/core/namespaces/minio diff --git a/cluster-scope/overlays/nerc-ocp-test/kustomization.yaml b/cluster-scope/overlays/nerc-ocp-test/kustomization.yaml index 51b949a3..c176106f 100644 --- a/cluster-scope/overlays/nerc-ocp-test/kustomization.yaml +++ b/cluster-scope/overlays/nerc-ocp-test/kustomization.yaml @@ -31,6 +31,7 @@ resources: - ../../bundles/openshift-pipelines-operator - ../../bundles/virt - ../../bundles/autopilot +- ../../bundles/minio components: - ../../components/nerc-oauth-github diff --git a/minio/base/console-route.yaml b/minio/base/console-route.yaml new file mode 100644 index 00000000..a70ae10e --- /dev/null +++ b/minio/base/console-route.yaml @@ -0,0 +1,13 @@ +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: minio-console +spec: + port: + targetPort: console + to: + kind: "Service" + name: minio + tls: + termination: edge + insecureEdgeTerminationPolicy: Redirect diff --git a/minio/base/deployment.yaml b/minio/base/deployment.yaml new file mode 100644 index 00000000..c420f598 --- /dev/null +++ b/minio/base/deployment.yaml @@ -0,0 +1,46 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: minio +spec: + strategy: + type: Recreate + replicas: 1 + template: + spec: + containers: + - name: minio + envFrom: + - secretRef: + name: minio-admin-credentials + - configMapRef: + name: minio-config + optional: true + image: docker.io/minio/minio:RELEASE.2024-11-07T00-52-20Z + ports: + - containerPort: 9000 + name: object-storage + - containerPort: 8080 + name: console + args: + - server + - --console-address + - ":8080" + - /data + volumeMounts: + - name: minio-data + mountPath: /data + livenessProbe: + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 1 + httpGet: + scheme: HTTP + path: /minio/health/live + port: 9000 + volumes: + - name: minio-data + persistentVolumeClaim: + claimName: minio-data diff --git a/minio/base/externalsecret-minio-admin-credentials.yaml b/minio/base/externalsecret-minio-admin-credentials.yaml new file mode 100644 index 00000000..ba561906 --- /dev/null +++ b/minio/base/externalsecret-minio-admin-credentials.yaml @@ -0,0 +1,15 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: minio-admin-credentials + namespace: minio +spec: + refreshInterval: "1h" + secretStoreRef: + name: nerc-cluster-secrets + kind: ClusterSecretStore + target: + name: minio-admin-credentials + dataFrom: + - extract: + key: $ENV/$CLUSTER/minio/minio-config diff --git a/minio/base/kustomization.yaml b/minio/base/kustomization.yaml new file mode 100644 index 00000000..86dd3172 --- /dev/null +++ b/minio/base/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: minio +commonLabels: + app: minio + +resources: +- externalsecret-minio-admin-credentials.yaml +- deployment.yaml +- pvc.yaml +- service.yaml +- console-route.yaml +- object-storage-route.yaml diff --git a/minio/base/object-storage-route.yaml b/minio/base/object-storage-route.yaml new file mode 100644 index 00000000..f044e0d3 --- /dev/null +++ b/minio/base/object-storage-route.yaml @@ -0,0 +1,13 @@ +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: minio +spec: + port: + targetPort: object-storage + to: + kind: "Service" + name: minio + tls: + termination: edge + insecureEdgeTerminationPolicy: Redirect diff --git a/minio/base/pvc.yaml b/minio/base/pvc.yaml new file mode 100644 index 00000000..be714465 --- /dev/null +++ b/minio/base/pvc.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: minio-data +spec: + storageClassName: ocs-external-storagecluster-ceph-rbd + volumeMode: Filesystem + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Gi diff --git a/minio/base/service.yaml b/minio/base/service.yaml new file mode 100644 index 00000000..378edb5f --- /dev/null +++ b/minio/base/service.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: minio +spec: + ports: + - name: object-storage + port: 9000 + targetPort: object-storage + - name: console + port: 8080 + targetPort: console diff --git a/minio/overlays/nerc-ocp-test/externalsecrets/patch-minio-admin-credentials.yaml b/minio/overlays/nerc-ocp-test/externalsecrets/patch-minio-admin-credentials.yaml new file mode 100644 index 00000000..313197ef --- /dev/null +++ b/minio/overlays/nerc-ocp-test/externalsecrets/patch-minio-admin-credentials.yaml @@ -0,0 +1,9 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: minio-admin-credentials + namespace: minio +spec: + dataFrom: + - extract: + key: nerc/nerc-ocp-test/minio/minio-admin-credentials diff --git a/minio/overlays/nerc-ocp-test/files/minio-config.env b/minio/overlays/nerc-ocp-test/files/minio-config.env new file mode 100644 index 00000000..92cbb8d9 --- /dev/null +++ b/minio/overlays/nerc-ocp-test/files/minio-config.env @@ -0,0 +1,11 @@ +# Documentation: https://min.io/docs/minio/linux/reference/minio-server/settings/iam/openid.html + +MINIO_IDENTITY_OPENID_CONFIG_URL=https://dex-dex.apps.ocp-test.nerc.mghpcc.org/.well-known/openid-configuration +MINIO_IDENTITY_OPENID_CLIENT_ID=minio +MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC=on + +# This tells minio to look up policy names in the "groups" claim (so e.g. if +# someone in the "nerc-ops" group logs in, minio will look for a "nerc-ops" +# policy to apply). A person cannot log in if there is no policy matches any of +# the claim values. +MINIO_IDENTITY_OPENID_CLAIM_NAME=groups diff --git a/minio/overlays/nerc-ocp-test/kustomization.yaml b/minio/overlays/nerc-ocp-test/kustomization.yaml new file mode 100644 index 00000000..c6f30db1 --- /dev/null +++ b/minio/overlays/nerc-ocp-test/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ../../base + +configMapGenerator: +- name: minio-config + namespace: minio + envs: + - files/minio-config.env + +patches: + - path: externalsecrets/patch-minio-admin-credentials.yaml