From 0db1930f482b0fa5c8e238e28bbccbd248c9fe33 Mon Sep 17 00:00:00 2001
From: orblazer
Date: Sun, 18 Dec 2022 07:50:37 +0100
Subject: [PATCH] helm: add policy to svcacct (#16272)
---
 helm/minio/templates/_helper_create_svcacct.txt | 15 ++++++++++++---
 helm/minio/templates/configmap.yaml | 9 ++++++++-
 helm/minio/values.yaml | 14 ++++++++++++++
 3 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/helm/minio/templates/_helper_create_svcacct.txt b/helm/minio/templates/_helper_create_svcacct.txt
index 99f5fb053..285d50cfe 100644
--- a/helm/minio/templates/_helper_create_svcacct.txt
+++ b/helm/minio/templates/_helper_create_svcacct.txt
@@ -49,6 +49,7 @@ checkSvcacctExists() {
 # createSvcacct ($user)
 createSvcacct () {
 USER=$1
+ FILENAME=$2
 #check accessKey_and_secretKey_tmp file
 if [[ ! -f $MINIO_ACCESSKEY_SECRETKEY_TMP ]];then
 echo "credentials file does not exist"
@@ -63,7 +64,12 @@ createSvcacct () {
 # Create the svcacct if it does not exist
 if ! checkSvcacctExists ; then
 echo "Creating svcacct '$SVCACCT'"
- ${MC} admin user svcacct add --access-key $(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) --secret-key $(tail -n1 $MINIO_ACCESSKEY_SECRETKEY_TMP) myminio $USER
+ # Check if policy file is define
+ if [ -z $FILENAME ]; then
+ ${MC} admin user svcacct add --access-key $(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) --secret-key $(tail -n1 $MINIO_ACCESSKEY_SECRETKEY_TMP) myminio $USER
+ else
+ ${MC} admin user svcacct add --access-key $(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) --secret-key $(tail -n1 $MINIO_ACCESSKEY_SECRETKEY_TMP) --policy /config/$FILENAME.json myminio $USER
+ fi
 else
 echo "Svcacct '$SVCACCT' already exists."
 fi
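Review bot: The header comment `# createSvcacct ($user)` on the context line just above `createSvcacct () {` is now stale, because the function reads a second positional argument on the added line `FILENAME=$2`. Update it to `# createSvcacct ($user, [$policyFile])` and say that the optional second argument is the basename of a policy file the script expects under `/config/<name>.json` (that is how the next hunk consumes it). The body of createSvcacct continues past the end of this hunk.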
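Review bot: `if [ -z $FILENAME ]; then` leaves `$FILENAME` unquoted, so when the second argument is omitted the test collapses to `[ -z ]`, which only happens to return true because single-argument `test` checks that the literal string `-z` is non-empty. The rest of this file uses double brackets (`if [[ ! -f $MINIO_ACCESSKEY_SECRETKEY_TMP ]]` in the previous hunk), so `if [[ -z "$FILENAME" ]]; then` is both safer and consistent. The two branches also duplicate the whole `mc admin user svcacct add` invocation and differ only in `--policy`; collecting the optional flag in an array — `POLICY_ARGS=()`, `[[ -n "$FILENAME" ]] && POLICY_ARGS=(--policy "/config/$FILENAME.json")`, then one call with `"${POLICY_ARGS[@]}"` placed before `myminio $USER` — leaves a single command to maintain and makes it natural to add an `[[ -f "/config/$FILENAME.json" ]]` check, since a missing policy file currently surfaces only as an mc error. The comment typo `define` should read `defined`. The function's closing brace lies outside this hunk.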
@@ -82,15 +88,18 @@ connectToMinio $scheme
 {{ if .Values.svcaccts }}
 {{ $global := . }}
 # Create the svcaccts
-{{- range .Values.svcaccts }}
+{{- range $idx, $svc := .Values.svcaccts }}
 echo {{ tpl .accessKey $global }} > $MINIO_ACCESSKEY_SECRETKEY_TMP
 {{- if .existingSecret }}
 cat /config/secrets/{{ tpl .existingSecret $global }}/{{ tpl .existingSecretKey $global }} >> $MINIO_ACCESSKEY_SECRETKEY_TMP
 # Add a new line if it doesn't exist
 sed -i '$a\' $MINIO_ACCESSKEY_SECRETKEY_TMP
-createSvcacct {{ .user }}
 {{ else }}
 echo {{ .secretKey }} >> $MINIO_ACCESSKEY_SECRETKEY_TMP
+{{- end }}
+{{- if $svc.policy}}
+createSvcacct {{ .user }} svc_policy_{{ $idx }}
+{{ else }}
 createSvcacct {{ .user }}
 {{- end }}
 {{- end }}
diff --git a/helm/minio/templates/configmap.yaml b/helm/minio/templates/configmap.yaml
index 524f191a6..54d56772c 100644
--- a/helm/minio/templates/configmap.yaml
+++ b/helm/minio/templates/configmap.yaml
@@ -16,9 +16,16 @@ data:
 add-policy: |-
 {{ include (print $.Template.BasePath "/_helper_create_policy.txt") . | indent 4 }}
 {{- range $idx, $policy := .Values.policies }}
- # {{ $policy.name }}
+ # Policy: {{ $policy.name }}
 policy_{{ $idx }}.json: |-
 {{ include (print $.Template.BasePath "/_helper_policy.tpl") . | indent 4 }}
+{{ end }}
+{{- range $idx, $svc := .Values.svcaccts }}
+{{- if $svc.policy }}
+ # SVC: {{ $svc.accessKey }}
+ svc_policy_{{ $idx }}.json: |-
 {{ include (print $.Template.BasePath "/_helper_policy.tpl") .policy | indent 4 }}
+{{- end }}
 {{ end }}
 add-svcacct: |-
 {{ include (print $.Template.BasePath "/_helper_create_svcacct.txt") . | indent 4 }}
diff --git a/helm/minio/values.yaml b/helm/minio/values.yaml
index 948a5d514..afd728daa 100644
--- a/helm/minio/values.yaml
+++ b/helm/minio/values.yaml
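Review bot: Inside `{{- range $idx, $svc := .Values.svcaccts }}` the new lines address the same element two ways — `{{- if $svc.policy}}` through the bound variable, `createSvcacct {{ .user }}` and `{{ tpl .accessKey $global }}` through the dot — and `{{- if $svc.policy}}` is also missing the space before `}}` that every other action in the hunk has; using `$svc.policy`, `$svc.user` and `$svc.accessKey` throughout makes it obvious they refer to one item. The name `svc_policy_{{ $idx }}` is coupled purely by position to the ConfigMap key generated in configmap.yaml, so a comment above the `if` such as `# must match the svc_policy_<idx>.json key emitted by configmap.yaml` would protect whoever edits one file without the other. The enclosing `{{ if .Values.svcaccts }}` is closed outside this hunk.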
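Review bot: The added `# SVC: {{ $svc.accessKey }}` comment copies the raw accessKey value into the rendered ConfigMap manifest; the svcacct script renders that field through `tpl` (`{{ tpl .accessKey $global }}` in _helper_create_svcacct.txt), so for templated values the comment shows the unexpanded template, and for literal ones a credential identifier lands in `helm template` output and, presumably, in the stored release manifest. Labelling the entry by its owning user instead — `# SVC: {{ $svc.user }}` — mirrors the `# Policy: {{ $policy.name }}` line above and keeps key identifiers out of rendered output. The new include line passes `.policy` as context where the policies loop passes `.`; that matches the `policy: statements:` shape documented in values.yaml, but a one-line comment noting that `_helper_policy.tpl` is handed the policy object itself would save the next reader a lookup.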
@@ -370,6 +370,20 @@ makeUserJob: # existingSecret: my-secret # existingSecretKey: password # user: console + ## You also can pass custom policy + # - accessKey: console-svcacct + # secretKey: console123 + # user: console + # policy: + # statements: + # - resources: + # - 'arn:aws:s3:::example*/*' + # actions: + # - "s3:AbortMultipartUpload" + # - "s3:GetObject" + # - "s3:DeleteObject" + # - "s3:PutObject" + # - "s3:ListMultipartUploadParts" makeServiceAccountJob: securityContext: