helm: Add new job to create service accounts (#15939)

This commit is contained in:
asoria-lf 2022-11-13 18:28:07 +01:00 committed by GitHub
parent 344ae9f84e
commit 14e52f29b0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 266 additions and 8 deletions


@ -219,6 +219,22 @@ Description of the configuration parameters used above -
- `users[].existingSecretKey` - data key in existingSecret secret containing the secretKey - `users[].existingSecretKey` - data key in existingSecret secret containing the secretKey
- `users[].policy` - name of the policy to assign to user - `users[].policy` - name of the policy to assign to user
### Create service account after install
Install the chart, specifying the service accounts you want to create after install:
```bash
helm install --set svcaccts[0].accessKey=accessKey,svcaccts[0].secretKey=secretKey,svcaccts[0].user=parentUser,svcaccts[1].accessKey=accessKey2,svcaccts[1].secretRef=existingSecret,svcaccts[1].secretKey=password,svcaccts[1].user=parentUser2 minio/minio
```
Description of the configuration parameters used above -
- `svcaccts[].accessKey` - accessKey of service account
- `svcaccts[].secretKey` - secretKey of svcacctsecretRef
- `svcaccts[].existingSecret` - secret name that contains the secretKey of service account
- `svcaccts[].existingSecretKey` - data key in existingSecret secret containing the secretKey
- `svcaccts[].user` - name of the parent user to assign to service account
## Uninstalling the Chart ## Uninstalling the Chart
Assuming your release is named as `my-release`, delete it using the command: Assuming your release is named as `my-release`, delete it using the command:


@ -0,0 +1,97 @@
#!/bin/sh
set -e ; # Have script exit in the event of a failed command.
{{- if .Values.configPathmc }}
MC_CONFIG_DIR="{{ .Values.configPathmc }}"
MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}"
{{- else }}
MC="/usr/bin/mc --insecure"
{{- end }}
# AccessKey and secretkey credentials file are added to prevent shell execution errors caused by special characters.
# Special characters for example : ',",<,>,{,}
MINIO_ACCESSKEY_SECRETKEY_TMP="/tmp/accessKey_and_secretKey_svcacct_tmp"
# connectToMinio
# Use a check-sleep-check loop to wait for MinIO service to be available
connectToMinio() {
SCHEME=$1
ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts
set -e ; # fail if we can't read the keys.
ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ;
set +e ; # The connections to minio are allowed to fail.
echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ;
MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ;
$MC_COMMAND ;
STATUS=$? ;
until [ $STATUS = 0 ]
do
ATTEMPTS=`expr $ATTEMPTS + 1` ;
echo \"Failed attempts: $ATTEMPTS\" ;
if [ $ATTEMPTS -gt $LIMIT ]; then
exit 1 ;
fi ;
sleep 2 ; # 2 second intervals between attempts
$MC_COMMAND ;
STATUS=$? ;
done ;
set -e ; # reset `e` as active
return 0
}
# checkSvcacctExists ()
# Check if the svcacct exists, by using the exit code of `mc admin user svcacct info`
checkSvcacctExists() {
CMD=$(${MC} admin user svcacct info myminio $(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) > /dev/null 2>&1)
return $?
}
# createSvcacct ($user)
createSvcacct () {
USER=$1
#check accessKey_and_secretKey_tmp file
if [[ ! -f $MINIO_ACCESSKEY_SECRETKEY_TMP ]];then
echo "credentials file does not exist"
return 1
fi
if [[ $(cat $MINIO_ACCESSKEY_SECRETKEY_TMP|wc -l) -ne 2 ]];then
echo "credentials file is invalid"
rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP
return 1
fi
SVCACCT=$(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP)
# Create the svcacct if it does not exist
if ! checkSvcacctExists ; then
echo "Creating svcacct '$SVCACCT'"
${MC} admin user svcacct add --access-key $(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) --secret-key $(tail -n1 $MINIO_ACCESSKEY_SECRETKEY_TMP) myminio $USER
else
echo "Svcacct '$SVCACCT' already exists."
fi
#clean up credentials files.
rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP
}
# Try connecting to MinIO instance
{{- if .Values.tls.enabled }}
scheme=https
{{- else }}
scheme=http
{{- end }}
connectToMinio $scheme
{{ if .Values.svcaccts }}
{{ $global := . }}
# Create the svcaccts
{{- range .Values.svcaccts }}
echo {{ tpl .accessKey $global }} > $MINIO_ACCESSKEY_SECRETKEY_TMP
{{- if .existingSecret }}
cat /config/secrets/{{ tpl .existingSecret $global }}/{{ tpl .existingSecretKey $global }} >> $MINIO_ACCESSKEY_SECRETKEY_TMP
# Add a new line if it doesn't exist
sed -i '$a\' $MINIO_ACCESSKEY_SECRETKEY_TMP
createSvcacct {{ .user }}
{{ else }}
echo {{ .secretKey }} >> $MINIO_ACCESSKEY_SECRETKEY_TMP
createSvcacct {{ .user }}
{{- end }}
{{- end }}
{{- end }}
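Review bot: The credentials-file guards `if [[ ! -f $MINIO_ACCESSKEY_SECRETKEY_TMP ]];then` and `if [[ $(cat $MINIO_ACCESSKEY_SECRETKEY_TMP|wc -l) -ne 2 ]];then` use the bash-only `[[` under a `#!/bin/sh` shebang; if the mc image's /bin/sh is dash or busybox ash, `[[` fails with "not found", the `if` takes the else path and both checks are silently skipped. Rewrite them as `if [ ! -f "$MINIO_ACCESSKEY_SECRETKEY_TMP" ]; then` and `if [ "$(wc -l < "$MINIO_ACCESSKEY_SECRETKEY_TMP")" -ne 2 ]; then`, which also quotes the path. The root and service-account secrets are passed as argv to mc in `MC_COMMAND="${MC} alias set myminio ... $ACCESS $SECRET"` and in `${MC} admin user svcacct add --access-key $(head -1 ...) --secret-key $(tail -n1 ...)`, so they are visible in the pod's process table and in any `set -x` trace for the duration of the call; a comment acknowledging that, next to the temp-file rationale at the top, would help the next maintainer. `echo {{ .secretKey }} >> $MINIO_ACCESSKEY_SECRETKEY_TMP` and `createSvcacct {{ .user }}` are the only per-entry values not passed through `tpl` or quoted, unlike `{{ tpl .accessKey $global }}` a few lines above, so a secretKey containing whitespace or a shell metacharacter yields a broken or altered script; render them consistently with the accessKey line.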


@ -93,7 +93,7 @@ connectToMinio $scheme
{{- range .Values.users }} {{- range .Values.users }}
echo {{ tpl .accessKey $global }} > $MINIO_ACCESSKEY_SECRETKEY_TMP echo {{ tpl .accessKey $global }} > $MINIO_ACCESSKEY_SECRETKEY_TMP
{{- if .existingSecret }} {{- if .existingSecret }}
cat /config/secrets/{{ tpl .existingSecretKey $global }} >> $MINIO_ACCESSKEY_SECRETKEY_TMP cat /config/secrets/{{ tpl .existingSecret $global }}/{{ tpl .existingSecretKey $global }} >> $MINIO_ACCESSKEY_SECRETKEY_TMP
# Add a new line if it doesn't exist # Add a new line if it doesn't exist
sed -i '$a\' $MINIO_ACCESSKEY_SECRETKEY_TMP sed -i '$a\' $MINIO_ACCESSKEY_SECRETKEY_TMP
createUser {{ .policy }} createUser {{ .policy }}
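Review bot: The new `cat /config/secrets/{{ tpl .existingSecret $global }}/{{ tpl .existingSecretKey $global }} >> $MINIO_ACCESSKEY_SECRETKEY_TMP` must match the projected-secret item `path:` in the user Job template byte for byte, and nothing in either file records that coupling, which is presumably how the two drifted apart before this commit. A one-line comment above it such as `# Path must match the projected secret item path in the make-user Job volume` would keep them aligned. The `range` this line sits in begins and ends outside the hunk.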


@ -20,5 +20,7 @@ data:
policy_{{ $idx }}.json: |- policy_{{ $idx }}.json: |-
{{ include (print $.Template.BasePath "/_helper_policy.tpl") . | indent 4 }} {{ include (print $.Template.BasePath "/_helper_policy.tpl") . | indent 4 }}
{{ end }} {{ end }}
add-svcacct: |-
{{ include (print $.Template.BasePath "/_helper_create_svcacct.txt") . | indent 4 }}
custom-command: |- custom-command: |-
{{ include (print $.Template.BasePath "/_helper_custom_command.txt") . | indent 4 }} {{ include (print $.Template.BasePath "/_helper_custom_command.txt") . | indent 4 }}
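Review bot: With `add-svcacct` placed in this ConfigMap, any inline `svcaccts[].secretKey` from values is rendered in plaintext into ConfigMap data (the helper writes it with `echo {{ .secretKey }} >> $MINIO_ACCESSKEY_SECRETKEY_TMP`), where it is readable by anyone with `get configmaps` in the namespace instead of being covered by Secret RBAC and etcd encryption at rest. The existing `users` helper appears to follow the same pattern, so this is not a regression, but the new key deserves a comment in values.yaml next to `svcaccts` stating that `existingSecret`/`existingSecretKey` is the recommended form and that an inline `secretKey` ends up in the ConfigMap. The enclosing `data:` block starts outside the hunk.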


@ -0,0 +1,111 @@
{{- $global := . -}}
{{- if .Values.svcaccts }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "minio.fullname" . }}-make-svcacct-job
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "minio.name" . }}-make-svcacct-job
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
{{- with .Values.makeServiceAccountJob.annotations }}
{{ toYaml . | indent 4 }}
{{- end }}
spec:
template:
metadata:
labels:
app: {{ template "minio.name" . }}-job
release: {{ .Release.Name }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
{{- if .Values.makeServiceAccountJob.podAnnotations }}
annotations:
{{ toYaml .Values.makeServiceAccountJob.podAnnotations | indent 8 }}
{{- end }}
spec:
restartPolicy: OnFailure
{{- include "minio.imagePullSecrets" . | indent 6 }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.makeServiceAccountJob.nodeSelector | indent 8 }}
{{- end }}
{{- with .Values.makeServiceAccountJob.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.makeServiceAccountJob.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- if .Values.makeServiceAccountJob.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.makeServiceAccountJob.securityContext.runAsUser }}
runAsGroup: {{ .Values.makeServiceAccountJob.securityContext.runAsGroup }}
fsGroup: {{ .Values.makeServiceAccountJob.securityContext.fsGroup }}
{{- end }}
volumes:
- name: minio-configuration
projected:
sources:
- configMap:
name: {{ template "minio.fullname" . }}
- secret:
name: {{ template "minio.secretName" . }}
{{- range .Values.svcaccts }}
{{- if .existingSecret }}
- secret:
name: {{ tpl .existingSecret $global }}
items:
- key: {{ .existingSecretKey }}
path: secrets/{{ tpl .existingSecret $global }}/{{ tpl .existingSecretKey $global }}
{{- end }}
{{- end }}
{{- if .Values.tls.enabled }}
- name: cert-secret-volume-mc
secret:
secretName: {{ .Values.tls.certSecret }}
items:
- key: {{ .Values.tls.publicCrt }}
path: CAs/public.crt
{{ end }}
{{- if .Values.makeServiceAccountJob.extraVolumes }}
{{- toYaml .Values.makeServiceAccountJob.extraVolumes | nindent 8 }}
{{- end }}
{{ if .Values.serviceAccount.create }}
serviceAccountName: {{ .Values.serviceAccount.name }}
{{- end }}
containers:
- name: minio-mc
image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
{{- if .Values.makeServiceAccountJob.exitCommand }}
command: ["/bin/sh", "-c"]
args: ["/bin/sh /config/add-svcacct; x=$(echo $?); {{ .Values.makeServiceAccountJob.exitCommand }} && exit $x" ]
{{- else }}
command: ["/bin/sh", "/config/add-svcacct"]
{{- end }}
env:
- name: MINIO_ENDPOINT
value: {{ template "minio.fullname" . }}
- name: MINIO_PORT
value: {{ .Values.service.port | quote }}
volumeMounts:
- name: minio-configuration
mountPath: /config
{{- if .Values.tls.enabled }}
- name: cert-secret-volume-mc
mountPath: {{ .Values.configPathmc }}certs
{{ end }}
{{- if .Values.makeServiceAccountJob.extraVolumeMounts }}
{{- toYaml .Values.makeServiceAccountJob.extraVolumeMounts | nindent 10 }}
{{- end }}
resources:
{{ toYaml .Values.makeServiceAccountJob.resources | indent 10 }}
{{- end }}
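Review bot: At `{{- if .Values.nodeSelector }}` the guard tests the chart-wide value but the body renders `{{ toYaml .Values.makeServiceAccountJob.nodeSelector | indent 8 }}`, so the job's own selector (default `{}` in values.yaml) is emitted only when the global one is set and the global one is never used; change the guard to `{{- if .Values.makeServiceAccountJob.nodeSelector }}` or use a `with` block like the affinity and tolerations entries below it. In the projected secret item, `key: {{ .existingSecretKey }}` is rendered raw while the neighbouring `path: secrets/{{ tpl .existingSecret $global }}/{{ tpl .existingSecretKey $global }}` passes the same value through `tpl`, so a templated existingSecretKey produces a key and a path that differ; the same `key:`/`path:` inconsistency is in the user Job hunk further down. The hook annotations carry no `helm.sh/hook-weight`, so if the parent `user` is itself created by the chart's user job in the same release, the relative order of the two post-install jobs follows only Helm's default hook sort and is not guaranteed to create the user first; a weight on both jobs would pin it.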


@ -64,7 +64,7 @@ spec:
name: {{ tpl .existingSecret $global }} name: {{ tpl .existingSecret $global }}
items: items:
- key: {{ .existingSecretKey }} - key: {{ .existingSecretKey }}
path: secrets/{{ tpl .existingSecretKey $global }} path: secrets/{{ tpl .existingSecret $global }}/{{ tpl .existingSecretKey $global }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if .Values.tls.enabled }} {{- if .Values.tls.enabled }}


@ -351,7 +351,6 @@ users:
# existingSecretKey: password # existingSecretKey: password
# policy: readonly # policy: readonly
## Additional Annotations for the Kubernetes Job makeUserJob ## Additional Annotations for the Kubernetes Job makeUserJob
makeUserJob: makeUserJob:
podAnnotations: {} podAnnotations: {}
@ -372,6 +371,39 @@ makeUserJob:
# Command to run after the main command on exit # Command to run after the main command on exit
exitCommand: "" exitCommand: ""
## List of service accounts to be created after minio install
##
# svcaccts:
## accessKey, secretKey and parent user to be assigned to the service accounts
## Add new service accounts as explained here https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management/minio-user-management.html#service-accounts
# - accessKey: console-svcacct
# secretKey: console123
# user: console
## Or you can refer to specific secret
# - accessKey: externalSecret
# existingSecret: my-secret
# existingSecretKey: password
# user: console
makeServiceAccountJob:
podAnnotations: {}
annotations: {}
securityContext:
enabled: false
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
resources:
requests:
memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}
extraVolumes: []
extraVolumeMounts: []
# Command to run after the main command on exit
exitCommand: ""
## List of buckets to be created after minio install ## List of buckets to be created after minio install
## ##
buckets: buckets:
@ -386,14 +418,14 @@ buckets:
# # bucket [true|false] # # bucket [true|false]
# versioning: false # versioning: false
# # set objectlocking for # # set objectlocking for
# # bucket [true|false] NOTE: versioning is enabled by default if you use locking # # bucket [true|false] NOTE: versioning is enabled by default if you use locking
# objectlocking: false # objectlocking: false
# - name: bucket2 # - name: bucket2
# policy: none # policy: none
# purge: false # purge: false
# versioning: true # versioning: true
# # set objectlocking for # # set objectlocking for
# # bucket [true|false] NOTE: versioning is enabled by default if you use locking # # bucket [true|false] NOTE: versioning is enabled by default if you use locking
# objectlocking: false # objectlocking: false
## Additional Annotations for the Kubernetes Job makeBucketJob ## Additional Annotations for the Kubernetes Job makeBucketJob
@ -415,7 +447,7 @@ makeBucketJob:
extraVolumeMounts: [] extraVolumeMounts: []
# Command to run after the main command on exit # Command to run after the main command on exit
exitCommand: "" exitCommand: ""
## List of command to run after minio install ## List of command to run after minio install
## NOTE: the mc command TARGET is always "myminio" ## NOTE: the mc command TARGET is always "myminio"
customCommands: customCommands:
@ -438,7 +470,7 @@ customCommandJob:
affinity: {} affinity: {}
# Command to run after the main command on exit # Command to run after the main command on exit
exitCommand: "" exitCommand: ""
## Use this field to add environment variables relevant to MinIO server. These fields will be passed on to MinIO container(s) ## Use this field to add environment variables relevant to MinIO server. These fields will be passed on to MinIO container(s)
## when Chart is deployed ## when Chart is deployed
environment: environment:
@ -490,7 +522,7 @@ metrics:
serviceMonitor: serviceMonitor:
enabled: false enabled: false
# scrape each node/pod individually for additional metrics # scrape each node/pod individually for additional metrics
includeNode: false includeNode: false
public: true public: true
additionalLabels: {} additionalLabels: {}
# for node metrics # for node metrics