Minio helm chart improvements for user and policy creation (#14216)

2025-01-11 15:03:22 -05:00 · 2022-02-14 02:14:18 +01:00 · 2022-02-14 02:14:18 +01:00 · b70053090c
commit b70053090c
parent f10e2254ae
8 changed files with 287 additions and 0 deletions
--- a/helm/minio/README.md
+++ b/helm/minio/README.md
@ -188,6 +188,35 @@ Description of the configuration parameters used above -
 - `buckets[].policy` - can be one of none|download|upload|public
 - `buckets[].purge` - purge if bucket exists already

+33# Create policies after install
+Install the chart, specifying the policies you want to create after install:
+
+```bash
+helm install --set policies[0].name=mypolicy,policies[0].statements[0].resources[0]='arn:aws:s3:::bucket1',policies[0].statements[0].actions[0]='s3:ListBucket',policies[0].statements[0].actions[1]='s3:GetObject' minio/minio
+```
+
+Description of the configuration parameters used above -
+
+- `policies[].name` - name of the policy to create, must be a string with length > 0
+- `policies[].statements[]` - list of statements, includes actions and resources
+- `policies[].statements[].resources[]` - list of resources that applies the statement
+- `policies[].statements[].actions[]` - list of actions granted
+
+### Create user after install
+Install the chart, specifying the users you want to create after install:
+
+```bash
+helm install --set users[0].accessKey=accessKey,users[0].secretKey=secretKey,users[0].policy=none,users[1].accessKey=accessKey2,users[1].secretRef=existingSecret,users[1].secretKey=password,users[1].policy=none minio/minio
+```
+
+Description of the configuration parameters used above -
+
+- `users[].accessKey` - accessKey of user
+- `users[].secretKey` - secretKey of usersecretRef
+- `users[].existingSecret` - secret name that contains the secretKey of user
+- `users[].existingSecretKey` - data key in existingSecret secret containing the secretKey
+- `users[].policy` - name of the policy to assign to user
+
 ## Uninstalling the Chart

 Assuming your release is named as `my-release`, delete it using the command:
--- a/helm/minio/templates/_helper_create_policy.txt
+++ b/helm/minio/templates/_helper_create_policy.txt
@ -0,0 +1,73 @@
+#!/bin/sh
+set -e ; # Have script exit in the event of a failed command.
+
+{{- if .Values.configPathmc }}
+MC_CONFIG_DIR="{{ .Values.configPathmc }}"
+MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}"
+{{- else }}
+MC="/usr/bin/mc --insecure"
+{{- end }}
+
+# connectToMinio
+# Use a check-sleep-check loop to wait for MinIO service to be available
+connectToMinio() {
+  SCHEME=$1
+  ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts
+  set -e ; # fail if we can't read the keys.
+  ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ;
+  set +e ; # The connections to minio are allowed to fail.
+  echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ;
+  MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ;
+  $MC_COMMAND ;
+  STATUS=$? ;
+  until [ $STATUS = 0 ]
+  do
+    ATTEMPTS=`expr $ATTEMPTS + 1` ;
+    echo \"Failed attempts: $ATTEMPTS\" ;
+    if [ $ATTEMPTS -gt $LIMIT ]; then
+      exit 1 ;
+    fi ;
+    sleep 2 ; # 1 second intervals between attempts
+    $MC_COMMAND ;
+    STATUS=$? ;
+  done ;
+  set -e ; # reset `e` as active
+  return 0
+}
+
+# checkPolicyExists ($policy)
+# Check if the policy exists, by using the exit code of `mc admin policy info`
+checkPolicyExists() {
+  POLICY=$1
+  CMD=$(${MC} admin policy info myminio $POLICY > /dev/null 2>&1)
+  return $?
+}
+
+# createPolicy($name)
+createPolicy () {
+  NAME=$1
+
+  # Create the name if it does not exist
+  if ! checkPolicyExists $NAME ; then
+    echo "Creating policy '$NAME'"
+  else
+    echo "Policy '$NAME' already exists."
+  fi
+  ${MC} admin policy add myminio $NAME /config/$NAME.json
+
+}
+
+# Try connecting to MinIO instance
+{{- if .Values.tls.enabled }}
+scheme=https
+{{- else }}
+scheme=http
+{{- end }}
+connectToMinio $scheme
+
+{{ if .Values.policies }}
+# Create the policies
+{{- range .Values.policies }}
+createPolicy {{ .name }}
+{{- end }}
+{{- end }}
--- a/helm/minio/templates/_helper_create_user.txt
+++ b/helm/minio/templates/_helper_create_user.txt
@ -78,6 +78,10 @@ connectToMinio $scheme
 {{ if .Values.users }}
 # Create the users
 {{- range .Values.users }}
+{{- if .existingSecret }}
+createUser {{ .accessKey }} $(cat /config/secrets/{{ .accessKey }}) {{ .policy }}
+{{ else }}
 createUser {{ .accessKey }} {{ .secretKey }} {{ .policy }}
 {{- end }}
 {{- end }}
+{{- end }}
--- a/helm/minio/templates/_helper_policy.tpl
+++ b/helm/minio/templates/_helper_policy.tpl
@ -0,0 +1,18 @@
+{{- $statements_length := len .statements -}}
+{{- $statements_length := sub $statements_length 1 -}}
+{
+  "Version": "2012-10-17",
+  "Statement": [
+{{- range $i, $statement := .statements }}
+    {
+      "Effect": "Allow",
+      "Action": [
+"{{ $statement.actions | join "\",\n\"" }}"
+      ],
+      "Resource": [
+"{{ $statement.resources | join "\",\n\"" }}"
+      ]
+    }{{ if lt $i $statements_length }},{{end }}
+{{- end }}
+  ]
+}
--- a/helm/minio/templates/configmap.yaml
+++ b/helm/minio/templates/configmap.yaml
@ -13,3 +13,9 @@ data:
 {{ include (print $.Template.BasePath "/_helper_create_bucket.txt") . | indent 4 }}
  add-user: |-
 {{ include (print $.Template.BasePath "/_helper_create_user.txt") . | indent 4 }}
+  add-policy: |-
+{{ include (print $.Template.BasePath "/_helper_create_policy.txt") . | indent 4 }}
+{{- range .Values.policies }}
+  {{ .name }}.json: |-
+{{ include (print $.Template.BasePath "/_helper_policy.tpl") . | indent 4 }}
+{{ end }}
--- a/helm/minio/templates/post-install-create-policy-job.yaml
+++ b/helm/minio/templates/post-install-create-policy-job.yaml
@ -0,0 +1,87 @@
+{{- if .Values.policies }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ template "minio.fullname" . }}-make-policies-job
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app: {{ template "minio.name" . }}-make-policies-job
+    chart: {{ template "minio.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+{{- with .Values.makePolicyJob.annotations }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+spec:
+  template:
+    metadata:
+      labels:
+        app: {{ template "minio.name" . }}-job
+        release: {{ .Release.Name }}
+{{- if .Values.podLabels }}
+{{ toYaml .Values.podLabels | indent 8 }}
+{{- end }}
+{{- if .Values.makePolicyJob.podAnnotations }}
+      annotations:
+{{ toYaml .Values.makePolicyJob.podAnnotations | indent 8 }}
+{{- end }}
+    spec:
+      restartPolicy: OnFailure
+{{- include "minio.imagePullSecrets" . | indent 6 }}
+{{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.makePolicyJob.nodeSelector | indent 8 }}
+{{- end }}
+{{- with .Values.makePolicyJob.affinity }}
+      affinity:
+{{ toYaml . | indent 8 }}
+{{- end }}
+{{- with .Values.makePolicyJob.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+{{- end }}
+{{- if .Values.makePolicyJob.securityContext.enabled }}
+      securityContext:
+        runAsUser: {{ .Values.makePolicyJob.securityContext.runAsUser }}
+        runAsGroup: {{ .Values.makePolicyJob.securityContext.runAsGroup }}
+        fsGroup: {{ .Values.makePolicyJob.securityContext.fsGroup }}
+{{- end }}
+      volumes:
+        - name: minio-configuration
+          projected:
+            sources:
+            - configMap:
+                name: {{ template "minio.fullname" . }}
+            - secret:
+                name: {{ template "minio.secretName" . }}
+        {{- if .Values.tls.enabled }}
+        - name: cert-secret-volume-mc
+          secret:
+            secretName: {{ .Values.tls.certSecret }}
+            items:
+            - key: {{ .Values.tls.publicCrt }}
+              path: CAs/public.crt
+        {{ end }}
+      containers:
+      - name: minio-mc
+        image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
+        imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
+        command: ["/bin/sh", "/config/add-policy"]
+        env:
+          - name: MINIO_ENDPOINT
+            value: {{ template "minio.fullname" . }}
+          - name: MINIO_PORT
+            value: {{ .Values.service.port | quote }}
+        volumeMounts:
+          - name: minio-configuration
+            mountPath: /config
+          {{- if .Values.tls.enabled }}
+          - name: cert-secret-volume-mc
+            mountPath: {{ .Values.configPathmc }}certs
+          {{ end }}
+        resources:
+{{ toYaml .Values.makePolicyJob.resources | indent 10 }}
+{{- end }}
--- a/helm/minio/templates/post-install-create-user-job.yaml
+++ b/helm/minio/templates/post-install-create-user-job.yaml
@ -57,6 +57,15 @@ spec:
                name: {{ template "minio.fullname" . }}
            - secret:
                name: {{ template "minio.secretName" . }}
+            {{- range .Values.users }}
+            {{- if .existingSecret }}
+            - secret:
+                name: {{ .existingSecret }}
+                items:
+                  - key: {{ .existingSecretKey }}
+                    path: secrets/{{ .accessKey }}
+            {{- end }}
+            {{- end }}
        {{- if .Values.tls.enabled }}
        - name: cert-secret-volume-mc
          secret:
--- a/helm/minio/values.yaml
+++ b/helm/minio/values.yaml
@ -245,6 +245,62 @@ resources:
  requests:
    memory: 16Gi

+## List of policies to be created after minio install
+##
+## In addition to default policies [readonly|readwrite|writeonly|consoleAdmin|diagnostics]
+## you can define additional policies with custom supported actions and resources
+policies: []
+## writeexamplepolicy policy grants creation or deletion of buckets with name 
+## starting with example. In addition, grants objects write permissions on buckets starting with
+## example.
+# - name: writeexamplepolicy
+#   statements:
+#     - resources: 
+#         - 'arn:aws:s3:::example*/*'
+#       actions:
+#         - "s3:AbortMultipartUpload"
+#         - "s3:GetObject"
+#         - "s3:DeleteObject"
+#         - "s3:PutObject"
+#         - "s3:ListMultipartUploadParts"
+#     - resources: 
+#         - 'arn:aws:s3:::example*'
+#       actions:
+#         - "s3:CreateBucket"
+#         - "s3:DeleteBucket"
+#         - "s3:GetBucketLocation"
+#         - "s3:ListBucket"
+#         - "s3:ListBucketMultipartUploads"
+## readonlyexamplepolicy policy grants access to buckets with name starting with example. 
+## In addition, grants objects read permissions on buckets starting with example.
+# - name: readonlyexamplepolicy
+#   statements:
+#     - resources: 
+#         - 'arn:aws:s3:::example*/*'
+#       actions:
+#         - "s3:GetObject"
+#     - resources: 
+#         - 'arn:aws:s3:::example*'
+#       actions:
+#         - "s3:GetBucketLocation"
+#         - "s3:ListBucket"
+#         - "s3:ListBucketMultipartUploads"
+## Additional Annotations for the Kubernetes Job makePolicyJob
+makePolicyJob:
+  podAnnotations:
+  annotations:
+  securityContext:
+    enabled: false
+    runAsUser: 1000
+    runAsGroup: 1000
+    fsGroup: 1000
+  resources:
+    requests:
+      memory: 128Mi
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+
 ## List of users to be created after minio install
 ##
 users:
@ -256,6 +312,11 @@ users:
  - accessKey: console
    secretKey: console123
    policy: consoleAdmin
+  # Or you can refer to specific secret
+  #- accessKey: externalSecret
+  #  existingSecret: my-secret
+  #  existingSecretKey: password
+  #  policy: readonly


 ## Additional Annotations for the Kubernetes Job makeUserJob