diff --git a/helm/minio/README.md b/helm/minio/README.md index e7174c4ff..504da59c0 100644 --- a/helm/minio/README.md +++ b/helm/minio/README.md @@ -188,6 +188,35 @@ Description of the configuration parameters used above - - `buckets[].policy` - can be one of none|download|upload|public - `buckets[].purge` - purge if bucket exists already +33# Create policies after install +Install the chart, specifying the policies you want to create after install: + +```bash +helm install --set policies[0].name=mypolicy,policies[0].statements[0].resources[0]='arn:aws:s3:::bucket1',policies[0].statements[0].actions[0]='s3:ListBucket',policies[0].statements[0].actions[1]='s3:GetObject' minio/minio +``` + +Description of the configuration parameters used above - + +- `policies[].name` - name of the policy to create, must be a string with length > 0 +- `policies[].statements[]` - list of statements, includes actions and resources +- `policies[].statements[].resources[]` - list of resources that applies the statement +- `policies[].statements[].actions[]` - list of actions granted + +### Create user after install +Install the chart, specifying the users you want to create after install: + +```bash +helm install --set users[0].accessKey=accessKey,users[0].secretKey=secretKey,users[0].policy=none,users[1].accessKey=accessKey2,users[1].secretRef=existingSecret,users[1].secretKey=password,users[1].policy=none minio/minio +``` + +Description of the configuration parameters used above - + +- `users[].accessKey` - accessKey of user +- `users[].secretKey` - secretKey of usersecretRef +- `users[].existingSecret` - secret name that contains the secretKey of user +- `users[].existingSecretKey` - data key in existingSecret secret containing the secretKey +- `users[].policy` - name of the policy to assign to user + ## Uninstalling the Chart Assuming your release is named as `my-release`, delete it using the command: 
diff --git a/helm/minio/templates/_helper_create_policy.txt b/helm/minio/templates/_helper_create_policy.txt
new file mode 100644
index 000000000..e5f2edb6a
--- /dev/null
+++ b/helm/minio/templates/_helper_create_policy.txt
@@ -0,0 +1,73 @@
+#!/bin/sh
+set -e ; # Have script exit in the event of a failed command.
+
+{{- if .Values.configPathmc }}
+MC_CONFIG_DIR="{{ .Values.configPathmc }}"
+MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}"
+{{- else }}
+MC="/usr/bin/mc --insecure"
+{{- end }}
+
+# connectToMinio
+# Use a check-sleep-check loop to wait for MinIO service to be available
+connectToMinio() {
+ SCHEME=$1
+ ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts
+ set -e ; # fail if we can't read the keys.
+ ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ;
+ set +e ; # The connections to minio are allowed to fail.
+ echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ;
+ MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ;
+ $MC_COMMAND ;
+ STATUS=$? ;
+ until [ $STATUS = 0 ]
+ do
+ ATTEMPTS=`expr $ATTEMPTS + 1` ;
+ echo \"Failed attempts: $ATTEMPTS\" ;
+ if [ $ATTEMPTS -gt $LIMIT ]; then
+ exit 1 ;
+ fi ;
+ sleep 2 ; # 1 second intervals between attempts
+ $MC_COMMAND ;
+ STATUS=$? ;
+ done ;
+ set -e ; # reset `e` as active
+ return 0
+}
+
+# checkPolicyExists ($policy)
+# Check if the policy exists, by using the exit code of `mc admin policy info`
+checkPolicyExists() {
+ POLICY=$1
+ CMD=$(${MC} admin policy info myminio $POLICY > /dev/null 2>&1)
+ return $?
+}
+
+# createPolicy($name)
+createPolicy () {
+ NAME=$1
+
+ # Create the name if it does not exist
+ if ! checkPolicyExists $NAME ; then
+ echo "Creating policy '$NAME'"
+ else
+ echo "Policy '$NAME' already exists."
+ fi
+ ${MC} admin policy add myminio $NAME /config/$NAME.json
+
+}
+
+# Try connecting to MinIO instance
+{{- if .Values.tls.enabled }}
+scheme=https
+{{- else }}
+scheme=http
+{{- end }}
+connectToMinio $scheme
+
+{{ if .Values.policies }}
+# Create the policies
+{{- range .Values.policies }}
+createPolicy {{ .name }}
+{{- end }}
+{{- end }}
\ No newline at end of file
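Review bot: `createPolicy` runs `${MC} admin policy add myminio $NAME /config/$NAME.json` on both sides of the `checkPolicyExists` test, so the check only picks the log line and the comment "Create the name if it does not exist" is misleading; either move the `add` into the `if` branch or reword the comment to say the policy is (re)applied unconditionally, which is what a `post-upgrade` hook needs when a policy's statements change. `$NAME` comes straight from `{{ .name }}` and is expanded unquoted in every call, so a policy name containing whitespace or shell metacharacters splits the `mc` command line; `createPolicy "{{ .name }}"` together with `"$NAME"` and `"/config/$NAME.json"` would close that. `mc` is also invoked with `--insecure` even when `tls.enabled` mounts the CA under `certs/`, which skips server certificate verification while the root credentials are sent on `alias set`; this may mirror the existing bucket/user helpers, but a comment explaining why that is acceptable here would help the next reader.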
diff --git a/helm/minio/templates/_helper_create_user.txt b/helm/minio/templates/_helper_create_user.txt index c69fd4f77..fe0b09e27 100644 --- a/helm/minio/templates/_helper_create_user.txt +++ b/helm/minio/templates/_helper_create_user.txt @@ -78,6 +78,10 @@ connectToMinio $scheme {{ if .Values.users }} # Create the users {{- range .Values.users }} +{{- if .existingSecret }} +createUser {{ .accessKey }} $(cat /config/secrets/{{ .accessKey }}) {{ .policy }} +{{ else }} createUser {{ .accessKey }} {{ .secretKey }} {{ .policy }} {{- end }} {{- end }} +{{- end }} diff --git a/helm/minio/templates/_helper_policy.tpl b/helm/minio/templates/_helper_policy.tpl new file mode 100644 index 000000000..458ccbe9a --- /dev/null +++ b/helm/minio/templates/_helper_policy.tpl @@ -0,0 +1,18 @@ +{{- $statements_length := len .statements -}} +{{- $statements_length := sub $statements_length 1 -}} +{ + "Version": "2012-10-17", + "Statement": [ +{{- range $i, $statement := .statements }} + { + "Effect": "Allow", + "Action": [ +"{{ $statement.actions | join "\",\n\"" }}" + ], + "Resource": [ +"{{ $statement.resources | join "\",\n\"" }}" + ] + }{{ if lt $i $statements_length }},{{end }} +{{- end }} + ] +} diff --git a/helm/minio/templates/configmap.yaml b/helm/minio/templates/configmap.yaml index 3e0a85554..f86b09475 100644 --- a/helm/minio/templates/configmap.yaml +++ b/helm/minio/templates/configmap.yaml @@ -13,3 +13,9 @@ data: {{ include (print $.Template.BasePath "/_helper_create_bucket.txt") . | indent 4 }} add-user: |- {{ include (print $.Template.BasePath "/_helper_create_user.txt") . | indent 4 }} + add-policy: |- +{{ include (print $.Template.BasePath "/_helper_create_policy.txt") . | indent 4 }} +{{- range .Values.policies }} + {{ .name }}.json: |- +{{ include (print $.Template.BasePath "/_helper_policy.tpl") . | indent 4 }} +{{ end }} 
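Review bot: `$(cat /config/secrets/{{ .accessKey }})` is word-split and glob-expanded before `createUser` sees it, so a secret value containing spaces or `*`/`?` arrives as several arguments or altered; quote it as `createUser {{ .accessKey }} "$(cat /config/secrets/{{ .accessKey }})" {{ .policy }}`. The password is still passed as a command-line argument, so it is visible in the process list inside the job pod while `createUser` runs — the same exposure as the inline `secretKey` branch, but worth a comment given that the point of `existingSecret` is keeping the value out of rendered values. The `createUser` function itself is defined above this hunk and is not visible here.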
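Review bot: Building the arrays with `join "\",\n\""` neither escapes the elements nor handles an empty list, so an action or resource containing `"` or `\` renders invalid JSON and `actions: []` renders `[""]`, an empty-string action that `mc admin policy add` has to reject or misapply; `"Action": {{ toJson $statement.actions }},` and `"Resource": {{ toJson $statement.resources }}` produce a correctly escaped array in both cases and make the manual quoting unnecessary. `Effect` is hard-coded to `Allow`; if deny statements are intentionally out of scope, a one-line comment at the top of the template such as `{{/* Renders an allow-only IAM policy from .statements; Effect is always Allow */}}` would save the next reader a search.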
diff --git a/helm/minio/templates/post-install-create-policy-job.yaml b/helm/minio/templates/post-install-create-policy-job.yaml
new file mode 100644
index 000000000..ae787692d
--- /dev/null
+++ b/helm/minio/templates/post-install-create-policy-job.yaml
@@ -0,0 +1,87 @@ +{{- if .Values.policies }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "minio.fullname" . }}-make-policies-job + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "minio.name" . }}-make-policies-job + chart: {{ template "minio.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +{{- with .Values.makePolicyJob.annotations }} +{{ toYaml . | indent 4 }} +{{- end }} +spec: + template: + metadata: + labels: + app: {{ template "minio.name" . }}-job + release: {{ .Release.Name }} +{{- if .Values.podLabels }} +{{ toYaml .Values.podLabels | indent 8 }} +{{- end }} +{{- if .Values.makePolicyJob.podAnnotations }} + annotations: +{{ toYaml .Values.makePolicyJob.podAnnotations | indent 8 }} +{{- end }} + spec: + restartPolicy: OnFailure +{{- include "minio.imagePullSecrets" . | indent 6 }} +{{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.makePolicyJob.nodeSelector | indent 8 }} +{{- end }} +{{- with .Values.makePolicyJob.affinity }} + affinity: +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.makePolicyJob.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} +{{- if .Values.makePolicyJob.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.makePolicyJob.securityContext.runAsUser }} + runAsGroup: {{ .Values.makePolicyJob.securityContext.runAsGroup }} + fsGroup: {{ .Values.makePolicyJob.securityContext.fsGroup }} +{{- end }} + volumes: + - name: minio-configuration + projected: + sources: + - configMap: + name: {{ template "minio.fullname" . }} + - secret: + name: {{ template "minio.secretName" . 
}} + {{- if .Values.tls.enabled }} + - name: cert-secret-volume-mc + secret: + secretName: {{ .Values.tls.certSecret }} + items: + - key: {{ .Values.tls.publicCrt }} + path: CAs/public.crt + {{ end }} + containers: + - name: minio-mc + image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}" + imagePullPolicy: {{ .Values.mcImage.pullPolicy }} + command: ["/bin/sh", "/config/add-policy"] + env: + - name: MINIO_ENDPOINT + value: {{ template "minio.fullname" . }} + - name: MINIO_PORT + value: {{ .Values.service.port | quote }} + volumeMounts: + - name: minio-configuration + mountPath: /config + {{- if .Values.tls.enabled }} + - name: cert-secret-volume-mc + mountPath: {{ .Values.configPathmc }}certs + {{ end }} + resources: +{{ toYaml .Values.makePolicyJob.resources | indent 10 }} +{{- end }} diff --git a/helm/minio/templates/post-install-create-user-job.yaml b/helm/minio/templates/post-install-create-user-job.yaml index 980fab722..9c47cad2e 100644 --- a/helm/minio/templates/post-install-create-user-job.yaml +++ b/helm/minio/templates/post-install-create-user-job.yaml @@ -57,6 +57,15 @@ spec: name: {{ template "minio.fullname" . }} - secret: name: {{ template "minio.secretName" . }} + {{- range .Values.users }} + {{- if .existingSecret }} + - secret: + name: {{ .existingSecret }} + items: + - key: {{ .existingSecretKey }} + path: secrets/{{ .accessKey }} + {{- end }} + {{- end }} {{- if .Values.tls.enabled }} - name: cert-secret-volume-mc secret: diff --git a/helm/minio/values.yaml b/helm/minio/values.yaml index be225dfcd..75a833735 100644 --- a/helm/minio/values.yaml +++ b/helm/minio/values.yaml 
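Review bot: The `nodeSelector` block is gated on `.Values.nodeSelector` but renders `.Values.makePolicyJob.nodeSelector`, so a selector set only under `makePolicyJob` is silently ignored and a top-level selector alone renders `nodeSelector: {}`; the neighbouring `affinity` and `tolerations` blocks use `with`, so `{{- with .Values.makePolicyJob.nodeSelector }}` / `nodeSelector:` / `{{ toYaml . | indent 8 }}` would be consistent and is presumably what was intended (this looks copied from the user job, which is outside this hunk). The pod mounts the root credentials at `/config` and gets a pod `securityContext` only when `makePolicyJob.securityContext.enabled` is set, which the values default to `false`, so by default it runs as whatever user the `mcImage` specifies; consider enabling it by default or documenting the trade-off next to the value.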
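Review bot: The projected source renders `key: {{ .existingSecretKey }}` with no guard, so a user entry that sets `existingSecret` but omits `existingSecretKey` produces an empty key and the Job pod fails at volume setup rather than at template time; `key: {{ required "existingSecretKey is required when existingSecret is set" .existingSecretKey }}` surfaces it in `helm install`. The README example added in this change uses `secretRef` and `secretKey` for these fields, which does not match the `existingSecret`/`existingSecretKey` names read here, so following the README would hit exactly that failure. Two users sharing an `accessKey` would also project onto the same `secrets/<accessKey>` path, which is worth a comment or a `required`-style check as well.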
@@ -245,6 +245,62 @@ resources: requests: memory: 16Gi +## List of policies to be created after minio install +## +## In addition to default policies [readonly|readwrite|writeonly|consoleAdmin|diagnostics] +## you can define additional policies with custom supported actions and resources +policies: [] +## writeexamplepolicy policy grants creation or deletion of buckets with name +## starting with example. In addition, grants objects write permissions on buckets starting with +## example. +# - name: writeexamplepolicy +# statements: +# - resources: +# - 'arn:aws:s3:::example*/*' +# actions: +# - "s3:AbortMultipartUpload" +# - "s3:GetObject" +# - "s3:DeleteObject" +# - "s3:PutObject" +# - "s3:ListMultipartUploadParts" +# - resources: +# - 'arn:aws:s3:::example*' +# actions: +# - "s3:CreateBucket" +# - "s3:DeleteBucket" +# - "s3:GetBucketLocation" +# - "s3:ListBucket" +# - "s3:ListBucketMultipartUploads" +## readonlyexamplepolicy policy grants access to buckets with name starting with example. +## In addition, grants objects read permissions on buckets starting with example. +# - name: readonlyexamplepolicy +# statements: +# - resources: +# - 'arn:aws:s3:::example*/*' +# actions: +# - "s3:GetObject" +# - resources: +# - 'arn:aws:s3:::example*' +# actions: +# - "s3:GetBucketLocation" +# - "s3:ListBucket" +# - "s3:ListBucketMultipartUploads" +## Additional Annotations for the Kubernetes Job makePolicyJob +makePolicyJob: + podAnnotations: + annotations: + securityContext: + enabled: false + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + resources: + requests: + memory: 128Mi + nodeSelector: {} + tolerations: [] + affinity: {} + ## List of users to be created after minio install ## users: 
@@ -256,6 +312,11 @@ users: - accessKey: console secretKey: console123 policy: consoleAdmin + # Or you can refer to specific secret + #- accessKey: externalSecret + # existingSecret: my-secret + # existingSecretKey: password + # policy: readonly ## Additional Annotations for the Kubernetes Job makeUserJob