Minio helm chart improvements for user and policy creation (#14216)

2025-01-11 23:13:23 -05:00 · 2022-02-14 02:14:18 +01:00 · 2022-02-14 02:14:18 +01:00 · b70053090c
commit b70053090c
parent f10e2254ae
8 changed files with 287 additions and 0 deletions
--- a/helm/minio/README.md
+++ b/helm/minio/README.md
@ -188,6 +188,35 @@ Description of the configuration parameters used above -
 - `buckets[].policy` - can be one of none|download|upload|public
 - `buckets[].purge` - purge if bucket exists already
 33# Create policies after install
 Install the chart, specifying the policies you want to create after install:
 ```bash
 helm install --set policies[0].name=mypolicy,policies[0].statements[0].resources[0]='arn:aws:s3:::bucket1',policies[0].statements[0].actions[0]='s3:ListBucket',policies[0].statements[0].actions[1]='s3:GetObject' minio/minio
 ```
 Description of the configuration parameters used above -
 - `policies[].name` - name of the policy to create, must be a string with length > 0
 - `policies[].statements[]` - list of statements, includes actions and resources
 - `policies[].statements[].resources[]` - list of resources that applies the statement
 - `policies[].statements[].actions[]` - list of actions granted
 ### Create user after install
 Install the chart, specifying the users you want to create after install:
 ```bash
 helm install --set users[0].accessKey=accessKey,users[0].secretKey=secretKey,users[0].policy=none,users[1].accessKey=accessKey2,users[1].secretRef=existingSecret,users[1].secretKey=password,users[1].policy=none minio/minio
 ```
 Description of the configuration parameters used above -
 - `users[].accessKey` - accessKey of user
 - `users[].secretKey` - secretKey of usersecretRef
 - `users[].existingSecret` - secret name that contains the secretKey of user
 - `users[].existingSecretKey` - data key in existingSecret secret containing the secretKey
 - `users[].policy` - name of the policy to assign to user
 ## Uninstalling the Chart
 Assuming your release is named as `my-release`, delete it using the command:
--- a/helm/minio/templates/_helper_create_policy.txt
+++ b/helm/minio/templates/_helper_create_policy.txt
@ -0,0 +1,73 @@
 #!/bin/sh
 set -e ; # Have script exit in the event of a failed command.
 {{- if .Values.configPathmc }}
 MC_CONFIG_DIR="{{ .Values.configPathmc }}"
 MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}"
 {{- else }}
 MC="/usr/bin/mc --insecure"
 {{- end }}
 # connectToMinio
 # Use a check-sleep-check loop to wait for MinIO service to be available
 connectToMinio() {
  SCHEME=$1
  ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts
  set -e ; # fail if we can't read the keys.
  ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ;
  set +e ; # The connections to minio are allowed to fail.
  echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ;
  MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ;
  $MC_COMMAND ;
  STATUS=$? ;
  until [ $STATUS = 0 ]
  do
    ATTEMPTS=`expr $ATTEMPTS + 1` ;
    echo \"Failed attempts: $ATTEMPTS\" ;
    if [ $ATTEMPTS -gt $LIMIT ]; then
      exit 1 ;
    fi ;
    sleep 2 ; # 1 second intervals between attempts
    $MC_COMMAND ;
    STATUS=$? ;
  done ;
  set -e ; # reset `e` as active
  return 0
 }
 # checkPolicyExists ($policy)
 # Check if the policy exists, by using the exit code of `mc admin policy info`
 checkPolicyExists() {
  POLICY=$1
  CMD=$(${MC} admin policy info myminio $POLICY > /dev/null 2>&1)
  return $?
 }
 # createPolicy($name)
 createPolicy () {
  NAME=$1
  # Create the name if it does not exist
  if ! checkPolicyExists $NAME ; then
    echo "Creating policy '$NAME'"
  else
    echo "Policy '$NAME' already exists."
  fi
  ${MC} admin policy add myminio $NAME /config/$NAME.json
 }
 # Try connecting to MinIO instance
 {{- if .Values.tls.enabled }}
 scheme=https
 {{- else }}
 scheme=http
 {{- end }}
 connectToMinio $scheme
 {{ if .Values.policies }}
 # Create the policies
 {{- range .Values.policies }}
 createPolicy {{ .name }}
 {{- end }}
 {{- end }}
--- a/helm/minio/templates/_helper_create_user.txt
+++ b/helm/minio/templates/_helper_create_user.txt
@ -78,6 +78,10 @@ connectToMinio $scheme
 {{ if .Values.users }}
 # Create the users
 {{- range .Values.users }}
 {{- if .existingSecret }}
 createUser {{ .accessKey }} $(cat /config/secrets/{{ .accessKey }}) {{ .policy }}
 {{ else }}
 createUser {{ .accessKey }} {{ .secretKey }} {{ .policy }}
 {{- end }}
 {{- end }}
 {{- end }}
--- a/helm/minio/templates/_helper_policy.tpl
+++ b/helm/minio/templates/_helper_policy.tpl
@ -0,0 +1,18 @@
 {{- $statements_length := len .statements -}}
 {{- $statements_length := sub $statements_length 1 -}}
 {
  "Version": "2012-10-17",
  "Statement": [
 {{- range $i, $statement := .statements }}
    {
      "Effect": "Allow",
      "Action": [
 "{{ $statement.actions | join "\",\n\"" }}"
      ],
      "Resource": [
 "{{ $statement.resources | join "\",\n\"" }}"
      ]
    }{{ if lt $i $statements_length }},{{end }}
 {{- end }}
  ]
 }
--- a/helm/minio/templates/configmap.yaml
+++ b/helm/minio/templates/configmap.yaml
@ -13,3 +13,9 @@ data:
 {{ include (print $.Template.BasePath "/_helper_create_bucket.txt") . | indent 4 }}
  add-user: |-
 {{ include (print $.Template.BasePath "/_helper_create_user.txt") . | indent 4 }}
  add-policy: |-
 {{ include (print $.Template.BasePath "/_helper_create_policy.txt") . | indent 4 }}
 {{- range .Values.policies }}
  {{ .name }}.json: |-
 {{ include (print $.Template.BasePath "/_helper_policy.tpl") . | indent 4 }}
 {{ end }}
--- a/helm/minio/templates/post-install-create-policy-job.yaml
+++ b/helm/minio/templates/post-install-create-policy-job.yaml
@ -0,0 +1,87 @@
 {{- if .Values.policies }}
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: {{ template "minio.fullname" . }}-make-policies-job
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ template "minio.name" . }}-make-policies-job
    chart: {{ template "minio.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
  annotations:
    "helm.sh/hook": post-install,post-upgrade
    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
 {{- with .Values.makePolicyJob.annotations }}
 {{ toYaml . | indent 4 }}
 {{- end }}
 spec:
  template:
    metadata:
      labels:
        app: {{ template "minio.name" . }}-job
        release: {{ .Release.Name }}
 {{- if .Values.podLabels }}
 {{ toYaml .Values.podLabels | indent 8 }}
 {{- end }}
 {{- if .Values.makePolicyJob.podAnnotations }}
      annotations:
 {{ toYaml .Values.makePolicyJob.podAnnotations | indent 8 }}
 {{- end }}
    spec:
      restartPolicy: OnFailure
 {{- include "minio.imagePullSecrets" . | indent 6 }}
 {{- if .Values.nodeSelector }}
      nodeSelector:
 {{ toYaml .Values.makePolicyJob.nodeSelector | indent 8 }}
 {{- end }}
 {{- with .Values.makePolicyJob.affinity }}
      affinity:
 {{ toYaml . | indent 8 }}
 {{- end }}
 {{- with .Values.makePolicyJob.tolerations }}
      tolerations:
 {{ toYaml . | indent 8 }}
 {{- end }}
 {{- if .Values.makePolicyJob.securityContext.enabled }}
      securityContext:
        runAsUser: {{ .Values.makePolicyJob.securityContext.runAsUser }}
        runAsGroup: {{ .Values.makePolicyJob.securityContext.runAsGroup }}
        fsGroup: {{ .Values.makePolicyJob.securityContext.fsGroup }}
 {{- end }}
      volumes:
        - name: minio-configuration
          projected:
            sources:
            - configMap:
                name: {{ template "minio.fullname" . }}
            - secret:
                name: {{ template "minio.secretName" . }}
        {{- if .Values.tls.enabled }}
        - name: cert-secret-volume-mc
          secret:
            secretName: {{ .Values.tls.certSecret }}
            items:
            - key: {{ .Values.tls.publicCrt }}
              path: CAs/public.crt
        {{ end }}
      containers:
      - name: minio-mc
        image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
        imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
        command: ["/bin/sh", "/config/add-policy"]
        env:
          - name: MINIO_ENDPOINT
            value: {{ template "minio.fullname" . }}
          - name: MINIO_PORT
            value: {{ .Values.service.port | quote }}
        volumeMounts:
          - name: minio-configuration
            mountPath: /config
          {{- if .Values.tls.enabled }}
          - name: cert-secret-volume-mc
            mountPath: {{ .Values.configPathmc }}certs
          {{ end }}
        resources:
 {{ toYaml .Values.makePolicyJob.resources | indent 10 }}
 {{- end }}
--- a/helm/minio/templates/post-install-create-user-job.yaml
+++ b/helm/minio/templates/post-install-create-user-job.yaml
@ -57,6 +57,15 @@ spec:
                name: {{ template "minio.fullname" . }}
            - secret:
                name: {{ template "minio.secretName" . }}
            {{- range .Values.users }}
            {{- if .existingSecret }}
            - secret:
                name: {{ .existingSecret }}
                items:
                  - key: {{ .existingSecretKey }}
                    path: secrets/{{ .accessKey }}
            {{- end }}
            {{- end }}
        {{- if .Values.tls.enabled }}
        - name: cert-secret-volume-mc
          secret:
--- a/helm/minio/values.yaml
+++ b/helm/minio/values.yaml
@ -245,6 +245,62 @@ resources:
  requests:
    memory: 16Gi
 ## List of policies to be created after minio install
 ##
 ## In addition to default policies [readonly|readwrite|writeonly|consoleAdmin|diagnostics]
 ## you can define additional policies with custom supported actions and resources
 policies: []
 ## writeexamplepolicy policy grants creation or deletion of buckets with name 
 ## starting with example. In addition, grants objects write permissions on buckets starting with
 ## example.
 # - name: writeexamplepolicy
 #   statements:
 #     - resources: 
 #         - 'arn:aws:s3:::example*/*'
 #       actions:
 #         - "s3:AbortMultipartUpload"
 #         - "s3:GetObject"
 #         - "s3:DeleteObject"
 #         - "s3:PutObject"
 #         - "s3:ListMultipartUploadParts"
 #     - resources: 
 #         - 'arn:aws:s3:::example*'
 #       actions:
 #         - "s3:CreateBucket"
 #         - "s3:DeleteBucket"
 #         - "s3:GetBucketLocation"
 #         - "s3:ListBucket"
 #         - "s3:ListBucketMultipartUploads"
 ## readonlyexamplepolicy policy grants access to buckets with name starting with example. 
 ## In addition, grants objects read permissions on buckets starting with example.
 # - name: readonlyexamplepolicy
 #   statements:
 #     - resources: 
 #         - 'arn:aws:s3:::example*/*'
 #       actions:
 #         - "s3:GetObject"
 #     - resources: 
 #         - 'arn:aws:s3:::example*'
 #       actions:
 #         - "s3:GetBucketLocation"
 #         - "s3:ListBucket"
 #         - "s3:ListBucketMultipartUploads"
 ## Additional Annotations for the Kubernetes Job makePolicyJob
 makePolicyJob:
  podAnnotations:
  annotations:
  securityContext:
    enabled: false
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
  resources:
    requests:
      memory: 128Mi
  nodeSelector: {}
  tolerations: []
  affinity: {}
 ## List of users to be created after minio install
 ##
 users:
@ -256,6 +312,11 @@ users:
  - accessKey: console
    secretKey: console123
    policy: consoleAdmin
  # Or you can refer to specific secret
  #- accessKey: externalSecret
  #  existingSecret: my-secret
  #  existingSecretKey: password
  #  policy: readonly
 ## Additional Annotations for the Kubernetes Job makeUserJob