name: IAM integration on: pull_request: branches: - master # This ensures that previous jobs for the PR are canceled when the PR is # updated. concurrency: group: ${{ github.workflow }}-${{ github.head_ref }} cancel-in-progress: true permissions: contents: read jobs: iam-matrix-test: name: "[Go=${{ matrix.go-version }}|ldap=${{ matrix.ldap }}|etcd=${{ matrix.etcd }}|openid=${{ matrix.openid }}]" runs-on: ubuntu-latest services: openldap: image: quay.io/minio/openldap ports: - "389:389" - "636:636" env: LDAP_ORGANIZATION: "MinIO Inc" LDAP_DOMAIN: "min.io" LDAP_ADMIN_PASSWORD: "admin" etcd: image: "quay.io/coreos/etcd:v3.5.1" env: ETCD_LISTEN_CLIENT_URLS: "http://0.0.0.0:2379" ETCD_ADVERTISE_CLIENT_URLS: "http://0.0.0.0:2379" ports: - "2379:2379" options: >- --health-cmd "etcdctl endpoint health" --health-interval 10s --health-timeout 5s --health-retries 5 openid: image: quay.io/minio/dex ports: - "5556:5556" env: DEX_LDAP_SERVER: "openldap:389" openid2: image: quay.io/minio/dex ports: - "5557:5557" env: DEX_LDAP_SERVER: "openldap:389" DEX_ISSUER: "http://127.0.0.1:5557/dex" DEX_WEB_HTTP: "0.0.0.0:5557" strategy: # When ldap, etcd or openid vars are empty below, those external servers # are turned off - i.e. if ldap="", then ldap server is not enabled for # the tests. matrix: go-version: [1.22.x] ldap: ["", "localhost:389"] etcd: ["", "http://localhost:2379"] openid: ["", "http://127.0.0.1:5556/dex"] exclude: # exclude combos where all are empty. - ldap: "" etcd: "" openid: "" # exclude combos where both ldap and openid IDPs are specified. - ldap: "localhost:389" openid: "http://127.0.0.1:5556/dex" steps: - uses: actions/checkout@v4 - uses: actions/setup-go@v5 with: go-version: ${{ matrix.go-version }} check-latest: true - name: Test LDAP/OpenID/Etcd combo env: _MINIO_LDAP_TEST_SERVER: ${{ matrix.ldap }} _MINIO_ETCD_TEST_SERVER: ${{ matrix.etcd }} _MINIO_OPENID_TEST_SERVER: ${{ matrix.openid }} run: | sudo sysctl net.ipv6.conf.all.disable_ipv6=0 sudo sysctl net.ipv6.conf.default.disable_ipv6=0 make test-iam - name: Test with multiple OpenID providers if: matrix.openid == 'http://127.0.0.1:5556/dex' env: _MINIO_LDAP_TEST_SERVER: ${{ matrix.ldap }} _MINIO_ETCD_TEST_SERVER: ${{ matrix.etcd }} _MINIO_OPENID_TEST_SERVER: ${{ matrix.openid }} _MINIO_OPENID_TEST_SERVER_2: "http://127.0.0.1:5557/dex" run: | sudo sysctl net.ipv6.conf.all.disable_ipv6=0 sudo sysctl net.ipv6.conf.default.disable_ipv6=0 make test-iam - name: Test with Access Management Plugin enabled env: _MINIO_LDAP_TEST_SERVER: ${{ matrix.ldap }} _MINIO_ETCD_TEST_SERVER: ${{ matrix.etcd }} _MINIO_OPENID_TEST_SERVER: ${{ matrix.openid }} _MINIO_POLICY_PLUGIN_TEST_ENDPOINT: "http://127.0.0.1:8080" run: | sudo sysctl net.ipv6.conf.all.disable_ipv6=0 sudo sysctl net.ipv6.conf.default.disable_ipv6=0 go run docs/iam/access-manager-plugin.go & make test-iam - name: Test MinIO Old Version data to IAM import current version if: matrix.ldap == 'ldaphost:389' env: _MINIO_LDAP_TEST_SERVER: ${{ matrix.ldap }} run: | make test-iam-ldap-upgrade-import - name: Test LDAP for automatic site replication if: matrix.ldap == 'localhost:389' run: | make test-site-replication-ldap - name: Test OIDC for automatic site replication if: matrix.openid == 'http://127.0.0.1:5556/dex' run: | make test-site-replication-oidc iam-import-with-missing-entities: name: Test IAM import in new cluster with missing entities runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-go@v5 with: go-version: ${{ matrix.go-version }} check-latest: true - name: Checkout minio-iam-testing uses: actions/checkout@v4 with: repository: minio/minio-iam-testing path: minio-iam-testing - name: Test import of IAM artifacts when in fresh cluster there are missing groups etc run: | make test-iam-import-with-missing-entities