Configure Minio buckets, policies, and users

infra/fridge/Pulumi.dev.yaml

@@ -4,7 +4,10 @@ config:
     - https://graph.microsoft.com/Group.Read.All
     - email
   fridge:argo_fqdn_prefix: argo
-  fridge:base_fqdn: fridge.develop.turingsafehaven.ac.uk
+  fridge:azure_disk_encryption_set: fridge-disk-encryption-set
+  fridge:azure_subscription_id: "36cfe11d-bfcd-4dce-9b70-c3905a4f3d01"
+  fridge:azure_resource_group: fridge-one
+  fridge:base_fqdn: aks.fridge.develop.turingsafehaven.ac.uk
   fridge:harbor_admin_password:
     secure: v1:3+jAcVhe/3xj57pG:EEgytR6DgCOZqJrJsoHyLNEwWPOLxW5/
   fridge:harbor_ip: 10.0.50.50
@@ -29,4 +32,8 @@ config:
   pulumi:autonaming:
     mode: verbatim
   kubernetes:context: cluster
+  fridge:fridge_api_admin:
+    secure: v1:nn2LgdxeGCv5c0Lv:pr4uv23iVaHqcZ9cq0FqZnNtKNaRCciG
+  fridge:fridge_api_password:
+    secure: v1:x/BGXr+SaRLFlvZf:KN9s8Tu7wbRc/Pk3yOBv6Jp0VHsjp64UXZw=
 encryptionsalt: v1:UMTR46NTSCc=:v1:dRO4tTAutzORsIcQ:BEEfHoJF1QYioY1S3mfhAsEth2I7AA==

infra/fridge/Pulumi.local-k3s.yaml

@@ -1,7 +1,7 @@
 encryptionsalt: v1:ykjzeFXxJjM=:v1:lelRqe5sSoksTSch:PoR4OU+t4z2i7P1rWQorCrsPlKOT4w==
 config:
   kubernetes:context: default
-  fridge:tls_environment: staging
+  fridge:tls_environment: development
   fridge:k8s_env: K3s
   fridge:argo_fqdn_prefix: argo
   fridge:base_fqdn: fridge.internal

infra/fridge/__main__.py

@@ -100,7 +100,7 @@ def patch_namespace(name: str, pss: PodSecurityStandard) -> NamespacePatch:
 for namespace in standard_namespaces:
     patch_namespace(namespace, PodSecurityStandard.RESTRICTED)
 
-# Minio
+# MinIO
 minio = components.ObjectStorage(
     "minio",
     args=components.ObjectStorageArgs(
@@ -117,6 +117,22 @@ def patch_namespace(name: str, pss: PodSecurityStandard) -> NamespacePatch:
     ),
 )
 
+# MinIO configuration job
+minio_config = components.MinioConfigJob(
+    name=f"{stack_name}-minio-config-job",
+    args=components.MinioConfigArgs(
+        minio_tenant_ns=minio.minio_tenant_ns,
+        minio_tenant=minio.minio_tenant,
+        minio_credentials={
+            "minio_root_user": config.require_secret("minio_root_user"),
+            "minio_root_password": config.require_secret("minio_root_password"),
+        },
+    ),
+    opts=ResourceOptions(
+        depends_on=[minio],
+    ),
+)
+
 # Argo Workflows
 enable_sso = k8s_environment is not K8sEnvironment.K3S
 

infra/fridge/components/__init__.py

@@ -2,6 +2,7 @@
 from .cert_manager import CertManager, CertManagerArgs
 from .container_registry import ContainerRegistry, ContainerRegistryArgs
 from .ingress import Ingress, IngressArgs
+from .minio_config import MinioConfigJob, MinioConfigArgs
 from .network_policies import NetworkPolicies
 from .object_storage import ObjectStorage, ObjectStorageArgs
 from .storage_classes import StorageClasses, StorageClassesArgs

infra/fridge/components/minio_config.py

@@ -0,0 +1,150 @@
+import os
+from pulumi import ComponentResource, ResourceOptions
+from pulumi_kubernetes.batch.v1 import (
+    Job,
+    JobSpecArgs,
+)
+from pulumi_kubernetes.core.v1 import (
+    ConfigMap,
+    ConfigMapVolumeSourceArgs,
+    ContainerArgs,
+    EnvVarArgs,
+    Namespace,
+    PodSpecArgs,
+    PodTemplateSpecArgs,
+    SecurityContextArgs,
+    VolumeMountArgs,
+    VolumeArgs,
+)
+from pulumi_kubernetes.helm.v4 import Chart
+from pulumi_kubernetes.meta.v1 import ObjectMetaArgs
+
+
+def load_policy(name: str) -> str:
+    """
+    Load a policy from the policies directory.
+    """
+    with open(
+        os.path.join(os.path.dirname(__file__), "minio_policies", name), "r"
+    ) as f:
+        return f.read()
+
+
+class MinioConfigArgs:
+    def __init__(
+        self, minio_tenant_ns: Namespace, minio_tenant: Chart, minio_credentials: dict
+    ):
+        self.minio_tenant_ns = minio_tenant_ns
+        self.minio_tenant = minio_tenant
+        self.minio_credentials = minio_credentials
+
+
+class MinioConfigJob(ComponentResource):
+    def __init__(
+        self, name: str, args: MinioConfigArgs, opts: ResourceOptions | None = None
+    ) -> None:
+        super().__init__("fridge:k8s:MinioConfigJob", name, {}, opts)
+        child_opts = ResourceOptions.merge(opts, ResourceOptions(parent=self))
+
+        minio_setup_sh = """
+            echo "Configuring ingress and egress buckets with anonymous S3 policies"
+            mc anonymous set upload $1/egress
+            mc anonymous set download $1/ingress
+        """
+
+        # Create a ConfigMap for MinIO configuration
+        minio_config_map = ConfigMap(
+            "minio-configuration",
+            metadata=ObjectMetaArgs(
+                name="minio-configuration",
+                namespace=args.minio_tenant_ns.metadata.name,
+            ),
+            data={
+                "MINIO_ALIAS": "argoartifacts",
+                "MINIO_URL": "http://minio.argo-artifacts.svc.cluster.local:80",
+                "MINIO_NAMESPACE": args.minio_tenant_ns.metadata.name,
+                "setup.sh": minio_setup_sh,
+            },
+            opts=child_opts,
+        )
+
+        # Create a Job to configure MinIO
+        Job(
+            "minio-config-job",
+            metadata=ObjectMetaArgs(
+                name="minio-config-job",
+                namespace=args.minio_tenant_ns.metadata.name,
+                labels={"app": "minio-config-job"},
+            ),
+            spec=JobSpecArgs(
+                backoff_limit=1,
+                template=PodTemplateSpecArgs(
+                    spec=PodSpecArgs(
+                        containers=[
+                            ContainerArgs(
+                                name="minio-config-job",
+                                image="minio/mc:latest",
+                                command=[
+                                    "/bin/sh",
+                                    "-c",
+                                ],
+                                args=[
+                                    "mc --insecure alias set argoartifacts http://minio.argo-artifacts.svc.cluster.local:80 $(MINIO_ROOT_USER) $(MINIO_ROOT_PASSWORD) &&"
+                                    "/tmp/scripts/setup.sh argoartifacts;",
+                                ],
+                                resources={
+                                    "requests": {
+                                        "cpu": "100m",
+                                        "memory": "128Mi",
+                                    },
+                                    "limits": {
+                                        "cpu": "100m",
+                                        "memory": "128Mi",
+                                    },
+                                },
+                                env=[
+                                    EnvVarArgs(name="MC_CONFIG_DIR", value="/tmp/.mc"),
+                                    EnvVarArgs(
+                                        name="MINIO_ROOT_USER",
+                                        value=args.minio_credentials.get(
+                                            "minio_root_user", ""
+                                        ),
+                                    ),
+                                    EnvVarArgs(
+                                        name="MINIO_ROOT_PASSWORD",
+                                        value=args.minio_credentials.get(
+                                            "minio_root_password", ""
+                                        ),
+                                    ),
+                                ],
+                                security_context=SecurityContextArgs(
+                                    allow_privilege_escalation=False,
+                                    capabilities={"drop": ["ALL"]},
+                                    run_as_group=1000,
+                                    run_as_non_root=True,
+                                    run_as_user=1000,
+                                    seccomp_profile={"type": "RuntimeDefault"},
+                                ),
+                                volume_mounts=[
+                                    VolumeMountArgs(
+                                        name="minio-config-volume",
+                                        mount_path="/tmp/scripts/",
+                                    )
+                                ],
+                            )
+                        ],
+                        volumes=[
+                            VolumeArgs(
+                                name="minio-config-volume",
+                                config_map=ConfigMapVolumeSourceArgs(
+                                    name=minio_config_map.metadata.name,
+                                    default_mode=0o777,
+                                ),
+                            )
+                        ],
+                        restart_policy="Never",
+                    ),
+                ),
+            ),
+            opts=child_opts,
+        )