Skip to content

Configure Minio buckets, policies, and users #48

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 45 commits into from
Oct 31, 2025
Merged

Configure Minio buckets, policies, and users #48

Show file tree
Hide file tree
Changes from 44 commits
Commits
Show all changes
45 commits
Select commit Hold shift + click to select a range
939bc38
Add k8s job to interact with minio server
craddm May 1, 2025
b6497ea
Merge remote-tracking branch 'upstream/cilium' into configure-minio
craddm May 1, 2025
f71086b
use job to give set up a container with minio credentials
craddm May 1, 2025
7afd928
Merge remote-tracking branch 'upstream/main' into configure-minio
craddm May 6, 2025
e26c69b
Mount script and policies using configmap, then run job to configure …
craddm May 6, 2025
d915ff1
Create Minio buckets using helm chart
craddm May 6, 2025
757a85f
Fix typo
craddm May 6, 2025
3b49c27
strip json from filename for policy name
craddm May 7, 2025
d8da113
Add pulumi random to requirements
craddm May 7, 2025
5933dcb
create some initial secrets with account details
craddm May 7, 2025
0ebd29f
Add depends on secrets
craddm May 7, 2025
363f016
specify user names in minio tenant values
craddm May 7, 2025
2a38503
Merge remote-tracking branch 'upstream/main' into configure-minio
craddm May 7, 2025
ca3f047
Use minio_alias variable in template
craddm May 7, 2025
fad0c0b
Add some additional comments to the code
craddm May 14, 2025
a6280d1
Merge remote-tracking branch 'upstream/main' into configure-minio
craddm May 14, 2025
1a677ae
Merge branch 'main' into configure-minio
craddm May 21, 2025
089ef92
Merge remote-tracking branch 'upstream/main' into configure-minio
craddm May 21, 2025
5f132e6
Merge branch 'main' into configure-minio
craddm Aug 4, 2025
46a41c4
Take minio config code out of main and into its own component file
craddm Aug 5, 2025
cbdbe8a
Add minio config component to init
craddm Aug 5, 2025
181be87
Refactoring minio configuration files
craddm Aug 5, 2025
8818825
Make network policies depend on minio config completion
craddm Aug 5, 2025
9df84ba
Correct shell script syntax
craddm Aug 5, 2025
a6fd45f
Delete unneeded files
craddm Aug 5, 2025
0913ef9
Add policy to be used for argo workflows pods
craddm Aug 5, 2025
d7c7595
Add policy for argo workflow pods
craddm Aug 5, 2025
e9fea99
Add rule to allow minio config job to access MinIO service
craddm Aug 5, 2025
deffadd
Move policies to separate directory and load them dynamically
craddm Aug 6, 2025
e298a73
Merge branch 'main' into configure-minio
craddm Sep 26, 2025
55e0119
Modify minio component to expose namespaces and charts as attributes
craddm Sep 26, 2025
384a7de
Remove unneeded imports and fix references to instance variables
craddm Sep 26, 2025
4de7a87
Rename policy files
craddm Sep 26, 2025
6b695e9
Pass minio resources to MinioConfigJob
craddm Sep 26, 2025
7743103
Add network rules to allow Minio Config jobs to access Minio
craddm Sep 26, 2025
af03327
Add ingress and egress buckets
LakshithadeSilva Oct 15, 2025
b6a8a6c
Setup anonymous access on ingress/egress buckests
LakshithadeSilva Oct 15, 2025
5861beb
Merge branch 'main' into configure-minio
craddm Oct 21, 2025
2e7fec3
Delete superfluous minio policy folder
craddm Oct 21, 2025
aeac722
Remove unused 'load_policy' function
LakshithadeSilva Oct 22, 2025
9e801c5
Update infra/fridge/__main__.py
craddm Oct 22, 2025
8adcfef
Update infra/fridge/requirements.txt
craddm Oct 22, 2025
64b3be3
Fix linting
craddm Oct 22, 2025
ea2cf73
Merge branch 'main' into configure-minio
craddm Oct 22, 2025
7905150
Modify script for configuring MinIO to use environment variables
craddm Oct 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 17 additions & 1 deletion infra/fridge/__main__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -102,7 +102,7 @@ def patch_namespace(name: str, pss: PodSecurityStandard) -> NamespacePatch:
for namespace in standard_namespaces:
patch_namespace(namespace, PodSecurityStandard.RESTRICTED)

# Minio
# MinIO
minio = components.ObjectStorage(
"minio",
args=components.ObjectStorageArgs(
Expand All @@ -119,6 +119,22 @@ def patch_namespace(name: str, pss: PodSecurityStandard) -> NamespacePatch:
),
)

# MinIO configuration
minio_config = components.MinioConfigJob(
name=f"{stack_name}-minio-config-job",
args=components.MinioConfigArgs(
minio_tenant_ns=minio.minio_tenant_ns,
minio_tenant=minio.minio_tenant,
minio_credentials={
"minio_root_user": config.require_secret("minio_root_user"),
"minio_root_password": config.require_secret("minio_root_password"),
},
),
opts=ResourceOptions(
depends_on=[minio],
),
)

# Argo Workflows
enable_sso = k8s_environment is not K8sEnvironment.K3S

Expand Down
1 change: 1 addition & 0 deletions infra/fridge/components/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
from .cert_manager import CertManager, CertManagerArgs
from .container_registry import ContainerRegistry, ContainerRegistryArgs
from .ingress import Ingress, IngressArgs
from .minio_config import MinioConfigJob, MinioConfigArgs
from .network_policies import NetworkPolicies
from .object_storage import ObjectStorage, ObjectStorageArgs
from .storage_classes import StorageClasses, StorageClassesArgs
Expand Down
140 changes: 140 additions & 0 deletions infra/fridge/components/minio_config.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,140 @@
import os
from pulumi import ComponentResource, ResourceOptions
from pulumi_kubernetes.batch.v1 import (
Job,
JobSpecArgs,
)
from pulumi_kubernetes.core.v1 import (
ConfigMap,
ConfigMapVolumeSourceArgs,
ContainerArgs,
EnvVarArgs,
Namespace,
PodSpecArgs,
PodTemplateSpecArgs,
SecurityContextArgs,
VolumeMountArgs,
VolumeArgs,
)
from pulumi_kubernetes.helm.v4 import Chart
from pulumi_kubernetes.meta.v1 import ObjectMetaArgs


class MinioConfigArgs:
def __init__(
self, minio_tenant_ns: Namespace, minio_tenant: Chart, minio_credentials: dict
):
self.minio_tenant_ns = minio_tenant_ns
self.minio_tenant = minio_tenant
self.minio_credentials = minio_credentials


class MinioConfigJob(ComponentResource):
def __init__(
self, name: str, args: MinioConfigArgs, opts: ResourceOptions | None = None
) -> None:
super().__init__("fridge:k8s:MinioConfigJob", name, {}, opts)
child_opts = ResourceOptions.merge(opts, ResourceOptions(parent=self))

minio_setup_sh = """
echo "Configuring ingress and egress buckets with anonymous S3 policies"
mc anonymous set upload $1/egress
mc anonymous set download $1/ingress
"""

# Create a ConfigMap for MinIO configuration
minio_config_map = ConfigMap(
"minio-configuration",
metadata=ObjectMetaArgs(
name="minio-configuration",
namespace=args.minio_tenant_ns.metadata.name,
),
data={
"MINIO_ALIAS": "argoartifacts",
"MINIO_URL": "http://minio.argo-artifacts.svc.cluster.local:80",
"MINIO_NAMESPACE": args.minio_tenant_ns.metadata.name,
"setup.sh": minio_setup_sh,
},
opts=child_opts,
)

# Create a Job to configure MinIO
Job(
"minio-config-job",
metadata=ObjectMetaArgs(
name="minio-config-job",
namespace=args.minio_tenant_ns.metadata.name,
labels={"app": "minio-config-job"},
),
spec=JobSpecArgs(
backoff_limit=1,
template=PodTemplateSpecArgs(
spec=PodSpecArgs(
containers=[
ContainerArgs(
name="minio-config-job",
image="minio/mc:latest",
command=[
"/bin/sh",
"-c",
],
args=[
"mc --insecure alias set argoartifacts http://minio.argo-artifacts.svc.cluster.local:80 $(MINIO_ROOT_USER) $(MINIO_ROOT_PASSWORD) &&"
"/tmp/scripts/setup.sh argoartifacts;",
],
Comment on lines 84 to 86
Copy link
Member

@JimMadge JimMadge Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason to pass some commands as an argument here and others in a script?

Copy link
Collaborator

@LakshithadeSilva LakshithadeSilva Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@craddm possibly explain better, but 'mc' expects the alias to set first so the subsequent commands can refer to that alias. The script includes a bunch of mc commands, but alternatively we can have those here as well.

Copy link
Contributor Author

@craddm craddm Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this.

Copy link
Member

@JimMadge JimMadge Oct 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, does it not work if the mc alias set command is in the script?

Copy link
Contributor Author

@craddm craddm Oct 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Modified this so all the commands are in the script, and the script now gets everything from the environment variables instead

resources={
"requests": {
"cpu": "100m",
"memory": "128Mi",
},
"limits": {
"cpu": "100m",
"memory": "128Mi",
},
},
env=[
EnvVarArgs(name="MC_CONFIG_DIR", value="/tmp/.mc"),
EnvVarArgs(
name="MINIO_ROOT_USER",
value=args.minio_credentials.get(
"minio_root_user", ""
),
),
EnvVarArgs(
name="MINIO_ROOT_PASSWORD",
value=args.minio_credentials.get(
"minio_root_password", ""
),
),
],
security_context=SecurityContextArgs(
allow_privilege_escalation=False,
capabilities={"drop": ["ALL"]},
run_as_group=1000,
run_as_non_root=True,
run_as_user=1000,
seccomp_profile={"type": "RuntimeDefault"},
),
volume_mounts=[
VolumeMountArgs(
name="minio-config-volume",
mount_path="/tmp/scripts/",
)
],
)
],
volumes=[
VolumeArgs(
name="minio-config-volume",
config_map=ConfigMapVolumeSourceArgs(
name=minio_config_map.metadata.name,
default_mode=0o777,
),
)
],
restart_policy="Never",
),
),
),
opts=child_opts,
)
62 changes: 31 additions & 31 deletions infra/fridge/components/object_storage.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ def __init__(
super().__init__("fridge:ObjectStorage", name, {}, opts)
child_opts = ResourceOptions.merge(opts, ResourceOptions(parent=self))

minio_operator_ns = Namespace(
self.minio_operator_ns = Namespace(
"minio-operator-ns",
metadata=ObjectMetaArgs(
name="minio-operator",
Expand All @@ -44,7 +44,7 @@ def __init__(
opts=child_opts,
)

minio_tenant_ns = Namespace(
self.minio_tenant_ns = Namespace(
"minio-tenant-ns",
metadata=ObjectMetaArgs(
name="argo-artifacts",
Expand All @@ -53,29 +53,29 @@ def __init__(
opts=child_opts,
)

minio_operator = Chart(
self.minio_operator = Chart(
"minio-operator",
namespace=minio_operator_ns.metadata.name,
namespace=self.minio_operator_ns.metadata.name,
chart="operator",
repository_opts=RepositoryOptsArgs(
repo="https://operator.min.io",
),
version="7.1.1",
opts=ResourceOptions.merge(
child_opts,
ResourceOptions(depends_on=[minio_operator_ns]),
ResourceOptions(depends_on=[self.minio_operator_ns]),
),
)

minio_fqdn = ".".join(
self.minio_fqdn = ".".join(
(
args.config.require("minio_fqdn_prefix"),
args.config.require("base_fqdn"),
)
)

minio_cluster_url = pulumi.Output.concat(
"minio.", minio_tenant_ns.metadata.name, ".svc.cluster.local"
self.minio_cluster_url = pulumi.Output.concat(
"minio.", self.minio_tenant_ns.metadata.name, ".svc.cluster.local"
)

minio_config_env = Output.format(
Expand All @@ -85,8 +85,8 @@ def __init__(
"export MINIO_ROOT_USER={2}\n"
"export MINIO_ROOT_PASSWORD={3}"
),
minio_fqdn,
minio_cluster_url,
self.minio_fqdn,
self.minio_cluster_url,
args.config.require_secret("minio_root_user"),
args.config.require_secret("minio_root_password"),
)
Expand All @@ -95,21 +95,21 @@ def __init__(
"minio-env-secret",
metadata=ObjectMetaArgs(
name="argo-artifacts-env-configuration",
namespace=minio_tenant_ns.metadata.name,
namespace=self.minio_tenant_ns.metadata.name,
),
type="Opaque",
string_data={
"config.env": minio_config_env,
},
opts=ResourceOptions.merge(
child_opts,
ResourceOptions(depends_on=[minio_tenant_ns]),
ResourceOptions(depends_on=[self.minio_tenant_ns]),
),
)

minio_tenant = Chart(
self.minio_tenant = Chart(
"minio-tenant",
namespace=minio_tenant_ns.metadata.name,
namespace=self.minio_tenant_ns.metadata.name,
chart="tenant",
name="argo-artifacts",
version="7.1.1",
Expand All @@ -121,6 +121,8 @@ def __init__(
"name": "argo-artifacts",
"buckets": [
{"name": "argo-artifacts"},
{"name": "ingress"},
{"name": "egress"},
],
"certificate": {
"requestAutoCert": "false",
Expand All @@ -136,10 +138,10 @@ def __init__(
},
"features": {
"domains": {
"console": minio_fqdn,
"console": self.minio_fqdn,
"minio": [
Output.concat(minio_fqdn, "/api"),
minio_cluster_url,
Output.concat(self.minio_fqdn, "/api"),
self.minio_cluster_url,
],
}
},
Expand Down Expand Up @@ -169,18 +171,18 @@ def __init__(
ResourceOptions(
depends_on=[
minio_env_secret,
minio_operator,
minio_tenant_ns,
self.minio_operator,
self.minio_tenant_ns,
]
),
),
)

minio_ingress = Ingress(
self.minio_ingress = Ingress(
"minio-ingress",
metadata=ObjectMetaArgs(
name="minio-ingress",
namespace=minio_tenant_ns.metadata.name,
namespace=self.minio_tenant_ns.metadata.name,
annotations={
"nginx.ingress.kubernetes.io/proxy-body-size": "0",
"nginx.ingress.kubernetes.io/force-ssl-redirect": "true",
Expand All @@ -193,7 +195,7 @@ def __init__(
ingress_class_name="nginx",
rules=[
IngressRuleArgs(
host=minio_fqdn,
host=self.minio_fqdn,
http={
"paths": [
{
Expand All @@ -212,26 +214,24 @@ def __init__(
],
tls=[
IngressTLSArgs(
hosts=[minio_fqdn],
hosts=[self.minio_fqdn],
secret_name="argo-artifacts-tls",
)
],
),
opts=ResourceOptions.merge(
child_opts,
ResourceOptions(depends_on=[minio_tenant]),
ResourceOptions(depends_on=[self.minio_tenant]),
),
)

self.minio_fqdn = minio_fqdn
self.minio_cluster_url = minio_cluster_url
self.register_outputs(
{
"minio_ingress": minio_ingress,
"minio_tenant": minio_tenant,
"minio_operator": minio_operator,
"minio_ingress": self.minio_ingress,
"minio_tenant": self.minio_tenant,
"minio_operator": self.minio_operator,
"minio_env_secret": minio_env_secret,
"minio_tenant_ns": minio_tenant_ns,
"minio_operator_ns": minio_operator_ns,
"minio_tenant_ns": self.minio_tenant_ns,
"minio_operator_ns": self.minio_operator_ns,
}
)
Loading
Loading