Should minio be accessible when enabling internalFilestore through the helm chart?

[christianshub]

Such a great product you guys made 🚀

I have a somewhat silly question. How do you access the internal filestore (minio)? Is it intended that it should be accessible when run internally?

I was thinking I could access minio like I could access kibana for example.

The following are my running services:

NAME                              TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)             AGE
apm                               ClusterIP   None           <none>        8200/TCP            32m
assemblyline-kube-state-metrics   ClusterIP   10.43.67.103   <none>        8080/TCP            32m
datastore-master                  ClusterIP   10.43.248.85   <none>        9200/TCP,9300/TCP   32m
datastore-master-headless         ClusterIP   None           <none>        9200/TCP,9300/TCP   32m
elastic-helper                    ClusterIP   None           <none>        8000/TCP            32m
filestore                         ClusterIP   10.43.48.23    <none>        9000/TCP            32m
frontend                          ClusterIP   None           <none>        3000/TCP            32m
internal-ui                       ClusterIP   None           <none>        5000/TCP            32m
kibana                            ClusterIP   10.43.190.8    <none>        5601/TCP            32m
redis-persistent                  ClusterIP   None           <none>        6379/TCP            32m
redis-volatile                    ClusterIP   None           <none>        6379/TCP            32m
service-server                    ClusterIP   None           <none>        5003/TCP            32m
socketio                          ClusterIP   None           <none>        5002/TCP            32m
ui                                ClusterIP   None           <none>        5000/TCP            32m
ui-ingest                         ClusterIP   None           <none>        5000/TCP            32m

Assemblyline-ingress:

✗ kubectl describe ingress assemblyline-ingress 
Name:             assemblyline-ingress
Labels:           <none>
Namespace:        assemblyline
Address:          192.168.50.117,192.168.50.173,192.168.50.189,192.168.50.71
Ingress Class:    traefik
Default backend:  <default>
TLS:
  assemblyline-generated-cert terminates assemblyline.local
Rules:
  Host                Path  Backends
  ----                ----  --------
  assemblyline.local  
                      /                 frontend:3000 (10.42.3.205:3000)
                      /socket.io/       socketio:5002 (10.42.1.199:5002)
                      /api/             ui:5000 (10.42.2.177:5000)
                      /api/v4/ingest/   ui-ingest:5000 (10.42.0.168:5000)
                      /kibana/          kibana:5601 (10.42.1.198:5601)
Annotations:          <none>
Events:               <none>

assemblyline.local is just a locally created DNS pointing at one of my master nodes (192.168.50.117).

I am using the newest helm chart. These are my settings relevant to filestore (sorry if I missed something):

enableLogging: true
enableCoreDebugging: false
enableMetrics: true
enableMetricbeat: true
internalELKStack: true
seperateInternalELKStack: false
internalFilestore: true
separateIngestAPI: true
enableAPM: true
...
configuration:
  ...
  filestore:
    archive: []
    cache:
      [
        "s3://${INTERNAL_FILESTORE_ACCESS}:${INTERNAL_FILESTORE_KEY}@filestore:9000?s3_bucket=al-cache&use_ssl=False",
      ]
    storage:
      [
        "s3://${INTERNAL_FILESTORE_ACCESS}:${INTERNAL_FILESTORE_KEY}@filestore:9000?s3_bucket=al-storage&use_ssl=False",
      ]
...
filestore:
  fullnameOverride: "filestore"
  podLabels:
    section: core
    component: filestore
  existingSecret: internal-filestore-keys

I've tried to edit the service account of filestore to be of type LoadBalancer and NodePort to be able to call the site externally, this did not work sadly.
Just wanted to confirm that minio is supposed to be accessible when internalFilestore is enabled.

Best regards

[cccs-rs]

Hello!

The internal filestore endpoint isn't supposed to be accessible from outside the cluster, unlike for Kibana.
Enabling internalFilestore just provides a way to hosting an in-cluster filestore if you don't have an external filestore(s) to use.

That being said, is there a particular use-case that you have where you would want to peruse the filestore?

[cccs-sgaron]

If I might add to that, we cannot make the filestore externally accessible as it would bypass internal document security checks (classification markings). You can always us the /api/v4/file/download// API to get to those files.

[christianshub]

Thank you for the quick response-time 👍

Hello!

The internal filestore endpoint isn't supposed to be accessible from outside the cluster, unlike for Kibana. Enabling internalFilestore just provides a way to hosting an in-cluster filestore if don't have an external filestore(s) to use.

That being said, is there a particular use-case that you have where you would want to peruse the filestore?

I had trouble running service-extract and pe with their default settings (privileged: true) when running an external minio database. And it solved my issue to just use an internal minio instance, but then I gave up the access to minio.

If I might add to that, we cannot make the filestore externally accessible as it would bypass internal document security checks (classification markings). You can always us the /api/v4/file/download// API to get to those files.

All I needed was to have the opportunity to access the files - which I see I have through the API. So its all fine :-)

[cccs-sgaron]

One piece of advice if you use external file storage, there is a values.yml variable privilegedSafelistedCIDRs that you can use to create extra routes so your components can use external filestores. You can add this to your values.yml and replace 127.0.0.1/32 with the cidr representation of your file storage IP:

privilegedSafelistedCIDRs: ["127.0.0.1/32"]