Merge pull request #616 from dheerajodha/add-minio-to-obs

feat: Adding minio with dex auth to nerc-ocp-obs cluster

cluster-scope/overlays/nerc-ocp-obs/kustomization.yaml

@@ -15,6 +15,7 @@ resources:
 - ../../bundles/prom-keycloak-proxy
 - ../../bundles/zookeeper
 - ../../bundles/solr
+- ../../bundles/minio
 - ../../base/core/namespaces/openshift-gitops
 - ../../base/core/namespaces/dex
 - ../../base/rbac.authorization.k8s.io/clusterroles/allow-edit-rbac

dex/overlays/nerc-ocp-infra/externalsecrets/dex-clients_patch.yaml

@@ -3,6 +3,9 @@ kind: ExternalSecret
 metadata:
   name: dex-clients
 spec:
+  secretStoreRef:
+    name: nerc-cluster-secrets
+    kind: ClusterSecretStore
   dataFrom:
     - extract:
         key: nerc-ocp-infra/dex/dex-clients

dex/overlays/nerc-ocp-obs/configmaps/files/config.yaml

@@ -21,6 +21,17 @@ staticClients:
     redirectURIs:
       - https://grafana.apps.obs.nerc.mghpcc.org/login/generic_oauth
     secretEnv: GRAFANA_SECRET
+  - id: minio
+    name: MinIO
+    redirectURIs:
+      - https://minio-console-minio.apps.obs.nerc.mghpcc.org/oauth_callback
+      - https://minio-minio.apps.obs.nerc.mghpcc.org/oauth_callback
+    secretEnv: MINIO_IDENTITY_OPENID_CLIENT_SECRET
+  - id: ai-telemetry
+    name: AI Telemetry
+    redirectURIs:
+      - https://keycloak.apps.obs.nerc.mghpcc.org/realms/NERC/broker/OpenShift/endpoint
+    secretEnv: AI_TELEMETRY_AUTH_SECRET
 
 connectors:
   - type: openshift

dex/overlays/nerc-ocp-obs/externalsecrets/dex-clients_patch.yaml

@@ -3,6 +3,9 @@ kind: ExternalSecret
 metadata:
   name: dex-clients
 spec:
+  secretStoreRef:
+    name: nerc-cluster-secrets
+    kind: ClusterSecretStore
   dataFrom:
     - extract:
         key: nerc-ocp-obs/dex/dex-clients

minio/base/deployment.yaml

@@ -16,7 +16,7 @@ spec:
         - configMapRef:
             name: minio-config
             optional: true
-        image: docker.io/minio/minio:RELEASE.2024-11-07T00-52-20Z
+        image: quay.io/minio/minio:RELEASE.2024-11-07T00-52-20Z
         ports:
         - containerPort: 9000
           name: object-storage

minio/overlays/nerc-ocp-obs/externalsecrets/patch-minio-admin-credentials.yaml

@@ -0,0 +1,12 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: minio-admin-credentials
+  namespace: minio
+spec:
+  secretStoreRef:
+    name: nerc-cluster-secrets
+    kind: ClusterSecretStore
+  dataFrom:
+    - extract:
+        key: nerc/nerc-ocp-obs/minio/minio-admin-credentials

minio/overlays/nerc-ocp-obs/files/minio-config.env

@@ -0,0 +1,11 @@
+# Documentation: https://min.io/docs/minio/linux/reference/minio-server/settings/iam/openid.html
+
+MINIO_IDENTITY_OPENID_CONFIG_URL=https://dex-dex.apps.obs.nerc.mghpcc.org/.well-known/openid-configuration
+MINIO_IDENTITY_OPENID_CLIENT_ID=minio
+MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC=on
+
+# This tells minio to look up policy names in the "groups" claim (so e.g. if
+# someone in the "nerc-ops" group logs in, minio will look for a "nerc-ops"
+# policy to apply). A person cannot log in if there is no policy matches any of
+# the claim values.
+MINIO_IDENTITY_OPENID_CLAIM_NAME=groups

minio/overlays/nerc-ocp-obs/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+configMapGenerator:
+- name: minio-config
+  namespace: minio
+  envs:
+  - files/minio-config.env
+
+patches:
+  - path: externalsecrets/patch-minio-admin-credentials.yaml
+  - path: persistentvolumeclaims/patch-pvc.yaml

minio/overlays/nerc-ocp-obs/persistentvolumeclaims/patch-pvc.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: minio-data
+spec:
+  resources:
+    requests:
+      storage: 20Ti