feat: Adding minio with dex auth to nerc-ocp-obs cluster #616

Merged: 4 commits, Dec 6, 2024
1 change: 1 addition & 0 deletions cluster-scope/overlays/nerc-ocp-obs/kustomization.yaml
@@ -15,6 +15,7 @@ resources:
- ../../bundles/prom-keycloak-proxy
- ../../bundles/zookeeper
- ../../bundles/solr
- ../../bundles/minio
- ../../base/core/namespaces/openshift-gitops
- ../../base/core/namespaces/dex
- ../../base/rbac.authorization.k8s.io/clusterroles/allow-edit-rbac
@@ -3,6 +3,9 @@ kind: ExternalSecret
metadata:
name: dex-clients
spec:
secretStoreRef:
name: nerc-cluster-secrets
kind: ClusterSecretStore
dataFrom:
- extract:
key: nerc-ocp-infra/dex/dex-clients
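Review bot: this hunk changes the nerc-ocp-infra overlay (store key `nerc-ocp-infra/dex/dex-clients`) although the PR is scoped to the nerc-ocp-obs cluster; say in the description why the infra cluster's `dex-clients` ExternalSecret also needs the explicit `secretStoreRef`, or split it into its own commit so the two clusters' secret wiring can be reviewed separately.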
11 changes: 11 additions & 0 deletions dex/overlays/nerc-ocp-obs/configmaps/files/config.yaml
@@ -21,6 +21,17 @@ staticClients:
redirectURIs:
- https://grafana.apps.obs.nerc.mghpcc.org/login/generic_oauth
secretEnv: GRAFANA_SECRET
- id: minio
name: MinIO
redirectURIs:
- https://minio-console-minio.apps.obs.nerc.mghpcc.org/oauth_callback
- https://minio-minio.apps.obs.nerc.mghpcc.org/oauth_callback
secretEnv: MINIO_IDENTITY_OPENID_CLIENT_SECRET
- id: ai-telemetry
name: AI Telemetry
redirectURIs:
- https://keycloak.apps.obs.nerc.mghpcc.org/realms/NERC/broker/OpenShift/endpoint
secretEnv: AI_TELEMETRY_AUTH_SECRET

connectors:
- type: openshift
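Review bot: the `ai-telemetry` static client (redirecting to the Keycloak `broker/OpenShift/endpoint`) is unrelated to the MinIO integration named in the PR title; split it into its own commit or call it out in the description so the new `AI_TELEMETRY_AUTH_SECRET` client credential gets reviewed on its own. For the `minio` client, both the console host and the API host are registered with an `/oauth_callback` redirect URI, which is what `MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC=on` in the overlay's env file depends on: Dex matches `redirect_uri` exactly, so any further route hostname for MinIO will need an entry here as well.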
@@ -3,6 +3,9 @@ kind: ExternalSecret
metadata:
name: dex-clients
spec:
secretStoreRef:
name: nerc-cluster-secrets
kind: ClusterSecretStore
dataFrom:
- extract:
key: nerc-ocp-obs/dex/dex-clients
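Review bot: the new Dex client reads its secret from `MINIO_IDENTITY_OPENID_CLIENT_SECRET`, which this ExternalSecret now has to supply from `nerc-ocp-obs/dex/dex-clients`; nothing in the PR shows that key being added to the store, so confirm it exists there and that the same value is the one MinIO is given, otherwise the OIDC handshake will fail with a client secret mismatch.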
2 changes: 1 addition & 1 deletion minio/base/deployment.yaml
@@ -16,7 +16,7 @@ spec:
- configMapRef:
name: minio-config
optional: true
image: docker.io/minio/minio:RELEASE.2024-11-07T00-52-20Z
image: quay.io/minio/minio:RELEASE.2024-11-07T00-52-20Z
ports:
- containerPort: 9000
name: object-storage
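Review bot: the registry moves from docker.io to quay.io but the image is still pinned only by the mutable tag `RELEASE.2024-11-07T00-52-20Z`; add an `@sha256:` digest so a change of registry cannot silently change the bits that run. Note also that the `minio-config` ConfigMap is `optional: true`: if the overlay's generated ConfigMap is missing or misnamed the pod still starts, only without the OIDC settings, which leaves MinIO reachable with the static admin credentials alone.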
@@ -0,0 +1,12 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: minio-admin-credentials
namespace: minio
spec:
secretStoreRef:
name: nerc-cluster-secrets
kind: ClusterSecretStore
dataFrom:
- extract:
key: nerc/nerc-ocp-obs/minio/minio-admin-credentials
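Review bot: the store key `nerc/nerc-ocp-obs/minio/minio-admin-credentials` carries a leading `nerc/` segment that the Dex keys in the same PR (`nerc-ocp-obs/dex/dex-clients`) do not; if the backend path is really `nerc-ocp-obs/minio/minio-admin-credentials` this ExternalSecret will sit in an error state and the `minio-admin-credentials` Secret will never be created. The file name is not shown in this rendering; from the overlay kustomization it is the `externalsecrets/patch-minio-admin-credentials.yaml` patch.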
11 changes: 11 additions & 0 deletions minio/overlays/nerc-ocp-obs/files/minio-config.env
@@ -0,0 +1,11 @@
# Documentation: https://min.io/docs/minio/linux/reference/minio-server/settings/iam/openid.html

MINIO_IDENTITY_OPENID_CONFIG_URL=https://dex-dex.apps.obs.nerc.mghpcc.org/.well-known/openid-configuration
MINIO_IDENTITY_OPENID_CLIENT_ID=minio
MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC=on

# This tells minio to look up policy names in the "groups" claim (so e.g. if
# someone in the "nerc-ops" group logs in, minio will look for a "nerc-ops"
# policy to apply). A person cannot log in if there is no policy matches any of
# the claim values.
MINIO_IDENTITY_OPENID_CLAIM_NAME=groups
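Review bot: with `MINIO_IDENTITY_OPENID_CLAIM_NAME=groups` nobody can log in through Dex until MinIO policies named after the groups exist (the file's own comment says a user with no matching policy is denied), and this PR creates no such policies; add them (for example the `nerc-ops` policy the comment mentions) or document where they are provisioned. The comment's last sentence should read "if no policy matches any of the claim values". `MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC=on` makes MinIO derive the `redirect_uri` from the incoming request rather than from a fixed setting; that is bounded by the two redirect URIs registered in the Dex client, but it deserves a comment here so the coupling is visible.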
14 changes: 14 additions & 0 deletions minio/overlays/nerc-ocp-obs/kustomization.yaml
@@ -0,0 +1,14 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base

configMapGenerator:
- name: minio-config
namespace: minio
envs:
- files/minio-config.env

patches:
- path: externalsecrets/patch-minio-admin-credentials.yaml
- path: persistentvolumeclaims/patch-pvc.yaml
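Review bot: `configMapGenerator` appends a content hash to the `minio-config` name; kustomize rewrites the base Deployment's `envFrom` `configMapRef` to the hashed name in the same build, but because that ref is `optional: true` a reference that is not rewritten would not fail the pod, it would just drop the OIDC settings. Check the rendered output (`kustomize build minio/overlays/nerc-ocp-obs`) and confirm the Deployment references `minio-config-<hash>`, or set `options: disableNameSuffixHash: true` on the generator if the base name has to stay stable.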
@@ -0,0 +1,8 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: minio-data
spec:
resources:
requests:
storage: 20Ti