
How to deploy MinIO in Openshift with Audit Log

Cesar Celis Hernandez edited this page Nov 3, 2022 · 18 revisions
  1. Assuming the Operator is already deployed:
  1. Create the tenant:
     1. Disable TLS
     2. Disable Prometheus:
  1. Start addressing securityContext issues:
  1. Under the pool name I will place an empty securityContext:

```yaml
  pools:
  - affinity:
      podAntiAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchExpressions:
            - key: v1.min.io/tenant
              operator: In
              values:
              - thunov3629pm
            - key: v1.min.io/pool
              operator: In
              values:
              - pool-0
          topologyKey: kubernetes.io/hostname
    name: pool-0
    securityContext: {}
```
  1. Bind the PV to the PVC using the StorageClass that was defined:

```yaml
spec:
  storageClassName: cesar
```
  1. Fix Audit Logs:

```yaml
  log:
    audit:
      diskCapacityGB: 5
    db:
      resources: {}
      securityContext:
        fsGroup: 1000660000
        fsGroupChangePolicy: Always
        runAsGroup: 1000660000
        runAsNonRoot: true
        runAsUser: 1000660000
      volumeClaimTemplate:
        metadata:
          creationTimestamp: null
          name: thunov3629pm-log
        spec:
          accessModes:
          - ReadWriteOnce
          resources:
            requests:
              storage: "5368709120"
        status: {}
    resources: {}
    securityContext:
      fsGroup: 1000660000
      fsGroupChangePolicy: Always
      runAsGroup: 1000660000
      runAsNonRoot: true
      runAsUser: 1000660000
```
  1. For the step below we need a `serviceAccountName: minio-operator` with the required permissions granted, because we can't change that security context: it is set by the operator code and the Tenant does not expose it:

```yaml
  log:
    audit:
      diskCapacityGB: 5
    db:
      resources: {}
      serviceAccountName: minio-operator
      securityContext:
        fsGroup: 1000660000
        fsGroupChangePolicy: Always
        runAsGroup: 1000660000
        runAsNonRoot: true
        runAsUser: 1000660000
```

```shell
oc create serviceaccount minio-operator -n thunov3629pm
oc adm policy add-scc-to-user privileged -n thunov3629pm -z minio-operator
```
  1. Wait a while and the DB will become reachable:
  1. Three pods running, two for the logs and one for MinIO:
  1. Tenant ready:
  1. Console accessible:
  1. Access those logs:

https://github.com/minio/operator/blob/master/logsearchapi/README.md

  1. Access the database with psql:
```
$ psql -U postgres
psql (13.8 (Debian 13.8-1.pgdg110+1))
Type "help" for help.

postgres=#
```
  1. List databases:

```
postgres=# \l
                                 List of databases
    Name    |  Owner   | Encoding |  Collate   |   Ctype    |   Access privileges   
------------+----------+----------+------------+------------+-----------------------
 minio_logs | postgres | UTF8     | en_US.utf8 | en_US.utf8 | 
 postgres   | postgres | UTF8     | en_US.utf8 | en_US.utf8 | 
 template0  | postgres | UTF8     | en_US.utf8 | en_US.utf8 | =c/postgres          +
            |          |          |            |            | postgres=CTc/postgres
 template1  | postgres | UTF8     | en_US.utf8 | en_US.utf8 | =c/postgres          +
            |          |          |            |            | postgres=CTc/postgres
(4 rows)
```
  1. Connect to the DB:

```
postgres=# \connect minio_logs
You are now connected to database "minio_logs" as user "postgres".
```
  1. List all tables:

```
minio_logs=# \dt
                          List of relations
 Schema |            Name             |       Type        |  Owner   
--------+-----------------------------+-------------------+----------
 public | audit_log_events            | partitioned table | postgres
 public | audit_log_events_2022_10_25 | table             | postgres
 public | audit_log_events_2022_11_01 | table             | postgres
 public | audit_log_events_2022_11_09 | table             | postgres
 public | request_info                | partitioned table | postgres
 public | request_info_2022_10_25     | table             | postgres
 public | request_info_2022_11_01     | table             | postgres
 public | request_info_2022_11_09     | table             | postgres
(8 rows)
```
  1. See the logs:

```
minio_logs=# select * from audit_log_events limit 1;
          event_time           | log
-------------------------------+-----
 2022-11-03 08:10:29.304667+00 | {"api": {"name": "SetConfigKV", "status": "OK", "accessKey": "CPTT25Z5ML2T2JPD", "statusCode": 200, "timeToResponse": 137173542}, "time": "2022-11-03T08:10:29.304666745Z", "version": "1", "requestID": "172404CA59A00D54", "userAgent": "MinIO (linux; arm64) madmin-go/0.0.1", "remotehost": "10.217.1.108", "deploymentid": "46257f3a-fb33-4396-b580-38ea6823045c", "requestHeader": {"User-Agent": "MinIO (linux; arm64) madmin-go/0.0.1", "X-Amz-Date": "20221103T081029Z", "Authorization": "AWS4-HMAC-SHA256 Credential=CPTT25Z5ML2T2JPD/20221103//s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=14a39f307ad880593314c24ff9a7d0c30ffc4d7f14f8204de40d03d59b8f9796", "Content-Length": "242", "X-Amz-Content-Sha256": "a82b1265768167dc603ed8aa8551a2394860c012c4abb3222ca9309e7df1dc67"}, "responseHeader": {"Vary": "Origin,Accept-Encoding", "Server": "MinIO", "Accept-Ranges": "bytes", "Content-Length": "0", "X-Amz-Request-Id": "172404CA59A00D54", "X-Xss-Protection": "1; mode=block", "X-Content-Type-Options": "nosniff", "X-Minio-Config-Applied": "true", "Content-Security-Policy": "block-all-mixed-content", "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}}
(1 row)
```
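As an added example (not from the original page or the operator project), two queries a defender can run against this `audit_log_events` table once the tenant is up: the first summarises which API each access key called and how many calls did not return `OK`, the second flags remote hosts producing bursts of 4xx responses. It assumes the `log` column is `jsonb` (cast with `log::jsonb` if your schema stores it as text); the JSON keys used (`api.name`, `api.status`, `api.statusCode`, `api.accessKey`, `remotehost`) are the ones visible in the row above, and the 24-hour window and the threshold of 20 are constructed values to adjust for your environment.

```sql
-- Run inside the minio_logs database (psql session from the steps above).
-- Filtering on event_time lets PostgreSQL prune the daily partitions
-- (audit_log_events_YYYY_MM_DD) instead of scanning all of them.

-- 1. Per access key and API: call volume, non-OK count, first/last seen.
--    Anonymous requests have no api.accessKey and show up as NULL.
SELECT
    log -> 'api' ->> 'accessKey'                                AS access_key,
    log -> 'api' ->> 'name'                                     AS api_name,
    count(*)                                                    AS calls,
    count(*) FILTER (WHERE log -> 'api' ->> 'status' <> 'OK')   AS failed,
    min(event_time)                                             AS first_seen,
    max(event_time)                                             AS last_seen
FROM audit_log_events
WHERE event_time >= now() - interval '24 hours'   -- constructed window
GROUP BY 1, 2
ORDER BY failed DESC, calls DESC;

-- 2. Remote hosts with many rejected requests (4xx) in the same window.
--    statusCode is numeric in the JSON, so ->> yields text and we cast it.
SELECT
    log ->> 'remotehost'                                        AS remote_host,
    (log -> 'api' ->> 'statusCode')::int                        AS status_code,
    count(*)                                                    AS n
FROM audit_log_events
WHERE event_time >= now() - interval '24 hours'
  AND (log -> 'api' ->> 'statusCode')::int BETWEEN 400 AND 499
GROUP BY 1, 2
HAVING count(*) > 20                              -- constructed threshold
ORDER BY n DESC;
```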