
How to deploy MinIO in OpenShift with Audit Log

Cesar Celis Hernandez edited this page Nov 3, 2022 · 18 revisions
  1. Assuming Operator is already deployed:
  1. Create the tenant:
  1. Disable TLS

  2. Disable Prometheus:

  1. Start addressing securityContext issues:
  1. Under the name of the pool I will place an empty securityContext:
  pools:
  - affinity:
      podAntiAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchExpressions:
            - key: v1.min.io/tenant
              operator: In
              values:
              - thunov3629pm
            - key: v1.min.io/pool
              operator: In
              values:
              - pool-0
          topologyKey: kubernetes.io/hostname
    name: pool-0
    securityContext: {}
  1. Bind the PV to the PVC using the Storage Class defined:
spec:
 storageClassName: cesar
  1. Fix Audit Logs:
  log:
    audit:
      diskCapacityGB: 5
    db:
      resources: {}
      securityContext:
        fsGroup: 1000660000
        fsGroupChangePolicy: Always
        runAsGroup: 1000660000
        runAsNonRoot: true
        runAsUser: 1000660000
      volumeClaimTemplate:
        metadata:
          creationTimestamp: null
          name: thunov3629pm-log
        spec:
          accessModes:
          - ReadWriteOnce
          resources:
            requests:
              storage: "5368709120"
        status: {}
    resources: {}
    securityContext:
      fsGroup: 1000660000
      fsGroupChangePolicy: Always
      runAsGroup: 1000660000
      runAsNonRoot: true
      runAsUser: 1000660000
  1. The block below needs serviceAccountName: minio-operator with granted permissions, because we can't change that security context; it is implemented by the operator code and the tenant does not expose it:
  log:
    audit:
      diskCapacityGB: 5
    db:
      resources: {}
      serviceAccountName: minio-operator
      securityContext:
        fsGroup: 1000660000
        fsGroupChangePolicy: Always
        runAsGroup: 1000660000
        runAsNonRoot: true
        runAsUser: 1000660000
oc create serviceaccount minio-operator -n thunov3629pm
oc adm policy add-scc-to-user privileged -n thunov3629pm -z minio-operator
  1. Wait some time and the DB will become reachable:
  1. 3 pods running, 2 for logs and 1 for MinIO:
  1. Tenant ready:
  1. Console accessible:
  1. Access those logs:

https://github.com/minio/operator/blob/master/logsearchapi/README.md

  1. Access:
$ psql -U postgres
psql (13.8 (Debian 13.8-1.pgdg110+1))
Type "help" for help.

postgres=# 
postgres=# 
postgres=# 
  1. List dbs:
postgres=# \l
                                 List of databases
    Name    |  Owner   | Encoding |  Collate   |   Ctype    |   Access privileges   
------------+----------+----------+------------+------------+-----------------------
 minio_logs | postgres | UTF8     | en_US.utf8 | en_US.utf8 | 
 postgres   | postgres | UTF8     | en_US.utf8 | en_US.utf8 | 
 template0  | postgres | UTF8     | en_US.utf8 | en_US.utf8 | =c/postgres          +
            |          |          |            |            | postgres=CTc/postgres
 template1  | postgres | UTF8     | en_US.utf8 | en_US.utf8 | =c/postgres          +
            |          |          |            |            | postgres=CTc/postgres
(4 rows)
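
The securityContext blocks in the steps above hard-code 1000660000 for runAsUser and fsGroup. The script below is an added example, not part of the original wiki page or the operator's code: it checks that such IDs fall inside the ID ranges OpenShift allocates to the project through the openshift.io/sa.scc.uid-range and openshift.io/sa.scc.supplemental-groups namespace annotations. The function names and the sample range value are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the original wiki page.
# On a live cluster the two ranges are project annotations (format "<start>/<size>"):
#   oc get namespace thunov3629pm -o yaml | grep 'openshift.io/sa.scc'
# The sample range below is constructed, not read from a real cluster.

# id_in_range RANGE ID -> exit 0 if start <= ID < start+size
id_in_range() {
  local start size
  start=${1%/*}
  size=${1#*/}
  [ "$2" -ge "$start" ] && [ "$2" -lt $((start + size)) ]
}

# check_security_context UID_RANGE GID_RANGE < yaml
# Checks runAsUser against UID_RANGE and fsGroup against GID_RANGE;
# returns non-zero if any ID is outside its range.
check_security_context() {
  local rc=0 key val range
  while read -r key val; do
    case $key in
      runAsUser:) range=$1 ;;
      fsGroup:)   range=$2 ;;
      *) continue ;;
    esac
    if id_in_range "$range" "$val"; then
      echo "ok   $key $val within $range"
    else
      echo "FAIL $key $val outside $range"
      rc=1
    fi
  done
  return $rc
}

# IDs copied from the log.db securityContext on this page.
SAMPLE_CTX='securityContext:
  fsGroup: 1000660000
  fsGroupChangePolicy: Always
  runAsGroup: 1000660000
  runAsNonRoot: true
  runAsUser: 1000660000'
SAMPLE_RANGE='1000660000/10000'   # constructed value (assumption)

printf '%s\n' "$SAMPLE_CTX" | check_security_context "$SAMPLE_RANGE" "$SAMPLE_RANGE"
```

On the cluster, oc get pod -n thunov3629pm -o yaml | grep 'openshift.io/scc' shows which SCC admitted each pod, so you can see which pods rely on the privileged grant given to the minio-operator service account.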