MC job to setup buckets using STS

Signed-off-by: pjuarezd <[email protected]>
minio · Nov 5, 2023 · 3acbed5 · 3acbed5
1 parent fc3d3f4
commit 3acbed5
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 12 deletions.
diff --git a/examples/kustomization/sts-example/sample-data/kustomization.yaml b/examples/kustomization/sts-example/sample-data/kustomization.yaml
@@ -1,4 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - iam-setup-bucket.yaml
+  - mc-job-sa.yaml
+  - mc-job-policy-binding.yaml
+  - mc-job-setup-bucket.yaml
diff --git a/examples/kustomization/sts-example/sample-data/mc-job-policy-binding.yaml b/examples/kustomization/sts-example/sample-data/mc-job-policy-binding.yaml
@@ -0,0 +1,11 @@
+apiVersion: sts.min.io/v1alpha1
+kind: PolicyBinding
+metadata:
+  name: mc-job-binding
+  namespace: minio-tenant-1
+spec:
+  application:
+    namespace: minio-tenant-1
+    serviceaccount: mc-job-sa
+  policies:
+    - consoleAdmin
diff --git a/examples/kustomization/sts-example/sample-data/mc-job-sa.yaml b/examples/kustomization/sts-example/sample-data/mc-job-sa.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: minio-tenant-1
+  name: mc-job-sa
diff --git a/...example/sample-data/iam-setup-bucket.yaml → ...mple/sample-data/mc-job-setup-bucket.yaml b/...example/sample-data/iam-setup-bucket.yaml → ...mple/sample-data/mc-job-setup-bucket.yaml
@@ -35,7 +35,8 @@ spec:
   backoffLimit: 5
   template:
     spec:
-      restartPolicy: OnFailure
+      serviceAccountName: mc-job-sa
+      restartPolicy: Never
       volumes:
         - name: start-config
           configMap:
@@ -49,15 +50,9 @@ spec:
             - name: start-config
               mountPath: /start-config/
           env:
-            - name: ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: storage-user
-                  key: CONSOLE_ACCESS_KEY
-            - name: SECRET_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: storage-user
-                  key: CONSOLE_SECRET_KEY
             - name: MC_HOST_local
               value: https://$(ACCESS_KEY):$(SECRET_KEY)@minio.minio-tenant-1.svc.cluster.local
+            - name: MC_STS_ENDPOINT
+              value: https://sts.minio-operator.svc.cluster.local:4223/sts/minio-tenant-1
+            - name: MC_WEB_IDENTITY_TOKEN_FILE
+              value: /var/run/secrets/kubernetes.io/serviceaccount/token