NERSC/minio-helm

Open more actions menu

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
1 Commit
 
 
 
 
 
 
 
 
 
 

Repository files navigation

MinIO on Example HPC Example Kubernetes Platform with Chainguard

This repository contains a Helm chart for deploying a single-node MinIO service in the s3 namespace on the Example Kubernetes Platform development cluster.

The chart starts from the local conventions used by api-oidc-demo:

  • nginx Ingress
  • nfs-client persistent storage
  • Keycloak/OIDC settings from https://oidc.example.org
  • an Example Kubernetes Platform ACME-style HTTP-01 certificate renewal job using the existing kubeconfig secret pattern
  • MinIO runs as UID/GID 1000 by default to match the Example HPC identity expected by the development s3 namespace PVCs.

Chart

charts/minio-chainguard

Required Secrets

Create the MinIO root credential secret before installing. These are the static credentials of the MinIO root user, which bypasses OIDC entirely, so generate a long random password and keep the secret out of version control:

kubectl create secret generic minio-root-credentials \
  --namespace s3 \
  --from-literal=rootUser='<admin-user>' \
  --from-literal=rootPassword='<admin-password>'

Create the OIDC client secret after creating the OIDC client in Keycloak:

kubectl create secret generic minio-oidc-client \
  --namespace s3 \
  --from-literal=clientId='minio' \
  --from-literal=clientSecret='<oidc-client-secret>'

The ACME job expects the namespace to contain the kubeconfig secret used by the Example Kubernetes Platform ACME workflow. The s3 namespace already had this secret when this chart was scaffolded; confirm it is still present before installing, since the renewal job fails without it.

Development Install

Review and update the public hostnames in charts/minio-chainguard/values-development.yaml before installing. The DNS names must point at the Example Kubernetes Platform ingress address before ACME can issue certificates. Keep acme.domains aligned with the public hosts covered by the TLS secret.

helm upgrade --install minio-chainguard \
  ./charts/minio-chainguard \
  --namespace s3 \
  --kube-context development \
  -f ./charts/minio-chainguard/values-development.yaml
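The three conditions above (DNS pointing at the ingress, acme.domains matching the public hosts, one public hostname per Ingress) are easy to get wrong when editing values-development.yaml by hand. The following preflight is an added example and not part of the chart; the host lists, the 203.0.113.10 ingress address and the s3.example.org API hostname are constructed inputs, and the assumption that the platform-generated *.svc.example.org names do not count against the admission rule is mine, not the page's.

```python
# Added example, not part of the chart: a preflight for the hostnames in
# values-development.yaml. Host lists and the ingress address are constructed
# inputs; the resolver is injectable so the check can run offline. Assumption:
# internal *.svc.example.org names do not count against the admission rule
# that allows one *.example.org hostname per Ingress.
import socket

PUBLIC_SUFFIX = ".example.org"


def resolve_a(host):
    """All IPv4 addresses a public host currently resolves to ([] if none)."""
    try:
        return sorted(socket.gethostbyname_ex(host)[2])
    except socket.gaierror:
        return []


def is_internal(host):
    """Platform-generated <ingress>.<ns>.<cluster>.svc.example.org names."""
    return host.endswith(".svc" + PUBLIC_SUFFIX)


def preflight(ingresses, acme_domains, ingress_address, resolver=resolve_a):
    """ingresses maps Ingress name -> hosts it serves. Returns the list of
    reasons ACME issuance would fail or the Ingress would be rejected; an
    empty list means it is safe to run helm upgrade --install."""
    problems = []
    public = set()
    for name, hosts in ingresses.items():
        mine = [h for h in hosts if h.endswith(PUBLIC_SUFFIX) and not is_internal(h)]
        if len(mine) > 1:
            problems.append(f"Ingress {name} has {len(mine)} public hosts; "
                            f"admission allows one *{PUBLIC_SUFFIX} host per Ingress")
        public.update(mine)
    for host in sorted(public):
        addrs = resolver(host)
        if ingress_address not in addrs:  # HTTP-01 must reach this ingress
            problems.append(f"{host} resolves to {addrs or 'nothing'}, not {ingress_address}")
    missing = public - set(acme_domains)
    extra = set(acme_domains) - public
    if missing:
        problems.append(f"acme.domains is missing {sorted(missing)}; the TLS secret will not cover them")
    if extra:
        problems.append(f"acme.domains lists hosts no Ingress serves: {sorted(extra)}")
    return problems


if __name__ == "__main__":
    # Constructed values mirroring the development layout; s3.example.org is an
    # assumed public S3 API hostname, 203.0.113.10 an assumed ingress address.
    values = {"minio": ["s3.example.org", "minio.s3.development.svc.example.org"],
              "minio-sts-broker": ["s3-login.example.org"]}
    for line in preflight(values, ["s3.example.org", "s3-login.example.org"], "203.0.113.10"):
        print("FAIL:", line)
```

Run it from a host that uses the same public resolvers as the ACME CA will; a split-horizon DNS view that only resolves internally passes the check locally and still fails issuance.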

OIDC STS CLI Credentials

Users can get temporary S3 credentials through the Keycloak Device Authorization Grant (RFC 8628) and the MinIO STS AssumeRoleWithWebIdentity API:

eval "$(MINIO_OIDC_CLIENT_SECRET='<oidc-client-secret>' \
  ./scripts/minio-oidc-sts-device-flow.sh)"

mc ls s3
aws --endpoint-url "$AWS_ENDPOINT_URL_S3" s3 ls

The script prints the Keycloak device login URL to stderr and the credential exports to stdout, so the eval form only ever evaluates the exports; the credentials it produces are temporary and expire on their own. For the current confidential Keycloak client, pass the client secret with MINIO_OIDC_CLIENT_SECRET or --client-secret-file (the file form keeps the secret out of process listings and shell history). For broader sharing, a dedicated public device-flow client or the planned STS broker is preferable to distributing a client secret, since a secret handed to every user no longer protects anything.

To write an mc config alias directly instead:

MINIO_OIDC_CLIENT_SECRET='<oidc-client-secret>' \
  ./scripts/minio-oidc-sts-device-flow.sh \
  --format mc-config \
  --mc-config-dir /tmp/minio-mc \
  --mc-alias oidc-sts

MC_CONFIG_DIR=/tmp/minio-mc mc ls oidc-sts
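The exchange the script performs, written out as an added example so the two halves are visible: the Keycloak device grant produces a JWT, and MinIO's STS endpoint (the S3 API itself, not a separate service) turns that JWT into an access key, secret key and session token. This is not the repository's scripts/minio-oidc-sts-device-flow.sh; the Keycloak realm path, the s3.example.org API hostname and the openid scope are assumptions, and the HTTP transport is injectable so the flow can be exercised offline.

```python
# Added example (not the repository's scripts/minio-oidc-sts-device-flow.sh):
# Keycloak Device Authorization Grant (RFC 8628) followed by the MinIO STS
# AssumeRoleWithWebIdentity exchange. The HTTP transport is injectable so the
# flow can be exercised offline; the endpoints and realm are assumptions.
import json, shlex, sys, time
import urllib.error, urllib.parse, urllib.request
import xml.etree.ElementTree as ET

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"


def http_post(url, fields):
    """Form-encoded POST returning (status, body). Keycloak answers a pending
    device grant with HTTP 400, so HTTPError is returned rather than raised."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode())
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def start_device_flow(device_endpoint, client_id, client_secret, post=http_post):
    """Step 1: request a device code. The login URL goes to stderr so that
    stdout carries nothing but the credential exports."""
    fields = {"client_id": client_id, "scope": "openid"}
    if client_secret:  # confidential client, as in this deployment
        fields["client_secret"] = client_secret
    status, body = post(device_endpoint, fields)
    if status != 200:
        raise RuntimeError(f"device authorization failed: {status} {body}")
    grant = json.loads(body)
    url = grant.get("verification_uri_complete") or grant["verification_uri"]
    print(f"Open {url} and enter code {grant['user_code']}", file=sys.stderr)
    return grant


def poll_for_id_token(token_endpoint, grant, client_id, client_secret,
                      post=http_post, sleep=time.sleep):
    """Step 2: poll until the user approves, honouring authorization_pending
    and slow_down (RFC 8628 section 3.5) and the device code's lifetime."""
    interval = int(grant.get("interval", 5))
    deadline = time.monotonic() + int(grant.get("expires_in", 600))
    fields = {"grant_type": DEVICE_GRANT, "device_code": grant["device_code"],
              "client_id": client_id}
    if client_secret:
        fields["client_secret"] = client_secret
    while time.monotonic() < deadline:
        status, body = post(token_endpoint, fields)
        payload = json.loads(body)
        if status == 200:
            # JWT that MinIO verifies against the provider JWKS; it must carry
            # the claim named by MINIO_IDENTITY_OPENID_CLAIM_NAME.
            return payload["id_token"]
        error = payload.get("error")
        if error == "slow_down":
            interval += 5
        elif error != "authorization_pending":
            raise RuntimeError(f"device grant failed: {error}")
        sleep(interval)
    raise TimeoutError("device code expired before the user approved it")


def assume_role_with_web_identity(sts_endpoint, token, duration=3600, post=http_post):
    """Step 3: trade the JWT for temporary S3 credentials. MinIO serves STS on
    the S3 API endpoint itself (the public hostname, port 9000)."""
    status, body = post(sts_endpoint, {
        "Action": "AssumeRoleWithWebIdentity", "Version": "2011-06-15",
        "WebIdentityToken": token, "DurationSeconds": str(duration)})
    if status != 200:
        raise RuntimeError(f"STS exchange failed: {status} {body}")
    creds = ET.fromstring(body).find(
        f"{STS_NS}AssumeRoleWithWebIdentityResult/{STS_NS}Credentials")
    if creds is None:
        raise RuntimeError("STS response carried no Credentials element")
    return {tag: creds.findtext(f"{STS_NS}{tag}")
            for tag in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")}


def shell_exports(creds, endpoint):
    """Exports for stdout, quoted so `eval "$(...)"` cannot be hijacked by shell
    metacharacters in a value. MC_HOST_s3 lets `mc ls s3` work with no config
    file (mc accepts access:secret:session-token in the URL userinfo)."""
    u = urllib.parse.urlsplit(endpoint)
    mc_host = f"{u.scheme}://{creds['AccessKeyId']}:{creds['SecretAccessKey']}:{creds['SessionToken']}@{u.netloc}"
    pairs = [("AWS_ACCESS_KEY_ID", creds["AccessKeyId"]),
             ("AWS_SECRET_ACCESS_KEY", creds["SecretAccessKey"]),
             ("AWS_SESSION_TOKEN", creds["SessionToken"]),
             ("AWS_ENDPOINT_URL_S3", endpoint), ("MC_HOST_s3", mc_host)]
    return "".join(f"export {k}={shlex.quote(v)}\n" for k, v in pairs)


if __name__ == "__main__":  # assumed development endpoints; secret from argv
    ISSUER, S3 = "https://oidc.example.org/realms/example", "https://s3.example.org"
    secret = sys.argv[1] if len(sys.argv) > 1 else None
    grant = start_device_flow(f"{ISSUER}/protocol/openid-connect/auth/device", "minio", secret)
    jwt = poll_for_id_token(f"{ISSUER}/protocol/openid-connect/token", grant, "minio", secret)
    sys.stdout.write(shell_exports(assume_role_with_web_identity(S3, jwt), S3))
```

The token step is where the policy mapping is decided: MinIO never sees the Keycloak session, only the JWT, so if the claim named by MINIO_IDENTITY_OPENID_CLAIM_NAME is absent from the token (a Keycloak mapper not attached to the client, or the wrong scope requested) the STS call is refused even though the device login succeeded.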

Notes

The chart uses Chainguard's MinIO image. Chainguard documents the starter pull path as cgr.dev/chainguard/minio, and notes that private organization images use cgr.dev/ORGANIZATION/minio.

MinIO OIDC configuration is provided with environment variables. The important settings are:

  • MINIO_IDENTITY_OPENID_CONFIG_URL: the provider's OpenID discovery document (.well-known/openid-configuration), from which MinIO also learns the JWKS it validates tokens against
  • MINIO_IDENTITY_OPENID_CLIENT_ID
  • MINIO_IDENTITY_OPENID_CLIENT_SECRET: sourced from the minio-oidc-client secret, never written into a values file
  • MINIO_IDENTITY_OPENID_CLAIM_NAME: the token claim whose value names the MinIO policy to attach (MinIO's default is policy); in this claim-based mode a token without the claim is rejected
  • MINIO_IDENTITY_OPENID_SCOPES
  • MINIO_BROWSER_REDIRECT_URL: the external Console URL Keycloak redirects back to; its /oauth_callback path must be registered as a valid redirect URI on the Keycloak client
  • MINIO_SERVER_URL: the external S3 API URL the Console uses to reach the server

The chart exposes two service ports:

  • api: MinIO S3 API on port 9000
  • console: MinIO Console on port 9001

The optional OIDC STS broker exposes a browser login helper that exchanges a Keycloak login for temporary MinIO STS credentials. For the development deployment it is served at:

https://s3-login.example.org

Create its cookie-signing secret before enabling it:

kubectl create secret generic minio-sts-broker \
  --namespace s3 \
  --from-literal=cookieSecret="$(openssl rand -base64 48)"

The development cluster admission policy allows only one *.example.org hostname per Ingress. The starting development values therefore use the internal Example Kubernetes Platform hostname for the Console and the public hostname for the S3 API.

Example Kubernetes Platform creates the internal DNS name from the Ingress object name:

<ingress name>.<namespace>.<cluster>.svc.example.org

The chart derives the internal host from ingress.name, .Release.Namespace, and ingress.internal.clusterDomain. For the development defaults this is:

minio.s3.development.svc.example.org
