From 51a986b324d1f7c5d82ea007ae093eeee436cc49 Mon Sep 17 00:00:00 2001 From: dvirlabs <114520947+dvirlabs@users.noreply.github.com> Date: Tue, 3 Jun 2025 11:52:30 +0300 Subject: [PATCH 1/9] Change claimName --- manifests/minio-bitnami/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/minio-bitnami/values.yaml b/manifests/minio-bitnami/values.yaml index 36eed74..a401d1a 100644 --- a/manifests/minio-bitnami/values.yaml +++ b/manifests/minio-bitnami/values.yaml @@ -35,7 +35,7 @@ auth: clientId: minio clientSecret: "xODiTgMmbW9ijiC4bMcRzaf2BXdKqH3P" redirectUri: https://minio.dvirlabs.com/oauth_callback - claimName: groups + claimName: policy scopes: openid,email,profile displayName: MinIO-OIDC userClaim: "" From 778a39aeece9915bf7a85ef120e267d00624b313 Mon Sep 17 00:00:00 2001 From: dvirlabs <114520947+dvirlabs@users.noreply.github.com> Date: Tue, 3 Jun 2025 11:56:02 +0300 Subject: [PATCH 2/9] Add default permission to oidc users --- manifests/minio-bitnami/values.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/manifests/minio-bitnami/values.yaml b/manifests/minio-bitnami/values.yaml index a401d1a..7caaafa 100644 --- a/manifests/minio-bitnami/values.yaml +++ b/manifests/minio-bitnami/values.yaml @@ -55,4 +55,6 @@ extraEnvVars: value: openid,email,profile - name: MINIO_IDENTITY_OPENID_DISPLAY_NAME value: MinIO-OIDC + - name: MINIO_IDENTITY_OPENID_ROLE_POLICY + value: "minio-readonly" From 343c19f4321c2250d3dc5a6808f776285819a55c Mon Sep 17 00:00:00 2001 From: dvirlabs <114520947+dvirlabs@users.noreply.github.com> Date: Tue, 3 Jun 2025 11:59:29 +0300 Subject: [PATCH 3/9] Remove default permission to oidc users --- manifests/minio-bitnami/values.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/manifests/minio-bitnami/values.yaml b/manifests/minio-bitnami/values.yaml index 7caaafa..a401d1a 100644 --- a/manifests/minio-bitnami/values.yaml +++ b/manifests/minio-bitnami/values.yaml 
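Review bot: The new `claimName: policy` under `auth` leaves the parallel `MINIO_IDENTITY_OPENID_CLAIM_NAME` entry in `extraEnvVars` (changed separately in PATCH 4) at `groups`, so this commit on its own renders two different claim names into the same Deployment, and presumably the explicit env var is what the MinIO process actually sees. Keep the OIDC settings in one place, either the chart's `auth` block or the `extraEnvVars` list, so a claim change cannot half-apply as it does here. Independently of the claim name, `clientSecret: "xODiTgMmbW9ijiC4bMcRzaf2BXdKqH3P"` two lines above is a plaintext OIDC client secret in a committed values file; move it to a Kubernetes Secret referenced from the chart (via whatever existing-secret option the chart provides) and rotate the value, since it is already in git history.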
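Review bot: `MINIO_IDENTITY_OPENID_ROLE_POLICY: "minio-readonly"` names a policy that nothing in this series creates (the bootstrap job in PATCH 6 only creates `admin-policy` and `user-policy`), and, as I understand MinIO's OIDC configuration, setting a role policy switches the provider to role mode in which the claim named by `MINIO_IDENTITY_OPENID_CLAIM_NAME` is ignored and every OIDC login receives that single policy, rather than acting as a fallback for users without a claim. The line is reverted in PATCH 3, but if a default for unmapped users is still wanted it should name an existing policy and the claim-vs-role trade-off should be stated above the entry, e.g. `# Role mode: every OIDC user gets this policy; claim-based mapping is disabled`.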
@@ -55,6 +55,4 @@ extraEnvVars: value: openid,email,profile - name: MINIO_IDENTITY_OPENID_DISPLAY_NAME value: MinIO-OIDC - - name: MINIO_IDENTITY_OPENID_ROLE_POLICY - value: "minio-readonly" From 11ab85168d004e998715f8845df24bbc9d5dd568 Mon Sep 17 00:00:00 2001 From: dvirlabs <114520947+dvirlabs@users.noreply.github.com> Date: Tue, 3 Jun 2025 12:03:11 +0300 Subject: [PATCH 4/9] Add default permission to oidc users --- manifests/minio-bitnami/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/minio-bitnami/values.yaml b/manifests/minio-bitnami/values.yaml index a401d1a..2f4e795 100644 --- a/manifests/minio-bitnami/values.yaml +++ b/manifests/minio-bitnami/values.yaml @@ -50,7 +50,7 @@ extraEnvVars: - name: MINIO_IDENTITY_OPENID_REDIRECT_URI value: https://minio.dvirlabs.com/oauth_callback - name: MINIO_IDENTITY_OPENID_CLAIM_NAME - value: groups + value: policy - name: MINIO_IDENTITY_OPENID_SCOPES value: openid,email,profile - name: MINIO_IDENTITY_OPENID_DISPLAY_NAME From 46fbb1e8e2a1800d85fd74935772202aea85d506 Mon Sep 17 00:00:00 2001 From: dvirlabs <114520947+dvirlabs@users.noreply.github.com> Date: Tue, 3 Jun 2025 13:22:37 +0300 Subject: [PATCH 5/9] Back to groups --- manifests/minio-bitnami/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/minio-bitnami/values.yaml b/manifests/minio-bitnami/values.yaml index 2f4e795..36eed74 100644 --- a/manifests/minio-bitnami/values.yaml +++ b/manifests/minio-bitnami/values.yaml @@ -35,7 +35,7 @@ auth: clientId: minio clientSecret: "xODiTgMmbW9ijiC4bMcRzaf2BXdKqH3P" redirectUri: https://minio.dvirlabs.com/oauth_callback - claimName: policy + claimName: groups scopes: openid,email,profile displayName: MinIO-OIDC userClaim: "" 
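Review bot: Reverting to `claimName: groups` returns values.yaml to the blob it started from (`36eed74`), so PATCH 1–5 net to no change and the mapping problem they were chasing is still open: as I understand MinIO's OIDC provider, each value of the configured claim is looked up as the name of a MinIO policy, not as an IAM group, so a token carrying `groups: ["minio-admins"]` makes MinIO look for a policy literally called `minio-admins`, which the bootstrap job in PATCH 6 never creates (it creates `admin-policy` and attaches it to a group `minio-admins`). Either create the policies under the group-claim values, e.g. `mc admin policy create myminio minio-admins /config/admin-policy.json`, or have the IdP emit a `policy` claim containing `admin-policy`/`user-policy` and point `claimName` at it. Please confirm against the MinIO version in use before relying on the `--group` attachment for OIDC logins.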
@@ -50,7 +50,7 @@ extraEnvVars: - name: MINIO_IDENTITY_OPENID_REDIRECT_URI value: https://minio.dvirlabs.com/oauth_callback - name: MINIO_IDENTITY_OPENID_CLAIM_NAME - value: policy + value: groups - name: MINIO_IDENTITY_OPENID_SCOPES value: openid,email,profile - name: MINIO_IDENTITY_OPENID_DISPLAY_NAME From 01f50c143d2cfa01d77503a1870982515682f7e9 Mon Sep 17 00:00:00 2001 From: dvirlabs <114520947+dvirlabs@users.noreply.github.com> Date: Tue, 3 Jun 2025 14:23:11 +0300 Subject: [PATCH 6/9] Fix job --- .../oidc-bootstrap/minio/minio-bootstrap-job.yaml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/manifests/oidc-bootstrap/minio/minio-bootstrap-job.yaml b/manifests/oidc-bootstrap/minio/minio-bootstrap-job.yaml index 8fcc655..8c79dc9 100644 --- a/manifests/oidc-bootstrap/minio/minio-bootstrap-job.yaml +++ b/manifests/oidc-bootstrap/minio/minio-bootstrap-job.yaml @@ -16,16 +16,19 @@ spec: - | set -e - echo "🔐 Setting up mc alias..." - mc alias set myminio http://minio-bitnami.infra.svc.cluster.local:9000 minioadmin minioadmin + echo "🔐 Waiting for MinIO readiness..." + until mc alias set myminio http://minio-bitnami.infra.svc.cluster.local:9000 minioadmin minioadmin; do + echo "⏳ Retrying..." + sleep 5 + done echo "📜 Creating policies..." mc admin policy create myminio admin-policy /config/admin-policy.json || true mc admin policy create myminio user-policy /config/user-policy.json || true echo "🔗 Attaching policies to OIDC groups..." - mc admin policy set myminio admin-policy group=minio-admins || true - mc admin policy set myminio user-policy group=minio-users || true + mc admin policy attach myminio admin-policy --group minio-admins || true + mc admin policy attach myminio user-policy --group minio-users || true echo "✅ MinIO OIDC bootstrap complete." volumeMounts: From b7f472902852e4bbec68da4954cd101c393cef19 Mon Sep 17 00:00:00 2001 
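Review bot: The new `until mc alias set myminio http://minio-bitnami.infra.svc.cluster.local:9000 minioadmin minioadmin; do` line keeps MinIO's default root credentials hard-coded in a committed manifest and sends them over plain HTTP, and because the loop has no bound a wrong password or a missing Service makes the Job spin forever (only an `activeDeadlineSeconds` outside this hunk, if one is set, would stop it). Read the credentials from the chart's root Secret via environment variables, cap the retries, and fail the Job explicitly if the alias never comes up; note that `|| true` on every policy command means `set -e` never fires for anything in this script, so a failed attachment is invisible and should at least be logged and checked afterwards (`mc admin policy entities myminio --group minio-admins`). The container spec that would carry the `env`/`envFrom` entries for the credentials starts before this hunk.
```yaml
          - |
            set -e
            echo "🔐 Waiting for MinIO readiness..."
            for attempt in $(seq 1 60); do
              if mc alias set myminio "${MINIO_ENDPOINT}" "${MINIO_ROOT_USER}" "${MINIO_ROOT_PASSWORD}"; then
                break
              fi
              echo "⏳ Retrying (${attempt}/60)..."
              sleep 5
            done
            # Fail the Job here rather than running the rest of the script against nothing.
            mc admin info myminio >/dev/null
            # … unchanged: policy creation and attachment …
```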
From: dvirlabs <114520947+dvirlabs@users.noreply.github.com> Date: Tue, 3 Jun 2025 21:52:52 +0300 Subject: [PATCH 7/9] Add extra-resources app --- argocd-apps/extra-resources.yaml | 20 ++++++++++++++++ .../extra-resources/minio/ingress-api.yaml | 24 +++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 argocd-apps/extra-resources.yaml create mode 100644 manifests/extra-resources/minio/ingress-api.yaml diff --git a/argocd-apps/extra-resources.yaml b/argocd-apps/extra-resources.yaml new file mode 100644 index 0000000..6b2ba61 --- /dev/null +++ b/argocd-apps/extra-resources.yaml @@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: extra-resources + namespace: argocd +spec: + project: infra + source: + repoURL: https://gitea.dvirlabs.com/infra.git + targetRevision: HEAD + path: manifests/extra-resources + directory: + recurse: true + destination: + server: https://kubernetes.default.svc + namespace: infra + syncPolicy: + automated: + prune: true + selfHeal: true diff --git a/manifests/extra-resources/minio/ingress-api.yaml b/manifests/extra-resources/minio/ingress-api.yaml new file mode 100644 index 0000000..65b06f7 --- /dev/null +++ b/manifests/extra-resources/minio/ingress-api.yaml @@ -0,0 +1,24 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: minio-api + namespace: infra + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: websecure + traefik.ingress.kubernetes.io/router.tls: "true" +spec: + ingressClassName: traefik + rules: + - host: s3.dvirlabs.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: minio + port: + number: 9000 + tls: + - hosts: + - s3.dvirlabs.com From ec59b2804f8a2bc35210c915fd9d6f409b72c889 Mon Sep 17 00:00:00 2001 
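Review bot: `targetRevision: HEAD` combined with `automated.prune`/`selfHeal` means whatever the remote's default branch resolves to is applied to the `infra` namespace unattended, including after a default-branch change on the Gitea side; pin an explicit branch, e.g. `targetRevision: main`, so the deployed revision is a deliberate choice. `directory.recurse: true` also applies every manifest under `manifests/extra-resources` with no validation step, so a push to that branch is effectively write access to the `infra` namespace; if branch protection or signed-commit enforcement is not already in place on that repository, it is worth adding before more resources are routed through this Application.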
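Review bot: The backend `service.name: minio` does not match the Service the bootstrap job in PATCH 6 talks to (`minio-bitnami.infra.svc.cluster.local:9000`), so unless a second Service named `minio` exists in `infra` this Ingress routes `s3.dvirlabs.com` to nothing; the name should presumably be `minio-bitnami`. The `tls` entry lists the host but no `secretName`, and there is no certificate-resolver annotation, so Traefik will fall back to its default certificate; add `secretName:` or a `traefik.ingress.kubernetes.io/router.tls.certresolver` annotation matching the other ingresses in this repo. If `minioadmin`/`minioadmin` as used by the job are the chart's actual root credentials, this Ingress makes the S3 API reachable from the internet with them, so they need to be changed before the DNS record goes live.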
From: dvirlabs <114520947+dvirlabs@users.noreply.github.com> Date: Tue, 3 Jun 2025 21:54:22 +0300 Subject: [PATCH 8/9] fix repoURL --- argocd-apps/extra-resources.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/argocd-apps/extra-resources.yaml b/argocd-apps/extra-resources.yaml index 6b2ba61..7933d5c 100644 --- a/argocd-apps/extra-resources.yaml +++ b/argocd-apps/extra-resources.yaml @@ -6,7 +6,7 @@ metadata: spec: project: infra source: - repoURL: https://gitea.dvirlabs.com/infra.git + repoURL: https://git.dvirlabs.com/infra.git targetRevision: HEAD path: manifests/extra-resources directory: From be4739447a7bc4bf743c904db5e98c0fd1fbf180 Mon Sep 17 00:00:00 2001 From: dvirlabs <114520947+dvirlabs@users.noreply.github.com> Date: Tue, 3 Jun 2025 21:56:20 +0300 Subject: [PATCH 9/9] fix repoURL --- argocd-apps/extra-resources.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/argocd-apps/extra-resources.yaml b/argocd-apps/extra-resources.yaml index 7933d5c..4c09b5b 100644 --- a/argocd-apps/extra-resources.yaml +++ b/argocd-apps/extra-resources.yaml @@ -6,7 +6,7 @@ metadata: spec: project: infra source: - repoURL: https://git.dvirlabs.com/infra.git + repoURL: https://git.dvirlabs.com/dvirlabs/infra.git targetRevision: HEAD path: manifests/extra-resources directory: