https://github.com/linka-cloud/minio-bucket-controller
A kubernetes controller to manage MinIO buckets
https://github.com/linka-cloud/minio-bucket-controller
controller kube-builder kubernetes minio s3
Last synced: about 2 months ago
JSON representation
A kubernetes controller to manage MinIO buckets
- Host: GitHub
- URL: https://github.com/linka-cloud/minio-bucket-controller
- Owner: linka-cloud
- Created: 2023-01-10T14:27:50.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2026-01-15T16:46:54.000Z (5 months ago)
- Last Synced: 2026-01-15T19:10:16.315Z (5 months ago)
- Topics: controller, kube-builder, kubernetes, minio, s3
- Language: Go
- Homepage:
- Size: 319 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 3
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# minio-bucket-controller
A simple controller to create buckets and corresponding users in MinIO.
**Note**: *The controller does not intend to be a replacement for the [COSI](https://container-object-storage-interface.github.io/) project.
It is not as structured and does not have the same level of abstraction as the COSI.
It is not meant to be a generic bucket controller, but rather a simple controller to create app buckets and users in MinIO.
It covers a specific need: manage application's MinIO buckets and access lifecycle inside Kubernetes*
## Description
This controller allows to manage buckets directly from Kubernetes:
```yaml
apiVersion: s3.linka.cloud/v1alpha1
kind: Bucket
metadata:
labels:
app.kubernetes.io/name: bucket
app.kubernetes.io/instance: bucket-sample
app.kubernetes.io/part-of: minio-bucket-controller
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/created-by: minio-bucket-controller
name: bucket-sample
spec:
reclaimPolicy: Delete
secretName: bucket-sample-creds
```
When a new bucket resource is created, the corresponding minio bucket is created
with a new user `bucket.s3.linka.cloud/bucket-sample` and an assigned policy that allows read/write access to the bucket only:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::${BUCKET}"
]
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::${BUCKET}/*"
]
}
]
}
```
Then a service account is created for the user.
The service account credentials are stored in a secret:
```yaml
apiVersion: v1
kind: Secret
metadata:
name: ${BUCKET}-bucket-credentials
namespace: $NAMESPACE
stringData:
MINIO_ACCESS_KEY: $ACCESS_KEY
MINIO_SECRET_KEY: $SECRET_KEY
MINIO_ENDPOINT: $ENDPOINT
MINIO_BUCKET: $BUCKET
MINIO_SECURE: $SECURE
```
## Getting Started
You’ll need a Kubernetes cluster to run against. You can use [KIND](https://sigs.k8s.io/kind) to get a local cluster for testing, or run against a remote cluster.
**Note:** Your controller will automatically use the current context in your kubeconfig file (i.e. whatever cluster `kubectl cluster-info` shows).
### Preparation
#### Create a MinIO Service Account for the controller
You need to have a MinIO user with the right permissions (e.g. console admin) for the controller service account.
If you don't have one, you can create one with the following command:
```sh
mc admin user add myminio myminio-admin myminio-password
```
Assign the policy `consoleAdmin` to the user:
```sh
mc admin policy set myminio consoleAdmin user=myminio-admin
```
Create the controller service account:
```sh
mc admin user svcacct add myminio myminio-admin
```
```
Access Key:
Secret Key:
```
Export the credentials as environment variables:
```sh
export MINIO_ACCESS_KEY=""
export MINIO_SECRET_KEY=""
export MINIO_ENDPOINT="myminio:9000"
```
Create a `policy.json` file with the service account IAM definition:
```shell
cat < policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"admin:CreateUser",
"admin:DeleteUser",
"admin:ListUsers",
"admin:CreatePolicy",
"admin:DeletePolicy",
"admin:GetPolicy",
"admin:ListUserPolicies",
"admin:CreateServiceAccount",
"admin:UpdateServiceAccount",
"admin:RemoveServiceAccount",
"admin:ListServiceAccounts"
]
},
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:ForceDeleteBucket,
"s3:ListAllMyBuckets"
],
"Resource": [
"arn:aws:s3:::*"
]
}
]
}
EOF
```
Then assign the policy to the service account:
```sh
mc admin user svcacct edit myminio --policy policy.json
```
### Running on the cluster
#### Install Custom Resources and deploy the controller
```sh
kubectl apply -f https://raw.githubusercontent.com/linka-cloud/minio-bucket-controller/main/deploy/manifests.yaml
```
The controller should soon be running:
```sh
kubectl get po -n minio-bucket-controller-system
```
```
NAME READY STATUS RESTARTS AGE
minio-bucket-controller-controller-manager-857dd9d7ff-279n6 2/2 Running 0 12m
```
Create the BucketProvider and the secret containing the credentials:
```sh
cat <
Annotations:
Type: Opaque
Data
====
config.json: 254 bytes
MINIO_ACCESS_KEY: 20 bytes
MINIO_BUCKET: 13 bytes
MINIO_ENDPOINT: 18 bytes
MINIO_SECRET_KEY: 40 bytes
MINIO_SECURE: 4 bytes
```
You can get more information about the bucket, like the created minio service account and the endpoint:
```sh
kubectl get buckets -n default -o wide
```
```
NAME RECLAIM STATUS ENDPOINT SERVICE ACCOUNT SECRET AGE
bucket-sample Delete Ready myminio:9000 bucket-sample bucket-sample-creds 6s
```
We can now create a sample application that uses the bucket.
The deployment uses the secret to configure the `mc` client and then runs a container that does nothing but keep the pod alive:
```sh
cat <