Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/linka-cloud/minio-bucket-controller

A kubernetes controller to manage MinIO buckets
https://github.com/linka-cloud/minio-bucket-controller

controller kube-builder kubernetes minio s3

Last synced: 6 days ago
JSON representation

A kubernetes controller to manage MinIO buckets

Host: GitHub
URL: https://github.com/linka-cloud/minio-bucket-controller
Owner: linka-cloud
Created: 2023-01-10T14:27:50.000Z (almost 2 years ago)
Default Branch: main
Last Pushed: 2023-12-09T15:46:04.000Z (about 1 year ago)
Last Synced: 2024-11-15T01:21:04.953Z (about 2 months ago)
Topics: controller, kube-builder, kubernetes, minio, s3
Language: Go
Homepage:
Size: 148 KB
Stars: 0
Watchers: 1
Forks: 0
Open Issues: 2
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

# minio-bucket-controller

A simple controller to create buckets and corresponding users in MinIO.

**Note**: *The controller does not intend to be a replacement for the [COSI](https://container-object-storage-interface.github.io/) project.
It is not as structured and does not have the same level of abstraction as the COSI.
It is not meant to be a generic bucket controller, but rather a simple controller to create app buckets and users in MinIO.
It covers a specific need: manage application's MinIO buckets and access lifecycle inside Kubernetes*

## Description

This controller allows to manage buckets directly from Kubernetes:

```yaml
apiVersion: s3.linka.cloud/v1alpha1
kind: Bucket
metadata:
labels:
app.kubernetes.io/name: bucket
app.kubernetes.io/instance: bucket-sample
app.kubernetes.io/part-of: minio-bucket-controller
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/created-by: minio-bucket-controller
name: bucket-sample
spec:
reclaimPolicy: Delete
secretName: bucket-sample-creds
```

When a new bucket resource is created, the corresponding minio bucket is created
with a new user `bucket.s3.linka.cloud/bucket-sample` and an assigned policy that allows read/write access to the bucket only:

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::${BUCKET}"
]
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::${BUCKET}/*"
]
}
]
}
```

Then a service account is created for the user.
The service account credentials are stored in a secret:

```yaml
apiVersion: v1
kind: Secret
metadata:
name: ${BUCKET}-bucket-credentials
namespace: $NAMESPACE
stringData:
MINIO_ACCESS_KEY: $ACCESS_KEY
MINIO_SECRET_KEY: $SECRET_KEY
MINIO_ENDPOINT: $ENDPOINT
MINIO_BUCKET: $BUCKET
MINIO_SECURE: $SECURE
```

## Getting Started
You’ll need a Kubernetes cluster to run against. You can use [KIND](https://sigs.k8s.io/kind) to get a local cluster for testing, or run against a remote cluster.
**Note:** Your controller will automatically use the current context in your kubeconfig file (i.e. whatever cluster `kubectl cluster-info` shows).

### Preparation

#### Create a MinIO Service Account for the controller

You need to have a MinIO user with the right permissions (e.g. console admin) for the controller service account.

If you don't have one, you can create one with the following command:

```sh
mc admin user add myminio myminio-admin myminio-password
```

Assign the policy `consoleAdmin` to the user:

```sh
mc admin policy set myminio consoleAdmin user=myminio-admin
```

Create the controller service account:

```sh
mc admin user svcacct add myminio myminio-admin
```

```
Access Key:
Secret Key:
```

Export the credentials as environment variables:

```sh
export MINIO_ACCESS_KEY=""
export MINIO_SECRET_KEY=""
export MINIO_ENDPOINT="myminio:9000"
```

Create a `policy.json` file with the service account IAM definition:

```shell
cat < policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"admin:CreateUser",
"admin:DeleteUser",
"admin:ListUsers",
"admin:CreatePolicy",
"admin:DeletePolicy",
"admin:GetPolicy",
"admin:ListUserPolicies",
"admin:CreateServiceAccount",
"admin:UpdateServiceAccount",
"admin:RemoveServiceAccount",
"admin:ListServiceAccounts"
]
},
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:ForceDeleteBucket,
"s3:ListAllMyBuckets"
],
"Resource": [
"arn:aws:s3:::*"
]
}
]
}
EOF
```

Then assign the policy to the service account:

```sh
mc admin user svcacct edit myminio --policy policy.json
```

### Running on the cluster

#### Install Custom Resources and deploy the controller

```sh
kubectl apply -f https://raw.githubusercontent.com/linka-cloud/minio-bucket-controller/main/deploy/manifests.yaml
```

The controller will not be created as it requires a secret named **minio-bucket-controller-credentials** with the MinIO credentials.

Create the secret containing the credentials:

```sh
cat <
Annotations:

Type: Opaque

Data
====
config.json: 254 bytes
MINIO_ACCESS_KEY: 20 bytes
MINIO_BUCKET: 13 bytes
MINIO_ENDPOINT: 18 bytes
MINIO_SECRET_KEY: 40 bytes
MINIO_SECURE: 4 bytes
```

You can get more information about the bucket, like the created minio service account and the endpoint:

```sh
kubectl get buckets -n default -o wide
```

```
NAME RECLAIM STATUS ENDPOINT SERVICE ACCOUNT SECRET AGE
bucket-sample Delete Ready myminio:9000 bucket-sample bucket-sample-creds 6s
```

We can now create a sample application that uses the bucket.

The deployment uses the secret to configure the `mc` client and then runs a container that does nothing but keep the pod alive:

```sh
cat <