From 5daf3387bf51d934f424915b8c72e4a8869c90f6 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Tue, 23 Sep 2025 00:56:11 +0200
Subject: [PATCH] web-app-minio: enable OIDC integration and policy handling

- Added OIDC and LDAP feature flags in config
- Introduced API/Console URL vars for proxy alignment
- Implemented automatic MinIO policy creation for OIDC admin group
- Replaced static env.J2 with dynamic env.j2 (OIDC-aware)
- Added policy.json.j2 template with full admin rights
- Cleaned up tasks to use stdin instead of file for mc policy apply

Ref: https://chatgpt.com/share/68d1d3ef-ca84-800f-abe2-11ab70e20c4e
---
 roles/web-app-minio/config/main.yml          |  4 +++-
 roles/web-app-minio/tasks/main.yml           | 15 +++++++++++++++
 roles/web-app-minio/templates/env.J2         |  3 ---
 roles/web-app-minio/templates/env.j2         | 19 +++++++++++++++++++
 roles/web-app-minio/templates/policy.json.j2 | 16 ++++++++++++++++
 roles/web-app-minio/vars/main.yml            | 10 ++++++++--
 6 files changed, 61 insertions(+), 6 deletions(-)
 delete mode 100644 roles/web-app-minio/templates/env.J2
 create mode 100644 roles/web-app-minio/templates/env.j2
 create mode 100644 roles/web-app-minio/templates/policy.json.j2

diff --git a/roles/web-app-minio/config/main.yml b/roles/web-app-minio/config/main.yml
index f20a16af..8012c74b 100644
--- a/roles/web-app-minio/config/main.yml
+++ b/roles/web-app-minio/config/main.yml
@@ -6,6 +6,8 @@ features:
   logout: true
   javascript: false
   local_ai: true
+  oidc: true
+  ldap: false # OIDC is already activated so LDAP isn't necessary
 server:
   domains:
     canonical:
@@ -22,7 +24,7 @@ server:
     #style-src:
     # unsafe-inline: true
     whitelist:
-    font-src: []
+      font-src: []
       connect-src: []
 docker:
   services:
diff --git a/roles/web-app-minio/tasks/main.yml b/roles/web-app-minio/tasks/main.yml
index bbde7518..7f0716a1 100644
--- a/roles/web-app-minio/tasks/main.yml
+++ b/roles/web-app-minio/tasks/main.yml
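Review bot: Defaulting `features.oidc` to `true` turns the OIDC block in env.j2 and the policy task in tasks/main.yml on for every deployment of this role, which makes `OIDC.CLIENT.*`, `RBAC.GROUP.*` and an `mc` binary on the executing host hard requirements; if that is intended, the inline comment on `ldap: false` is the natural place to say so, and yamllint expects two spaces before an inline `#`: `  ldap: false  # OIDC is on by default, so LDAP is not needed; OIDC.CLIENT.* and RBAC.GROUP.* must be defined`. The second hunk is a whitespace-only reindent of `font-src: []` and needs nothing.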
@@ -23,3 +23,18 @@
   loop: "{{ MINIO_FRONT_PROXY_MATRIX }}"
   loop_control:
     label: "{{ item.domain }} -> {{ item.http_port }}"
+
+- block:
+  - name: "Render MinIO policy into variable"
+    set_fact:
+      minio_policy_content: "{{ lookup('template', 'policy.json.j2') }}"
+
+  - name: "Apply MinIO policy {{ MINIO_OIDC_POLICY_NAME }}"
+    shell: |
+      set -euo pipefail
+      mc alias set minio {{ MINIO_API_URL }} {{ users.administrator.username }} {{ users.administrator.password }}
+      mc admin policy create minio {{ MINIO_OIDC_POLICY_NAME }} /dev/stdin || true
+    args:
+      executable: /bin/bash
+      stdin: "{{ minio_policy_content }}"
+  when: MINIO_OIDC_ENABLED | bool
diff --git a/roles/web-app-minio/templates/env.J2 b/roles/web-app-minio/templates/env.J2
deleted file mode 100644
index 1c3caaae..00000000
--- a/roles/web-app-minio/templates/env.J2
+++ /dev/null
@@ -1,3 +0,0 @@
-# MINIO
-MINIO_ROOT_USER=admin
-MINIO_ROOT_PASSWORD=adminadmin
\ No newline at end of file
diff --git a/roles/web-app-minio/templates/env.j2 b/roles/web-app-minio/templates/env.j2
new file mode 100644
index 00000000..5794d997
--- /dev/null
+++ b/roles/web-app-minio/templates/env.j2
@@ -0,0 +1,19 @@
+# MINIO
+MINIO_ROOT_USER={{ users.administrator.username }}
+MINIO_ROOT_PASSWORD={{ users.administrator.password }}
+
+{% if MINIO_OIDC_ENABLED | bool %}
+# OIDC basics
+MINIO_IDENTITY_OPENID_CONFIG_URL={{ OIDC.CLIENT.DISCOVERY_DOCUMENT }}
+MINIO_IDENTITY_OPENID_CLIENT_ID={{ OIDC.CLIENT.ID }}
+MINIO_IDENTITY_OPENID_CLIENT_SECRET={{ OIDC.CLIENT.SECRET }}
+MINIO_IDENTITY_OPENID_SCOPES=openid,profile,email,groups
+MINIO_IDENTITY_OPENID_DISPLAY_NAME={{ OIDC.BUTTON_TEXT }}
+
+# We read policies from the custom 'policy' claim
+MINIO_IDENTITY_OPENID_CLAIM_NAME={{ RBAC.GROUP.CLAIM }}
+
+# Good practice behind proxies
+MINIO_SERVER_URL={{ MINIO_API_URL }}
+MINIO_BROWSER_REDIRECT_URL={{ MINIO_CONSOLE_URL }}
+{% endif %}
\ No newline at end of file
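Review bot: The `mc alias set` line hands the MinIO root password to `mc` as a command-line argument with no `no_log` on the task, so it is visible in the process table of the host that runs the task and in Ansible's output for the `shell` step, and `mc alias set` also persists it in that host's `~/.mc/config.json`. The `|| true` on `mc admin policy create` defeats `set -euo pipefail` and hides a rejected policy name (it comes from `path_join` and contains a `/`) or an unreachable endpoint, so the play reports success with no policy in place and the first OIDC admin login is denied. I would pass the credentials through `MC_HOST_minio` in the task's `environment:` (URL-encoded, no alias file written), add `no_log: true`, and drop `|| true`; as far as I recall `mc admin policy create` overwrites an existing policy of the same name, so reruns do not need it, but that is worth confirming against the mc version in use. The `set_fact` task stays as it is.
```yaml
  # … unchanged: set_fact task rendering policy.json.j2 into minio_policy_content …
  - name: "Apply MinIO policy {{ MINIO_OIDC_POLICY_NAME }}"
    shell: |
      set -euo pipefail
      mc admin policy create minio {{ MINIO_OIDC_POLICY_NAME }} /dev/stdin
    args:
      executable: /bin/bash
      stdin: "{{ minio_policy_content }}"
    environment:
      # mc resolves the alias from MC_HOST_<alias>: nothing lands in argv or ~/.mc/config.json
      MC_HOST_minio: "{{ WEB_PROTOCOL }}://{{ users.administrator.username | urlencode }}:{{ users.administrator.password | urlencode }}@{{ MINIO_API_DOMAIN }}"
    # keeps the root password out of the play output; failures still surface as a non-zero rc
    no_log: true
```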
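Review bot: The comment above `MINIO_IDENTITY_OPENID_CLAIM_NAME` says policies are read from a custom `policy` claim, but the value rendered is `RBAC.GROUP.CLAIM`, i.e. the group claim; MinIO maps each value of the named claim directly to a policy name, so a login only succeeds when one of the user's group values is literally equal to an existing MinIO policy name such as the `MINIO_OIDC_POLICY_NAME` created in tasks/main.yml (presumably `<RBAC.GROUP.NAME>/web-app-minio-administrator`). I would replace that comment with `# MinIO treats every value of this claim as a policy name: a user is admitted only if one of their group values matches an existing MinIO policy (see MINIO_OIDC_POLICY_NAME in vars/main.yml)`. `MINIO_SERVER_URL` and `MINIO_BROWSER_REDIRECT_URL` are proxy settings that apply whether or not OIDC is on, yet they sit inside the `{% if MINIO_OIDC_ENABLED | bool %}` block; moving them above the conditional keeps a deployment with `features.oidc: false` correct behind the same proxy matrix.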
diff --git a/roles/web-app-minio/templates/policy.json.j2 b/roles/web-app-minio/templates/policy.json.j2
new file mode 100644
index 00000000..79d275ca
--- /dev/null
+++ b/roles/web-app-minio/templates/policy.json.j2
@@ -0,0 +1,16 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:*",
+        "admin:*"
+      ],
+      "Resource": [
+        "arn:aws:s3:::*",
+        "arn:minio:admin:::*"
+      ]
+    }
+  ]
+}
diff --git a/roles/web-app-minio/vars/main.yml b/roles/web-app-minio/vars/main.yml
index 82fceeef..af5c4874 100644
--- a/roles/web-app-minio/vars/main.yml
+++ b/roles/web-app-minio/vars/main.yml
@@ -14,18 +14,24 @@ MINIO_VOLUME: "{{ applications | get_app_conf(application_id,
 
 ## Api
 MINIO_API_DOMAIN: "{{ applications | get_app_conf(application_id, 'server.domains.canonical.api') }}"
+MINIO_API_URL: "{{ WEB_PROTOCOL }}://{{ MINIO_API_DOMAIN }}"
 MINIO_API_PORT_INTERNAL: 9000
 MINIO_API_PORT_PUBLIC: "{{ ports.localhost.http[application_id ~ '_api'] }}"
 
 ## Console
 MINIO_CONSOLE_DOMAIN: "{{ applications | get_app_conf(application_id, 'server.domains.canonical.console') }}"
+MINIO_CONSOLE_URL: "{{ domains | get_url(application_id, WEB_PROTOCOL) }}"
 MINIO_CONSOLE_PORT_INTERNAL: 9001
 MINIO_CONSOLE_PORT_PUBLIC: "{{ ports.localhost.http[application_id ~ '_console'] }}"
 
+## OIDC
+MINIO_OIDC_ENABLED: "{{ applications | get_app_conf(application_id, 'features.oidc') }}"
+MINIO_OIDC_POLICY_NAME: "{{ [ RBAC.GROUP.NAME, application_id ~ '-administrator' ] | path_join }}"
+
 MINIO_FRONT_PROXY_MATRIX: >-
   {{
     [
       { 'domain': MINIO_CONSOLE_DOMAIN, 'http_port': MINIO_CONSOLE_PORT_PUBLIC },
-      { 'domain': MINIO_API_DOMAIN,     'http_port': MINIO_API_PORT_PUBLIC }
+      { 'domain': MINIO_API_DOMAIN, 'http_port': MINIO_API_PORT_PUBLIC }
     ]
-  }}
\ No newline at end of file
+  }}
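Review bot: The policy grants `s3:*` plus `admin:*` on every resource, which is root-equivalent: any OIDC subject whose group claim carries this policy's name can read every bucket, mint service accounts and rewrite the server configuration including the OIDC settings themselves, so membership in that IdP group is effectively a second root credential and should be guarded like one (small membership, IdP-side MFA). MinIO's built-in `consoleAdmin` policy already carries essentially these permissions, so the custom policy exists only because the claim value must match a policy name; that is a legitimate reason, but it should be written down somewhere since a JSON file cannot carry the comment. If a less-than-root operator role is ever wanted, it belongs in a separate template with bucket-scoped `s3:` actions rather than in a widening of this one. The template uses no Jinja expressions, so it could be a plain `policy.json`; keeping the `.j2` suffix is fine if future parametrisation is planned.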
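Review bot: `MINIO_CONSOLE_URL` is derived through `domains | get_url(application_id, WEB_PROTOCOL)` while `MINIO_API_URL` is built directly from `WEB_PROTOCOL` and `MINIO_API_DOMAIN`; whether `get_url` yields the console domain depends on what that helper treats as the application's primary domain, so the redirect URL handed to MinIO as `MINIO_BROWSER_REDIRECT_URL` may not match the console vhost registered by `MINIO_FRONT_PROXY_MATRIX` just below. Building it the same way as the API URL removes that dependency: `MINIO_CONSOLE_URL: "{{ WEB_PROTOCOL }}://{{ MINIO_CONSOLE_DOMAIN }}"`. `MINIO_OIDC_POLICY_NAME` goes through `path_join`, so the resulting name contains a `/`; I believe MinIO accepts that in a policy name, but the IdP must emit the group value in exactly this form, and a comment on the line would save the next person a login-denied hunt: `# Must equal one value of the OIDC group claim; MinIO resolves policies by exact name match`.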