web-app-minio: enable OIDC integration and policy handling

- Added OIDC and LDAP feature flags in config - Introduced API/Console URL vars for proxy alignment - Implemented automatic MinIO policy creation for OIDC admin group - Replaced static env.J2 with dynamic env.j2 (OIDC-aware) - Added policy.json.j2 template with full admin rights - Cleaned up tasks to use stdin instead of file for mc policy apply Ref: https://chatgpt.com/share/68d1d3ef-ca84-800f-abe2-11ab70e20c4e
2025-11-10 15:16:31 +00:00 · 2025-09-23 00:56:11 +02:00
parent 6da7f28370
commit 5daf3387bf
6 changed files with 61 additions and 6 deletions
--- a/roles/web-app-minio/templates/env.J2
+++ b/roles/web-app-minio/templates/env.J2
@@ -1,3 +0,0 @@
-# MINIO
-MINIO_ROOT_USER=admin
-MINIO_ROOT_PASSWORD=adminadmin
--- a/roles/web-app-minio/templates/env.j2
+++ b/roles/web-app-minio/templates/env.j2
@@ -0,0 +1,19 @@
+# MINIO
+MINIO_ROOT_USER={{ users.administrator.username }}
+MINIO_ROOT_PASSWORD={{ users.administrator.password }}
+
+{% if MINIO_OIDC_ENABLED | bool %}
+# OIDC basics
+MINIO_IDENTITY_OPENID_CONFIG_URL={{ OIDC.CLIENT.DISCOVERY_DOCUMENT }}
+MINIO_IDENTITY_OPENID_CLIENT_ID={{ OIDC.CLIENT.ID }}
+MINIO_IDENTITY_OPENID_CLIENT_SECRET={{ OIDC.CLIENT.SECRET }}
+MINIO_IDENTITY_OPENID_SCOPES=openid,profile,email,groups
+MINIO_IDENTITY_OPENID_DISPLAY_NAME={{ OIDC.BUTTON_TEXT }}
+
+# We read policies from the custom 'policy' claim
+MINIO_IDENTITY_OPENID_CLAIM_NAME={{ RBAC.GROUP.CLAIM }}
+
+# Good practice behind proxies
+MINIO_SERVER_URL={{ MINIO_API_URL }}
+MINIO_BROWSER_REDIRECT_URL={{ MINIO_CONSOLE_URL }}
+{% endif %}
--- a/roles/web-app-minio/templates/policy.json.j2
+++ b/roles/web-app-minio/templates/policy.json.j2
@@ -0,0 +1,16 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:*",
+        "admin:*"
+      ],
+      "Resource": [
+        "arn:aws:s3:::*",
+        "arn:minio:admin:::*"
+      ]
+    }
+  ]
+}