web-app-minio: enable OIDC integration and policy handling

- Added OIDC and LDAP feature flags in config - Introduced API/Console URL vars for proxy alignment - Implemented automatic MinIO policy creation for OIDC admin group - Replaced static env.J2 with dynamic env.j2 (OIDC-aware) - Added policy.json.j2 template with full admin rights - Cleaned up tasks to use stdin instead of file for mc policy apply Ref: https://chatgpt.com/share/68d1d3ef-ca84-800f-abe2-11ab70e20c4e
2025-09-24 11:06:24 +02:00 · 2025-09-23 00:56:11 +02:00
parent 6da7f28370
commit 5daf3387bf
6 changed files with 61 additions and 6 deletions
--- a/roles/web-app-minio/templates/env.j2
+++ b/roles/web-app-minio/templates/env.j2
@@ -0,0 +1,19 @@
+# MINIO
+MINIO_ROOT_USER={{ users.administrator.username }}
+MINIO_ROOT_PASSWORD={{ users.administrator.password }}
+
+{% if MINIO_OIDC_ENABLED | bool %}
+# OIDC basics
+MINIO_IDENTITY_OPENID_CONFIG_URL={{ OIDC.CLIENT.DISCOVERY_DOCUMENT }}
+MINIO_IDENTITY_OPENID_CLIENT_ID={{ OIDC.CLIENT.ID }}
+MINIO_IDENTITY_OPENID_CLIENT_SECRET={{ OIDC.CLIENT.SECRET }}
+MINIO_IDENTITY_OPENID_SCOPES=openid,profile,email,groups
+MINIO_IDENTITY_OPENID_DISPLAY_NAME={{ OIDC.BUTTON_TEXT }}
+
+# We read policies from the custom 'policy' claim
+MINIO_IDENTITY_OPENID_CLAIM_NAME={{ RBAC.GROUP.CLAIM }}
+
+# Good practice behind proxies
+MINIO_SERVER_URL={{ MINIO_API_URL }}
+MINIO_BROWSER_REDIRECT_URL={{ MINIO_CONSOLE_URL }}
+{% endif %}