web-app-minio: enable OIDC integration and policy handling

- Added OIDC and LDAP feature flags in config
- Introduced API/Console URL vars for proxy alignment
- Implemented automatic MinIO policy creation for OIDC admin group
- Replaced static env.J2 with dynamic env.j2 (OIDC-aware)
- Added policy.json.j2 template with full admin rights
- Cleaned up tasks to use stdin instead of file for mc policy apply

Ref: https://chatgpt.com/share/68d1d3ef-ca84-800f-abe2-11ab70e20c4e

roles/web-app-minio/config/main.yml

@@ -6,6 +6,8 @@ features:
   logout:           true
   javascript:       false
   local_ai:         true
+  oidc:             true
+  ldap:             false # OIDC is already activated so LDAP isn't necessary
 server:
   domains:
     canonical:

roles/web-app-minio/tasks/main.yml

@@ -23,3 +23,18 @@
   loop: "{{ MINIO_FRONT_PROXY_MATRIX }}"
   loop_control:
     label: "{{ item.domain }} -> {{ item.http_port }}"
+
+- block:
+    - name: "Render MinIO policy into variable"
+      set_fact:
+        minio_policy_content: "{{ lookup('template', 'policy.json.j2') }}"
+
+    - name: "Apply MinIO policy {{ MINIO_OIDC_POLICY_NAME }}"
+      shell: |
+        set -euo pipefail
+        mc alias set minio {{ MINIO_API_URL }} {{ users.administrator.username }} {{ users.administrator.password }}
+        mc admin policy create minio {{ MINIO_OIDC_POLICY_NAME }} /dev/stdin || true
+      args:
+        executable: /bin/bash
+        stdin: "{{ minio_policy_content }}"
+  when: MINIO_OIDC_ENABLED | bool

roles/web-app-minio/templates/env.J2

@@ -1,3 +0,0 @@
-# MINIO
-MINIO_ROOT_USER=admin
-MINIO_ROOT_PASSWORD=adminadmin

roles/web-app-minio/templates/env.j2

@@ -0,0 +1,19 @@
+# MINIO
+MINIO_ROOT_USER={{ users.administrator.username }}
+MINIO_ROOT_PASSWORD={{ users.administrator.password }}
+
+{% if MINIO_OIDC_ENABLED | bool %}
+# OIDC basics
+MINIO_IDENTITY_OPENID_CONFIG_URL={{ OIDC.CLIENT.DISCOVERY_DOCUMENT }}
+MINIO_IDENTITY_OPENID_CLIENT_ID={{ OIDC.CLIENT.ID }}
+MINIO_IDENTITY_OPENID_CLIENT_SECRET={{ OIDC.CLIENT.SECRET }}
+MINIO_IDENTITY_OPENID_SCOPES=openid,profile,email,groups
+MINIO_IDENTITY_OPENID_DISPLAY_NAME={{ OIDC.BUTTON_TEXT }}
+
+# We read policies from the custom 'policy' claim
+MINIO_IDENTITY_OPENID_CLAIM_NAME={{ RBAC.GROUP.CLAIM }}
+
+# Good practice behind proxies
+MINIO_SERVER_URL={{ MINIO_API_URL }}
+MINIO_BROWSER_REDIRECT_URL={{ MINIO_CONSOLE_URL }}
+{% endif %}

roles/web-app-minio/templates/policy.json.j2

@@ -0,0 +1,16 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:*",
+        "admin:*"
+      ],
+      "Resource": [
+        "arn:aws:s3:::*",
+        "arn:minio:admin:::*"
+      ]
+    }
+  ]
+}

roles/web-app-minio/vars/main.yml

@@ -14,18 +14,24 @@ MINIO_VOLUME:                   "{{ applications | get_app_conf(application_id,
 
 ## Api
 MINIO_API_DOMAIN:               "{{ applications | get_app_conf(application_id, 'server.domains.canonical.api') }}"
+MINIO_API_URL:                  "{{ WEB_PROTOCOL }}://{{ MINIO_API_DOMAIN }}"
 MINIO_API_PORT_INTERNAL:        9000
 MINIO_API_PORT_PUBLIC:          "{{ ports.localhost.http[application_id ~ '_api'] }}"
 
 ## Console
 MINIO_CONSOLE_DOMAIN:           "{{ applications | get_app_conf(application_id, 'server.domains.canonical.console') }}"
+MINIO_CONSOLE_URL:              "{{ domains | get_url(application_id, WEB_PROTOCOL) }}"
 MINIO_CONSOLE_PORT_INTERNAL:    9001
 MINIO_CONSOLE_PORT_PUBLIC:      "{{ ports.localhost.http[application_id ~ '_console'] }}"
 
+## OIDC
+MINIO_OIDC_ENABLED:             "{{ applications | get_app_conf(application_id, 'features.oidc') }}"
+MINIO_OIDC_POLICY_NAME:         "{{ [ RBAC.GROUP.NAME, application_id ~ '-administrator' ] | path_join }}"
+
 MINIO_FRONT_PROXY_MATRIX: >-
   {{
     [
       { 'domain': MINIO_CONSOLE_DOMAIN, 'http_port': MINIO_CONSOLE_PORT_PUBLIC },
-      { 'domain': MINIO_API_DOMAIN,   'http_port': MINIO_API_PORT_PUBLIC }
+      { 'domain': MINIO_API_DOMAIN,     'http_port': MINIO_API_PORT_PUBLIC }
     ]
   }}