From 75c36a1d71435ff9e0856dd0826a1216eaf1ade8 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Tue, 23 Sep 2025 02:33:35 +0200
Subject: [PATCH] web-app-minio: manage OIDC policy via containerized mc and fix policy JSON
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Use dockerized mc with MC_HOST_minio (stateless), no temp files/dirs
- Create only RAW policy name with slash to match Keycloak claim
- Split policy: s3:* on S3 ARNs; admin:* on Resource "*"
- Add mc vars (image, MC_HOST components) to vars/main.yml
- Remove unused Ollama dependency block from tasks

Refs: ChatGPT conversation → https://chatgpt.com/share/68d1eab9-a35c-800f-aa81-76fb2101bd93
---
 roles/web-app-minio/tasks/main.yml | 43 ++++++++++++--------
 roles/web-app-minio/templates/policy.json.j2 | 12 +++--
 roles/web-app-minio/vars/main.yml | 12 ++++++
 3 files changed, 44 insertions(+), 23 deletions(-)

diff --git a/roles/web-app-minio/tasks/main.yml b/roles/web-app-minio/tasks/main.yml
index 7f0716a1..5be6f55e 100644
--- a/roles/web-app-minio/tasks/main.yml
+++ b/roles/web-app-minio/tasks/main.yml
@@ -1,13 +1,4 @@
 ---
-- name: "Install Ollama Dependency"
-  include_role:
-    name: svc-ai-ollama
-  vars:
-    flush_handlers: true
-  when:
-    - run_once_svc_ai_ollama is not defined
-    - OLLAMA_LOCAL_ENABLED | bool
-
 - name: "load docker and db for {{ application_id }}"
   include_role:
     name: sys-stk-back-stateless
@@ -25,16 +16,32 @@
     label: "{{ item.domain }} -> {{ item.http_port }}"
 
 - block:
-    - name: "Render MinIO policy into variable"
-      set_fact:
-        minio_policy_content: "{{ lookup('template', 'policy.json.j2') }}"
+    - name: "Check policy (RAW with slash) exists"
+      no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+      shell: >
+        docker run --rm
+        -e MC_HOST_minio={{ MINIO_MC_HOST_ENV | quote }}
+        {{ MINIO_MC_IMAGE }}
+        admin policy info minio {{ MINIO_OIDC_POLICY_NAME | quote }}
+      register: mc_policy_info_raw
+      failed_when: false
+      changed_when: false
 
-    - name: "Apply MinIO policy {{ MINIO_OIDC_POLICY_NAME }}"
+    - name: "Create policy (RAW with slash) if missing"
       shell: |
         set -euo pipefail
-        mc alias set minio {{ MINIO_API_URL }} {{ users.administrator.username }} {{ users.administrator.password }}
-        mc admin policy create minio {{ MINIO_OIDC_POLICY_NAME }} /dev/stdin || true
-      args:
-        executable: /bin/bash
-      stdin: "{{ minio_policy_content }}"
+        printf '%s' '{{ (MINIO_OIDC_POLICY_CONTENT | from_yaml | to_json) | b64encode }}' \
+        | base64 -d \
+        | docker run --rm -i \
+        -e MC_HOST_minio={{ MINIO_MC_HOST_ENV | quote }} \
+        {{ MINIO_MC_IMAGE }} \
+        admin policy create minio {{ MINIO_OIDC_POLICY_NAME | quote }} /dev/stdin
+      args: { executable: /bin/bash }
+      no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+      async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
+      poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
+      when:
+        - mc_policy_info_raw.rc != 0
   when: MINIO_OIDC_ENABLED | bool
+
diff --git a/roles/web-app-minio/templates/policy.json.j2 b/roles/web-app-minio/templates/policy.json.j2
index 79d275ca..fa566952 100644
--- a/roles/web-app-minio/templates/policy.json.j2
+++ b/roles/web-app-minio/templates/policy.json.j2
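Review bot: With `when: mc_policy_info_raw.rc != 0` on the create task, an existing policy is never updated, so the document change made in this same commit (policy.json.j2) will not reach any host where the previous role version already created the policy, and future template edits will drift the same way; the replaced code re-ran `mc admin policy create` on every run. Separately, in both tasks `-e MC_HOST_minio={{ MINIO_MC_HOST_ENV | quote }}` places the administrator credentials in the `docker run` argument list, where they are readable from the process list by any local user while the command runs, whereas `no_log` only covers Ansible's own output; putting the value in the task's `environment:` and using a bare `-e MC_HOST_minio` lets Docker inherit it from the client environment instead. The sketch below applies both changes, keeps the info task, and derives `changed_when` from comparing its output with the rendered document; the output shape of `mc admin policy info` (plain document versus a `--json` envelope) depends on the mc version, so confirm it against the pinned image before relying on the comparison.

```yaml
    - name: "Check policy (RAW with slash) exists"
      environment:
        MC_HOST_minio: "{{ MINIO_MC_HOST_ENV }}"
      shell: >
        docker run --rm -e MC_HOST_minio {{ MINIO_MC_IMAGE }}
        admin policy info minio {{ MINIO_OIDC_POLICY_NAME | quote }}
      # … unchanged: no_log / register / failed_when / changed_when …

    - name: "Create or update policy (RAW with slash)"
      environment:
        MC_HOST_minio: "{{ MINIO_MC_HOST_ENV }}"
      shell: |
        set -euo pipefail
        printf '%s' '{{ (MINIO_OIDC_POLICY_CONTENT | from_yaml | to_json) | b64encode }}' \
        | base64 -d \
        | docker run --rm -i -e MC_HOST_minio {{ MINIO_MC_IMAGE }} \
        admin policy create minio {{ MINIO_OIDC_POLICY_NAME | quote }} /dev/stdin
      # … unchanged: args / no_log / async / poll …
      # Report a change when the policy was absent or its stored document differs from the
      # rendered one. TODO(review): confirm the output shape of `mc admin policy info` first.
      changed_when: >-
        mc_policy_info_raw.rc != 0 or
        (mc_policy_info_raw.stdout | from_json) != (MINIO_OIDC_POLICY_CONTENT | from_yaml)
```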
@@ -3,14 +3,16 @@
   "Statement": [
     {
       "Effect": "Allow",
-      "Action": [
-        "s3:*",
-        "admin:*"
-      ],
+      "Action": ["s3:*"],
       "Resource": [
         "arn:aws:s3:::*",
-        "arn:minio:admin:::*"
+        "arn:aws:s3:::*/*"
       ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": ["admin:*"],
+      "Resource": ["*"]
     }
   ]
 }
diff --git a/roles/web-app-minio/vars/main.yml b/roles/web-app-minio/vars/main.yml
index af5c4874..0c12dbac 100644
--- a/roles/web-app-minio/vars/main.yml
+++ b/roles/web-app-minio/vars/main.yml
@@ -24,9 +24,21 @@ MINIO_CONSOLE_URL: "{{ domains | get_url(application_id, WEB_PROTOC
 MINIO_CONSOLE_PORT_INTERNAL: 9001
 MINIO_CONSOLE_PORT_PUBLIC: "{{ ports.localhost.http[application_id ~ '_console'] }}"
 
+## MC
+MINIO_MC_IMAGE: "quay.io/minio/mc:latest"
+MINIO_MC_INSECURE: false # set to true if you use self-signed TLS
+MINIO_MC_SCHEME: "{{ 'https' if (MINIO_API_URL is match('^https://')) else 'http' }}"
+MINIO_MC_HOST_ONLY: "{{ MINIO_API_URL | regex_replace('^https?://', '') }}"
+MINIO_MC_USER: "{{ users.administrator.username | urlencode }}"
+MINIO_MC_PASS: "{{ users.administrator.password | urlencode }}"
+MINIO_MC_INSECURE_SUFFIX: "{{ '?insecure=true' if (MINIO_MC_INSECURE | bool) else '' }}"
+MINIO_MC_HOST_ENV: "{{ MINIO_MC_SCHEME }}://{{ MINIO_MC_USER }}:{{ MINIO_MC_PASS }}@{{ MINIO_MC_HOST_ONLY }}{{ MINIO_MC_INSECURE_SUFFIX }}"
+
 ## OIDC
 MINIO_OIDC_ENABLED: "{{ applications | get_app_conf(application_id, 'features.oidc') }}"
 MINIO_OIDC_POLICY_NAME: "{{ [ RBAC.GROUP.NAME, application_id ~ '-administrator' ] | path_join }}"
+MINIO_OIDC_POLICY_CONTENT: "{{ lookup('template', 'policy.json.j2') }}"
+MINIO_OIDC_POLICY_NAME_SAFE: "{{ (MINIO_OIDC_POLICY_NAME | regex_replace('^/+','')) | regex_replace('/','-') }}"
 
 MINIO_FRONT_PROXY_MATRIX: >-
   {{
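Review bot: The template now grants `s3:*` on every bucket and object plus `admin:*` on `*`, which is an unrestricted MinIO administrator policy, and nothing in the file says so or why. JSON has no comment syntax, but this is a Jinja template, so a `{# … #}` comment at the top is stripped on render: `{# Full-admin policy for the OIDC administrator group: any identity whose policy claim carries MINIO_OIDC_POLICY_NAME receives unrestricted S3 and admin access. #}`. Because the policy name is chosen to match the Keycloak claim, the group-to-claim mapping on the Keycloak side is the effective access control for this policy; that dependency belongs in the role documentation as well.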
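Review bot: `MINIO_MC_IMAGE: "quay.io/minio/mc:latest"` hands the root administrator credentials (via `MINIO_MC_HOST_ENV`) to whatever image the floating tag resolves to on the day the play runs; pin a release tag, or better a digest, e.g. `MINIO_MC_IMAGE: "quay.io/minio/mc:<RELEASE-TAG>"` (placeholder), and bump it deliberately. The inline comment on `MINIO_MC_INSECURE` should state the effect rather than the use case: `# true disables TLS certificate verification in mc (admin credentials then go to an unverified endpoint); prefer trusting the issuing CA on the host`. `MINIO_MC_USER`/`MINIO_MC_PASS` rely on Jinja's `urlencode`, which as far as I recall leaves `/` and `:` unescaped for string values, so an administrator password containing `/` would terminate the authority part of `MINIO_MC_HOST_ENV`; if so, appending `| regex_replace('/', '%2F')` to both closes the gap. `MINIO_OIDC_POLICY_NAME_SAFE` is defined but referenced nowhere in this patch; if nothing else in the role uses it, drop it rather than leave a second, differently spelled policy name around.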