web-app-minio: manage OIDC policy via containerized mc and fix policy JSON

- Use dockerized mc with MC_HOST_minio (stateless), no temp files/dirs
- Create only RAW policy name with slash to match Keycloak claim
- Split policy: s3:* on S3 ARNs; admin:* on Resource "*"
- Add mc vars (image, MC_HOST components) to vars/main.yml
- Remove unused Ollama dependency block from tasks

Refs: ChatGPT conversation → https://chatgpt.com/share/68d1eab9-a35c-800f-aa81-76fb2101bd93
2025-09-23 02:33:35 +02:00
parent 7a119c3175
commit 75c36a1d71
3 changed files with 44 additions and 23 deletions


@@ -1,13 +1,4 @@
--- ---
- name: "Install Ollama Dependency"
include_role:
name: svc-ai-ollama
vars:
flush_handlers: true
when:
- run_once_svc_ai_ollama is not defined
- OLLAMA_LOCAL_ENABLED | bool
- name: "load docker and db for {{ application_id }}" - name: "load docker and db for {{ application_id }}"
include_role: include_role:
name: sys-stk-back-stateless name: sys-stk-back-stateless
@@ -25,16 +16,32 @@
label: "{{ item.domain }} -> {{ item.http_port }}" label: "{{ item.domain }} -> {{ item.http_port }}"
- block: - block:
- name: "Render MinIO policy into variable" - name: "Check policy (RAW with slash) exists"
set_fact: no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
minio_policy_content: "{{ lookup('template', 'policy.json.j2') }}" shell: >
docker run --rm
-e MC_HOST_minio={{ MINIO_MC_HOST_ENV | quote }}
{{ MINIO_MC_IMAGE }}
admin policy info minio {{ MINIO_OIDC_POLICY_NAME | quote }}
register: mc_policy_info_raw
failed_when: false
changed_when: false
- name: "Apply MinIO policy {{ MINIO_OIDC_POLICY_NAME }}" - name: "Create policy (RAW with slash) if missing"
shell: | shell: |
set -euo pipefail set -euo pipefail
mc alias set minio {{ MINIO_API_URL }} {{ users.administrator.username }} {{ users.administrator.password }} printf '%s' '{{ (MINIO_OIDC_POLICY_CONTENT | from_yaml | to_json) | b64encode }}' \
mc admin policy create minio {{ MINIO_OIDC_POLICY_NAME }} /dev/stdin || true | base64 -d \
args: | docker run --rm -i \
executable: /bin/bash -e MC_HOST_minio={{ MINIO_MC_HOST_ENV | quote }} \
stdin: "{{ minio_policy_content }}" {{ MINIO_MC_IMAGE }} \
admin policy create minio {{ MINIO_OIDC_POLICY_NAME | quote }} /dev/stdin
args: { executable: /bin/bash }
no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
when:
- mc_policy_info_raw.rc != 0
when: MINIO_OIDC_ENABLED | bool when: MINIO_OIDC_ENABLED | bool
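Review bot: Both new tasks place the administrator credentials in the docker argv via `-e MC_HOST_minio={{ MINIO_MC_HOST_ENV | quote }}`; `no_log` keeps them out of Ansible output, but the command line is readable in the host process table for as long as the container runs. Docker forwards a variable from its own environment when `-e` is given without a value, so set it on the task instead — `environment: { MC_HOST_minio: "{{ MINIO_MC_HOST_ENV }}" }` plus `-e MC_HOST_minio \` — and, since that container is handed admin credentials, pin `MINIO_MC_IMAGE` (currently `quay.io/minio/mc:latest` in vars/main.yml) to a specific tag or digest. The create task is guarded by `mc_policy_info_raw.rc != 0`, so an existing policy is never refreshed: the change this commit makes to policy.json.j2 will not reach hosts where the old policy was already created. Comparing the rendered document with the `mc admin policy info` output, or running create unconditionally with a `changed_when` based on that comparison, would let the role converge. `failed_when: false` on the check also treats an unreachable server or an image pull failure the same as a missing policy; that may be intended, but a comment saying so would help.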


@@ -3,14 +3,16 @@
"Statement": [ "Statement": [
{ {
"Effect": "Allow", "Effect": "Allow",
"Action": [ "Action": ["s3:*"],
"s3:*",
"admin:*"
],
"Resource": [ "Resource": [
"arn:aws:s3:::*", "arn:aws:s3:::*",
"arn:minio:admin:::*" "arn:aws:s3:::*/*"
] ]
},
{
"Effect": "Allow",
"Action": ["admin:*"],
"Resource": ["*"]
} }
] ]
} }
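Review bot: The second S3 resource `arn:aws:s3:::*/*` is redundant as far as I can tell — `arn:aws:s3:::*` already matches object ARNs because the wildcard spans `/` — so the list could be just `"Resource": ["arn:aws:s3:::*"]`, or keep both with a comment if the explicit object pattern is meant as documentation. Since this template now grants every S3 action on every bucket plus `admin:*` (server administration) to whoever carries the matching Keycloak claim, a header note stating that explicitly would help the next maintainer, e.g. a Jinja comment `{# Full-admin policy for the OIDC administrator group: all S3 actions on all buckets and objects plus all MinIO admin actions #}` at the top of the template, which lies outside this hunk. As far as I recall MinIO's built-in admin policies express `admin:*` without a Resource element, so if `"Resource": ["*"]` was added only to satisfy a parse error it is worth recording which mc/MinIO version required it.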


@@ -24,9 +24,21 @@ MINIO_CONSOLE_URL: "{{ domains | get_url(application_id, WEB_PROTOC
MINIO_CONSOLE_PORT_INTERNAL: 9001 MINIO_CONSOLE_PORT_INTERNAL: 9001
MINIO_CONSOLE_PORT_PUBLIC: "{{ ports.localhost.http[application_id ~ '_console'] }}" MINIO_CONSOLE_PORT_PUBLIC: "{{ ports.localhost.http[application_id ~ '_console'] }}"
## MC
MINIO_MC_IMAGE: "quay.io/minio/mc:latest"
MINIO_MC_INSECURE: false # set to true if you use self-signed TLS
MINIO_MC_SCHEME: "{{ 'https' if (MINIO_API_URL is match('^https://')) else 'http' }}"
MINIO_MC_HOST_ONLY: "{{ MINIO_API_URL | regex_replace('^https?://', '') }}"
MINIO_MC_USER: "{{ users.administrator.username | urlencode }}"
MINIO_MC_PASS: "{{ users.administrator.password | urlencode }}"
MINIO_MC_INSECURE_SUFFIX: "{{ '?insecure=true' if (MINIO_MC_INSECURE | bool) else '' }}"
MINIO_MC_HOST_ENV: "{{ MINIO_MC_SCHEME }}://{{ MINIO_MC_USER }}:{{ MINIO_MC_PASS }}@{{ MINIO_MC_HOST_ONLY }}{{ MINIO_MC_INSECURE_SUFFIX }}"
## OIDC ## OIDC
MINIO_OIDC_ENABLED: "{{ applications | get_app_conf(application_id, 'features.oidc') }}" MINIO_OIDC_ENABLED: "{{ applications | get_app_conf(application_id, 'features.oidc') }}"
MINIO_OIDC_POLICY_NAME: "{{ [ RBAC.GROUP.NAME, application_id ~ '-administrator' ] | path_join }}" MINIO_OIDC_POLICY_NAME: "{{ [ RBAC.GROUP.NAME, application_id ~ '-administrator' ] | path_join }}"
MINIO_OIDC_POLICY_CONTENT: "{{ lookup('template', 'policy.json.j2') }}"
MINIO_OIDC_POLICY_NAME_SAFE: "{{ (MINIO_OIDC_POLICY_NAME | regex_replace('^/+','')) | regex_replace('/','-') }}"
MINIO_FRONT_PROXY_MATRIX: >- MINIO_FRONT_PROXY_MATRIX: >-
{{ {{