benfiola / minio-operator-ext

A Kubernetes operator that allows for declarative management of MinIO resources

minio-operator-ext

The MinIO Operator is currently capable of deploying MinIO tenants, but it does not expose any mechanism for declaratively managing resources within a MinIO tenant.

This repo extends the MinIO Operator (i.e., minio-operator-ext(ension)), providing an additional operator and CRDs that allow one to declaratively manage users, buckets, policies and policy bindings.

Resources

Currently, this operator manages the following resources:

Examples of these resources can be found here.

Installation

Installation is a two-step process:

Image

The operator is hosted on docker hub and can be found at docker.io/benfiola/minio-operator-ext.

The following arguments/environment variables configure the operator:

| CLI | Env | Default | Description |
|---|---|---|---|
| --log-level | _MINIO_OPERATOR_EXT_LOGLEVEL | info | Logging verbosity for the operator |
| --kube-config | _MINIO_OPERATOR_EXT_KUBECONFIG | null | Optional path to a kubeconfig file. When omitted, uses in-cluster configuration. |

RBAC

The operator requires a service account with the following RBAC settings:

| Resource | Verbs | Why |
|---|---|---|
| minio.min.io/v2/Tenant | Get, Watch, List, Patch | Used to discover MinIO tenants |
| v1/Event | Create | Used to publish events whenever activity is performed |
| v1/ConfigMap | Get | Used to obtain the CA bundle used to generate a MinIO tenant's TLS certificates (for HTTP client certificate validation) |
| v1/Secret | Get | Used to fetch a MinIO tenant's configuration (which is stored as a secret) |
| v1/Services | Get | Used to determine a MinIO tenant's internal endpoint |
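The table above expressed as Kubernetes RBAC objects, as an added example rather than a manifest shipped by the project; the namespace and object names are assumptions, and the verbs are kept to exactly those listed so the operator cannot list or watch Secrets cluster-wide.

```yaml
# Added example (not the project's own manifest): a least-privilege
# ClusterRole matching the RBAC table above. The namespace and the
# name "minio-operator-ext" are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: minio-operator-ext
  namespace: minio-operator-ext
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: minio-operator-ext
rules:
  # minio.min.io/v2/Tenant: discover (and patch) MinIO tenants
  - apiGroups: ["minio.min.io"]
    resources: ["tenants"]
    verbs: ["get", "watch", "list", "patch"]
  # v1/Event: publish events whenever activity is performed
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create"]
  # v1/ConfigMap, v1/Secret, v1/Service: read a tenant's CA bundle,
  # configuration secret and internal endpoint. Only "get" is granted;
  # without "list"/"watch" the operator cannot enumerate every Secret
  # in the cluster. If all tenants live in one namespace, a namespaced
  # Role + RoleBinding narrows this further.
  - apiGroups: [""]
    resources: ["configmaps", "secrets", "services"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: minio-operator-ext
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: minio-operator-ext
subjects:
  - kind: ServiceAccount
    name: minio-operator-ext
    namespace: minio-operator-ext
```

After applying, `kubectl auth can-i list secrets --as=system:serviceaccount:minio-operator-ext:minio-operator-ext` should answer `no`, while `kubectl auth can-i get secrets --as=...` should answer `yes`.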

Limitations

Not all MinIO resource properties can be updated; those properties are treated as immutable. Attempts to modify an immutable property are ignored, and a warning event is logged to the resource in question.

Some examples of immutable properties:

Development

I personally use vscode as an IDE. For a consistent development experience, this project is also configured to use devcontainers. If you're using both, and you have the Dev Containers extension installed, you can follow the introductory docs to get started quickly.

NOTE: Helper scripts are written under the assumption that they're being executed within a dev container.

Creating a development environment

From the project root, run the following to create a development cluster to test the operator with:

cd /workspaces/minio-operator-ext
./dev/create-cluster.sh

This will:

Testing LDAP identities

After creating a local development cluster, you can configure MinIO to use the deployed LDAP server as its identity provider:

cd /workspaces/minio-operator-ext
./dev/use-ldap.sh

NOTE: With an identity provider configured, attempts to operate on builtin identities will fail.

Creating a launch script

Copy the dev.template.py script to dev.py, then run it to start the operator against the local development environment.

If placed in the top-level directory, dev.py is gitignored, so you can change this file as needed without worrying about committing it to git.

Additionally, the devcontainer is configured with vscode launch configurations that point to a top-level dev.py file, so you can launch the operator (and attach a debugger to it) directly from vscode.