The MinIO Operator can currently deploy MinIO tenants, but it does not expose any mechanism for declaratively managing resources within a tenant.
This repo extends the MinIO Operator (i.e., minio-operator-ext(ension)), providing an additional operator and CRDs that allow one to declaratively manage users, buckets, groups, policies and policy bindings.
Currently, this operator manages the following resources:

- MinioUser
- MinioBucket
- MinioGroup
- MinioGroupBinding
- MinioPolicy
- MinioPolicyBinding

Examples of these resources can be found here.
Installation is a two-step process:
The operator is hosted on docker hub and can be found at docker.io/benfiola/minio-operator-ext.
The following arguments/environment variables configure the operator:

| CLI | Env | Default | Description |
|---|---|---|---|
| `--log-level` | `_MINIO_OPERATOR_EXT_LOGLEVEL` | `info` | Logging verbosity for the operator |
| `--kube-config` | `_MINIO_OPERATOR_EXT_KUBECONFIG` | `null` | Optional path to a kubeconfig file. When omitted, uses in-cluster configuration. |
The operator requires a service account with the following RBAC settings:

| Resource | Verbs | Why |
|---|---|---|
| minio.min.io/v2/Tenant | Get, Watch, List, Patch | Used to discover MinIO tenants |
| v1/Event | Create | Used to publish events whenever activity is performed |
| v1/ConfigMap | Get | Used to obtain the CA bundle used to generate a MinIO tenant's TLS certificates (so the operator's HTTP client can validate the tenant's certificate) |
| v1/Secret | Get | Used to fetch a MinIO tenant's configuration (which is stored as a secret) |
| v1/Services | Get | Used to determine a MinIO tenant's internal endpoint |
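The table above translated into a least-privilege ClusterRole, as an added illustration rather than a manifest shipped by this project; the service account name and namespace are assumptions.

```yaml
# Added example: a ServiceAccount and ClusterRole granting exactly the
# permissions listed in the RBAC table. Names/namespace are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: minio-operator-ext        # assumed name
  namespace: minio-operator-ext   # assumed namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: minio-operator-ext
rules:
  # Discover MinIO tenants (minio.min.io/v2/Tenant) in any namespace.
  - apiGroups: ["minio.min.io"]
    resources: ["tenants"]
    verbs: ["get", "watch", "list", "patch"]
  # Publish events describing operator activity.
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create"]
  # Read the CA bundle, the tenant configuration secret and the tenant
  # service. Only "get" is granted: no list/watch, so the operator cannot
  # enumerate every secret in the cluster if it is ever compromised.
  - apiGroups: [""]
    resources: ["configmaps", "secrets", "services"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: minio-operator-ext
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: minio-operator-ext
subjects:
  - kind: ServiceAccount
    name: minio-operator-ext
    namespace: minio-operator-ext
```

After applying it, `kubectl auth can-i list secrets --as=system:serviceaccount:minio-operator-ext:minio-operator-ext` should answer `no`, while the same check with `get secrets` should answer `yes`.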
Not all minio resource properties can be updated. These properties are treated as immutable. Attempts to modify immutable properties will be ignored and warning events will be logged to the resource in question.
Some examples of immutable properties:
I personally use vscode as an IDE. For a consistent development experience, this project is also configured to utilize devcontainers. If you're using both - and you have the Dev Containers extension installed - you can follow the introductory docs to quickly get started.
NOTE: Helper scripts are written under the assumption that they're being executed within a dev container.
From the project root, run the following to create a development cluster to test the operator with:

```sh
cd /workspaces/minio-operator-ext
./dev/create-cluster.sh
```
This will:
After creating a local development cluster, you can configure MinIO to use the deployed LDAP server as its identity provider:

```sh
cd /workspaces/minio-operator-ext
./dev/use-ldap.sh
```
NOTE: With an identity provider configured, attempts to operate on builtin identities will fail.
Copy the `dev.template.py` script to `dev.py`, then run it to start the operator against the local development environment.

If placed in the top-level directory, `dev.py` is gitignored and you can change this file as needed without worrying about committing it to git.

Additionally, the devcontainer is configured with vscode launch configurations that point to a top-level `dev.py` file. You should be able to launch (and attach a debugger to) the operator by launching it natively through vscode.