Add oauth to MinIO (#35)

I want to use OAuth everywhere it's possible, so I need to create accounts in gitea only Reviewed-on: https://git.badhouseplants.net/badhouseplants/k8s-cluster-config/pulls/35
2023-03-13 07:41:49 +00:00
parent 1553a906d8
commit db538f7181
4 changed files with 66 additions and 17 deletions
--- a/badhouseplants/helmfile.yaml
+++ b/badhouseplants/helmfile.yaml
@ -46,5 +46,5 @@ bases:
  - ../environments.yaml
  - ../repositories.yaml

-helmfiles:
-  - namespaces.yaml
+    #helmfiles:
+    #  - namespaces.yaml
--- a/badhouseplants/values/secrets.minio.yaml
+++ b/badhouseplants/values/secrets.minio.yaml
@ -2,7 +2,17 @@ rootPassword: ENC[AES256_GCM,data:7baD0HwMztU27TymEWp+Ad1s8Zc=,iv:CXiTBEGU1tr99i
 users:
    - accessKey: ENC[AES256_GCM,data:9ZhHOes+vQM=,iv:ltKbQ0KW8/Jmn7kmTaGaDcerlkquTXhGr0wbMMwxNgA=,tag:X6n+44dvPAm4v2rcxYkPEQ==,type:str]
      secretKey: ENC[AES256_GCM,data:mzWBQcPitrpwIMqBrbtBs3RBDg==,iv:cLA6Wvmf5il54DFkNbwQ27wPxAm/eqSrxAc3MVELero=,tag:nUc83Ctqw4PTwirkUr803A==,type:str]
-      policy: ENC[AES256_GCM,data:B7CQsSUaq3B/gO/X,iv:Z4DTTXk5TO288lIrjbvXQXsUt44WjvGLMGxXmnEnHGU=,tag:pvK4zoZGBbpithTBYVDKfQ==,type:str]
+      policy: ENC[AES256_GCM,data:szr/D/u/ng0=,iv:jzm7Q4zdKQpNV0FgJ4jA9CuN7r912ySBJHmxKeQGS2I=,tag:cKarFmhIbBEtslSxOc4mcA==,type:str]
+oidc:
+    enabled: ENC[AES256_GCM,data:lK45+A==,iv:NcoTJPt4XZGRlVRwpsmuI5nu66cGVksQBRAwRval5JY=,tag:kjtPLITQLBOqjF3IaJAL8w==,type:bool]
+    configUrl: ENC[AES256_GCM,data:ZNVvWPlFPA1xgfysavsEusfxE2ySIM9FYatYqfWPnUrHKMtCxYlrn1ip3nTYL2JHvjM3yltLBNbqWMCGlgtw,iv:p1F2DqCFaKvjYKhMieFytnMuggrec8DmBzDATLTVe+8=,tag:3EtpPSyRlGThov5OcZfV+g==,type:str]
+    clientId: ENC[AES256_GCM,data:kO7PkjN+5GqZCxChvtbTQb/5zo7nVxfh7MZqbDoJLIKMEfth,iv:ti3Xlc3sRVOVGtxGw/pT5iBy5rBqV2v+MhiNF3Krb9U=,tag:3LUDIkq08zGmvjJtSnE/jA==,type:str]
+    clientSecret: ENC[AES256_GCM,data:PVe+8SlNrznBiFVNpuQXIcuPkUXyUJ7DObZpRvlgA8JjUHXTy3VY7soyJVBZEMfYbNjSLLcKcWM=,iv:fbh2RcQdPf3jUt2AOI3xp09SSEaWzI4rLGZmlZY46uM=,tag:wvEBkkPsXoQXAP7fN1iDMA==,type:str]
+    claimName: ENC[AES256_GCM,data:K7IO7TyaAUr4U80Ni5Xt/bma,iv:R8RQLttCNMHpAit+3OQ/STXo7u6xqQ1+RYgGLpJTpn4=,tag:3Wsh7TNnh1V0GrqjF/4Uiw==,type:str]
+    redirectUri: ENC[AES256_GCM,data:+Q8cNCvslAcO4m7VJwNe/CpEntyHfuHOrHqqtlrDILkfc0IRAA8aSbZwbA2v+So=,iv:GwzNILyqLuAYUQFKbt5WE+VCdOzSTBmGCAHcCAnzxXk=,tag:p9/86/r2DfT1mkQu+aQJfQ==,type:str]
+    comment: ENC[AES256_GCM,data:TO3kA0i503ZA+EFhKa2AZw==,iv:Cl3NvvgXz71AaCgMl062urNtcBtgk832vtxTs9MJwik=,tag:JwerK2q1L7xMv/NIoWkESw==,type:str]
+    claimPrefix: ""
+    scopes: ENC[AES256_GCM,data:kyewug7Dv2UOcsc8UWe1ssepra8uBW7uYw==,iv:RfQQiwBWWSd9DSgSlYZFwyZy2xaizMuVjeCZAws3ddM=,tag:jnegIPBviRTPi4kwM1jexQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -18,8 +28,8 @@ sops:
            NFd0WDBXRERZc2ZDbWhDTFhnZExjVmcKDKHKoouDK66AYXenznGjTMnahqIwbp1y
            zA+MZx0FPO7xm9UCGaxIFzdLXK6O2ctw9fDceR6oMj+YehLOKwEmoA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-02-19T20:48:11Z"
-    mac: ENC[AES256_GCM,data:MTcZ//5+uC+yFp+TmLhqdGIBpcaW96HpfUZeIUZijOffss401/XMOYprIILTPRq2B8kaCW2jp8hkL3oFDxSce0BGeqdRsFOlRL9vbtpyBPTUoGBnr6u/HK1G09zqtlsA/RZTvpBNoKrfdSvoWwoFIjs5oWPbi1f44gkgAl85ENM=,iv:07nSOo1F63sPgadSHtdI9JjtKjH/F9ThFW4sxWVGTxs=,tag:fFOO4sT6EFsAKje5llEUqg==,type:str]
+    lastmodified: "2023-03-12T10:17:38Z"
+    mac: ENC[AES256_GCM,data:I6DCLZNMl3LuGif/mDDNKKODZ6O/CSYty0+N60Xw4go2mH9J8/PPX0fEYL0ilRG2VDLuZ86RTiPCwAtUXVrtu1jzlkajbZPytWMpURZk+4m2XxXSDrTHNt6KJglF29DhENCkVXeZ75fHSKOS0yliZ+Q/90Ye18FJSlvVUy6HSfM=,iv:4y4pU0OTK6c2Oj5LvoJALtcn5TJ7OQFNys2swbYkodU=,tag:GSPQ64Ntu/oYnz6BfWXOTg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/badhouseplants/values/values.minio.yaml
+++ b/badhouseplants/values/values.minio.yaml
@ -1,3 +1,4 @@
+---
 rootUser: 'overlord'
 replicas: 1
 mode: standalone
@ -24,13 +25,51 @@ resources:
  requests:
    memory: 2Gi
 buckets:
-  - name: allanger
-    policy: none
+  - name: badhouseplants-net
+    policy: download
    purge: false
-    versioning: true
+    versioning: false
+  - name: badhouseplants-net-main
+    policy: download
+    purge: false
+    versioning: false
 metrics:
  serviceMonitor:
    enabled: false
    public: true
    additionalLabels: {}
-
+policies:
+  - name: allanger
+    statements:
+      - resources:
+          - 'arn:aws:s3:::*'
+        actions:
+          - "s3:*"
+      - resources: []
+        actions:
+          - "admin:*"
+      - resources: []
+        actions:
+          - "kms:*"
+  - name: badhouseplants:owners
+    statements:
+      - resources:
+          - 'arn:aws:s3:::*'
+        actions:
+          - "s3:*"
+      - resources: []
+        actions:
+          - "admin:*"
+      - resources: []
+        actions:
+          - "kms:*"
+  - name: badhouseplants
+    statements:
+      - resources:
+          - 'arn:aws:s3:::badhouseplants'
+        actions:
+          - "s3:*"
+      - resources:
+          - 'arn:aws:s3:::badhouseplants/*'
+        actions:
+          - "s3:*"