minio fixes

2026-05-27 23:08:28 +02:00
parent b26f4d5a59
commit 466a83fcaf
4 changed files with 23 additions and 20 deletions
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -1122,7 +1122,7 @@ mode: standalone
 persistence:
  size: 50Gi
 consoleIngress:
-  hosts: [minio.forteapps.net]
+  hosts: [zipline.forteapps.net]
 ingress:
  hosts: [s3.forteapps.net]
 ```
@@ -1134,7 +1134,7 @@ ingress:
 **SSO**: Native OIDC via Keycloak `forte` realm (client ID: `minio`). Self-service client config Secret (`keycloak-client-minio`) triggers registrar. Policy claim mapper maps user attributes to MinIO policies.

 **Endpoints**:
- Console: `https://minio.forteapps.net`
+- Console: `https://zipline.forteapps.net`
 - S3 API: `https://s3.forteapps.net`

 **Secrets**:
--- a/infra/overlays/upc-dev/minio/keycloak-client-config.yaml
+++ b/infra/overlays/upc-dev/minio/keycloak-client-config.yaml
@@ -10,8 +10,8 @@ stringData:
    {
      "clientId": "minio",
      "name": "MinIO",
-      "redirectUris": ["https://minio.forteapps.net/oauth_callback"],
-      "webOrigins": ["https://minio.forteapps.net"],
+      "redirectUris": ["https://zipline.forteapps.net/oauth_callback"],
+      "webOrigins": ["https://zipline.forteapps.net"],
      "protocolMappers": [
        {
          "name": "minio-policy-mapper",
--- a/infra/values/base/keycloak-values.yaml
+++ b/infra/values/base/keycloak-values.yaml
@@ -338,7 +338,8 @@ extraDeploy:
                upsert_secret() {
                  local ns="$1" name="$2" manifest="$3"
                  local code
-                  code=$(curl -sf -o /dev/null -w "%{http_code}" \
+                  # NOTE: intentionally no -f; we need to capture HTTP 404 without curl exiting 22
+                  code=$(curl -s -o /dev/null -w "%{http_code}" \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    -H "Content-Type: application/json" \
@@ -347,7 +348,7 @@ extraDeploy:
                  if [ "$code" = "200" ]; then
                    echo "  Updated secret '${ns}/${name}'"
                  elif [ "$code" = "404" ]; then
-                    code=$(curl -sf -o /dev/null -w "%{http_code}" \
+                    code=$(curl -s -o /dev/null -w "%{http_code}" \
                      --cacert "$CA_CERT" \
                      -H "Authorization: Bearer ${SA_TOKEN}" \
                      -H "Content-Type: application/json" \
@@ -394,7 +395,7 @@ extraDeploy:

                  # Get the client secret from Keycloak
                  local secret_value
-                  secret_value=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
+                  secret_value=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
                    "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${client_uuid}/client-secret" \
                    | jq -r '.value')

@@ -409,7 +410,7 @@ extraDeploy:

                  # Write to target namespace (if it exists)
                  local ns_status
-                  ns_status=$(curl -sf -o /dev/null -w "%{http_code}" \
+                  ns_status=$(curl -s -o /dev/null -w "%{http_code}" \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    "${K8S_API}/api/v1/namespaces/${target_ns}")
@@ -433,12 +434,12 @@ extraDeploy:
                  local ns="$1" name="$2" key="$3" value="$4"
                  local patch
                  patch=$(printf '{"metadata":{"annotations":{"%s":"%s"}}}' "$key" "$value")
-                  curl -sf -o /dev/null \
+                  curl -s -o /dev/null \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    -H "Content-Type: application/strategic-merge-patch+json" \
                    -X PATCH -d "$patch" \
-                    "${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}"
+                    "${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}" || true
                }

                # =============================================
--- a/infra/values/upc-dev/minio-values.yaml
+++ b/infra/values/upc-dev/minio-values.yaml
@@ -39,14 +39,16 @@ ingress:
    - s3.forteapps.net

 ## Native OIDC via Keycloak
+## TEMPORARILY disabled: the registrar needs time to create minio-oidc-credentials.
+## Re-enable once `kubectl get secret minio-oidc-credentials -n minio` succeeds.
 oidc:
-  enabled: true
-  configUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration"
-  clientId: "minio"
-  existingClientSecretName: "minio-oidc-credentials"
-  existingClientSecretKey: "client-secret"
-  claimName: "policy"
-  scopes: "openid,email,profile"
-  redirectUri: "https://zipline.forteapps.net/oauth_callback"
-  claimPrefix: ""
-  comment: ""
+  enabled: false
+  # configUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration"
+  # clientId: "minio"
+  # existingClientSecretName: "minio-oidc-credentials"
+  # existingClientSecretKey: "client-secret"
+  # claimName: "policy"
+  # scopes: "openid,email,profile"
+  # redirectUri: "https://zipline.forteapps.net/oauth_callback"
+  # claimPrefix: ""
+  # comment: ""