Forte/launchpad
6
0
Fork 0
Code Issues Pull Requests Actions Packages Wiki Activity

minio fixes

Browse Source
This commit is contained in:
Danijel Simeunovic
2026-05-27 23:08:28 +02:00
parent b26f4d5a59
commit 466a83fcaf
4 changed files with 23 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/REFERENCE.md
View File

@@ -1122,7 +1122,7 @@ mode: standalone
persistence: persistence:
size: 50Gi size: 50Gi
consoleIngress: consoleIngress:
hosts: [minio.forteapps.net] hosts: [zipline.forteapps.net]
ingress: ingress:
hosts: [s3.forteapps.net] hosts: [s3.forteapps.net]
``` ```
@@ -1134,7 +1134,7 @@ ingress:
**SSO**: Native OIDC via Keycloak `forte` realm (client ID: `minio`). Self-service client config Secret (`keycloak-client-minio`) triggers registrar. Policy claim mapper maps user attributes to MinIO policies. **SSO**: Native OIDC via Keycloak `forte` realm (client ID: `minio`). Self-service client config Secret (`keycloak-client-minio`) triggers registrar. Policy claim mapper maps user attributes to MinIO policies.
**Endpoints**: **Endpoints**:
- Console: `https://minio.forteapps.net` - Console: `https://zipline.forteapps.net`
- S3 API: `https://s3.forteapps.net` - S3 API: `https://s3.forteapps.net`
**Secrets**: **Secrets**:

4
infra/overlays/upc-dev/minio/keycloak-client-config.yaml
View File

@@ -10,8 +10,8 @@ stringData:
{ {
"clientId": "minio", "clientId": "minio",
"name": "MinIO", "name": "MinIO",
"redirectUris": ["https://minio.forteapps.net/oauth_callback"], "redirectUris": ["https://zipline.forteapps.net/oauth_callback"],
"webOrigins": ["https://minio.forteapps.net"], "webOrigins": ["https://zipline.forteapps.net"],
"protocolMappers": [ "protocolMappers": [
{ {
"name": "minio-policy-mapper", "name": "minio-policy-mapper",

13
infra/values/base/keycloak-values.yaml
View File

@@ -338,7 +338,8 @@ extraDeploy:
upsert_secret() { upsert_secret() {
local ns="$1" name="$2" manifest="$3" local ns="$1" name="$2" manifest="$3"
local code local code
code=$(curl -sf -o /dev/null -w "%{http_code}" \ # NOTE: intentionally no -f; we need to capture HTTP 404 without curl exiting 22
code=$(curl -s -o /dev/null -w "%{http_code}" \
--cacert "$CA_CERT" \ --cacert "$CA_CERT" \
-H "Authorization: Bearer ${SA_TOKEN}" \ -H "Authorization: Bearer ${SA_TOKEN}" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
@@ -347,7 +348,7 @@ extraDeploy:
if [ "$code" = "200" ]; then if [ "$code" = "200" ]; then
echo " Updated secret '${ns}/${name}'" echo " Updated secret '${ns}/${name}'"
elif [ "$code" = "404" ]; then elif [ "$code" = "404" ]; then
code=$(curl -sf -o /dev/null -w "%{http_code}" \ code=$(curl -s -o /dev/null -w "%{http_code}" \
--cacert "$CA_CERT" \ --cacert "$CA_CERT" \
-H "Authorization: Bearer ${SA_TOKEN}" \ -H "Authorization: Bearer ${SA_TOKEN}" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
@@ -394,7 +395,7 @@ extraDeploy:
# Get the client secret from Keycloak # Get the client secret from Keycloak
local secret_value local secret_value
secret_value=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \ secret_value=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
"${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${client_uuid}/client-secret" \ "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${client_uuid}/client-secret" \
| jq -r '.value') | jq -r '.value')
@@ -409,7 +410,7 @@ extraDeploy:
# Write to target namespace (if it exists) # Write to target namespace (if it exists)
local ns_status local ns_status
ns_status=$(curl -sf -o /dev/null -w "%{http_code}" \ ns_status=$(curl -s -o /dev/null -w "%{http_code}" \
--cacert "$CA_CERT" \ --cacert "$CA_CERT" \
-H "Authorization: Bearer ${SA_TOKEN}" \ -H "Authorization: Bearer ${SA_TOKEN}" \
"${K8S_API}/api/v1/namespaces/${target_ns}") "${K8S_API}/api/v1/namespaces/${target_ns}")
@@ -433,12 +434,12 @@ extraDeploy:
local ns="$1" name="$2" key="$3" value="$4" local ns="$1" name="$2" key="$3" value="$4"
local patch local patch
patch=$(printf '{"metadata":{"annotations":{"%s":"%s"}}}' "$key" "$value") patch=$(printf '{"metadata":{"annotations":{"%s":"%s"}}}' "$key" "$value")
curl -sf -o /dev/null \ curl -s -o /dev/null \
--cacert "$CA_CERT" \ --cacert "$CA_CERT" \
-H "Authorization: Bearer ${SA_TOKEN}" \ -H "Authorization: Bearer ${SA_TOKEN}" \
-H "Content-Type: application/strategic-merge-patch+json" \ -H "Content-Type: application/strategic-merge-patch+json" \
-X PATCH -d "$patch" \ -X PATCH -d "$patch" \
"${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}" "${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}" || true
} }
# ============================================= # =============================================

22
infra/values/upc-dev/minio-values.yaml
View File

@@ -39,14 +39,16 @@ ingress:
- s3.forteapps.net - s3.forteapps.net
## Native OIDC via Keycloak ## Native OIDC via Keycloak
## TEMPORARILY disabled: the registrar needs time to create minio-oidc-credentials.
## Re-enable once `kubectl get secret minio-oidc-credentials -n minio` succeeds.
oidc: oidc:
enabled: true enabled: false
configUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration" # configUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration"
clientId: "minio" # clientId: "minio"
existingClientSecretName: "minio-oidc-credentials" # existingClientSecretName: "minio-oidc-credentials"
existingClientSecretKey: "client-secret" # existingClientSecretKey: "client-secret"
claimName: "policy" # claimName: "policy"
scopes: "openid,email,profile" # scopes: "openid,email,profile"
redirectUri: "https://zipline.forteapps.net/oauth_callback" # redirectUri: "https://zipline.forteapps.net/oauth_callback"
claimPrefix: "" # claimPrefix: ""
comment: "" # comment: ""