Ansible playbook to configure our Ubuntu 22 servers to run a distributed MinIO S3 service. MicroK8s is used here as a sidecar to provide container platform capabilities, load balancing, and handle internet ingress.
Clone the repo:
git clone [email protected]:OwnTube-tv/minio-microk8s-ansible.git
cd minio-microk8s-ansible/
Create a virtual environment and install the dependencies:
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
Add the Ansible Vault password to a file named .ansible_vault_password
and restrict readability:
echo theSecretAnsibleVaultPassword > .ansible_vault_password
chmod og-r .ansible_vault_password
Verify that the hosts are reachable:
ansible minio_microk8s_servers -m ping
Run through the bootstrap playbook in --check
mode to verify that provisioning can execute:
ansible-playbook 0-bootstrap.yml --check
The initial setup steps for a live deployment are as follows:
-
Run the
0-bootstrap.yml
playbook to prepare the server baseline for MinIO and MicroK8s setup:ansible-playbook 0-bootstrap.yml
Follow the instructions in the end of the playbook to establish HA clustering for MicroK8s.
-
Run the
1-microk8s-cluster.yml
playbook to set up MicroK8s add-ons and configure the cluster:ansible-playbook 1-microk8s-cluster.yml
After the successful completion of the playbook, you can access the Kubernetes dashboard at https://k8s-dashboard.owntube.tv/ with a proper certificate and login with a token created from one of the MicroK8s cluster nodes:
kubectl get secret -n kube-system microk8s-dashboard-token \ -o jsonpath="{.data.token}" | base64 -d
-
Run the
2-minio-servers.yml
playbook to set up the MinIO S3 object storage service:ansible-playbook -e @secrets.yml 2-minio-servers.yml
After the successful completion of the playbook, you can access the MinIO web interface at https://minio.owntube.tv/ and be able to log in with the root username and password.
Setup steps to integrate MinIO with Auth0 OpenID Connect for user authentication and authorization:
-
Create an OpenID Connect application in your Auth0 tenant the following parameters:
application_type=Regular Web Application login_url=https://minio.owntube.tv/console/ callback_urls=https://minio.owntube.tv/console/oauth_callback logout_urls=https://minio.owntube.tv/console/ allowed_web_origins=https://minio.owntube.tv
-
Configure your Auth0 tenant with the Auth0 PostLogin Action "Add MinIO Policy OpenID Claim" and set the following "secrets":
POST_LOGIN_MINIO_CLAIM_PREFIX=https://minio.owntube.tv/console/ POST_LOGIN_MINIO_CLAIM_DEFAULT_POLICY=noaccess POST_LOGIN_MINIO_CLAIM_USER_POLICY_MAP={"[email protected]":"consoleAdmin,diagnostics","[email protected]":"swt-readwrite,ot-readwrite","[email protected]":"ot-readwrite","[email protected]":"ot-readwrite","[email protected]":"ot-readwrite"}
-
Configure the Ansible project
secrets.yml
with the config URL, client ID and client secret for the OpenID application (from setup step 1):minio_auth0_oauth_config_url: https://owntube-tv.eu.auth0.com/.well-known/openid-configuration minio_auth0_oauth_client_id: XIa**************************MzK minio_auth0_oauth_client_secret: 6-B**********************************************************koW
-
Run the
3-minio-auth0-oidc.yml
playbook to configure MinIO with Auth0 OpenID Connect:ansible-playbook -e @secrets.yml 3-minio-oidc.yml
After the successful completion of the playbook, you can access the MinIO web interface at https://minio.owntube.tv/ and find that the old username/password form have been replaced by a button with the text "GitHub-Auth0 authentication" and be able to authenticate using your GitHub identity. When returning to the login screen after GitHub-Auth0 authentication, you will find an error about the JWT Claim for policy does not exist; continue and set up in step 5.
-
Login to the MinIO web interface as admin using the "Other Authentication Methods" > "Use Credentials" drop-down menu and create the following policies and buckets:
-
Create a bucket named
"auth0-openid-noaccess"
, then configure a policy named"noaccess"
for unknown users to login and have only read access to the"auth0-openid-noaccess"
bucket:{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:GetObject", "s3:List*", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::auth0-openid-noaccess*" ] } ] }
-
Create a bucket named
"swt-pt-dev-1"
, then configure a policy named"swt-readwrite"
for special users that are mapped to this role using the Auth0 Action (setup step 2):{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::swt-*" ] } ] }
-
Create a bucket named
"ot-pt-dev-1"
, then configure a policy named"ot-readwrite"
for special users that are mapped to this role using the Auth0 Action (setup step 2):{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::ot-*" ] } ] }
-
-
Verify that the Auth0 OpenID Connect integration works by logging in to https://minio.owntube.tv/ with ...
-
a user that does not have a policy mapped to it, expect to only see the
"auth0-openid-noaccess"
bucket listed in the Object Browser, with read-only access only -
a user that has its email mapped to the policy
"ot-readwrite"
, expect to only see the"ot-pt-dev-1"
bucket listed in the Object Browser and verify that the user is able to administer the bucket via https://minio.owntube.tv/console/buckets/ot-pt-dev-1/admin/ -
a user that has its email mapped to the policy
"swt-readwrite"
, expect to only see the"swt-pt-dev-1"
bucket listed in the Object Browser and verify that the user is able to administer the bucket via https://minio.owntube.tv/console/buckets/swt-pt-dev-1/admin/
-
For ideas on enhancements, discussing worthwhile feature to have, or if you wish to contribute
improvements on your own, please reach out to @mblomdahl
⚡ by opening
a new Issue.