diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml index ece2512..e2167da 100644 --- a/bundle/uds-bundle.yaml +++ b/bundle/uds-bundle.yaml @@ -22,13 +22,41 @@ packages: # Test helm overrides to provision app specific buckets, policies and creds - path: apps value: - - name: mc-cli + - name: mc-cli-test namespace: mc-cli remoteSelector: - job-name: minio-job + job-name: minio-test-job bucketNames: - mc-cli-test-bucket - policy: "" + copyPassword: + enabled: true + secretName: "" + secretIDKey: "" + secretPasswordKey: "" + - name: mc-cli-policy + namespace: mc-cli + remoteSelector: + job-name: minio-policy-job + bucketNames: + - mc-cli-policy-bucket + policy: | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:ListBucket" + ], + "Resource": [ + {{- $lenBuckets := len .bucketNames }} + {{- range $index, $bucket := .bucketNames }} + "arn:aws:s3:::{{ $bucket }}"{{ if lt (add $index 1) $lenBuckets }},{{ end }} + {{- end }} + ] + } + ] + } copyPassword: enabled: true secretName: "" diff --git a/chart/templates/policy-cm.yaml b/chart/templates/policy-cm.yaml index b9312ef..bbcf7aa 100644 --- a/chart/templates/policy-cm.yaml +++ b/chart/templates/policy-cm.yaml @@ -1,9 +1,9 @@ # Copyright 2024 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial -{{- range .Values.apps }} -{{- if hasKey . "bucketNames" }} -{{- $bucketNames := .bucketNames | default list }} +{{- range $app := .Values.apps }} +{{- if or (not (hasKey $app "policy")) (eq $app.policy "") }} +{{- $bucketNames := $app.bucketNames | default list }} apiVersion: v1 kind: ConfigMap @@ -18,8 +18,9 @@ data: { "Effect": "Allow", "Action": [ + "s3:GetBucketLocation", "s3:ListBucket", - "s3:GetBucketLocation" + "s3:ListBucketMultipartUploads" ], "Resource": [ {{- range $index, $bucket := $bucketNames }} 
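Review bot: The new guard `{{- if or (not (hasKey $app "policy")) (eq $app.policy "") }}` in chart/templates/policy-cm.yaml treats only a missing key or an empty string as "use the default policy", so an entry written as a bare `policy:` (YAML null) falls through to the custom branch and is handed to `tpl`, and `eq $app.policy ""` then compares nil with a string, which some Go text/template versions report as a comparison error rather than false (older engines also evaluate both operands of `or`, so the same comparison runs when the key is absent). `{{- if not $app.policy }}` covers absent, null and empty-string in one check with no typed comparison. The former `hasKey . "bucketNames"` guard is dropped here, which is fine only because the next line still applies `| default list`; a short template comment saying so would stop the next reader from re-adding it.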
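Review bot: The default policy's bucket-level `"Action"` array gains `s3:ListBucketMultipartUploads`, and the @@ -30,9 +31,11 hunk adds `s3:AbortMultipartUpload` and `s3:ListMultipartUploadParts` at object level, but nothing in the template records why the default grant was widened. Both statements remain scoped to the `$bucketNames` ARNs generated by the `range` below, so this is still per-app least privilege, and that reasoning is worth keeping next to the change: a template comment such as `{{- /* Multipart actions are required for large-object uploads; they stay scoped to the app's own buckets by the Resource list below */}}` above each `"Action"` array. Any app relying on the previous, narrower default policy should be called out in the release notes, since the ConfigMap is regenerated for every entry without a custom `policy`.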
@@ -30,9 +31,11 @@ data: { "Effect": "Allow", "Action": [ - "s3:PutObject", + "s3:AbortMultipartUpload", + "s3:DeleteObject", "s3:GetObject", - "s3:DeleteObject" + "s3:ListMultipartUploadParts", + "s3:PutObject" ], "Resource": [ {{- range $index, $bucket := $bucketNames }} @@ -51,7 +54,7 @@ metadata: namespace: minio data: policy.json: | - {{ .policy | indent 4 }} +{{ tpl $app.policy $app | indent 4 }} --- {{- end }} {{- end }} diff --git a/chart/values.yaml b/chart/values.yaml index f6ea0cd..58a4c47 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -2,15 +2,20 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial name: uds-minio + identityOpenidClientSecret: "replaceme" identityOpenidConfigUrl: + domain: ###ZARF_VAR_DOMAIN### + rootPassword: rootUser: minio + # sso disabled until we can define the protocol mappers via sso secret # or update the uds-core keycloak image sso: enabled: false + apps: [] # - name: test-app # namespace: "" @@ -28,4 +33,7 @@ apps: [] # secretIDKey: # secretPasswordKey: +mcImage: "" +mcShell: "" + custom: [] diff --git a/docs/configuration.md b/docs/configuration.md index adf095d..1473d2b 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -95,7 +95,7 @@ This package facilitates the ability to provision multiple sets of buckets for a job-name: minio-job # Selector of the app that will be connecting to minio bucketNames: # list of buckets to be provisioned in tenant scoped to the app - mc-cli-test-bucket - policy: "" # Optional: policy override for the scoped resources is the standard policy does not meet the needs of the application use case. + policy: "" # Optional: template-able policy override for the scoped resources if the standard policy does not meet the needs of the application. copyPassword: # Whether to copy the secret to the apps namespace. Must be true or false. See below section of this page for more details. enabled: true secretName: "" 
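Review bot: `{{ tpl $app.policy $app | indent 4 }}` writes the rendered override into `policy.json` without any validation, so a template that produces malformed JSON (for example a stray trailing comma from a bucket loop, or an unclosed `range`) is only detected when the provisioning Job tries to apply the policy, not at `helm template` time. Rendering once and round-tripping the result makes the chart fail early: `{{- $rendered := tpl $app.policy $app }}`, `{{- $_ := mustFromJson $rendered }}`, `{{ $rendered | indent 4 }}` (Helm 3 provides `mustFromJson`). The call also passes `$app` as the template context, so `.bucketNames`, `.name` and `.namespace` resolve inside an override but `.Values` and `.Release` do not; a one-line template comment stating that contract above this line would save authors of overrides a confusing render error. The enclosing `range`/`if` blocks start outside this hunk.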
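Review bot: `mcImage: ""` and `mcShell: ""` in chart/values.yaml are added without comments, so a reader cannot tell whether the empty string means "use the chart's default" or "disabled", and where the values are consumed is outside this diff. The `sso` and `apps` stanzas in the same file document their intent; these two should as well, e.g. `# Optional override for the MinIO client (mc) image used by the provisioning Jobs; leave empty for the chart default and pin to a digest when set` above `mcImage` and `# Optional override for the shell the mc Jobs use to run their script; leave empty for the chart default` above `mcShell`. Confirm the "empty means default" wording against the templates that read these keys before committing it.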
diff --git a/tasks/test.yaml b/tasks/test.yaml index b827103..e30ab42 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -18,7 +18,15 @@ tasks: wait: cluster: kind: Job - name: minio-job + name: minio-test-job + namespace: mc-cli + condition: "'{.status.succeeded}'=1" + - description: Validate Policy Job Completed + maxTotalSeconds: 300 + wait: + cluster: + kind: Job + name: minio-policy-job namespace: mc-cli condition: "'{.status.succeeded}'=1" diff --git a/tests/minio/mc-cli-policy.yaml b/tests/minio/mc-cli-policy.yaml new file mode 100644 index 0000000..b08231e --- /dev/null +++ b/tests/minio/mc-cli-policy.yaml @@ -0,0 +1,49 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +apiVersion: batch/v1 +kind: Job +metadata: + name: minio-policy-job + namespace: mc-cli +spec: + template: + spec: + containers: + - name: minio-client + image: minio/mc + command: ["/bin/sh", "-c"] + args: + - | + BN="mc-cli-policy-bucket" + mc alias set myminio $MINIO_SERVER $MINIO_ACCESS_KEY $MINIO_SECRET_KEY + echo "Hello from Kubernetes Job!" > /tmp/hello.txt + if mc cp /tmp/hello.txt myminio/$BN/hello.txt; then + echo "Bucket upload should be disallowed but succeeded instead" + exit 1 + fi + mc ls myminio/$BN + echo "Bucket upload failed successfully and list completed successfully" + env: + - name: MINIO_SERVER + value: "http://uds-minio-hl.minio.svc.cluster.local:9000" + - name: MC_CONFIG_DIR + value: "/tmp/mc/" + - name: MINIO_ACCESS_KEY + valueFrom: + secretKeyRef: + name: minio-mc-cli-policy + key: accessKey + - name: MINIO_SECRET_KEY + valueFrom: + secretKeyRef: + name: minio-mc-cli-policy + key: secretKey + volumeMounts: + - name: config-volume + mountPath: /tmp + restartPolicy: Never + volumes: + - name: config-volume + emptyDir: {} + backoffLimit: 4 
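Review bot: The script under `args` in tests/minio/mc-cli-policy.yaml has no `set -e`, so the Job's exit status is that of the final `echo`, which is always 0: a failed `mc alias set` (bad credentials, unreachable endpoint) makes the following `mc cp` fail for the wrong reason and the denial test passes, and a failing `mc ls` is ignored entirely. The same masking is introduced in tests/minio/mc-cli-test.yaml (@@ -16,10 +16,10), where the `&&` chain was replaced by separate lines without `set -e`, so that Job now reports success even if both `mc cp` calls fail; adding `set -e` as the first script line there restores the original behaviour. For the policy test, checking that the credentials and the `s3:ListBucket` grant work before attempting the forbidden upload keeps the negative result meaningful; the rewritten script is below.

```yaml
          args:
            - |
              set -e
              BN="mc-cli-policy-bucket"
              mc alias set myminio "$MINIO_SERVER" "$MINIO_ACCESS_KEY" "$MINIO_SECRET_KEY"
              # Prove the credentials and the ListBucket grant work before testing the denial,
              # so a broken alias cannot masquerade as a rejected upload.
              mc ls myminio/"$BN"
              echo "Hello from Kubernetes Job!" > /tmp/hello.txt
              if mc cp /tmp/hello.txt myminio/"$BN"/hello.txt; then
                echo "Bucket upload should be disallowed but succeeded instead"
                exit 1
              fi
              echo "Bucket upload failed successfully and list completed successfully"
          # … unchanged: env, volumeMounts, restartPolicy, volumes, backoffLimit …
```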
diff --git a/tests/minio/mc-cli.yaml b/tests/minio/mc-cli-test.yaml similarity index 87% rename from tests/minio/mc-cli.yaml rename to tests/minio/mc-cli-test.yaml index 226864f..104de37 100644 --- a/tests/minio/mc-cli.yaml +++ b/tests/minio/mc-cli-test.yaml @@ -4,7 +4,7 @@ apiVersion: batch/v1 kind: Job metadata: - name: minio-job + name: minio-test-job namespace: mc-cli spec: template: @@ -16,10 +16,10 @@ spec: args: - | BN="mc-cli-test-bucket" - mc alias set myminio $MINIO_SERVER $MINIO_ACCESS_KEY $MINIO_SECRET_KEY && - echo "Hello from Kubernetes Job!" > /tmp/hello.txt && - mc cp /tmp/hello.txt myminio/$BN/hello.txt && - mc cp myminio/$BN/hello.txt /tmp/downloaded_hello.txt && + mc alias set myminio $MINIO_SERVER $MINIO_ACCESS_KEY $MINIO_SECRET_KEY + echo "Hello from Kubernetes Job!" > /tmp/hello.txt + mc cp /tmp/hello.txt myminio/$BN/hello.txt + mc cp myminio/$BN/hello.txt /tmp/downloaded_hello.txt echo "Bucket, upload, and download operations completed successfully" env: - name: MINIO_SERVER @@ -29,12 +29,12 @@ spec: - name: MINIO_ACCESS_KEY valueFrom: secretKeyRef: - name: minio-mc-cli + name: minio-mc-cli-test key: accessKey - name: MINIO_SECRET_KEY valueFrom: secretKeyRef: - name: minio-mc-cli + name: minio-mc-cli-test key: secretKey volumeMounts: - name: config-volume diff --git a/tests/minio/uds-package.yaml b/tests/minio/uds-package.yaml index a0a800a..651e6bc 100644 --- a/tests/minio/uds-package.yaml +++ b/tests/minio/uds-package.yaml @@ -11,7 +11,6 @@ spec: allow: - direction: Egress selector: - job-name: minio-job remoteNamespace: minio remoteSelector: app: minio diff --git a/tests/minio/zarf.yaml b/tests/minio/zarf.yaml index 75958b5..6270c0e 100644 --- a/tests/minio/zarf.yaml +++ b/tests/minio/zarf.yaml @@ -16,6 +16,7 @@ components: namespace: mc-cli files: - uds-package.yaml - - mc-cli.yaml + - mc-cli-test.yaml + - mc-cli-policy.yaml images: - minio/mc:latest
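Review bot: Deleting `job-name: minio-job` in tests/minio/uds-package.yaml leaves `selector:` with no value, so the Egress allow towards `app: minio` in the `minio` namespace now applies to every pod in the `mc-cli` namespace rather than to one Job, assuming UDS treats a nil selector the way a Kubernetes NetworkPolicy treats an empty podSelector; a bare `selector:` is also YAML null rather than an empty mapping. If the intent is to cover both `minio-test-job` and `minio-policy-job`, either add a second allow entry with its own `job-name` selector, or give both Job pod templates a shared label and select on it, e.g. `selector:` / `  app: mc-cli-tests`. The enclosing `allow` list and `spec` start outside this hunk.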