feat: allow for template-able policies for configured apps

bundle/uds-bundle.yaml

@@ -22,13 +22,41 @@ packages:
             # Test helm overrides to provision app specific buckets, policies and creds
             - path: apps
               value:
-                - name: mc-cli
+                - name: mc-cli-test
                   namespace: mc-cli
                   remoteSelector:
-                    job-name: minio-job
+                    job-name: minio-test-job
                   bucketNames:
                     - mc-cli-test-bucket
-                  policy: ""
+                  copyPassword:
+                    enabled: true
+                    secretName: ""
+                    secretIDKey: ""
+                    secretPasswordKey: ""
+                - name: mc-cli-policy
+                  namespace: mc-cli
+                  remoteSelector:
+                    job-name: minio-policy-job
+                  bucketNames:
+                    - mc-cli-policy-bucket
+                  policy: |
+                    {
+                      "Version": "2012-10-17",
+                      "Statement": [
+                        {
+                          "Effect": "Allow",
+                          "Action": [
+                            "s3:ListBucket"
+                          ],
+                          "Resource": [
+                            {{- $lenBuckets := len .bucketNames }}
+                            {{- range $index, $bucket := .bucketNames }}
+                            "arn:aws:s3:::{{ $bucket }}"{{ if lt (add $index 1) $lenBuckets }},{{ end }}
+                            {{- end }}
+                          ]
+                        }
+                      ]
+                    }
                   copyPassword:
                     enabled: true
                     secretName: ""

chart/templates/policy-cm.yaml

@@ -1,9 +1,9 @@
 # Copyright 2024 Defense Unicorns
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 
-{{- range .Values.apps }}
-{{- if hasKey . "bucketNames" }}
-{{- $bucketNames := .bucketNames | default list }}
+{{- range $app := .Values.apps }}
+{{- if or (not (hasKey $app "policy")) (eq $app.policy "") }}
+{{- $bucketNames := $app.bucketNames | default list }}
 
 apiVersion: v1
 kind: ConfigMap
@@ -18,8 +18,9 @@ data:
         {
           "Effect": "Allow",
           "Action": [
+            "s3:GetBucketLocation",
             "s3:ListBucket",
-            "s3:GetBucketLocation"
+            "s3:ListBucketMultipartUploads"
           ],
           "Resource": [
             {{- range $index, $bucket := $bucketNames }}
@@ -30,9 +31,11 @@ data:
         {
           "Effect": "Allow",
           "Action": [
-            "s3:PutObject",
+            "s3:AbortMultipartUpload",
+            "s3:DeleteObject",
             "s3:GetObject",
-            "s3:DeleteObject"
+            "s3:ListMultipartUploadParts",
+            "s3:PutObject"
           ],
           "Resource": [
             {{- range $index, $bucket := $bucketNames }}
@@ -51,7 +54,7 @@ metadata:
   namespace: minio
 data:
   policy.json: |
-    {{ .policy | indent 4 }}
+{{ tpl $app.policy $app | indent 4 }}
 ---
 {{- end }}
 {{- end }}

chart/values.yaml

@@ -2,15 +2,20 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 
 name: uds-minio
+
 identityOpenidClientSecret: "replaceme"
 identityOpenidConfigUrl:
+
 domain: ###ZARF_VAR_DOMAIN###
+
 rootPassword:
 rootUser: minio
+
 # sso disabled until we can define the protocol mappers via sso secret
 # or update the uds-core keycloak image
 sso:
   enabled: false
+
 apps: []
   # - name: test-app
   #   namespace: ""
@@ -28,4 +33,7 @@ apps: []
   #     secretIDKey:
   #     secretPasswordKey:
 
+mcImage: ""
+mcShell: ""
+
 custom: []

docs/configuration.md

@@ -95,7 +95,7 @@ This package facilitates the ability to provision multiple sets of buckets for a
                     job-name: minio-job # Selector of the app that will be connecting to minio
                   bucketNames: # list of buckets to be provisioned in tenant scoped to the app
                     - mc-cli-test-bucket
-                  policy: "" # Optional: policy override for the scoped resources is the standard policy does not meet the needs of the application use case.
+                  policy: "" # Optional: template-able policy override for the scoped resources if the standard policy does not meet the needs of the application.
                   copyPassword: # Whether to copy the secret to the apps namespace. Must be true or false. See below section of this page for more details.
                     enabled: true
                     secretName: ""

tasks/test.yaml

@@ -18,7 +18,15 @@ tasks:
         wait:
           cluster:
             kind: Job
-            name: minio-job
+            name: minio-test-job
+            namespace: mc-cli
+            condition: "'{.status.succeeded}'=1"
+      - description: Validate Policy Job Completed
+        maxTotalSeconds: 300
+        wait:
+          cluster:
+            kind: Job
+            name: minio-policy-job
             namespace: mc-cli
             condition: "'{.status.succeeded}'=1"
 

tests/minio/mc-cli-policy.yaml

@@ -0,0 +1,49 @@
+# Copyright 2024 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: minio-policy-job
+  namespace: mc-cli
+spec:
+  template:
+    spec:
+      containers:
+        - name: minio-client
+          image: minio/mc
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              BN="mc-cli-policy-bucket"
+              mc alias set myminio $MINIO_SERVER $MINIO_ACCESS_KEY $MINIO_SECRET_KEY
+              echo "Hello from Kubernetes Job!" > /tmp/hello.txt
+              if mc cp /tmp/hello.txt myminio/$BN/hello.txt; then
+                echo "Bucket upload should be disallowed but succeeded instead"
+                exit 1
+              fi
+              mc ls myminio/$BN
+              echo "Bucket upload failed successfully and list completed successfully"
+          env:
+            - name: MINIO_SERVER
+              value: "http://uds-minio-hl.minio.svc.cluster.local:9000"
+            - name: MC_CONFIG_DIR
+              value: "/tmp/mc/"
+            - name: MINIO_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: minio-mc-cli-policy
+                  key: accessKey
+            - name: MINIO_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: minio-mc-cli-policy
+                  key: secretKey
+          volumeMounts:
+            - name: config-volume
+              mountPath: /tmp
+      restartPolicy: Never
+      volumes:
+        - name: config-volume
+          emptyDir: {}
+  backoffLimit: 4

tests/minio/mc-cli.yaml → tests/minio/mc-cli-test.yaml

@@ -4,7 +4,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: minio-job
+  name: minio-test-job
   namespace: mc-cli
 spec:
   template:
@@ -16,10 +16,10 @@ spec:
           args:
             - |
               BN="mc-cli-test-bucket"
-              mc alias set myminio $MINIO_SERVER $MINIO_ACCESS_KEY $MINIO_SECRET_KEY &&
-              echo "Hello from Kubernetes Job!" > /tmp/hello.txt &&
-              mc cp /tmp/hello.txt myminio/$BN/hello.txt &&
-              mc cp myminio/$BN/hello.txt /tmp/downloaded_hello.txt &&
+              mc alias set myminio $MINIO_SERVER $MINIO_ACCESS_KEY $MINIO_SECRET_KEY
+              echo "Hello from Kubernetes Job!" > /tmp/hello.txt
+              mc cp /tmp/hello.txt myminio/$BN/hello.txt
+              mc cp myminio/$BN/hello.txt /tmp/downloaded_hello.txt
               echo "Bucket, upload, and download operations completed successfully"
           env:
             - name: MINIO_SERVER
@@ -29,12 +29,12 @@ spec:
             - name: MINIO_ACCESS_KEY
               valueFrom:
                 secretKeyRef:
-                  name: minio-mc-cli
+                  name: minio-mc-cli-test
                   key: accessKey
             - name: MINIO_SECRET_KEY
               valueFrom:
                 secretKeyRef:
-                  name: minio-mc-cli
+                  name: minio-mc-cli-test
                   key: secretKey
           volumeMounts:
             - name: config-volume

tests/minio/uds-package.yaml

@@ -11,7 +11,6 @@ spec:
     allow:
       - direction: Egress
         selector:
-          job-name: minio-job
         remoteNamespace: minio
         remoteSelector:
           app: minio

tests/minio/zarf.yaml

@@ -16,6 +16,7 @@ components:
         namespace: mc-cli
         files:
           - uds-package.yaml
-          - mc-cli.yaml
+          - mc-cli-test.yaml
+          - mc-cli-policy.yaml
     images:
       - minio/mc:latest