Example k8s job to setup buckets using STS and mc (#1850)

Signed-off-by: pjuarezd <pjuarezd@users.noreply.github.com>
minio · Nov 27, 2023 · f6a9687 · f6a9687
1 parent 8d22587
commit f6a9687
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 13 deletions.
diff --git a/examples/kustomization/sts-example/sample-data/kustomization.yaml b/examples/kustomization/sts-example/sample-data/kustomization.yaml
@@ -1,4 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - iam-setup-bucket.yaml
+  - mc-job-sa.yaml
+  - mc-job-policy-binding.yaml
+  - mc-job-setup-bucket.yaml
diff --git a/examples/kustomization/sts-example/sample-data/mc-job-policy-binding.yaml b/examples/kustomization/sts-example/sample-data/mc-job-policy-binding.yaml
@@ -0,0 +1,11 @@
+apiVersion: sts.min.io/v1alpha1
+kind: PolicyBinding
+metadata:
+  name: mc-job-binding
+  namespace: minio-tenant-1
+spec:
+  application:
+    namespace: minio-tenant-1
+    serviceaccount: mc-job-sa
+  policies:
+    - consoleAdmin
diff --git a/examples/kustomization/sts-example/sample-data/mc-job-sa.yaml b/examples/kustomization/sts-example/sample-data/mc-job-sa.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: minio-tenant-1
+  name: mc-job-sa
diff --git a/...example/sample-data/iam-setup-bucket.yaml → ...mple/sample-data/mc-job-setup-bucket.yaml b/...example/sample-data/iam-setup-bucket.yaml → ...mple/sample-data/mc-job-setup-bucket.yaml
@@ -35,6 +35,7 @@ spec:
   backoffLimit: 5
   template:
     spec:
+      serviceAccountName: mc-job-sa
       restartPolicy: OnFailure
       volumes:
         - name: start-config
@@ -49,15 +50,9 @@ spec:
             - name: start-config
               mountPath: /start-config/
           env:
-            - name: ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: storage-user
-                  key: CONSOLE_ACCESS_KEY
-            - name: SECRET_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: storage-user
-                  key: CONSOLE_SECRET_KEY
             - name: MC_HOST_local
               value: https://$(ACCESS_KEY):$(SECRET_KEY)@minio.minio-tenant-1.svc.cluster.local
+            - name: MC_STS_ENDPOINT
+              value: https://sts.minio-operator.svc.cluster.local:4223/sts/minio-tenant-1
+            - name: MC_WEB_IDENTITY_TOKEN_FILE
+              value: /var/run/secrets/kubernetes.io/serviceaccount/token
diff --git a/testing/common.sh b/testing/common.sh
@@ -349,13 +349,13 @@ function install_tenant() {
 }
 
 function setup_sts_bucket() {
-  echo "Installing setub bucket job"
+  echo "Installing setup bucket job"
   try kubectl apply -k "${SCRIPT_DIR}/../examples/kustomization/sts-example/sample-data"
   namespace="minio-tenant-1"
   condition="condition=Complete"
   selector="metadata.name=setup-bucket"
   try wait_for_resource_field_selector $namespace job $condition $selector
-  echo "Installing setub bucket job: DONE"
+  echo "Installing setup bucket job: DONE"
 }
 
 function install_sts_client() {