senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
veza/ansible/roles/minio/readme.md
okinrev 327ac36a30 BASE: completing the initial repo state
2025-12-03 22:56:50 +01:00

135 lines
6.6 KiB
Markdown
Raw Blame History

# minio role
Install a single minio instance with:
* a single directory as volume ("/srv/minio")
* HAproxy as reverse-proxy
<!-- TOC -->
* [minio role](#minio-role)
* [Server management](#server-management)
* [Admin user](#admin-user)
* [Update](#update)
* [Variable reference](#variable-reference)
* [Mandatory variables](#mandatory-variables)
* [Optional variables](#optional-variables)
* [Complexe variables examples](#complexe-variables-examples)
* [AUTH_TYPE](#auth_type)
* [Apply change via restart](#apply-change-via-restart)
* [LOCAL](#local)
* [LDAP](#ldap)
* [Monitoring zabbix](#monitoring-zabbix)
<!-- TOC -->
## Server management
There are two ways to connect to the server:
* the webui available on port 443 at `minio_fqdn`
* install the cli tool [minio client](https://min.io/docs/minio/linux/reference/minio-mc.html) on your PC.
In both case you will need thte admin username is `minioadmin` and its password is in hashicorp vault `minio_root_password`.
### Admin user
The admin username is `minioadmin` and the password is hashicorp vault `minio_root_password`.
## Update
**WARNING:** This role automatically restart the minio systemd service after installing/updating the package. Therefore you should NOT use this role as it is to update a cluster, as cluster nodes have to be restarted together using the command `mc admin service restart`.
To update it, please pass `--extra-vars "{ 'minio_update_now': true }"` as parameter
## Variable reference
### Mandatory variables
| Variable | Description | Example value |
|-----------------|-----------------------------|--------------------------------------------------|
| minio_auth_type | minio authentification type | `ldap` or `local` |
### Optional variables
| Variable | Description | Default value |
|--------------------------|----------------------------------------------------------------|--------------------------------------------------|
| minio_haproxy | install a HAproxy with a TLS cert and enable the webui | `true` |
| minio_fqdn | minio fqdn (only necessary when `minio_haproxy` is enable | `veza-storage-prod-global-1.int.talas.veza` |
| minio_version | minio version | `latest` |
| minio_buckets | list of minio buckets to create | none |
| minio_users | list of minio users to create when using local minio_auth_type | none |
| minio_bucket_policies | list of dictionnaries of per bucket policies | none |
| minio_anonymous_policies | list of dictionnaries of anonymous policies | none |
| minio_global_policies | list of dictionnaries of global policies | none |
### Complexe variables examples
```yaml
minio_bucket_policies:
- bucket: veza-http-product-pictures-demo-1 # Name of the bucket to apply the policy to
permissions: read-write # permissions given by this policy; supported values are `read-write` and `read-only`
users: # List of users whom you want the policy to apply to
- veza-http-product-pictures-demo-1
groups:
- devop # List of groups whom you want the policy to apply to. Local groups
```
If it does not exist already a policy matching the bucket name and the permission will be created by the role.
The policy will be named: `{{ bucket }}_{{ permissions }}`
```yaml
minio_global_policies:
- policy: veza-http-product-pictures-demo-1 # Name of the policy
users: # List of users whom you want the policy to apply to
- adm-martin
- jean
groups: # List of groups whom you want the policy to apply to
- "cn=minio-admin,ou=system,ou=groups,dc=talas,dc=com"
```
The policy must already exist in minio. By default, the next five policies already exist in minio:
* consoleAdmin
* diagnostics
* readonly
* readwrite
* writeonly
```yaml
minio_anonymous_policies:
- path: "myvault/dir1" # bucket name or folder/file path in a bucket
permission: "download" # Allowed policies are: private, public, download, upload.
```
By default all minio paths have anonymous access set to private.
To reset a policy you can either set the permission to private or in you ansible config or run the following config on the minio server `mcli anonymous set private minio_on_localhost/{{ path }}`
# AUTH_TYPE
Minio does not support using multiple auth time at the same type, therefore Minio needs to be restarted at each auth_type configuration change. This even includes ldap parameters modifications.
## Apply change via restart
By default, this role doesn't restart the minio service to avoid a disruption. You can override this by setting this variable:
```
minio_restart_on_auth_type_change: true
```
You can also add it on the command line via
```
--extra-vars '{ "minio_restart_on_auth_type_change" : true }'
```
## LOCAL
This role handle the creation of local users account but not of local groups. If needed we should be able to add it pretty easily by copiyng the tasks used to create local users.
## LDAP
Users and groups have to be created in the LDAP prior to the role execution.
User password must be added in Hashicorp vault hosts_var of the ansible_hostname. The password key must be match the username and be prefixed by `minio_` and suffixed by `ldappass`
App user account must be created in `ou=minio,ou=bot,ou=people,dc=talas,dc=com`
Full DN of LDAP objects must be provided to minio.
If this auth_type is used, the ldap group `minio-admin` will always be added to minio with consoleAdmin rights.
## Monitoring zabbix
Current configuration on zabbix server only gathers metrics for single-node deployment and it has only been tested with a single drive.
In case of cluster deployment create the items and discover rules needed for cluster monitoring.
If deploying a single node with multiple drives, check that the [latency item prototype](https://zabbix.talas.com/disc_prototypes.php?parent_discoveryid=4831493) creates one item for each drive/api couple.
Reference in a new issue View git blame Copy permalink