debug

config/minio/minio-policies-configmap.yaml

@@ -0,0 +1,61 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: minio-policies
+  namespace: minio
+data:
+  # Policy: Vollzugriff auf tatort
+  policy-tatort.json: |
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": [
+            "s3:GetBucketLocation",
+            "s3:ListBucket",
+            "s3:ListBucketMultipartUploads"
+          ],
+          "Resource": ["arn:aws:s3:::tatort"]
+        },
+        {
+          "Effect": "Allow",
+          "Action": [
+            "s3:GetObject",
+            "s3:PutObject",
+            "s3:DeleteObject",
+            "s3:ListMultipartUploadParts",
+            "s3:AbortMultipartUpload"
+          ],
+          "Resource": ["arn:aws:s3:::tatort/*"]
+        }
+      ]
+    }
+
+  # Policy: Vollzugriff auf tatort-dev
+  policy-tatort-dev.json: |
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": [
+            "s3:GetBucketLocation",
+            "s3:ListBucket",
+            "s3:ListBucketMultipartUploads"
+          ],
+          "Resource": ["arn:aws:s3:::tatort-dev"]
+        },
+        {
+          "Effect": "Allow",
+          "Action": [
+            "s3:GetObject",
+            "s3:PutObject",
+            "s3:DeleteObject",
+            "s3:ListMultipartUploadParts",
+            "s3:AbortMultipartUpload"
+          ],
+          "Resource": ["arn:aws:s3:::tatort-dev/*"]
+        }
+      ]
+    }

config/minio/minio-setup-job.yaml

@@ -0,0 +1,77 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: minio-setup-users
+  namespace: minio
+spec:
+  ttlSecondsAfterFinished: 600
+  backoffLimit: 5
+  template:
+    spec:
+      restartPolicy: OnFailure
+      volumes:
+        - name: policies
+          configMap:
+            name: minio-policies
+      containers:
+        - name: mc
+          image: minio/mc:latest
+          volumeMounts:
+            - name: policies
+              mountPath: /policies
+          env:
+            - name: MINIO_ROOT_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: minio
+                  key: root-password
+            - name: TATORT_ACCESS
+              valueFrom:
+                secretKeyRef:
+                  name: minio-users
+                  key: tatort-access-key
+            - name: TATORT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: minio-users
+                  key: tatort-secret-key
+            - name: TATORT_DEV_ACCESS
+              valueFrom:
+                secretKeyRef:
+                  name: minio-users
+                  key: tatort-dev-access-key
+            - name: TATORT_DEV_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: minio-users
+                  key: tatort-dev-secret-key
+          command:
+            - /bin/sh
+            - -c
+            - |
+              set -e
+
+              echo "Warte auf MinIO..."
+              sleep 10
+
+              echo "Verbinde mit MinIO..."
+              mc alias set myminio http://minio:9000 admin $MINIO_ROOT_PASSWORD
+
+              echo "Erstelle Buckets (falls nicht vorhanden)..."
+              mc mb --ignore-existing myminio/tatort
+              mc mb --ignore-existing myminio/tatort-dev
+
+              echo "Erstelle Policies..."
+              mc admin policy create myminio policy-tatort /policies/policy-tatort.json || true
+              mc admin policy create myminio policy-tatort-dev /policies/policy-tatort-dev.json || true
+
+              echo "Erstelle Benutzer..."
+              mc admin user add myminio $TATORT_ACCESS $TATORT_SECRET || true
+              mc admin user add myminio $TATORT_DEV_ACCESS $TATORT_DEV_SECRET || true
+
+              echo "Weise Policies zu..."
+              mc admin policy attach myminio policy-tatort --user $TATORT_ACCESS
+              mc admin policy attach myminio policy-tatort-dev --user $TATORT_DEV_ACCESS
+
+              echo "Setup abgeschlossen!"
+              mc admin user list myminio

config/minio/minio-users-secret.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: minio-users
+  namespace: minio
+type: Opaque
+stringData:
+  # tatort: Zugriff nur auf tatort
+  tatort-access-key: "GxKhfnfkNvlDU7qzsz0D"
+  tatort-secret-key: "cqSM5rIRr4MPtqzu2sNKgmB9k2OghPbyxwAWogeM"
+  # tatort-dev: Zugriff nur auf tatort-dev
+  tatort-dev-access-key: "AbCdEfGhIjKlMnOpQrSt"
+  tatort-dev-secret-key: "UvWxYz1234567890AbCdEfGhIjKlMnOpQrStUvWx"