Install a single minio instance with:
There are two ways to connect to the server:
minio_fqdn
In both cases you will need the admin credentials: the admin username is minioadmin and its password is stored in HashiCorp Vault as minio_root_password.
WARNING: This role automatically restarts the minio systemd service after installing/updating the package. Therefore you should NOT use this role as is to update a cluster, as cluster nodes have to be restarted together using the command `mc admin service restart`.
To update it, please pass `--extra-vars "{ 'minio_update_now': true }"` as a parameter.
| Variable | Description | Example value |
|---|---|---|
| minio_auth_type | minio authentication type | ldap or local |

| Variable | Description | Default value |
|---|---|---|
| minio_haproxy | install an HAProxy with a TLS cert and enable the web UI | true |
| minio_fqdn | minio fqdn (only necessary when minio_haproxy is enabled) | center-storage-prod-global-1.int.cosium.center |
| minio_version | minio version | latest |
| minio_buckets | list of minio buckets to create | none |
| minio_users | list of minio users to create when using local minio_auth_type | none |
| minio_bucket_policies | list of dictionaries of per bucket policies | none |
| minio_anonymous_policies | list of dictionaries of anonymous policies | none |
| minio_global_policies | list of dictionaries of global policies | none |

```yaml
minio_bucket_policies:
  - bucket: center-http-product-pictures-demo-1  # Name of the bucket to apply the policy to
    permissions: read-write  # permissions given by this policy; supported values are `read-write` and `read-only`
    users:  # List of users whom you want the policy to apply to
      - center-http-product-pictures-demo-1
    groups:
      - devop  # List of groups whom you want the policy to apply to. Local groups
```

If it does not already exist, a policy matching the bucket name and the permission will be created by the role.
The policy will be named: `{{ bucket }}_{{ permissions }}`

```yaml
minio_global_policies:
  - policy: center-http-product-pictures-demo-1  # Name of the policy
    users:  # List of users whom you want the policy to apply to
      - adm-martin
      - jean
    groups:  # List of groups whom you want the policy to apply to
      - "cn=minio-admin,ou=system,ou=groups,dc=cosium,dc=com"
```

The policy must already exist in minio. By default, the next five policies already exist in minio:

```yaml
minio_anonymous_policies:
  - path: "myvault/dir1"  # bucket name or folder/file path in a bucket
    permission: "download"  # Allowed policies are: private, public, download, upload.
```

By default all minio paths have anonymous access set to private.
To reset a policy, you can either set the permission to private in your Ansible config or run the following command on the minio server: `mcli anonymous set private minio_on_localhost/{{ path }}`
Minio does not support using multiple auth types at the same time, therefore Minio needs to be restarted at each auth_type configuration change. This even includes modifications to LDAP parameters.
By default, this role doesn't restart the minio service to avoid a disruption. You can override this by setting this variable:

```yaml
minio_restart_on_auth_type_change: true
```

You can also add it on the command line via:

```
--extra-vars '{ "minio_restart_on_auth_type_change" : true }'
```

This role handles the creation of local user accounts but not of local groups. If needed, we should be able to add it pretty easily by copying the tasks used to create local users.
Users and groups have to be created in the LDAP prior to the role execution.
The user's password must be added to the HashiCorp Vault hosts_var of the ansible_hostname. The password key must match the username, prefixed by minio_ and suffixed by ldappass.
App user account must be created in ou=minio,ou=bot,ou=people,dc=cosium,dc=com
Full DN of LDAP objects must be provided to minio.
If this auth_type is used, the ldap group minio-admin will always be added to minio with consoleAdmin rights.
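
A pre-flight check for the policy variables described above, as an added example that is not part of this role: it rejects unsupported permission values, derives the `{{ bucket }}_{{ permissions }}` policy names, and reports any anonymous path that is not private. The function names and the sample values are constructed for illustration, and the rule that every user and group listed must be a full DN when `minio_auth_type` is `ldap` is an assumption drawn from the LDAP notes above.

```python
ALLOWED_BUCKET_PERMISSIONS = {"read-write", "read-only"}
ALLOWED_ANONYMOUS_PERMISSIONS = {"private", "public", "download", "upload"}


def is_full_dn(name):
    """Rough check that a name looks like a full LDAP DN (attr=value pairs)."""
    parts = [p.strip() for p in name.split(",")]
    return len(parts) > 1 and all("=" in p and not p.startswith("=") for p in parts)


def check_role_vars(role_vars):
    """Return (derived bucket policy names, findings) for a dict of role variables."""
    findings, policy_names = [], []
    for entry in role_vars.get("minio_bucket_policies") or []:
        perm = entry.get("permissions")
        if perm in ALLOWED_BUCKET_PERMISSIONS:
            # The role names the policy {{ bucket }}_{{ permissions }}.
            policy_names.append(f"{entry['bucket']}_{perm}")
        else:
            findings.append(f"bucket {entry.get('bucket')}: unsupported permissions {perm!r}")
    # Assumption: with ldap auth, every listed user/group must be a full DN.
    ldap_keys = ("minio_bucket_policies", "minio_global_policies")
    for key in (ldap_keys if role_vars.get("minio_auth_type") == "ldap" else ()):
        for entry in role_vars.get(key) or []:
            for name in (entry.get("users") or []) + (entry.get("groups") or []):
                if not is_full_dn(name):
                    findings.append(f"{key}: {name!r} is not a full DN")
    for entry in role_vars.get("minio_anonymous_policies") or []:
        perm = entry.get("permission")
        if perm not in ALLOWED_ANONYMOUS_PERMISSIONS:
            findings.append(f"anonymous {entry.get('path')}: unsupported permission {perm!r}")
        elif perm != "private":
            findings.append(f"anonymous {entry.get('path')}: {perm} access without credentials")
    return policy_names, findings


# Constructed sample input, modelled on the snippets in this README.
SAMPLE_VARS = {
    "minio_auth_type": "ldap",
    "minio_bucket_policies": [
        {"bucket": "center-http-product-pictures-demo-1", "permissions": "read-write", "groups": ["devop"]},
        {"bucket": "scratch", "permissions": "write-only", "users": []},
    ],
    "minio_global_policies": [{"policy": "center-http-product-pictures-demo-1",
                               "groups": ["cn=minio-admin,ou=system,ou=groups,dc=cosium,dc=com"]}],
    "minio_anonymous_policies": [{"path": "myvault/dir1", "permission": "download"}],
}

if __name__ == "__main__":
    print(check_role_vars(SAMPLE_VARS))
```
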
The current configuration on the Zabbix server only gathers metrics for single-node deployments, and it has only been tested with a single drive. For a cluster deployment, create the items and discovery rules needed for cluster monitoring. If deploying a single node with multiple drives, check that the latency item prototype creates one item for each drive/API pair.