This role install and configure Minio in a linux server.
None
Available variables are listed below along with default values (see defaults\main.yaml)
-
Wheter to install or not minio server and minio client
minio_install_server: true minio_install_client: true
-
Minio server installation details
Minio UNIX user/group
minio_group: minio minio_user: minio
Minio installation directories to place server configuration (
minio_etc_dir), TLS certificates (minio_cert_dir) and user access policies (minio_policy_dir)minio_etc_dir: /etc/minio minio_cert_dir: "{{ minio_etc_dir }}/ssl" minio_policy_dir: "{{ minio_etc_dir }}/policy"
Minio server IP address (
minio_server_address), if empty server listen in all available IP addresses, and server/console listening ports (minio_server_portandminio_console_port)minio_server_port: "9091" minio_server_addr: "" minio_console_port: "9092"
Minio admin user and password
minio_root_user: "" minio_root_password: ""
Minio site region
minio_site_region: "eu-west-1"
Minio data directories (
minio_server_datadirs) and whether force the creation in case they do not exist (minio_server_make_datadirs)minio_server_make_datadirs: true minio_server_datadirs: - /var/lib/minio
minio_server_cluster_nodes: []
Set a list of nodes to create a distributed cluster (Multi-Node Multi-Drive deployment).
In this mode, ansible will create your server datadirs (
minio_serverdata_dirs), but use this list (minio_server_cluster_nodes) for the server startup.Multi-drive configuration requires datadirs on separate disks to satisfy Minio's distributed storage requirements.
See recommendations for using, same configuration in all nodes, sequential hostnames and local-atached storage with sequential mounts in the documentation (https://min.io/docs/minio/linux/operations/install-deploy-manage/deploy-minio-multi-node-multi-drive.html)
Example:
minio_server_datadirs: - '/mnt/disk1/minio' - '/mnt/disk2/minio' - '/mnt/disk3/minio' - '/mnt/disk4/minio' minio_server_cluster_nodes: - 'https://minio{1...4}.example.net:9091/mnt/disk{1...4}/minio'
-
Minio client configuration
Connection alias name
minio_aliasand whether validate or not SSL certificates (minio_validate_certificates)minio_validate_certificate: true minio_alias: "myminio"
-
Configuration of TLS
To enable configuration of TLS set
minio_enable_tlsto true and provide the private key and public certificate as content loaded intominio_keyandminio_certvariables.They can be loaded from files using an ansible task like:
- name: Load tls key and cert from files set_fact: minio_key: "{{ lookup('file','certificates/{{ inventory_hostname }}_private.key') }}" minio_cert: "{{ lookup('file','certificates/{{ inventory_hostname }}_public.crt') }}"
minio_urlmight be needed in case MinIO Server TLS certificates do not contain any IP Subject Alternative Names (SAN). See MINIO_SERVER_URL environment variable definition.minio_url: "https://minio.ricsanfre.com:{{ minio_server_port }}"
-
Buckets to be created
Variable
minio_bucketscreate the list of provided buckets, and applying a specifc policy. For creating the buckets, a modified version of Ansible Module from Alexis Facques is used (https://github.com/alexisfacques/ansible-module-s3-minio-bucket)minio_buckets: - name: bucket1 policy: read-only - name: bucket2 policy: read-write - name: bucket3 policy: private
NOTE The module use remote connection to Minio Server using Python API (
miniopython package). Role ensure that PIP is installed and installminiopackage.During bucket creation three types of policy can be specified:
private,read-onlyorread-writebuckets. -
Users to be created and buckets ACLs
Users can be automatically created using
minio_usersvariable: a list of users can be provided, each user with three variablesname(user name),password(user password) andbuckets_acllist of buckets and type of access granted to each bucket (read-only or read-write). The role automatically create policy json files containing the user policy statements and load them into the server.Predefined
read-onlyandread-writepolicies, containing pre-defined access statements, can be used. Custom policies can be also defined usingcustompolicy. In this case list of access statements need to be provided.minio_users: - name: user1 password: supers1cret0 buckets_acl: - name: bucket1 policy: read-write - name: bucket2 policy: read-only - name: bucket3 policy: custom custom: - rule: | "Effect": "Allow", "Action": [ "s3:GetObject", "s3:DeleteObject", "s3:PutObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts" ], "Resource": [ "arn:aws:s3:::bucket3/*" ] - rule: | "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::bucket3" ]
The previous configuration will create the following policy.json file for the user
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::bucket1",
"arn:aws:s3:::bucket1/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucket2",
"arn:aws:s3:::bucket2/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:GetObject",
"s3:ListMultipartUploadParts",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::bucket3/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucket3"
]
}
]
}-
Generate Prometheus bearer token
minio_prometheus_bearer_token: false prometheus_bearer_token_output: "{{ minio_etc_dir }}/prometheus_bearer.json"
Setting
minio_prometheus_bearer_tokento true, generates a file/etc/minio/prometheus_bearer.jsonwhich contains the result of executing the command:mc admin prometheus generate myminio -json
None
The following playbook install and configure minio server and client, enabling TLS and generating self-signed SSL certificates. It also create some buckets and users with proper ACLs
---
- name: Install and configure Minio Server
hosts: minio
become: true
gather_facts: true
vars:
server_hostname: minio.example.com
ssl_key_size: 4096
ssl_certificate_provider: selfsigned
pre_tasks:
- name: Generate self-signed SSL certificates for minio
include_tasks: generate_selfsigned_cert.yml
args:
apply:
delegate_to: localhost
become: false
- name: Load tls key and cert
set_fact:
minio_key: "{{ lookup('file','certificates/' + inventory_hostname + '_private.key') }}"
minio_cert: "{{ lookup('file','certificates/' + inventory_hostname + '_public.crt') }}"
roles:
- role: ricsanfre.minio
minio_root_user: "miniadmin"
minio_root_password: "supers1cret0"
minio_enable_tls: true
minio_url: "https://{{ server_hostname }}:{{ minio_server_port }}"
minio_buckets:
- name: bucket1
policy: read-write
- name: bucket2
policy: read-write
minio_users:
- name: user1
password: supers1cret0
buckets_acl:
- name: bucket1
policy: read-write
- name: bucket2
policy: read-only
pre-tasks section include tasks to generate a private key and a self-signed certificate and load them into minio_key and minio_cert variables.
Where generate_selfsigned_cert.yml contain the tasks for generating a Private Key and SSL self-signed certificate:
---
- name: Create private certificate
openssl_privatekey:
path: "certificates/{{ inventory_hostname }}_private.key"
size: "{{ ssl_key_size | int }}"
mode: 0644
- name: Create CSR
openssl_csr:
path: "certificates/{{ inventory_hostname }}_cert.csr"
privatekey_path: "certificates/{{ inventory_hostname }}_private.key"
common_name: "{{ server_hostname }}"
- name: Create certificates for keystore
openssl_certificate:
csr_path: "certificates/{{ inventory_hostname }}_cert.csr"
path: "certificates/{{ inventory_hostname }}_public.crt"
privatekey_path: "certificates/{{ inventory_hostname }}_private.key"
provider: "{{ ssl_certificate_provider }}"
MIT
Created by Ricardo Sanchez (ricsanfre) Bucket creation ansible module based on module from Alexix Facques (https://github.com/alexisfacques/ansible-module-s3-minio-bucket)