From 33e0b9c47d0c6a291b6d16fb4dffa557995901e5 Mon Sep 17 00:00:00 2001 From: sghosh23 Date: Fri, 26 Sep 2025 10:45:01 +0200 Subject: [PATCH 1/3] add minio setup with cargohold IAM user --- src/how-to/install/ansible-VMs.md | 62 ++++++++++++++++++++++++++++--- 1 file changed, 57 insertions(+), 5 deletions(-) diff --git a/src/how-to/install/ansible-VMs.md b/src/how-to/install/ansible-VMs.md index 442b364..044bafe 100644 --- a/src/how-to/install/ansible-VMs.md +++ b/src/how-to/install/ansible-VMs.md 
@@ -239,11 +239,63 @@ minio_secret_key = "REPLACE_THIS_WITH_THE_DESIRED_SECRET_KEY" minio_network_interface=ens3 ``` -- Use ansible, and deploy Minio: - -```default -ansible-playbook -i hosts.ini minio.yml -vv -``` +#### Configure Access Key and Secret Key for MinIO and Cargohold Service + +**Purpose**: Configure secure, least-privilege access for the Cargohold service to use MinIO object storage. + +**Security Model**: +- **MinIO root credentials**: Used only for administrative purposes +- **Cargohold IAM user**: Least privileged user with policy access only to the `assets` bucket +- **Service account**: Separate access/secret key pair for Cargohold service operations + +## Setup Process + +1. **Generate credentials**: Run `./bin/offline-secrets.sh` from the wire-server-deploy directory. + + This generates a `secrets.yaml` file in `ansible/inventory/offline/group_vars/all/` with: + ```yaml + minio_access_key: "" + minio_secret_key: "" + minio_cargohold_access_key: "" + minio_cargohold_secret_key: "" + ``` + +2. **For existing Wire systems** - backup and regenerate secrets: + ```bash + # Backup current secrets file + cp ansible/inventory/offline/group_vars/all/secrets.yaml \ + ansible/inventory/offline/group_vars/all/secrets.yaml.backup + + # Remove current secrets and generate new ones + rm ansible/inventory/offline/group_vars/all/secrets.yaml + ./bin/offline-secrets.sh + ``` + +3. **Migration step**: Replace the newly generated `minio_access_key` and `minio_secret_key` with the values from `secrets.yaml.backup` to maintain compatibility. + +4. **Deploy MinIO configuration**: + ```bash + ansible-playbook -i hosts.ini minio.yml -vv + ``` + +5. 
**Update Cargohold service configuration** in `values/wire-server/secrets.yaml`: + ```yaml + cargohold: + secrets: + # Replace with values from ansible/inventory/offline/group_vars/all/secrets.yaml + awsKeyId: dummykey # replace with minio_cargohold_access_key + awsSecretKey: dummysecret # replace with minio_cargohold_secret_key + ``` + +6. **Deploy updated Wire Server**: + ```bash + helm upgrade --install wire-server ./charts/wire-server \ + --timeout=15m0s \ + --values ./values/wire-server/values.yaml \ + --values ./values/wire-server/secrets.yaml + ``` + +This configures the Cargohold service with its IAM user credentials to securely manage the `assets` bucket. ### Restund From 4b76568fce1c34f8bf649c351875d7d51813e302 Mon Sep 17 00:00:00 2001 From: sghosh23 Date: Fri, 26 Sep 2025 10:48:26 +0200 Subject: [PATCH 2/3] remove old deeplink created part from the minio section --- src/how-to/install/ansible-VMs.md | 16 +--------------- 1 file changed, 1 insertion(+), 15 deletions(-) diff --git a/src/how-to/install/ansible-VMs.md b/src/how-to/install/ansible-VMs.md index 044bafe..25d1a6f 100644 --- a/src/how-to/install/ansible-VMs.md +++ b/src/how-to/install/ansible-VMs.md 
@@ -217,23 +217,9 @@ this step. - In your ‘hosts.ini’ file, in the `[all:vars]` section, make sure you set the ‘minio_network_interface’ to the name of the interface you want minio nodes to talk to each other on. The default from the - playbook is not going to be correct for your machine. For example: -- In your ‘hosts.ini’ file, in the `[minio:vars]` section, ensure you - set minio_access_key and minio_secret key. -- If you intend to use a `deep link` to configure your clients to - talk to the backend, you need to specify your domain (and optionally - your prefix), so that links to your deep link json file are generated - correctly. By configuring these values, you fill in the blanks of - `https://{{ prefix }}assets.{{ domain }}`. + playbook is not going to be correct for your machine. ```ini -[minio:vars] -minio_access_key = "REPLACE_THIS_WITH_THE_DESIRED_SECRET_KEY" -minio_secret_key = "REPLACE_THIS_WITH_THE_DESIRED_SECRET_KEY" -# if you want to use deep links for client configuration: -#minio_deeplink_prefix = "" -#minio_deeplink_domain = "example.com" - [all:vars] # Default first interface on ubuntu on kvm: minio_network_interface=ens3 From d2daf684fb64a205cdd84c1fcde117ddde39db27 Mon Sep 17 00:00:00 2001 From: Sukanta Date: Mon, 29 Sep 2025 11:17:11 +0200 Subject: [PATCH 3/3] Apply suggestions from code review Co-authored-by: Julia Longtin --- src/how-to/install/ansible-VMs.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/how-to/install/ansible-VMs.md b/src/how-to/install/ansible-VMs.md index 25d1a6f..f23bb26 100644 --- a/src/how-to/install/ansible-VMs.md +++ b/src/how-to/install/ansible-VMs.md 
@@ -227,11 +227,11 @@ minio_network_interface=ens3 #### Configure Access Key and Secret Key for MinIO and Cargohold Service -**Purpose**: Configure secure, least-privilege access for the Cargohold service to use MinIO object storage. +**Purpose**: Configure a secure, least-privilege access method for the Cargohold service to utilize the MinIO object storage. **Security Model**: - **MinIO root credentials**: Used only for administrative purposes -- **Cargohold IAM user**: Least privileged user with policy access only to the `assets` bucket +- **Cargohold IAM user**: A least privileged user with a policy that only gives access to the `assets` bucket - **Service account**: Separate access/secret key pair for Cargohold service operations ## Setup Process @@ -246,7 +246,7 @@ minio_network_interface=ens3 minio_cargohold_secret_key: "" ``` -2. **For existing Wire systems** - backup and regenerate secrets: +2. **For existing Wire systems** - Backup and regenerate secrets: ```bash # Backup current secrets file cp ansible/inventory/offline/group_vars/all/secrets.yaml \
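Review bot: in the step 2/step 3 sequence of the `@@ -239,11 +239,63 @@` hunk (patch 1/3), the operator is told to `rm` the live `secrets.yaml`, regenerate it, and then restore only `minio_access_key` and `minio_secret_key` from `secrets.yaml.backup`; the hunk describes the file as containing the four `minio_*` keys, so if `offline-secrets.sh` writes any other secret into that same file, step 3 must also say to carry those values over, otherwise following the text literally rotates credentials the page never mentions. Either state exactly what the regenerated file contains, or have step 3 restore every pre-existing value except the two new `minio_cargohold_*` keys. Two smaller points in the same hunk: the new `## Setup Process` heading is nested under a `####` heading and breaks the page outline (use `#####` or drop the sub-heading), and nothing says which step creates the Cargohold IAM user and its `assets`-only policy; if `minio.yml` in step 4 is what does this, one sentence saying so, plus how to verify the policy was applied, would close the gap.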
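Review bot: in the `@@ -217,23 +217,9 @@` hunk (patch 2/3), replacing `For example:` with a full stop leaves the `ini` block that still follows the bullet without a lead-in, even though it remains an example of the `[all:vars]` setting; keep `For example:` or add a short sentence before the fence. The same hunk removes the only documentation of `minio_deeplink_prefix` and `minio_deeplink_domain` together with the `[minio:vars]` block; if the playbook still supports deep-link client configuration, that text should be moved rather than deleted, and if the feature itself was removed, the commit message should say so rather than "remove old deeplink created part".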
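Review bot: the reworded **Security Model** bullets in the first `@@ -227,11 +227,11 @@` hunk (patch 3/3) still describe the same credential as both a "Cargohold IAM user" and a "Service account"; MinIO treats users and service accounts as distinct objects, so the section should pick one term and use it consistently, since an operator checking the deployment will look for a different thing depending on which is meant. Also "least privileged user" should be hyphenated as "least-privileged user", and "utilize the MinIO object storage" reads more plainly as "use MinIO object storage".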
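Review bot: in the `@@ -246,7 +246,7 @@` hunk (patch 3/3), changing "backup" to "Backup" only capitalizes the noun; as an imperative the step title should read "Back up and regenerate secrets" (two words), and the same fix applies to the `# Backup current secrets file` comment in the context lines, which should be "# Back up the current secrets file".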