---
id: ARTIFACT-STORE-WP-0007
type: workplan
title: "MinIO Compatibility, MaxIO Fork Assessment, And STS Credential Vending"
repo: artifact-store
domain: infotech
status: active
owner: codex
topic_slug: stack
planning_priority: high
planning_order: 7
created: "2026-05-17"
updated: "2026-06-27"
state_hub_workstream_id: "2f34bb96-7206-4cb5-acdf-43880b57a9ec"
---

# ARTIFACT-STORE-WP-0007: MinIO Compatibility, MaxIO Fork Assessment, And STS Credential Vending

## Purpose

Create a dedicated workstream for the work that should not keep artifact-store's S3 backend and guide-board pilot workstreams open: MinIO-compatible test infrastructure, the "MaxIO" fork/community opportunity, and whether NetKingdom already supports the Security Token Service credential-vending pattern for object storage.

## Context

As of 2026-05-17, upstream `minio/minio` is archived/read-only on GitHub and the README says the repository is no longer maintained. The same README says Community Edition is now source-only, while the source remains AGPLv3. The latest GitHub release visible there is `RELEASE.2025-10-15T17-29-55Z`.

Relevant source references:

- https://github.com/minio/minio
- https://min.io/docs/minio/linux/developers/security-token-service.html
- https://min.io/docs/minio/linux/developers/security-token-service/AssumeRoleWithWebIdentity.html
- https://github.com/OpenMaxIO/openmaxio-object-browser

Initial local scan of `/home/worsch/net-kingdom` found credential bootstrap, Vault/KeePassXC, OIDC, Keycloak/Authelia, and static S3/MinIO backup references, but no explicit STS credential-vending implementation or MinIO `AssumeRoleWithWebIdentity` path yet.

## Constraints

- Do not put MinIO fork or community governance assumptions into the artifact-store S3 adapter.
- Treat AGPLv3, trademark/brand, release provenance, and security patch obligations as first-class risks before any "MaxIO" fork decision.
- STS credential vending should issue short-lived credentials from workload/user identity; long-lived root access keys should not become the default integration pattern.
- NetKingdom owns identity/security architecture; artifact-store owns whether its S3 backend can consume vendored temporary credentials.

## D7.1 - MinIO / Fork Landscape Assessment

```task
id: ARTIFACT-STORE-WP-0007-T001
status: done
priority: high
state_hub_task_id: "11d84b56-be7a-4013-8e21-36b7b656b69b"
```

Acceptance:

- Record a dated assessment of upstream MinIO status, latest usable source tag, AGPL obligations, removed/enterprise-shifted features, and available community forks.
- Compare at least: upstream source build, OpenMaxIO UI pieces, Pigsty MinIO fork, Garage, RustFS, SeaweedFS, and Ceph RGW.
- Decide whether "MaxIO" should be a direct fork, a packaging/build distribution, a compatibility profile, or not pursued.

Progress 2026-06-27:

- Added `docs/minio-compatibility-landscape-2026-06-27.md`, recording the dated source/fork/object-store assessment and deciding that artifact-store should pursue a compatibility profile rather than a direct MaxIO server fork.
- Verified current source references for upstream MinIO archive/tag posture, MinIO AIStor STS/OIDC shape, OpenMaxIO UI scope, Garage, RustFS, SeaweedFS, and Ceph RGW.
- D7.1 is done; follow-up implementation remains in D7.2-D7.5.

## D7.2 - MinIO Compatibility Harness

```task
id: ARTIFACT-STORE-WP-0007-T002
status: done
priority: high
state_hub_task_id: "c826f3ac-2ed7-4150-aa7c-e778ae71a72b"
```

Acceptance:

- Restore or define the dependency/bootstrap path for MinIO-compatible integration tests (`uv`/Python deps, Docker/testcontainers or a deterministic compose fixture).
- Run artifact-store S3 backend tests against the selected MinIO or fork target.
- Document manual smoke commands and expected health/verify outputs.

Progress 2026-06-27:

- Added skipped-by-default live MinIO tests in `tests/integration/test_storage_s3_minio.py`. The harness runs only when an operator supplies `ARTIFACTSTORE_MINIO_ENDPOINT_URL`, bucket, access key, and secret key through the local environment.
- Added `make test-minio` and documented the manual MinIO smoke in `docs/OPERATOR.md`, including required permissions and the non-secret application-level `ARTIFACTSTORE_S3_*_REF` mapping.
- Remaining D7.2 gate: run the harness against an approved MinIO-compatible endpoint and capture the health/round-trip/multipart result.

Completed 2026-07-02:

- Added the deterministic local fixture `scripts/minio_local_smoke.sh` and `make test-minio-local`: it starts a throwaway `minio/minio:latest` container bound to `127.0.0.1:19000` with one-run generated credentials, waits for `/minio/health/live` (HTTP 200), creates the smoke bucket via `mc`, runs `make test-minio`, and tears the container down on exit.
- Live run passed against MinIO server (image digest `sha256:14cea493...`): `test_live_minio_round_trip_with_range` and `test_live_minio_multipart_upload` — 2 passed. Health, round-trip with range reads, and multipart upload are all verified against a real MinIO endpoint; no credentials persisted anywhere.
- This closes D7.2's bootstrap-path, live-run, and documentation acceptance. Runs against a production/approved shared endpoint remain possible with the same `make test-minio` env contract whenever an operator supplies one.

## D7.3 - STS Credential Vending Assessment For NetKingdom

```task
id: ARTIFACT-STORE-WP-0007-T003
status: done
priority: high
state_hub_task_id: "d3d5c4c1-d3b2-4163-b99d-1b08f90566d1"
```

Acceptance:

- Inventory NetKingdom's current object-storage credential path, including backup jobs and any S3/MinIO secrets.
- Determine whether Keycloak/Authelia/local-identity can act as the OIDC identity provider for MinIO-compatible `AssumeRoleWithWebIdentity`.
- Produce a target architecture for credential vending: issuer, token audience, role/policy mapping, expiration, revocation, audit, and break-glass behavior.
Completed 2026-07-02:

- Added `docs/sts-credential-vending-assessment.md`, specializing the NetKingdom baseline (`net-kingdom/docs/object-storage-sts-credential-vending.md`, NK-WP-0007) for artifact-store.
- Inventory found no production-live object-storage credentials yet (artifact-store static-ref bridge, CNPG backup lane parked pre-provisioning), confirmed key-cape/Keycloak as viable MinIO `AssumeRoleWithWebIdentity` issuers (Authelia rejected — no IAM Profile claims; local-identity sandbox-only), and bound the target architecture: vending-service audience, flex-auth decision vocabulary, 15–60 min leases with refresh jitter, audit event shape, and break-glass rules.
- Key code finding for D7.4: `S3BackendConfig` lacks `session_token` and the `aioboto3.Session` omits `aws_session_token`, so STS credentials cannot be consumed until that lands.

## D7.4 - Artifact-Store Temporary Credential Support

```task
id: ARTIFACT-STORE-WP-0007-T004
status: todo
priority: medium
state_hub_task_id: "9b80057a-d86e-4f14-9d14-928ee29f970d"
```

Acceptance:

- Decide whether artifact-store's S3 backend needs dynamic credential refresh for STS-vended credentials or whether refresh belongs in a sidecar/secret controller.
- If needed, design the minimal configuration shape for short-lived credentials without storing them in request bodies or event payloads.
- Verify that `artifactstore storage verify --backend s3` can run with temporary credentials.

## D7.5 - Follow-Up Workstream Routing

```task
id: ARTIFACT-STORE-WP-0007-T005
status: todo
priority: medium
state_hub_task_id: "614f7918-6fef-4460-b3fc-f9ff3c156422"
```

Acceptance:

- Create or link NetKingdom follow-up work for STS credential vending if the implementation belongs outside artifact-store.
- Create or link producer-side guide-board/open-cmis-tck work for the missing `reports/cmis-summary.md` fragment.
- Close this workstream with a decision: adopt existing fork, build MaxIO, use another S3-compatible store, or defer.
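The D7.3 lease rules (15–60 min leases with refresh jitter, an audit event that carries no secret material) and the D7.4 gap (`S3BackendConfig` without `session_token`, no `aws_session_token` handed to the session) are sketched below as an added example. This is not artifact-store or NetKingdom code: the `S3BackendConfig` here is a hypothetical stand-in for the project's class, the `REFRESH_MARGIN` value, the 80%/10% refresh schedule and the `audit_event` field names are assumptions, and the STS response is a constructed sample in the AWS `AssumeRoleWithWebIdentity` XML shape that MinIO's STS endpoint mirrors.

```python
"""Lease handling for STS-vended S3 credentials.

Added example, not artifact-store code. S3BackendConfig is a hypothetical
stand-in for the project's class, extended with the session_token and
expiration fields D7.4 reports as missing. SAMPLE_STS_RESPONSE is a
constructed AssumeRoleWithWebIdentity response; its values are placeholders.
"""
from __future__ import annotations

import random
import xml.etree.ElementTree as ET
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"
MAX_LEASE = timedelta(minutes=60)       # upper bound from the D7.3 assessment
REFRESH_MARGIN = timedelta(minutes=5)   # assumed safety margin before expiry

# Constructed sample response (AWS STS XML shape, which MinIO mirrors).
SAMPLE_STS_RESPONSE = """\
<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    <Credentials>
      <AccessKeyId>EXAMPLEACCESSKEY0001</AccessKeyId>
      <SecretAccessKey>example-secret-not-real</SecretAccessKey>
      <SessionToken>example.session.token</SessionToken>
      <Expiration>2026-07-02T10:30:00Z</Expiration>
    </Credentials>
  </AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>
"""
SAMPLE_NOW = datetime(2026, 7, 2, 10, 0, tzinfo=timezone.utc)  # constructed clock


@dataclass(frozen=True)
class S3BackendConfig:
    """Hypothetical config shape; session_token/expiration are the D7.4 additions."""
    endpoint_url: str
    bucket: str
    access_key_id: str
    secret_access_key: str
    session_token: Optional[str] = None      # None means a static long-lived key
    expiration: Optional[datetime] = None

    @property
    def is_temporary(self) -> bool:
        return self.session_token is not None

    def session_kwargs(self) -> dict:
        """Keyword arguments using the names boto3/aioboto3 Session accepts."""
        kwargs = {
            "aws_access_key_id": self.access_key_id,
            "aws_secret_access_key": self.secret_access_key,
        }
        if self.session_token is not None:
            kwargs["aws_session_token"] = self.session_token  # the missing piece
        return kwargs


@dataclass(frozen=True)
class VendedCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime


def parse_assume_role_response(xml_text: str) -> VendedCredentials:
    """Extract the Credentials block from an AssumeRoleWithWebIdentity response."""
    creds = ET.fromstring(xml_text).find(f".//{STS_NS}Credentials")
    if creds is None:
        raise ValueError("STS response has no Credentials element")

    def field(name: str) -> str:
        el = creds.find(STS_NS + name)
        if el is None or not el.text:
            raise ValueError(f"STS response missing {name}")
        return el.text.strip()

    expiration = datetime.fromisoformat(field("Expiration").replace("Z", "+00:00"))
    return VendedCredentials(field("AccessKeyId"), field("SecretAccessKey"),
                             field("SessionToken"), expiration)


def validate_lease(creds: VendedCredentials, now: datetime) -> timedelta:
    """Return the remaining lifetime; reject expired or over-long leases."""
    ttl = creds.expiration - now
    if ttl <= timedelta(0):
        raise ValueError("vended credentials are already expired")
    if ttl > MAX_LEASE:
        raise ValueError(f"lease {ttl} exceeds the {MAX_LEASE} maximum")
    return ttl


def config_from_vended(base: S3BackendConfig, creds: VendedCredentials,
                       now: datetime) -> S3BackendConfig:
    """Swap a static-key config for the vended short-lived credentials."""
    validate_lease(creds, now)
    return replace(base, access_key_id=creds.access_key_id,
                   secret_access_key=creds.secret_access_key,
                   session_token=creds.session_token, expiration=creds.expiration)


def needs_refresh(creds: VendedCredentials, now: datetime) -> bool:
    """True once no more than REFRESH_MARGIN of the lease remains."""
    return creds.expiration - now <= REFRESH_MARGIN


def refresh_deadline(creds: VendedCredentials, now: datetime,
                     rng: Optional[random.Random] = None) -> datetime:
    """Plan the refresh at 80% of the lease minus up to 10% jitter, so workers
    whose leases were issued together do not all hit the vending service at once."""
    base = validate_lease(creds, now) * 0.8
    jitter = base * 0.1 * (rng or random).random()
    return now + base - jitter


def audit_event(creds: VendedCredentials, subject: str, audience: str) -> dict:
    """Audit record that identifies the lease but never carries secret material."""
    return {"event": "s3.credentials.vended", "subject": subject,
            "audience": audience, "access_key_id": creds.access_key_id,
            "expires_at": creds.expiration.isoformat()}
```

`session_kwargs()` uses the real `boto3`/`aioboto3` `Session` keyword names (`aws_access_key_id`, `aws_secret_access_key`, `aws_session_token`), so the only change the D7.4 adapter needs is to pass the third one through when the config is temporary. `needs_refresh` and `refresh_deadline` are the two checks whoever holds the lease (in-process refresher or sidecar/secret controller) has to make; `audit_event` shows the shape that keeps secrets out of event payloads.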
## Success criteria

- Artifact-store no longer treats MinIO as an incidental CI detail; it has a clear compatibility and governance strategy.
- NetKingdom has a concrete answer on STS credential vending for object storage.
- Any MaxIO fork work starts only after legal, security, governance, and community-support duties are explicit.