artifact-store/workplans/ARTIFACT-STORE-WP-0007-minio-maxio-sts-vending.md
---
id: ARTIFACT-STORE-WP-0007
type: workplan
title: "MinIO Compatibility, MaxIO Fork Assessment, And STS Credential Vending"
repo: artifact-store
domain: stack
status: active
owner: codex
topic_slug: stack
planning_priority: high
planning_order: 7
created: "2026-05-17"
updated: "2026-05-17"
state_hub_workstream_id: "2f34bb96-7206-4cb5-acdf-43880b57a9ec"
---
# ARTIFACT-STORE-WP-0007: MinIO Compatibility, MaxIO Fork Assessment, And STS Credential Vending
## Purpose
Create a dedicated workstream for work that would otherwise keep
artifact-store's S3 backend and guide-board pilot workstreams open:
MinIO-compatible test infrastructure, the "MaxIO" fork/community
opportunity, and whether NetKingdom already supports the Security Token
Service (STS) credential-vending pattern for object storage.
## Context
As of 2026-05-17, upstream `minio/minio` is archived/read-only on
GitHub and the README says the repository is no longer maintained.
The same README says Community Edition is now source-only, while the
source remains AGPLv3. The latest GitHub release visible there is
`RELEASE.2025-10-15T17-29-55Z`.
Relevant source references:
- https://github.com/minio/minio
- https://min.io/docs/minio/linux/developers/security-token-service.html
- https://min.io/docs/minio/linux/developers/security-token-service/AssumeRoleWithWebIdentity.html
- https://github.com/OpenMaxIO/openmaxio-object-browser
Initial local scan of `/home/worsch/net-kingdom` found credential
bootstrap, Vault/KeePassXC, OIDC, Keycloak/Authelia, and static S3/MinIO
backup references, but no explicit STS credential-vending implementation
or MinIO `AssumeRoleWithWebIdentity` path yet.
## Constraints
- Do not put MinIO fork or community governance assumptions into the
artifact-store S3 adapter.
- Treat AGPLv3, trademark/brand, release provenance, and security patch
obligations as first-class risks before any "MaxIO" fork decision.
- STS credential vending should issue short-lived credentials from
workload/user identity; long-lived root access keys should not become
the default integration pattern.
- NetKingdom owns identity/security architecture; artifact-store owns
whether its S3 backend can consume vended temporary credentials.
## D7.1 - MinIO / Fork Landscape Assessment
```task
id: ARTIFACT-STORE-WP-0007-T001
status: todo
priority: high
state_hub_task_id: "11d84b56-be7a-4013-8e21-36b7b656b69b"
```
Acceptance:
- Record a dated assessment of upstream MinIO status, latest usable
source tag, AGPL obligations, removed/enterprise-shifted features,
and available community forks.
- Compare at least: upstream source build, OpenMaxIO UI pieces, Pigsty
MinIO fork, Garage, RustFS, SeaweedFS, and Ceph RGW.
- Decide whether "MaxIO" should be a direct fork, a packaging/build
distribution, a compatibility profile, or not pursued.
## D7.2 - MinIO Compatibility Harness
```task
id: ARTIFACT-STORE-WP-0007-T002
status: todo
priority: high
state_hub_task_id: "c826f3ac-2ed7-4150-aa7c-e778ae71a72b"
```
Acceptance:
- Restore or define the dependency/bootstrap path for MinIO-compatible
integration tests (`uv`/Python deps, Docker/testcontainers or a
deterministic compose fixture).
- Run artifact-store S3 backend tests against the selected MinIO or fork
target.
- Document manual smoke commands and expected health/verify outputs.
## D7.3 - STS Credential Vending Assessment For NetKingdom
```task
id: ARTIFACT-STORE-WP-0007-T003
status: todo
priority: high
state_hub_task_id: "d3d5c4c1-d3b2-4163-b99d-1b08f90566d1"
```
Acceptance:
- Inventory NetKingdom's current object-storage credential path,
including backup jobs and any S3/MinIO secrets.
- Determine whether Keycloak/Authelia/local-identity can act as the OIDC
identity provider for MinIO-compatible `AssumeRoleWithWebIdentity`.
- Produce a target architecture for credential vending: issuer,
token audience, role/policy mapping, expiration, revocation, audit,
and break-glass behavior.
## D7.4 - Artifact-Store Temporary Credential Support
```task
id: ARTIFACT-STORE-WP-0007-T004
status: todo
priority: medium
state_hub_task_id: "9b80057a-d86e-4f14-9d14-928ee29f970d"
```
Acceptance:
- Decide whether artifact-store's S3 backend needs dynamic credential
refresh for STS-vended credentials or whether refresh belongs in a
sidecar/secret controller.
- If needed, design the minimal configuration shape for short-lived
credentials without storing them in request bodies or event payloads.
- Verify that `artifactstore storage verify --backend s3` can run with
temporary credentials.
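A client-side model of the `AssumeRoleWithWebIdentity` vending step that D7.3 and D7.4 assess, added here as an example rather than artifact-store or NetKingdom code: it builds the form body a MinIO-compatible endpoint expects, parses the vended credentials from a constructed sample response, and decides when a refresh is due ahead of expiry. The names (`VendedCredentials`, `needs_refresh`, the five-minute skew) and the sample response are assumptions, not anything on the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

# Constructed sample of a MinIO-style AssumeRoleWithWebIdentity response (not a real capture).
SAMPLE_STS_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    <Credentials>
      <AccessKeyId>EXAMPLEACCESSKEY</AccessKeyId>
      <SecretAccessKey>EXAMPLESECRETKEY</SecretAccessKey>
      <SessionToken>EXAMPLESESSIONTOKEN</SessionToken>
      <Expiration>2026-05-17T13:00:00Z</Expiration>
    </Credentials>
  </AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>"""

def build_assume_role_body(web_identity_token: str, duration_seconds: int = 3600) -> str:
    # Form body POSTed to the MinIO endpoint itself (no separate STS host); the OIDC
    # token travels only here, never in an S3 request body or event payload.
    return urlencode({
        "Action": "AssumeRoleWithWebIdentity",
        "Version": "2011-06-15",
        "WebIdentityToken": web_identity_token,
        "DurationSeconds": str(duration_seconds),
    })

@dataclass(frozen=True)
class VendedCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str  # must accompany the key pair on every S3 request
    expiration: datetime

    def needs_refresh(self, now: datetime, skew: timedelta = timedelta(minutes=5)) -> bool:
        # Re-vend ahead of expiry so in-flight uploads do not fail part-way through.
        return now + skew >= self.expiration

def _text(root: ET.Element, local_name: str) -> str:
    # Match on local tag name so namespaced and bare responses both parse.
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name and el.text:
            return el.text.strip()
    raise ValueError(f"STS response lacks <{local_name}>")

def parse_assume_role_response(xml_text: str) -> VendedCredentials:
    root = ET.fromstring(xml_text)
    exp = datetime.fromisoformat(_text(root, "Expiration").replace("Z", "+00:00"))
    return VendedCredentials(_text(root, "AccessKeyId"), _text(root, "SecretAccessKey"), _text(root, "SessionToken"), exp)
```

The actual HTTP POST and the S3 client wiring (key, secret and session token together) are left to the caller; the parser is the piece a sidecar or in-process refresher would share.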
## D7.5 - Follow-Up Workstream Routing
```task
id: ARTIFACT-STORE-WP-0007-T005
status: todo
priority: medium
state_hub_task_id: "614f7918-6fef-4460-b3fc-f9ff3c156422"
```
Acceptance:
- Create or link NetKingdom follow-up work for STS credential vending if
the implementation belongs outside artifact-store.
- Create or link producer-side guide-board/open-cmis-tck work for the
missing `reports/cmis-summary.md` fragment.
- Close this workstream with a decision: adopt existing fork, build
MaxIO, use another S3-compatible store, or defer.
## Success criteria
- Artifact-store no longer treats MinIO as an incidental CI detail; it
has a clear compatibility and governance strategy.
- NetKingdom has a concrete answer on STS credential vending for object
storage.
- Any MaxIO fork work starts only after legal, security, governance,
and community-support duties are explicit.