# MinIO Compatibility Landscape - 2026-06-27

## Purpose

This note closes `ARTIFACT-STORE-WP-0007-T001` by recording the dated
object-store landscape that should guide artifact-store's S3-compatible backend
and any future MaxIO decision.

## Decision

Do not start a direct MaxIO server fork from artifact-store. Treat the near-term
work as a compatibility-profile lane:

- Keep Ceph RGW as the preferred Railiance production target because it has a
  mature S3 compatibility matrix, multipart support, STS-related docs, and fits
  existing cluster storage ownership.
- Keep upstream MinIO only as an opt-in compatibility target for development and
  migration testing, pinned by source tag or an operator-provided image whose
  provenance is documented.
- Treat OpenMaxIO as a console/UI signal, not a full object-store fork candidate
  for artifact-store yet.
- Keep RustFS, Garage, and SeaweedFS as evaluation targets for later harness runs
  if Ceph RGW or MinIO compatibility uncovers a gap.
- Do not adopt any "Pigsty MinIO fork" until a primary source repository,
  license, release process, and security update path are verified.

## Source Status

- `minio/minio` was archived on GitHub on 2026-04-25 and is read-only. The tags
  page shows `RELEASE.2025-10-15T17-29-55Z` as the newest visible tag on
  2026-06-27, with a commit note pointing documentation toward source-only
  releases.
- MinIO AIStor documentation still documents STS. It states STS can generate
  temporary credentials and convert external identity-provider credentials into
  AWS Signature V4-compatible credentials.
- `AssumeRoleWithWebIdentity` remains the relevant OIDC shape for future
  short-lived object-store credentials, returning access key, secret key,
  expiration, and session token fields.

## Candidate Comparison

| Candidate | Fit | Risks / notes | Current call |
| --- | --- | --- | --- |
| Upstream MinIO source tag | Strong S3 behavior baseline; familiar endpoint for development smoke tests. | Archived/read-only repository, AGPLv3 obligations, source-only release posture, and unclear long-term community patch path. | Use only as a pinned compatibility target, not the production platform default. |
| OpenMaxIO UI pieces | Active public UI fork signal; useful for console affordance research. | Repository is the object browser/console, not a full server fork. It is AGPLv3 and claims broader goals than the repo currently proves. | Do not treat as the object-store backend. Track only as UI/reference material. |
| Pigsty MinIO fork | Mentioned in the workplan as a candidate to compare. | No primary source repository was verified in this assessment pass. | Not pursued until provenance is clear. |
| Garage | Small, self-hostable object store with documented S3 API workflow, Docker quick start, single-node mode, and binary/source install paths. | Not a drop-in S3 clone; compatibility and operations profile differ from MinIO/RGW. | Good later compatibility target for lightweight deployments, not first production target. |
| RustFS | Apache-2.0, S3-compatible object-store project with MinIO/Ceph migration positioning, OIDC support notes, and Docker quick start. | Project maturity and feature status need live evaluation; some distributed/KMS features are marked under testing. | Worth an opt-in harness target after MinIO/RGW path is stable. |
| SeaweedFS S3 gateway | Mature file/object system with explicit S3 gateway, documented supported bucket/object/multipart APIs, and STS/OIDC/IAM API references. | Different storage model and bucket/collection semantics; may be more platform than artifact-store needs. | Evaluate only if large-scale filer/backup needs make it attractive. |
| Ceph RGW | Existing production-aligned target. Ceph documents S3 API compatibility, supported core bucket/object operations, multipart uploads, storage classes, STS, and Keycloak/OIDC references. | Needs cluster/operator storage ownership and explicit credential custody. | Preferred production target for Railiance. |

## Harness Implications

The compatibility harness should stay backend-agnostic and run against an
operator-provided S3 endpoint. For MinIO today, the repo now provides an opt-in
pytest module that:

- skips unless explicit `ARTIFACTSTORE_MINIO_*` environment variables are set;
- performs a small put/get/range/head/delete round trip;
- performs a multipart upload with a 5 MiB part size so MinIO-compatible servers
  see realistic multipart behavior;
- avoids storing any secret values in Git, State Hub, test output, or docs.

The same shape can be reused later for Ceph RGW, RustFS, Garage, or SeaweedFS by
renaming the environment variables or parameterizing the fixture.

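A sketch of the parameterized fixture shape described above, added here as an illustration and not taken from the repo's pytest module. The variable suffixes (`ENDPOINT`, `ACCESS_KEY`, `SECRET_KEY`, `BUCKET`) and the names `Profile`, `load_profile`, and `plan_parts` are assumptions; the note only shows the `ARTIFACTSTORE_MINIO_*` prefix.

```python
import os
from dataclasses import dataclass, field

# 5 MiB part size named in the note; also the S3 minimum for non-final parts.
MIN_PART = 5 * 1024 * 1024
# Hypothetical suffixes: the note only shows the ARTIFACTSTORE_MINIO_* prefix.
REQUIRED = ("ENDPOINT", "ACCESS_KEY", "SECRET_KEY", "BUCKET")


@dataclass(frozen=True)
class Profile:
    backend: str
    endpoint: str
    bucket: str
    access_key: str = field(repr=False)  # keep credentials out of test output
    secret_key: str = field(repr=False)


def load_profile(backend, env=None):
    """Return a Profile, or None when any variable is unset (caller skips)."""
    env = os.environ if env is None else env
    prefix = f"ARTIFACTSTORE_{backend.upper()}_"
    values = {name: env.get(prefix + name, "").strip() for name in REQUIRED}
    if not all(values.values()):
        return None
    return Profile(backend, values["ENDPOINT"], values["BUCKET"],
                   values["ACCESS_KEY"], values["SECRET_KEY"])


def plan_parts(size, part_size=MIN_PART):
    """Split an object of `size` bytes into (part_number, first, last) ranges."""
    if part_size < MIN_PART:
        raise ValueError("non-final multipart parts must be at least 5 MiB")
    if size <= 0:
        raise ValueError("multipart upload needs a non-empty object")
    parts = []
    for number, first in enumerate(range(0, size, part_size), start=1):
        last = min(first + part_size, size) - 1  # inclusive, as in a Range header
        parts.append((number, first, last))
    return parts
```

In a pytest fixture, call `pytest.skip(...)` when `load_profile` returns `None`, and parameterize the fixture over backend names to reuse it for Ceph RGW, RustFS, Garage, or SeaweedFS.
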
## STS Follow-Up

STS credential vending remains `ARTIFACT-STORE-WP-0007-T003`/`T004` work. The
source assessment confirms the shape to test, but implementation ownership still
belongs to identity/platform routing:

- issuer: KeyCape/local-identity or another approved OIDC issuer;
- custody: OpenBao/operator path for any long-lived bootstrap secret;
- consumer: artifact-store S3 backend can consume temporary access key, secret
  key, and session token once the config supports session tokens or an external
  refresher injects standard SDK credentials;
- audit: State Hub records only non-secret request metadata and evidence ids.

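The consumer and audit split above, together with the `AssumeRoleWithWebIdentity` response fields listed under Source Status, as an added example that is not artifact-store code. It assumes the AWS-style STS XML response and namespace; the function name `vend`, the `min_ttl` threshold, and the audit field names are hypothetical, and the sample response is constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}  # AWS STS namespace

# Constructed sample response; every value is a placeholder.
SAMPLE = """<AssumeRoleWithWebIdentityResponse
    xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    <Credentials>
      <AccessKeyId>EXAMPLEACCESSKEY</AccessKeyId>
      <SecretAccessKey>example-secret-key</SecretAccessKey>
      <SessionToken>example-session-token</SessionToken>
      <Expiration>2026-06-27T13:00:00Z</Expiration>
    </Credentials>
  </AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>"""

# Response field -> standard SDK environment variable.
FIELDS = {"AccessKeyId": "AWS_ACCESS_KEY_ID",
          "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
          "SessionToken": "AWS_SESSION_TOKEN"}


def vend(xml_text, now, issuer, evidence_id, min_ttl=300):
    """Return (sdk_env, audit_record); raise ValueError on unusable responses."""
    creds = ET.fromstring(xml_text).find(".//sts:Credentials", NS)
    if creds is None:
        raise ValueError("response carries no Credentials element")
    raw = {name: creds.findtext(f"sts:{name}", default="", namespaces=NS)
           for name in (*FIELDS, "Expiration")}
    missing = [name for name, value in raw.items() if not value]
    if missing:
        raise ValueError(f"response is missing fields: {missing}")
    expires = datetime.fromisoformat(raw["Expiration"].replace("Z", "+00:00"))
    ttl = int((expires - now).total_seconds())  # `now` must be timezone-aware
    if ttl < min_ttl:
        raise ValueError("credentials expire too soon to hand to the backend")
    sdk_env = {FIELDS[name]: raw[name] for name in FIELDS}
    # Audit record: request metadata and evidence id only, no key material.
    audit = {"evidence_id": evidence_id, "issuer": issuer,
             "expires": expires.isoformat(), "ttl_seconds": ttl}
    return sdk_env, audit
```

A refresher would pass `sdk_env` to the S3 client process and send only `audit` to the record store.
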
## Sources Checked

- https://github.com/minio/minio/tags
- https://docs.min.io/aistor/developers/security-token-service/
- https://docs.min.io/aistor/developers/security-token-service/assumerolewithwebidentity/
- https://github.com/OpenMaxIO/openmaxio-object-browser
- https://garagehq.deuxfleurs.fr/documentation/quick-start/
- https://github.com/rustfs/rustfs
- https://github.com/seaweedfs/seaweedfs/wiki/Amazon-S3-API
- https://docs.ceph.com/en/latest/radosgw/s3/