artifact-store/workplans/ARTIFACT-STORE-WP-0007-minio-maxio-sts-vending.md
---
id: ARTIFACT-STORE-WP-0007
type: workplan
title: "MinIO Compatibility, MaxIO Fork Assessment, And STS Credential Vending"
repo: artifact-store
domain: infotech
status: active
owner: codex
topic_slug: stack
planning_priority: high
planning_order: 7
created: "2026-05-17"
updated: "2026-06-27"
state_hub_workstream_id: "2f34bb96-7206-4cb5-acdf-43880b57a9ec"
---
# ARTIFACT-STORE-WP-0007: MinIO Compatibility, MaxIO Fork Assessment, And STS Credential Vending
## Purpose
Create a dedicated workstream for the work that would otherwise keep
artifact-store's S3 backend and guide-board pilot workstreams open:
MinIO-compatible test infrastructure, the "MaxIO" fork/community
opportunity, and whether NetKingdom already supports the Security Token
Service (STS) credential-vending pattern for object storage.
## Context
As of 2026-05-17, upstream `minio/minio` is archived/read-only on
GitHub and the README says the repository is no longer maintained.
The same README says Community Edition is now source-only, while the
source remains AGPLv3. The latest GitHub release visible there is
`RELEASE.2025-10-15T17-29-55Z`.
Relevant source references:
- https://github.com/minio/minio
- https://min.io/docs/minio/linux/developers/security-token-service.html
- https://min.io/docs/minio/linux/developers/security-token-service/AssumeRoleWithWebIdentity.html
- https://github.com/OpenMaxIO/openmaxio-object-browser
Initial local scan of `/home/worsch/net-kingdom` found credential
bootstrap, Vault/KeePassXC, OIDC, Keycloak/Authelia, and static S3/MinIO
backup references, but no explicit STS credential-vending implementation
or MinIO `AssumeRoleWithWebIdentity` path yet.
## Constraints
- Do not put MinIO fork or community governance assumptions into the
artifact-store S3 adapter.
- Treat AGPLv3, trademark/brand, release provenance, and security patch
obligations as first-class risks before any "MaxIO" fork decision.
- STS credential vending should issue short-lived credentials from
workload/user identity; long-lived root access keys should not become
the default integration pattern.
- NetKingdom owns identity/security architecture; artifact-store owns
whether its S3 backend can consume vendored temporary credentials.
## D7.1 - MinIO / Fork Landscape Assessment
```task
id: ARTIFACT-STORE-WP-0007-T001
status: done
priority: high
state_hub_task_id: "11d84b56-be7a-4013-8e21-36b7b656b69b"
```
Acceptance:
- Record a dated assessment of upstream MinIO status, latest usable
source tag, AGPL obligations, removed/enterprise-shifted features,
and available community forks.
- Compare at least: upstream source build, OpenMaxIO UI pieces, Pigsty
MinIO fork, Garage, RustFS, SeaweedFS, and Ceph RGW.
- Decide whether "MaxIO" should be a direct fork, a packaging/build
distribution, a compatibility profile, or not pursued.
Progress 2026-06-27:
- Added `docs/minio-compatibility-landscape-2026-06-27.md`, recording the dated
source/fork/object-store assessment and deciding that artifact-store should
pursue a compatibility profile rather than a direct MaxIO server fork.
- Verified current source references for upstream MinIO archive/tag posture,
MinIO AIStor STS/OIDC shape, OpenMaxIO UI scope, Garage, RustFS, SeaweedFS,
and Ceph RGW.
- D7.1 is done; follow-up implementation remains in D7.2-D7.5.
## D7.2 - MinIO Compatibility Harness
```task
id: ARTIFACT-STORE-WP-0007-T002
status: done
priority: high
state_hub_task_id: "c826f3ac-2ed7-4150-aa7c-e778ae71a72b"
```
Acceptance:
- Restore or define the dependency/bootstrap path for MinIO-compatible
integration tests (`uv`/Python deps, Docker/testcontainers or a
deterministic compose fixture).
- Run artifact-store S3 backend tests against the selected MinIO or fork
target.
- Document manual smoke commands and expected health/verify outputs.
Progress 2026-06-27:
- Added skipped-by-default live MinIO tests in
`tests/integration/test_storage_s3_minio.py`. The harness runs only when an
operator supplies `ARTIFACTSTORE_MINIO_ENDPOINT_URL`, bucket, access key, and
secret key through the local environment.
- Added `make test-minio` and documented the manual MinIO smoke in
`docs/OPERATOR.md`, including required permissions and the non-secret
application-level `ARTIFACTSTORE_S3_*_REF` mapping.
- Remaining D7.2 gate: run the harness against an approved MinIO-compatible
endpoint and capture the health/round-trip/multipart result.
Completed 2026-07-02:
- Added the deterministic local fixture `scripts/minio_local_smoke.sh` and
`make test-minio-local`: it starts a throwaway `minio/minio:latest`
container bound to `127.0.0.1:19000` with one-run generated credentials,
waits for `/minio/health/live` (HTTP 200), creates the smoke bucket via
`mc`, runs `make test-minio`, and tears the container down on exit.
- Live run passed against MinIO server (image digest `sha256:14cea493...`):
`test_live_minio_round_trip_with_range` and
`test_live_minio_multipart_upload` — 2 passed. Health, round-trip with
range reads, and multipart upload are all verified against a real MinIO
endpoint; no credentials persisted anywhere.
- This closes D7.2's bootstrap-path, live-run, and documentation acceptance.
Runs against a production/approved shared endpoint remain possible with the
same `make test-minio` env contract whenever an operator supplies one.
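The harness shape above, as an added example: this is not artifact-store's
`tests/integration/test_storage_s3_minio.py` or `scripts/minio_local_smoke.sh`.
It shows the skip-by-default env gating, the liveness URL the fixture polls,
the part plan a multipart test has to respect (non-final parts of at least
5 MiB, or the server answers `EntityTooSmall`), and the inclusive-end range
semantics a range-read test must assert. Only `ARTIFACTSTORE_MINIO_ENDPOINT_URL`
is a name taken from the workplan; the other variable names, the loopback-only
rule for plaintext endpoints, and the helper names are assumptions.

```python
"""Opt-in live MinIO harness helpers (added example, not project code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Assumed env contract: the live tests run only when all four are set.
REQUIRED_ENV = (
    "ARTIFACTSTORE_MINIO_ENDPOINT_URL",  # name from the workplan
    "ARTIFACTSTORE_MINIO_BUCKET",        # assumed name
    "ARTIFACTSTORE_MINIO_ACCESS_KEY",    # assumed name
    "ARTIFACTSTORE_MINIO_SECRET_KEY",    # assumed name
)
# S3 and MinIO reject non-final multipart parts below 5 MiB (EntityTooSmall).
MIN_PART_SIZE = 5 * 1024 * 1024
LOOPBACK_HOSTS = ("127.0.0.1", "localhost", "::1")


@dataclass(frozen=True)
class LiveTarget:
    endpoint_url: str
    bucket: str
    access_key: str
    secret_key: str

    @property
    def health_url(self) -> str:
        # MinIO liveness probe; a local fixture waits for HTTP 200 here.
        return self.endpoint_url + "/minio/health/live"


def live_target(env: Mapping[str, str]) -> tuple[Optional[LiveTarget], str]:
    """Return (target, "") when the env contract is complete, else (None, reason).

    A missing variable is a skip, never a failure, so CI without an approved
    endpoint stays green without pretending the live tests ran.
    """
    missing = [name for name in REQUIRED_ENV if not env.get(name)]
    if missing:
        return None, "live MinIO harness skipped; unset: " + ", ".join(missing)
    url = env["ARTIFACTSTORE_MINIO_ENDPOINT_URL"].rstrip("/")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None, f"endpoint must be an http(s) URL with a host: {url!r}"
    # Assumed policy: static keys travel over plaintext only to a loopback fixture.
    if parts.scheme == "http" and parts.hostname not in LOOPBACK_HOSTS:
        return None, "plaintext endpoint allowed only on loopback; use https"
    return LiveTarget(
        endpoint_url=url,
        bucket=env["ARTIFACTSTORE_MINIO_BUCKET"],
        access_key=env["ARTIFACTSTORE_MINIO_ACCESS_KEY"],
        secret_key=env["ARTIFACTSTORE_MINIO_SECRET_KEY"],
    ), ""


def multipart_parts(total_size: int, part_size: int = MIN_PART_SIZE) -> list[tuple[int, int, int]]:
    """Plan (part_number, offset, length) slices for a multipart upload.

    Every part but the last must be at least MIN_PART_SIZE; the last may be
    smaller. Part numbers start at 1, as the API requires.
    """
    if total_size <= 0:
        raise ValueError("nothing to upload")
    if part_size < MIN_PART_SIZE:
        raise ValueError("part_size is below the 5 MiB minimum for non-final parts")
    parts: list[tuple[int, int, int]] = []
    offset = 0
    while offset < total_size:
        length = min(part_size, total_size - offset)
        parts.append((len(parts) + 1, offset, length))
        offset += length
    return parts


def range_header(start: int, end: Optional[int] = None) -> str:
    """HTTP Range value for a byte slice; 'end' is inclusive (RFC 9110)."""
    if start < 0 or (end is not None and end < start):
        raise ValueError("invalid byte range")
    return f"bytes={start}-" if end is None else f"bytes={start}-{end}"


def expected_range(payload: bytes, start: int, end: Optional[int] = None) -> bytes:
    """Bytes a correct server returns for range_header(start, end) on payload."""
    return payload[start:] if end is None else payload[start:end + 1]
```

A live test built on these helpers calls `live_target(os.environ)` first and
skips with the returned reason; the round-trip test then compares the body
returned for `range_header(start, end)` against `expected_range(...)`, and the
multipart test feeds `multipart_parts(len(payload))` to `upload_part` so the
part sizes are valid before the call ever reaches the server.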
## D7.3 - STS Credential Vending Assessment For NetKingdom
```task
id: ARTIFACT-STORE-WP-0007-T003
status: done
priority: high
state_hub_task_id: "d3d5c4c1-d3b2-4163-b99d-1b08f90566d1"
```
Acceptance:
- Inventory NetKingdom's current object-storage credential path,
including backup jobs and any S3/MinIO secrets.
- Determine whether Keycloak/Authelia/local-identity can act as the OIDC
identity provider for MinIO-compatible `AssumeRoleWithWebIdentity`.
- Produce a target architecture for credential vending: issuer,
token audience, role/policy mapping, expiration, revocation, audit,
and break-glass behavior.
Completed 2026-07-02: added `docs/sts-credential-vending-assessment.md`,
specializing the NetKingdom baseline
(`net-kingdom/docs/object-storage-sts-credential-vending.md`, NK-WP-0007)
for artifact-store. Inventory found no production-live object-storage
credentials yet (artifact-store static-ref bridge; CNPG backup lane parked
pre-provisioning), confirmed key-cape/Keycloak as viable MinIO
`AssumeRoleWithWebIdentity` issuers (Authelia rejected: no IAM Profile
claims; local-identity sandbox-only), and bound the target architecture:
vending-service audience, flex-auth decision vocabulary, 15-60 min leases
with refresh jitter, audit event shape, and break-glass rules.
Key code finding for D7.4: `S3BackendConfig` lacks `session_token` and the
`aioboto3.Session` omits `aws_session_token`, so STS-vended credentials
cannot be consumed until that gap is closed.
## D7.4 - Artifact-Store Temporary Credential Support
```task
id: ARTIFACT-STORE-WP-0007-T004
status: todo
priority: medium
state_hub_task_id: "9b80057a-d86e-4f14-9d14-928ee29f970d"
```
Acceptance:
- Decide whether artifact-store's S3 backend needs dynamic credential
refresh for STS-vended credentials or whether refresh belongs in a
sidecar/secret controller.
- If needed, design the minimal configuration shape for short-lived
credentials without storing them in request bodies or event payloads.
- Verify that `artifactstore storage verify --backend s3` can run with
temporary credentials.
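What the D7.3 finding and the D7.4 configuration shape imply, as an added
example that is not artifact-store or NetKingdom code and does not touch the
real `S3BackendConfig`: parse an `AssumeRoleWithWebIdentity` response, carry
the session token together with the key pair (the field the assessment found
missing from the `aioboto3.Session` call), decide when to refresh inside the
lease with per-lease jitter, and emit an audit event that identifies the lease
without ever containing the secret or the token. The class and function names,
the headroom and jitter values, and the sample response body are assumptions;
the XML layout is the STS response format that MinIO's STS API mirrors.

```python
"""STS-vended temporary credentials for a MinIO-compatible S3 backend (added example)."""
from __future__ import annotations

import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample in the STS response layout; the values are not a real lease.
SAMPLE_STS_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    <Credentials>
      <AccessKeyId>EXAMPLEACCESSKEY0001</AccessKeyId>
      <SecretAccessKey>example-secret-not-real-0000000000000000</SecretAccessKey>
      <SessionToken>example.session.token.not.real</SessionToken>
      <Expiration>2026-07-02T12:30:00Z</Expiration>
    </Credentials>
  </AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>
"""
_FIELDS = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")


def utc(*parts: int) -> datetime:
    """Shorthand for a timezone-aware UTC datetime."""
    return datetime(*parts, tzinfo=timezone.utc)


@dataclass(frozen=True)
class TemporaryS3Credentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime  # timezone-aware, UTC


def parse_sts_response(body: bytes) -> TemporaryS3Credentials:
    """Pull the Credentials block out of the STS XML, ignoring the namespace."""
    found: dict[str, str] = {}
    for el in ET.fromstring(body).iter():
        name = el.tag.rsplit("}", 1)[-1]  # "{ns}Name" -> "Name"
        if name in _FIELDS:
            found[name] = (el.text or "").strip()
    missing = [f for f in _FIELDS if not found.get(f)]
    if missing:
        raise ValueError(f"STS response incomplete, missing {missing}")
    exp = datetime.fromisoformat(found["Expiration"].replace("Z", "+00:00"))
    if exp.tzinfo is None:
        raise ValueError("Expiration must carry a timezone")
    return TemporaryS3Credentials(
        found["AccessKeyId"], found["SecretAccessKey"], found["SessionToken"],
        exp.astimezone(timezone.utc),
    )


def refresh_at(creds: TemporaryS3Credentials, issued_at: datetime,
               headroom: timedelta = timedelta(minutes=2),
               max_jitter: timedelta = timedelta(minutes=3)) -> datetime:
    """Point at which the holder should fetch a new lease.

    Refresh a fixed headroom before expiry, pulled earlier by a jitter derived
    from the vended key id, so a fleet holding many leases does not hit the
    vending service at the same instant. Deterministic per lease, which also
    keeps the decision reproducible in tests.
    """
    lease = creds.expiration - issued_at
    if lease <= headroom + max_jitter:
        raise ValueError(f"lease {lease} too short for headroom {headroom} plus jitter {max_jitter}")
    digest = hashlib.sha256(creds.access_key_id.encode()).digest()
    jitter = max_jitter * (int.from_bytes(digest[:4], "big") / 2**32)  # [0, max_jitter)
    return creds.expiration - headroom - jitter


def needs_refresh(creds: TemporaryS3Credentials, issued_at: datetime, now: datetime) -> bool:
    return now >= refresh_at(creds, issued_at)


def session_kwargs(creds: TemporaryS3Credentials) -> dict[str, str]:
    """Keyword arguments for boto3.Session / aioboto3.Session.

    The token is part of the credential: a temporary key pair presented
    without aws_session_token is an unknown key to MinIO/S3 and is rejected.
    """
    return {
        "aws_access_key_id": creds.access_key_id,
        "aws_secret_access_key": creds.secret_access_key,
        "aws_session_token": creds.session_token,
    }


def audit_event(creds: TemporaryS3Credentials, subject: str, audience: str) -> dict[str, str]:
    """Lease-issued audit record: names the lease without leaking it."""
    event = {
        "event": "object_storage.lease_issued",
        "subject": subject,
        "audience": audience,
        "access_key_id": creds.access_key_id,  # public half of the key pair
        "expires_at": creds.expiration.isoformat(),
    }
    # Guard against a future field accidentally carrying secret material.
    if creds.secret_access_key in event.values() or creds.session_token in event.values():
        raise ValueError("audit event must not contain the secret or session token")
    return event
```

The config change D7.4 asks for is the third key in `session_kwargs`: a
`session_token` field on the backend config that is passed through as
`aws_session_token`, with `refresh_at` deciding whether the process or a
sidecar re-runs the vending call. Whichever side owns refresh, only the
access key id and expiry belong in events; the other two values never leave
the process.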
## D7.5 - Follow-Up Workstream Routing
```task
id: ARTIFACT-STORE-WP-0007-T005
status: todo
priority: medium
state_hub_task_id: "614f7918-6fef-4460-b3fc-f9ff3c156422"
```
Acceptance:
- Create or link NetKingdom follow-up work for STS credential vending if
the implementation belongs outside artifact-store.
- Create or link producer-side guide-board/open-cmis-tck work for the
missing `reports/cmis-summary.md` fragment.
- Close this workstream with a decision: adopt existing fork, build
MaxIO, use another S3-compatible store, or defer.
## Success criteria
- Artifact-store no longer treats MinIO as an incidental CI detail; it
has a clear compatibility and governance strategy.
- NetKingdom has a concrete answer on STS credential vending for object
storage.
- Any MaxIO fork work starts only after legal, security, governance,
and community-support duties are explicit.