generated from coulomb/repo-seed
---
id: ARTIFACT-STORE-WP-0007
type: workplan
title: "MinIO Compatibility, MaxIO Fork Assessment, And STS Credential Vending"
repo: artifact-store
domain: infotech
status: active
owner: codex
topic_slug: stack
planning_priority: high
planning_order: 7
created: "2026-05-17"
updated: "2026-06-27"
state_hub_workstream_id: "2f34bb96-7206-4cb5-acdf-43880b57a9ec"
---

# ARTIFACT-STORE-WP-0007: MinIO Compatibility, MaxIO Fork Assessment, And STS Credential Vending

## Purpose

Create a dedicated workstream for the work that should not hold
artifact-store's S3 backend and guide-board pilot workstreams open any
longer: MinIO-compatible test infrastructure, the "MaxIO" fork/community
opportunity, and whether NetKingdom already supports the Security Token
Service (STS) credential-vending pattern for object storage.

## Context

As of 2026-05-17, upstream `minio/minio` is archived/read-only on
GitHub and the README says the repository is no longer maintained.
The same README says Community Edition is now source-only, while the
source remains AGPLv3. The latest GitHub release visible there is
`RELEASE.2025-10-15T17-29-55Z`.

Relevant source references:

- https://github.com/minio/minio
- https://min.io/docs/minio/linux/developers/security-token-service.html
- https://min.io/docs/minio/linux/developers/security-token-service/AssumeRoleWithWebIdentity.html
- https://github.com/OpenMaxIO/openmaxio-object-browser

Initial local scan of `/home/worsch/net-kingdom` found credential
bootstrap, Vault/KeePassXC, OIDC, Keycloak/Authelia, and static S3/MinIO
backup references, but no explicit STS credential-vending implementation
or MinIO `AssumeRoleWithWebIdentity` path yet.

## Constraints

- Do not put MinIO fork or community governance assumptions into the
  artifact-store S3 adapter.
- Treat AGPLv3, trademark/brand, release provenance, and security patch
  obligations as first-class risks before any "MaxIO" fork decision.
- STS credential vending should issue short-lived credentials from
  workload/user identity; long-lived root access keys should not become
  the default integration pattern.
- NetKingdom owns identity/security architecture; artifact-store owns
  whether its S3 backend can consume vended temporary credentials.

## D7.1 - MinIO / Fork Landscape Assessment

```task
id: ARTIFACT-STORE-WP-0007-T001
status: done
priority: high
state_hub_task_id: "11d84b56-be7a-4013-8e21-36b7b656b69b"
```

Acceptance:

- Record a dated assessment of upstream MinIO status, latest usable
  source tag, AGPL obligations, removed/enterprise-shifted features,
  and available community forks.
- Compare at least: upstream source build, OpenMaxIO UI pieces, Pigsty
  MinIO fork, Garage, RustFS, SeaweedFS, and Ceph RGW.
- Decide whether "MaxIO" should be a direct fork, a packaging/build
  distribution, a compatibility profile, or not pursued.

Progress 2026-06-27:

- Added `docs/minio-compatibility-landscape-2026-06-27.md`, recording the dated
  source/fork/object-store assessment and deciding that artifact-store should
  pursue a compatibility profile rather than a direct MaxIO server fork.
- Verified current source references for upstream MinIO archive/tag posture,
  MinIO AIStor STS/OIDC shape, OpenMaxIO UI scope, Garage, RustFS, SeaweedFS,
  and Ceph RGW.
- D7.1 is done; follow-up implementation remains in D7.2-D7.5.

## D7.2 - MinIO Compatibility Harness

```task
id: ARTIFACT-STORE-WP-0007-T002
status: done
priority: high
state_hub_task_id: "c826f3ac-2ed7-4150-aa7c-e778ae71a72b"
```

Acceptance:

- Restore or define the dependency/bootstrap path for MinIO-compatible
  integration tests (`uv`/Python deps, Docker/testcontainers or a
  deterministic compose fixture).
- Run artifact-store S3 backend tests against the selected MinIO or fork
  target.
- Document manual smoke commands and expected health/verify outputs.

Progress 2026-06-27:

- Added skipped-by-default live MinIO tests in
  `tests/integration/test_storage_s3_minio.py`. The harness runs only when an
  operator supplies `ARTIFACTSTORE_MINIO_ENDPOINT_URL`, bucket, access key, and
  secret key through the local environment.
- Added `make test-minio` and documented the manual MinIO smoke in
  `docs/OPERATOR.md`, including required permissions and the non-secret
  application-level `ARTIFACTSTORE_S3_*_REF` mapping.
- Remaining D7.2 gate: run the harness against an approved MinIO-compatible
  endpoint and capture the health/round-trip/multipart result.

Completed 2026-07-02:

- Added the deterministic local fixture `scripts/minio_local_smoke.sh` and
  `make test-minio-local`: it starts a throwaway `minio/minio:latest`
  container bound to `127.0.0.1:19000` with one-run generated credentials,
  waits for `/minio/health/live` (HTTP 200), creates the smoke bucket via
  `mc`, runs `make test-minio`, and tears the container down on exit.
- Live run passed against MinIO server (image digest `sha256:14cea493...`):
  `test_live_minio_round_trip_with_range` and
  `test_live_minio_multipart_upload`, 2 passed. Health, round-trip with
  range reads, and multipart upload are all verified against a real MinIO
  endpoint; no credentials persisted anywhere. The recorded digest, not the
  `latest` tag, is what makes a later rerun comparable to this one.
- This closes D7.2's bootstrap-path, live-run, and documentation acceptance.
  Runs against a production/approved shared endpoint remain possible with the
  same `make test-minio` env contract whenever an operator supplies one.

## D7.3 - STS Credential Vending Assessment For NetKingdom

```task
id: ARTIFACT-STORE-WP-0007-T003
status: done
priority: high
state_hub_task_id: "d3d5c4c1-d3b2-4163-b99d-1b08f90566d1"
```

Acceptance:

- Inventory NetKingdom's current object-storage credential path,
  including backup jobs and any S3/MinIO secrets.
- Determine whether Keycloak/Authelia/local-identity can act as the OIDC
  identity provider for MinIO-compatible `AssumeRoleWithWebIdentity`.
- Produce a target architecture for credential vending: issuer,
  token audience, role/policy mapping, expiration, revocation, audit,
  and break-glass behavior.

Completed 2026-07-02: added `docs/sts-credential-vending-assessment.md`,
specializing the NetKingdom baseline
(`net-kingdom/docs/object-storage-sts-credential-vending.md`, NK-WP-0007) for
artifact-store. Inventory found no production-live object-storage credentials
yet (artifact-store static-ref bridge, CNPG backup lane parked
pre-provisioning), confirmed key-cape/Keycloak as viable MinIO
`AssumeRoleWithWebIdentity` issuers (Authelia rejected: no IAM Profile claims;
local-identity sandbox-only), and bound the target architecture:
vending-service audience, flex-auth decision vocabulary, 15–60 min leases with
refresh jitter, audit event shape, and break-glass rules.
Key code finding for D7.4: `S3BackendConfig` lacks a `session_token` field and
the `aioboto3.Session` construction omits `aws_session_token`, so STS-vended
credentials cannot be consumed until that lands.

## D7.4 - Artifact-Store Temporary Credential Support

```task
id: ARTIFACT-STORE-WP-0007-T004
status: todo
priority: medium
state_hub_task_id: "9b80057a-d86e-4f14-9d14-928ee29f970d"
```

Acceptance:

- Decide whether artifact-store's S3 backend needs dynamic credential
  refresh for STS-vended credentials or whether refresh belongs in a
  sidecar/secret controller.
- If needed, design the minimal configuration shape for short-lived
  credentials without storing them in request bodies or event payloads.
- Verify that `artifactstore storage verify --backend s3` can run with
  temporary credentials.

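Added example covering both the D7.3 code finding (no `session_token` on the config, no `aws_session_token` on the session) and the D7.4 acceptance items; it is not artifact-store, NetKingdom or MinIO code. It builds the `AssumeRoleWithWebIdentity` request body, parses the STS reply into a credential object whose secrets stay out of `repr` and audit events, hands all three credential parts through as the keyword arguments `boto3`/`aioboto3` `Session()` accepts, and refreshes the lease ahead of expiry with jitter. The helper names, the fake clock and `SAMPLE_RESPONSE` are assumptions or constructed data; only the request parameters and reply field names follow the MinIO STS docs linked under Context.

```python
"""Vending and holding STS temporary credentials for an S3 backend (added
example, not artifact-store or MinIO code).  Assumed, not from the page: the
helper names, the fake clock, and SAMPLE_RESPONSE, which is constructed to
follow the AssumeRoleWithWebIdentity reply shape in the MinIO STS docs."""
import random
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional
from urllib.parse import urlencode

MIN_LEASE, MAX_LEASE = 15 * 60, 60 * 60  # D7.3 lease window, in seconds
CRED_FIELDS = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")


@dataclass(frozen=True)
class TemporaryCredentials:
    access_key_id: str
    secret_access_key: str = field(repr=False)  # kept out of repr and logs
    session_token: str = field(repr=False)
    expiration: datetime

    def session_kwargs(self) -> dict:
        """Names boto3/aioboto3 Session() accepts; a config with no session_token
        field drops aws_session_token, and a temporary key is unusable without it."""
        return {"aws_access_key_id": self.access_key_id,
                "aws_secret_access_key": self.secret_access_key,
                "aws_session_token": self.session_token}

    def audit_fields(self) -> dict:
        """The only credential-derived fields that belong in an audit event."""
        return {"access_key_id": self.access_key_id,
                "expires_at": self.expiration.isoformat()}


def build_assume_role_body(web_identity_token: str, duration_seconds: int = 3600) -> str:
    """Form-encoded POST body; the lease is bounded client-side to the D7.3 window."""
    if not MIN_LEASE <= duration_seconds <= MAX_LEASE:
        raise ValueError(f"lease {duration_seconds}s outside {MIN_LEASE}-{MAX_LEASE}s")
    return urlencode({"Action": "AssumeRoleWithWebIdentity", "Version": "2011-06-15",
                      "WebIdentityToken": web_identity_token,
                      "DurationSeconds": str(duration_seconds)})


def parse_assume_role_response(xml_text: str) -> TemporaryCredentials:
    """Extract Credentials (namespaced or not); fail closed on any missing field."""
    found = {}
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]  # strip the xmlns prefix
        if name in CRED_FIELDS and el.text and el.text.strip():
            found[name] = el.text.strip()
    missing = [f for f in CRED_FIELDS if f not in found]
    if missing:
        raise ValueError(f"STS response missing {missing}")
    expiration = datetime.fromisoformat(found["Expiration"].replace("Z", "+00:00"))
    return TemporaryCredentials(found["AccessKeyId"], found["SecretAccessKey"],
                                found["SessionToken"], expiration)


@dataclass
class RefreshingCredentialSource:
    """One cached lease, re-vended ahead of expiry with jitter so a worker fleet
    does not hit the vending service in lockstep."""
    fetch: Callable[[], TemporaryCredentials]
    now: Callable[[], datetime]
    refresh_ahead: timedelta = timedelta(minutes=5)
    jitter: timedelta = timedelta(minutes=2)
    rng: random.Random = field(default_factory=random.Random)
    fetch_count: int = 0
    _current: Optional[TemporaryCredentials] = None
    _refresh_at: Optional[datetime] = None

    def get(self) -> TemporaryCredentials:
        if self._current is None or self.now() >= self._refresh_at:
            creds = self.fetch()
            self.fetch_count += 1
            if creds.expiration <= self.now():
                raise RuntimeError("vending service returned an expired lease")
            skew = timedelta(seconds=self.rng.uniform(0, self.jitter.total_seconds()))
            self._refresh_at = creds.expiration - self.refresh_ahead - skew
            self._current = creds
        return self._current


SAMPLE_RESPONSE = """<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<AssumeRoleWithWebIdentityResult><Credentials>
<AccessKeyId>CONSTRUCTEDACCESSKEY</AccessKeyId><SecretAccessKey>constructed-secret-not-real</SecretAccessKey>
<SessionToken>constructed.session.token</SessionToken><Expiration>2026-07-02T13:00:00Z</Expiration>
</Credentials></AssumeRoleWithWebIdentityResult></AssumeRoleWithWebIdentityResponse>"""  # constructed


def simulate_lease_cycle() -> dict:
    """Fake clock: the 12:00 lease serves every call until ~12:53, then one re-fetch."""
    clock = {"t": datetime(2026, 7, 2, 12, 0, tzinfo=timezone.utc)}
    source = RefreshingCredentialSource(
        fetch=lambda: parse_assume_role_response(SAMPLE_RESPONSE),
        now=lambda: clock["t"], rng=random.Random(7))
    first = source.get()
    clock["t"] += timedelta(minutes=30)  # 12:30, still on the first lease
    same_lease_mid = source.get() is first
    fetches_mid = source.fetch_count
    clock["t"] += timedelta(minutes=25)  # 12:55, inside the refresh window
    source.get()
    return {"session_kwargs_keys": sorted(first.session_kwargs()),
            "audit_fields": first.audit_fields(), "same_lease_mid": same_lease_mid,
            "fetches_mid": fetches_mid, "fetches_end": source.fetch_count,
            "repr_leaks_secret": "constructed-secret" in repr(first)}
```

`simulate_lease_cycle()` runs offline. In a real backend, `fetch` would POST `build_assume_role_body(...)` with the workload's OIDC token to the MinIO endpoint and the resulting `session_kwargs()` would be splatted into `aioboto3.Session(**...)`, which is exactly the spot where today's `S3BackendConfig` has nowhere to carry the token. In-process refresh, as here, is the answer if artifact-store owns the lease; if a sidecar or secret controller owns it, the same three-part credential shape is what the controller writes and the backend re-reads, and in either case only `audit_fields()` should reach an event payload.
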
## D7.5 - Follow-Up Workstream Routing

```task
id: ARTIFACT-STORE-WP-0007-T005
status: todo
priority: medium
state_hub_task_id: "614f7918-6fef-4460-b3fc-f9ff3c156422"
```

Acceptance:

- Create or link NetKingdom follow-up work for STS credential vending if
  the implementation belongs outside artifact-store.
- Create or link producer-side guide-board/open-cmis-tck work for the
  missing `reports/cmis-summary.md` fragment.
- Close this workstream with a decision: adopt existing fork, build
  MaxIO, use another S3-compatible store, or defer.

## Success criteria

- Artifact-store no longer treats MinIO as an incidental CI detail; it
  has a clear compatibility and governance strategy.
- NetKingdom has a concrete answer on STS credential vending for object
  storage.
- Any MaxIO fork work starts only after legal, security, governance,
  and community-support duties are explicit.