add oidc environment variables

2025-02-10 15:26:05 -05:00 · 2025-02-10 15:26:05 -05:00 · b47d0c065c
commit b47d0c065c
parent 4e202ba7d5
3 changed files with 73 additions and 0 deletions
--- a/.env.sample
+++ b/.env.sample
@ -5,5 +5,25 @@ DOMAIN=minio.example.com
 #EXTRA_DOMAINS=', `www.minio.example.com`'
 LETS_ENCRYPT_ENV=production

+COMPOSE_FILE=compose.yml
+
 SECRET_SECRET_KEY_VERSION=v1 # length=20
 SECRET_ACCESS_KEY_VERSION=v1 # length=40
+
+#######################
+##### OIDC CONFIG #####
+#######################
+
+##### Required
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.postgres.yml"
+#MINIO_IDENTITY_OPENID_CONFIG_URL=
+#MINIO_IDENTITY_OPENID_CLIENT_ID=
+#MINIO_IDENTITY_OPENID_CLIENT_SECRET=
+
+##### Optional
+
+#MINIO_IDENTITY_OPENID_CLAIM_NAME=
+#MINIO_IDENTITY_OPENID_CLAIM_PREFIX=
+#MINIO_IDENTITY_OPENID_SCOPES=
+#MINIO_IDENTITY_OPENID_COMMENT=
--- a/compose.oidc.yml
+++ b/compose.oidc.yml
@ -0,0 +1,20 @@
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - oidc_secret
+    environment:
+      - MINIO_IDENTITY_OPENID_CONFIG_URL
+      - MINIO_IDENTITY_OPENID_CLIENT_ID
+      - MINIO_IDENTITY_OPENID_CLIENT_SECRET
+      - MINIO_IDENTITY_OPENID_CLAIM_NAME
+      - MINIO_IDENTITY_OPENID_CLAIM_PREFIX
+      - MINIO_IDENTITY_OPENID_SCOPES
+      - MINIO_IDENTITY_OPENID_REDIRECT_URI
+      - MINIO_IDENTITY_OPENID_COMMENT
+
+secrets:
+  oidc_secret:
+    name: ${STACK_NAME}_oidc_secret_${SECRET_OIDC_SECRET_VERSION}
+    external: true
--- a/entrypoint.sh.tml
+++ b/entrypoint.sh.tml
@ -0,0 +1,33 @@
+#!/bin/sh
+
+
+if [ -f /run/secrets/oidc_secret ]; then
+  export MINIO_IDENTITY_OPENID_CLIENT_SECRET=$(cat /run/secrets/oidc_secret)
+else
+  echo "OIDC secret not found, skipping."
+fi
+
+
+# If command starts with an option, prepend minio.
+if [ "${1}" != "minio" ]; then
+	if [ -n "${1}" ]; then
+		set -- minio "$@"
+	fi
+fi
+
+docker_switch_user() {
+	if [ -n "${MINIO_USERNAME}" ] && [ -n "${MINIO_GROUPNAME}" ]; then
+		if [ -n "${MINIO_UID}" ] && [ -n "${MINIO_GID}" ]; then
+			chroot --userspec=${MINIO_UID}:${MINIO_GID} / "$@"
+		else
+			echo "${MINIO_USERNAME}:x:1000:1000:${MINIO_USERNAME}:/:/sbin/nologin" >>/etc/passwd
+			echo "${MINIO_GROUPNAME}:x:1000" >>/etc/group
+			chroot --userspec=${MINIO_USERNAME}:${MINIO_GROUPNAME} / "$@"
+		fi
+	else
+		exec "$@"
+	fi
+}
+
+## DEPRECATED and unsupported - switch to user if applicable.
+docker_switch_user "$@"