s3: add minio in docker-compose.yaml

Signed-off-by: hmoazzem <[email protected]>

Author: hmoazzem

README.md

@@ -7,11 +7,11 @@
 edge configures and manages:
 
 * [PostgreSQL](https://www.postgresql.org/): The world's most advanced open source database
-* [ZITADEL](https://github.com/zitadel/zitadel) - Centralized identity provider (OIDC)
-* [SeaweedFS](https://github.com/seaweedfs/seaweedfs) - S3-compatible object storage
-* [edgeflare/pgo](https://github.com/edgeflare/pgo) - PostgREST-compatible API and Debezium-compatible CDC
-* [NATS](https://nats.io) - Message streaming platform
-* [envoyproxy](https://github.com/envoyproxy/envoy) - Cloud-native high-performance edge/middle/service proxy
+* [ZITADEL](https://github.com/zitadel/zitadel): Centralized identity provider (OIDC)
+* [MinIO](https://github.com/minio/minio) / [SeaweedFS](https://github.com/seaweedfs/seaweedfs): S3-compatible object storage
+* [NATS](https://nats.io): Message streaming platform
+* [envoy](https://github.com/envoyproxy/envoy): Cloud-native high-performance edge/middle/service proxy
+* [edgeflare/pgo](https://github.com/edgeflare/pgo): PostgREST-compatible API and Debezium-compatible CDC
 
 for a unified backend - similar to Firebase, Supabase, Pocketbase etc. And with scaling capabilities.
 
@@ -54,7 +54,7 @@ docker compose up -d
 
 #### Use the centralized IdP for authorization in Postgres via `pgo rest` (PostgREST API)
 
-Configure ZITADEL. Adjust the domain in env vars, and in `internal/util/envoy/config.yaml`
+Configure ZITADEL. Adjust the domain in env vars, and in `internal/stack/envoy/config.yaml`
 
 ```sh
 export ZITADEL_HOSTNAME=iam.192-168-0-121.sslip.io
@@ -65,14 +65,14 @@ export ZITADEL_JWK_URL=http://$ZITADEL_HOSTNAME/oauth/v2/keys
 ```
 
 ```sh
-go run ./internal/util/configure/...
+go run ./internal/stack/configure/...
 ```
 
 The above go code creates, among others, an OIDC client which pgo uses for authN/authZ. Any OIDC compliant Identity Provider (eg , Keycloak, Auth0) can be used; pgo just needs the client credentials.
 
 Once ZITADEL is configured, revert the ports (use 80 for envoy), and `docker compose down && docker compose up -d`
 
-Visit ZITADEL UI (eg at http://iam.192-168-0-121.sslip.io), login (see docker-compose.yaml) and regenerate client-secret for oauth2-proxy client in edge project. Then update `internal/util/pgo/config.yaml` with the values. Again, `docker compose down && docker compose up -d`
+Visit ZITADEL UI (eg at http://iam.192-168-0-121.sslip.io), login (see docker-compose.yaml) and regenerate client-secret for oauth2-proxy client in edge project. Then update `internal/stack/pgo/config.yaml` with the values. Again, `docker compose down && docker compose up -d`
 
 #### `pgo rest`: PostgREST-compatible REST API
 

docker-compose.yaml

@@ -76,7 +76,7 @@ services:
   envoy-controlplane:
     build:
       context: "."
-      dockerfile: "./internal/util/envoy/Containerfile"
+      dockerfile: "./internal/stack/envoy/Containerfile"
     entrypoint: /envoy-controlplane
     ports:
     - 18000:18000 # xds-server
@@ -92,8 +92,8 @@ services:
     - 9901:9901      # admin
     - 80:10080       # http-proxy
     volumes:
-    # - $PWD/internal/util/envoy/bootstrap.yaml:/etc/bootstrap.yaml:rw,Z   # when used with envoy-controlplane
-    - $PWD/internal/util/envoy/config.yaml:/etc/config.yaml:rw,Z           # hard-coded config
+    # - $PWD/internal/stack/envoy/bootstrap.yaml:/etc/bootstrap.yaml:rw,Z   # when used with envoy-controlplane
+    - $PWD/internal/stack/envoy/config.yaml:/etc/config.yaml:rw,Z           # hard-coded config
     depends_on:
     - envoy-controlplane
 
@@ -103,7 +103,7 @@ services:
     ports:
     - 8080:8080
     volumes:
-    - $PWD/internal/util/pgo/config.yaml:/rest/config.yaml:rw,Z
+    - $PWD/internal/stack/pgo/config.yaml:/rest/config.yaml:rw,Z
     depends_on:
       app-db:
         condition: service_healthy
@@ -114,13 +114,48 @@ services:
     image: ghcr.io/edgeflare/pgo
     command: [pipeline, --config, /pipeline/config.yaml]
     volumes:
-    - $PWD/internal/util/pgo/config.yaml:/pipeline/config.yaml:rw,Z
+    - $PWD/internal/stack/pgo/config.yaml:/pipeline/config.yaml:rw,Z
     depends_on:
       auth-db:
         condition: service_healthy
       app-db:
         condition: service_healthy
 
+  minio:
+    image: quay.io/minio/minio
+    command: [server, --console-address, ":9001"]
+    environment:
+      MINIO_ROOT_USER: minioadmin
+      MINIO_ROOT_PASSWORD: minio-secret-key-change-me
+      MINIO_VOLUMES: /mnt/data
+      MINIO_BROWSER_REDIRECT_URL: http://minio.127-0-0-1.sslip.io
+      # OIDC
+      MINIO_IDENTITY_OPENID_CLIENT_ID: "311219429557993516"
+      MINIO_IDENTITY_OPENID_CLIENT_SECRET: "PdcOM6b3h2pcdAVc3es83PY62EVLATiMjQrela1IYChAhTbkr1RX5MNqCvMMLauw"
+      MINIO_IDENTITY_OPENID_DISPLAY_NAME: "Login with SSO"
+      MINIO_IDENTITY_OPENID_CONFIG_URL: http://iam.192-168-0-121.sslip.io/.well-known/openid-configuration
+      MINIO_IDENTITY_OPENID_CLAIM_NAME: policy_minio
+      MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC: on
+      MINIO_IDENTITY_OPENID_CLAIM_USERINFO: on
+      MINIO_IDENTITY_OPENID_COMMENT: "OIDC Identity Provider"
+      # notify postgres
+      MINIO_NOTIFY_POSTGRES_ENABLE: on
+      MINIO_NOTIFY_POSTGRES_CONNECTION_STRING: "host=app-db port=5432 user=postgres password=postgrespw dbname=main sslmode=prefer" 
+      MINIO_NOTIFY_POSTGRES_FORMAT: namespace
+      MINIO_NOTIFY_POSTGRES_ID: minioevents
+      MINIO_NOTIFY_POSTGRES_TABLE: minioevents
+    volumes:
+    - minio:/mnt/data
+    ports:
+    - 9000:9000
+    - 9001:9001
+    depends_on:
+      app-db:
+        condition: service_healthy
+      iam-zitadel:
+        condition: service_healthy
+      # should also wait for initdb, zitadel client creation
+
   init-app-db:
     image: docker.io/bitnami/postgresql:17
     environment:
@@ -167,11 +202,26 @@ services:
           END IF;
           GRANT anon TO authn;
           GRANT authn to pgo;
+          IF NOT EXISTS (
+            SELECT 1
+            FROM pg_roles
+            WHERE rolname = 'minio'
+          ) THEN
+            CREATE ROLE minio WITH LOGIN PASSWORD 'miniopw';
+          END IF;
         END
         \$\$;
+
+        CREATE TABLE IF NOT EXISTS public.minioevents (
+          key CHARACTER VARYING PRIMARY KEY
+        );
+        
+        GRANT USAGE ON SCHEMA public to minio;
+        GRANT ALL PRIVILEGES ON TABLE public.minioevents TO minio;
       "
     restart: on-failure
 
 volumes:
   app-db:
   auth-db:
+  minio:

internal/util/configure/main.go internal/stack/configure/main.go

@@ -1,7 +1,7 @@
 package main
 
 import (
-	"github.com/edgeflare/edge/internal/util/zitadel"
+	"github.com/edgeflare/edge/internal/stack/zitadel"
 )
 
 func main() {

internal/util/emqx/configure.go internal/stack/emqx/configure.go

@@ -8,9 +8,9 @@ COPY ./go.mod go.mod
 COPY ./go.sum go.sum
 RUN go mod download
 
-COPY ./internal/util/envoy internal/util/envoy
+COPY ./internal/stack/envoy internal/stack/envoy
 
-RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o envoy-controlplane ./internal/util/envoy
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o envoy-controlplane ./internal/stack/envoy
 
 # runtime image
 FROM gcr.io/distroless/static:nonroot

internal/util/envoy/Containerfile internal/stack/envoy/Containerfile

@@ -53,6 +53,38 @@ static_resources:
                 allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,custom-header-1,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout
                 max_age: "1728000"
                 expose_headers: custom-header-1,grpc-status,grpc-message
+            - name: minio_console_service
+              domains: ["minio.127-0-0-1.sslip.io"]
+              routes:
+              - match: { prefix: "/" }
+                route:
+                  cluster: minio_console_service
+                  timeout: 0s
+                  max_stream_duration:
+                    grpc_timeout_header_max: 0s
+              cors:
+                allow_origin_string_match:
+                - prefix: "*"
+                allow_methods: GET, PUT, DELETE, POST, OPTIONS
+                allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,custom-header-1,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout
+                max_age: "1728000"
+                expose_headers: custom-header-1,grpc-status,grpc-message
+            - name: minio_s3_service
+              domains: ["s3.127-0-0-1.sslip.io"]
+              routes:
+              - match: { prefix: "/" }
+                route:
+                  cluster: minio_s3_service
+                  timeout: 0s
+                  max_stream_duration:
+                    grpc_timeout_header_max: 0s
+              cors:
+                allow_origin_string_match:
+                - prefix: "*"
+                allow_methods: GET, PUT, DELETE, POST, OPTIONS
+                allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,custom-header-1,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout
+                max_age: "1728000"
+                expose_headers: custom-header-1,grpc-status,grpc-message
           http_filters:
           - name: envoy.filters.http.grpc_web
             typed_config:
@@ -72,7 +104,6 @@ static_resources:
       envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
         "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
         explicit_http_config:
-          # http_protocol_options: {}
           http2_protocol_options: {}
     lb_policy: round_robin
     load_assignment:
@@ -84,7 +115,6 @@ static_resources:
               socket_address:
                 address: iam-zitadel
                 port_value: 8080
-
   - name: pgo_rest_service
     connect_timeout: 0.25s
     type: LOGICAL_DNS
@@ -93,7 +123,6 @@ static_resources:
         "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
         explicit_http_config:
           http_protocol_options: {}
-          # http2_protocol_options: {}
     lb_policy: round_robin
     load_assignment:
       cluster_name: pgo_rest_cluster
@@ -104,3 +133,39 @@ static_resources:
               socket_address:
                 address: pgo-rest
                 port_value: 8080
+  - name: minio_console_service
+    connect_timeout: 0.25s
+    type: LOGICAL_DNS
+    typed_extension_protocol_options:
+      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+        explicit_http_config:
+          http_protocol_options: {}
+    lb_policy: round_robin
+    load_assignment:
+      cluster_name: minio_console_cluster
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: minio
+                port_value: 9001
+  - name: minio_s3_service
+    connect_timeout: 0.25s
+    type: LOGICAL_DNS
+    typed_extension_protocol_options:
+      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+        explicit_http_config:
+          http_protocol_options: {}
+    lb_policy: round_robin
+    load_assignment:
+      cluster_name: minio_s3_cluster
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: minio
+                port_value: 9000

internal/util/envoy/bootstrap.yaml internal/stack/envoy/bootstrap.yaml

@@ -1,11 +1,11 @@
-set xds_cluster socket_address to `address: 0.0.0.0` in `internal/util/envoy/bootstrap.yaml`
+set xds_cluster socket_address to `address: 0.0.0.0` in `internal/stack/envoy/bootstrap.yaml`
 
 ```sh
-envoy --config-path internal/util/envoy/bootstrap.yaml --base-id 1
+envoy --config-path internal/stack/envoy/bootstrap.yaml --base-id 1
 ```
 
 ```sh
-go run ./internal/util/envoy
+go run ./internal/stack/envoy
 ```
 
 ```sh

internal/util/envoy/config.yaml internal/stack/envoy/config.yaml

@@ -5,7 +5,7 @@ import (
 	"flag"
 	"os"
 
-	"github.com/edgeflare/edge/internal/util/envoy/controlplane"
+	"github.com/edgeflare/edge/internal/stack/envoy/controlplane"
 	"github.com/envoyproxy/go-control-plane/pkg/cache/v3"
 	"github.com/envoyproxy/go-control-plane/pkg/server/v3"
 	"github.com/envoyproxy/go-control-plane/pkg/test/v3"

internal/util/envoy/controlplane/logger.go internal/stack/envoy/controlplane/logger.go

@@ -25,16 +25,17 @@ import (
 
 var (
 	logger  *zap.Logger
-	issuer  = cmp.Or(os.Getenv("ZITADEL_ISSUER"), "http://iam.example.local")
-	api     = cmp.Or(os.Getenv("ZITADEL_API"), "iam.example.local:80")
+	issuer  = cmp.Or(os.Getenv("ZITADEL_ISSUER"), "http://iam.127-0-0-1.sslip.io")
+	api     = cmp.Or(os.Getenv("ZITADEL_API"), "iam.127-0-0-1.sslip.io:80")
 	keyPath = cmp.Or(os.Getenv("ZITADEL_KEY_PATH"), "__zitadel-machinekey/zitadel-admin-sa.json")
 )
 
 const (
 	EDGE_PROJECT_NAME       = "edge"
 	OIDC_CLIENT_EDGE        = "edge-ui"
 	OIDC_CLIENT_OAUTH2PROXY = "oauth2-proxy"
-	// OIDC_CLIENT_S3          = "seaweedfs"
+	OIDC_CLIENT_MINIO       = "minio"
+	OIDC_CLIENT_S3          = "seaweedfs"
 )
 
 func init() {
@@ -89,11 +90,11 @@ func Configure() {
 	}
 	logger.Info("ensured OAuth2 Proxy app", zap.Any("app", oauth2ProxyApp))
 
-	// minioClientApp, err := ensureMinioClientApp(ctx, client, createdProject.Id)
-	// if err != nil {
-	// 	logger.Fatal("failed to ensure MinIO client app", zap.Error(err))
-	// }
-	// logger.Info("ensured MinIO client app", zap.Any("app", minioClientApp))
+	minioClientApp, err := ensureMinioClientApp(ctx, client, createdProject.Id)
+	if err != nil {
+		logger.Fatal("failed to ensure MinIO client app", zap.Error(err))
+	}
+	logger.Info("ensured MinIO client app", zap.Any("app", minioClientApp))
 }
 
 func createZitadelClient(issuer, api string) (*management.Client, error) {
@@ -450,6 +451,55 @@ func setTriggers(ctx context.Context, client *management.Client, actionIds []str
 	return nil
 }
 
+func ensureMinioClientApp(ctx context.Context, client *management.Client, projectID string) (*app.App, error) {
+	apps, err := listApps(ctx, client, projectID)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, app := range apps {
+		if app.Name == OIDC_CLIENT_MINIO {
+			return app, nil
+		}
+	}
+
+	// Create OIDC app for MinIO
+	createdMinioApp, err := client.AddOIDCApp(ctx, &managementpb.AddOIDCAppRequest{
+		ProjectId: projectID,
+		Name:      OIDC_CLIENT_MINIO,
+		RedirectUris: []string{
+			// TODO: don't hardcode
+			"http://127.0.0.1:9001/oauth_callback",
+			"http://minio.127-0-0-1.sslip.io/oauth_callback",
+		},
+		ResponseTypes: []app.OIDCResponseType{app.OIDCResponseType_OIDC_RESPONSE_TYPE_CODE},
+		GrantTypes: []app.OIDCGrantType{
+			app.OIDCGrantType_OIDC_GRANT_TYPE_AUTHORIZATION_CODE,
+			app.OIDCGrantType_OIDC_GRANT_TYPE_REFRESH_TOKEN,
+		},
+		AppType: app.OIDCAppType_OIDC_APP_TYPE_WEB,
+
+		AuthMethodType: app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_BASIC,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	createdApp, err := client.GetAppByID(ctx, &managementpb.GetAppByIDRequest{
+		ProjectId: projectID,
+		AppId:     createdMinioApp.AppId,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	return createdApp.App, nil
+}
+
 /*
 // setPasswordChangeRequired sets ChangeRequired=false for the admin user
 func setPasswordChangeRequired(ctx context.Context, client *userv2.Client) (*user.SetPasswordResponse, error) {