6.6. Use external S3-compatible object storage#
Nubus for Kubernetes needs an S3-compatible object storage for various application components. This section describes how to configure Nubus for Kubernetes to use an external S3-compatible object storage. First, you need to prepare a bucket in your S3-compatible storage. Second, you must configure your Nubus deployment to use the storage.
Important
Nubus for Kubernetes includes a deployment for MinIO. However, Univention doesn’t provide support for the MinIO deployment within Nubus.
See also
- S3-compatible object storage as architectural piece in Nubus
in Univention Nubus for Kubernetes - Architecture Manual [2] for information about application components using S3-compatible object storage.
6.6.1. Scenarios#
The S3-compatible object storage receives objects from the Portal Consumer and provides them to the Portal Server. The S3-compatible object storage doesn’t need public access. It involves the following actors inside the Kubernetes cluster:
Portal Consumer
Portal Server
6.6.2. Prepare external S3-compatible object storage for Nubus#
Before you can connect Nubus for Kubernetes to your S3-compatible storage, you need to prepare it properly. Also consider the Scenarios section. This section describes the necessary steps.
Create a private bucket in your S3-compatible storage for the Nubus assets. Nubus creates the folders it needs inside the bucket.
- Important:
Make sure that you configure the bucket as a private bucket, and verify it, for example by requesting an object from the bucket without any credentials: the request must fail. The bucket holds the portal configuration that the Portal Server serves to users, and it mustn't be readable anonymously.
Create an account and a policy for read access to portal-data for the Portal Server. Remember the access key and the secret key for each account. You need those credentials for the configuration of the Nubus deployment. In MinIO the policy looks similar to Listing 6.11. Listing 6.11 and Listing 6.12 use portal-data as the bucket name; replace it with the name of the bucket you created, otherwise the policies don't match your bucket and the accounts get no access at all.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetBucketLocation",
            "s3:GetObject"
          ],
          "Resource": [
            "arn:aws:s3:::portal-data/*",
            "arn:aws:s3:::portal-data"
          ]
        }
      ]
    }
Create an account and a policy for read and write access to portal-data for the Portal Consumer. Remember the access key and the secret key for each account. You need those credentials for the configuration of the Nubus deployment. In MinIO the policy looks similar to Listing 6.12.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:*"
          ],
          "Resource": [
            "arn:aws:s3:::portal-data",
            "arn:aws:s3:::portal-data/*"
          ]
        }
      ]
    }
Note that s3:* also grants bucket management actions on portal-data, for example changing the bucket policy or deleting the bucket. If your storage supports it, restrict the Portal Consumer to the object actions it needs (at least reading and writing objects) instead of s3:*.
You need to collect the following information about your S3-compatible object storage:
Bucket name
Access key and secret key for each of the users in your storage you created before.
Endpoint URL of your S3-compatible storage. The endpoint URL is from the perspective of actors inside the Nubus deployment in the Kubernetes cluster.
- Example:
https://external-storage.example.com:9000
If your S3-compatible object storage runs in the same cluster, the Kubernetes Service name of the object storage, including its namespace, is enough.
- Example:
https://s3-storage.kubernetes-namespace:9000
After you have configured the bucket and the accounts in your S3-compatible object storage, you can continue with Configure deployment for using external S3-compatible object storage.
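The following script is an added example and not part of the Nubus documentation or of MinIO. It evaluates the two policies of Listing 6.11 and Listing 6.12 offline, the way MinIO and IAM do (an explicit Deny wins, otherwise any matching Allow grants, everything else is implicitly denied), so that you can confirm before handing out keys that the Portal Server account is read-only, see what the s3:* wildcard in the Portal Consumer policy really covers, and see what happens when the bucket name in the policies doesn't match the bucket you created. The object key and the bucket names used for the checks are constructed sample input; only Effect, Action and Resource with wildcards are implemented, IAM conditions are not.

```python
"""Added example, not part of the Nubus documentation: an offline evaluator
for the MinIO policies of Listings 6.11 and 6.12. Only Effect/Action/Resource
with * and ? wildcards are implemented; IAM Conditions are not. The bucket
name portal-data is the one written into the listings; the object key and
the alternative bucket name "nubus" are constructed sample input."""
import json
from fnmatch import fnmatchcase

BUCKET = "portal-data"

# Listing 6.11: read-only policy for the Portal Server account.
PORTAL_SERVER_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["s3:GetBucketLocation", "s3:GetObject"],
  "Resource": ["arn:aws:s3:::portal-data/*", "arn:aws:s3:::portal-data"]}]}
""")

# Listing 6.12: read/write policy for the Portal Consumer account.
PORTAL_CONSUMER_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["s3:*"],
  "Resource": ["arn:aws:s3:::portal-data", "arn:aws:s3:::portal-data/*"]}]}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """True if the policy permits `action` (e.g. "s3:GetObject") on `resource` (an ARN)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False          # an explicit Deny overrides every Allow
        allowed = True
    return allowed


def access_matrix(policy, bucket):
    """What one account may do with `bucket`, object-level and bucket-level."""
    obj = f"arn:aws:s3:::{bucket}/some/folder/object.json"   # constructed object key
    bkt = f"arn:aws:s3:::{bucket}"
    return {
        "read_object": is_allowed(policy, "s3:GetObject", obj),
        "write_object": is_allowed(policy, "s3:PutObject", obj),
        "delete_object": is_allowed(policy, "s3:DeleteObject", obj),
        "list_bucket": is_allowed(policy, "s3:ListBucket", bkt),
        "change_bucket_policy": is_allowed(policy, "s3:PutBucketPolicy", bkt),
        "delete_bucket": is_allowed(policy, "s3:DeleteBucket", bkt),
    }


def check_separation(bucket=BUCKET):
    """Findings for the Portal Server (read-only) / Portal Consumer (read-write) split.

    Passing a bucket name other than the one in the policies shows the effect of
    the mismatch between the policies (portal-data) and Listing 6.14 (nubus):
    neither account gets any access at all.
    """
    server = access_matrix(PORTAL_SERVER_POLICY, bucket)
    consumer = access_matrix(PORTAL_CONSUMER_POLICY, bucket)
    findings = []
    if not server["read_object"]:
        findings.append("Portal Server account cannot read objects")
    if server["write_object"] or server["delete_object"]:
        findings.append("Portal Server account is not read-only")
    if not (consumer["read_object"] and consumer["write_object"]):
        findings.append("Portal Consumer account cannot read and write objects")
    if consumer["change_bucket_policy"] or consumer["delete_bucket"]:
        findings.append("Portal Consumer account may also manage the bucket itself "
                        "(s3:* matches s3:PutBucketPolicy and s3:DeleteBucket)")
    return findings


if __name__ == "__main__":
    for name, policy in (("server", PORTAL_SERVER_POLICY), ("consumer", PORTAL_CONSUMER_POLICY)):
        print(name, access_matrix(policy, BUCKET))
    print(check_separation())          # one finding: s3:* is broader than read/write
    print(check_separation("nubus"))   # two findings: policies don't match this bucket
```

Run it as is and the only finding is the over-broad s3:* in the Portal Consumer policy; run `check_separation("nubus")` to see that a bucket name that differs from the one in the policies leaves both accounts without access, which is what happens if you copy Listing 6.11 and 6.12 verbatim but configure the bucket "nubus" from Listing 6.14.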
6.6.3. Configure deployment for using external S3-compatible object storage#
Before you can configure the external S3-compatible object storage, consider the Scenarios section and Prepare external S3-compatible object storage for Nubus. To use an external S3-compatible object storage for Nubus, go through the following steps:
Add the connection parameters for your external S3-compatible storage to your custom_values.yaml values file. The listing uses the following Helm Chart values:
nubusPortalConsumer.objectStorage.bucketName
    Configures the name of the bucket in the object storage. The Portal Consumer needs to upload and write objects to this bucket.
nubusPortalConsumer.objectStorage.endpoint
    Configures the S3-compatible API endpoint that the Portal Consumer uses to upload objects. The point of view is the service Portal Consumer inside the Kubernetes cluster.
nubusPortalServer.objectStorage.bucketName
    Configures the name of the bucket in the object storage. The Portal Server uses it to read objects.
nubusPortalServer.objectStorage.endpoint
    Configures the S3-compatible API endpoint. The Portal Server uses it to read objects. The point of view is the service Portal Server inside the Kubernetes cluster.
In general, Listing 6.13 is a good start: configure the same bucketName and the same endpoint for the Portal Consumer and the Portal Server. You still need to configure the two application components separately, as shown in Listing 6.14.
Listing 6.13:
    nubusPortalConsumer.objectStorage.bucketName == nubusPortalServer.objectStorage.bucketName
    nubusPortalConsumer.objectStorage.endpoint == nubusPortalServer.objectStorage.endpoint
Listing 6.14:
    nubusPortalConsumer:
      objectStorage:
        bucketName: "nubus"
        endpoint: "https://external-storage.example.com:9000"
    nubusPortalServer:
      objectStorage:
        endpoint: "https://external-storage.example.com:9000"
        bucketName: "nubus"
Add the credentials for the S3-compatible object storage. Make sure to use the right user account for the right section: the read-only account under nubusPortalServer and the read and write account under nubusPortalConsumer. If you swap them, the Portal Consumer can't upload objects, and the Portal Server runs with write access it doesn't need. You can either configure the credentials directly in the values file, or you can refer to existing Kubernetes Secret objects. See the following examples.
- Custom credential configuration
Use the example in Listing 6.15, if you want to provide the credentials directly in the values file. The keys are then stored in clear text in custom_values.yaml; prefer existing Kubernetes Secrets if you keep the values file under version control or share it. The listing uses the following Helm Chart values:
nubusPortalConsumer.objectStorage.auth.accessKeyId
nubusPortalConsumer.objectStorage.auth.secretAccessKey
nubusPortalServer.objectStorage.auth.accessKeyId
nubusPortalServer.objectStorage.auth.secretAccessKey
    nubusPortalConsumer:
      objectStorage:
        auth:
          accessKeyId: "<access-key-for-portal-consumer-user>"
          secretAccessKey: "<secret-key-for-portal-consumer-user>"
    nubusPortalServer:
      objectStorage:
        auth:
          accessKeyId: "<access-key-for-portal-server-user>"
          secretAccessKey: "<secret-key-for-portal-server-user>"
- Kubernetes secrets for credentials configuration
Use the example in Listing 6.16, if you want to use existing Kubernetes Secrets. The Secret objects must exist in the namespace of the Nubus deployment, and the keyMapping entries name the keys inside the Secret's data that hold the access key and the secret key. The listing uses the following Helm Chart values:
nubusPortalConsumer.objectStorage.auth.existingSecret.name
nubusPortalConsumer.objectStorage.auth.existingSecret.keyMapping.access_key_id
nubusPortalConsumer.objectStorage.auth.existingSecret.keyMapping.secret_access_key
nubusPortalServer.objectStorage.auth.existingSecret.name
nubusPortalServer.objectStorage.auth.existingSecret.keyMapping.access_key_id
nubusPortalServer.objectStorage.auth.existingSecret.keyMapping.secret_access_key
    nubusPortalConsumer:
      objectStorage:
        auth:
          existingSecret:
            name: "name-of-secret-object-for-portal-consumer"
            keyMapping:
              access_key_id: "<key-in-secret-object-for-access-key>"
              secret_access_key: "<key-in-secret-object-for-secret-key>"
    nubusPortalServer:
      objectStorage:
        auth:
          existingSecret:
            name: "name-of-secret-object-for-portal-server"
            keyMapping:
              access_key_id: "<key-in-secret-object-for-access-key>"
              secret_access_key: "<key-in-secret-object-for-secret-key>"
After you configured the settings in your values file, you need to make them known to your Nubus deployment. To apply the configuration, follow the steps in Apply configuration.
To verify the configuration, validate that the Portal loads correctly after deployment. The Portal Server reads its configuration from the S3-compatible object storage and customizes the experience that each user has with the Portal. If the Portal doesn't load, the usual causes are a bucket name that differs from the one the policies were written for, an endpoint that isn't reachable from inside the cluster, or credentials attached to the wrong component.
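The following script is an added example and not part of the Nubus documentation or of the Helm chart. It runs an offline pre-flight check over the objectStorage values of Listing 6.13 to Listing 6.16 before you apply them: it resolves the credentials each component would receive, either inline or from an existing Kubernetes Secret through keyMapping, and flags the mistakes that are easy to make here (a missing Secret or Secret key, diverging bucketName or endpoint, a plain-http endpoint, and the same account wired into both components, which silently drops the read-only split). The values and the Secret manifests are constructed dicts with the structure of the YAML listings; for real files, load them with a YAML parser instead. One assumption: when keyMapping is omitted, the script assumes the Secret keys access_key_id and secret_access_key, which you should check against your chart version.

```python
"""Added example, not part of the Nubus documentation or Helm chart: an offline
pre-flight check for the objectStorage values of Listings 6.13 to 6.16.
Assumption: when keyMapping is omitted, the Secret keys default to
access_key_id and secret_access_key (verify against your chart version).
All Secrets and values below are constructed sample input."""
import base64

COMPONENTS = ("nubusPortalConsumer", "nubusPortalServer")
DEFAULT_KEY_MAPPING = {"access_key_id": "access_key_id",
                       "secret_access_key": "secret_access_key"}


def make_secret(name, access_key_id, secret_access_key,
                id_key="access_key_id", secret_key="secret_access_key"):
    """Manifest as `kubectl create secret generic` would emit it (data is base64)."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name},
            "data": {id_key: b64(access_key_id), secret_key: b64(secret_access_key)}}


def resolve_credentials(auth, secrets):
    """(access_key_id, secret_access_key) for one objectStorage.auth block;
    raises ValueError naming exactly what is missing."""
    if "existingSecret" in auth:
        ref = auth["existingSecret"]
        secret = secrets.get(ref.get("name"))
        if secret is None:
            raise ValueError(f"Secret {ref.get('name')!r} does not exist")
        mapping = {**DEFAULT_KEY_MAPPING, **ref.get("keyMapping", {})}
        out = []
        for logical in ("access_key_id", "secret_access_key"):
            key = mapping[logical]
            if key not in secret.get("data", {}):
                raise ValueError(f"Secret {ref['name']!r} has no key {key!r}")
            out.append(base64.b64decode(secret["data"][key]).decode())
        return tuple(out)
    if "accessKeyId" in auth and "secretAccessKey" in auth:
        return auth["accessKeyId"], auth["secretAccessKey"]
    raise ValueError("auth needs accessKeyId/secretAccessKey or existingSecret")


def auth_error(auth, secrets):
    """The error message resolve_credentials would raise, or None if it resolves."""
    try:
        resolve_credentials(auth, secrets)
        return None
    except ValueError as exc:
        return str(exc)


def check_values(values, secrets):
    """Findings for a custom_values.yaml structure; an empty list means consistent."""
    findings = []
    storage = {c: values[c]["objectStorage"] for c in COMPONENTS}
    consumer, server = storage["nubusPortalConsumer"], storage["nubusPortalServer"]
    if consumer["bucketName"] != server["bucketName"]:
        findings.append("bucketName differs between Portal Consumer and Portal Server")
    if consumer["endpoint"] != server["endpoint"]:
        findings.append("endpoint differs between Portal Consumer and Portal Server")
    creds = {}
    for name, cfg in storage.items():
        if not cfg["endpoint"].startswith("https://"):
            findings.append(f"{name}: endpoint is not https, keys and objects travel in clear text")
        error = auth_error(cfg["auth"], secrets)
        if error:
            findings.append(f"{name}: {error}")
        else:
            creds[name] = resolve_credentials(cfg["auth"], secrets)
    if len(creds) == 2 and creds["nubusPortalConsumer"][0] == creds["nubusPortalServer"][0]:
        findings.append("both components use the same access key; the Portal Server is not read-only")
    return findings


# Constructed sample input: two Secrets (the consumer one with custom key names)
# and values in the shape of Listing 6.16 that reference them through keyMapping.
SECRETS = {s["metadata"]["name"]: s for s in (
    make_secret("portal-consumer-s3", "AKCONSUMER", "consumer-secret", "accessKey", "secretKey"),
    make_secret("portal-server-s3", "AKSERVER", "server-secret"),
)}
ENDPOINT = "https://external-storage.example.com:9000"
GOOD_VALUES = {
    "nubusPortalConsumer": {"objectStorage": {"bucketName": "nubus", "endpoint": ENDPOINT,
        "auth": {"existingSecret": {"name": "portal-consumer-s3", "keyMapping": {
            "access_key_id": "accessKey", "secret_access_key": "secretKey"}}}}},
    "nubusPortalServer": {"objectStorage": {"bucketName": "nubus", "endpoint": ENDPOINT,
        "auth": {"existingSecret": {"name": "portal-server-s3"}}}},
}
# Same shape with several mistakes: different bucket names, an http endpoint on the
# Portal Server, and the Portal Consumer's read/write account reused for the Portal Server.
BAD_VALUES = {
    "nubusPortalConsumer": {"objectStorage": {"bucketName": "nubus", "endpoint": ENDPOINT,
        "auth": {"accessKeyId": "AKCONSUMER", "secretAccessKey": "consumer-secret"}}},
    "nubusPortalServer": {"objectStorage": {"bucketName": "portal-data",
        "endpoint": "http://external-storage.example.com:9000",
        "auth": {"existingSecret": {"name": "portal-consumer-s3", "keyMapping": {
            "access_key_id": "accessKey", "secret_access_key": "secretKey"}}}}},
}
```

`check_values(GOOD_VALUES, SECRETS)` returns no findings, `check_values(BAD_VALUES, SECRETS)` reports all four problems, and `auth_error(...)` on an existingSecret whose keyMapping names a key the Secret doesn't have tells you the exact key name, which is the error you otherwise only discover from a component that fails to start after `helm upgrade`.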
See also
- Secrets in Nubus for Kubernetes
for information about different options using secrets in Nubus for Kubernetes.