diff --git a/docs/explanations/advanced.md b/docs/explanations/advanced.md index 02a2d46194..ee3cee554d 100644 --- a/docs/explanations/advanced.md +++ b/docs/explanations/advanced.md @@ -84,11 +84,11 @@ Deployments, Services, Ingresses and Secrets. Reflector is a Kubernetes addon designed to monitor changes to resources (secrets and configmaps) and reflect changes to mirror resources in the same or other namespaces. -### Minio +### SeaweedFS -[Minio project link](https://github.com/minio/minio) +[SeaweedFS project link](https://github.com/seaweedfs/seaweedfs) -Minio is a storage solution implementing the same API as [Amazon S3](https://aws.amazon.com/s3/). +SeaweedFS is a distributed S3-compatible storage used by Epinio to store application source code. When the user pushes an application using a source code directory (with the [`epinio push`](../references/commands/cli/epinio_push.md) command), @@ -97,16 +97,16 @@ It then uploads it to the Epinio API server. The API server copies that to the configured S3 storage for use during the staging of the application. -When installing Epinio, you choose to use external S3 compatible storage, -or let Epinio install one of Minio or s3gw on the cluster. -You can see a [How-to here](../howtos/customization/setup_external_s3.md). +When installing Epinio, you can use external S3 compatible storage, +or let Epinio install SeaweedFS or s3gw on the cluster. +See [Setup external S3](../howtos/customization/setup_external_s3.md). ### s3gw [The s3gw project link](https://github.com/aquarist-labs/s3gw) S3gw is a lightweight S3-compatible solution. -You can specify it in the Epinio Helm chart as an alternative to Minio or an external S3 provider. +You can specify it in the Epinio Helm chart as an alternative to SeaweedFS or an external S3 provider. ### Container registry diff --git a/docs/explanations/detailed-push-process.md b/docs/explanations/detailed-push-process.md index 93cb0ba4f6..034ffe89e0 100644 
--- a/docs/explanations/detailed-push-process.md +++ b/docs/explanations/detailed-push-process.md @@ -29,10 +29,10 @@ BasicAuth, a session cookie or, if using WebSockets, a token. ## Copying the code to S3 (step 2) -The Epinio helm-chart can install either [Minio](https://min.io/) (the default) +The Epinio helm-chart can install either [SeaweedFS](https://github.com/seaweedfs/seaweedfs) (the default) or [s3gw](https://s3gw.io/) on your cluster. You can also [configure external S3](../howtos/customization/setup_external_s3.md). -Both Minio and s3gw are S3-compatible storage solutions which Epinio uses to store application source code. +Both SeaweedFS and s3gw are S3-compatible storage solutions which Epinio uses to store application source code. The chosen S3 storage solution is later used by the staging job. After successful authentication (step 1), diff --git a/docs/explanations/epinio-push-detailed.svg b/docs/explanations/epinio-push-detailed.svg index 6be0a0fbb0..e82171b93c 100644 --- a/docs/explanations/epinio-push-detailed.svg +++ b/docs/explanations/epinio-push-detailed.svg @@ -266,7 +266,7 @@ sodipodi:role="line" id="tspan1306" x="367.26917" - y="325.30356">S3 (Minio) + y="325.30356">S3 (SeaweedFS) \ --set s3.region= \ diff --git a/docs/howtos/other/minio.md b/docs/howtos/other/minio.md deleted file mode 100644 index b38200b0bd..0000000000 --- a/docs/howtos/other/minio.md +++ /dev/null 
@@ -1,85 +0,0 @@ ---- -sidebar_label: Epinio's MinIO service -sidebar_position: 30 -title: Accessing Epinio's internal MinIO service -description: How to access Epinio's internal MinIO service -keywords: [epinio, kubernetes, internal minio service] -doc-type: [how-to] -doc-topic: [epinio, how-to, other, access-minio-service] -doc-persona: [epinio-developer] ---- - -There are several ways to make Epinio's internal S3-compatible MinIO service available to use for debugging. -Here, two are covered, -first exposing the MinIO console web interface, -then accessing the MinIO service through the Amazon Web Services (AWS) CLI. -In both cases you expose the internal service through a Kubernetes `NodePort` service. - -:::caution - -For security reasons, make sure that you delete the exposed services immediately at the end of your debugging session. - -::: - -## Expose MinIO console web interface - -The simplest way to access Epinio's internal MinIO service is using a web browser. -Copy the block below and paste it to a terminal configured to have access to your Kubernetes cluster. - -```bash -kubectl expose pod minio-0 -n epinio --name epinio-console-np --port=9001 --type=NodePort -PORT=$(kubectl get svc -n epinio epinio-console-np -o jsonpath='{.spec.ports[0].nodePort}') -NODE=$(kubectl get nodes -o jsonpath="{.items[0].status.addresses[0].address}") -MINIO_USER=$(kubectl get secrets/minio-creds -n epinio -o=go-template='{{index .data "rootUser" | base64decode}}') -MINIO_PASS=$(kubectl get secrets/minio-creds -n epinio -o=go-template='{{index .data "rootPassword" | base64decode}}') -echo "Minio Console https://$NODE:$PORT, Username: $MINIO_USER Password: $MINIO_PASS" -``` - -The output from the command on the last line is similar to: - -```console -Minio Console https://10.0.0.12:31689, Username: 20bDikQsszYpcrBc Password: kDRHftasmW0CyRjy -``` - -Now you can point your web browser to the MinIO console using the provided URL and credentials. 
- -At the end of your debugging session delete the created service by running: - -```console -kubectl delete service epinio-console-np -n epinio -``` - -## Access Epinio's MinIO through the AWS CLI - -Another method is using the AWS CLI to communicate with the internal S3-compatible MinIO API endpoint. -If you choose this method copy the block below and paste it to a terminal configured to have access to your Kubernetes cluster. - -```bash -kubectl expose pod minio-0 -n epinio --name epinio-api-np --port=9000 --type=NodePort -PORT=$(kubectl get svc -n epinio epinio-api-np -o jsonpath='{.spec.ports[0].nodePort}') -NODE=$(kubectl get nodes -o jsonpath="{.items[0].status.addresses[0].address}") -MINIO_KEY=$(kubectl get secrets/minio-creds -n epinio -o=go-template='{{index .data "accesskey" | base64decode}}') -MINIO_SECRET=$(kubectl get secrets/minio-creds -n epinio -o=go-template='{{index .data "secretkey" | base64decode}}') -``` - -Install AWS CLI according to Amazon's -[Getting Started Guide](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) -and configure it to access the internal MinIO/S3 service as follows: - -```bash -aws configure set aws_access_key_id $MINIO_KEY -aws configure set aws_secret_access_key $MINIO_SECRET -aws configure set default.region us-east-1 -echo "Usage: aws --no-verify-ssl --endpoint-url https://$NODE:$PORT s3 ls" -``` - -For more information about using AWS CLI with S3, see Amazon's -[Getting Started Guide](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) -and also the documentation from -[MinIO](https://min.io/docs/minio/linux/integrations/aws-cli-with-minio.html) on this topic. - -At the end of your debugging session delete the created service by running: - -```console -kubectl delete service epinio-api-np -n epinio -``` diff --git a/docs/howtos/other/seaweedfs.md b/docs/howtos/other/seaweedfs.md new file mode 100644 index 0000000000..73bc1173b4 --- /dev/null 
+++ b/docs/howtos/other/seaweedfs.md 
@@ -0,0 +1,62 @@ +--- +sidebar_label: Epinio's SeaweedFS (S3) service +sidebar_position: 30 +title: Accessing Epinio's internal SeaweedFS S3 service +description: How to access Epinio's internal SeaweedFS S3-compatible service +keywords: [epinio, kubernetes, internal seaweedfs, s3 service] +doc-type: [how-to] +doc-topic: [epinio, how-to, other, access-s3-service] +doc-persona: [epinio-developer] +--- + +Epinio uses [SeaweedFS](https://github.com/seaweedfs/seaweedfs) as its default S3-compatible storage for application source code. +You can expose the internal S3 API for debugging, for example using the Amazon Web Services (AWS) CLI or the MinIO Client (`mc`). +In both cases you expose the internal service through a Kubernetes `NodePort` service. + +:::caution + +For security reasons, delete the exposed services when you finish debugging. + +::: + +## Access Epinio's S3 storage through the AWS CLI + +Expose the SeaweedFS S3 service and use the AWS CLI to talk to it. + +```bash +# Expose the SeaweedFS S3 service (service name may vary; typically seaweedfs-s3) +kubectl expose deployment seaweedfs-s3 -n epinio --name epinio-s3-np --port=8333 --type=NodePort +# If the S3 component is a different workload type, use the appropriate resource (e.g. 
pod or service) +PORT=$(kubectl get svc -n epinio epinio-s3-np -o jsonpath='{.spec.ports[0].nodePort}') +NODE=$(kubectl get nodes -o jsonpath="{.items[0].status.addresses[0].address}") +S3_KEY=$(kubectl get secrets/seaweedfs-creds -n epinio -o=go-template='{{index .data "accesskey" | base64decode}}') +S3_SECRET=$(kubectl get secrets/seaweedfs-creds -n epinio -o=go-template='{{index .data "secretkey" | base64decode}}') +``` + +Install the [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) and configure it for the internal S3 endpoint: + +```bash +aws configure set aws_access_key_id $S3_KEY +aws configure set aws_secret_access_key $S3_SECRET +aws configure set default.region us-east-1 +echo "Usage: aws --no-verify-ssl --endpoint-url https://$NODE:$PORT s3 ls" +``` + +To list the Epinio bucket: + +```bash +aws --no-verify-ssl --endpoint-url https://$NODE:$PORT s3 ls s3://epinio/ +``` + +When you are done, remove the NodePort service: + +```console +kubectl delete service epinio-s3-np -n epinio +``` + +## Access using MinIO Client (mc) + +You can also use the [MinIO Client](https://min.io/docs/minio/linux/reference/minio-mc.html) (`mc`), which works with any S3-compatible API. +After exposing the S3 service as above, configure an alias and use `mc ls`, `mc cp`, etc. as needed. + +For more on S3-compatible access, see [AWS CLI S3](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) and [MinIO Client with S3](https://min.io/docs/minio/linux/integrations/aws-cli-with-minio.html). diff --git a/docs/installation/install_epinio.md b/docs/installation/install_epinio.md index 7d33f1e66f..e257b0c282 100644 --- a/docs/installation/install_epinio.md +++ b/docs/installation/install_epinio.md 
@@ -9,7 +9,7 @@ keywords: [epinio, kubernetes, k8s, installation, install] ## Introduction Epinio is installed from a single Helm chart. -This also installs Reflector, [`MinIO`](#s3-storage), [`Dex`](#dex) and a [container registry](#container-registry) in your Kubernetes cluster. +This also installs Reflector, [SeaweedFS](#s3-storage) (S3-compatible storage), [`Dex`](#dex) and a [container registry](#container-registry) in your Kubernetes cluster. You can disable the installation of these additional "sub" charts by changing the settings as described in their sections below. ## Prerequisites @@ -233,11 +233,11 @@ The configurations under `server.stagingWorkloads` gets mapped to the build scri ### S3 storage Epinio uses an S3 compatible storage to store the application source code. -This chart will install [Minio](https://min.io/) when `.Values.minio.enabled` is +This chart will install [SeaweedFS](https://github.com/seaweedfs/seaweedfs) when `.Values.seaweedfs.enabled` is `true` (default). -In addition to Minio, Epinio offers [s3gw](https://s3gw.io/) as another S3 compatible store. -It is installed when `.Values.minio.enabled` is set to `false` and `.Values.s3gw.enabled` is set to `true`. +In addition to SeaweedFS, Epinio offers [s3gw](https://s3gw.io/) as another S3 compatible store. +It is installed when `.Values.seaweedfs.enabled` is set to `false` and `.Values.s3gw.enabled` is set to `true`. :::caution The s3gw support is __experimental__. 
@@ -248,12 +248,12 @@ If there is an outage of the node where s3gw's pod is currently deployed, k8s wi Both choices for internal S3 compatible storage can be configured to use a user-defined storageClass. If no StorageClass is defined, the default storageClass is used. -When using Minio set the custom storageClass to the value of `.Values.persistance.storageClass`. +When using SeaweedFS set the custom storageClass to the value of `.Values.seaweedfs.persistence.storageClass`. When using s3gw set the custom storageClass to the value of `.Values.s3gw.storageClass.name`. -Use any external S3 compatible solution by setting `.Values.minio.enabled` to `false` +Use any external S3 compatible solution by setting `.Values.seaweedfs.enabled` to `false` (`.Values.s3gw.enabled` is `false` by default) and using -[the values under `s3`](https://github.com/epinio/helm-charts/blob/b389a4875af9f03b484a911c49a14f834ba04b64/chart/epinio/values.yaml#L44) +[the values under `s3`](https://github.com/epinio/helm-charts/blob/main/chart/epinio/values.yaml) to point to the required S3 server. ### Dex diff --git a/docs/references/authorization.md b/docs/references/authorization.md index 56b51009eb..9b7fd60b83 100644 --- a/docs/references/authorization.md +++ b/docs/references/authorization.md @@ -128,15 +128,27 @@ These actions enable operations on Namespace commands and resources. These actions enable operations on App commands and resources. They also enable commands related to AppCharts (`epinio app chart`) and application environment variables. -| Action ID | Description -|-----------------|------------- -| `app_read` | Read permissions (app list and show, env list and show) -| `app_logs` | Read application logs -| `app_restart` | Restart permission (without write permissions)
Depends on: `app_read` -| `app_write` | Write permissions (app create, delete, push, export, stage, env set and unset)
Depends on: `app_read`, `app_logs` -| `app_exec` | Perform an exec into a running application -| `app_portforward` | Open a tunnel with the `port-forward` command -| `app` | All the above
Depends on: `app_read`, `app_logs`, `app_write`, `app_exec`, `app_portforward` +| Action ID | Description +|-----------------------|------------- +| `app_read` | Read permissions (app list and show, env list and show) +| `app_logs` | Read application logs +| `app_restart` | Restart permission (without write permissions)
Depends on: `app_read` +| `app_create` | Create and upload/import applications
Depends on: `app_read`, `app_logs` +| `app_update` | Generic application update (patch) covering routes, chart values, instances and settings +| `app_scale` | Scale applications by changing the desired number of instances (implemented via the `AppUpdate` endpoint) +| `app_update_env` | Update application environment variables (set and unset) +| `app_update_configs` | Manage application configuration bindings (create and delete) +| `app_update_routes` | Update application routes/domains (implemented via the `AppUpdate` endpoint) +| `app_update_settings` | Update application settings (chart values) stored on the App resource (implemented via the `AppUpdate` endpoint) +| `app_update_chart` | Update application chart selection and values (implemented via the `AppUpdate` endpoint) +| `app_stage` | Stage an application
Depends on: `app_read`, `app_logs` +| `app_deploy` | Deploy an application
Depends on: `app_read`, `app_logs` +| `app_export` | Export an application image and metadata +| `app_delete` | Delete applications +| `app_write` | Backward-compatible umbrella for app create/update/delete/export/stage/deploy and all application update operations (including scale, routes, settings, chart and env/config updates) +| `app_exec` | Perform an exec into a running application +| `app_portforward` | Open a tunnel with the `port-forward` command +| `app` | All app permissions (including granular app actions, logs, exec and port-forward) ### Configuration @@ -178,6 +190,17 @@ This action enable operations on Export Registries commands and resources. Only |---------------------------|------------- | `export_registries_read` | Read permissions +## Built-in Role Examples + +The following roles are shipped as ConfigMaps and can be assigned directly to users: + +| Role ID | Intended scope | +|---------|----------------| +| `view_only` | Read-only access to application, configuration, service, gitconfig and export-registry resources | +| `application_developer` | Create/update applications without application delete and without non-application write permissions | +| `application_manager` | Full application CRUD and runtime operations, without non-application write permissions | +| `system_manager` | No-delete role: application create/update/runtime operations plus read-only access on other resource types | + ## Assign Roles to User diff --git a/docs/references/cert-manager.md b/docs/references/cert-manager.md index 6837ca2e1c..77c969accf 100644 --- a/docs/references/cert-manager.md +++ b/docs/references/cert-manager.md 
@@ -54,7 +54,7 @@ The Epinio chart then falls back to the data for `epinio`. The information is ignored when the `dex` and/or `ui` components are disabled. The `s3` information applies to whichever internal S3-compatible store is configured when installing -Epinio, i.e. `minio` or `s3gw`. The `s3` information is not applied when Epinio is configured to use +Epinio, i.e. `seaweedfs` or `s3gw`. The `s3` information is not applied when Epinio is configured to use an external S3 store. :::note @@ -62,16 +62,16 @@ an external S3 store. The certificates for `epinio` (including workloads) and `dex` are served through public domains and are permitted to use wildcard domains (e.g. `*.1.2.3.4.nip.io`) in their `CN`/`SAN` fields. -The certificates for `registry` and `s3`(minio) are inter-cluster "private" domains +The certificates for `registry` and `s3` (SeaweedFS) are inter-cluster "private" domains (`registry..svc.cluster.local` and -`minio..svc.cluster.local`). +`seaweedfs-s3..svc.cluster.local`). The placeholder `` refers to the namespace Epinio is installed in. ::: :::caution -When used with Minio the `s3` certificate cannot use wildcard domains in its `CN`/`SAN` fields. +When used with SeaweedFS the `s3` certificate cannot use wildcard domains in its `CN`/`SAN` fields. ::: diff --git a/docs/references/customization/sources.md b/docs/references/customization/sources.md index e03e3da02d..02b3d7d3ed 100644 --- a/docs/references/customization/sources.md +++ b/docs/references/customization/sources.md 
@@ -8,11 +8,11 @@ sidebar_label: "Source Code Storage" Epinio saves the uploaded sources of applications to be deployed to an S3 compatible storage system. The staging process then retrieves the sources from that storage. -By default Epinio uses [minio](https://min.io/) as the store, as an internal component. +By default Epinio uses [SeaweedFS](https://github.com/seaweedfs/seaweedfs) as the S3-compatible store, as an internal component. To use an external S3 compatible storage it is necessary to - - Set chart key `minio.enabled=false`, and + - Set chart key `seaweedfs.enabled=false`, and - the various S3 connection keys, i.e. - `s3.endpoint`
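Review bot: the deletion of `docs/howtos/other/minio.md` drops the console web-interface section without an equivalent in the new SeaweedFS page, and any existing links to `howtos/other/minio.md` will now 404; either add a redirect from the old path or check the repository for inbound references, and say explicitly on the new page whether SeaweedFS in this chart offers a comparable web console or whether CLI access is the only supported debugging route.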
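Review bot: the expose block in the new `docs/howtos/other/seaweedfs.md` hedges on its own target (`# Expose the SeaweedFS S3 service (service name may vary; typically seaweedfs-s3)` and the follow-up comment about using a `pod or service` instead), so unlike the deleted MinIO block it cannot be copied and run as written. Please verify against the chart which workload kind and name carries the S3 API, that port `8333` is the S3 listener, and that a secret named `seaweedfs-creds` with keys `accesskey` and `secretkey` exists, then replace the hedging comments with the confirmed values. Two smaller points in the same hunk: the MinIO Client section says `configure an alias` but gives no `mc alias set` line, whereas the AWS CLI section is complete, and the caution lost the old wording `immediately at the end of your debugging session`; since the NodePort publishes the source-code bucket and its credentials outside the cluster, the stronger wording is worth keeping. Finally, the `https://$NODE:$PORT` URL with `--no-verify-ssl` is carried over from MinIO; confirm that the SeaweedFS S3 port serves TLS in this chart (the cert-manager change implies an `s3` certificate for it), and if it does, note that `--no-verify-ssl` is needed only because the NodePort address does not match the certificate's in-cluster name.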
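Review bot: in the `docs/installation/install_epinio.md` `@@ -248` hunk, the storageClass key changes from `.Values.persistance.storageClass` to `.Values.seaweedfs.persistence.storageClass`, which moves the key under the subchart and also corrects the spelling; please confirm the new path matches the SeaweedFS subchart's `values.yaml`, since a wrong key silently falls back to the default storageClass. The link on the next lines moves from a commit-pinned URL with a `#L44` anchor to `.../blob/main/chart/epinio/values.yaml`; `main` will drift and the line anchor to the `s3` block is lost, so prefer pinning to the commit or chart tag that introduced the `seaweedfs` values.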
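Review bot: in the `docs/references/authorization.md` App table, the new rows `app_update`, `app_scale`, `app_update_env`, `app_update_configs`, `app_update_routes`, `app_update_settings`, `app_update_chart`, `app_export`, `app_delete`, `app_write` and `app` carry no `Depends on:` line, while `app_create`, `app_stage` and `app_deploy` do, and the previous `app_write` (`Depends on: app_read, app_logs`) and `app` rows lost the dependency lists they had; either add the line to every row or state once that the granular actions implicitly include `app_read`. Four rows are annotated `(implemented via the AppUpdate endpoint)`: the page should say how the server tells them apart, i.e. that a caller holding only `app_scale` can change the instance count but is refused if the same patch also carries routes, settings or chart values, otherwise the reader cannot tell what the granular IDs actually restrict compared with `app_update`.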
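Review bot: the new `Built-in Role Examples` table in `docs/references/authorization.md` describes each role only in prose (`Read-only access to ...`, `No-delete role: ...`), so an administrator cannot audit a role against the action tables above without opening the ConfigMap; list the action IDs each role grants (for instance which of `app_read`, `app_logs`, `app_exec`, `export_registries_read` `view_only` and `application_developer` contain) and state the namespace and label by which the shipped ConfigMaps can be found. Also, `system_manager` is described as having less application authority than `application_manager` (no delete) plus read-only access elsewhere, which the name does not convey; a sentence on the intended audience of that role would avoid it being assigned as if it were a superset.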
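Review bot: the `docs/references/cert-manager.md` `@@ -62` hunk carries two MinIO-era statements over to SeaweedFS unchanged: the private hostname `seaweedfs-s3..svc.cluster.local` must match the Service name the chart actually creates (the new how-to says that name `may vary`), and the caution `the s3 certificate cannot use wildcard domains in its CN/SAN fields` was a MinIO restriction; please confirm it also holds for SeaweedFS rather than inheriting it, and adjust or drop the caution accordingly.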