SSO: Wire MinIO → Keycloak OIDC #339

Closed
opened 2026-05-05 04:06:30 +00:00 by forgejo_admin · 0 comments
Type

Feature

Lineage

Standalone — scoped during platform SSO initiative (2026-05-04). Depends on platform realm ticket.

Repo

forgejo_admin/pal-e-platform

User Story

As a platform admin
I want to access MinIO console via SSO
So that I can manage object storage without a separate login

Context

MinIO supports OpenID Connect natively. Configuration sets the OIDC provider URL, client ID/secret, and maps claims to MinIO policies. The console login will redirect to Keycloak and return with admin policy assigned.

File Targets

Files the agent should modify or create:

  • terraform/modules/storage/main.tf — add OIDC config to MinIO deployment or Helm values

Files the agent should NOT touch:

  • terraform/modules/keycloak/main.tf — realm managed separately
  • MinIO bucket policies — those are for app access, not admin auth

Acceptance Criteria

  • MinIO console shows "Login with SSO" option
  • ldraney lands with consoleAdmin policy after Keycloak login
  • No second login prompt when navigating from pal-e-admin
  • Service account keys for apps continue to work

Test Expectations

  • Integration: authenticate via Keycloak, verify MinIO console access
  • Verify: existing service account access tokens still work
  • Run command: curl -s https://minio.tail5b443a.ts.net/minio/health/live

Constraints

  • Service accounts (used by apps for S3 access) must remain functional
  • OIDC client secret stored in k8s secret
  • Map Keycloak admin role → MinIO consoleAdmin policy
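
The Context paragraph and the Constraints above describe the wiring without showing it. The following is an added example, not code from this ticket or the pal-e-platform repo: the MinIO OIDC settings as Kubernetes manifests, with the client secret read from a Secret instead of being inlined. The Secret name, namespace, Keycloak hostname, realm name and client ID are assumptions; the MinIO environment variable names are MinIO's own.

```yaml
# Added example (not from the ticket): MinIO -> Keycloak OIDC wiring.
# Secret name/namespace, Keycloak host, realm and client ID are assumed.
apiVersion: v1
kind: Secret
metadata:
  name: minio-oidc          # assumed name
  namespace: storage        # assumed namespace
type: Opaque
stringData:
  client-secret: "<REPLACE_WITH_KEYCLOAK_CLIENT_SECRET>"  # placeholder
---
# Environment of the MinIO container (Deployment/StatefulSet spec or Helm
# extraEnv); the surrounding workload definition is omitted.
env:
  # Realm discovery document; MinIO pulls issuer, JWKS and endpoints from it.
  - name: MINIO_IDENTITY_OPENID_CONFIG_URL
    value: "https://keycloak.example.internal/realms/platform/.well-known/openid-configuration"
  - name: MINIO_IDENTITY_OPENID_CLIENT_ID
    value: "minio"          # assumed client ID registered in the realm
  # Secret is injected from the Kubernetes Secret, never written into values.
  - name: MINIO_IDENTITY_OPENID_CLIENT_SECRET
    valueFrom:
      secretKeyRef:
        name: minio-oidc
        key: client-secret
  # Claim whose value MinIO matches against its policy names (e.g. consoleAdmin).
  - name: MINIO_IDENTITY_OPENID_CLAIM_NAME
    value: "policy"
  - name: MINIO_IDENTITY_OPENID_SCOPES
    value: "openid,profile,email"
  # Console callback; must also be registered as a valid redirect URI in Keycloak.
  - name: MINIO_IDENTITY_OPENID_REDIRECT_URI
    value: "https://minio.tail5b443a.ts.net/oauth_callback"
  - name: MINIO_IDENTITY_OPENID_DISPLAY_NAME
    value: "Login with SSO"
```

On the Keycloak side the client needs a protocol mapper that emits a `policy` claim with the value `consoleAdmin` for members of the admin role; a user whose token lacks that claim gets no MinIO policy and is denied. Service accounts are unaffected because they authenticate with access keys, not OIDC.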

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • project-pal-e-platform — platform project
Reference
ldraney/pal-e-platform#339