[installer]: configure minio to act as gateway to azure blob storage

Author: Simon Emms

installer/pkg/common/storage.go

@@ -7,13 +7,24 @@ package common
 import (
 	"fmt"
 	storageconfig "github.com/gitpod-io/gitpod/content-service/api/config"
+	"k8s.io/utils/pointer"
 
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/utils/pointer"
 )
 
 // StorageConfig produces config service configuration from the installer config
 
+func useMinio(context *RenderContext) bool {
+	// Minio is used for in-cluster storage and as a facade to non-GCP providers
+	if pointer.BoolDeref(context.Config.ObjectStorage.InCluster, false) {
+		return true
+	}
+	if context.Config.ObjectStorage.Azure != nil {
+		return true
+	}
+	return false
+}
+
 func StorageConfig(context *RenderContext) storageconfig.StorageConfig {
 	var res *storageconfig.StorageConfig
 	if context.Config.ObjectStorage.CloudStorage != nil {
@@ -28,21 +39,8 @@ func StorageConfig(context *RenderContext) storageconfig.StorageConfig {
 			},
 		}
 	}
-	if context.Config.ObjectStorage.S3 != nil {
-		// TODO(cw): where do we get the AWS secretKey and accessKey from?
-		res = &storageconfig.StorageConfig{
-			Kind: storageconfig.MinIOStorage,
-			MinIOConfig: storageconfig.MinIOConfig{
-				Endpoint:        "some-magic-amazon-value?",
-				AccessKeyID:     "TODO",
-				SecretAccessKey: "TODO",
-				Secure:          true,
-				Region:          context.Config.Metadata.Region,
-				ParallelUpload:  6,
-			},
-		}
-	}
-	if b := context.Config.ObjectStorage.InCluster; b != nil && *b {
+
+	if useMinio(context) {
 		res = &storageconfig.StorageConfig{
 			Kind: storageconfig.MinIOStorage,
 			MinIOConfig: storageconfig.MinIOConfig{
@@ -120,14 +118,10 @@ func AddStorageMounts(ctx *RenderContext, pod *corev1.PodSpec, container ...stri
 		return nil
 	}
 
-	if ctx.Config.ObjectStorage.S3 != nil {
-		return nil
-	}
-
-	if pointer.BoolDeref(ctx.Config.ObjectStorage.InCluster, false) {
+	if useMinio(ctx) {
 		// builtin storage needs no extra mounts
 		return nil
 	}
 
-	return fmt.Errorf("no valid storage confniguration set")
+	return fmt.Errorf("no valid storage configuration set")
 }

installer/pkg/components/minio/azure/minio.go

@@ -0,0 +1,39 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package azure
+
+import (
+	"fmt"
+	"github.com/gitpod-io/gitpod/installer/pkg/common"
+	"github.com/gitpod-io/gitpod/installer/pkg/helm"
+	"github.com/gitpod-io/gitpod/installer/third_party/charts"
+	"helm.sh/helm/v3/pkg/cli/values"
+)
+
+var Helm = func(apiPort int32, consolePort int32) common.HelmFunc {
+	return common.CompositeHelmFunc(
+		helm.ImportTemplate(charts.Minio(), helm.TemplateConfig{}, func(cfg *common.RenderContext) (*common.HelmConfig, error) {
+			return &common.HelmConfig{
+				Enabled: true,
+				Values: &values.Options{
+					Values: []string{
+						helm.KeyValue("minio.gateway.enabled", "true"),
+						helm.KeyValue("minio.gateway.auth.azure.accessKey", cfg.Values.StorageAccessKey), // Azure value actually taken from secret - used for console/API access
+						helm.KeyValue("minio.gateway.auth.azure.secretKey", cfg.Values.StorageSecretKey), // Ditto
+						helm.KeyValue("minio.gateway.auth.azure.storageAccountNameExistingSecret", cfg.Config.ObjectStorage.Azure.Credentials.Name),
+						helm.KeyValue("minio.gateway.auth.azure.storageAccountNameExistingSecretKey", "accountName"),
+						helm.KeyValue("minio.gateway.auth.azure.storageAccountKeyExistingSecret", cfg.Config.ObjectStorage.Azure.Credentials.Name),
+						helm.KeyValue("minio.gateway.auth.azure.storageAccountKeyExistingSecretKey", "accountKey"),
+						helm.KeyValue("minio.gateway.replicaCount", "2"),
+						helm.KeyValue("minio.gateway.type", "azure"),
+						helm.KeyValue("minio.persistence.enabled", "false"),
+						helm.KeyValue("minio.service.ports.api", fmt.Sprintf("%d", apiPort)),
+						helm.KeyValue("minio.service.ports.console", fmt.Sprintf("%d", consolePort)),
+					},
+				},
+			}, nil
+		}),
+	)
+}

installer/pkg/components/minio/helm.go

@@ -2,12 +2,13 @@
 // Licensed under the GNU Affero General Public License (AGPL).
 // See License-AGPL.txt in the project root for license information.
 
-// Minio is used for both incluster deployments and as a facade for non-GCP storage providers
+// Minio is used for both in-cluster deployments and as a facade for non-GCP storage providers
 
 package minio
 
 import (
 	"github.com/gitpod-io/gitpod/installer/pkg/common"
+	"github.com/gitpod-io/gitpod/installer/pkg/components/minio/azure"
 	"github.com/gitpod-io/gitpod/installer/pkg/components/minio/incluster"
 	"k8s.io/utils/pointer"
 )
@@ -17,6 +18,9 @@ var Helm = common.CompositeHelmFunc(
 		if pointer.BoolDeref(cfg.Config.ObjectStorage.InCluster, false) {
 			return incluster.Helm(ServiceAPIPort, ServiceConsolePort)(cfg)
 		}
+		if cfg.Config.ObjectStorage.Azure != nil {
+			return azure.Helm(ServiceAPIPort, ServiceConsolePort)(cfg)
+		}
 
 		return nil, nil
 	},

installer/pkg/config/v1/config.go

@@ -123,6 +123,7 @@ type ObjectStorage struct {
 	InCluster    *bool                      `json:"inCluster,omitempty"`
 	S3           *ObjectStorageS3           `json:"s3,omitempty"`
 	CloudStorage *ObjectStorageCloudStorage `json:"cloudStorage,omitempty"`
+	Azure        *ObjectStorageAzure        `json:"azure,omitempty"`
 }
 
 type ObjectStorageS3 struct {
@@ -134,6 +135,10 @@ type ObjectStorageCloudStorage struct {
 	Project        string    `json:"project" validate:"required"`
 }
 
+type ObjectStorageAzure struct {
+	Credentials ObjectRef `json:"credentials"`
+}
+
 type InstallationKind string
 
 const (

installer/pkg/config/v1/validation.go

@@ -77,6 +77,11 @@ func (v version) ClusterValidation(rcfg interface{}) cluster.ValidationChecks {
 		res = append(res, cluster.CheckSecret(secretName, cluster.CheckSecretRequiredData("service-account.json")))
 	}
 
+	if cfg.ObjectStorage.Azure != nil {
+		secretName := cfg.ObjectStorage.Azure.Credentials.Name
+		res = append(res, cluster.CheckSecret(secretName, cluster.CheckSecretRequiredData("accountName", "accountKey")))
+	}
+
 	if cfg.ContainerRegistry.External != nil {
 		secretName := cfg.ContainerRegistry.External.Certificate.Name
 		res = append(res, cluster.CheckSecret(secretName, cluster.CheckSecretRequiredData(".dockerconfigjson")))