;; Minio secretAccessKey to connect only available when STORAGE_TYPE is `minio`
;MINIO_SECRET_ACCESS_KEY =
;;
+;; Preferred IAM Endpoint to override Minio's default IAM Endpoint resolution only available when STORAGE_TYPE is `minio`.
+;; If not provided and STORAGE_TYPE is `minio`, will search for and derive endpoint from known environment variables
+;; (AWS_CONTAINER_AUTHORIZATION_TOKEN, AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE, AWS_CONTAINER_CREDENTIALS_RELATIVE_URI,
+;; AWS_CONTAINER_CREDENTIALS_FULL_URI, AWS_WEB_IDENTITY_TOKEN_FILE, AWS_ROLE_ARN, AWS_ROLE_SESSION_NAME, AWS_REGION),
+;; or the DefaultIAMRoleEndpoint if not provided otherwise.
+;MINIO_IAM_ENDPOINT =
+;;
;; Minio bucket to store the attachments only available when STORAGE_TYPE is `minio`
;MINIO_BUCKET = gitea
;;
;; Minio secretAccessKey to connect only available when STORAGE_TYPE is `minio`
;MINIO_SECRET_ACCESS_KEY =
;;
+;; Preferred IAM Endpoint to override Minio's default IAM Endpoint resolution only available when STORAGE_TYPE is `minio`.
+;; If not provided and STORAGE_TYPE is `minio`, will search for and derive endpoint from known environment variables
+;; (AWS_CONTAINER_AUTHORIZATION_TOKEN, AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE, AWS_CONTAINER_CREDENTIALS_RELATIVE_URI,
+;; AWS_CONTAINER_CREDENTIALS_FULL_URI, AWS_WEB_IDENTITY_TOKEN_FILE, AWS_ROLE_ARN, AWS_ROLE_SESSION_NAME, AWS_REGION),
+;; or the DefaultIAMRoleEndpoint if not provided otherwise.
+;MINIO_IAM_ENDPOINT =
+;;
;; Minio bucket to store the attachments only available when STORAGE_TYPE is `minio`
;MINIO_BUCKET = gitea
;;
Endpoint string `ini:"MINIO_ENDPOINT" json:",omitempty"`
AccessKeyID string `ini:"MINIO_ACCESS_KEY_ID" json:",omitempty"`
SecretAccessKey string `ini:"MINIO_SECRET_ACCESS_KEY" json:",omitempty"`
+ IamEndpoint string `ini:"MINIO_IAM_ENDPOINT" json:",omitempty"`
Bucket string `ini:"MINIO_BUCKET" json:",omitempty"`
Location string `ini:"MINIO_LOCATION" json:",omitempty"`
BasePath string `ini:"MINIO_BASE_PATH" json:",omitempty"`
cfg, err = NewConfigProviderFromData(`
[storage]
STORAGE_TYPE = minio
+MINIO_IAM_ENDPOINT = 127.0.0.1
+MINIO_USE_SSL = true
+MINIO_BASE_PATH = /prefix
+`)
+ assert.NoError(t, err)
+ assert.NoError(t, loadRepoArchiveFrom(cfg))
+ assert.EqualValues(t, "127.0.0.1", RepoArchive.Storage.MinioConfig.IamEndpoint)
+ assert.EqualValues(t, true, RepoArchive.Storage.MinioConfig.UseSSL)
+ assert.EqualValues(t, "/prefix/repo-archive/", RepoArchive.Storage.MinioConfig.BasePath)
+
+ cfg, err = NewConfigProviderFromData(`
+[storage]
+STORAGE_TYPE = minio
MINIO_ACCESS_KEY_ID = my_access_key
MINIO_SECRET_ACCESS_KEY = my_secret_key
MINIO_USE_SSL = true
}
minioClient, err := minio.New(config.Endpoint, &minio.Options{
- Creds: buildMinioCredentials(config, credentials.DefaultIAMRoleEndpoint),
+ Creds: buildMinioCredentials(config),
Secure: config.UseSSL,
Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: config.InsecureSkipVerify}},
Region: config.Location,
return p
}
-func buildMinioCredentials(config setting.MinioStorageConfig, iamEndpoint string) *credentials.Credentials {
+func buildMinioCredentials(config setting.MinioStorageConfig) *credentials.Credentials {
// If static credentials are provided, use those
if config.AccessKeyID != "" {
return credentials.NewStaticV4(config.AccessKeyID, config.SecretAccessKey, "")
&credentials.FileAWSCredentials{},
// read IAM role from EC2 metadata endpoint if available
&credentials.IAM{
- Endpoint: iamEndpoint,
+ // passing in an empty Endpoint lets the IAM Provider
+ // decide which endpoint to resolve internally
+ Endpoint: config.IamEndpoint,
Client: &http.Client{
Transport: http.DefaultTransport,
},
cfg := setting.MinioStorageConfig{
AccessKeyID: ExpectedAccessKey,
SecretAccessKey: ExpectedSecretAccessKey,
+ IamEndpoint: FakeEndpoint,
}
- creds := buildMinioCredentials(cfg, FakeEndpoint)
+ creds := buildMinioCredentials(cfg)
v, err := creds.Get()
assert.NoError(t, err)
})
t.Run("Chain", func(t *testing.T) {
- cfg := setting.MinioStorageConfig{}
+ cfg := setting.MinioStorageConfig{
+ IamEndpoint: FakeEndpoint,
+ }
t.Run("EnvMinio", func(t *testing.T) {
t.Setenv("MINIO_ACCESS_KEY", ExpectedAccessKey+"Minio")
t.Setenv("MINIO_SECRET_KEY", ExpectedSecretAccessKey+"Minio")
- creds := buildMinioCredentials(cfg, FakeEndpoint)
+ creds := buildMinioCredentials(cfg)
v, err := creds.Get()
assert.NoError(t, err)
t.Setenv("AWS_ACCESS_KEY", ExpectedAccessKey+"AWS")
t.Setenv("AWS_SECRET_KEY", ExpectedSecretAccessKey+"AWS")
- creds := buildMinioCredentials(cfg, FakeEndpoint)
+ creds := buildMinioCredentials(cfg)
v, err := creds.Get()
assert.NoError(t, err)
})
t.Run("FileMinio", func(t *testing.T) {
- t.Setenv("MINIO_SHARED_CREDENTIALS_FILE", "testdata/minio.json")
// prevent loading any actual credentials files from the user
+ t.Setenv("MINIO_SHARED_CREDENTIALS_FILE", "testdata/minio.json")
t.Setenv("AWS_SHARED_CREDENTIALS_FILE", "testdata/fake")
- creds := buildMinioCredentials(cfg, FakeEndpoint)
+ creds := buildMinioCredentials(cfg)
v, err := creds.Get()
assert.NoError(t, err)
t.Setenv("MINIO_SHARED_CREDENTIALS_FILE", "testdata/fake.json")
t.Setenv("AWS_SHARED_CREDENTIALS_FILE", "testdata/aws_credentials")
- creds := buildMinioCredentials(cfg, FakeEndpoint)
+ creds := buildMinioCredentials(cfg)
v, err := creds.Get()
assert.NoError(t, err)
defer server.Close()
// Use the provided EC2 Instance Metadata server
- creds := buildMinioCredentials(cfg, server.URL)
+ creds := buildMinioCredentials(setting.MinioStorageConfig{
+ IamEndpoint: server.URL,
+ })
v, err := creds.Get()
assert.NoError(t, err)
projects / gitea.git / commitdiff