Prerequisites
- A DC/OS Service Account with a secret stored in the DC/OS Secret Store.
- DC/OS Superuser permissions for modifying the permissions of the service account.
- DC/OS CLI, either Enterprise or Open Source:
  - DC/OS CLI installed and logged in as a superuser.
  - Enterprise DC/OS CLI 1.10 or later installed.
- If your security mode is permissive or strict, you must get the root cert before issuing the curl commands in this section.
Provisioning a service account
This section describes how to configure DC/OS access for Minio. Depending on your security mode, Minio may require service authentication for access to DC/OS.
A service like Minio typically performs certain privileged actions on the cluster, which might require authenticating with the cluster. A service account associated with the service is used to authenticate with the DC/OS cluster. It is recommended to provision a separate service account for each service that performs privileged operations. Service accounts authenticate using a public-private key pair. The public key is used to create the service account in the cluster, while the corresponding private key is stored in the secret store. The service account and the service account secret are passed to the service as install-time options.
Security mode | Service Account |
---|---|
Disabled | Not available |
Permissive | Optional |
Strict | Required |
If you install a service in permissive mode and do not specify a service account, Metronome and Marathon will act as if requests made by this service are made by an account with the superuser permission.
Prerequisites:
- DC/OS CLI installed and logged in as a superuser.
- Enterprise DC/OS CLI 0.4.14 or later installed.
Create a Key Pair
In this step, a 2048-bit RSA public-private key pair is created using the Enterprise DC/OS CLI.
Create a public-private key pair and save each value into a separate file within the current directory.

```bash
dcos security org service-accounts keypair <private-key>.pem <public-key>.pem
```
Create a Service Account
From a terminal prompt, create a new service account (for example, `minio`) containing the public key (`<your-public-key>.pem`).

```bash
dcos security org service-accounts create -p <your-public-key>.pem -d <description> minio
```

You can verify your new service account using the following command.

```bash
dcos security org service-accounts show minio
```
Create a Secret
Create a secret (`miniod/<secret-name>`) with your service account and private key specified (`<private-key>.pem`).

```bash
dcos security secrets create-sa-secret <private-key>.pem <service-account-id> minio/<secret-name>
```

You can list the secrets with this command:

```bash
dcos security secrets list /
```
Prerequisites
- A DC/OS Service Account with a secret stored in the DC/OS Secret Store.
- DC/OS Superuser permissions for modifying the permissions of the Service Account.
Configure Transport Encryption
Set up the service account
Grant the service account the correct permissions.
- In DC/OS 1.10, the required permission is `dcos:superuser full`.
- In DC/OS 1.11 and later, the required permissions are:

  ```
  dcos:secrets:default:/<service name>/* full
  dcos:secrets:list:default:/<service name> read
  dcos:adminrouter:ops:ca:rw full
  dcos:adminrouter:ops:ca:ro full
  ```

  where `<service name>` is the name of the service to be installed.

Run the following DC/OS Enterprise CLI commands to set permissions for the service account on a strict cluster:

```bash
dcos security org users grant ${SERVICE_ACCOUNT} dcos:mesos:master:task:app_id:<service/name> create
dcos security org users grant ${SERVICE_ACCOUNT} dcos:mesos:master:reservation:principal:dev_hdfs create
dcos security org users grant ${SERVICE_ACCOUNT} dcos:mesos:master:volume:principal:dev_hdfs create
```
Install the service
Install the DC/OS Minio service including the following options in addition to your own:

```json
{
  "service": {
    "service_account": "<your service account name>",
    "service_account_secret": "<full path of service secret>",
    "security": {
      "transport_encryption": {
        "enabled": true
      }
    }
  }
}
```
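As an added example that is not part of the DC/OS documentation, the following Python lint encodes the service-account table (required in strict, optional in permissive, not available in disabled) and the DC/OS 1.11+ permission list above, and checks a Minio options file against them before `dcos package install`. The `security_mode` argument and the `lint_options`, `required_grants` and `grant_commands` names are this example's own; it assumes that a secret path `minio/<name>` corresponds to the resource `dcos:secrets:default:/minio/<name>`.

```python
import json

# Service-account requirement per security mode, from the table above.
MODES = {"disabled": "not available", "permissive": "optional", "strict": "required"}


def required_grants(service_name):
    """DC/OS 1.11+ permissions listed above, as (resource, action) pairs."""
    return [
        (f"dcos:secrets:default:/{service_name}/*", "full"),
        (f"dcos:secrets:list:default:/{service_name}", "read"),
        ("dcos:adminrouter:ops:ca:rw", "full"),
        ("dcos:adminrouter:ops:ca:ro", "full"),
    ]


def grant_commands(account, service_name):
    """CLI lines that would apply required_grants() to the service account."""
    return [f"dcos security org users grant {account} {res} {act}"
            for res, act in required_grants(service_name)]


def lint_options(options, security_mode, service_name="minio"):
    """Return problem strings for an install-options dict; [] means it passes."""
    mode = security_mode.lower()
    if mode not in MODES:
        return [f"unknown security mode {security_mode!r}"]
    svc = options.get("service", {})
    account = svc.get("service_account")
    secret = svc.get("service_account_secret")
    problems = []
    if mode == "disabled" and (account or secret):
        problems.append("service accounts are not available in disabled mode")
    if mode == "strict" and not (account and secret):
        problems.append("strict mode requires service_account and service_account_secret")
    if mode == "permissive" and not account:
        problems.append("no service_account: Marathon and Metronome will treat "
                        "this service's requests as superuser requests")
    if account and not secret:
        problems.append("service_account is set but service_account_secret is missing")
    # Assumption: secret path "minio/x" is the resource dcos:secrets:default:/minio/x,
    # so a secret outside <service name>/ is not covered by the grants above.
    if secret and not secret.lstrip("/").startswith(service_name + "/"):
        problems.append(f"secret {secret!r} is outside dcos:secrets:default:/{service_name}/*")
    return problems


if __name__ == "__main__":
    # Constructed sample matching the install-options block above.
    sample = json.loads('{"service": {"service_account": "minio", '
                        '"service_account_secret": "minio/sa-secret", '
                        '"security": {"transport_encryption": {"enabled": true}}}}')
    for mode in MODES:
        print(mode, lint_options(sample, mode) or "ok")
    print("\n".join(grant_commands("minio", "minio")))
```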
Accessing the Minio web interface with Edge-LB TLS configuration
Prerequisites for Edge-LB with TLS configuration
- DC/OS cluster with Service account and Service account secret configured.
- Minio service installed with TLS enabled.
Steps
For Edge-LB pool configuration:
- Add the Edge-LB-aws repo:

  ```bash
  dcos package repo add --index=0 edgelb-aws \
    https://edge-lb-infinity-artifacts.s3.amazonaws.com/autodelete7d/master/edgelb/stub-universe-edgelb.json
  ```

- Add the Edge-LB-Pool-aws repo:

  ```bash
  dcos package repo add --index=0 edgelb-pool-aws \
    https://edge-lb-infinity-artifacts.s3.amazonaws.com/autodelete7d/master/edgelb-pool/stub-universe-edgelb-pool.json
  ```

- Install the Edge-LB package:

  ```bash
  dcos package install edgelb --yes
  ```

- Create the configuration JSON file with the required parameters to access DC/OS Minio:

  ```json
  {
    "apiVersion": "V2",
    "name": "minio",
    "count": 1,
    "autoCertificate": true,
    "haproxy": {
      "frontends": [
        {
          "bindPort": 9001,
          "protocol": "HTTPS",
          "certificates": ["$AUTOCERT"],
          "linkBackend": {
            "defaultBackend": "miniodemo"
          }
        }
      ],
      "backends": [
        {
          "name": "miniodemo",
          "protocol": "HTTPS",
          "rewriteHttp": {
            "host": "miniod.miniodemo.l4lb.thisdcos.directory"
          },
          "request": {
            "forwardfor": true,
            "xForwardedPort": true,
            "xForwardedProtoHttpsIfTls": true,
            "setHostHeader": true,
            "rewritePath": true
          },
          "services": [
            {
              "endpoint": {
                "type": "ADDRESS",
                "address": "miniod.miniodemo.l4lb.thisdcos.directory",
                "port": 9000
              }
            }
          ]
        }
      ]
    }
  }
  ```

- Create the `edge-pool` using the JSON file created in the preceding step:

  ```bash
  dcos edgelb create edgelb-pool-config.json
  ```

- Access Minio at:

  ```
  https://<Public IP of the Public Node of the cluster>:9001/minio
  ```

The Minio server can be accessed using the Minio client by registering it to the Minio server. To register a Minio client, specify the public IP of the Public Agent running Edge-LB.
Figure 1. - Minio browser
For more details on the Minio Client, refer to the link: minio-client-complete-guide
Installing the service
- Install the DC/OS Minio Service, including the following options in addition to your own:

  ```json
  {
    "service": {
      "service_account": "<your service account name>",
      "service_account_secret": "<full path of service secret>",
      "security": {
        "tls_ssl": {
          "enabled": true
        }
      }
    }
  }
  ```

  Figure 2. - TLS service view
- Figure 3. - The Running stage view will display the progress of your installation.
- Verify your installation by viewing the log:

  Figure 4. - Successful execution