Skip to content

README.md

Latest commit

 

History

History
340 lines (268 loc) · 16.5 KB

README.md

File metadata and controls

340 lines (268 loc) · 16.5 KB

MinIO Azure Container App

This repository provides both local development and Azure production deployment for MinIO object storage with Keycloak SSO authentication, Coraza WAF protection, and opkssh SSH certificate authentication.

🚀 Quick Start

Local Development

For local testing and development:

cd docker-compose
./setup-local.sh

See docker-compose/README.md for complete local development documentation.

Azure Deployment

For production deployment to Azure:

terraform init
terraform plan
terraform apply

See Terraform Usage below for details.

📁 Repository Structure

.
├── docker-compose/           # Local development environment
│   ├── README.md            # Complete local dev documentation
│   ├── setup-local.sh       # Automated local setup
│   └── ...                  # Docker Compose configuration
│
├── main.tf                  # Terraform Azure deployment
├── variables.tf             # Terraform variables
├── outputs.tf              # Terraform outputs
└── README.md               # This file

🏗️ Architecture

Azure Production Architecture

graph TD
    subgraph "Client Access"
        Client[External Traffic<br/>HTTPS: 443, 8443, 8444<br/>IP Restricted]
    end

    subgraph "Azure Virtual Network"
        subgraph "Application Gateway Subnet"
            AppGW[Azure Application Gateway<br/>SSL Termination<br/>Load Balancing]
        end

        subgraph "Container Instances Subnet"
            subgraph "WAF Layer"
                WAF[Coraza WAF<br/>Caddy Reverse Proxy<br/>:8080, :8081, :8082]
            end

            subgraph "Application Services"
                MinIO[MinIO Object Storage<br/>UI: :9001<br/>API: :9000]
                Keycloak[Keycloak<br/>OIDC Provider<br/>:8083]
            end

            subgraph "Data Layer"
                DB[(MariaDB<br/>:3306)]
                MinIOStorage[(Azure File Share<br/>MinIO Data)]
                KeycloakStorage[(Azure File Share<br/>Keycloak Data)]
                DBStorage[(Azure File Share<br/>MariaDB Data)]
            end
        end
    end

    Client --> AppGW
    AppGW --> WAF
    WAF -->|:8080/:8081| MinIO
    WAF -->|:8082| Keycloak
    MinIO --> MinIOStorage
    MinIO -.OIDC Auth.-> Keycloak
    Keycloak --> DB
    Keycloak --> KeycloakStorage
    DB --> DBStorage

    style Client fill:#e3f2fd
    style AppGW fill:#fff3e0
    style WAF fill:#ff9800
    style MinIO fill:#2196f3
    style Keycloak fill:#4caf50
    style DB fill:#607d8b
    style MinIOStorage fill:#b0bec5
    style KeycloakStorage fill:#b0bec5
    style DBStorage fill:#b0bec5
Loading

🧩 Components

Core Services

  • MinIO: S3-compatible object storage with OIDC authentication
  • Keycloak: Enterprise identity and access management
  • MariaDB: Database backend for Keycloak
  • Coraza WAF: OWASP Core Rule Set protection with rate limiting

Azure Infrastructure

  • Application Gateway: SSL termination, load balancing, IP restrictions (ports 443/8443/8444)
  • Network Security Group: IP-based access control
  • Azure File Shares: Persistent storage for MinIO, MariaDB, and Keycloak data
  • Virtual Network: Network isolation with dedicated subnets
  • Key Vault: Secure certificate storage

Additional Features

  • opkssh: SSH certificate-based authentication using OIDC (local development only)

🛠️ Terraform Deployment

Prerequisites

  • Azure Subscription
  • Terraform >= 1.0
  • Azure CLI (logged in)

Variables

Create a terraform.tfvars file from the example:

cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars with your values

Minimum required variables:

resource_group_name      = "minio-production"
public_url_domain_name   = "minio-prod"
minio_root_password      = "your-secure-password"
keycloak_admin_password  = "your-keycloak-admin-password"
allowed_ip_addresses     = "203.0.113.0/32,198.51.100.0/24"

See terraform.tfvars.example for all available options.

Deployment

terraform init
terraform plan
terraform apply

Outputs

After deployment, Terraform provides:

  • console_url: MinIO web console URL
  • s3_api_url: MinIO S3 API endpoint
  • keycloak_url: Keycloak admin console
  • fqdn: Fully qualified domain name
  • mc_alias_command: MinIO client configuration command
  • certificate_download_command: Download self-signed certificate

🌐 Accessing Services (Azure)

MinIO Web Console

https://your-domain.azurecontainer.io/

Login with:

  • Root credentials: Configured via minio_root_user and minio_root_password
  • SSO: Click "Login with SSO" for Keycloak authentication

MinIO S3 API

https://your-domain.azurecontainer.io:8443/

Keycloak Admin Console

https://your-domain.azurecontainer.io:8444/

Default realm: minio_realm

  • Admin user: admin (password from keycloak_admin_password)
  • Test user: testuser / test@test.com

MinIO Client Setup

# Get the setup command from Terraform output
terraform output -raw mc_alias_command

# Or manually configure
mc alias set myminio https://your-fqdn.azurecontainer.io:8443 minioadmin your-password

# Download certificate if needed
terraform output -raw certificate_pem > minio-cert.pem

🔒 Security Features

WAF Protection (Coraza + OWASP CRS)

  • OWASP Core Rule Set v4
  • SQL injection prevention
  • XSS protection
  • Command injection blocking
  • Path traversal prevention
  • Rate limiting per source IP
  • Audit logging

Infrastructure Security

  • IP Restrictions: NSG rules limit access to specified IPs
  • SSL Termination: Azure Application Gateway encrypts all traffic
  • Network Isolation: Dedicated VNet with subnet segmentation
  • Internal Communication: Container-to-container traffic stays within group
  • Certificate Storage: Azure Key Vault for SSL certificates
  • No Direct Access: MinIO/Keycloak ports not exposed externally

📦 Azure Resources Created

  • Application Gateway: SSL termination, load balancing (ports 443, 8443, 8444)
  • Virtual Network: Network isolation with Application Gateway + Container Instance subnets
  • Network Security Group: IP-based access restrictions
  • Container Group: Hosts MinIO, Keycloak, MariaDB, and Coraza WAF
  • Storage Account: Persistent storage backend
  • Storage Shares: Separate shares for MinIO, MariaDB, and Keycloak data
  • Key Vault: Secure certificate storage
  • Log Analytics Workspace: Monitoring and diagnostics

📚 Additional Documentation

Requirements

Name Version
azurerm 4.36.0
random ~> 3.1

Modules

No modules.

Resources

Name Type
azurerm_application_gateway.minio_agw resource
azurerm_container_group.minio_aci_container_group resource
azurerm_key_vault.minio_kv resource
azurerm_key_vault_access_policy.agw_policy resource
azurerm_key_vault_access_policy.minio_cert_policy resource
azurerm_key_vault_certificate.minio_cert resource
azurerm_log_analytics_workspace.minio_law resource
azurerm_network_security_group.agw_nsg resource
azurerm_network_security_rule.allow_agw_management resource
azurerm_network_security_rule.allow_azureloadbalancer resource
azurerm_network_security_rule.allow_https_api resource
azurerm_network_security_rule.allow_https_keycloak resource
azurerm_network_security_rule.allow_https_ui resource
azurerm_network_security_rule.deny_all resource
azurerm_public_ip.agw_pip resource
azurerm_resource_group.minio_rg resource
azurerm_storage_account.minio_storage_account resource
azurerm_storage_share.keycloak_share resource
azurerm_storage_share.mariadb_share resource
azurerm_storage_share.minio_share resource
azurerm_subnet.aci_subnet resource
azurerm_subnet.agw_subnet resource
azurerm_subnet_network_security_group_association.agw_nsg_association resource
azurerm_user_assigned_identity.agw_identity resource
azurerm_virtual_network.minio_vnet resource
random_password.keycloak_client_secret resource
random_password.mariadb_password resource
random_string.storage_suffix resource
azurerm_client_config.current data source

Inputs

Name Description Type Default Required
allowed_ip_addresses Comma-separated list of IP addresses that will be allowed to access the MinIO service in CIDR format. Example: '203.0.113.0/32' for a single IP or '10.10.10.2/32,192.168.1.0/24' for multiple IPs. string "10.10.10.2/32" no
coraza_waf_image Coraza WAF container image string "ghcr.io/meshcloud/minio_azure_container_app/coraza-caddy:caddy-2.9.1-coraza-v2.0.0" no
keycloak_admin_password Keycloak admin password string n/a yes
keycloak_admin_user Keycloak admin username string "admin" no
keycloak_test_user_email Keycloak test user email string "test@test.com" no
keycloak_test_user_password Keycloak test user password string "password" no
keycloak_test_user_username Keycloak test user username string "testuser" no
location Azure region for deployment string "germanywestcentral" no
mariadb_database MariaDB database name for Keycloak string "mariadb" no
mariadb_user MariaDB username string "keycloak" no
minio_image MinIO container image string "quay.io/minio/minio:RELEASE.2025-04-22T22-12-26Z" no
minio_root_password MinIO root password for admin access string n/a yes
minio_root_user MinIO root username for admin access string "minioadmin" no
nginx_image Nginx container image string "mcr.microsoft.com/azurelinux/base/nginx:1.25" no
opkssh_redirect_uris OpenPubkey SSH client redirect URIs for local development list(string) 
[
  "http://localhost:3000/login-callback",
  "http://localhost:10001/login-callback",
  "http://localhost:11110/login-callback"
]
 no
public_url_domain_name Domain name for the public URL (e.g., 'miniotest' creates 'miniotest.westeurope.azurecontainer.io') string n/a yes
resource_group_name Name of the Resource Group where you want to deploy MinIO string n/a yes
storage_account_name Storage Account Name prefix (random suffix will be added for global uniqueness) string "miniostorage" no
storage_share_size Storage space needed in GBs (minimum 1GB, maximum 5120GB/5TB) number 100 no

Outputs

Name Description
certificate_download_command Command to download certificate locally
certificate_pem Self-signed certificate in PEM format (public cert)
console_url MinIO Web Console URL
fqdn Fully qualified domain name
keycloak_client_secret Generated Keycloak OIDC client secret for MinIO
keycloak_url Keycloak admin console URL
mc_alias_command MinIO client setup command
public_ip Public IP address
s3_api_url MinIO S3 API endpoint
storage_account_name Azure Storage Account name