Shared Object Storage

SD Elements shares files between services using shared object storage (e.g., AWS S3). Customers not deploying SD Elements in an AWS environment can use the bundled MinIO service or configure an existing S3-compatible object storage solution.

AWS S3

SD Elements supports AWS S3 authentication using access keys or IAM Roles.

Access Key Authentication

Prerequisites

  • An existing S3 bucket

  • An AWS IAM service account that has list, read, and write access to the S3 bucket

  • The Access Key and Secret Key for the IAM service account

See the resources below for documentation on how IAM works with S3 and guidance on policy creation.

Configure object storage in the global.sharedStorage section of the custom values file.

global:
  sharedStorage:
    bucketName: {BUCKET_NAME}
    s3Url: https://s3.{REGION}.amazonaws.com
    s3AccessKey: {ACCESS_KEY}
    s3SecretKey: {SECRET_KEY}

IAM Role Authentication

S3 authentication using an IAM Role is accomplished through a Kubernetes Service Account in the same namespace as SD Elements. In addition to global.sharedStorage, further values must be set in the sde.serviceAccount section of the custom values file.

Prerequisites

  • An existing S3 bucket

  • An AWS IAM Role that has list, read, and write access to the S3 bucket

Setting sde.serviceAccount.enabled to true will auto-create a Service Account using the provided IAM Role upon installation or upgrade. The Service Account will be named {RELEASE_NAME}-sa.

global:
  sharedStorage:
    bucketName: {BUCKET_NAME}
    s3Url: https://s3.{REGION}.amazonaws.com
sde:
  serviceAccount:
    enabled: true
    annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::{AWS_ACCOUNT_ID}:role/{IAM_ROLE_NAME}

(Optional) Specify the Service Account name

The auto-created Service Account name can be set using sde.serviceAccount.name.

global:
  sharedStorage:
    bucketName: {BUCKET_NAME}
    s3Url: https://s3.{REGION}.amazonaws.com
sde:
  serviceAccount:
    enabled: true
    name: sdelements-service-account
    annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::{AWS_ACCOUNT_ID}:role/{IAM_ROLE_NAME}

(Optional) Reference an existing Service Account

An existing Service Account in the same namespace as SD Elements can be referenced instead of being auto-created by the chart by setting sde.serviceAccount.externalName.

global:
  sharedStorage:
    bucketName: {BUCKET_NAME}
    s3Url: https://s3.{REGION}.amazonaws.com
sde:
  serviceAccount:
    externalName: {EXISTING_SERVICE_ACCOUNT_NAME}

When referencing an existing Service Account, ensure sde.serviceAccount.enabled is set to false or removed from the values file entirely.

(Optional) Enabling S3 Transfer Acceleration

To enable the use of S3 Transfer Acceleration in SD Elements when performing S3 operations, add the following environment variable to your values.yaml overlay:

worker:
  extraEnvVars:
    - name: S3_USE_ACCELERATE_ENDPOINT
      value: "true"

(Optional) AWS S3 endpoint configuration

When using AWS S3 as shared storage in an IPv6-only mode, the value for global.sharedStorage.s3Url must be adjusted to use dual-stack endpoints following the format s3.dualstack.AWS-REGION.amazonaws.com.

For instance, to access S3 in the us-east-1 region, the endpoint URL should be updated to https://s3.dualstack.us-east-1.amazonaws.com.

global:
  sharedStorage:
    s3Url: https://s3.dualstack.us-east-1.amazonaws.com

MinIO for S3-Compatible Object Storage

For deployments in non-AWS environments, or where AWS S3 is otherwise not available, SD Elements can be configured to use an S3-compatible object storage solution such as MinIO. For ease of deployment, SD Elements is bundled with MinIO out of the box.

Existing MinIO Deployment

SD Elements can be pointed toward an existing MinIO deployment in the global.sharedStorage section of the custom values file.

global:
  sharedStorage:
    bucketName: {BUCKET_NAME}
    s3Url: http://minio-address:9000
    s3AccessKey: {ACCESS_KEY}
    s3SecretKey: {SECRET_KEY}

Bundled MinIO Subchart

Otherwise, SD Elements provides two ways to set up MinIO:

  1. Using the MinIO subchart within SD Elements.

  2. Using the MinIO Tenant subchart for MinIO Operator.

In this scenario, you should configure both the global.sharedStorage and minio sections in your values.yaml overlay and ensure certain properties match.

MinIO bucket naming conventions are the same as those of Amazon S3. See Amazon S3 bucket naming rules for more information.

MinIO secretKey values must be at least 8 characters in length.

global:
  sharedStorage:
    bucketName: {BUCKET_NAME}         # If using MinIO, ensure value matches a bucket in `minio` section
    s3Url: http://{release_name}-minio:9000
    s3AccessKey: {ACCESS_KEY}         # If using MinIO, ensure value matches `accessKey` in `minio` section
    s3SecretKey: {SECRET_KEY}         # If using MinIO, ensure value matches `secretKey` in `minio` section
minio:
  enabled: true
  rootUser: admin
  rootPassword: Password
  persistence:
    storageClass: myStorageclassName
  buckets:
    - name: {BUCKET_NAME}             # should match global.sharedStorage.bucketName
      policy: none
      purge: false
  users:
    - accessKey: {ACCESS_KEY}         # should match global.sharedStorage.s3AccessKey
      secretKey: {SECRET_KEY}         # should match global.sharedStorage.s3SecretKey
      policy: readwrite
  imagePullSecrets:
    - name: "security-compass-secret"

TLS can be enabled for MinIO by providing the name of the secret containing the certificate and private key.

minio:
  ...
  tls:
    enabled: true
    certSecret: my-secret-name
    publicCrt: "tls.crt"
    privateKey: "tls.key"

If you do not have an external certificate secret, you may choose to use the self-signed certificate provided by the Helm chart. In this configuration, SD Elements needs to be configured to trust third-party CA certificates, and the self-signed certificate must be added to that trust store.

The name of the self-signed certificate secret is formatted based on the release name.

global:
  thirdPartyCACertificates:
    enabled: true
    minioSelfSignedCertSecret: {release_name}-minio-server-tls-secrets
minio:
  ...
  tlsCreateSelfSigned: true
  tls:
    enabled: true
    certSecret: {release_name}-minio-server-tls-secrets

Alternatively, S3 certificate validation may be disabled.

worker:
  extraEnvVars:
    - name: AWS_S3_VERIFY
      value: "False"

(Optional) Bundled MinIO Tenant Subchart

In this scenario, you should configure both the global.sharedStorage and minio-tenant sections in your values.yaml overlay and ensure certain properties match.

This configuration is only compatible with SD Elements versions newer than 2023.4 and requires MinIO Operator to be already installed in the cluster.

global:
  sharedStorage:
    bucketName: {BUCKET_NAME}
    s3Url: http://sdelements-minio-hl:9000
    s3AccessKey: {ACCESS_KEY}
    s3SecretKey: {SECRET_KEY}
minio-tenant:
  enabled: true
  tenant:
    imagePullSecret:
      name: security-compass-secret
    env:
      - name: MINIO_BROWSER
        value: "off"                            # switch to "on" to enable the MinIO Console UI
    pools:
      - servers: 1                              # number of MinIO nodes running
        name: pool-0
        volumesPerServer: 1                     # number of volumes per MinIO node
        size: 100Gi                             # size of each volume
        storageClassName: myStorageclassName
    buckets:
      - name: {BUCKET_NAME}                     # should match global.sharedStorage.bucketName
    configuration:
      name: sdelements-minio-env-configuration  # should match the secret name below
  secrets:
    name: sdelements-minio-env-configuration
    accessKey: {ACCESS_KEY}                     # should match global.sharedStorage.s3AccessKey
    secretKey: {SECRET_KEY}                     # should match global.sharedStorage.s3SecretKey

TLS can be enabled by providing the name of the secret containing the certificate and private key.

minio-tenant:
  ...
  tenant:
    ...
    certificate:
      externalCertSecret:
        - name: my-secret-name
          type: kubernetes.io/tls     # type can also be cert-manager.io/v1alpha2 or cert-manager.io/v1

For further details on how to create a TLS certificate, see MinIO’s documentation.

If you do not have an external certificate secret, you may choose to use the self-signed certificate generated by the Helm chart. In this configuration, SD Elements needs to disable checking S3 certificate validity.

minio-tenant:
  ...
  tenant:
    ...
    certificate:
      requestAutoCert: true
worker:
  extraEnvVars:
    - name: AWS_S3_USE_SSL
      value: "False"

In versions older than 2023.1, replace AWS_S3_VERIFY with AWS_S3_USE_SSL.
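
The matching rules in the bundled MinIO subchart and MinIO Tenant sections above, together with the Service Account rule from the IAM Role section, are easy to get wrong by hand. The following is an added example, not code from SD Elements or its Helm chart: it takes the overlay as the dict that `yaml.safe_load` returns for your values.yaml (loading it is assumed to happen outside this block) and reports every inconsistency it finds, including S3 TLS verification being switched off in the worker.

```python
import re

# Core S3 bucket naming rules (MinIO follows the same): 3-63 chars, lowercase letters, digits,
# dots and hyphens, starting and ending with a letter or digit, no ".." and not an IP address.
BUCKET_RE = re.compile(r"^(?!\d{1,3}(\.\d{1,3}){3}$)(?!.*\.\.)[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

def get(d, path, default=None):
    """Walk a dotted path such as 'global.sharedStorage.bucketName' through nested dicts."""
    for key in path.split("."):
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d

def check_values(values):
    """Return the list of problems found in the overlay; an empty list means it is consistent."""
    problems = []
    storage = get(values, "global.sharedStorage", {})
    bucket, access, secret = (storage.get(k) for k in ("bucketName", "s3AccessKey", "s3SecretKey"))
    if not bucket or not storage.get("s3Url"):
        problems.append("global.sharedStorage.bucketName and s3Url are required")
    elif not BUCKET_RE.match(str(bucket)):
        problems.append(f"bucketName {bucket!r} violates S3 bucket naming rules")
    # IAM Role authentication: an existing Service Account must not also be auto-created.
    if get(values, "sde.serviceAccount.externalName") and get(values, "sde.serviceAccount.enabled"):
        problems.append("sde.serviceAccount.enabled must be false or absent when externalName is set")
    # Bundled MinIO subchart: bucket and user credentials must match global.sharedStorage.
    if get(values, "minio.enabled"):
        if bucket not in {b.get("name") for b in get(values, "minio.buckets", [])}:
            problems.append("minio.buckets has no entry matching global.sharedStorage.bucketName")
        if not any(u.get("accessKey") == access and u.get("secretKey") == secret
                   for u in get(values, "minio.users", [])):
            problems.append("minio.users has no entry matching s3AccessKey/s3SecretKey")
        if secret is None or len(str(secret)) < 8:
            problems.append("MinIO secretKey must be at least 8 characters")
    # MinIO Tenant subchart: same matching rules, plus the env-configuration secret name.
    tenant = get(values, "minio-tenant", {})
    if tenant.get("enabled"):
        if bucket not in {b.get("name") for b in get(tenant, "tenant.buckets", [])}:
            problems.append("minio-tenant.tenant.buckets has no entry matching bucketName")
        if get(tenant, "secrets.accessKey") != access or get(tenant, "secrets.secretKey") != secret:
            problems.append("minio-tenant.secrets credentials do not match global.sharedStorage")
        if get(tenant, "tenant.configuration.name") != get(tenant, "secrets.name"):
            problems.append("minio-tenant.tenant.configuration.name must equal minio-tenant.secrets.name")
    # Surface disabled S3 TLS verification so it is a deliberate decision, not an accident.
    for env in get(values, "worker.extraEnvVars", []):
        if env.get("name") in ("AWS_S3_VERIFY", "AWS_S3_USE_SSL") and str(env.get("value")).lower() == "false":
            problems.append(f"worker.extraEnvVars disables S3 TLS checks via {env['name']}={env['value']}")
    return problems
```

Run it against the overlay before `helm install` or `helm upgrade`; a non-empty result points at the exact values section to correct.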

Other S3-Compatible Object Storage

See the Bundled MinIO Subchart section for instructions on configuring SD Elements to use other S3-compatible object storage solutions.

Security Compass recommends using AWS S3 or MinIO where possible. While any other S3-compatible object storage solution is expected to work, pre-release testing is completed using AWS S3 and MinIO.

Configuring an external database

This section has moved to Database.
