fix(setup): enable minio as gateway for azure blob storage

Author: mrsimonemms

README.md

@@ -23,8 +23,8 @@ The whole process takes around twenty minutes. In the end, the following resourc
 
 - an AKS cluster running Kubernetes v1.20.
 - Azure load balancer.
-- ~~Azure MySQL database.~~ MySQL will be provided by Helm under [#5508](https://github.com/gitpod-io/gitpod/issues/5508) solved
-- ~~Azure Blob Storage.~~ Minio will be used until [Azure storage gateway](https://github.com/gitpod-io/gitpod-azure-aks-guide/issues/1) is configured
+- ~~Azure MySQL database.~~ MySQL will be provided by Helm until [#5508](https://github.com/gitpod-io/gitpod/issues/5508) solved.
+- Azure Blob Storage.
 - Azure DNS zone.
 - Azure container registry.
 - [calico](https://docs.projectcalico.org) as CNI and NetworkPolicy implementation.

charts/assets/gitpod-values.yaml

@@ -5,8 +5,6 @@
 # - MYSQL_GITPOD_PASSWORD
 # - MYSQL_INSTANCE_NAME
 # - LOCATION
-# - MINIO_ACCESS_KEY
-# - MINIO_SECRET_KEY
 
 hostname: $DOMAIN
 
@@ -68,8 +66,16 @@ mysql:
 # Azure blob storage isn't S3 compatible
 minio:
   enabled: true
-  accessKey: $MINIO_ACCESS_KEY
-  secretKey: $MINIO_SECRET_KEY
+  accessKey: $STORAGE_ACCOUNT_NAME
+  secretKey: $STORAGE_ACCOUNT_KEY
+  fullnameOverride: minio
+  azuregateway:
+    enabled: true
+  persistence:
+    enabled: false
+  serviceAccount:
+    create: true
+    name: minio
 
 docker-registry:
   enabled: false

setup.sh

@@ -214,6 +214,8 @@ EOF
   kubectl apply -f gitpod-certificate.yaml
   rm gitpod-certificate.yaml
 
+  kubectl rollout restart deployment/server
+
   echo "Gitpod successfully installed to ${DOMAIN}..."
 }
 
@@ -390,28 +392,36 @@ function setup_mysql_database() {
 }
 
 function setup_storage() {
-#  @todo use Minio as Azure facade https://docs.min.io/docs/minio-gateway-for-azure.html
-#
-#  if [ "$(az storage account show --name ${STORAGE_ACCOUNT_NAME} --resource-group ${RESOURCE_GROUP} --query "name == '${STORAGE_ACCOUNT_NAME}'" || echo "empty")" == "true" ]; then
-#    echo "Storage account exists..."
-#  else
-#    echo "Create storage account..."
-#    az storage account create \
-#      --access-tier Hot \
-#      --kind StorageV2 \
-#      --name "${STORAGE_ACCOUNT_NAME}" \
-#      --resource-group "${RESOURCE_GROUP}" \
-#      --sku Standard_LRS
-#  fi
-
-  export MINIO_ACCESS_KEY=$(openssl rand -base64 20)
-  export MINIO_SECRET_KEY=$(openssl rand -base64 20)
-
-#  export STORAGE_ACCOUNT_KEY=$(az storage account keys list \
-#      --account-name "${STORAGE_ACCOUNT_NAME}" \
-#      --resource-group "${RESOURCE_GROUP}" \
-#      --output json \
-#        | jq -r '.[] | select(.keyName == "key1") | .value')
+  if [ "$(az storage account show --name ${STORAGE_ACCOUNT_NAME} --resource-group ${RESOURCE_GROUP} --query "name == '${STORAGE_ACCOUNT_NAME}'" || echo "empty")" == "true" ]; then
+    echo "Storage account exists..."
+  else
+    echo "Create storage account..."
+    az storage account create \
+      --access-tier Hot \
+      --kind StorageV2 \
+      --name "${1}" \
+      --resource-group "${RESOURCE_GROUP}" \
+      --sku Standard_LRS
+  fi
+
+  PRINCIPAL_ID=$(az aks show --name "${CLUSTER_NAME}" --resource-group "${RESOURCE_GROUP}" --query "identityProfile.kubeletidentity.objectId" -o tsv)
+  STORAGE_ACCOUNT_ID=$(az storage account show \
+    --name "${STORAGE_ACCOUNT_NAME}" \
+    --output tsv \
+    --query id \
+    --resource-group "${RESOURCE_GROUP}" )
+
+  echo "Allow Kubernetes managed identity to access the storage account..."
+  az role assignment create \
+    --assignee "${PRINCIPAL_ID}" \
+    --role "Storage Blob Data Contributor" \
+    --scope "${STORAGE_ACCOUNT_ID}"
+
+  export STORAGE_ACCOUNT_KEY=$(az storage account keys list \
+      --account-name "${STORAGE_ACCOUNT_NAME}" \
+      --resource-group "${RESOURCE_GROUP}" \
+      --output json \
+        | jq -r '.[] | select(.keyName == "key1") | .value')
 }
 
 function uninstall() {