BucketStateStore

Kratix supports writing to S3-Compatible buckets. See below for the API documentation:

apiVersion: platform.kratix.io/v1alpha1
kind: BucketStateStore
metadata:
  name: default
spec:
  # Bucket name: required
  bucketName: kratix
  # The endpoint of the bucket provider: required
  endpoint: s3.eu-west-2.amazonaws.com
  # Skip TLS verification: optional, defaults to false
  insecure: false
  # The top-level path in the bucket repository to write to: optional
  path: destinations/
  # Valid options: accessKey and IAM; defaults to accessKey
  authMethod: accessKey
  # Required when using the accessKey auth method
  secretRef:
    # The name and namespace of the secret to use to authenticate
    name: s3-credentials
    namespace: default

S3-Compatible Providers

Any S3-Compatible provider will work with Kratix. See the documentation on how to use some of the available providers below:

For other providers, see their documentation for setting up the bucket and credentials.

Auth

The .spec.authMethod key determines which authentication method is used when communicating with the S3-Compatible API. Two types are supported:

  • accessKey
  • IAM

Access Key

When authMethod: accessKey is set, Kratix uses the credentials contained in the secretRef to authenticate with the S3-Compatible bucket. The secret must contain accessKeyID and secretAccessKey. Example:

---
apiVersion: platform.kratix.io/v1alpha1
kind: BucketStateStore
metadata:
  name: default
spec:
  endpoint: minio.kratix-platform-system.svc.cluster.local
  insecure: true
  bucketName: kratix
  secretRef:
    name: minio-credentials
    namespace: default
---
apiVersion: v1
kind: Secret
metadata:
  name: minio-credentials
  namespace: default
type: Opaque
data:
  accessKeyID: <base64 encoded accessKeyID>
  secretAccessKey: <base64 encoded secretAccessKey>
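
One way to produce the Secret above without the usual encoding mistakes, a trailing newline from echo or a base64 value wrapped across lines, either of which changes the credential the cluster stores. This is an added example, not code from the Kratix project; the function names and the sample credentials are constructed for illustration.

```shell
# Added example: render the Secret that a BucketStateStore secretRef points at.
# Function names here are hypothetical, not part of Kratix.

# Base64-encode a value exactly as given: no trailing newline in the input,
# no line wrapping in the output (GNU base64 wraps at 76 columns).
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# render_bucket_secret NAME NAMESPACE ACCESS_KEY_ID SECRET_ACCESS_KEY
# Writes the Secret manifest to stdout; refuses empty or whitespace-bearing
# credentials, which are usually a copy-and-paste accident.
render_bucket_secret() {
  if [ "$#" -ne 4 ]; then
    echo "usage: render_bucket_secret NAME NAMESPACE ACCESS_KEY_ID SECRET_ACCESS_KEY" >&2
    return 2
  fi
  for v in "$3" "$4"; do
    case "$v" in
      ''|*[[:space:]]*)
        echo "credential is empty or contains whitespace" >&2
        return 1 ;;
    esac
  done
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: Opaque
data:
  accessKeyID: $(b64 "$3")
  secretAccessKey: $(b64 "$4")
EOF
}

# decode_key KEY < manifest
# Decodes one data key from a rendered manifest, to confirm what is stored.
decode_key() {
  sed -n "s/^  $1: //p" | base64 --decode
}
```

The rendered manifest can be piped to `kubectl apply -f -` so the credentials never land in a file on disk.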

IAM

When authMethod: IAM is set, Kratix will assume that the place in which it's running has been given permissions to authenticate with the S3 API using its IAM Role. In practice, this might mean that you are running Kratix in AWS, and that the node role for the instance Kratix is running on has been given permissions to read/write to the bucket. Alternatively, rather than giving the node role permissions, you may be using IAM Roles for ServiceAccounts to give permissions to just the Kratix container. With both approaches the configuration for the State Store is the same:

---
apiVersion: platform.kratix.io/v1alpha1
kind: BucketStateStore
metadata:
  name: default
spec:
  bucketName: kratix-example-test
  endpoint: s3.eu-west-2.amazonaws.com # change this to match your bucket's region
  insecure: false
  authMethod: IAM

When running in EKS, you need to ensure your security group rules allow Kratix to access the S3 API. If you are running the cluster in a restricted setup, you can grant access to just the S3 API using gateway VPC endpoints.


Require a different method of authentication? Get in touch with us at feedback@syntasso.io or open a GitHub Issue.