BucketStateStore

Kratix supports writing to S3-Compatible buckets. See below for the API documentation:

apiVersion: platform.kratix.io/v1alpha1
kind: BucketStateStore
metadata:
  name: default
spec:
  # Bucket name: required
  bucketName: kratix
  # The endpoint of the bucket provider: required
  endpoint: s3.eu-west-2.amazonaws.com
  # Skip TLS veritfication: optional, defaults to false
  insecure: false
  # The Top-level path in the Bucket repository to write to: optional
  path: destinations/
  # Valid options: accessKey, and IAM; defaults to accessKey
  authMethod: accessKey
  # Required when using accessKey auth method
  secretRef:
    # The name and namespace of the secret to use to authenticate 
    name: s3-credentials
    namespace: default

S3-Compatible Providers

Any S3-Compatible provider will work with Kratix. See the documentation on how to use some of the available providers below:

• AWS S3
• GCS S3-compatible storage
• MinIO

For other providers see there documentation for setting up the bucket and credentials.

Auth

The .spec.authMethod key is used to determine which authentication method should be used when communicating to the S3-Compatible API. There are two supports types:

• accessKey
• IAM

Access Key

When authMethod: accessKey is set Kratix uses the credentials contained in the secretRef to authenticate with the S3-Compatible Bucket. The secret must contain accessKeyID and secretAccessKey. Example:

---
apiVersion: platform.kratix.io/v1alpha1
kind: BucketStateStore
metadata:
  name: default
spec:
  endpoint: minio.kratix-platform-system.svc.cluster.local
  insecure: true
  bucketName: kratix
  secretRef:
    name: minio-credentials
    namespace: default
---
apiVersion: v1
kind: Secret
metadata:
  name: minio-credentials
  namespace: default
type: Opaque
data:
  accessKeyID: <base64 encoded accessKeyID>
  secretAccessKey: <base64 encoded secretAccessKey>

IAM

When authMethod: IAM is set, Kratix will assume that the place in which it's running has been given permissions to authenticate with the S3 API using its IAM Role. In practise, this might mean that you are running Kratix in AWS, and that the node role for the instance Kratix is running on has been given permissions to read/write to the bucket. Similarly, rather than giving the node role permissions, you may be using IAM Roles for ServiceAccounts to give permissions to just the Kratix container. With both approaches the configuration for the State store is the same:

---
apiVersion: platform.kratix.io/v1alpha1
kind: BucketStateStore
metadata:
  name: default
spec:
  bucketName: kratix-example-test
  endpoint: s3.eu-west-2.amazonaws.com # ensure to change with your bucket region.
  insecure: false
  authMethod: IAM

When running in EKS you need to ensure your security group rules allow Kratix to access the S3 API. If you are running the cluster in a restrictred setup you can grant the access to just the S3 API using gateway VPC endpoints

---

Require a different method of authentication? Get in touch with us at feedback@syntasso.io or open a GitHub Issue.