docs: Add S3 compliant storage (#4954)

* docs: Add S3 compliant storage * docs: remote storage state (#4949) * docs: remote storage state document new remote storage state on the worker * docs: Add link on worker storage page * docs: Address feedback * docs: Call out example * docs: Fix a typo * Update website/content/docs/configuration/session-recording/create-storage-bucket.mdx Co-authored-by: Robin Beck <stellarsquall@users.noreply.github.com> * Apply batch of suggestions from code review Co-authored-by: Hugo <10965479+hugoghx@users.noreply.github.com> * docs: Clarify support statement * docs: Revise support statement --------- Co-authored-by: Elim Tsiagbey <elim.tsiagbey@hashicorp.com> Co-authored-by: Robin Beck <stellarsquall@users.noreply.github.com> Co-authored-by: Hugo <10965479+hugoghx@users.noreply.github.com>
2 years ago · c4a01eb398
parent 85b9adea81
commit c4a01eb398
6 changed files with 192 additions and 3 deletions
--- a/website/content/docs/configuration/session-recording/configure-worker-storage.mdx
+++ b/website/content/docs/configuration/session-recording/configure-worker-storage.mdx
@ -64,7 +64,7 @@ Workers can have the following permission states:

 Boundary uses the permission states to determine the remote storage state of a worker. The worker can have the following remote storage states:
 - `available`: All permission states are healthy. The worker has the required access to the external storage.
- `error`: One or more of the permission sates are not healthy. Workers may not be able to perform certain actions on the external storage.
+- `error`: One or more of the permission states are not healthy. Workers may not be able to perform certain actions on the external storage.

 Boundary periodically checks the states of any workers that use the external storage, and then reports them back to the controller.

@ -112,4 +112,4 @@ worker {

 ## Next steps

-After you configure worker storage, you can configure the external storage provider for [Amazon S3](/boundary/docs/configuration/session-recording/storage-providers/configure-s3) or [MinIO](/boundary/docs/configuration/session-recording/storage-providers/configure-minio).
+After you configure worker storage, you can configure the external storage for [Amazon S3](/boundary/docs/configuration/session-recording/storage-providers/configure-s3), [MinIO](/boundary/docs/configuration/session-recording/storage-providers/configure-minio), or an [S3-compliant provider](/boundary/docs/configuration/session-recording/storage-providers/configure-s3-compliant).
--- a/website/content/docs/configuration/session-recording/create-storage-bucket.mdx
+++ b/website/content/docs/configuration/session-recording/create-storage-bucket.mdx
@ -25,6 +25,7 @@ Before you create a storage bucket in Boundary, you must:
 - Configure one of the following storage providers:
   - [Amazon S3](/boundary/docs/configuration/session-recording/storage-providers/configure-s3)
   - [MinIO](/boundary/docs/configuration/session-recording/storage-providers/configure-minio)
+   - [S3-compliant](/boundary/docs/configuration/session-recording/storage-providers/configure-s3-compliant)

 ## Create a storage bucket

@ -314,6 +315,83 @@ Complete the following steps to create a storage bucket in Boundary.
 </Tab>
 </Tabs>

+</Tab>
+
+<Tab heading="S3-compliant">
+
+Complete the following steps to create a storage bucket in Boundary using an S3-compliant storage provider. Hitachi Content Platform is used as an example below.
+
+<Note>
+
+  S3-compliant storage requires a service account and its associated access keys to set up a Boundary storage bucket. Refer to the [Configure S3-compliant storage](/boundary/docs/configuration/session-recording/storage-providers/configure-s3-compliant#s3-compliant-storage-provider-requirements) page to learn more.
+
+</Note>
+
+<Tabs>
+<Tab heading="UI">
+
+1. Log in to Boundary.
+1. Click **Storage Buckets** in the navigation bar.
+1. Click **New Storage Bucket**.
+1. Complete the following fields to create the Boundary storage bucket:
+   - **Name**: (Optional) The name field is optional, but if you enter a name it must be unique.
+   - **Description**: (Optional) An optional description of the Boundary storage bucket for identification purposes.
+   - **Scope**: (Required) A storage bucket can belong to the Global scope or an Org scope.
+   It can only be associated with targets from the scope it belongs to.
+   - **Provider**: (Required) The external storage bucket provider.
+   For S3-compliant storage, select **MinIO**.
+   - **Endpoint URL**: (Required) The fully-qualified endpoint pointing to a storage provider's S3 API, such as `https://my-hitachi-instance.dev:9000`.
+   - **Bucket name**: (Required) Name of the S3-compliant storage bucket you want to associate with the Boundary storage bucket.
+   - **Region**: (Optional) The region to configure the storage bucket for.
+   - **Access key ID** (Required): The storage provider's service account's access key to use with this storage bucket.
+   - **Secret access key** (Required): The storage provider's service account's secret key to use with this storage bucket.
+   - **Worker filter**: (Required) A filter that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a Boundary storage bucket.
+   - **Disable credential rotation**: (Optional) Controls whether the plugin will rotate the incoming credentials and manage a new storage service account. If this attribute is set to false, or not provided, the plugin will rotate the incoming credentials, using them to create a new storage service account, then delete the incoming credentials.
+
+     Note that credential rotation is not supported for Hitachi Content Platform, and it may not function for other S3-compatible providers.
+
+1. Click **Save**.
+
+</Tab>
+<Tab heading="CLI">
+
+1. Log in to Boundary.
+1. Use the following command to create a storage bucket in Boundary:
+
+   ```shell-session
+   $ boundary storage-buckets create \
+      -bucket-name mystoragebucket \
+      -plugin-name minio \
+      -scope-id o_1234567890 \
+      -bucket-prefix="foo/bar/zoo" \
+      -worker-filter '"dev" in "/tags/type"' \
+      -attr endpoint_url="https://my-hitachi-instance.dev:9000" \
+      -attr region="REGION" \
+      -attr disable_credential_rotation=true \
+      -secret access_key_id="KEY" \
+      -secret secret_access_key="SECRET"
+   ```
+
+   Replace the values above with the following required secrets and any optional [attributes](/boundary/docs/concepts/domain-model/storage-buckets) you want to associate with the Boundary storage bucket:
+
+   - `bucket-name`: (Required) Name of the S3-compliant storage bucket you want to associate with the Boundary storage bucket.
+   - `plugin-name`: (Required) The name of the Boundary storage plugin.
+   Use the `minio` plugin for S3-compatible storage.
+   - `scope_id`: (Required) A storage bucket can belong to the Global scope or an Org scope.
+   - `worker-filter`: (Required) A filter that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a Boundary storage bucket.
+   - `secret`: (Required) The storage provider's credentials to use.
+      - `access_key_id` (Required): The storage provider's service account's access key to use with this storage bucket.
+      - `secret_access_key` (Required): The storage provider's service account's secret key to use with this storage bucket.
+   - `attributes` or `-attr`: Attributes of the S3-compliant storage bucket.
+      - `endpoint_url` (Required): Fully-qualified endpoint pointing to an S3-compliant API. This example uses Hitachi, but you should substitute your storage provider's endpoint.
+      - `region`: (Optional) The region to configure the storage bucket for.
+      - `disable_credential_rotation`: (Optional) Controls whether the plugin will rotate the incoming credentials and manage a new storage service account. If this attribute is set to `false`, or not provided, the plugin will rotate the incoming credentials to create a new storage service account, then delete the incoming credentials.
+
+      Note that credential rotation is not supported for Hitachi Content Platform, and it may not function for other S3-compatible providers.
+
+</Tab>
+</Tabs>
+
 </Tab>
 </Tabs>

--- a/website/content/docs/configuration/session-recording/index.mdx
+++ b/website/content/docs/configuration/session-recording/index.mdx
@ -40,6 +40,7 @@ To enable session recording, you must:
 1. Configure an external storage provider:
   - [Amazon S3](/boundary/docs/configuration/session-recording/storage-providers/configure-s3)
   - [MinIO](/boundary/docs/configuration/session-recording/storage-providers/configure-minio)
+   - [S3-compliant](/boundary/docs/configuration/session-recording/storage-providers/configure-s3-compliant)
 1. [Create a storage bucket](/boundary/docs/configuration/session-recording/create-storage-bucket)
 1. [Enable session recording on a target](/boundary/docs/configuration/session-recording/enable-session-recording)

--- a/website/content/docs/configuration/session-recording/storage-providers/configure-s3-compliant.mdx
+++ b/website/content/docs/configuration/session-recording/storage-providers/configure-s3-compliant.mdx
@ -0,0 +1,106 @@
+---
+layout: docs
+page_title: Configure S3-compliant storage
+description: |-
+  How to configure an S3-compliant storage provider for Boundary session recording.
+---
+
+# Configure an S3-compliant storage provider
+
+<EnterpriseAlert product="boundary">This feature requires <a href="https://www.hashicorp.com/products/boundary">HCP Boundary or Boundary Enterprise</a></EnterpriseAlert>
+
+The [MinIO plugin](https://github.com/hashicorp/boundary-plugin-minio/) lets you configure S3-compliant storage providers for session recording.
+
+HashiCorp has tested and confirmed that you can configure the following S3-compliant storage products for session recording using the MinIO plugin:
+
+- [Hitachi Content Platform](#hitachi-content-platform-configuration)
+
+You can also configure other providers' S3-compliant storage products for session recording storage.
+We will update the list of providers as we test them.
+
+## Requirements
+
+Before you can create a storage bucket in Boundary, you must ensure that your environment meets certain requirements.
+
+Session recording requires specific configuration for both the external storage provider and the Boundary worker.
+
+Refer to [Configure workers for session recording](/boundary/docs/configuration/session-recording/configure-worker-storage) to learn about configuring self-managed workers for session recording.
+
+When you determine storage requirements for the external bucket, you should consider:
+
+- [BSR storage considerations](/boundary/docs/configuration/session-recording#storage-considerations)
+- [Storage bucket retention policies](/boundary/docs/configuration/session-recording/configure-storage-policy)
+
+### S3-compliant storage provider requirements
+
+- A storage bucket
+
+   You must associate the Boundary storage bucket with a third-party storage bucket. A third-party storage bucket contains the bucket name, endpoint URL, optional region, optional prefix, and the service account credentials needed to access the bucket.
+
+- A service account and access keys for the storage provider
+
+   You must provide service account access keys when you configure a Boundary storage bucket later on.
+
+   Refer to your storage provider's documentation to learn how to set up a service account.
+
+- The storage bucket must be configured with R/W access. If you use a
+  restricted IAM user policy, the following policy actions must be allowed at a minimum.
+
+   ```json
+   {
+     "Version": "2012-10-17",
+     "Statement": [
+        {
+           "Action": [
+             "s3:PutObject",
+             "s3:GetObject",
+             "s3:GetObjectAttributes",
+             "s3:DeleteObject"
+           ],
+           "Effect": "Allow",
+           "Resource": "arn:aws:s3:::test-session-recording-bucket/*"
+        },
+        {
+           "Action": "s3:ListBucket",
+           "Effect": "Allow",
+           "Resource": "arn:aws:s3:::test-session-recording-bucket"
+        }
+     ]
+   }
+   ```
+
+### Hitachi Content Platform configuration
+
+HashiCorp has tested and confirmed that you can configure the Hitachi Content Platform for external session recording storage using the MinIO plugin.
+It is included as an example in this topic.
+You should be able to configure other S3-compliant storage providers to work for session recording storage as well, but we have not tested other providers.
+
+You must have an account with Hitachi Content Platform to create storage buckets.
+You can sign up for an account at the following URL:
+
+[https://trycontent.hitachivantara.com](https://trycontent.hitachivantara.com)
+
+When you sign up for an account, Hitachi sends you the details you need to connect to the instance including the endpoint, S3 access key ID, and S3 secret key.
+Log in to Hitachi's S3 console to create a storage bucket, and make a note of the bucket's name.
+
+In Boundary, set the following environment variables using your Hitachi credentials and the name of the bucket:
+
+```
+export BUCKET_NAME=<YOUR_HITACHI_BUCKET_NAME>
+export STORAGE_ACCESS_KEY_ID=<YOUR_HITACHI_ACCESS_KEY_ID>
+export STORAGE_SECRET_ACCESS_KEY=<YOUR_HITACHI_SECRET_KEY>
+```
+
+<Note>
+
+Credential rotation is not supported for Hitachi Content Platform.
+
+</Note>
+
+## Resources
+
+Refer to your S3-compliant storage provider's documentation for more information about configuring storage buckets and service accounts.
+
+## Next steps
+
+After you configure the external storage provider, you can [create the storage bucket](/boundary/docs/configuration/session-recording/create-storage-bucket) in Boundary.
--- a/website/content/docs/configuration/session-recording/storage-providers/configure-s3.mdx
+++ b/website/content/docs/configuration/session-recording/storage-providers/configure-s3.mdx
@ -2,7 +2,7 @@
 layout: docs
 page_title: Configure Amazon S3
 description: |-
-  How to Amazon S3 as a storage provider for Boundary session recording.
+  How to configure Amazon S3 as a storage provider for Boundary session recording.
 ---

 # Configure Amazon S3 as a storage provider
--- a/website/data/docs-nav-data.json
+++ b/website/data/docs-nav-data.json
@ -545,6 +545,10 @@
              {
                "title": "MinIO",
                "path": "configuration/session-recording/storage-providers/configure-minio"
+              },
+              {
+                "title": "S3-compliant",
+                "path": "configuration/session-recording/storage-providers/configure-s3-compliant"
              }
            ]
          },