minio/docs
1
0
Fork 0
mirror of https://github.com/minio/docs.git synced 2025-07-30 07:03:26 +03:00
Code Activity

DOCS-1273: Operator 6.0.0 Deploy/Upgrade docs, removing Console references (#1284)

Browse Source 
Addresses #1273 

# Summary

This pass does three things:

1. Updates all tutorials related to Operator/Tenant deployment for
Kustomize and Helm
2. Removes references to Operator Console + updates to reference
Kustomize/Helm wherever possible
3. Slightly tidies up old or dangling references

This pass does not do these things:

- Link out heavily to Kubernetes docs (for later)
- Clean up organization (singleplat build handles this)
- Addresses OpenShift, Rancher, etc.

---------

Co-authored-by: Andrea Longo <feorlen@users.noreply.github.com>
Co-authored-by: Allan Roger Reid <allanrogerreid@gmail.com>
Co-authored-by: Daryl White <53910321+djwfyi@users.noreply.github.com>
This commit is contained in:
Ravind Kumar
2024-08-01 15:51:39 -04:00
committed by GitHub
parent 7722414e1b
commit 23253dd71c
20 changed files with 966 additions and 1383 deletions
Download Patch File Download Diff File Expand all files Collapse all files

100
source/includes/common/common-install-operator-kustomize.rst
View File

@ -66,42 +66,6 @@ The following procedure uses ``kubectl -k`` to install the Operator from the Min
.. _minio-k8s-deploy-operator-access-console:
#. *(Optional)* Configure access to the Operator Console service
The Operator Console service does not automatically bind or expose itself for external access on the Kubernetes cluster.
You must instead configure a network control plane component, such as a load balancer or ingress, to grant that external access.
For testing purposes or short-term access, expose the Operator Console service through a NodePort using the following patch:
.. code-block:: shell
:class: copyable
kubectl patch service -n minio-operator console -p '
{
"spec": {
"ports": [
{
"name": "http",
"port": 9090,
"protocol": "TCP",
"targetPort": 9090,
"nodePort": 30090
},
{
"name": "https",
"port": 9443,
"protocol": "TCP",
"targetPort": 9443,
"nodePort": 30433
}
],
"type": "NodePort"
}
}'
The patch command should output ``service/console patched``.
You can now access the service through ports ``30433`` (HTTPS) or ``30090`` (HTTP) on any of your Kubernetes worker nodes.
#. Verify the Operator installation
Check the contents of the specified namespace (``minio-operator``) to ensure all pods and services have started successfully.
@ -123,7 +87,6 @@ The following procedure uses ``kubectl -k`` to install the Operator from the Min
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/operator ClusterIP 10.43.135.241 <none> 4221/TCP 5m20s
service/sts ClusterIP 10.43.117.251 <none> 4223/TCP 5m20s
service/console NodePort 10.43.235.38 <none> 9090:30090/TCP,9443:30433/TCP 5m20s
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/console 1/1 1 1 5m20s
@ -133,63 +96,10 @@ The following procedure uses ``kubectl -k`` to install the Operator from the Min
replicaset.apps/console-56c7d8bd89 1 1 1 5m20s
replicaset.apps/minio-operator-6c758b8c45 2 2 2 5m20s
#. Retrieve the Operator Console JWT for login
#. Next Steps
.. code-block:: shell
:class: copyable
You can deploy MinIO tenants using the :ref:`MinIO CRD and Kustomize. <minio-k8s-deploy-minio-tenant>`
MinIO also provides a :ref:`Helm chart for deploying Tenants <deploy-tenant-helm>`.
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
name: console-sa-secret
namespace: minio-operator
annotations:
kubernetes.io/service-account.name: console-sa
type: kubernetes.io/service-account-token
EOF
SA_TOKEN=$(kubectl -n minio-operator get secret console-sa-secret -o jsonpath="{.data.token}" | base64 --decode)
echo $SA_TOKEN
The output of this command is the JSON Web Token (JWT) login credential for Operator Console.
#. Log into the MinIO Operator Console
.. tab-set::
.. tab-item:: NodePort
:selected:
If you configured the service for access through a NodePort, specify the hostname of any worker node in the cluster with that port as ``HOSTNAME:NODEPORT`` to access the Console.
For example, a deployment configured with a NodePort of 30090 and the following ``InternalIP`` addresses can be accessed at ``http://172.18.0.5:30090``.
.. code-block:: shell
:class: copyable
kubectl get nodes -o custom-columns=IP:.status.addresses[:]
IP
map[address:172.18.0.5 type:InternalIP],map[address:k3d-MINIO-agent-3 type:Hostname]
map[address:172.18.0.6 type:InternalIP],map[address:k3d-MINIO-agent-2 type:Hostname]
map[address:172.18.0.2 type:InternalIP],map[address:k3d-MINIO-server-0 type:Hostname]
map[address:172.18.0.4 type:InternalIP],map[address:k3d-MINIO-agent-1 type:Hostname]
map[address:172.18.0.3 type:InternalIP],map[address:k3d-MINIO-agent-0 type:Hostname]
.. tab-item:: Ingress or Load Balancer
If you configured the ``svc/console`` service for access through ingress or a cluster load balancer, you can access the Console using the configured hostname and port.
.. tab-item:: Port Forwarding
You can use ``kubectl port forward`` to temporary forward ports for the Console:
.. code-block:: shell
:class: copyable
kubectl port-forward svc/console -n minio-operator 9090:9090
You can then use ``http://localhost:9090`` to access the MinIO Operator Console.
Once you access the Console, use the Console JWT to log in.
You can now :ref:`deploy and manage MinIO Tenants using the Operator Console <deploy-minio-distributed>`.
MinIO recommends using the same method of Tenant deployment and management used to install the Operator.
Mixing Kustomize and Helm for Operator or Tenant management may increase operational complexity.

2
source/includes/common/common-k8s-connect-operator-console-no-plugin.rst
View File

@ -1,8 +1,6 @@
The Operator Console service does not automatically bind or expose itself for external access on the Kubernetes cluster.
Instead, you must configure a network control plane component, such as a load balancer or ingress, to grant external access.
.. cond:: k8s
For testing purposes or short-term access, expose the Operator Console service through a NodePort using the following patch:
.. code-block:: shell

36
source/includes/k8s/deploy-operator.rst
View File

@ -31,16 +31,15 @@ While this documentation *may* provide guidance for configuring or deploying Kub
MinIO Operator Components
-------------------------
The MinIO Operator exists in its own namespace.
Within the Operator's namespace, the MinIO Operator utilizes two pods:
The MinIO Operator exists in its own namespace in which it creates Kubernetes resources.
Those resources includes pods, services, replicasets, and deployments.
- The Operator pod for the base Operator functions to deploy, manage, modify, and maintain tenants.
- Console pod for the Operator's Graphical User Interface, the Operator Console.
The Operator pods monitor all namespaces by default for objects using the MinIO CRD and manages those resources automatically.
When you use the Operator to create a tenant, the tenant *must* have its own namespace.
Within that namespace, the Operator generates the pods required by the tenant configuration.
Each pod runs three containers:
Each Tenant pod runs three containers:
- MinIO Container that runs all of the standard MinIO functions, equivalent to basic MinIO installation on baremetal.
This container stores and retrieves objects in the provided mount points (persistent volumes).
@ -51,32 +50,29 @@ Each pod runs three containers:
- SideCar container that monitors configuration secrets for the tenant and updates them as they change.
This container also monitors for root credentials and creates an error if it does not find root credentials.
Starting with v5.0.6, the MinIO Operator supports custom :kube-docs:`init containers <concepts/workloads/pods/init-containers>` for additional pod initialization that may be required for your environment.
The tenant utilizes Persistent Volume Claims to talk to the Persistent Volumes that store the objects.
.. image:: /images/k8s/OperatorsComponent-Diagram.png
:width: 600px
:alt: A diagram of the namespaces and pods used by or maintained by the MinIO Operator.
:align: center
.. Image references Console pods, need to fix this up
.. .. image:: /images/k8s/OperatorsComponent-Diagram.png
.. :width: 600px
.. :alt: A diagram of the namespaces and pods used by or maintained by the MinIO Operator.
.. :align: center
.. _minio-operator-prerequisites:
Prerequisites
-------------
Kubernetes Version 1.21.0
~~~~~~~~~~~~~~~~~~~~~~~~~
Kubernetes Version |k8s-floor|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. important::
MinIO tests |operator-version-stable| against a floor of Kubernetes API of |k8s-floor|.
MinIO **strongly recommends** maintaining Kubernetes infrastructure using `actively maintained Kubernetes API versions <https://kubernetes.io/releases/>`__.
MinIO **strongly recommends** upgrading Production clusters running `End-Of-Life <https://kubernetes.io/releases/patch-releases/#non-active-branch-history>`__ Kubernetes APIs.
Starting with v5.0.0, MinIO **requires** Kubernetes 1.21.0 or later for both the infrastructure and the ``kubectl`` CLI tool.
MinIO **strongly recommends** upgrading Kubernetes clusters running with `End-Of-Life API versions <https://kubernetes.io/releases/patch-releases/#non-active-branch-history>`__
.. versionadded:: Operator 5.0.6
For Kubernetes 1.25.0 and later, MinIO supports deploying in environments with the :kube-docs:`Pod Security admission (PSA) <concepts/security/pod-security-admission>` ``restricted`` policy enabled.
Kustomize and ``kubectl``
@ -100,7 +96,7 @@ Kubernetes TLS Certificate API
The MinIO Operator manages TLS Certificate Signing Requests (CSR) using the Kubernetes ``certificates.k8s.io`` :kube-docs:`TLS certificate management API <tasks/tls/managing-tls-in-a-cluster/>` to create signed TLS certificates in the following circumstances:
- When ``autoCert`` is enabled.
- For the MinIO Console when the :envvar:`MINIO_CONSOLE_TLS_ENABLE` environment variable is set to ``on``.
- For the MinIO Tenant Console when the :envvar:`MINIO_CONSOLE_TLS_ENABLE` environment variable is set to ``on``.
- For :ref:`STS service <minio-security-token-service>` when :envvar:`OPERATOR_STS_ENABLED` environment variable is set to ``on``.
- For retrieving the health of the cluster.

48
source/includes/k8s/steps-configure-keycloak-identity-management.rst
View File

@ -37,59 +37,11 @@ Set the value to any :ref:`policy <minio-policy>` on the MinIO deployment.
MinIO supports multiple methods for configuring Keycloak authentication:
- Using the MinIO Operator Console
- Using the MinIO Tenant Console
- Using a terminal/shell and the :mc:`mc idp openid` command
.. tab-set::
.. tab-item:: MinIO Operator Console
You can use the MinIO Operator Console to configure Keycloak as the External Identity Provider for the MinIO Tenant.
See :ref:`minio-operator-console-connect` for specific instructions.
Select :guilabel:`Identity Provider` from the left-hand navigation bar, then select :guilabel:`OpenID`.
Select :guilabel:`Create Configuration` to create a new configuration.
Enter the following information into the modal:
.. list-table::
:stub-columns: 1
:widths: 30 70
:width: 100%
* - :guilabel:`Name`
- Enter a unique name for the Keycloak instance
* - :guilabel:`Config URL`
- Specify the address of the Keycloak OpenID configuration document (|KEYCLOAK_URL|)
Ensure the ``REALM`` matches the Keycloak realm you want to use for authenticating users to MinIO
* - :guilabel:`Client ID`
- Specify the name of the Keycloak client created in Step 1
* - :guilabel:`Client Secret`
- Specify the secret credential value for the Keycloak client created in Step 1
* - :guilabel:`Display Name`
- Specify the user-facing name the MinIO Console should display as part of the Single-Sign On (SSO) workflow for the configured Keycloak service
* - :guilabel:`Scopes`
- Specify the OpenID scopes to include in the JWT, such as ``preferred_username`` or ``email``
You can reference these scopes using supported OpenID policy variables for the purpose of programmatic policy configurations
* - :guilabel:`Redirect URI Dynamic`
- Toggle to ``on``
Substitutes the MinIO Console address used by the client as part of the Keycloak redirect URI.
Keycloak returns authenticated users to the Console using the provided URI.
For MinIO Console deployments behind a reverse proxy, load balancer, or similar network control plane, you can instead use the :envvar:`MINIO_BROWSER_REDIRECT_URL` variable to set the redirect address for Keycloak to use.
Select :guilabel:`Save` to apply the configuration.
.. tab-item:: MinIO Tenant Console
You can use the MinIO Tenant Console to configure Keycloak as the External Identity Provider for the MinIO Tenant.

25
source/includes/openshift/deploy-minio-on-openshift.rst
View File

@ -133,7 +133,7 @@ Once installation completes, click :guilabel:`View Operator` to view the MinIO O
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you have installed the MinIO Operator from Red Hat OperatorHub, the installation process also configures the :openshift-docs:`OpenShift Service CA Operator <security/certificate_types_descriptions/service-ca-certificates.html>`.
This Operator manages the TLS certificates required to access the MinIO Operator Console and Tenants.
This Operator manages the TLS certificates required to access MinIO Tenants.
It automatically renews and rotates the certificates 13 months before expiration.
No additional action is required.
@ -287,29 +287,8 @@ You can find the MinIO Operator Interface from the :guilabel:`Operators` left-ha
3. Select :guilabel:`MinIO Operators` from the list of installed operators.
The :guilabel:`Status` column must read :guilabel:`Success` to access the Operator interface.
5) Access the Operator Console
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The MinIO Operator includes the Operator Console, a browser-based management interface for managed MinIO tenants.
.. include:: /includes/common/common-k8s-connect-operator-console.rst
You can create a permanent routing rule by creating a :openshift-docs:`Route or Ingress <networking/understanding-networking.html#nw-ne-comparing-ingress-route_understanding-networking>` to allow access from external clients, such as your local computer browser.
The following steps provides a summary of actions necessary to create a Route.
#. From :guilabel:`Networking`, go to :guilabel:`Routes`
#. Create a new Route in the MinIO Operator project.
Select a recognizable route name, such as ``operator-console-route``.
#. Set the :guilabel:`Hostname` as per your organizations networking and hostname topology.
Omit the hostname to allow OpenShift to generate it automatically
#. Set the :guilabel:`Service` to :guilabel:`console`
#. Set the :Guilabel:`Target Port` to ``9090``
You can then access the Operator Console using the configured Route.
The Operator Console still requires using the generated JWT token for access, which you can generate at any time using ``oc minio port-forward``.
6) Next Steps
5) Next Steps
~~~~~~~~~~~~~
After deploying the MinIO Operator, you can create a new MinIO Tenant.