From 3a52f00cb7156a020a72c2782267057b4687a71d Mon Sep 17 00:00:00 2001
From: Daryl White <53910321+djwfyi@users.noreply.github.com>
Date: Thu, 14 Mar 2024 17:28:29 -0400
Subject: [PATCH] Release work for two server releases (#1157)

Release work for Server RELEASE.2024-03-03T17-50-39Z

- Adds new NATS config
- Adds new ilm configs
- Adds info on having a KMS auto generate root credentials

Closes #1144

Release work for Server RELEASE.2024-03-10T02-53-48Z

- Corrects a missing URL excludes line for some builds
- Adds new webhook options

Closes #1155

Staged:
- [Webhook config](http://192.241.195.202:9000/staging/release-work/linux/reference/minio-server/settings/metrics-and-logging.html#envvar.MINIO_AUDIT_WEBHOOK_BATCH_SIZE)
- [NATS config](http://192.241.195.202:9000/staging/release-work/linux/reference/minio-server/settings/notifications/nats.html#user-credentials-file)
- [Root credentials](http://192.241.195.202:9000/staging/release-work/linux/operations/install-deploy-manage/deploy-minio-single-node-single-drive.html#create-the-environment-variable-file)
- [ILM config](http://192.241.195.202:9000/staging/release-work/linux/reference/minio-server/settings/ilm.html)
---
 source/includes/common/common-deploy.rst | 26 +++++++++-
 ...s-deploy-minio-single-node-multi-drive.rst | 4 ++
 ...-deploy-minio-single-node-single-drive.rst | 4 ++
 ...s-deploy-minio-single-node-multi-drive.rst | 4 ++
 ...-deploy-minio-single-node-single-drive.rst | 4 ++
 ...s-deploy-minio-single-node-multi-drive.rst | 4 ++
 ...-deploy-minio-single-node-single-drive.rst | 4 ++
 .../reference/minio-server/minio-server.rst | 1 +
 .../reference/minio-server/settings/ilm.rst | 44 +++++++++++++++++
 .../settings/metrics-and-logging.rst | 47 +++++++++++++++++++
 .../settings/notifications/nats.rst | 20 ++++++++
 .../settings/root-credentials.rst | 9 ++++
 source/url-excludes.yaml | 4 ++
 13 files changed, 174 insertions(+), 1 deletion(-)
 create mode 100644 source/reference/minio-server/settings/ilm.rst
diff --git a/source/includes/common/common-deploy.rst b/source/includes/common/common-deploy.rst index f7600458..e267db9b 100644 --- a/source/includes/common/common-deploy.rst +++ b/source/includes/common/common-deploy.rst @@ -32,10 +32,34 @@ The following example provides a starting environment file: #MINIO_SERVER_URL="http://minio.example.net:9000" -Include any other environment variables as required for your local deployment. +Include any other environment variables as required for your deployment. .. end-common-deploy-create-environment-file-single-drive +.. start-common-deploy-create-unique-root-credentials + +.. versionadded:: Server RELEASE.2024-03-03T17-50-39Z + + MinIO automatically generates unique root credentials if all of the following conditions are true: + + - :kes-docs:`KES ` Release 2024-03-01T18-06-46Z or later running + - **Have not** defined: + - ``MINIO_ROOT_USER`` variable + - ``MINIO_ROOT_PASSWORD`` variable + + - **Have**: + - set up KES with a :kes-docs:`supported KMS target <#supported-kms-targets>` + - disabled root access with the :ref:`MinIO environment variable ` + + When those conditions are met at startup, MinIO uses the KMS to generate unique root credentials for the deployment using a `hash-based message authentication code (HMAC) `__. + + If MinIO generates such credentials, the key used to generate the credentials **must** remain the same *and* continue to exist. + All data on the deployment is encrypted with this key! + + To rotate the generated root credentials, generate a new key in the KMS, then update the value of the :envvar:`MINIO_KMS_KES_KEY_NAME` with the new key. + +.. end-common-deploy-create-unique-root-credentials + .. start-common-deploy-create-environment-file-multi-drive Create an environment variable file at ``/etc/default/minio``. 
diff --git a/source/includes/container/steps-deploy-minio-single-node-multi-drive.rst b/source/includes/container/steps-deploy-minio-single-node-multi-drive.rst index e8e664e1..7483b690 100644 --- a/source/includes/container/steps-deploy-minio-single-node-multi-drive.rst +++ b/source/includes/container/steps-deploy-minio-single-node-multi-drive.rst @@ -12,6 +12,10 @@ :start-after: start-common-deploy-create-environment-file-multi-drive :end-before: end-common-deploy-create-environment-file-multi-drive +.. include:: /includes/common/common-deploy.rst + :start-after: start-common-deploy-create-unique-root-credentials + :end-before: end-common-deploy-create-unique-root-credentials + 3) Create and Run the Container ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/source/includes/container/steps-deploy-minio-single-node-single-drive.rst b/source/includes/container/steps-deploy-minio-single-node-single-drive.rst index 47841d60..5e6308d0 100644 --- a/source/includes/container/steps-deploy-minio-single-node-single-drive.rst +++ b/source/includes/container/steps-deploy-minio-single-node-single-drive.rst @@ -12,6 +12,10 @@ :start-after: start-common-deploy-create-environment-file-single-drive :end-before: end-common-deploy-create-environment-file-single-drive +.. include:: /includes/common/common-deploy.rst + :start-after: start-common-deploy-create-unique-root-credentials + :end-before: end-common-deploy-create-unique-root-credentials + 3) Create and Run the Container ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/source/includes/linux/steps-deploy-minio-single-node-multi-drive.rst b/source/includes/linux/steps-deploy-minio-single-node-multi-drive.rst index 02facaab..c2afc3fd 100644 --- a/source/includes/linux/steps-deploy-minio-single-node-multi-drive.rst +++ b/source/includes/linux/steps-deploy-minio-single-node-multi-drive.rst 
@@ -19,6 +19,10 @@ :start-after: start-common-deploy-create-environment-file-multi-drive :end-before: end-common-deploy-create-environment-file-multi-drive +.. include:: /includes/common/common-deploy.rst + :start-after: start-common-deploy-create-unique-root-credentials + :end-before: end-common-deploy-create-unique-root-credentials + 4) Start the MinIO Service ~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/source/includes/linux/steps-deploy-minio-single-node-single-drive.rst b/source/includes/linux/steps-deploy-minio-single-node-single-drive.rst index 5c27c773..9d289688 100644 --- a/source/includes/linux/steps-deploy-minio-single-node-single-drive.rst +++ b/source/includes/linux/steps-deploy-minio-single-node-single-drive.rst @@ -19,6 +19,10 @@ :start-after: start-common-deploy-create-environment-file-single-drive :end-before: end-common-deploy-create-environment-file-single-drive +.. include:: /includes/common/common-deploy.rst + :start-after: start-common-deploy-create-unique-root-credentials + :end-before: end-common-deploy-create-unique-root-credentials + 4) Start the MinIO Service ~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/source/includes/macos/steps-deploy-minio-single-node-multi-drive.rst b/source/includes/macos/steps-deploy-minio-single-node-multi-drive.rst index ce9b7538..f189a219 100644 --- a/source/includes/macos/steps-deploy-minio-single-node-multi-drive.rst +++ b/source/includes/macos/steps-deploy-minio-single-node-multi-drive.rst @@ -12,6 +12,10 @@ :start-after: start-common-deploy-create-environment-file-multi-drive :end-before: end-common-deploy-create-environment-file-multi-drive +.. include:: /includes/common/common-deploy.rst + :start-after: start-common-deploy-create-unique-root-credentials + :end-before: end-common-deploy-create-unique-root-credentials + 3) Start the MinIO Deployment ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
diff --git a/source/includes/macos/steps-deploy-minio-single-node-single-drive.rst b/source/includes/macos/steps-deploy-minio-single-node-single-drive.rst index 6fa74523..e1ed2f0b 100644 --- a/source/includes/macos/steps-deploy-minio-single-node-single-drive.rst +++ b/source/includes/macos/steps-deploy-minio-single-node-single-drive.rst @@ -12,6 +12,10 @@ :start-after: start-common-deploy-create-environment-file-single-drive :end-before: end-common-deploy-create-environment-file-single-drive +.. include:: /includes/common/common-deploy.rst + :start-after: start-common-deploy-create-unique-root-credentials + :end-before: end-common-deploy-create-unique-root-credentials + 3) Start the MinIO Deployment ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/source/reference/minio-server/minio-server.rst b/source/reference/minio-server/minio-server.rst index f6d6b805..7726bf49 100644 --- a/source/reference/minio-server/minio-server.rst +++ b/source/reference/minio-server/minio-server.rst @@ -259,6 +259,7 @@ If you set both a configuration value and the matching environment variable, Min /reference/minio-server/settings/metrics-and-logging /reference/minio-server/settings/notifications /reference/minio-server/settings/iam + /reference/minio-server/settings/ilm /reference/minio-server/settings/kes /reference/minio-server/settings/object-lambda /reference/minio-server/settings/deprecated \ No newline at end of file diff --git a/source/reference/minio-server/settings/ilm.rst b/source/reference/minio-server/settings/ilm.rst new file mode 100644 index 00000000..45765c1c --- /dev/null +++ b/source/reference/minio-server/settings/ilm.rst 
@@ -0,0 +1,44 @@ +.. _minio-server-envvar-ilm: + +============ +ILM Settings +============ + +.. default-domain:: minio + +.. contents:: Table of Contents + :local: + :depth: 2 + +This page covers settings that control Information Lifecycle Management (ILM) for the MinIO process. + +.. include:: /includes/common-mc-admin-config.rst + :start-after: start-minio-settings-defined + :end-before: end-minio-settings-defined + +.. include:: /includes/common-mc-admin-config.rst + :start-after: start-minio-settings-test-before-prod + :end-before: end-minio-settings-test-before-prod + +Expiration Workers +------------------ + +.. tab-set:: + + .. tab-item:: Environment Variable + :sync: envvar + + .. envvar:: MINIO_ILM_EXPIRATION_WORKERS + + .. tab-item:: Configuration Setting + :sync: config + + .. mc-conf:: ilm expiration_workers + :delimiter: " " + +.. versionadded:: MinIO Server RELEASE.2024-03-03T17-50-39Z + +Set the number of workers to use for :ref:`expiring objects `. +Valid values are ``1`` to ``500``. + +The default value is ``100``. diff --git a/source/reference/minio-server/settings/metrics-and-logging.rst b/source/reference/minio-server/settings/metrics-and-logging.rst index f00d4757..0af724b7 100644 --- a/source/reference/minio-server/settings/metrics-and-logging.rst +++ b/source/reference/minio-server/settings/metrics-and-logging.rst @@ -210,6 +210,29 @@ Auth Token Consult the documentation for the desired service for more details. +Batch Size +++++++++++ + +.. versionadded:: MinIO Server RELEASE.2024-03-10T02-53-48Z + +*Optional* + +.. tab-set:: + + .. tab-item:: Environment Variable + :sync: envvar + + .. envvar:: MINIO_LOGGER_WEBHOOK_BATCH_SIZE + + .. tab-item:: Configuration Setting + :sync: config + + .. mc-conf:: logger_webhook batch_size + :delimiter: " " + +Collect and send the specified number of events to the webhook as a batch. +If not set, MinIO sends one event per request. + Client Certificate ++++++++++++++++++ 
@@ -500,6 +523,30 @@ Depending on the endpoint, you may need to include additional information. Consult the documentation for the desired service for more details. +Batch Size +++++++++++ + +.. versionadded:: MinIO Server RELEASE.2024-03-10T02-53-48Z + +*Optional* + +.. tab-set:: + + .. tab-item:: Environment Variable + :sync: envvar + + .. envvar:: MINIO_AUDIT_WEBHOOK_BATCH_SIZE + + + .. tab-item:: Configuration Setting + :sync: config + + .. mc-conf:: audit_webhook batch_size + :delimiter: " " + +Collect and send the specified number of events to the webhook as a batch. +If not set, MinIO sends one event per request. + Client Certificate ++++++++++++++++++ diff --git a/source/reference/minio-server/settings/notifications/nats.rst b/source/reference/minio-server/settings/notifications/nats.rst index 137555d8..2797c166 100644 --- a/source/reference/minio-server/settings/notifications/nats.rst +++ b/source/reference/minio-server/settings/notifications/nats.rst @@ -222,6 +222,26 @@ Specify the token for connecting to the NATS service endpoint. MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`. +User Credentials File +~~~~~~~~~~~~~~~~~~~~~ + +*Optional* + +.. tab-set:: + + .. tab-item:: Environment Variable + :sync: envvar + + .. envvar:: MINIO_NOTIFY_NATS_USER_CREDENTIALS + + .. tab-item:: Configuration Setting + :sync: config + + .. mc-conf:: notify_nats user_credentials + :delimiter: " " + +Specify the to the `user credentials file ` to use to connect to the NATS service endpoint. + TLS ~~~ diff --git a/source/reference/minio-server/settings/root-credentials.rst b/source/reference/minio-server/settings/root-credentials.rst index 7f1e9afd..cd29dbee 100644 --- a/source/reference/minio-server/settings/root-credentials.rst +++ b/source/reference/minio-server/settings/root-credentials.rst 
@@ -70,6 +70,8 @@ Root Password This setting does not have a configuration variable setting. Use the Environment Variable instead. +.. _minio-disable-root-access: + Root Access ----------- @@ -99,3 +101,10 @@ You can use this variable to temporarily override the configuration setting and To reset after an unintentional lock, set :envvar:`MINIO_API_ROOT_ACCESS` ``on`` to override this setting and temporarily re-enable the root account. You can then change this setting to ``on`` *or* make the necessary user/policy changes to ensure normal administrative access through other non-root accounts. + +Unique Root Credentials +----------------------- + +.. include:: /includes/common/common-deploy.rst + :start-after: start-common-deploy-create-unique-root-credentials + :end-before: end-common-deploy-create-unique-root-credentials \ No newline at end of file diff --git a/source/url-excludes.yaml b/source/url-excludes.yaml index f2c25e97..8ba5a3d5 100644 --- a/source/url-excludes.yaml +++ b/source/url-excludes.yaml @@ -27,6 +27,7 @@ excludes: - 'reference/operator-crd.rst' - 'reference/operator-chart-values.rst' - 'reference/operator-environment-variables.rst' +- 'reference/tenant-chart-values.rst' --- tag: macos excludes: @@ -50,6 +51,7 @@ excludes: - 'reference/operator-crd.rst' - 'reference/operator-chart-values.rst' - 'reference/operator-environment-variables.rst' +- 'reference/tenant-chart-values.rst' - 'developers/*' - 'integrations/*' --- @@ -80,6 +82,7 @@ excludes: - 'reference/operator-crd.rst' - 'reference/operator-chart-values.rst' - 'reference/operator-environment-variables.rst' +- 'reference/tenant-chart-values.rst' - 'developers/*' - 'integrations/*' --- @@ -106,6 +109,7 @@ excludes: - 'reference/operator-crd.rst' - 'reference/operator-chart-values.rst' - 'reference/operator-environment-variables.rst' +- 'reference/tenant-chart-values.rst' - 'developers/*' - 'integrations/*' ---
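Review bot: In source/includes/common/common-deploy.rst, the new unique-root-credentials block contradicts itself on key lifetime. It states that the key used to generate the credentials "**must** remain the same *and* continue to exist" and that all data on the deployment is encrypted with it, then tells the reader to rotate by generating a new key in the KMS and updating MINIO_KMS_KES_KEY_NAME. Say explicitly whether the previous key has to stay in the KMS after rotation and what happens to data already encrypted with it; as written, a reader following the rotation step can conclude the old key is safe to remove. Separately, the nested items under "**Have not** defined:" and "**Have**:" follow their parent line with no blank line in between, and reStructuredText expects a blank line before a nested list, so check that the conditions render as sub-lists.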
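Review bot: In the new source/reference/minio-server/settings/ilm.rst, the Expiration Workers entry places `.. versionadded::` after the tab-set and carries no `*Optional*` marker, while the Batch Size sections added in this same patch put `versionadded` first and mark the setting `*Optional*`. Align the layout with those sections. Since the text gives a range of ``1`` to ``500`` and a default of ``100``, it would also help to add a sentence on when an operator should change the value and what MinIO does with a value outside that range.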
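Review bot: The Batch Size description for MINIO_LOGGER_WEBHOOK_BATCH_SIZE in metrics-and-logging.rst (hunk at -210,6) gives no valid range or maximum and does not say when a partly filled batch is sent. "Collect and send the specified number of events to the webhook as a batch" leaves open whether events wait indefinitely on a quiet server. State the accepted values and the flush behaviour, or link to where they are documented.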
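Review bot: For MINIO_AUDIT_WEBHOOK_BATCH_SIZE (hunk at -500,6 in metrics-and-logging.rst) the description repeats the logger webhook wording, but for audit events the reader needs to know whether events are held until the batch is full and whether buffered events survive a server restart, because that determines how quickly and how completely the audit trail reaches the collector. Add that information to this section. There is also an extra blank line after the `.. envvar:: MINIO_AUDIT_WEBHOOK_BATCH_SIZE` directive that the logger hunk does not have.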
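Review bot: The description line added to source/reference/minio-server/settings/notifications/nats.rst is missing a word: "Specify the to the" should read "Specify the path to the". The section also has no `.. versionadded::` directive, although the commit message lists the NATS config under Server RELEASE.2024-03-03T17-50-39Z and the other new settings in this patch carry one. Because the setting points at a credentials file, add a sentence on which account must be able to read that file; the neighbouring token setting already notes that its value is redacted in `mc admin config get`, and readers will look for the equivalent guidance here.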
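Review bot: The new Unique Root Credentials section at the end of source/reference/minio-server/settings/root-credentials.rst leaves the file without a trailing newline (the hunk ends with "\ No newline at end of file" after the `:end-before:` line); end the file with a newline. The section body is only an include of the common-deploy block, and that block sends the reader to the root access setting on this same page, so a one-sentence introduction under the heading that points up to Root Access would read better than the bare include.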