Document OpenShift service certificates for Operator deployments (#1002)

MinIO Operator on OpenShift may require manual configuration of TLS cert
management via the OpenShift `service-ca` Operator. (For deployments
that are _not_ done through Red Hat OperatorHub.)

Document the needed envvars, `volumes`, and `volumeMounts` to enable
`service-ca` and avoid the need to manually renew certs.

~Note: This presumes kustomize, additional research/testing required to
determine configuration for Helm chart deployments.~

Staged

http://192.241.195.202:9000/staging/DOCS-991/openshift/operations/installation.html#procedure

See also:
https://github.com/minio/wiki/wiki/Besides-MINIO_OPERATOR_RUNTIME-what-else-is-needed-in-Operator%3F

Fixes https://github.com/minio/docs/issues/991 (remaining item for
v5.0.8)

---------

Co-authored-by: Ravind Kumar <ravind@min.io>

source/default-conf.py

@@ -65,7 +65,7 @@ extlinks = {
     'podman-docs'     : ('https://docs.podman.io/en/latest/%s', None),
     'podman-git'      : ('https://github.com/containers/podman/%s', None),
     'docker-docs'     : ('https://docs.docker.com/%s', None),
-    'openshift-docs'  : ('https://docs.openshift.com/container-platform/4.11/%s', None),
+    'openshift-docs'  : ('https://docs.openshift.com/container-platform/4.13/%s', None),
     'influxdb-docs'   : ('https://docs.influxdata.com/influxdb/v2.4/%s', None),
     'eks-docs'        : ('https://docs.aws.amazon.com/eks/latest/userguide/%s', None),
     'minio-web'       : ('https://min.io/%s?ref=docs', None),

source/includes/k8s/deploy-operator.rst

@@ -95,7 +95,7 @@ Kubernetes TLS Certificate API
    The MinIO Operator manages TLS Certificate Signing Requests (CSR) using the Kubernetes ``certificates.k8s.io`` :kube-docs:`TLS certificate management API <tasks/tls/managing-tls-in-a-cluster/>` to create signed TLS certificates in the following circumstances:
    
    - When ``autoCert`` is enabled.
-   - For the MinIO Console when the :envvar:`OPERATOR_CONSOLE_TLS_ENABLE` environment variable is set to ``on``.
+   - For the MinIO Console when the :envvar:`MINIO_CONSOLE_TLS_ENABLE` environment variable is set to ``on``.
    - For :ref:`STS service <minio-security-token-service>` when :envvar:`OPERATOR_STS_ENABLED` environment variable is set to ``on``.
    - For retrieving the health of the cluster.
    

source/includes/openshift/deploy-minio-on-openshift.rst

@@ -1,3 +1,4 @@
+
 .. _deploy-operator-openshift:
 
 =========================================
@@ -16,7 +17,7 @@ Overview
 Red Hat® OpenShift® is an enterprise-ready Kubernetes container platform with full-stack automated operations to manage hybrid cloud, multi-cloud, and edge deployments. 
 OpenShift includes an enterprise-grade Linux operating system, container runtime, networking, monitoring, registry, and authentication and authorization solutions. 
 
-You can deploy the MinIO Kubernetes Operator through the :openshift-docs:`Red Hat® OpenShift® Container Platform 4.7+ <welcome/index.html>`. 
+You can deploy the MinIO Kubernetes Operator through the :openshift-docs:`Red Hat® OpenShift® Container Platform 4.8+ <welcome/index.html>`. 
 You can deploy and manage MinIO Tenants through OpenShift after deploying the MinIO Operator. 
 This procedure includes instructions for the following deployment paths:
 
@@ -26,15 +27,15 @@ This procedure includes instructions for the following deployment paths:
 After deploying the MinIO Operator into your OpenShift cluster, you can create and manage MinIO Tenants through the :openshift-docs:`OperatorHub <operators/understanding/olm-understanding-operatorhub.html>` user interface.
 
 This documentation assumes familiarity with all referenced Kubernetes and OpenShift concepts, utilities, and procedures. 
-While this documentation *may* provide guidance for configuring or deploying Kubernetes-related or OpenShift-related resources on a best-effort basis, it is not a replacement for the official :kube-docs:`Kubernetes Documentation <>` and :openshift-docs:`OpenShift Container Platform 4.7+ Documentation <welcome/index.html>`.
+While this documentation *may* provide guidance for configuring or deploying Kubernetes-related or OpenShift-related resources on a best-effort basis, it is not a replacement for the official :kube-docs:`Kubernetes Documentation <>` and :openshift-docs:`OpenShift Container Platform 4.8+ Documentation <welcome/index.html>`.
 
 Prerequisites
 -------------
 
-RedHat OpenShift 4.7+
+RedHat OpenShift 4.8+
 ~~~~~~~~~~~~~~~~~~~~~
 
-The MinIO Kubernetes Operator is available starting with `OpenShift 4.7+ <https://docs.openshift.com/container-platform/4.7/welcome/index.html>`__.
+The MinIO Kubernetes Operator is available starting with `OpenShift 4.8+ <https://docs.openshift.com/container-platform/4.13/welcome/index.html>`__.
 
 Red Hat Marketplace installation requires registration of the OpenShift cluster with the Marketplace for the necessary namespaces.
 See `Register OpenShift cluster with Red Hat Marketplace <https://marketplace.redhat.com/en-us/documentation/clusters>`__ for complete instructions.
@@ -70,6 +71,22 @@ Select the tab that corresponds to your preferred installation method:
 
 .. tab-set::
 
+   .. tab-item:: Red Hat OperatorHub
+
+      Log into the OpenShift Web Console as a user with ``cluster-admin`` privileges. 
+
+      From the :guilabel:`Administrator` panel, select :guilabel:`Operators`, then :guilabel:`OperatorHub`.
+
+      From the :guilabel:`OperatorHub` page, type "MinIO" into the :guilabel:`Filter` text entry. Select the :guilabel:`MinIO Operator` tile from the search list.
+
+      .. image:: /images/openshift/minio-openshift-select-minio.png
+         :align: center
+         :width: 90%
+         :class: no-scaled-link
+         :alt: From the OperatorHub, search for MinIO, then select the MinIO Tile.
+
+      Select the :guilabel:`MinIO Operator` tile, then click :guilabel:`Install` to begin the installation.
+
    .. tab-item:: Red Hat Marketplace
 
       Open the `MinIO Red Hat Marketplace listing <https://marketplace.redhat.com/en-us/products/minio-hybrid-cloud-object-storage>`__ in your browser.
@@ -87,23 +104,6 @@ Select the tab that corresponds to your preferred installation method:
 
       Click :guilabel:`MinIO Hybrid Cloud Object Storage` and select :guilabel:`Install Operator` to start the Operator Installation procedure in OpenShift.
 
-   .. tab-item:: Red Hat OperatorHub
-
-      Log into the OpenShift Web Console as a user with ``cluster-admin`` privileges. 
-      
-      From the :guilabel:`Administrator` panel, select :guilabel:`Operators`, then :guilabel:`OperatorHub`.
-      
-      From the :guilabel:`OperatorHub` page, type "MinIO" into the :guilabel:`Filter` text entry. Select the :guilabel:`MinIO Operator` tile from the search list.
-      
-      .. image:: /images/openshift/minio-openshift-select-minio.png
-         :align: center
-         :width: 90%
-         :class: no-scaled-link
-         :alt: From the OperatorHub, search for MinIO, then select the MinIO Tile.
-
-      Select the :guilabel:`MinIO Operator` tile, then click 
-      :guilabel:`Install` to begin the installation.
-
 2) Configure and Deploy the Operator
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -136,10 +136,156 @@ The web console displays a widget for tracking the installation progress.
 
 Once installation completes, click :guilabel:`View Operator` to view the MinIO Operator page. 
 
-3) Open the MinIO Operator Interface
+3) Configure TLS Certificates
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If you have installed the MinIO Operator from Red Hat OperatorHub, the installation process also configures the :openshift-docs:`OpenShift Service CA Operator <security/certificate_types_descriptions/service-ca-certificates.html>`.
+This Operator manages the TLS certificates required to access the MinIO Operator Console and Tenants.
+It automatically renews and rotates the certificates 13 months before expiration.
+No additional action is required.
+
+For Operator installations deployed by other methods, configure the :openshift-docs:`Service CA certificates <security/certificate_types_descriptions/service-ca-certificates.html>` manually.
+See the dropdowns below for details.
+
+.. dropdown:: OpenShift Service CA Certificate configuration
+
+   To manually enable the ``service-ca`` Operator to manage TLS certificates:
+
+   #. Use the following :openshift-docs:`oc <cli_reference/openshift_cli/getting-started-cli.html>` command to edit the deployment:
+
+      .. code-block:: shell
+         :class: copyable
+
+         oc edit deployment minio-operator  -n minio-operator
+
+      If needed, replace ``minio-operator`` with the name and namespace of your deployment.
+      ``oc edit`` opens the deployment configuration file in an editor.
+
+   #. In the ``spec`` section, add the highlighted MinIO Operator :ref:`environment variables <minio-server-environment-variables>`:
+
+      .. code-block:: shell
+         :class: copyable
+         :emphasize-lines: 5-8
+
+         containers:
+         - args:
+           - controller
+           env:
+            - name: MINIO_CONSOLE_TLS_ENABLE
+              value: 'on'
+            - name: MINIO_OPERATOR_RUNTIME
+              value: OpenShift
+
+   #. In the ``volumes`` section, add the following volumes and volume mounts:
+
+      - ``sts-tls``
+      - ``openshift-service-ca``
+      - ``openshift-csr-signer-ca``
+
+      The added volume configuration resembles the following:
+
+      .. code-block:: shell
+         :class: copyable
+
+         volumes:
+           - name: sts-tls
+             projected:
+               sources:
+                 - secret:
+                     name: sts-tls
+                     items:
+                       - key: tls.crt
+                         path: public.crt
+                       - key: tls.key
+                         path: private.key
+                     optional: true
+               defaultMode: 420
+           - name: openshift-service-ca
+             configMap:
+               name: openshift-service-ca.crt
+               items:
+                 - key: service-ca.crt
+                   path: service-ca.crt
+               defaultMode: 420
+               optional: true
+           - name: openshift-csr-signer-ca
+             projected:
+               sources:
+                 - secret:
+                     name: openshift-csr-signer-ca
+                     items:
+                       - key: tls.crt
+                         path: tls.crt
+                     optional: true
+               defaultMode: 420
+             volumeMounts:
+               - name: openshift-service-ca
+                 mountPath: /tmp/service-ca
+               - name: openshift-csr-signer-ca
+                 mountPath: /tmp/csr-signer-ca
+               - name: sts-tls
+                 mountPath: /tmp/sts
+
+.. dropdown:: OpenShift Service CA Certificate for Helm deployments
+
+   For Helm deployments on OpenShift, add the following :ref:`environment variables <minio-server-environment-variables>` and volumes to the ``values.yaml`` in the Operator Helm chart before deploying.
+
+   The added YAML configuration for the ``operator`` pod resembles the following:
+
+   .. code-block::
+      :class: copyable
+
+      operator:
+        env:
+          - name: MINIO_OPERATOR_RUNTIME
+            value: "OpenShift"
+          - name: MINIO_CONSOLE_TLS_ENABLE
+            value: "on"
+
+        volumes:
+          - name: sts-tls
+            projected:
+              sources:
+                - secret:
+                    name: sts-tls
+                    items:
+                      - key: tls.crt
+                        path: public.crt
+                      - key: tls.key
+                        path: private.key
+                    optional: true
+              defaultMode: 420
+          - name: openshift-service-ca
+            configMap:
+              name: openshift-service-ca.crt
+              items:
+                - key: service-ca.crt
+                  path: service-ca.crt
+              defaultMode: 420
+              optional: true
+          - name: openshift-csr-signer-ca
+            projected:
+              sources:
+                - secret:
+                    name: openshift-csr-signer-ca
+                    items:
+                      - key: tls.crt
+                        path: tls.crt
+                    optional: true
+              defaultMode: 420
+        volumeMounts:
+          - name: openshift-service-ca
+            mountPath: /tmp/service-ca
+          - name: openshift-csr-signer-ca
+            mountPath: /tmp/csr-signer-ca
+          - name: sts-tls
+            mountPath: /tmp/sts
+	     
+
+4) Open the MinIO Operator Interface
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-You can find the MinIO Operator Interface from the :guilabel:`Operators` left-hand navigation header.
+You can find the MinIO Operator Interface from the :guilabel:`Operators` left-hand navigation header
 
 1. Go to :guilabel:`Operators`, then :guilabel:`Installed Operators`.
 
@@ -148,7 +294,7 @@ You can find the MinIO Operator Interface from the :guilabel:`Operators` left-ha
 3. Select :guilabel:`MinIO Operators` from the list of installed operators.
    The :guilabel:`Status` column must read :guilabel:`Success` to access the Operator interface.
 
-4) Access the Operator Console
+5) Access the Operator Console
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 The MinIO Operator includes the Operator Console, a browser-based management interface for managed MinIO tenants.
@@ -175,5 +321,3 @@ The Operator Console still requires using the generated JWT token for access, wh
 
 After deploying the MinIO Operator, you can create a new MinIO Tenant.
 To deploy a MinIO Tenant using OpenShift, see :ref:`deploy-minio-tenant-redhat-openshift`.
-
-

source/reference/kubectl-minio-plugin.rst

@@ -165,7 +165,7 @@ Available MinIO Operator Environment Variables
 
    When not specified, the default value is ``operator``.
 
-.. envvar:: OPERATOR_CONSOLE_TLS_ENABLE
+.. envvar:: MINIO_CONSOLE_TLS_ENABLE
 
    Toggle Console TLS service ``on`` or ``off``.