Final pass on platformization (#555)

2025-07-28 19:42:10 +03:00 · 2022-09-16 16:40:20 -04:00
parent 5efcffbff1
commit d815aa9ce8
144 changed files with 1510 additions and 1102 deletions
--- a/source/includes/k8s/common-minio-kes.rst
+++ b/source/includes/k8s/common-minio-kes.rst
@ -4,7 +4,8 @@ This procedure assumes an existing `Hashicorp Vault <https://www.vaultproject.io

 - For Vault deployments within the same Kubernetes cluster as the MinIO Tenant, you can use Kubernetes service names to allow the MinIO Tenant to establish connectivity to the Vault service.

- For Vault deployments external to the Kubernetes cluster, you must configure Ingress or a similar network control plane component to allow the MinIO Tenant to establish connectivity to Vault.
+- For Vault deployments external to the Kubernetes cluster, you must ensure the cluster supports routing communications between Kubernetes services and pods and the external network.
+  This may require configuration or deployment of additional Kubernetes network components and/or enabling access to the public internet.

 Defer to the `Vault Documentation <https://learn.hashicorp.com/vault>`__ for guidance on deployment and configuration.

@ -80,7 +81,7 @@ You can use either the MinIO Tenant Console or the MinIO :mc:`mc` CLI to enable
 .. start-kes-generate-key-desc

 MinIO requires that the |EK| for a given bucket or object exist on the root KMS *before* performing |SSE| operations using that key.
-You can use the :mc:`mc admin kms key create` command against the MinIO Tenant.
+You can use the :mc-cmd:`mc admin kms key create` command against the MinIO Tenant.

 You must ensure your local host can access the MinIO Tenant pods and services before using :mc:`mc` to manage the Tenant.
 You can manually :ref:`port forward <create-tenant-operator-forward-ports>` the ``minio`` service for temporary access via the local host.
--- a/source/includes/k8s/common-operator.rst
+++ b/source/includes/k8s/common-operator.rst
@ -0,0 +1,10 @@
+.. start-requires-operator-plugin
+
+Ensure your target Kubernetes cluster has a valid and working installation of the MinIO Kubernetes Operator.
+The host machine from which you perform the procedure should have a matching installation of the MinIO Kubernetes Plugin
+
+This documentation assumes the latest stable Operator and Plugin version |operator-version-stable|.
+
+.. end-requires-operator-plugin
+
+
--- a/source/includes/k8s/quickstart.rst
+++ b/source/includes/k8s/quickstart.rst
@ -144,7 +144,7 @@ Procedure

 #. **(Optional) Connect the MinIO Client**

-   If your local machine has :mc:`mc` :ref:`installed <mc-install>`, use the :mc-cmd:`mc alias set` command to authenticate and connect to the MinIO deployment:
+   If your local machine has :mc:`mc` :ref:`installed <mc-install>`, use the :mc:`mc alias set` command to authenticate and connect to the MinIO deployment:

   .. code-block:: shell
      :class: copyable
--- a/source/includes/k8s/steps-configure-ad-ldap-external-identity-management.rst
+++ b/source/includes/k8s/steps-configure-ad-ldap-external-identity-management.rst
@ -0,0 +1,141 @@
+Deploy MinIO Tenant with Active Directory / LDAP Identity Management
+--------------------------------------------------------------------
+
+1) Access the Operator Console
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Use the :mc-cmd:`kubectl minio proxy` command to temporarily forward traffic between the local host machine and the MinIO Operator Console:
+
+.. code-block:: shell
+   :class: copyable
+
+   kubectl minio proxy
+
+The command returns output similar to the following:
+
+.. code-block:: shell
+
+   Starting port forward of the Console UI.
+
+   To connect open a browser and go to http://localhost:9090
+
+   Current JWT to login: TOKEN
+
+Open your browser to the specified URL and enter the JWT Token into the login page. 
+You should see the :guilabel:`Tenants` page:
+
+.. image:: /images/k8s/operator-dashboard.png
+   :align: center
+   :width: 70%
+   :class: no-scaled-link
+   :alt: MinIO Operator Console
+
+Click the :guilabel:`+ Create Tenant` to start creating a MinIO Tenant.
+
+If you are modifying an existing Tenant, select that Tenant from the list. 
+The following steps reference the necessary sections and configuration settings for existing Tenants.
+
+2) Complete the :guilabel:`Identity Provider` Section
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To enable external identity management with an Active Directory / LDAP provider, select the :guilabel:`Identity Provider` section.
+You can then change the radio button to :guilabel:`Active Directory` to display the configuration settings.
+
+.. image:: /images/k8s/operator-create-tenant-identity-provider-adldap.png
+   :align: center
+   :width: 70%
+   :class: no-scaled-link
+   :alt: MinIO Operator Console - Create a Tenant - External Identity Provider Section - Active Directory / LDAP
+
+An asterisk ``*`` marks required fields.
+The following table provides general guidance for those fields:
+
+.. list-table::
+   :header-rows: 1
+   :widths: 40 60
+   :width: 100%
+
+   * - Field
+     - Description
+
+   * - LDAP Server Address
+     - The hostname of the Active Directory or LDAP server.
+
+   * - Lookup Bind DN
+     - The Distinguished Name MinIO uses to authenticate and query the AD/LDAP server.
+
+       See :ref:`minio-external-identity-management-ad-ldap-lookup-bind` for more information.
+
+   * - List of user DNs (Distinguished Names) to be Tenant Administrators
+     - Specify a user :abbr:`DNs (Distinguished Names)` which MinIO assigns a :ref:`policy <minio-policy>` with administrative permissions for the Tenant.
+       You can specify multiple :abbr:`DNs (Distinguished Names)` by selecting the plus :octicon:`plus-circle` icon.
+       You can delete a DN by selecting the trash can :octicon:`trash` icon for that DN.
+
+Once you complete the section, you can finish any other required sections of :ref:`Tenant Deployment <minio-k8s-deploy-minio-tenant>`.
+
+3) Assign Policies to AD/LDAP Users
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+MinIO by default assigns no :ref:`policies <minio-policy>` to AD/LDAP users or groups.
+You must explicitly assign MinIO policies to a given user or group Distinguished Name (DN) to grant that user or group access to the MinIO deployment.
+
+The following example assumes an existing :ref:`alias <alias>` configured for the MinIO Tenant.
+See the :ref:`Deploy MinIO Tenant: Forward Ports <create-tenant-cli-forward-ports>` procedure for a basic example of granting network access to the MinIO tenant from your local host machine.
+
+Use the :mc-cmd:`mc admin policy set` command to assign a user or group DN to an existing MinIO Policy:
+
+.. code-block:: shell
+   :class: copyable
+
+   mc admin policy set minio-tenant POLICY user='uid=primary,cn=applications,dc=domain,dc=com'
+   mc admin policy set minio-tenant policy group='cn=applications,ou=groups,dc=domain,dc=com'
+
+Replace ``POLICY`` with the name of the MinIO policy to assign to the user or group DN.
+
+See :ref:`minio-external-identity-management-ad-ldap-access-control` for more information on access control with AD/LDAP users and groups.
+
+4) Use the MinIO Tenant Console to Log In with AD/LDAP Credentials
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The MinIO Console supports the full workflow of authenticating to the AD/LDAP provider, generating temporary credentials using the MinIO :ref:`minio-sts-assumerolewithldapidentity` Security Token Service (STS) endpoint, and logging the user into the MinIO deployment.
+
+See the :ref:`Deploy MinIO Tenant: Access the Tenant's MinIO Console <create-tenant-cli-access-tenant-console>` for instructions on accessing the Tenant Console.
+
+If the AD/LDAP configuration succeeded, the Console displays a button to login with AD/LDAP credentials.
+
+Enter the user's AD/LDAP credentials and log in to access the Console.
+
+Once logged in, you can perform any action for which the authenticated user is :ref:`authorized <minio-external-identity-management-ad-ldap-access-control>`. 
+
+You can also create :ref:`service accounts <minio-idp-service-account>` for supporting applications which must perform operations on MinIO. 
+Service accounts are long-lived credentials which inherit their privileges from the parent user.
+The parent user can further restrict those privileges while creating the service account. 
+
+5) Generate S3-Compatible Temporary Credentials using AD/LDAP Credentials
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Applications can use an AD/LDAP user credential to generate temporary S3-compatible credentials as-needed using the :ref:`minio-sts-assumerolewithldapidentity` Security Token Service (STS) API endpoint. 
+MinIO provides an example Go application :minio-git:`ldap.go <minio/blob/master/docs/sts/ldap.go>` with an example of managing this workflow.
+
+.. code-block:: shell
+
+   POST https://minio.example.net?Action=AssumeRoleWithLDAPIdentity
+   &LDAPUsername=USERNAME
+   &LDAPPassword=PASSWORD
+   &Version=2011-06-15
+   &Policy={}
+
+- Replace ``minio.example.net`` with the hostname or URL for the MinIO Tenant service.
+
+- Replace the ``LDAPUsername`` with the username of the AD/LDAP user.
+
+- Replace the ``LDAPPassword`` with the password of the AD/LDAP user.
+
+- Replace the ``Policy`` with an inline URL-encoded JSON :ref:`policy <minio-policy>` that further restricts the permissions associated to the temporary credentials. 
+
+  Omit to use the :ref:`policy whose name matches <minio-external-identity-management-ad-ldap-access-control>` the Distinguished Name (DN) of the AD/LDAP user. 
+
+The API response consists of an XML document containing the access key, secret key, session token, and expiration date. 
+Applications can use the access key and secret key to access and perform operations on MinIO.
+
+See the :ref:`minio-sts-assumerolewithldapidentity` for reference documentation.
--- a/source/includes/k8s/steps-configure-minio-kes-aws.rst
+++ b/source/includes/k8s/steps-configure-minio-kes-aws.rst
@ -35,8 +35,6 @@ Click the :guilabel:`+ Create Tenant` to start creating a MinIO Tenant.
 2) Complete the :guilabel:`Encryption` Section
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-Reference the :ref:`Deploy a MinIO Tenant <minio-k8s-deploy-minio-tenant>` procedure for complete documentation of other Tenant settings.
-
 To enable |SSE| with AWS Key Management Service during Tenant deployment, select the :guilabel:`Encryption` section and toggle the switch to :guilabel:`Enabled`. 
 You can then change the :guilabel:`Vault` Radio button to :guilabel:`AWS` to display the configuration settings.

--- a/source/includes/k8s/steps-configure-openid-external-identity-management.rst
+++ b/source/includes/k8s/steps-configure-openid-external-identity-management.rst
@ -0,0 +1,163 @@
+Deploy MinIO Tenant with OpenID Connect Identity Management
+-----------------------------------------------------------
+
+1) Access the Operator Console
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Use the :mc-cmd:`kubectl minio proxy` command to temporarily forward traffic between the local host machine and the MinIO Operator Console:
+
+.. code-block:: shell
+   :class: copyable
+
+   kubectl minio proxy
+
+The command returns output similar to the following:
+
+.. code-block:: shell
+
+   Starting port forward of the Console UI.
+
+   To connect open a browser and go to http://localhost:9090
+
+   Current JWT to login: TOKEN
+
+Open your browser to the specified URL and enter the JWT Token into the login page. 
+You should see the :guilabel:`Tenants` page:
+
+.. image:: /images/k8s/operator-dashboard.png
+   :align: center
+   :width: 70%
+   :class: no-scaled-link
+   :alt: MinIO Operator Console
+
+Click the :guilabel:`+ Create Tenant` to start creating a MinIO Tenant.
+
+If you are modifying an existing Tenant, select that Tenant from the list. 
+The following steps reference the necessary sections and configuration settings for existing Tenants.
+
+2) Complete the :guilabel:`Identity Provider` Section
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To enable external identity management with an OIDC select the :guilabel:`Identity Provider` section.
+You can then change the radio button to :guilabel:`OIDC` to display the configuration settings.
+
+.. image:: /images/k8s/operator-create-tenant-identity-provider-openid.png
+   :align: center
+   :width: 70%
+   :class: no-scaled-link
+   :alt: MinIO Operator Console - Create a Tenant - External Identity Provider Section - OpenID
+
+An asterisk ``*`` marks required fields.
+The following table provides general guidance for those fields:
+
+.. list-table::
+   :header-rows: 1
+   :widths: 40 60
+   :width: 100%
+
+   * - Field
+     - Description
+
+   * - Configuration URL
+     - The hostname of the OpenID ``.well-known/openid-configuration`` file.
+
+   * - | Client ID
+       | Secret ID
+     - The Client and Secret ID MinIO uses when authenticating OIDC user credentials against OIDC service.
+
+   * - Claim Name
+     - The OIDC Claim MinIO uses for identifying the :ref:`policies <minio-policy>` to attach to the authenticated user.
+
+Once you complete the section, you can finish any other required sections of :ref:`Tenant Deployment <minio-k8s-deploy-minio-tenant>`.
+
+3) Assign Policies to OIDC Users
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+MinIO by default assigns no :ref:`policies <minio-policy>` to OIDC users.
+MinIO uses the specified user Claim to identify one or more policies to attach to the authenticated user.
+If the Claim is empty or specifies policies which do not exist on the deployment, the authenticated user has no permissions on the Tenant.
+
+The following example assumes an existing :ref:`alias <alias>` configured for the MinIO Tenant.
+See the :ref:`Deploy MinIO Tenant: Forward Ports <create-tenant-cli-forward-ports>` procedure for a basic example of granting network access to the MinIO tenant from your local host machine.
+
+Consider the following example policy that grants general S3 API access on only the ``data`` bucket:
+
+.. code-block:: json
+   :class: copyable
+
+   {
+      "Version": "2012-10-17",
+      "Statement": [
+         {
+            "Effect": "Allow",
+            "Action": [
+               "s3:*"
+            ],
+            "Resource": [
+               "arn:aws:s3:::data",
+               "arn:aws:s3:::data/*"
+            ]
+         }
+      ]
+   }
+
+Use the :mc-cmd:`mc admin policy add` command to create a policy for use by an OIDC user:
+
+.. code-block:: shell
+   :class: copyable
+
+   mc admin policy add minio-tenant datareadonly /path/to/datareadonly.json
+
+MinIO attaches the ``datareadonly`` policy to any authenticated OIDC user with ``datareadonly`` included in the configured claim.
+
+See :ref:`minio-external-identity-management-openid-access-control` for more information on access control with OIDC users and groups.
+
+4) Use the MinIO Tenant Console to Log In with OIDC Credentials
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The MinIO Console supports the full workflow of authenticating to the OIDC provider, generating temporary credentials using the MinIO :ref:`minio-sts-assumerolewithldapidentity` Security Token Service (STS) endpoint, and logging the user into the MinIO deployment.
+
+See the :ref:`Deploy MinIO Tenant: Access the Tenant's MinIO Console <create-tenant-cli-access-tenant-console>` for instructions on accessing the Tenant Console.
+
+If the OIDC configuration succeeded, the Console displays a button to login with OIDC credentials.
+
+Enter the user's OIDC credentials and log in to access the Console.
+
+Once logged in, you can perform any action for which the authenticated user is :ref:`authorized <minio-external-identity-management-openid-access-control>`. 
+
+You can also create :ref:`service accounts <minio-idp-service-account>` for supporting applications which must perform operations on MinIO. 
+Service accounts are long-lived credentials which inherit their privileges from the parent user.
+The parent user can further restrict those privileges while creating the service account. 
+
+5) Generate S3-Compatible Temporary Credentials using OIDC Credentials
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Applications can generate temporary access credentials as-needed using the :ref:`minio-sts-assumerolewithwebidentity` Security Token Service (STS) API endpoint and the JSON Web Token (JWT) returned by the :abbr:`OIDC (OpenID Connect)` provider.
+
+The application must provide a workflow for logging into the :abbr:`OIDC (OpenID Connect)` provider and retrieving the JSON Web Token (JWT) associated to the authentication session. 
+Defer to the provider documentation for obtaining and parsing the JWT token after successful authentication. 
+MinIO provides an example Go application :minio-git:`web-identity.go <minio/blob/master/docs/sts/web-identity.go>` with an example of managing this workflow.
+
+
+Once the application retrieves the JWT token, use the ``AssumeRoleWithWebIdentity`` endpoint to generate the temporary credentials:
+
+.. code-block:: shell
+   :class: copyable
+
+   POST https://minio.example.net?Action=AssumeRoleWithWebIdentity
+   &WebIdentityToken=TOKEN
+   &Version=2011-06-15
+   &DurationSeconds=86400
+   &Policy=Policy
+
+- Replace ``minio.example.net`` with the hostname or URL of the MinIO Tenant service.
+- Replace the ``TOKEN`` with the JWT token returned in the previous step.
+- Replace the ``DurationSeconds`` with the duration in seconds until the temporary credentials expire. The example above specifies a period of ``86400`` seconds, or 24 hours.
+- Replace the ``Policy`` with an inline URL-encoded JSON :ref:`policy <minio-policy>` that further restricts the permissions associated to the temporary credentials. 
+
+  Omit to use the policy associated to the OpenID user :ref:`policy claim <minio-external-identity-management-openid-access-control>`.
+
+The API response consists of an XML document containing the access key, secret key, session token, and expiration date. 
+Applications can use the access key and secret key to access and perform operations on MinIO.
+
+See the :ref:`minio-sts-assumerolewithwebidentity` for reference documentation.