DOCS-690, DOCS-707: Release updates (#720)

Closes #690 

Closes #707 

Partially addresses scheduled removal of Console Audit Log and Tenant
Prometheus deployments

source/administration/console/managing-deployment.rst

@@ -55,6 +55,11 @@ Select the :guilabel:`Start Logs` button to begin collecting logs using the sele
 Audit
 ~~~~~
 
+.. important::
+
+   MinIO plans to deprecate the Tenant Console Audit Log feature and remove it in an upcoming release.
+   As an alternative, use any webhook-capable database or logging service to capture :ref:`audit logs <minio-logging-publish-audit-logs>` from the Tenant.
+
 The Audit Log section provides an interface for viewing :ref:`audit logs <minio-logging>` collected by a configured PostgreSQL service.
 
 The Audit Logging feature is configured and enabled automatically for MinIO deployments created using the :ref:`MinIO Operator Console <minio-operator-console>`.
@@ -109,6 +114,21 @@ The :guilabel:`Site Replication` section provides an interface for adding and ma
 
 Configuring site replication requires that only a single site have existing buckets or objects (if any).
 
+.. _minio-console-encryption:
+
+Encryption
+----------
+
+The :guilabel:`Encryption` setting provides an interface for listing, creating, and deleting keys for use with :ref:`MinIO Server-Side Encryption <minio-sse>`.
+
+You can use keys created or listed in this view for object encryption operations, including setting a :ref:`bucket-level default key <minio-console-buckets>`.
+
+.. important::
+
+   Deleting a key prevents MinIO from decrypting any objects protected with that key.
+   If no backups of that key exist, deleting a key renders objects permanently unreadable.
+   See :ref:`minio-encryption-sse-secure-erasure-locking` for more information.
+
 .. _minio-console-settings:
 
 Settings

source/administration/console/managing-objects.rst

@@ -49,6 +49,8 @@ Example actions the user may be able to perform include:
 
 .. _minio-console-buckets:
 
+.. _minio-console-admin-buckets:
+
 Buckets
 -------
 
@@ -86,7 +88,7 @@ When managing a bucket, your access settings may allow you to view or change any
 
 - The :guilabel:`Summary` section displays a summary of the bucket's configuration.
 
-  Use this section to view and modify the bucket's policy, encryption, quota, and tags.
+  Use this section to view and modify the bucket's access policy, encryption, quota, and tags.
 
 - Configure alerts in the :guilabel:`Events` section to trigger :ref:`notification events <minio-bucket-notifications>` when a user uploads, accesses, or deletes matching objects.
 

source/includes/common/common-k8s-deprecation-audit-prometheus.rst

@@ -0,0 +1,21 @@
+.. start-deprecate-audit-logs
+
+.. important::
+
+   MinIO plans to deprecate the Tenant Console Audit Log feature and remove it in an upcoming release.
+   MinIO recommends disabling this feature in preparation for this change.
+
+   As an alternative, use any webhook-capable database or logging service to capture :ref:`audit logs <minio-logging-publish-audit-logs>` from the Tenant.
+
+.. end-deprecate-audit-logs
+
+.. start-deprecate-prometheus
+
+.. important::
+
+   MinIO plans to deprecate the Tenant Prometheus pod feature and remove it in an upcoming release.
+   MinIO recommends setting this value to ``false`` in preparation for this change.
+
+   As an alternative, use any Prometheus service deployed within the Kubernetes cluster or externally to :ref:`capture Tenant metrics <minio-metrics-collect-using-prometheus>`.
+
+.. end-deprecate-prometheus

source/operations/install-deploy-manage/deploy-minio-tenant.rst

@@ -217,6 +217,8 @@ To deploy a tenant from the MinIO Operator Console, complete the following steps
 
 :ref:`minio-tenant-audit-logging-settings`
 
+:ref:`minio-tenant-monitoring-settings`
+
 :ref:`create-tenant-deploy-view-tenant`
 
 :ref:`create-tenant-connect-tenant`
@@ -614,6 +616,10 @@ Enabling SSE also creates :minio-git:`MinIO Key Encryption Service <kes>` pods i
 9) Audit Log Settings
 ~~~~~~~~~~~~~~~~~~~~~~
 
+.. include:: /includes/common/common-k8s-deprecation-audit-prometheus.rst
+   :start-after: start-deprecate-audit-logs
+   :end-before: end-deprecate-audit-logs
+
 .. list-table::
    :header-rows: 1
    :widths: 30 70
@@ -626,27 +632,54 @@ Enabling SSE also creates :minio-git:`MinIO Key Encryption Service <kes>` pods i
      - Select the storage class and requested capacity associated to the PVC generated to support audit logging.
 
    * - Storage Size
-     - Specify the amount of size of storage to make available for audit logging.
+     - Specify the size of storage to make available for audit logging.
 
    * - :guilabel:`SecurityContext for LogSearch`
      - The MinIO Operator deploys a Log Search service (SQL Database and Log Search API) to support Audit Log search in the MinIO Tenant Console.
 
-       You can modify the Security Context to run the associated pod commands using a different User, Group, FsGroup, or FSGroupChangePolicy. 
+       You can modify the Security Context to run the associated pod commands using a different ``User``, ``Group``, ``FsGroup``, or ``FSGroupChangePolicy``. 
-       You can also direct the pod to not run commands as the Root user.
+       You can also direct the pod to not run commands as the ``Root`` user.
-
-       
 
    * - :guilabel:`SecurityContext for PostgreSQL`
      - The MinIO Operator deploys a PostgreSQL database to support logging services.
 
-       You can modify the Security Context to run the associated pod commands using a different User, Group, FsGroup, or FSGroupChangePolicy. 
+       You can modify the Security Context to run the associated pod commands using a different ``User``, ``Group``, ``FsGroup``, or ``FSGroupChangePolicy``. 
-       You can also direct the pod to not run commands as the Root user.
+       You can also direct the pod to not run commands as the ``Root`` user.
 
        You can also modify the storage class and requested capacity associated to the PVC generated to support the Prometheus service.
 
+.. _minio-tenant-monitoring-settings:
+
+10) Monitoring Settings
+~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/common/common-k8s-deprecation-audit-prometheus.rst
+   :start-after: start-deprecate-prometheus
+   :end-before: end-deprecate-prometheus
+
+.. list-table::
+   :header-rows: 1
+   :widths: 30 70
+   :width: 100%
+
+   * - Field
+     - Description
+
+   * - Storage Class
+     - Select the storage class and requested capacity associated to the PVC generated to support Prometheus.
+
+   * - Storage Size
+     - Specify the size of storage to make available for Prometheus.
+
+   * - :guilabel:`SecurityContext`
+     - The MinIO Operator assigns this Security Context for the Prometheus pod.
+
+       You can modify the Security Context to run the associated pod commands using a different ``User``, ``Group``, ``FsGroup``, or ``FSGroupChangePolicy``. 
+       You can also direct the pod to not run commands as the ``Root`` user.
+
 .. _create-tenant-deploy-view-tenant:
 
-10) Deploy and View the Tenant
+11) Deploy and View the Tenant
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Select :guilabel:`Create` at any time to begin the deployment process. 
@@ -674,7 +707,7 @@ Each tab provides additional details or configuration options for the MinIO Tena
 
 .. _create-tenant-connect-tenant:
 
-11) Connect to the Tenant
+12) Connect to the Tenant
 ~~~~~~~~~~~~~~~~~~~~~~~~~
 
 The MinIO Operator creates services for the MinIO Tenant. 
@@ -732,7 +765,7 @@ Kubernetes provides multiple options for configuring external access to services
 
 .. _create-tenant-operator-forward-ports:
 
-12) Forward Ports
+13) Forward Ports
 ~~~~~~~~~~~~~~~~~
 
 .. cond:: k8s and not openshift

source/operations/monitoring/collect-minio-metrics-using-prometheus.rst

@@ -27,15 +27,6 @@ The procedure on this page documents the following:
 
    - An :mc:`mc` installation on your local host configured to :ref:`access <alias>` the MinIO deployment
 
-.. cond:: k8s
-
-   The MinIO Operator supports deploying a :ref:`per-tenant Prometheus instance <create-tenant-configure-section>` configured to support metrics and visualizations.
-   This includes automatically configuring the Tenant to enable the :ref:`Tenant Console historical metric view <minio-console-metrics>`.
-
-   You can still use this procedure to configure an external Prometheus service for supporting monitoring and alerting for a MinIO Tenant.
-   You must configure all necessary network control components, such as Ingress or a Load Balancer, to facilitate access between the Tenant and the Prometheus service.
-   This procedure assumes your local host machine can access the Tenant via :mc:`mc`.
-
 Configure Prometheus to Collect and Alert using MinIO Metrics
 -------------------------------------------------------------
 
@@ -76,6 +67,12 @@ The command returns output similar to the following:
 
   This can be any single node, or a load balancer/proxy which handles connections to the MinIO nodes.
 
+  .. cond:: k8s
+
+     For Prometheus deployments in the same cluster as the MinIO Tenant, you can specify the service DNS name for the ``minio`` service.
+
+     For Prometheus deployments external to the cluster, you must specify an ingress or load balancer endpoint configured to route connections to and from the MinIO Tenant.
+
 2) Restart Prometheus with the Updated Configuration
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

source/reference/kubectl-minio-plugin/kubectl-minio-init.rst

@@ -49,6 +49,7 @@ Syntax
          kubectl minio init                      \
                        [--cluster-domain]        \
                        [--console-image]         \
+                       [--console-tls]           \
                        [--default-console-image] \
                        [--default-kes-image]     \
                        [--default-minio-image]   \
@@ -84,6 +85,15 @@ The command supports the following flags:
    The image to use when deploying the :minio-git:`MinIO Console <console>` in Operator mode, where administrators can create and manage MinIO tenants using a Graphical User Interface.
    Defaults to ``minio/console:v0.17.3``.
 
+.. mc-cmd:: --console-tls
+   :optional:
+
+   .. versionadded:: 4.5.6
+
+   Enables TLS for the Operator Console.
+
+   Disabled by default.
+
 .. mc-cmd:: --default-console-image
    :optional:
 

source/reference/kubectl-minio-plugin/kubectl-minio-tenant-create.rst

@@ -70,20 +70,24 @@ Syntax
 
       .. code-block:: shell
 
-         kubectl minio tenant create                  \
+         kubectl minio tenant create                      \
-                              TENANT_NAME             \
+                              TENANT_NAME                 \                          
-                              [--interactive]         \
+                              [--interactive]             \
-                              --capacity              \
+                              [--disable-tls]             \
-                              --servers               \
+                              [--enable-audit-logs]       \
-                              --volumes               \
+                              [--enable-prometheus]       \
-                              [--enable-host-sharing] \
+                              [--expose-console-service]  \
-                              [--image]               \
+                              [--expose-minio-service]    \
-                              [--image-pull-secret]   \
+                              [--image]                   \
-                              [--kes-config]          \
+                              [--image-pull-secret]       \
-                              [--namespace]           \
+                              [--kes-config]              \
-                              [--output]              \
+                              [--namespace]               \
-                              [--pool]                \
+                              [--output]                  \
-                              [--storage-class] 
+                              [--pool]                    \
+                              [--storage-class]           \
+                              --capacity                  \
+                              --servers                   \
+                              --volumes                   \
 
 
 Flags
@@ -148,15 +152,93 @@ The command supports the following flags:
 
    If the specified number of volumes exceeds the number of unbound ``PV`` available on the cluster, :mc:`kubectl minio tenant create` hangs and waits until the required ``PV`` exist.
 
-.. mc-cmd:: --enable-host-sharing
+.. mc-cmd:: --disable-tls
    :optional:
 
-   .. important::
+   Disables automatic TLS certificate provisioning on the Tenant.
-   
+
-      To be used in testing environments only.
+.. mc-cmd:: --enable-audit-logs
-      This flag is **not** supported in production environments.
+   :optional:
-   
+
-   Disable pod anti-affinity to allow co-location of pods on a single node.
+   .. include:: /includes/common/common-k8s-deprecation-audit-prometheus.rst
+      :start-after: start-deprecate-audit-logs
+      :end-before: end-deprecate-audit-logs
+
+   Defaults to ``true``.
+
+   Deploys the MinIO Tenant with a PostgreSQL Pod which, combined with an additional auto-deployed service, enables Audit Logging in the Tenant Console.
+
+   You can control the configuration of the PostgreSQL pod using the following optional parameters:
+
+   .. list-table::
+      :header-rows: 1
+      :widths: 40 60
+      :width: 80%
+
+      * - Option
+        - Description
+
+      * - ``--audit-logs-disk-space <int>``
+        - Specify the amount of storage to provision for the PostgreSQL pod.
+          The Operator provisions a PVC requesting the specified amount of storage in gigabytes.
+
+          Defaults to ``5``
+
+          If no Persistent Volume can meet the PVC request, the pod fails to deploy.
+
+      * - ``--audit-logs-pg-image``
+        - Specify the Docker image to use for deploying the PostgreSQL pod.
+
+      * - ``--audit-logs-storage-class``
+        - Specify the storage class to assign to the generated PVC for the PostgreSQL Pod.
+
+   Specify ``false`` to deploy the Tenant without the PostgreSQL and Audit Logging Console feature.
+
+.. mc-cmd:: --enable-prometheus
+   :optional:
+
+   .. include:: /includes/common/common-k8s-deprecation-audit-prometheus.rst
+      :start-after: start-deprecate-prometheus
+      :end-before: end-deprecate-prometheus
+
+   Defaults to ``true``.
+
+   Deploys the MinIO Tenant with a Prometheus pod which enables the :ref:`MinIO Console Metrics <minio-console-monitoring>` view.
+
+   You can control the configuration of the Prometheus pod using the following optional parameters:
+
+   .. list-table::
+      :header-rows: 1
+      :widths: 40 60
+      :width: 80%
+
+      * - Option
+        - Description
+
+      * - ``--prometheus-disk-space <int>``
+        - Specify the amount of storage to provision for the Prometheus pod.
+          The Operator provisions a PVC requesting the specified amount of storage in gigabytes.
+
+          Defaults to ``5``.
+
+      * - ``--prometheus-image``
+        - Specify the Docker image to use for deploying the Prometheus pod.
+
+      * - ``--prometheus-storage-class``
+        - Specify the storage class to assign to the generated PVC for the Prometheus pod.
+
+
+.. mc-cmd:: --expose-console-service
+   :optional:
+
+   Directs the Operator to configure the MinIO Tenant Console service with the :kube-docs:`LoadBalancer <concepts/services-networking/service/#loadbalancer>` networking type. 
+   For Kubernetes clusters configured with a global load balancer, this option allows the Console to request an external IP address automatically.
+
+.. mc-cmd:: --expose-minio-service
+   :optional:
+
+   Directs the Operator to configure the MinIO API service with the :kube-docs:`LoadBalancer <concepts/services-networking/service/#loadbalancer>` networking type. 
+   For Kubernetes clusters configured with a global load balancer, this option allows the Console to request an external IP address automatically.
 
 .. mc-cmd:: --image
    :optional: