Documentation ¶
Index ¶
- Constants
- Variables
- func AssumeRole(ctx context.Context, c *Controller, tenant *miniov2.Tenant, region string, ...) (*credentials.Value, error)
- func GetPolicy(ctx context.Context, adminClient *madmin.AdminClient, policyName string) (*madmin.PolicyInfo, error)
- func IsSTSEnabled() bool
- func LoadX509KeyPair(certFile, keyFile string) (tls.Certificate, error)
- func MinIOControllerRateLimiter() queue.RateLimiter
- func StartOperator(kubeconfig string)
- type APIError
- type AssumeRoleWithWebIdentityResponse
- type AssumedRoleUser
- type Controller
- func (c *Controller) AssumeRoleWithWebIdentityHandler(w http.ResponseWriter, r *http.Request)
- func (c *Controller) CreateOrUpdatePDB(ctx context.Context, t *v2.Tenant) (err error)
- func (c *Controller) DeletePDB(ctx context.Context, t *v2.Tenant) (err error)
- func (c *Controller) GetOpenshiftCSRSignerCAFromSecret() ([]byte, error)
- func (c *Controller) GetPDBAvailable() PDBAvailable
- func (c *Controller) GetSignerCAFromSecret() ([]byte, error)
- func (c *Controller) Start(threadiness int, stopCh <-chan struct{}) error
- func (c *Controller) Stop()
- func (c *Controller) ValidateServiceAccountJWT(ctx *context.Context, token string) (*authv1.TokenReview, error)
- type Credentials
- type EventNotification
- type EventType
- type HealthResult
- type MinIOPrometheusMetrics
- type PDBAvailable
- type ReqInfo
- type Result
- type STSErrorCode
- type STSErrorResponse
- type WebIdentityResult
Constants ¶
// Console settings: the env var that toggles Console TLS plus the fixed
// deployment and TLS-secret names the operator looks up.
const (
	// ConsoleTLSEnv Env variable to turn on / off Console TLS.
	ConsoleTLSEnv = "MINIO_CONSOLE_TLS_ENABLE"
	// DefaultConsoleDeploymentName is the default name of the console deployment
	DefaultConsoleDeploymentName = "console"
	// OperatorConsoleTLSSecretName is the name of secret created with TLS certs for Operator console
	OperatorConsoleTLSSecretName = "console-tls"
)
const (
	// OperatorWatchedNamespaceEnv Env variable name, the namespaces which the operator watches for MinIO tenants.
	// Defaults to "" for all namespaces. Restricting this to the namespaces that actually host tenants
	// keeps the operator's reach (and the RBAC it needs) to a minimum.
	OperatorWatchedNamespaceEnv = "WATCHED_NAMESPACE"
	// HostnameEnv Host name env variable
	HostnameEnv = "HOSTNAME"
)
// Event reason and message used when a Tenant cannot be synced because a
// StatefulSet with the same name already exists and is not owned by the operator.
const (
	// ErrResourceExists is used as part of the Event 'reason' when a Tenant fails
	// to sync due to a StatefulSet of the same name already existing.
	ErrResourceExists = "ErrResourceExists"
	// MessageResourceExists is the message used for Events when a Tenant
	// fails to sync due to a StatefulSet already existing. %q is filled with the resource name.
	MessageResourceExists = "Resource %q already exists and is not managed by MinIO Operator"
)
// Standard Status messages for Tenant.
const (
	StatusInitialized                = "Initialized"
	StatusProvisioningCIService      = "Provisioning MinIO Cluster IP Service"
	StatusProvisioningHLService      = "Provisioning MinIO Headless Service"
	StatusProvisioningStatefulSet    = "Provisioning MinIO Statefulset"
	StatusProvisioningConsoleService = "Provisioning Console Service"
	StatusProvisioningKESStatefulSet = "Provisioning KES StatefulSet"
	StatusProvisioningInitialUsers   = "Provisioning initial users"
	StatusProvisioningDefaultBuckets = "Provisioning default buckets"
	StatusWaitingMinIOCert           = "Waiting for MinIO TLS Certificate"
	StatusWaitingMinIOClientCert     = "Waiting for MinIO TLS Client Certificate"
	StatusWaitingKESCert             = "Waiting for KES TLS Certificate"
	StatusUpdatingMinIOVersion       = "Updating MinIO Version"
	StatusUpdatingKES                = "Updating KES"
	// StatusNotOwned: the StatefulSet exists but is not controlled by the operator (see ErrResourceExists).
	StatusNotOwned                   = "Statefulset not controlled by operator"
	StatusFailedAlreadyExists        = "Another MinIO Tenant already exists in the namespace"
	// StatusTenantCredentialsNotSet pairs with ErrEmptyRootCredentials.
	StatusTenantCredentialsNotSet    = "Tenant credentials are not set properly"
	StatusInconsistentMinIOVersions  = "Different versions across MinIO Pools"
	StatusRestartingMinIO            = "Restarting MinIO"
	StatusDecommissioningNotAllowed  = "Pool Decommissioning Not Allowed"
)
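// Health messages reported for a MinIO cluster. HealthUnavailableMessage was
// rendered outside the const block on the page, which does not compile; it
// belongs inside with the other two.
const (
	// HealthUnavailableMessage means the MinIO service is unavailable
	HealthUnavailableMessage = "Service Unavailable"
	// HealthHealingMessage means MinIO is healing one or more drives
	HealthHealingMessage = "Healing"
	// HealthReduceAvailabilityMessage some drives are offline
	HealthReduceAvailabilityMessage = "Reduced Availability"
)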
// Operator-wide settings: env var names, secret names and the default image.
const (
	// CertPasswordEnv Env variable is used to decrypt the private key in the TLS certificate for operator if need it.
	// The password is read from the process environment (see LoadX509KeyPair), so it is visible to anything
	// that can read the operator pod's environment — handle it like any other injected secret.
	CertPasswordEnv = "OPERATOR_CERT_PASSWD"
	// OperatorDeploymentNameEnv Env variable to specify a custom deployment name for Operator
	OperatorDeploymentNameEnv = "MINIO_OPERATOR_DEPLOYMENT_NAME"
	// OperatorCATLSSecretName is the name of the secret for the operator CA
	OperatorCATLSSecretName = "operator-ca-tls"
	// OperatorCSRSignerCASecretName is the name of the secret for the signer-ca certificate;
	// this is a copy, kept in the operator namespace, of the csr-signer secret
	// (OpenshiftCATLSSecretName) from the OpenshiftKubeControllerNamespace namespace.
	OperatorCSRSignerCASecretName = "openshift-csr-signer-ca"
	// OpenshiftKubeControllerNamespace is the namespace of kube controller manager operator in Openshift
	OpenshiftKubeControllerNamespace = "openshift-kube-controller-manager-operator"
	// OpenshiftCATLSSecretName is the secret name of the CRD's signer in kubernetes under OpenshiftKubeControllerNamespace namespace
	OpenshiftCATLSSecretName = "csr-signer"
	// DefaultDeploymentName is the default name of the operator deployment
	DefaultDeploymentName = "minio-operator"
	// DefaultOperatorImage is the version of the operator being used.
	// Note it is pinned by tag only, not by digest.
	DefaultOperatorImage = "minio/operator:v5.0.11"
	// DefaultOperatorImageEnv Env variable name for the operator image (the original comment reads
	// "is the default image to minio instance"); presumably it overrides DefaultOperatorImage — confirm against the caller.
	DefaultOperatorImageEnv = "MINIO_OPERATOR_IMAGE"
)
// STS API constants
const (
	// STSDefaultPort is the port the STS service listens on by default
	STSDefaultPort = "4223"
	// STSEndpoint is the URL path prefix of the STS API; the full route is
	// POST /sts/{tenantNamespace} (see AssumeRoleWithWebIdentityHandler)
	STSEndpoint = "/sts"
)
const (
	// STSEnabled Env variable name to turn on and off the STS Service.
	// This comment says "disabled by default" while the IsSTSEnabled doc on this page says
	// "enabled by default" — one of the two is stale; confirm against IsSTSEnabled.
	STSEnabled = "OPERATOR_STS_ENABLED"
	// STSTLSSecretName is the name of secret created for the Operator STS TLS certs
	STSTLSSecretName = "sts-tls"
)
// STS Handler constants
const (
	// AmzRequestID is the request-id header name; the same value is kept in ReqInfo.RequestID
	AmzRequestID = "x-amz-request-id"
)
// Legacy const
const (
	// WebhookSecret is the name of the legacy webhook secret
	WebhookSecret = "operator-webhook-secret"
)
Variables ¶
// ErrEmptyRootCredentials is the error returned when we detect missing root credentials
var ErrEmptyRootCredentials = errors.New("empty tenant credentials")
// ErrMinIONotReady is the error returned when MinIO is not Ready
// (constant message; errors.New would state the intent more directly than fmt.Errorf)
var ErrMinIONotReady = fmt.Errorf("MinIO is not ready")
// ErrMinIORestarting is the error returned when MinIO is restarting
// (constant message; errors.New would state the intent more directly than fmt.Errorf)
var ErrMinIORestarting = fmt.Errorf("MinIO is restarting")
Functions ¶
func AssumeRole ¶
func AssumeRole(ctx context.Context, c *Controller, tenant *miniov2.Tenant, region string, sessionPolicy string, duration int) (*credentials.Value, error)
AssumeRole invokes the AssumeRole method on the MinIO Tenant
func GetPolicy ¶
func GetPolicy(ctx context.Context, adminClient *madmin.AdminClient, policyName string) (*madmin.PolicyInfo, error)
GetPolicy returns a tenant Policy by Name
func IsSTSEnabled ¶
func IsSTSEnabled() bool
IsSTSEnabled reports whether the STS API is turned on; STS is enabled by default
func LoadX509KeyPair ¶
func LoadX509KeyPair(certFile, keyFile string) (tls.Certificate, error)
LoadX509KeyPair is an internal helper that loads an X509 key pair (private key, certificate) from the provided paths. The private key may be encrypted and is then decrypted using the environment variable OPERATOR_CERT_PASSWD.
func MinIOControllerRateLimiter ¶
func MinIOControllerRateLimiter() queue.RateLimiter
MinIOControllerRateLimiter is a no-arg constructor for a default rate limiter for our controller's workqueue. It applies both overall and per-item rate limiting: the overall limiter is a token bucket and the per-item limiter is exponential.
func StartOperator ¶
func StartOperator(kubeconfig string)
StartOperator starts the MinIO Operator controller
Types ¶
type AssumeRoleWithWebIdentityResponse ¶
// AssumeRoleWithWebIdentityResponse contains the result of successful AssumeRoleWithWebIdentity request.
// The XML namespace is the AWS STS one (presumably so AWS-style clients can parse the reply).
type AssumeRoleWithWebIdentityResponse struct {
	XMLName xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ AssumeRoleWithWebIdentityResponse" json:"-"`
	// Result carries the assumed-role identity and the temporary credentials.
	Result WebIdentityResult `xml:"AssumeRoleWithWebIdentityResult"`
	// ResponseMetadata echoes the request id back to the caller.
	ResponseMetadata struct {
		RequestID string `xml:"RequestId,omitempty"`
	} `xml:"ResponseMetadata,omitempty"`
}
type AssumedRoleUser ¶
AssumedRoleUser - The identifiers for the temporary security credentials that the operation returns. Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumedRoleUser
type Controller ¶
// Controller struct watches the Kubernetes API for changes to Tenant resources.
// It also serves the STS API (see AssumeRoleWithWebIdentityHandler) and validates
// service-account tokens through the TokenReview API (see ValidateServiceAccountJWT).
type Controller struct {
	// contains filtered or unexported fields
}
func NewController ¶
func NewController( podName string, namespacesToWatch set.StringSet, kubeClientSet kubernetes.Interface, k8sClient client.Client, minioClientSet clientset.Interface, promClient promclientset.Interface, statefulSetInformer appsinformers.StatefulSetInformer, deploymentInformer appsinformers.DeploymentInformer, podInformer coreinformers.PodInformer, tenantInformer informers.TenantInformer, policyBindingInformer stsInformers.PolicyBindingInformer, serviceInformer coreinformers.ServiceInformer, hostsTemplate, operatorVersion string, ) *Controller
NewController returns a new Operator Controller
func (*Controller) AssumeRoleWithWebIdentityHandler ¶
func (c *Controller) AssumeRoleWithWebIdentityHandler(w http.ResponseWriter, r *http.Request)
AssumeRoleWithWebIdentityHandler - POST /sts/{tenantNamespace} AssumeRoleWithWebIdentity - implementation of the AWS STS API. Authenticates a Kubernetes Service Account using a JWT token, then evaluates a PolicyBinding CRD as the mapping of the MinIO policies that the ServiceAccount can assume on a MinIO tenant. Eg:- $ curl -k -X POST https://operator:9443/sts/{tenantNamespace} -d "Version=2011-06-15&Action=AssumeRoleWithWebIdentity&WebIdentityToken=<jwt>" -H "Content-Type: application/x-www-form-urlencoded"
func (*Controller) CreateOrUpdatePDB ¶
CreateOrUpdatePDB - keeps the PDB in the expected state
func (*Controller) GetOpenshiftCSRSignerCAFromSecret ¶
func (c *Controller) GetOpenshiftCSRSignerCAFromSecret() ([]byte, error)
GetOpenshiftCSRSignerCAFromSecret loads the TLS certificate from the openshift-csr-signer-ca secret in the operator namespace
func (*Controller) GetPDBAvailable ¶
func (c *Controller) GetPDBAvailable() PDBAvailable
GetPDBAvailable - returns globalPDBAvailable in a thread-safe manner
func (*Controller) GetSignerCAFromSecret ¶
func (c *Controller) GetSignerCAFromSecret() ([]byte, error)
GetSignerCAFromSecret retrieves the CA certificate for OpenShift CSR-signed certificates from the openshift-kube-controller-manager-operator namespace
func (*Controller) Start ¶
func (c *Controller) Start(threadiness int, stopCh <-chan struct{}) error
Start will set up the event handlers for types we are interested in, as well as syncing informer caches and starting workers. It will block until stopCh is closed, at which point it will shutdown the workqueue and wait for workers to finish processing their current work items.
func (*Controller) ValidateServiceAccountJWT ¶
func (c *Controller) ValidateServiceAccountJWT(ctx *context.Context, token string) (*authv1.TokenReview, error)
ValidateServiceAccountJWT executes a call to the TokenReview API to verify that the JWT token received from the client is a valid Service Account JWT token
type Credentials ¶
// Credentials holds access and secret keys.
// SecretKey and SessionToken are secret material and both carry json tags, so
// marshalling a Credentials value (for example into a log line) emits them in clear.
// Fields tagged xml:"-" are internal and never appear in the STS XML response.
type Credentials struct {
	AccessKey    string                 `xml:"AccessKeyId" json:"accessKey,omitempty"`
	SecretKey    string                 `xml:"SecretAccessKey" json:"secretKey,omitempty"`
	Expiration   time.Time              `xml:"Expiration" json:"expiration,omitempty"`
	SessionToken string                 `xml:"SessionToken" json:"sessionToken,omitempty"`
	Status       string                 `xml:"-" json:"status,omitempty"`
	ParentUser   string                 `xml:"-" json:"parentUser,omitempty"`
	Groups       []string               `xml:"-" json:"groups,omitempty"`
	Claims       map[string]interface{} `xml:"-" json:"claims,omitempty"`
}
type EventNotification ¶
// EventNotification - structure to send messages through a channel regarding an error event to be handled
type EventNotification struct {
	// Err the error to handle if any, nil when it is just a message
	Err error
	// Type the event type to handle
	Type EventType
}
type HealthResult ¶
HealthResult holds the results from cluster/health query into MinIO
type MinIOPrometheusMetrics ¶
MinIOPrometheusMetrics holds metrics pulled from prometheus
type PDBAvailable ¶
// PDBAvailable - v1 for v1.PDB and v1beta for v1beta.PDB, flags for whether each is supported.
// The fields are unexported; read them through Available, V1Available and V1BetaAvailable.
type PDBAvailable struct {
	// contains filtered or unexported fields
}
func (*PDBAvailable) Available ¶
func (p *PDBAvailable) Available() bool
Available - reports whether PDB is supported
func (*PDBAvailable) V1Available ¶
func (p *PDBAvailable) V1Available() bool
V1Available - reports whether PDB v1 is supported
func (*PDBAvailable) V1BetaAvailable ¶
func (p *PDBAvailable) V1BetaAvailable() bool
V1BetaAvailable - reports whether PDB v1beta is supported
type ReqInfo ¶
// ReqInfo stores the request info. Reading/writing directly to struct requires appropriate R/W lock.
// The embedded RWMutex makes ReqInfo a no-copy type: pass *ReqInfo, never a value.
// RemoteHost and UserAgent are client-supplied (presumably taken from the request); treat them
// as untrusted text when they are logged or echoed back.
type ReqInfo struct {
	RemoteHost      string // Client Host/IP
	Host            string // Node Host/IP
	UserAgent       string // User Agent
	RequestID       string // x-amz-request-id
	API             string // API name
	AccessKey       string // Access Key
	TenantNamespace string // tenant namespace
	sync.RWMutex
}
type Result ¶
// Result contains the result of a sync invocation.
type Result struct {
	// Requeue tells the Controller to requeue the reconcile key. Defaults to false.
	Requeue bool
	// RequeueAfter if greater than 0, tells the Controller to requeue the reconcile key after the Duration.
	// Implies that Requeue is true, there is no need to set Requeue to true at the same time as RequeueAfter.
	RequeueAfter time.Duration
}
type STSErrorCode ¶
// STSErrorCode type of error status.
type STSErrorCode int
// Error codes, non-exhaustive list - http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
// Each code's numeric value is its position in this list (iota); append new codes at the
// end so existing values stay stable.
const (
	ErrSTSNone STSErrorCode = iota
	ErrSTSAccessDenied
	ErrSTSInvalidIdentityToken
	ErrSTSMissingParameter
	ErrSTSInvalidParameterValue
	ErrSTSWebIdentityExpiredToken
	ErrSTSClientGrantsExpiredToken
	ErrSTSInvalidClientGrantsToken
	ErrSTSMalformedPolicyDocument
	ErrSTSInsecureConnection
	ErrSTSInvalidClientCertificate
	ErrSTSNotInitialized
	ErrSTSUpstreamError
	ErrSTSInternalError
	ErrSTSIDPCommunicationError
	ErrSTSPackedPolicyTooLarge
)
type STSErrorResponse ¶
// STSErrorResponse - error response format (AWS STS ErrorResponse XML shape).
// Error.Message is sent to the client; keep it free of internal detail.
type STSErrorResponse struct {
	XMLName xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ ErrorResponse" json:"-"`
	Error   struct {
		Type    string `xml:"Type"`
		Code    string `xml:"Code"`
		Message string `xml:"Message"`
	} `xml:"Error"`
	RequestID string `xml:"RequestId"`
}
type WebIdentityResult ¶
// WebIdentityResult - Contains the response to a successful AssumeRoleWithWebIdentity request,
// including temporary credentials that can be used to make MinIO API requests.
// Credentials.SecretKey and Credentials.SessionToken are secret material; see Credentials.
type WebIdentityResult struct {
	// The identifiers for the temporary security credentials that the operation
	// returns.
	AssumedRoleUser AssumedRoleUser `xml:",omitempty"`
	// The intended audience (also known as client ID) of the web identity token.
	// This is traditionally the client identifier issued to the application that
	// requested the client grants.
	Audience string `xml:",omitempty"`
	// The temporary security credentials, which include an access key ID, a secret
	// access key, and a security (or session) token.
	//
	// Note: The size of the security token that STS APIs return is not fixed. We
	// strongly recommend that you make no assumptions about the maximum size. As
	// of this writing, the typical size is less than 4096 bytes, but that can vary.
	// Also, future updates to AWS might require larger sizes.
	Credentials Credentials `xml:",omitempty"`
	// A percentage value that indicates the size of the policy in packed form.
	// The service rejects any policy with a packed size greater than 100 percent,
	// which means the policy exceeded the allowed space.
	PackedPolicySize int `xml:",omitempty"`
	// The issuing authority of the web identity token presented. For OpenID Connect
	// ID tokens, this contains the value of the iss field. For OAuth 2.0 id_tokens,
	// this contains the value of the ProviderId parameter that was passed in the
	// AssumeRoleWithWebIdentity request.
	Provider string `xml:",omitempty"`
	// The unique user identifier that is returned by the identity provider.
	// This identifier is associated with the Token that was submitted
	// with the AssumeRoleWithWebIdentity call. The identifier is typically unique to
	// the user and the application that acquired the WebIdentityToken (pairwise identifier).
	// For OpenID Connect ID tokens, this field contains the value returned by the identity
	// provider as the token's sub (Subject) claim.
	SubjectFromWebIdentityToken string `xml:",omitempty"`
}