controller

package
v1.0.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 28, 2023 License: AGPL-3.0 Imports: 106 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// ConsoleTLSEnv Env variable to turn on / off Console TLS.
	ConsoleTLSEnv = "MINIO_CONSOLE_TLS_ENABLE"
	// DefaultConsoleDeploymentName is the default name of the console deployment
	DefaultConsoleDeploymentName = "console"
	// OperatorConsoleTLSSecretName is the name of secret created with TLS certs for Operator console
	OperatorConsoleTLSSecretName = "console-tls"
)
View Source
const (
	// OperatorWatchedNamespaceEnv Env variable name, the namespaces which the operator watches for MinIO tenants. Defaults to "" for all namespaces.
	OperatorWatchedNamespaceEnv = "WATCHED_NAMESPACE"
	// HostnameEnv Host name env variable
	HostnameEnv = "HOSTNAME"
)
View Source
const (

	// ErrResourceExists is used as part of the Event 'reason' when a Tenant fails
	// to sync due to a StatefulSet of the same name already existing.
	ErrResourceExists = "ErrResourceExists"
	// MessageResourceExists is the message used for Events when a Tenant
	// fails to sync due to a StatefulSet already existing
	MessageResourceExists = "Resource %q already exists and is not managed by MinIO Operator"
)
View Source
const (
	StatusInitialized                = "Initialized"
	StatusProvisioningCIService      = "Provisioning MinIO Cluster IP Service"
	StatusProvisioningHLService      = "Provisioning MinIO Headless Service"
	StatusProvisioningStatefulSet    = "Provisioning MinIO Statefulset"
	StatusProvisioningConsoleService = "Provisioning Console Service"
	StatusProvisioningKESStatefulSet = "Provisioning KES StatefulSet"
	StatusProvisioningInitialUsers   = "Provisioning initial users"
	StatusProvisioningDefaultBuckets = "Provisioning default buckets"
	StatusWaitingMinIOCert           = "Waiting for MinIO TLS Certificate"
	StatusWaitingMinIOClientCert     = "Waiting for MinIO TLS Client Certificate"
	StatusWaitingKESCert             = "Waiting for KES TLS Certificate"
	StatusUpdatingMinIOVersion       = "Updating MinIO Version"
	StatusUpdatingKES                = "Updating KES"
	StatusNotOwned                   = "Statefulset not controlled by operator"
	StatusFailedAlreadyExists        = "Another MinIO Tenant already exists in the namespace"
	StatusTenantCredentialsNotSet    = "Tenant credentials are not set properly"
	StatusInconsistentMinIOVersions  = "Different versions across MinIO Pools"
	StatusRestartingMinIO            = "Restarting MinIO"
	StatusDecommissioningNotAllowed  = "Pool Decommissioning Not Allowed"
)

Standard Status messages for Tenant

View Source
const (
	// HealthUnavailableMessage means MinIO is down
	HealthUnavailableMessage = "Service Unavailable"
	// HealthHealingMessage means MinIO is healing one of more drives
	HealthHealingMessage = "Healing"
	// HealthReduceAvailabilityMessage some drives are offline
	HealthReduceAvailabilityMessage = "Reduced Availability"
)
View Source
const (
	// CertPasswordEnv Env variable is used to decrypt the private key in the TLS certificate for operator if need it
	CertPasswordEnv = "OPERATOR_CERT_PASSWD"
	// OperatorDeploymentNameEnv Env variable to specify a custom deployment name for Operator
	OperatorDeploymentNameEnv = "MINIO_OPERATOR_DEPLOYMENT_NAME"
	// OperatorCATLSSecretName is the name of the secret for the operator CA
	OperatorCATLSSecretName = "operator-ca-tls"
	// OperatorCSRSignerCASecretName is the name of the secret for the signer-ca certificate
	// this is a copy of the secret signer-ca in namespace
	OperatorCSRSignerCASecretName = "openshift-csr-signer-ca"
	// OpenshiftKubeControllerNamespace is the namespace of kube controller manager operator in Openshift
	OpenshiftKubeControllerNamespace = "openshift-kube-controller-manager-operator"
	// OpenshiftCATLSSecretName is the secret name of the CRD's signer in kubernetes under  OpenshiftKubeControllerNamespace namespace
	OpenshiftCATLSSecretName = "csr-signer"
	// DefaultDeploymentName is the default name of the operator deployment
	DefaultDeploymentName = "minio-operator"
	// DefaultOperatorImage is the version fo the operator being used
	DefaultOperatorImage = "minio/operator:v5.0.11"
	// DefaultOperatorImageEnv is the default image to minio instance
	DefaultOperatorImageEnv = "MINIO_OPERATOR_IMAGE"
)
View Source
const (
	STSDefaultPort = "4223"
	STSEndpoint    = "/sts"
)

STS API constants

View Source
const (
	// STSEnabled Env variable name to turn on and off the STS Service is enabled, disabled by default
	STSEnabled = "OPERATOR_STS_ENABLED"

	// STSTLSSecretName is the name of secret created for the Operator STS TLS certs
	STSTLSSecretName = "sts-tls"
)
View Source
const (
	AmzRequestID = "x-amz-request-id"
)

STS Handler constants

View Source
const (
	WebhookSecret = "operator-webhook-secret"
)

Legacy const

Variables

View Source
var ErrEmptyRootCredentials = errors.New("empty tenant credentials")

ErrEmptyRootCredentials is the error returned when we detect missing root credentials

View Source
var ErrMinIONotReady = fmt.Errorf("MinIO is not ready")

ErrMinIONotReady is the error returned when MinIO is not Ready

View Source
var ErrMinIORestarting = fmt.Errorf("MinIO is restarting")

ErrMinIORestarting is the error returned when MinIO is restarting

Functions

func AssumeRole

func AssumeRole(ctx context.Context, c *Controller, tenant *miniov2.Tenant, region string, sessionPolicy string, duration int) (*credentials.Value, error)

AssumeRole invokes the AssumeRole method in the Minio Tenant

func GetPolicy

func GetPolicy(ctx context.Context, adminClient *madmin.AdminClient, policyName string) (*madmin.PolicyInfo, error)

GetPolicy returns a tenant Policy by Name

func IsSTSEnabled

func IsSTSEnabled() bool

IsSTSEnabled Validates if the STS API is turned on, STS is enabled by default

func LoadX509KeyPair

func LoadX509KeyPair(certFile, keyFile string) (tls.Certificate, error)

LoadX509KeyPair Internal func load an X509 key pair (private key , certificate) from the provided paths. The private key may be encrypted and is decrypted using the ENV_VAR: OPERATOR_CERT_PASSWD.

func MinIOControllerRateLimiter

func MinIOControllerRateLimiter() queue.RateLimiter

MinIOControllerRateLimiter is a no-arg constructor for a default rate limiter for a workqueue for our controller. both overall and per-item rate limiting. The overall is a token bucket and the per-item is exponential

func StartOperator

func StartOperator(kubeconfig string)

StartOperator starts the MinIO Operator controller

Types

type APIError

type APIError struct {
	Code           string
	Description    string
	HTTPStatusCode int
}

APIError structure

type AssumeRoleWithWebIdentityResponse

type AssumeRoleWithWebIdentityResponse struct {
	XMLName          xml.Name          `xml:"https://sts.amazonaws.com/doc/2011-06-15/ AssumeRoleWithWebIdentityResponse" json:"-"`
	Result           WebIdentityResult `xml:"AssumeRoleWithWebIdentityResult"`
	ResponseMetadata struct {
		RequestID string `xml:"RequestId,omitempty"`
	} `xml:"ResponseMetadata,omitempty"`
}

AssumeRoleWithWebIdentityResponse contains the result of successful AssumeRoleWithWebIdentity request.

type AssumedRoleUser

type AssumedRoleUser struct {
	Arn           string
	AssumedRoleID string `xml:"AssumeRoleId"`
}

AssumedRoleUser - The identifiers for the temporary security credentials that the operation returns. Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumedRoleUser

type Controller

type Controller struct {
	// contains filtered or unexported fields
}

Controller struct watches the Kubernetes API for changes to Tenant resources

func NewController

func NewController(
	podName string,
	namespacesToWatch set.StringSet,
	kubeClientSet kubernetes.Interface,
	k8sClient client.Client,
	minioClientSet clientset.Interface,
	promClient promclientset.Interface,
	statefulSetInformer appsinformers.StatefulSetInformer,
	deploymentInformer appsinformers.DeploymentInformer,
	podInformer coreinformers.PodInformer,
	tenantInformer informers.TenantInformer,
	policyBindingInformer stsInformers.PolicyBindingInformer,
	serviceInformer coreinformers.ServiceInformer,
	hostsTemplate,
	operatorVersion string,
) *Controller

NewController returns a new Operator Controller

func (*Controller) AssumeRoleWithWebIdentityHandler

func (c *Controller) AssumeRoleWithWebIdentityHandler(w http.ResponseWriter, r *http.Request)

AssumeRoleWithWebIdentityHandler - POST /sts/{tenantNamespace} AssumeRoleWithWebIdentity - implementation of AWS STS API. Authenticates a Kubernetes Service accounts using a JWT Token Evalues a PolicyBinding CRD as Mapping of the Minio Policies that the ServiceAccount can assume on a minio tenant Eg:- $ curl -k -X POST https://operator:9443/sts/{tenantNamespace} -d "Version=2011-06-15&Action=AssumeRoleWithWebIdentity&WebIdentityToken=<jwt>" -H "Content-Type: application/x-www-form-urlencoded"

func (*Controller) CreateOrUpdatePDB

func (c *Controller) CreateOrUpdatePDB(ctx context.Context, t *v2.Tenant) (err error)

CreateOrUpdatePDB - hold PDB as expected

func (*Controller) DeletePDB

func (c *Controller) DeletePDB(ctx context.Context, t *v2.Tenant) (err error)

DeletePDB - delete PDB for tenant

func (*Controller) GetOpenshiftCSRSignerCAFromSecret

func (c *Controller) GetOpenshiftCSRSignerCAFromSecret() ([]byte, error)

GetOpenshiftCSRSignerCAFromSecret loads the tls certificate in openshift-csr-signer-ca secret in operator namespace

func (*Controller) GetPDBAvailable

func (c *Controller) GetPDBAvailable() PDBAvailable

GetPDBAvailable - return globalPDBAvailable thread safe

func (*Controller) GetSignerCAFromSecret

func (c *Controller) GetSignerCAFromSecret() ([]byte, error)

GetSignerCAFromSecret Retrieves the CA certificate for Openshift CSR signed certificates from openshift-kube-controller-manager-operator namespace

func (*Controller) Start

func (c *Controller) Start(threadiness int, stopCh <-chan struct{}) error

Start will set up the event handlers for types we are interested in, as well as syncing informer caches and starting workers. It will block until stopCh is closed, at which point it will shutdown the workqueue and wait for workers to finish processing their current work items.

func (*Controller) Stop

func (c *Controller) Stop()

Stop is called to shutdown the controller

func (*Controller) ValidateServiceAccountJWT

func (c *Controller) ValidateServiceAccountJWT(ctx *context.Context, token string) (*authv1.TokenReview, error)

ValidateServiceAccountJWT Executes a call to TokenReview API to verify if the JWT Token received from the client is a valid Service Account JWT Token

type Credentials

type Credentials struct {
	AccessKey    string                 `xml:"AccessKeyId" json:"accessKey,omitempty"`
	SecretKey    string                 `xml:"SecretAccessKey" json:"secretKey,omitempty"`
	Expiration   time.Time              `xml:"Expiration" json:"expiration,omitempty"`
	SessionToken string                 `xml:"SessionToken" json:"sessionToken,omitempty"`
	Status       string                 `xml:"-" json:"status,omitempty"`
	ParentUser   string                 `xml:"-" json:"parentUser,omitempty"`
	Groups       []string               `xml:"-" json:"groups,omitempty"`
	Claims       map[string]interface{} `xml:"-" json:"claims,omitempty"`
}

Credentials holds access and secret keys.

type EventNotification

type EventNotification struct {
	// Err the error to handle if any, null when is just a message
	Err error
	// Type the event type to handle
	Type EventType
}

EventNotification - structure to send messages through a channel regarding a error event to be handled

type EventType

type EventType int

EventType is Event type to handle

const (
	STSServerNotification EventType = iota
	LeaderElection
)

Possible values of EventType

type HealthResult

type HealthResult struct {
	StatusCode        int
	HealingDrives     int
	WriteQuorumDrives int
}

HealthResult holds the results from cluster/health query into MinIO

type MinIOPrometheusMetrics

type MinIOPrometheusMetrics struct {
	UsableCapacity int64
	Usage          int64
}

MinIOPrometheusMetrics holds metrics pulled from prometheus

type PDBAvailable

type PDBAvailable struct {
	// contains filtered or unexported fields
}

PDBAvailable - v1 for v1.PDB and v1beta for v1beta.PDB,flag for support or not

func (*PDBAvailable) Available

func (p *PDBAvailable) Available() bool

Available - show if it supports PDB

func (*PDBAvailable) V1Available

func (p *PDBAvailable) V1Available() bool

V1Available - show if it supports PDB v1

func (*PDBAvailable) V1BetaAvailable

func (p *PDBAvailable) V1BetaAvailable() bool

V1BetaAvailable - show if it supports PDB v1beta

type ReqInfo

type ReqInfo struct {
	RemoteHost      string // Client Host/IP
	Host            string // Node Host/IP
	UserAgent       string // User Agent
	RequestID       string // x-amz-request-id
	API             string // API name
	AccessKey       string // Access Key
	TenantNamespace string // tenant namespace
	sync.RWMutex
}

ReqInfo stores the request info. Reading/writing directly to struct requires appropriate R/W lock.

type Result

type Result struct {
	// Requeue tells the Controller to requeue the reconcile key.  Defaults to false.
	Requeue bool

	// RequeueAfter if greater than 0, tells the Controller to requeue the reconcile key after the Duration.
	// Implies that Requeue is true, there is no need to set Requeue to true at the same time as RequeueAfter.
	RequeueAfter time.Duration
}

Result contains the result of a sync invocation.

func WrapResult

func WrapResult(result Result, err error) (Result, error)

WrapResult is wrap for result. We can find where return result.

type STSErrorCode

type STSErrorCode int

STSErrorCode type of error status.

const (
	ErrSTSNone STSErrorCode = iota
	ErrSTSAccessDenied
	ErrSTSInvalidIdentityToken
	ErrSTSMissingParameter
	ErrSTSInvalidParameterValue
	ErrSTSWebIdentityExpiredToken
	ErrSTSClientGrantsExpiredToken
	ErrSTSInvalidClientGrantsToken
	ErrSTSMalformedPolicyDocument
	ErrSTSInsecureConnection
	ErrSTSInvalidClientCertificate
	ErrSTSNotInitialized
	ErrSTSUpstreamError
	ErrSTSInternalError
	ErrSTSIDPCommunicationError
	ErrSTSPackedPolicyTooLarge
)

Error codes, non exhaustive list - http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html

type STSErrorResponse

type STSErrorResponse struct {
	XMLName xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ ErrorResponse" json:"-"`
	Error   struct {
		Type    string `xml:"Type"`
		Code    string `xml:"Code"`
		Message string `xml:"Message"`
	} `xml:"Error"`
	RequestID string `xml:"RequestId"`
}

STSErrorResponse - error response format

type WebIdentityResult

type WebIdentityResult struct {
	// The identifiers for the temporary security credentials that the operation
	// returns.
	AssumedRoleUser AssumedRoleUser `xml:",omitempty"`

	// The intended audience (also known as client ID) of the web identity token.
	// This is traditionally the client identifier issued to the application that
	// requested the client grants.
	Audience string `xml:",omitempty"`

	// The temporary security credentials, which include an access key ID, a secret
	// access key, and a security (or session) token.
	//
	// Note: The size of the security token that STS APIs return is not fixed. We
	// strongly recommend that you make no assumptions about the maximum size. As
	// of this writing, the typical size is less than 4096 bytes, but that can vary.
	// Also, future updates to AWS might require larger sizes.
	Credentials Credentials `xml:",omitempty"`

	// A percentage value that indicates the size of the policy in packed form.
	// The service rejects any policy with a packed size greater than 100 percent,
	// which means the policy exceeded the allowed space.
	PackedPolicySize int `xml:",omitempty"`

	// The issuing authority of the web identity token presented. For OpenID Connect
	// ID tokens, this contains the value of the iss field. For OAuth 2.0 id_tokens,
	// this contains the value of the ProviderId parameter that was passed in the
	// AssumeRoleWithWebIdentity request.
	Provider string `xml:",omitempty"`

	// The unique user identifier that is returned by the identity provider.
	// This identifier is associated with the Token that was submitted
	// with the AssumeRoleWithWebIdentity call. The identifier is typically unique to
	// the user and the application that acquired the WebIdentityToken (pairwise identifier).
	// For OpenID Connect ID tokens, this field contains the value returned by the identity
	// provider as the token's sub (Subject) claim.
	SubjectFromWebIdentityToken string `xml:",omitempty"`
}

WebIdentityResult - Contains the response to a successful AssumeRoleWithWebIdentity request, including temporary credentials that can be used to make MinIO API requests.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL