From 1ee845150e6bc2913d5442cf48eefacc37533aac Mon Sep 17 00:00:00 2001 From: Daryl White <53910321+djwfyi@users.noreply.github.com> Date: Wed, 31 Jul 2024 16:43:08 -0400 Subject: [PATCH] Updates related to Operator 6.0.0 release Partially addresses #1273. --- source/includes/k8s/deploy-operator.rst | 12 +++++++++--- source/includes/k8s/file-transfer-protocol-k8s.rst | 2 -- .../install-deploy-manage/upgrade-minio-operator.rst | 2 +- 3 files changed, 10 insertions(+), 6 deletions(-) diff --git a/source/includes/k8s/deploy-operator.rst b/source/includes/k8s/deploy-operator.rst index 6a2109378..45d801e76 100644 --- a/source/includes/k8s/deploy-operator.rst +++ b/source/includes/k8s/deploy-operator.rst @@ -48,8 +48,13 @@ Each pod runs three containers: - InitContainer that only exists during the launch of the pod to manage configuration secrets during startup. Once startup completes, this container terminates. -- SideCar container that monitors configuration secrets for the tenant and updates them as they change. - This container also monitors for root credentials and creates an error if it does not find root credentials. +- Sidecar container used to initialize the MinIO tenant. + The sidecar retrieves and validates the configuration for each tenant and creates the necessary local resources in the pod. + + .. versionchanged:: Operator 6.0.0 + + The Sidecar has its own image and release cycle separate from the rest of the MinIO Operator. + The MinIO Operator stores the tenant's environment variables in the sidecar, allowing the Operator to update the variables without requiring a rolling restart. Starting with v5.0.6, the MinIO Operator supports custom :kube-docs:`init containers ` for additional pod initialization that may be required for your environment. 
@@ -104,7 +109,8 @@ Kubernetes TLS Certificate API - For :ref:`STS service ` when :envvar:`OPERATOR_STS_ENABLED` environment variable is set to ``on``. - For retrieving the health of the cluster. - The MinIO Operator reads certificates inside the ``operator-ca-tls`` secret and syncs this secret within the tenant namespace to trust private certificate authorities, such as when using cert-manager. + Beginning with Operator 6.0.0, the MinIO Operator reads certificates inside the ``operator-ca-tls`` secret to trust private certificate authorities throughout the Kubernetes cluster, such as when using cert-manager. + Previous versions of the Operator sync the ``operator-ca-tls`` certificates to each tenant. For any of these circumstances, the MinIO Operator *requires* that the Kubernetes ``kube-controller-manager`` configuration include the following :kube-docs:`configuration settings `: diff --git a/source/includes/k8s/file-transfer-protocol-k8s.rst b/source/includes/k8s/file-transfer-protocol-k8s.rst index b2de82f2f..408db992a 100644 --- a/source/includes/k8s/file-transfer-protocol-k8s.rst +++ b/source/includes/k8s/file-transfer-protocol-k8s.rst @@ -102,8 +102,6 @@ Procedure spec: configuration: name: my-tenant-env-configuration - credsSecret: - name: my-tenant-secret exposeServices: console: true minio: true diff --git a/source/operations/install-deploy-manage/upgrade-minio-operator.rst b/source/operations/install-deploy-manage/upgrade-minio-operator.rst index 9aea52a16..5b35cb898 100644 --- a/source/operations/install-deploy-manage/upgrade-minio-operator.rst +++ b/source/operations/install-deploy-manage/upgrade-minio-operator.rst 
@@ -42,7 +42,7 @@ The following changes apply for Operator v5.0.0 or later: - The ``.spec.s3`` field is replaced by the ``.spec.features`` field. - The ``.spec.credsSecret`` field is replaced by the ``.spec.configuration`` field. - The ``.spec.credsSecret`` should hold all the environment variables for the MinIO deployment that contain sensitive information and should not show in ``.spec.env``. + The ``.spec.configuration`` secret should hold all the environment variables for the MinIO deployment that contain sensitive information and should not show in ``.spec.env``. This change impacts the Tenant :abbr:`CRD (CustomResourceDefinition)` and only impacts users editing a tenant YAML directly, such as through Helm or Kustomize. - Both the **Log Search API** (``.spec.log``) and **Prometheus** (``.spec.prometheus``) deployments have been removed. However, existing deployments are left running as standalone deployments / statefulsets with no connection to the Tenant CR.
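Review bot: In the deploy-operator.rst hunk at @@ -48,8 +48,13, the rewritten sidecar bullet drops the statement that the container monitors for root credentials and creates an error when it does not find them, and nothing in the new text says whether that check still exists in Operator 6.0.0. If the behaviour remains, keep a sentence for it; if it was removed, say so under the ``versionchanged`` directive, because a reader of the previous text would still expect that error. The added sentence "stores the tenant's environment variables in the sidecar" should also state in what form the variables are held, since upgrade-minio-operator.rst describes them as containing sensitive information. Minor style point: the hunk uses both "Sidecar" and "sidecar"; pick one.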
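Review bot: In the deploy-operator.rst hunk at @@ -104,7 +109,8, the phrase "to trust private certificate authorities throughout the Kubernetes cluster" leaves the new trust scope undefined. The removed line was specific (the secret was synced "within the tenant namespace"); the replacement should be equally specific about which namespace the Operator reads ``operator-ca-tls`` from and how a tenant comes to trust those CAs now that the secret is no longer synced to it. It would also help to say what happens on upgrade to copies that earlier versions already synced to each tenant. For consistency with the first hunk, consider a ``.. versionchanged:: Operator 6.0.0`` directive here instead of inline prose, and "synced" rather than "sync" for previous versions.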
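Review bot: In the file-transfer-protocol-k8s.rst hunk at @@ -102,8 +102,6, removing ``credsSecret`` leaves ``my-tenant-env-configuration`` as the only secret the example references, but the hunk does not show the procedure text being updated to match. Check that the surrounding steps no longer mention ``my-tenant-secret`` and that they tell the reader the configuration secret must carry the credentials the removed field used to supply. The other two files carry a version note for their changes; a short note here that ``credsSecret`` was replaced by ``.spec.configuration`` would keep readers with older tenant YAML from copying the field back in.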
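Review bot: In the upgrade-minio-operator.rst hunk at @@ -42,7 +42,7, "The ``.spec.configuration`` secret" conflates the field with the object it points to. As the tenant example in file-transfer-protocol-k8s.rst shows (``configuration:`` followed by ``name: my-tenant-env-configuration``), the field holds the name of a secret, so "The secret referenced by ``.spec.configuration``" is more accurate. The tail of that sentence, "and should not show in ``.spec.env``", is also ambiguous about whether it applies to the variables or the secret; suggest "Do not place these variables in ``.spec.env``."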