Skip to content

Commit

Permalink
DOCS-1273: Operator 6.0.0 Deploy/Upgrade docs, removing Console refer…
Browse files Browse the repository at this point in the history
…ences (#1284)

Addresses #1273 

# Summary

This pass does three things:

1. Updates all tutorials related to Operator/Tenant deployment for
Kustomize and Helm
2. Removes references to Operator Console + updates to reference
Kustomize/Helm wherever possible
3. Slightly tidies up old or dangling references

This pass does not do these things:

- Link out heavily to Kubernetes docs (for later)
- Clean up organization (singleplat build handles this)
- Addresses OpenShift, Rancher, etc.

---------

Co-authored-by: Andrea Longo <[email protected]>
Co-authored-by: Allan Roger Reid <[email protected]>
Co-authored-by: Daryl White <[email protected]>
  • Loading branch information
4 people authored Aug 1, 2024
1 parent 7722414 commit 23253dd
Show file tree
Hide file tree
Showing 20 changed files with 955 additions and 1,372 deletions.
3 changes: 3 additions & 0 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -174,6 +174,7 @@ sync-operator-version:
@echo "Retrieving latest Operator version"
@$(eval OPERATOR = $(shell curl --retry 10 -Ls -o /dev/null -w "%{url_effective}" https://github.com/minio/operator/releases/latest | sed "s/https:\/\/github.com\/minio\/operator\/releases\/tag\///" | sed "s/v//"))
@$(eval kname = $(shell uname -s))
@$(eval K8SFLOOR = $(shell curl -sL https://raw.githubusercontent.com/minio/operator/master/testing/kind-config-floor.yaml | grep -F -m 1 'node:v' | awk 'BEGIN { FS = ":" } ; {print $$3}'))

@echo "Updating Operator to ${OPERATOR}"

Expand All @@ -182,9 +183,11 @@ sync-operator-version:
@case "${kname}" in \
"Darwin") \
sed -i "" "s|OPERATOR|${OPERATOR}|g" source/conf.py;\
sed -i "" "s|K8SFLOOR|${K8SFLOOR}|g" source/conf.py; \
;; \
*) \
sed -i "s|OPERATOR|${OPERATOR}|g" source/conf.py; \
sed -i "s|K8SFLOOR|${K8SFLOOR}|g" source/conf.py; \
;; \
esac

Expand Down
12 changes: 12 additions & 0 deletions source/_static/scss/includes/_misc.scss
Original file line number Diff line number Diff line change
Expand Up @@ -379,4 +379,16 @@ figcaption {
table thead tr.header {
background-color: lightgray;
box-shadow: none;
}

// --------------------------------------
// Improving readability of ordered lists
// --------------------------------------

div.procedure ol.arabic li > p:first-child {
font-weight: bold;
}

div.procedure ol.arabic li ul.simple li p {
font-weight: normal; // stupid hack, not sure how else to fix this
}
8 changes: 6 additions & 2 deletions source/administration/console/managing-deployment.rst
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,12 @@ You can use the MinIO Console to perform many of the deployment monitoring and m
- Set up :ref:`site replication <minio-console-site-replication>` to synchronize datacenters for timely access across geographically dispersed workforces or for disaster preparedness.
- Configure deployment :ref:`settings <minio-console-settings>`.

.. important::

The MinIO Console is a web-based interface for the MinIO Server.

It is distinct and independent from the MinIO Kubernetes Operator Console which was deprecated and removed as of Operator 6.0.0.

.. _minio-console-monitoring:

Monitoring
Expand Down Expand Up @@ -62,8 +68,6 @@ Audit

The Audit Log section provides an interface for viewing :ref:`audit logs <minio-logging>` collected by a configured PostgreSQL service.

The Audit Logging feature is configured and enabled automatically for MinIO deployments created using the :ref:`MinIO Operator Console <minio-operator-console>`.

Trace
~~~~~

Expand Down
4 changes: 3 additions & 1 deletion source/default-conf.py
Original file line number Diff line number Diff line change
Expand Up @@ -331,10 +331,12 @@
.. |SNSD| replace:: :abbr:`SNSD (Single-Node Single-Drive)`
.. |SNMD| replace:: :abbr:`SNMD (Single-Node Multi-Drive)`
.. |MNMD| replace:: :abbr:`MNMD (Multi-Node Multi-Drive)`
.. |operator-version-stable| replace:: 5.0.15
.. |operator-version-stable| replace:: OPERATOR
.. |helm-charts| replace:: `Helm Charts <https://github.com/minio/operator/tree/vOPERATOR/helm>`__
.. |helm-operator-chart| replace:: `Helm Operator Charts <https://github.com/minio/operator/blob/vOPERATOR/helm/operator>`__
.. |helm-tenant-chart| replace:: `Helm Tenant Charts <https://github.com/minio/operator/tree/vOPERATOR/helm/tenant>`__
.. |k8s-floor| replace:: K8SFLOOR
.. |cpp-sdk-version| replace:: CPPVERSION
.. |dotnet-sdk-version| replace:: DOTNETVERSION
Expand Down
100 changes: 5 additions & 95 deletions source/includes/common/common-install-operator-kustomize.rst
Original file line number Diff line number Diff line change
Expand Up @@ -66,42 +66,6 @@ The following procedure uses ``kubectl -k`` to install the Operator from the Min

.. _minio-k8s-deploy-operator-access-console:

#. *(Optional)* Configure access to the Operator Console service

The Operator Console service does not automatically bind or expose itself for external access on the Kubernetes cluster.
You must instead configure a network control plane component, such as a load balancer or ingress, to grant that external access.

For testing purposes or short-term access, expose the Operator Console service through a NodePort using the following patch:

.. code-block:: shell
:class: copyable
kubectl patch service -n minio-operator console -p '
{
"spec": {
"ports": [
{
"name": "http",
"port": 9090,
"protocol": "TCP",
"targetPort": 9090,
"nodePort": 30090
},
{
"name": "https",
"port": 9443,
"protocol": "TCP",
"targetPort": 9443,
"nodePort": 30433
}
],
"type": "NodePort"
}
}'
The patch command should output ``service/console patched``.
You can now access the service through ports ``30433`` (HTTPS) or ``30090`` (HTTP) on any of your Kubernetes worker nodes.

#. Verify the Operator installation

Check the contents of the specified namespace (``minio-operator``) to ensure all pods and services have started successfully.
Expand All @@ -123,7 +87,6 @@ The following procedure uses ``kubectl -k`` to install the Operator from the Min
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/operator ClusterIP 10.43.135.241 <none> 4221/TCP 5m20s
service/sts ClusterIP 10.43.117.251 <none> 4223/TCP 5m20s
service/console NodePort 10.43.235.38 <none> 9090:30090/TCP,9443:30433/TCP 5m20s
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/console 1/1 1 1 5m20s
Expand All @@ -133,63 +96,10 @@ The following procedure uses ``kubectl -k`` to install the Operator from the Min
replicaset.apps/console-56c7d8bd89 1 1 1 5m20s
replicaset.apps/minio-operator-6c758b8c45 2 2 2 5m20s
#. Retrieve the Operator Console JWT for login

.. code-block:: shell
:class: copyable
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
name: console-sa-secret
namespace: minio-operator
annotations:
kubernetes.io/service-account.name: console-sa
type: kubernetes.io/service-account-token
EOF
SA_TOKEN=$(kubectl -n minio-operator get secret console-sa-secret -o jsonpath="{.data.token}" | base64 --decode)
echo $SA_TOKEN
The output of this command is the JSON Web Token (JWT) login credential for Operator Console.
#. Log into the MinIO Operator Console
.. tab-set::
.. tab-item:: NodePort
:selected:
If you configured the service for access through a NodePort, specify the hostname of any worker node in the cluster with that port as ``HOSTNAME:NODEPORT`` to access the Console.
For example, a deployment configured with a NodePort of 30090 and the following ``InternalIP`` addresses can be accessed at ``http://172.18.0.5:30090``.
.. code-block:: shell
:class: copyable
kubectl get nodes -o custom-columns=IP:.status.addresses[:]
IP
map[address:172.18.0.5 type:InternalIP],map[address:k3d-MINIO-agent-3 type:Hostname]
map[address:172.18.0.6 type:InternalIP],map[address:k3d-MINIO-agent-2 type:Hostname]
map[address:172.18.0.2 type:InternalIP],map[address:k3d-MINIO-server-0 type:Hostname]
map[address:172.18.0.4 type:InternalIP],map[address:k3d-MINIO-agent-1 type:Hostname]
map[address:172.18.0.3 type:InternalIP],map[address:k3d-MINIO-agent-0 type:Hostname]
.. tab-item:: Ingress or Load Balancer
If you configured the ``svc/console`` service for access through ingress or a cluster load balancer, you can access the Console using the configured hostname and port.
.. tab-item:: Port Forwarding
You can use ``kubectl port forward`` to temporary forward ports for the Console:
.. code-block:: shell
:class: copyable
kubectl port-forward svc/console -n minio-operator 9090:9090
#. Next Steps

You can then use ``http://localhost:9090`` to access the MinIO Operator Console.
You can deploy MinIO tenants using the :ref:`MinIO CRD and Kustomize. <minio-k8s-deploy-minio-tenant>`
MinIO also provides a :ref:`Helm chart for deploying Tenants <deploy-tenant-helm>`.

Once you access the Console, use the Console JWT to log in.
You can now :ref:`deploy and manage MinIO Tenants using the Operator Console <deploy-minio-distributed>`.
MinIO recommends using the same method of Tenant deployment and management used to install the Operator.
Mixing Kustomize and Helm for Operator or Tenant management may increase operational complexity.
Original file line number Diff line number Diff line change
@@ -1,8 +1,6 @@
The Operator Console service does not automatically bind or expose itself for external access on the Kubernetes cluster.
Instead, you must configure a network control plane component, such as a load balancer or ingress, to grant external access.

.. cond:: k8s

For testing purposes or short-term access, expose the Operator Console service through a NodePort using the following patch:

.. code-block:: shell
Expand Down
36 changes: 16 additions & 20 deletions source/includes/k8s/deploy-operator.rst
Original file line number Diff line number Diff line change
Expand Up @@ -31,16 +31,15 @@ While this documentation *may* provide guidance for configuring or deploying Kub
MinIO Operator Components
-------------------------

The MinIO Operator exists in its own namespace.
Within the Operator's namespace, the MinIO Operator utilizes two pods:
The MinIO Operator exists in its own namespace in which it creates Kubernetes resources.
Those resources includes pods, services, replicasets, and deployments.

- The Operator pod for the base Operator functions to deploy, manage, modify, and maintain tenants.
- Console pod for the Operator's Graphical User Interface, the Operator Console.
The Operator pods monitor all namespaces by default for objects using the MinIO CRD and manages those resources automatically.

When you use the Operator to create a tenant, the tenant *must* have its own namespace.
Within that namespace, the Operator generates the pods required by the tenant configuration.

Each pod runs three containers:
Each Tenant pod runs three containers:

- MinIO Container that runs all of the standard MinIO functions, equivalent to basic MinIO installation on baremetal.
This container stores and retrieves objects in the provided mount points (persistent volumes).
Expand All @@ -51,32 +50,29 @@ Each pod runs three containers:
- SideCar container that monitors configuration secrets for the tenant and updates them as they change.
This container also monitors for root credentials and creates an error if it does not find root credentials.

Starting with v5.0.6, the MinIO Operator supports custom :kube-docs:`init containers <concepts/workloads/pods/init-containers>` for additional pod initialization that may be required for your environment.

The tenant utilizes Persistent Volume Claims to talk to the Persistent Volumes that store the objects.

.. image:: /images/k8s/OperatorsComponent-Diagram.png
:width: 600px
:alt: A diagram of the namespaces and pods used by or maintained by the MinIO Operator.
:align: center
.. Image references Console pods, need to fix this up
.. .. image:: /images/k8s/OperatorsComponent-Diagram.png
.. :width: 600px
.. :alt: A diagram of the namespaces and pods used by or maintained by the MinIO Operator.
.. :align: center
.. _minio-operator-prerequisites:

Prerequisites
-------------

Kubernetes Version 1.21.0
~~~~~~~~~~~~~~~~~~~~~~~~~

.. important::
Kubernetes Version |k8s-floor|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

MinIO **strongly recommends** upgrading Production clusters running `End-Of-Life <https://kubernetes.io/releases/patch-releases/#non-active-branch-history>`__ Kubernetes APIs.
MinIO tests |operator-version-stable| against a floor of Kubernetes API of |k8s-floor|.
MinIO **strongly recommends** maintaining Kubernetes infrastructure using `actively maintained Kubernetes API versions <https://kubernetes.io/releases/>`__.

Starting with v5.0.0, MinIO **requires** Kubernetes 1.21.0 or later for both the infrastructure and the ``kubectl`` CLI tool.

.. versionadded:: Operator 5.0.6
MinIO **strongly recommends** upgrading Kubernetes clusters running with `End-Of-Life API versions <https://kubernetes.io/releases/patch-releases/#non-active-branch-history>`__

For Kubernetes 1.25.0 and later, MinIO supports deploying in environments with the :kube-docs:`Pod Security admission (PSA) <concepts/security/pod-security-admission>` ``restricted`` policy enabled.


Kustomize and ``kubectl``
Expand All @@ -100,7 +96,7 @@ Kubernetes TLS Certificate API
The MinIO Operator manages TLS Certificate Signing Requests (CSR) using the Kubernetes ``certificates.k8s.io`` :kube-docs:`TLS certificate management API <tasks/tls/managing-tls-in-a-cluster/>` to create signed TLS certificates in the following circumstances:

- When ``autoCert`` is enabled.
- For the MinIO Console when the :envvar:`MINIO_CONSOLE_TLS_ENABLE` environment variable is set to ``on``.
- For the MinIO Tenant Console when the :envvar:`MINIO_CONSOLE_TLS_ENABLE` environment variable is set to ``on``.
- For :ref:`STS service <minio-security-token-service>` when :envvar:`OPERATOR_STS_ENABLED` environment variable is set to ``on``.
- For retrieving the health of the cluster.

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -37,59 +37,11 @@ Set the value to any :ref:`policy <minio-policy>` on the MinIO deployment.

MinIO supports multiple methods for configuring Keycloak authentication:

- Using the MinIO Operator Console
- Using the MinIO Tenant Console
- Using a terminal/shell and the :mc:`mc idp openid` command

.. tab-set::

.. tab-item:: MinIO Operator Console

You can use the MinIO Operator Console to configure Keycloak as the External Identity Provider for the MinIO Tenant.
See :ref:`minio-operator-console-connect` for specific instructions.

Select :guilabel:`Identity Provider` from the left-hand navigation bar, then select :guilabel:`OpenID`.
Select :guilabel:`Create Configuration` to create a new configuration.

Enter the following information into the modal:

.. list-table::
:stub-columns: 1
:widths: 30 70
:width: 100%

* - :guilabel:`Name`
- Enter a unique name for the Keycloak instance

* - :guilabel:`Config URL`
- Specify the address of the Keycloak OpenID configuration document (|KEYCLOAK_URL|)

Ensure the ``REALM`` matches the Keycloak realm you want to use for authenticating users to MinIO

* - :guilabel:`Client ID`
- Specify the name of the Keycloak client created in Step 1

* - :guilabel:`Client Secret`
- Specify the secret credential value for the Keycloak client created in Step 1

* - :guilabel:`Display Name`
- Specify the user-facing name the MinIO Console should display as part of the Single-Sign On (SSO) workflow for the configured Keycloak service

* - :guilabel:`Scopes`
- Specify the OpenID scopes to include in the JWT, such as ``preferred_username`` or ``email``

You can reference these scopes using supported OpenID policy variables for the purpose of programmatic policy configurations

* - :guilabel:`Redirect URI Dynamic`
- Toggle to ``on``

Substitutes the MinIO Console address used by the client as part of the Keycloak redirect URI.
Keycloak returns authenticated users to the Console using the provided URI.

For MinIO Console deployments behind a reverse proxy, load balancer, or similar network control plane, you can instead use the :envvar:`MINIO_BROWSER_REDIRECT_URL` variable to set the redirect address for Keycloak to use.

Select :guilabel:`Save` to apply the configuration.

.. tab-item:: MinIO Tenant Console

You can use the MinIO Tenant Console to configure Keycloak as the External Identity Provider for the MinIO Tenant.
Expand Down
25 changes: 2 additions & 23 deletions source/includes/openshift/deploy-minio-on-openshift.rst
Original file line number Diff line number Diff line change
Expand Up @@ -133,7 +133,7 @@ Once installation completes, click :guilabel:`View Operator` to view the MinIO O
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you have installed the MinIO Operator from Red Hat OperatorHub, the installation process also configures the :openshift-docs:`OpenShift Service CA Operator <security/certificate_types_descriptions/service-ca-certificates.html>`.
This Operator manages the TLS certificates required to access the MinIO Operator Console and Tenants.
This Operator manages the TLS certificates required to access MinIO Tenants.
It automatically renews and rotates the certificates 13 months before expiration.
No additional action is required.

Expand Down Expand Up @@ -287,29 +287,8 @@ You can find the MinIO Operator Interface from the :guilabel:`Operators` left-ha
3. Select :guilabel:`MinIO Operators` from the list of installed operators.
The :guilabel:`Status` column must read :guilabel:`Success` to access the Operator interface.

5) Access the Operator Console
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The MinIO Operator includes the Operator Console, a browser-based management interface for managed MinIO tenants.

.. include:: /includes/common/common-k8s-connect-operator-console.rst

You can create a permanent routing rule by creating a :openshift-docs:`Route or Ingress <networking/understanding-networking.html#nw-ne-comparing-ingress-route_understanding-networking>` to allow access from external clients, such as your local computer browser.

The following steps provides a summary of actions necessary to create a Route.

#. From :guilabel:`Networking`, go to :guilabel:`Routes`
#. Create a new Route in the MinIO Operator project.
Select a recognizable route name, such as ``operator-console-route``.
#. Set the :guilabel:`Hostname` as per your organizations networking and hostname topology.
Omit the hostname to allow OpenShift to generate it automatically
#. Set the :guilabel:`Service` to :guilabel:`console`
#. Set the :Guilabel:`Target Port` to ``9090``

You can then access the Operator Console using the configured Route.
The Operator Console still requires using the generated JWT token for access, which you can generate at any time using ``oc minio port-forward``.

6) Next Steps
5) Next Steps
~~~~~~~~~~~~~

After deploying the MinIO Operator, you can create a new MinIO Tenant.
Expand Down
3 changes: 2 additions & 1 deletion source/operations/concepts.rst
Original file line number Diff line number Diff line change
Expand Up @@ -132,7 +132,8 @@ There are several options to manage your MinIO deployments and clusters:

- Use the command line with :mc:`mc` and :mc:`mc admin`
- The :ref:`MinIO Console <minio-console>` graphical user interface for individual instances
- In Kubernetes, with the :ref:`MinIO Operator Console <minio-operator-console>`

.. Reference Enterprise Operator Console eventually
.. _minio-rebalance:

Expand Down
1 change: 0 additions & 1 deletion source/operations/deploy-manage-tenants.rst
Original file line number Diff line number Diff line change
Expand Up @@ -48,4 +48,3 @@ The following tutorials provide steps for tenant management via the Operator Con
/operations/install-deploy-manage/expand-minio-tenant
/operations/install-deploy-manage/delete-minio-tenant
/operations/install-deploy-manage/multi-site-replication
/operations/install-deploy-manage/minio-operator-console
Loading

0 comments on commit 23253dd

Please sign in to comment.