Merge branch 'master' into add-certificate-rotate-threshold

docs/job_crd.adoc

@@ -4,9 +4,9 @@
 [id="{p}-api-reference"]
 == API Reference
 
-:minio-image: https://hub.docker.com/r/minio/minio/tags[minio/minio:RELEASE.2024-07-13T01-46-15Z]
+:minio-image: https://hub.docker.com/r/minio/minio/tags[minio/minio:RELEASE.2024-07-16T23-46-41Z]
 :kes-image: https://hub.docker.com/r/minio/kes/tags[minio/kes:2024-06-17T15-47-05Z]
-:mc-image: https://hub.docker.com/r/minio/mc/tags[minio/mc:RELEASE.2024-07-11T18-01-28Z]
+:mc-image: https://hub.docker.com/r/minio/mc/tags[minio/mc:RELEASE.2024-07-16T23-46-41Z]
 
 
 [id="{anchor_prefix}-job-min-io-v1alpha1"]

docs/policybinding_crd.adoc

@@ -4,9 +4,9 @@
 [id="{p}-api-reference"]
 == API Reference
 
-:minio-image: https://hub.docker.com/r/minio/minio/tags[minio/minio:RELEASE.2024-07-13T01-46-15Z]
+:minio-image: https://hub.docker.com/r/minio/minio/tags[minio/minio:RELEASE.2024-07-16T23-46-41Z]
 :kes-image: https://hub.docker.com/r/minio/kes/tags[minio/kes:2024-06-17T15-47-05Z]
-:mc-image: https://hub.docker.com/r/minio/mc/tags[minio/mc:RELEASE.2024-07-11T18-01-28Z]
+:mc-image: https://hub.docker.com/r/minio/mc/tags[minio/mc:RELEASE.2024-07-16T23-46-41Z]
 
 
 [id="{anchor_prefix}-sts-min-io-v1beta1"]

docs/templates/asciidoctor/gv_list.tpl

@@ -7,9 +7,9 @@
 [id="{p}-api-reference"]
 == API Reference
 
-:minio-image: https://hub.docker.com/r/minio/minio/tags[minio/minio:RELEASE.2024-07-13T01-46-15Z]
+:minio-image: https://hub.docker.com/r/minio/minio/tags[minio/minio:RELEASE.2024-07-16T23-46-41Z]
 :kes-image: https://hub.docker.com/r/minio/kes/tags[minio/kes:2024-06-17T15-47-05Z]
-:mc-image: https://hub.docker.com/r/minio/mc/tags[minio/mc:RELEASE.2024-07-11T18-01-28Z]
+:mc-image: https://hub.docker.com/r/minio/mc/tags[minio/mc:RELEASE.2024-07-16T23-46-41Z]
 
 {{ range $groupVersions }}
 {{ template "gvDetails" . }}

docs/tenant_crd.adoc

@@ -4,9 +4,9 @@
 [id="{p}-api-reference"]
 == API Reference
 
-:minio-image: https://hub.docker.com/r/minio/minio/tags[minio/minio:RELEASE.2024-07-13T01-46-15Z]
+:minio-image: https://hub.docker.com/r/minio/minio/tags[minio/minio:RELEASE.2024-07-16T23-46-41Z]
 :kes-image: https://hub.docker.com/r/minio/kes/tags[minio/kes:2024-06-17T15-47-05Z]
-:mc-image: https://hub.docker.com/r/minio/mc/tags[minio/mc:RELEASE.2024-07-11T18-01-28Z]
+:mc-image: https://hub.docker.com/r/minio/mc/tags[minio/mc:RELEASE.2024-07-16T23-46-41Z]
 
 
 [id="{anchor_prefix}-minio-min-io-v2"]

examples/kustomization/base/tenant.yaml

@@ -144,7 +144,7 @@ spec:
   ## https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
   externalClientCertSecrets: [ ]
   ## Registry location and Tag to download MinIO Server image
-  image: quay.io/minio/minio:RELEASE.2024-07-13T01-46-15Z
+  image: quay.io/minio/minio:RELEASE.2024-07-16T23-46-41Z
   imagePullSecret: { }
   ## Mount path where PV will be mounted inside container(s).
   mountPath: /export
@@ -229,7 +229,7 @@ spec:
   # certExpiryAlertThreshold: 1
   ## Prometheus setup for MinIO Tenant.
   #  prometheus:
-  #    image: "" # defaults to quay.io/prometheus/prometheus:RELEASE.2024-07-11T18-01-28Z
+  #    image: "" # defaults to quay.io/prometheus/prometheus:RELEASE.2024-07-16T23-46-41Z
   #    env: [ ]
   #    sidecarimage: "" # defaults to alpine
   #    initimage: "" # defaults to busybox:1.33.1

helm/operator/templates/job.min.io_jobs.yaml

@@ -4,7 +4,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.15.0
-    operator.min.io/version: v6.0.0
+    operator.min.io/version: v6.0.1
   name: miniojobs.job.min.io
 spec:
   group: job.min.io
@@ -1080,7 +1080,7 @@ spec:
                   x-kubernetes-map-type: atomic
                 type: array
               mcImage:
-                default: quay.io/minio/mc:RELEASE.2024-07-11T18-01-28Z
+                default: quay.io/minio/mc:RELEASE.2024-07-16T23-46-41Z
                 type: string
               securityContext:
                 properties:

helm/operator/templates/minio.min.io_tenants.yaml

@@ -4,7 +4,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.15.0
-    operator.min.io/version: v6.0.0
+    operator.min.io/version: v6.0.1
   name: tenants.minio.min.io
 spec:
   group: minio.min.io

helm/operator/templates/sts.min.io_policybindings.yaml

@@ -4,7 +4,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.15.0
-    operator.min.io/version: v6.0.0
+    operator.min.io/version: v6.0.1
   name: policybindings.sts.min.io
 spec:
   group: sts.min.io

helm/operator/values.yaml

@@ -75,7 +75,7 @@ operator:
   #
   #    sidecarImage:
   #      repository: quay.io/minio/operator-sidecar@sha256
-  #      digest: 28c80b379c75242c6fe793dfbf212f43c602140a0de5ebe3d9c2a3a7b9f9f983
+  #      digest: a11947a230b80fb1b0bffa97173147a505d4f1207958f722e348d11ab9e972c1
   #      pullPolicy: IfNotPresent
   #
   sidecarImage: {}

helm/tenant/values.yaml

@@ -55,7 +55,7 @@ tenant:
   # 
   #    image:
   #       repository: quay.io/minio/minio
-  #       tag: RELEASE.2024-07-13T01-46-15Z
+  #       tag: RELEASE.2024-07-16T23-46-41Z
   #       pullPolicy: IfNotPresent
   #
   # The chart also supports specifying an image based on digest value:
@@ -70,7 +70,7 @@ tenant:
   #
   image:
     repository: quay.io/minio/minio
-    tag: RELEASE.2024-07-13T01-46-15Z
+    tag: RELEASE.2024-07-16T23-46-41Z
     pullPolicy: IfNotPresent
   ###
   #

pkg/apis/job.min.io/v1alpha1/types.go

@@ -35,7 +35,7 @@ const (
 // +kubebuilder:resource:scope=Namespaced,shortName=miniojob,singular=miniojob
 // +kubebuilder:printcolumn:name="Tenant",type=string,JSONPath=`.spec.tenant.name`
 // +kubebuilder:printcolumn:name="Phase",type=string,JSONPath=`.spec.status.phase`
-// +kubebuilder:metadata:annotations=operator.min.io/version=v6.0.0
+// +kubebuilder:metadata:annotations=operator.min.io/version=v6.0.1
 
 // MinIOJob is a top-level type. A client is created for it
 type MinIOJob struct {
@@ -96,7 +96,7 @@ type MinIOJobSpec struct {
 
 	// The Docker image to use when deploying `mc` pods. Defaults to {mc-image}. +
 	// +optional
-	// +kubebuilder:default="quay.io/minio/mc:RELEASE.2024-07-11T18-01-28Z"
+	// +kubebuilder:default="quay.io/minio/mc:RELEASE.2024-07-16T23-46-41Z"
 	MCImage string `json:"mcImage,omitempty"`
 
 	// *Optional* +

pkg/apis/minio.min.io/v2/constants.go

@@ -97,7 +97,7 @@ const MinIOVolumeMountPath = "/export"
 const MinIOVolumeSubPath = ""
 
 // DefaultMinIOImage specifies the default MinIO Docker hub image
-const DefaultMinIOImage = "minio/minio:RELEASE.2024-07-13T01-46-15Z"
+const DefaultMinIOImage = "minio/minio:RELEASE.2024-07-16T23-46-41Z"
 
 // DefaultMinIOUpdateURL specifies the default MinIO URL where binaries are
 // pulled from during MinIO upgrades
@@ -134,7 +134,7 @@ const ConsoleAdminPolicyName = "consoleAdmin"
 
 // KES Related Constants
 
-// DefaultKESImage specifies the RELEASE.2024-07-11T18-01-28Z KES Docker hub image
+// DefaultKESImage specifies the RELEASE.2024-07-16T23-46-41Z KES Docker hub image
 const DefaultKESImage = "minio/kes:2024-06-17T15-47-05Z"
 
 // KESInstanceLabel is applied to the KES pods of a Tenant cluster

pkg/apis/minio.min.io/v2/types.go

@@ -31,7 +31,7 @@ import (
 // +kubebuilder:printcolumn:name="State",type="string",JSONPath=".status.currentState"
 // +kubebuilder:printcolumn:name="Health",type="string",JSONPath=".status.healthStatus"
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
-// +kubebuilder:metadata:annotations=operator.min.io/version=v6.0.0
+// +kubebuilder:metadata:annotations=operator.min.io/version=v6.0.1
 // +kubebuilder:storageversion
 type Tenant struct {
 	metav1.TypeMeta   `json:",inline"`

pkg/apis/sts.min.io/v1beta1/types.go

@@ -26,7 +26,7 @@ import (
 // +kubebuilder:resource:scope=Namespaced,shortName=policybinding,singular=policybinding
 // +kubebuilder:printcolumn:name="State",type="string",JSONPath=".status.currentState"
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
-// +kubebuilder:metadata:annotations=operator.min.io/version=v6.0.0
+// +kubebuilder:metadata:annotations=operator.min.io/version=v6.0.1
 // +kubebuilder:storageversion
 // +groupName=policybinding.sts.min.io
 // +versionName=v1beta1

pkg/controller/console.go

@@ -0,0 +1,88 @@
+// This file is part of MinIO Operator
+// Copyright (c) 2021 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package controller
+
+import (
+	"context"
+
+	miniov2 "github.com/minio/operator/pkg/apis/minio.min.io/v2"
+	"github.com/minio/operator/pkg/resources/services"
+	corev1 "k8s.io/api/core/v1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/klog/v2"
+)
+
+// checkConsoleSvc validates the existence of the MinIO service and validate it's status against what the specification
+// states
+func (c *Controller) checkConsoleSvc(ctx context.Context, tenant *miniov2.Tenant, nsName types.NamespacedName) error {
+	// Handle the Internal ClusterIP Service for Tenant
+	svc, err := c.serviceLister.Services(tenant.Namespace).Get(tenant.ConsoleCIServiceName())
+	if err != nil {
+		if k8serrors.IsNotFound(err) {
+			if tenant, err = c.updateTenantStatus(ctx, tenant, StatusProvisioningConsoleService, 0); err != nil {
+				return err
+			}
+			klog.V(2).Infof("Creating a new Console Cluster IP Service for cluster %q", nsName)
+			// Create the clusterIP service for the Tenant
+			svc = services.NewClusterIPForConsole(tenant)
+			svc, err = c.kubeClientSet.CoreV1().Services(tenant.Namespace).Create(ctx, svc, metav1.CreateOptions{})
+			if err != nil {
+				return err
+			}
+			c.recorder.Event(tenant, corev1.EventTypeNormal, "SvcCreated", "Console Service Created")
+		} else {
+			return err
+		}
+	}
+
+	// compare any other change from what is specified on the tenant
+	expectedSvc := services.NewClusterIPForConsole(tenant)
+
+	// check the expose status of the Console service
+	svcMatchesSpec, err := minioSvcMatchesSpecification(svc, expectedSvc)
+
+	// check the specification of the MinIO ClusterIP service
+	if !svcMatchesSpec {
+		if err != nil {
+			klog.Infof("Console Service don't match: %s. Conciliating", err)
+		}
+
+		svc.ObjectMeta.Annotations = expectedSvc.ObjectMeta.Annotations
+		svc.ObjectMeta.Labels = expectedSvc.ObjectMeta.Labels
+		svc.Spec.Ports = expectedSvc.Spec.Ports
+		// Only when ExposeServices is set an explicit value we do modifications to the service type
+		if tenant.Spec.ExposeServices != nil {
+			if tenant.Spec.ExposeServices.Console {
+				svc.Spec.Type = corev1.ServiceTypeLoadBalancer
+			} else {
+				svc.Spec.Type = corev1.ServiceTypeClusterIP
+			}
+		}
+
+		// update the selector
+		svc.Spec.Selector = expectedSvc.Spec.Selector
+
+		_, err = c.kubeClientSet.CoreV1().Services(tenant.Namespace).Update(ctx, svc, metav1.UpdateOptions{})
+		if err != nil {
+			return err
+		}
+		c.recorder.Event(tenant, corev1.EventTypeNormal, "Updated", "Console Service Updated")
+	}
+	return err
+}

pkg/controller/main-controller.go

@@ -905,6 +905,13 @@ func (c *Controller) syncHandler(key string) (Result, error) {
 		return WrapResult(Result{}, err)
 	}
 
+	// Check Console Endpoint Service
+	err = c.checkConsoleSvc(ctx, tenant, nsName)
+	if err != nil {
+		klog.V(2).Infof("error consolidating console service: %s", err.Error())
+		return WrapResult(Result{}, err)
+	}
+
 	// Check MinIO Headless Service used for internode communication
 	err = c.checkMinIOHLSvc(ctx, tenant, nsName)
 	if err != nil {

resources/base/crds/job.min.io_miniojobs.yaml

@@ -4,7 +4,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.15.0
-    operator.min.io/version: v6.0.0
+    operator.min.io/version: v6.0.1
   name: miniojobs.job.min.io
 spec:
   group: job.min.io
@@ -1080,7 +1080,7 @@ spec:
                   x-kubernetes-map-type: atomic
                 type: array
               mcImage:
-                default: quay.io/minio/mc:RELEASE.2024-07-11T18-01-28Z
+                default: quay.io/minio/mc:RELEASE.2024-07-16T23-46-41Z
                 type: string
               securityContext:
                 properties:

resources/base/crds/minio.min.io_tenants.yaml

@@ -4,7 +4,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.15.0
-    operator.min.io/version: v6.0.0
+    operator.min.io/version: v6.0.1
   name: tenants.minio.min.io
 spec:
   group: minio.min.io

resources/base/crds/sts.min.io_policybindings.yaml

@@ -4,7 +4,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.15.0
-    operator.min.io/version: v6.0.0
+    operator.min.io/version: v6.0.1
   name: policybindings.sts.min.io
 spec:
   group: sts.min.io

resources/kustomization.yaml

@@ -5,7 +5,7 @@ commonAnnotations:
   operator.min.io/authors: "MinIO, Inc."
   operator.min.io/license: "AGPLv3"
   operator.min.io/support: "https://subnet.min.io"
-  operator.min.io/version: v6.0.0
+  operator.min.io/version: v6.0.1
 commonLabels:
   app.kubernetes.io/name: operator
 resources: