Add sections for Operator STS, Fields immutable and Headless service …

…port rename Signed-off-by: pjuarezd <[email protected]>
minio · Jun 9, 2024 · fc43b2f · fc43b2f
1 parent 4ec8d9e
commit fc43b2f
Showing 1 changed file with 150 additions and 0 deletions.
diff --git a/docs/notes/v6.0.0.md b/docs/notes/v6.0.0.md
@@ -70,3 +70,153 @@ spec:
 3. Job is completed, bucket created:
 
 ![bucket creation](images/v6.0.0/image1.png )
+
+### Sidecar container
+
+TODO
+
+### TLS Refactor
+
+TODO
+
+### Operator STS 
+
+API `sts.min.io` is updated from `v1alpha1` to `v1beta1`.
+
+The [PolicyBinding](https://github.com/minio/operator/blob/master/docs/policybinding_crd.adoc#k8s-api-github-com-minio-operator-pkg-apis-sts-min-io-v1alpha1-policybinding)
+CRD will be backward compatible.
+If a resource of type `PolicyBindig` on version `v1alpha` currently exists in the Cluster
+at the moment of the upgrade of Operator to Version 6.0.0, the resource will be automatically updated to version `v1beta1`
+with no manual intervention.
+
+<details>
+  <summary>Example</summary>
+
+Before update:
+```yaml
+apiVersion: sts.min.io/v1alpha
+kind: PolicyBinding
+metadata:
+  name: binding-1
+  namespace: minio-tenant-1
+spec:
+  application:
+    namespace: sts-client
+    serviceaccount: stsclient-sa
+  policies:
+    - test-bucket-rw
+```
+
+After update:
+```yaml
+apiVersion: sts.min.io/v1beta1
+kind: PolicyBinding
+metadata:
+  name: binding-1
+  namespace: minio-tenant-1
+spec:
+  application:
+    namespace: sts-client
+    serviceaccount: stsclient-sa
+  policies:
+    - test-bucket-rw
+```
+</details>
+
+### Fields immutable
+
+`spec.pools.*.volumesPerServer` and `spec.pools.*.servers` fields are immutable once created, this was introduced in 
+https://github.com/minio/operator/pull/2070 on Operator v5.0.15, this is a safety net to prevent potentially dangerous change,
+once a pool is created, and it contains data the pool's number of servers and the number of volumes per server should not be changed.
+
+Some of the reasons might be in need to modify this values are expanding storage, this should be made adding a pool,
+see [Expand a distributed MinIO Deployment](https://min.io/docs/minio/linux/operations/install-deploy-manage/expand-minio-deployment.html)
+for this.
+
+On the other hand, the removal of servers no longer in use or ready to be decommissioned should be carefully taken care 
+of by [Decommission a Tenant Server Poo](https://min.io/docs/minio/kubernetes/upstream/operations/install-deploy-manage/modify-minio-tenant.html#decommission-a-tenant-server-pool) 
+not individual nodes or drives.
+If a drive is misbehaving or failing follow the [Drive Failure Recovery](https://min.io/docs/minio/kubernetes/upstream/operations/data-recovery/recover-after-drive-failure.html#minio-restore-hardware-failure-drive)
+guide, if a node is failing follow Node [Failure Recovery guide](https://min.io/docs/minio/kubernetes/upstream/operations/data-recovery/recover-after-node-failure.html).
+
+### Field `spec.pools.*.name` is required starting v5.0.15
+
+TODO
+
+### Headless service port name is now renamed based on TLS settings
+
+Headless service now changes port name from `http-minio` to `https-minio` when TLS is enabled, be aware to configure Ingres
+or any other resources that reference the port name accordingly.
+
+When `.spec.requestAutocert` is `false` and `.spec.externalCertSecret` is empty, then no TLS encryption in transit 
+(https) is enabled for the tenant, and the 3 services created in the namespace have a prefixed `http-` service port:
+
+`{tenant-name}-console` exposes port `http-console`
+
+<details>
+  <summary> example</summary>
+
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    v1.min.io/console: tenant-1-console
+  name: tenant-1-console
+  namespace: tenant-1
+spec:
+  allocateLoadBalancerNodePorts: true
+  clusterIP: 10.96.78.111
+  clusterIPs:
+  - 10.96.78.111
+  internalTrafficPolicy: Cluster
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - name: http-console
+    nodePort: 30984
+    port: 9090
+  selector:
+    v1.min.io/tenant: tenant-1
+  type: LoadBalancer
+```
+</details>
+
+the same, `minio` exposes port `http-minio` and headless service `{tenant-name}-hl` exposes port `http-minio`.
+
+However, when TLS is enabled (because of `.spec.requestAutocert` is `true` or `.spec. externalCertSecret` is provided)
+then the port names for  `{tenant-name}-console` and `minio` services were renamed to have prefix `https-`.
+
+<details>
+  <summary> example</summary>
+
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    v1.min.io/console: tenant-1-console
+  name: tenant-1-console
+  namespace: tenant-1
+spec:
+  allocateLoadBalancerNodePorts: true
+  clusterIP: 10.96.78.111
+  clusterIPs:
+  - 10.96.78.111
+  internalTrafficPolicy: Cluster
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - name: https-console
+    nodePort: 32368
+    port: 9443
+  selector:
+    v1.min.io/tenant: tenant-1
+  type: LoadBalancer
+```
+</details>
+
+Headless service port was not renamed, it was kept as `http-minio`, starting Operator version 6.0.0 the 3 services behave
+the same way and rename the port with a `https-` prefix.