Fix Session validation for MCS Operator Mode

cluster/cluster.go

@@ -24,7 +24,7 @@ import (
 )
 
 func GetK8sConfig(token string) *rest.Config {
-	// if m3 is running inside k8s by default he will have access to the ca cert from the k8s local authority
+	// if console is running inside k8s by default he will have access to the ca cert from the k8s local authority
 	const (
 		rootCAFile = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
 	)
@@ -33,7 +33,7 @@ func GetK8sConfig(token string) *rest.Config {
 		tlsClientConfig.CAFile = rootCAFile
 	}
 	config := &rest.Config{
-		Host:            getK8sAPIServer(),
+		Host:            GetK8sAPIServer(),
 		TLSClientConfig: tlsClientConfig,
 		APIPath:         "/",
 		BearerToken:     token,

cluster/config.go

@@ -34,27 +34,27 @@ var (
 	errCantDetermineMCImage    = errors.New("can't determine MC Image")
 )
 
-func getK8sAPIServer() string {
-	// if m3 is running inside a k8s pod KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT will contain the k8s api server apiServerAddress
-	// if m3 is not running inside k8s by default will look for the k8s api server on localhost:8001 (kubectl proxy)
+func GetK8sAPIServer() string {
+	// if console is running inside a k8s pod KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT will contain the k8s api server apiServerAddress
+	// if console is not running inside k8s by default will look for the k8s api server on localhost:8001 (kubectl proxy)
 	// NOTE: using kubectl proxy is for local development only, since every request send to localhost:8001 will bypass service account authentication
 	// more info here: https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#directly-accessing-the-rest-api
-	// you can override this using M3_K8S_API_SERVER, ie use the k8s cluster from `kubectl config view`
+	// you can override this using MCS_K8S_API_SERVER, ie use the k8s cluster from `kubectl config view`
 	host, port := env.Get("KUBERNETES_SERVICE_HOST", ""), env.Get("KUBERNETES_SERVICE_PORT", "")
 	apiServerAddress := "http://localhost:8001"
 	if host != "" && port != "" {
 		apiServerAddress = "https://" + net.JoinHostPort(host, port)
 	}
-	return env.Get(M3K8sAPIServer, apiServerAddress)
+	return env.Get(McsK8sAPIServer, apiServerAddress)
 }
 
 // getK8sAPIServerInsecure allow to tell the k8s client to skip TLS certificate verification, ie: when connecting to a k8s cluster
 // that uses certificate not trusted by your machine
 func getK8sAPIServerInsecure() bool {
-	return strings.ToLower(env.Get(m3k8SAPIServerInsecure, "off")) == "on"
+	return strings.ToLower(env.Get(McsK8SAPIServerInsecure, "off")) == "on"
 }
 
-// GetNsFromFile assumes mkube is running inside a k8s pod and extract the current namespace from the
+// GetNsFromFile assumes console is running inside a k8s pod and extract the current namespace from the
 // /var/run/secrets/kubernetes.io/serviceaccount/namespace file
 func GetNsFromFile() string {
 	dat, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
@@ -64,12 +64,12 @@ func GetNsFromFile() string {
 	return string(dat)
 }
 
-// This operation will run only once at mkube startup
+// This operation will run only once at console startup
 var namespace = GetNsFromFile()
 
 // Returns the namespace in which the controller is installed
 func GetNs() string {
-	return env.Get(M3Namespace, namespace)
+	return env.Get(McsNamespace, namespace)
 }
 
 // getLatestMinIOImage returns the latest docker image for MinIO if found on the internet
@@ -106,7 +106,7 @@ var latestMinIOImage, errLatestMinIOImage = getLatestMinIOImage(
 // a preferred image to be used (configured via ENVIRONMENT VARIABLES) GetMinioImage will return that
 // if not, GetMinioImage will try to obtain the image URL for the latest version of MinIO and return that
 func GetMinioImage() (*string, error) {
-	image := strings.TrimSpace(env.Get(M3MinioImage, ""))
+	image := strings.TrimSpace(env.Get(McsMinioImage, ""))
 	// if there is a preferred image configured by the user we'll always return that
 	if image != "" {
 		return &image, nil
@@ -156,7 +156,7 @@ func getLatestMCImage() (*string, error) {
 var latestMCImage, errLatestMCImage = getLatestMCImage()
 
 func GetMCImage() (*string, error) {
-	image := strings.TrimSpace(env.Get(M3MCImage, ""))
+	image := strings.TrimSpace(env.Get(McsMCImage, ""))
 	// if there is a preferred image configured by the user we'll always return that
 	if image != "" {
 		return &image, nil

cluster/const.go

@@ -17,9 +17,9 @@
 package cluster
 
 const (
-	M3K8sAPIServer         = "M3_K8S_API_SERVER"
-	m3k8SAPIServerInsecure = "M3_K8S_API_SERVER_INSECURE"
-	M3MinioImage           = "M3_MINIO_IMAGE"
-	M3MCImage              = "M3_MC_IMAGE"
-	M3Namespace            = "M3_NAMESPACE"
+	McsK8sAPIServer         = "MCS_K8S_API_SERVER"
+	McsK8SAPIServerInsecure = "MCS_K8S_API_SERVER_INSECURE"
+	McsMinioImage           = "MCS_MINIO_IMAGE"
+	McsMCImage              = "MCS_MC_IMAGE"
+	McsNamespace            = "MCS_NAMESPACE"
 )

k8s/console/base/mcs-deployment.yaml

@@ -0,0 +1,27 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mcs
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mcs
+  template:
+    metadata:
+      labels:
+        app: mcs
+    spec:
+      serviceAccountName: m3-sa
+      containers:
+        - name: mcs
+          image: minio/mcs:latest
+          imagePullPolicy: "IfNotPresent"
+          args:
+            - /mcs
+            - server
+          ports:
+            - containerPort: 9090
+              name: http
+            - containerPort: 9433
+              name: https

k8s/operator-console/base/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+# beginning of customizations
+resources:
+  - mcs-service-account.yaml
+  - mcs-cluster-role.yaml
+  - mcs-cluster-role-binding.yaml
+  - mcs-configmap.yaml
+  - mcs-service.yaml
+  - mcs-deployment.yaml
+  - minio-operator.yaml

k8s/operator-console/base/mcs-cluster-role-binding.yaml

@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mcs-sa-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: mcs-sa-role
+subjects:
+  - kind: ServiceAccount
+    name: mcs-sa
+    namespace: default

k8s/operator-console/base/mcs-cluster-role.yaml

@@ -0,0 +1,77 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: mcs-sa-role
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+      - secrets
+      - pods
+      - services
+      - events
+      - resourcequotas
+    verbs:
+      - get
+      - watch
+      - create
+      - list
+      - patch
+  - apiGroups:
+      - "storage.k8s.io"
+    resources:
+      - storageclasses
+    verbs:
+      - get
+      - watch
+      - create
+      - list
+      - patch
+  - apiGroups:
+      - apps
+    resources:
+      - statefulsets
+      - deployments
+    verbs:
+      - get
+      - create
+      - list
+      - patch
+      - watch
+      - update
+      - delete
+  - apiGroups:
+      - batch
+    resources:
+      - jobs
+    verbs:
+      - get
+      - create
+      - list
+      - patch
+      - watch
+      - update
+      - delete
+  - apiGroups:
+      - "certificates.k8s.io"
+    resources:
+      - "certificatesigningrequests"
+      - "certificatesigningrequests/approval"
+      - "certificatesigningrequests/status"
+    verbs:
+      - update
+      - create
+      - get
+  - apiGroups:
+      - operator.min.io
+    resources:
+      - "*"
+    verbs:
+      - "*"
+  - apiGroups:
+      - min.io
+    resources:
+      - "*"
+    verbs:
+      - "*"

k8s/operator-console/base/mcs-configmap.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mcs-env
+data:
+  MCS_PORT: "9090"
+  MCS_TLS_PORT: "9443"

k8s/base/mcs-deployment.yaml → k8s/operator-console/base/mcs-deployment.yaml

@@ -18,7 +18,7 @@ spec:
           image: minio/mcs:latest
           imagePullPolicy: "IfNotPresent"
           env:
-            - name: MCS_MKUBE_ADMIN_ONLY
+            - name: MCS_OPERATOR_MODE
               value: "on"
           args:
             - /mcs

k8s/operator-console/base/mcs-service-account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: mcs-sa
+  namespace: default

k8s/operator-console/base/mcs-service.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: mcs
+  labels:
+    name: mcs
+spec:
+  ports:
+    - port: 9090
+      name: http
+    - port: 9443
+      name: https
+  selector:
+    app: mcs