Document OpenShift service certificates for Operator deployments #1002
@@ -65,7 +65,7 @@ | |||
'podman-docs' : ('https://docs.podman.io/en/latest/%s', None), | |||
'podman-git' : ('https://github.com/containers/podman/%s', None), | |||
'docker-docs' : ('https://docs.docker.com/%s', None), | |||
'openshift-docs' : ('https://docs.openshift.com/container-platform/4.11/%s', None), | |||
'openshift-docs' : ('https://docs.openshift.com/container-platform/4.13/%s', None), |
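Review bot: The OpenShift release is hard-coded in the `openshift-docs` base URL (`container-platform/4.13/`), so every `:openshift-docs:` link targets that one release and needs another manual edit at the next bump. Consider pulling the version into a named variable beside this mapping, with a comment saying when to update it, so the pin is visible and the bump stays a one-line change.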
Might as well? Too bad Red Hat docs don't have an equivalent of `latest`.
No harm in bumping!
* - Environment Variable | ||
- Value | ||
|
||
* - :envvar:`MINIO_CONSOLE_TLS_ENABLE` |
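Review bot: The `:envvar:` role on `MINIO_CONSOLE_TLS_ENABLE` in this row only produces a link if a matching `.. envvar::` definition exists somewhere in the docs; without one it renders with no target. Either add definitions for the Operator variables used in this table or mark the names up as plain literals, so the table does not imply a reference entry that is missing.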
I found this in https://github.com/minio/operator/blob/3baa9696df34b127c2fdb20306192bd44a1c86bd/docs/env-variables.md but it's not in the giant list of envvars at the moment. I think most of the envvars in that file are not. (Because Operator, not MinIO Server.)
Appears `OPERATOR_STS_ENABLED` is not required unless you are messing with STS. Which is beyond the scope of this page. It defaults to `off`.
* - :envvar:`MINIO_OPERATOR_RUNTIME` | ||
- ``OpenShift`` | ||
|
||
#. Configure the following ``volumes`` and ``volumeMounts`` in ``something.yaml``: |
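Review bot: The step text names ``something.yaml``, which reads as a placeholder left in from drafting. Name the actual manifest the reader has to edit and say which resource in it takes the `volumes` and `volumeMounts`, since the step cannot be followed as written.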
I'm unclear where this YAML is updated
This is in the Operator deployment. Celis has a YAML file to use with `oc apply` that will do this for you, no editing needed (for "standard" environments)
Added example of editing the file. Can dig into the `oc apply` method on a future revisit. (Unclear where that YAML file should live.)
@@ -16,7 +17,7 @@ Overview | |||
Red Hat® OpenShift® is an enterprise-ready Kubernetes container platform with full-stack automated operations to manage hybrid cloud, multi-cloud, and edge deployments. | |||
OpenShift includes an enterprise-grade Linux operating system, container runtime, networking, monitoring, registry, and authentication and authorization solutions. | |||
|
|||
You can deploy the MinIO Kubernetes Operator through the :openshift-docs:`Red Hat® OpenShift® Container Platform 4.7+ <welcome/index.html>`. | |||
You can deploy the MinIO Kubernetes Operator through the :openshift-docs:`Red Hat® OpenShift® Container Platform 4.8+ <welcome/index.html>`. |
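Review bot: The new 4.8+ minimum on the changed line is stated only inside the link text, so a reader still on 4.7 gets no indication that support was dropped or as of which Operator release. Consider a short sentence or a `.. versionchanged::` note after this paragraph naming the release where the minimum moved.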
Per Celis, Red Hat said we have to be `4.8+` now.
@cniackz is there a specific Operator version where that bump happened? We might want to maintain a matrix somewhere, at least internally.
Hello @ravindk89,
Our ability to influence this situation is limited. I recall that certification tests would fail if we attempted to cover versions 4.7 or older, necessitating our decision to cease coverage of those versions and progress towards more recent ones.
Furthermore, if you visit their website, you will notice that full support for that particular version has already concluded: https://access.redhat.com/support/policy/updates/openshift
Best regards,
@@ -70,39 +71,38 @@ Select the tab that corresponds to your preferred installation method: | |||
|
|||
.. tab-set:: | |||
|
|||
.. tab-item:: Red Hat Marketplace | |||
.. tab-item:: Red Hat OperatorHub |
Switched order of these tabs, because using OperatorHub saves you from several annoyances and we should encourage it.
Marketplace does lead you to OperatorHub, but in a roundabout way that few people do. (I.e. paying Red Hat instead of us directly.)
"changes" from here through line 105 are all because of the tab reorder. (Improvements to existing welcome, as always.)
I know this is a draft, but I loved the way it looks in the web page provided at: http://192.241.195.202:9000/staging/DOCS-991/openshift/operations/installation.html#configure-tls-certificates
@@ -95,7 +95,7 @@ Kubernetes TLS Certificate API | |||
The MinIO Operator manages TLS Certificate Signing Requests (CSR) using the Kubernetes ``certificates.k8s.io`` :kube-docs:`TLS certificate management API <tasks/tls/managing-tls-in-a-cluster/>` to create signed TLS certificates in the following circumstances: | |||
|
|||
- When ``autoCert`` is enabled. | |||
- For the MinIO Console when the :envvar:`OPERATOR_CONSOLE_TLS_ENABLE` environment variable is set to ``on``. | |||
- For the MinIO Console when the :envvar:`MINIO_CONSOLE_TLS_ENABLE` environment variable is set to ``on``. |
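Review bot: Check for remaining uses of the old `OPERATOR_CONSOLE_TLS_ENABLE` name outside this hunk; only the last bullet is fixed here, and a reader who finds the old spelling on another page will set a variable that is not the one this bullet names. The bullet also gives no default, so consider stating whether Console certificates are requested when `MINIO_CONSOLE_TLS_ENABLE` is unset.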
`OPERATOR_CONSOLE_TLS_ENABLE` was an oops; the correct name is `MINIO_CONSOLE_TLS_ENABLE`
One minor nit, I don't see anything otherwise here that is a concern. Lovely bit of work.
MinIO Operator on OpenShift may require manual configuration of TLS cert management via the OpenShift `service-ca` Operator. (For deployments that are not done through Red Hat OperatorHub.)

Document the needed envvars, `volumes`, and `volumeMounts` to enable `service-ca` and avoid the need to manually renew certs.

Note: This presumes kustomize, additional research/testing required to determine configuration for Helm chart deployments.

Staged
http://192.241.195.202:9000/staging/DOCS-991/openshift/operations/installation.html#procedure

See also: https://github.com/minio/wiki/wiki/Besides-MINIO_OPERATOR_RUNTIME-what-else-is-needed-in-Operator%3F

Fixes #991 (remaining item for v5.0.8)