Document OpenShift service certificates for Operator deployments #1002

Merged
merged 5 commits into from
Sep 25, 2023
2 changes: 1 addition & 1 deletion source/default-conf.py
@@ -65,7 +65,7 @@
'podman-docs' : ('https://docs.podman.io/en/latest/%s', None),
'podman-git' : ('https://github.com/containers/podman/%s', None),
'docker-docs' : ('https://docs.docker.com/%s', None),
'openshift-docs' : ('https://docs.openshift.com/container-platform/4.11/%s', None),
'openshift-docs' : ('https://docs.openshift.com/container-platform/4.13/%s', None),
Collaborator Author:

Might as well? Too bad Red Hat docs don't have an equivalent of latest.

Collaborator:

No harm in bumping!

'influxdb-docs' : ('https://docs.influxdata.com/influxdb/v2.4/%s', None),
'eks-docs' : ('https://docs.aws.amazon.com/eks/latest/userguide/%s', None),
'minio-web' : ('https://min.io/%s?ref=docs', None),
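Review bot: the bump of `openshift-docs` from `4.11` to `4.13` changes the base of every existing `:openshift-docs:` link in the docs, not only the two new ones this PR adds under `security/certificate_types_descriptions/service-ca-certificates.html`; please confirm the existing targets still resolve under 4.13 before merging, because a moved page fails silently at build time as a plain 404 in the rendered output. Since, as the thread notes, there is no `latest` alias for these docs, a short comment next to the entry stating that the version is pinned deliberately and must be re-checked on each bump would save the next reviewer the same question.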
89 changes: 87 additions & 2 deletions source/includes/openshift/deploy-minio-on-openshift.rst
@@ -136,7 +136,92 @@ The web console displays a widget for tracking the installation progress.

Once installation completes, click :guilabel:`View Operator` to view the MinIO Operator page.

3) Open the MinIO Operator Interface
3) Configure TLS Certificates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you have installed the MinIO Operator from Red Hat OperatorHub, the installation process also configures the :openshift-docs:`OpenShift Service CA Operator <security/certificate_types_descriptions/service-ca-certificates.html>`.
This Operator manages the the TLS certificate required to access the MinIO Operator Console and Tenants.
It automatically renews and rotates the certificate 13 months before expiration.
No additional action is required.

For Operator installations deployed from Red Hat Marketplace or other methods, configure the :openshift-docs:`Service CA certificates <security/certificate_types_descriptions/service-ca-certificates.html>` manually.
See the instructions in the dropdown below for details.

.. dropdown:: OpenShift Service CA Certificate configuration

To manually enable the ``service-ca`` Operator to manage TLS certificates:

#. Configure the following MinIO :ref:`environment variables <minio-server-environment-variables>`:

.. list-table::
:header-rows: 1

* - Environment Variable
- Value

* - :envvar:`MINIO_CONSOLE_TLS_ENABLE`
Collaborator Author (feorlen, Sep 13, 2023):

I found this in https://github.com/minio/operator/blob/3baa9696df34b127c2fdb20306192bd44a1c86bd/docs/env-variables.md but it's not in the giant list of envvars at the moment. I think most of the envvars in that file are not. (Because Operator, not MinIO Server.)

Collaborator Author:

Appears OPERATOR_STS_ENABLED is not required unless you are messing with STS. Which is beyond the scope of this page. It defaults to off.
- ``on``

* - :envvar:`OPERATOR_STS_ENABLED`
- ``off``

* - :envvar:`MINIO_OPERATOR_RUNTIME`
- ``OpenShift``

#. Configure the following ``volumes`` and ``volumeMounts`` in ``something.yaml``:
Collaborator Author:

I'm unclear where this YAML is updated

Collaborator Author:

This is in the Operator deployment. Celis has a YAML file to use with oc apply that will do this for you, no editing needed (for "standard" environments)

Collaborator Author:

Added example of editing the file. Can dig into the oc apply method on a future revisit. (Unclear where that YAML file should live.)

- ``sts-tls``
- ``openshift-service-ca``
- ``openshift-csr-signer-ca``

The YAML configuration resembles the following:

.. code-block:: shell
:class: copyable

volumes:
- name: sts-tls
projected:
sources:
- secret:
name: sts-tls
items:
- key: tls.crt
path: public.crt
- key: tls.key
path: private.key
optional: true
defaultMode: 420
- name: openshift-service-ca
configMap:
name: openshift-service-ca.crt
items:
- key: service-ca.crt
path: service-ca.crt
defaultMode: 420
optional: true
- name: openshift-csr-signer-ca
projected:
sources:
- secret:
name: openshift-csr-signer-ca
items:
- key: tls.crt
path: tls.crt
optional: true
defaultMode: 420

imagePullPolicy: IfNotPresent
volumeMounts:
- name: openshift-service-ca
mountPath: /tmp/service-ca
- name: openshift-csr-signer-ca
mountPath: /tmp/csr-signer-ca
- name: sts-tls
mountPath: /tmp/sts


4) Open the MinIO Operator Interface
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You can find the MinIO Operator Interface from the :guilabel:`Operators` left-hand navigation header.
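Review bot: the step "Configure the following ``volumes`` and ``volumeMounts`` in ``something.yaml``" still carries a placeholder file name, while the thread above establishes that the change goes into the MinIO Operator Deployment; the text should say so explicitly (the Operator ``Deployment`` manifest, or the live object edited with ``oc edit``) so a reader does not go looking for a file that does not exist. In the same step, the fragment mixes a pod-level ``volumes:`` list with a container-level ``volumeMounts:`` list (the stray ``imagePullPolicy: IfNotPresent`` between them is a container field), so it would help to label which part lands under the pod spec and which under the Operator container, and the block is YAML, not shell, so ``.. code-block:: shell`` should be ``.. code-block:: yaml`` for correct highlighting. Two smaller points in the same hunk: "manages the the TLS certificate" has a doubled "the", and the row ``OPERATOR_STS_ENABLED`` / ``off`` tells the reader to set a value that, per the thread, is already the default and out of scope for this page; either drop the row or say "leave at the default, ``off``" so it does not read as a required change. Finally, "renews and rotates the certificate 13 months before expiration" would be clearer if it named which certificate (the service CA or the per-service serving certificate) is rotated on that schedule, since the paragraph has just introduced both the Operator Console and Tenant certificates.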
@@ -148,7 +233,7 @@ You can find the MinIO Operator Interface from the :guilabel:`Operators` left-ha
3. Select :guilabel:`MinIO Operators` from the list of installed operators.
The :guilabel:`Status` column must read :guilabel:`Success` to access the Operator interface.

4) Access the Operator Console
5) Access the Operator Console
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The MinIO Operator includes the Operator Console, a browser-based management interface for managed MinIO tenants.