feat: Add support for KES (#95)

This PR also cleans up few helper methods.

README.md

@@ -32,15 +32,6 @@ This will create all relevant resources required for the Operator to work. Here
 - `ClusterRoleBinding`: This cluster wide binding binds the service account `minio-operator-sa` to cluster role `minio-operator-role`.
 - `Deployment`: Deployment creates a pod using the MinIO-Operator Docker image. This is where the custom controller runs and looks after any changes in custom resource.
 
-### Environment variables
-
-These variables may be passed to operator Deployment in order to modify some of its parameters
-
-| Name                | Default | Description                                                                                                                   |
-| ---                 | ---     | ---                                                                                                                           |
-| `WATCHED_NAMESPACE` |         | If set, the operator will watch only MinIO resources deployed in the specified namespace. All namespaces are watched if empty |
-| `CLUSTER_DOMAIN`    | cluster.local | Cluster Domain of the Kubernetes cluster |
-
 ### Create a MinIO instance
 
 Once MinIO-Operator deployment is running, you can create MinIO instances using the below command
@@ -77,19 +68,27 @@ For example, to expose the created headless Service `minio-hl-svc` on http://min
 kubectl apply -f https://raw.githubusercontent.com/minio/minio-operator/master/examples/expose-via-istio.yaml
 ```
 
-## Features
+### Environment variables
 
-MinIO-Operator currently supports following features:
+These variables may be passed to operator Deployment in order to modify some of its parameters
 
-- Create and delete highly available distributed MinIO clusters.
-- Expand an existing MinIO cluster.
-- Upgrading existing distributed MinIO clusters.
+| Name                | Default | Description                                                                                                                   |
+| ---                 | ---     | ---                                                                                                                           |
+| `WATCHED_NAMESPACE` |         | If set, the operator will watch only MinIO resources deployed in the specified namespace. All namespaces are watched if empty |
+| `CLUSTER_DOMAIN`    | cluster.local | Cluster Domain of the Kubernetes cluster |
 
-Refer [`minioinstance.yaml`](https://raw.githubusercontent.com/minio/minio-operator/master/examples/minioinstance.yaml) for details on how to pass supported fields to the operator.
+## Features
 
-## Upcoming features
+MinIO-Operator currently supports following features:
 
-- Continuous remote site mirroring with [`mc mirror`](https://docs.minio.io/docs/minio-client-complete-guide.html#mirror)
+| Feature                 | Reference Document |
+|-------------------------|--------------------|
+| Create and delete highly available distributed MinIO clusters  | [Create a MinIO Instance](https://github.com/minio/minio-operator#create-a-minio-instance). |
+| Expand an existing MinIO cluster                               | [Expand a MinIO Cluster](https://github.com/minio/minio-operator#expand-a-minio-cluster). |
+| Automatic TLS for MinIO                                        | [Automatic TLS for MinIO Instance](https://github.com/minio/minio-operator/blob/master/docs/tls.md#automatic-csr-generation). |
+| Deploy [MCS](https://github.com/minio/mcs) with MinIO cluster  | [Deploy MinIO Instance with MCS](https://github.com/minio/minio-operator/blob/master/docs/mcs.md). |
+| Deploy [KES](https://github.com/minio/kes) with MinIO cluster  | [Deploy MinIO Instance with KES](https://github.com/minio/minio-operator/blob/master/docs/kes.md). |
+| Deploy [mc mirror](https://docs.minio.io/docs/minio-client-complete-guide.html#mirror)  | [Deploy Mirror Instance](https://github.com/minio/minio-operator/blob/master/docs/mirror.md). |
 
 ## Explore Further
 

docs/kes.md

@@ -0,0 +1,58 @@
+# MinIO Operator KES Configuration
+
+[![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)
+[![Docker Pulls](https://img.shields.io/docker/pulls/minio/k8s-operator.svg?maxAge=604800)](https://hub.docker.com/r/minio/k8s-operator)
+
+This document explains how to enable KES with MinIO Operator.
+
+## Getting Started
+
+### Prerequisites
+
+- MinIO Operator up and running as explained in the [document here](https://github.com/minio/minio-operator#create-operator-and-related-resources).
+- KES requires TLS enabled for MinIO. Make sure TLS is enabled as explained in the [document here](https://github.com/minio/minio-operator/blob/master/docs/tls.md).
+- KES requires a KMS backend in [configuration](https://raw.githubusercontent.com/minio/minio-operator/master/examples/kes-config-secret.yaml). Currently KES supports [AWS Secrets Manager](https://github.com/minio/kes/wiki/AWS-SecretsManager) and [Hashicorp Vault](https://github.com/minio/kes/wiki/Hashicorp-Vault-Keystore) as KMS backend for production. We recommend setting up one of these as the KMS backend before setting up KES.
+
+### Enable KES Configuration
+
+KES Configuration is a part of MinIOInstance yaml file. Check the sample file [available here](https://raw.githubusercontent.com/minio/minio-operator/master/examples/minioinstance-kes.yaml). The config offers below options
+
+#### KES Fields
+
+| Field                 | Description |
+|-----------------------|-------------|
+| spec.kes | Defines the KES configuration. Refer [this](https://github.com/minio/kes) |
+| spec.kes.replicas | Number of KES pods to be created. |
+| spec.kes.image | Defines the KES image. |
+| spec.kes.configSecret | Secret to specify KES Configuration. This is a mandatory field. |
+| spec.kes.selector | Add a selector for the KES. Which will be used by the KES pods for grouping. (Note: Should not match the labels provided in `spec.selector`) |
+| spec.kes.metadata | This allows a way to map metadata to the KES pods. Internally `metadata` is a struct type as [explained here](https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#ObjectMeta). [Note: Should match the labels in `spec.kes.selector`] |
+
+### Create MinIO Instance
+
+Once you have updated the yaml file per your requirement, use `kubectl` to create the MinIO instance like
+
+```
+kubectl create -f examples/minioinstance-kes.yaml
+```
+
+Alternatively, you can deploy the example like this
+
+```
+kubectl create -f https://raw.githubusercontent.com/minio/minio-operator/master/examples/minioinstance-kes.yaml
+```
+
+KES uses CSR for self signed certificate generation. KES requires three certificates/key pairs for working
+
+- X.509 certificate for the KES server and the corresponding private key.
+- X.509 certificate for the MinIO server and the corresponding private key.
+- X.509 certificate for the KES client (MinIO is the KES client in this case) and the corresponding private key.
+
+Accordingly, you'll need to approve three CSR requests, using below approach
+
+```
+kubectl get csr
+kubectl certificate approve <csr-name>
+```
+
+Once all the CSRs are approved, MinIO Operator will deploy KES Pods and start MinIO Server with KES integration.

docs/mcs.md

@@ -0,0 +1,41 @@
+# MinIO Operator MCS Configuration
+
+[![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)
+[![Docker Pulls](https://img.shields.io/docker/pulls/minio/k8s-operator.svg?maxAge=604800)](https://hub.docker.com/r/minio/k8s-operator)
+
+This document explains how to enable MCS with MinIO Operator.
+
+## Getting Started
+
+### Prerequisites
+
+- MinIO Operator up and running as explained in the [document here](https://github.com/minio/minio-operator#create-operator-and-related-resources).
+
+### Enable MCS Configuration
+
+MCS Configuration is a part of MinIOInstance yaml file. Check the sample file [available here](https://raw.githubusercontent.com/minio/minio-operator/master/examples/minioinstance-mcs.yaml). The config offers below options
+
+#### MCS Fields
+
+| Field                 | Description |
+|-----------------------|-------------|
+| spec.mcs | Defines the mcs configuration. mcs is a graphical user interface for MinIO. Refer [this](https://github.com/minio/mcs) |
+| spec.mcs.image | Defines the mcs image |
+| spec.mcs.mcsAccessKey | Specify the access key to be used by mcs |
+| spec.mcs.mcsSecret | Use this secret to assign mcs credentials to MinIOInstance. |
+| spec.mcs.selector | Add a selector for the mcs. Which will be used by the mcs container for grouping. (Note: Should not match the labels provided in `spec.selector`) |
+| spec.mcs.metadata | This allows a way to map metadata to the mcs container. Internally `metadata` is a struct type as [explained here](https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#ObjectMeta). [Note: Should match the labels in `spec.mcs.selector`] |
+
+### Create MinIO Instance
+
+Once you have updated the yaml file per your requirement, use `kubectl` to create the MinIO instance like
+
+```
+kubectl create -f examples/minioinstance-mcs.yaml
+```
+
+Alternatively, you can deploy the example like this
+
+```
+kubectl create -f https://raw.githubusercontent.com/minio/minio-operator/master/examples/minioinstance-mcs.yaml
+```

docs/mirror.md

@@ -0,0 +1,44 @@
+# MinIO Operator Mirror Configuration
+
+[![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)
+[![Docker Pulls](https://img.shields.io/docker/pulls/minio/k8s-operator.svg?maxAge=604800)](https://hub.docker.com/r/minio/k8s-operator)
+
+This document explains how to enable Mirror with MinIO Operator.
+
+## Getting Started
+
+### Prerequisites
+
+- MinIO Operator up and running as explained in the [document here](https://github.com/minio/minio-operator#create-operator-and-related-resources).
+
+### Enable MCS Configuration
+
+Mirror Configuration is a part of MirrorInstance yaml file. Check the sample file [available here](https://raw.githubusercontent.com/minio/minio-operator/master/examples/mirrorinstance.yaml). The config offers below options
+
+#### Mirror Fields
+
+| Field                 | Description |
+|-----------------------|-------------|
+| kind                  | This defines the resource type to be created. MinIO Operator CRD defines the `kind` for Mirror Operation as `MirrorInstance`.|
+| metadata              | This field allows a way to assign metadata to a MirrorInstance. Internally `metadata` is a struct type as [explained here](https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#ObjectMeta).|
+| spec.metadata         | Define the object metadata to be passed to all the members pods of this MirrorInstance. This allows adding annotations and labels.|
+| spec.image            | Set the container registry and image tag for MinIO Client to be used in the MirrorInstance.|
+| spec.env              | Add Mirror specific environment variables. There are two mandatory fields required for Mirror to work. `MC_HOST_source` is the environment variable to specify the source MinIO cluster for mirror operation. `MC_HOST_target` is the environment variable to specify the target MinIO cluster for mirror operation. The value of these environment variables in the format `https://<access_key>:<secret_key>@<minio_server_url>`. Refer [the document](https://github.com/minio/mc/blob/master/docs/minio-client-complete-guide.md#specify-host-configuration-through-environment-variable) for further details. |
+| spec.args.source      | Specify the source location for mirror operation. This can be a top level alias (e.g `source`), a bucket (e.g `source/bucket`), or a prefix (e.g `source/bucket/prefix`.) |
+| spec.args.target      | Specify the target location for mirror operation. This can be a top level alias (e.g `target`), a bucket (e.g `target/bucket`), or a prefix (e.g `target/bucket/prefix`.)  |
+| spec.args.flags       | Specify the flags to fine tune the mirror operation. Refer the [mc mirror documentation](https://github.com/minio/mc/blob/master/docs/minio-client-complete-guide.md#mirror) for possible values for flags. |
+| spec.resources | Specify CPU and Memory resources for each MirrorInstance Job container. Refer [this document](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-types) for details. |
+
+### Create Mirror Instance
+
+Once you have updated the yaml file per your requirement, use `kubectl` to create the Mirror instance like
+
+```
+kubectl create -f examples/mirrorinstance.yaml
+```
+
+Alternatively, you can deploy the example like this
+
+```
+kubectl create -f https://raw.githubusercontent.com/minio/minio-operator/master/examples/mirrorinstance.yaml
+```

docs/operator-fields.md

@@ -44,11 +44,17 @@ If the MirrorInstance is named as `mirrorinstance`, resources and their names as
 | spec.tolerations | Define a toleration for the MinIOInstance pod to match on a taint. Refer [this document](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) for details. |
 | spec.securityContext | Define a security context for the MinIOInstance pod. Refer [this document](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for details. |
 | spec.mcs | Defines the mcs configuration. mcs is a graphical user interface for MinIO. Refer [this](https://github.com/minio/mcs) |
-| spec.mcs.image | Defines the mcs image (If unspecified, It will be set to the default: `minio/mcs:v0.0.2`) |
+| spec.mcs.image | Defines the mcs image. |
 | spec.mcs.mcsAccessKey | Specify the access key to be used by mcs |
 | spec.mcs.mcsSecret | Use this secret to assign mcs credentials to MinIOInstance. |
 | spec.mcs.selector | Add a selector for the mcs. Which will be used by the mcs container for grouping. (Note: Should not match the labels provided in `spec.selector`) |
 | spec.mcs.metadata | This allows a way to map metadata to the mcs container. Internally `metadata` is a struct type as [explained here](https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#ObjectMeta). [Note: Should match the labels in `spec.mcs.selector`] |
+| spec.kes | Defines the KES configuration. Refer [this](https://github.com/minio/kes) |
+| spec.kes.replicas | Number of KES pods to be created. |
+| spec.kes.image | Defines the KES image. |
+| spec.kes.configSecret | Secret to specify KES Configuration. This is a mandatory field. |
+| spec.kes.selector | Add a selector for the KES. Which will be used by the KES pods for grouping. (Note: Should not match the labels provided in `spec.selector`) |
+| spec.kes.metadata | This allows a way to map metadata to the KES pods. Internally `metadata` is a struct type as [explained here](https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#ObjectMeta). [Note: Should match the labels in `spec.kes.selector`] |
 
 ## MirrorInstance Fields
 

examples/kes-config-secret.yaml

@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kes-config
+type: Opaque
+stringData:
+  server-config.yaml: |-
+    address: 0.0.0.0:7373
+    root: _ # Effectively disabled since no root identity necessary.
+    tls:
+      key: /home/server.key   # Path to the TLS private key
+      cert: /home/server.crt # Path to the TLS certificate
+      proxy:
+        identities: []
+        header:
+          cert: X-Tls-Client-Cert
+    policy:
+      my-policy:
+        paths:
+        - /v1/key/create/*
+        - /v1/key/generate/*
+        - /v1/key/decrypt/*
+        identities:
+        - ${MINIO_ID}
+    cache:
+      expiry:
+        any: 5m0s
+        unused: 20s
+    log:
+      error: on
+      audit: off
+    keys:
+      fs:
+        path: "/kes" # Path to directory. Keys will be stored as files. Not Recommended for Production.
+      # vault:
+      #   endpoint: ""  # The Vault endpoint - e.g. https://127.0.0.1:8200
+      #   namespace: "" # An optional Vault namespace. See: https://www.vaultproject.io/docs/enterprise/namespaces/index.html
+      #   prefix: ""    # An optional K/V prefix. The server will store keys under this prefix. 
+      #   approle:    # AppRole credentials. See: https://www.vaultproject.io/docs/auth/approle.html
+      #     id: ""      # Your AppRole Role ID
+      #     secret: ""  # Your AppRole Secret ID
+      #     retry: 15s  # Duration until the server tries to re-authenticate after connection loss.
+      #   tls:        # The Vault client TLS configuration for mTLS authentication and certificate verification  
+      #     key: ""     # Path to the TLS client private key for mTLS authentication to Vault
+      #     cert: ""    # Path to the TLS client certificate for mTLS authentication to Vailt
+      #     ca: ""      # Path to one or multiple PEM root CA certificates 
+      #   status:     # Vault status configuration. The server will periodically reach out to Vault to check its status. 
+      #     ping: 10s   # Duration until the server checks Vault's status again.
+      # aws:
+      #   # The AWS SecretsManager key store. The server will store
+      #   # secret keys at the AWS SecretsManager encrypted with
+      #   # AWS-KMS. See: https://aws.amazon.com/secrets-manager
+      #   secretsmanager:
+      #     endpoint: ""   # The AWS SecretsManager endpoint      - e.g.: secretsmanager.us-east-2.amazonaws.com
+      #     region: ""     # The AWS region of the SecretsManager - e.g.: us-east-2
+      #     kmskey: ""     # The AWS-KMS key ID used to en/decrypt secrets at the SecretsManager. By default (if not set) the default AWS-KMS key will be used.
+      #     credentials:   # The AWS credentials for accessing secrets at the AWS SecretsManager.
+      #       accesskey: ""  # Your AWS Access Key
+      #       secretkey: ""  # Your AWS Secret Key
+      #       token: ""      # Your AWS session token (usually optional)