Removing credsSecret required field in tenant spec

- Removing required credsSecret field in tenant spec - Migration from creddsSecret to Configuration field for old tenants Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
minio · Aug 30, 2022 · aa5879a · aa5879a
1 parent 2f58272
commit aa5879a
Show file tree

Hide file tree

Showing 22 changed files with 102 additions and 138 deletions.
diff --git a/examples/kustomization/base/kustomization.yaml b/examples/kustomization/base/kustomization.yaml
@@ -4,6 +4,5 @@ namespace: minio-tenant
 resources:
   - namespace.yaml
   - tenant-config.yaml
-  - tenant-minio-creds-secret_deprecated.yaml
   - storage-user.yaml
   - tenant.yaml
diff --git a/examples/kustomization/base/tenant-minio-creds-secret_deprecated.yaml b/examples/kustomization/base/tenant-minio-creds-secret_deprecated.yaml
diff --git a/examples/kustomization/base/tenant.yaml b/examples/kustomization/base/tenant.yaml
@@ -48,9 +48,6 @@ spec:
   ## Secret with credentials and configurations to be used by MinIO Tenant.
   configuration:
     name: storage-configuration
-  ## DEPRECATED: Secret with credentials to be used by MinIO Tenant.
-  credsSecret:
-    name: storage-creds-secret
   ## Add environment variables to be set in MinIO container (https://github.com/minio/minio/tree/master/docs/config)
   env: [ ]
   ## serviceMetadata allows passing additional labels and annotations to MinIO and Console specific

diff --git a/helm/operator/templates/minio.min.io_tenants.yaml b/helm/operator/templates/minio.min.io_tenants.yaml
@@ -4,7 +4,7 @@ metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.4.7
     meta.helm.sh/release-name: minio-operator
-    meta.helm.sh/release-namespace: {{ .Release.Namespace }}
+    meta.helm.sh/release-namespace: minio-operator
   labels:
     app.kubernetes.io/managed-by: Helm
   name: tenants.minio.min.io
@@ -15,7 +15,7 @@ spec:
       clientConfig:
         service:
           name: operator
-          namespace: {{ .Release.Namespace }}
+          namespace: minio-operator
           path: /webhook/v1/crd-conversion
           port: 4222
       conversionReviewVersions:

diff --git a/helm/tenant/templates/tenant-secret-deprecated.yaml b/helm/tenant/templates/tenant-secret-deprecated.yaml
diff --git a/helm/tenant/templates/tenant.yaml b/helm/tenant/templates/tenant.yaml
@@ -27,10 +27,8 @@ spec:
   {{- end }}
   ## Secret with default environment variable configurations
   configuration:
-    name: {{ .configuration.name }}
-  ## Deprecated credsSecret
-  credsSecret:
-    name: "tenant-secret"
+    name: {{ dig "secrets" "name" "" ($.Values | merge (dict)) }}
+  {{- end }}
   pools:
   {{- range (dig "pools" (list) .) }}
     - servers: {{ dig "servers" 4 . }}

diff --git a/kubectl-minio/cmd/helpers/helpers.go b/kubectl-minio/cmd/helpers/helpers.go
@@ -272,7 +272,7 @@ func AskNumber(label string, validate func(int) error) int {
 	return r
 }
 
-// AskQuestion user for generic input."
+// AskQuestion ask user for generic input
 func AskQuestion(label string, validate func(string) error) string {
 	prompt := promptui.Prompt{
 		Label: label,

diff --git a/kubectl-minio/cmd/resources/secret.go b/kubectl-minio/cmd/resources/secret.go
@@ -22,24 +22,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-// NewTenantCredsSecret : deprecated
-func NewTenantCredsSecret(opts *TenantOptions) (*corev1.Secret, error) {
-	return &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      opts.Name + "-creds-secret",
-			Namespace: opts.NS,
-		},
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Secret",
-			APIVersion: v1.SchemeGroupVersion.Version,
-		},
-		Data: map[string][]byte{
-			"accesskey": []byte(""),
-			"secretkey": []byte(""),
-		},
-	}, nil
-}
-
 // NewTenantConfigurationSecret will return a new secret a MinIO Tenant
 func NewTenantConfigurationSecret(opts *TenantOptions) (*corev1.Secret, error) {
 	accessKey, secretKey, err := miniov2.GenerateCredentials()

diff --git a/kubectl-minio/cmd/resources/tenant.go b/kubectl-minio/cmd/resources/tenant.go
@@ -134,9 +134,6 @@ func NewTenant(opts *TenantOptions, userSecret *v1.Secret) (*miniov2.Tenant, err
 			Configuration: &v1.LocalObjectReference{
 				Name: opts.ConfigurationSecretName,
 			},
-			CredsSecret: &v1.LocalObjectReference{
-				Name: opts.Name + "-creds-secret",
-			},
 			Pools:           []miniov2.Pool{Pool(opts, volumesPerServer, *capacityPerVolume)},
 			RequestAutoCert: &autoCert,
 			Mountpath:       helpers.MinIOMountPath,

diff --git a/kubectl-minio/cmd/tenant-create.go b/kubectl-minio/cmd/tenant-create.go
@@ -147,11 +147,6 @@ func (c *createCmd) run(args []string) error {
 	if err != nil {
 		return err
 	}
-	// deprecated tenant credsSecret required for deploying tenant, will be removed in operator v5.x.x
-	tenantCredsSecret, err := resources.NewTenantCredsSecret(&c.tenantOpts)
-	if err != nil {
-		return err
-	}
 	// generate tenant configuration
 	tenantConfiguration, err := resources.NewTenantConfigurationSecret(&c.tenantOpts)
 	if err != nil {
@@ -164,7 +159,7 @@ func (c *createCmd) run(args []string) error {
 	}
 	// create resources
 	if !c.output {
-		return createTenant(operatorClient, kubeClient, tenant, tenantCredsSecret, tenantConfiguration, tenantUserCredentials)
+		return createTenant(operatorClient, kubeClient, tenant, tenantConfiguration, tenantUserCredentials)
 	}
 	tenantYAML, err := yaml.Marshal(&tenant)
 	if err != nil {
@@ -174,10 +169,6 @@ func (c *createCmd) run(args []string) error {
 	if err != nil {
 		return err
 	}
-	tenantCredsSecretYAML, err := yaml.Marshal(&tenantCredsSecret)
-	if err != nil {
-		return err
-	}
 	tenantUserYAML, err := yaml.Marshal(&tenantUserCredentials)
 	if err != nil {
 		return err
@@ -186,8 +177,6 @@ func (c *createCmd) run(args []string) error {
 	fmt.Println("---")
 	fmt.Println(string(tenantConfigurationYAML))
 	fmt.Println("---")
-	fmt.Println(string(tenantCredsSecretYAML))
-	fmt.Println("---")
 	fmt.Println(string(tenantUserYAML))
 	return nil
 }
@@ -255,15 +244,10 @@ func greaterThanZero(value int) error {
 	return nil
 }
 
-func createTenant(operatorClient *operatorv1.Clientset, kubeClient *kubernetes.Clientset, tenant *miniov2.Tenant, tenantCredsSecret, tenantConfiguration, console *corev1.Secret) error {
+func createTenant(operatorClient *operatorv1.Clientset, kubeClient *kubernetes.Clientset, tenant *miniov2.Tenant, tenantConfiguration, console *corev1.Secret) error {
 	if _, err := kubeClient.CoreV1().Namespaces().Get(context.Background(), tenant.Namespace, metav1.GetOptions{}); err != nil {
 		return fmt.Errorf("namespace %s not found, please create the namespace using 'kubectl create ns %s'", tenant.Namespace, tenant.Namespace)
 	}
-	// deprecated tenant credsSecret required for deploying tenant
-	// The credsSecret field will be removed in operator v5.x.x
-	if _, err := kubeClient.CoreV1().Secrets(tenant.Namespace).Create(context.Background(), tenantCredsSecret, metav1.CreateOptions{}); err != nil {
-		return err
-	}
 	if _, err := kubeClient.CoreV1().Secrets(tenant.Namespace).Create(context.Background(), tenantConfiguration, metav1.CreateOptions{}); err != nil {
 		return err
 	}

diff --git a/kubectl-minio/cmd/tenant-delete.go b/kubectl-minio/cmd/tenant-delete.go
@@ -106,12 +106,6 @@ func deleteTenant(client *operatorv1.Clientset, kclient *kubernetes.Clientset, d
 
 	fmt.Println("Deleting MinIO Tenant: ", name)
 
-	// Delete credentials secret, ignore any errors.
-	kclient.CoreV1().Secrets(d.ns).Delete(context.Background(), tenant.Spec.CredsSecret.Name,
-		metav1.DeleteOptions{})
-
-	fmt.Println("Deleting MinIO Tenant Credentials Secret: ", tenant.Spec.CredsSecret.Name)
-
 	if tenant.HasConfigurationSecret() {
 		kclient.CoreV1().Secrets(d.ns).Delete(context.Background(), tenant.Spec.Configuration.Name,
 			metav1.DeleteOptions{})

diff --git a/pkg/apis/minio.min.io/v1/helper.go b/pkg/apis/minio.min.io/v1/helper.go
@@ -75,12 +75,6 @@ func genEllipsis(start, end int) string {
 	return "{" + strconv.Itoa(start) + "..." + strconv.Itoa(end) + "}"
 }
 
-// HasCredsSecret returns true if the user has provided a secret
-// for a Tenant else false
-func (t *Tenant) HasCredsSecret() bool {
-	return t.Spec.CredsSecret != nil
-}
-
 // HasConfigurationSecret returns true if the user has provided a configuration
 // for a Tenant else false
 func (t *Tenant) HasConfigurationSecret() bool {
@@ -555,8 +549,8 @@ func (t *Tenant) Validate() error {
 		return errors.New("zones must be configured")
 	}
 
-	if t.Spec.CredsSecret == nil {
-		return errors.New("please set credsSecret secret with credentials for Tenant")
+	if t.Spec.Configuration == nil {
+		return errors.New("please set configuration secret with credentials for Tenant")
 	}
 
 	// Every zone must contain a Volume Claim Template

diff --git a/pkg/apis/minio.min.io/v2/constants.go b/pkg/apis/minio.min.io/v2/constants.go
@@ -97,6 +97,9 @@ const DefaultMinIOUpdateURL = "https://dl.min.io/server/minio/release/" + runtim
 // MinIOHLSvcNameSuffix specifies the suffix added to Tenant name to create a headless service
 const MinIOHLSvcNameSuffix = "-hl"
 
+// TenantConfigurationSecretSuffix specifies the suffix added to tenant name to create the configuration secret name
+const TenantConfigurationSecretSuffix = "-configuration"
+
 // Console Related Constants
 
 // ConsoleTenantLabel is applied to the Console pods of a Tenant cluster

diff --git a/pkg/apis/minio.min.io/v2/helper.go b/pkg/apis/minio.min.io/v2/helper.go
@@ -872,8 +872,8 @@ func (t *Tenant) Validate() error {
 		return errors.New("pools must be configured")
 	}
 
-	if t.Spec.CredsSecret == nil {
-		return errors.New("please set credsSecret secret with credentials for Tenant")
+	if !t.HasConfigurationSecret() && !t.HasCredsSecret() {
+		return errors.New("please set 'configuration' secret with credentials for Tenant")
 	}
 
 	// Every pool must contain a Volume Claim Template

diff --git a/pkg/apis/minio.min.io/v2/names.go b/pkg/apis/minio.min.io/v2/names.go
@@ -223,6 +223,11 @@ func (t *Tenant) LogHLServiceName() string {
 	return t.Name + LogHLSvcNameSuffix
 }
 
+// ConfigurationSecretName returns name of secret used to store the tenant configuration
+func (t *Tenant) ConfigurationSecretName() string {
+	return fmt.Sprintf("%s%s", t.Name, TenantConfigurationSecretSuffix)
+}
+
 // LogSecretName returns name of secret shared by Log PG server and log-search-api server
 func (t *Tenant) LogSecretName() string {
 	return fmt.Sprintf("%s-%s", t.Name, "log-secret")

diff --git a/pkg/apis/minio.min.io/v2/types.go b/pkg/apis/minio.min.io/v2/types.go
@@ -130,7 +130,7 @@ type TenantSpec struct {
 	// Pod Management Policy for pod created by StatefulSet
 	// +optional
 	PodManagementPolicy appsv1.PodManagementPolicyType `json:"podManagementPolicy,omitempty"`
-	// *Required* +
+	// *optional* +
 	//
 	// Specify a https://kubernetes.io/docs/concepts/configuration/secret/[Kubernetes opaque secret] to use for setting the MinIO root access key and secret key. Specify the secret as `name: <secret>`. The Kubernetes secret must contain the following fields: +
 	//

diff --git a/pkg/controller/cluster/main-controller.go b/pkg/controller/cluster/main-controller.go
@@ -114,6 +114,7 @@ const (
 	StatusUpdatingAffinity                   = "Updating Pod Affinity"
 	StatusNotOwned                           = "Statefulset not controlled by operator"
 	StatusFailedAlreadyExists                = "Another MinIO Tenant already exists in the namespace"
+	StatusTenantCredentialsNotSet            = "Tenant credentials are not set properly"
 	StatusInconsistentMinIOVersions          = "Different versions across MinIO Pools"
 	StatusRestartingMinIO                    = "Restarting MinIO"
 	StatusDecommissioningNotAllowed          = "Pool Decommissioning Not Allowed"
@@ -623,6 +624,12 @@ func (c *Controller) syncHandler(key string) error {
 		}
 		return nil
 	}
+
+	// Check the Sync Version to see if the tenant needs upgrade
+	if tenant, err = c.checkForUpgrades(ctx, tenant); err != nil {
+		return err
+	}
+
 	// Set any required default values and init Global variables
 	nsName := types.NamespacedName{Namespace: namespace, Name: tenantName}
 
@@ -656,11 +663,6 @@ func (c *Controller) syncHandler(key string) error {
 		return nil
 	}
 
-	// Check the Sync Version to see if the tenant needs upgrade
-	if tenant, err = c.checkForUpgrades(ctx, tenant); err != nil {
-		return err
-	}
-
 	// AutoCertEnabled verification is used to manage the tenant migration between v1 and v2
 	// Previous behavior was that AutoCert is disabled by default if RequestAutoCert is nil
 	// New behavior is that AutoCert is enabled by default if RequestAutoCert is nil
@@ -761,6 +763,10 @@ func (c *Controller) syncHandler(key string) error {
 
 	adminClnt, err := tenant.NewMinIOAdmin(tenantConfiguration, c.getTransport())
 	if err != nil {
+		if _, uerr := c.updateTenantStatus(ctx, tenant, StatusTenantCredentialsNotSet, 0); uerr != nil {
+			return uerr
+		}
+		klog.Errorf("Error initializing minio admin client: %v", err)
 		return err
 	}
 

diff --git a/pkg/controller/cluster/monitoring.go b/pkg/controller/cluster/monitoring.go
@@ -108,9 +108,8 @@ func (c *Controller) updateHealthStatusForTenant(tenant *miniov2.Tenant) error {
 
 	adminClnt, err := tenant.NewMinIOAdmin(tenantConfiguration, c.getTransport())
 	if err != nil {
-		// show the error and continue
-		klog.Infof("'%s/%s': %v", tenant.Namespace, tenant.Name, err)
-		return nil
+		klog.Errorf("Error instantiating adminClnt '%s/%s': %v", tenant.Namespace, tenant.Name, err)
+		return err
 	}
 
 	aClnt, err := madmin.NewAnonymousClient(tenant.MinIOServerHostAddress(), tenant.TLS())

diff --git a/pkg/controller/cluster/operator.go b/pkg/controller/cluster/operator.go
@@ -365,8 +365,7 @@ func (c *Controller) createUsers(ctx context.Context, tenant *miniov2.Tenant, te
 	// get a new admin client
 	adminClient, err := tenant.NewMinIOAdmin(tenantConfiguration, c.getTransport())
 	if err != nil {
-		// show the error and continue
-		klog.Errorf("Error instantiating madmin: %v", err)
+		klog.Errorf("Error instantiating adminClnt: %v", err)
 		return err
 	}
 

diff --git a/pkg/controller/cluster/tenants.go b/pkg/controller/cluster/tenants.go
@@ -44,27 +44,15 @@ func (c *Controller) getTenantConfiguration(ctx context.Context, tenant *miniov2
 
 // getTenantCredentials returns a combination of env, credsSecret and Configuration tenant credentials
 func (c *Controller) getTenantCredentials(ctx context.Context, tenant *miniov2.Tenant) (map[string][]byte, error) {
-	// Configuration for tenant can be passed using 3 different sources, tenant.spec.env, k8s credsSecret and config.env secret
+	// Configuration for tenant can be passed using 2 different sources, tenant.spec.env and config.env secret
 	// If the user provides duplicated configuration the override order will be:
-	// tenant.Spec.Env < credsSecret (k8s secret) < config.env file (k8s secret)
+	// tenant.Spec.Env < config.env file (k8s secret)
 	tenantConfiguration := map[string][]byte{}
 
 	for _, config := range tenant.GetEnvVars() {
 		tenantConfiguration[config.Name] = []byte(config.Value)
 	}
 
-	if tenant.HasCredsSecret() {
-		minioSecretName := tenant.Spec.CredsSecret.Name
-		minioSecret, err := c.kubeClientSet.CoreV1().Secrets(tenant.Namespace).Get(ctx, minioSecretName, metav1.GetOptions{})
-		if err != nil {
-			return nil, err
-		}
-		configFromCredsSecret := minioSecret.Data
-		for key, val := range configFromCredsSecret {
-			tenantConfiguration[key] = val
-		}
-	}
-
 	// Load tenant configuration from file
 	config, err := c.getTenantConfiguration(ctx, tenant)
 	if err != nil {