

Turn-off bucket DNS by default, make it opt-in (#321)
To enable it, one must set it explicitly:
```
s3:
 bucketDNS: true
```

It looks like many S3 API users seem to have buckets with
`.` in them and would love to just use `path-style` instead
of `bucket` DNS style.

Making this an opt-in because users should be aware of the
restrictions this would bring in for their bucket names.
harshavardhana authored Oct 5, 2020

1 parent 5cceb2b commit dda8cb7
Showing 10 changed files with 814 additions and 228 deletions.
6 changes: 6 additions & 0 deletions examples/tenant-encryption.yaml
@@ -192,6 +192,12 @@ spec:
## https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster
requestAutoCert: true

## Enable S3 specific features such as Bucket DNS which would allow `buckets` to be
## accessible as DNS entries of form `<bucketname>.minio.default.svc.cluster.local`
s3:
## This feature is turned off by default
bucketDNS: false

## This field is used only when "requestAutoCert" is set to true. Use this field to set CommonName
## for the auto-generated certificate. Internal DNS name for the pod will be used if CommonName is
## not provided. DNS name format is *.minio.default.svc.cluster.local
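Review bot: The new comment on the `s3` block describes what bucket DNS gives you but not what it costs, which is the reason the commit makes it opt-in; the example is the first place users will look, so the caveat belongs next to `bucketDNS: false`. I would add `## Enabling this imposes DNS-compatible restrictions on bucket names (the commit notes that names containing "." do not fit virtual-host style); leave it off to keep path-style access.` The same comment block appears in the other two example files and should carry the same caveat. The hostname in the comment also hard-codes the `default` namespace; `<bucketname>.minio.<namespace>.svc.cluster.local` would be accurate for every example.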
10 changes: 10 additions & 0 deletions examples/tenant-pod-security-policy.yaml
@@ -99,11 +99,14 @@ spec:
storage: 1Ti
## Mount path where PV will be mounted inside container(s). Defaults to "/export".
mountPath: /export

## Sub path inside Mount path where MinIO starts. Defaults to "".
# subPath: /data

## Secret with credentials to be used by MinIO Tenant.
credsSecret:
name: minio-creds-secret

## PodManagement policy for pods created by StatefulSet. Can be "OrderedReady" or "Parallel"
## Refer https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy
## for details. Defaults to "Parallel"
@@ -119,6 +122,13 @@ spec:
## Enable Kubernetes based certificate generation and signing as explained in
## https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster
requestAutoCert: false

## Enable S3 specific features such as Bucket DNS which would allow `buckets` to be
## accessible as DNS entries of form `<bucketname>.minio.default.svc.cluster.local`
s3:
## This feature is turned off by default
bucketDNS: false

## Used when "requestAutoCert" is set to true. Set CommonName for the auto-generated certificate.
## Internal DNS name for the pod will be used if CommonName is not provided.
## DNS name format is minio-{0...3}.minio.default.svc.cluster.local
6 changes: 6 additions & 0 deletions examples/tenant.yaml
@@ -131,6 +131,12 @@ spec:
## https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster
requestAutoCert: true

## Enable S3 specific features such as Bucket DNS which would allow `buckets` to be
## accessible as DNS entries of form `<bucketname>.minio.default.svc.cluster.local`
s3:
## This feature is turned off by default
bucketDNS: false

## This field is used only when "requestAutoCert" is set to true. Use this field to set CommonName
## for the auto-generated certificate. Internal DNS name for the pod will be used if CommonName is
## not provided. DNS name format is *.minio.default.svc.cluster.local
2 changes: 1 addition & 1 deletion kubectl-minio/statik/statik.go


944 changes: 737 additions & 207 deletions operator-kustomize/crds/minio.min.io_tenants.yaml


10 changes: 5 additions & 5 deletions pkg/apis/minio.min.io/v1/helper.go
@@ -256,11 +256,6 @@ func (t *Tenant) EnsureDefaults() *Tenant {
t.Spec.Image = DefaultMinIOImage
}

// Default an empty service name to the instance name
if t.Spec.ServiceName == "" {
t.Spec.ServiceName = t.Name
}

if t.Spec.ImagePullPolicy == "" {
t.Spec.ImagePullPolicy = DefaultImagePullPolicy
}
@@ -457,6 +452,11 @@ func (t *Tenant) KESServiceHost() string {
return fmt.Sprintf("%s.%s.svc.%s", t.KESHLServiceName(), t.Namespace, ClusterDomain)
}

// S3BucketDNS indicates if Bucket DNS feature is enabled.
func (t *Tenant) S3BucketDNS() bool {
return t.Spec.S3 != nil && t.Spec.S3.BucketDNS
}

// HasKESEnabled checks if kes configuration is provided by user
func (t *Tenant) HasKESEnabled() bool {
return t.Spec.KES != nil
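Review bot: The doc comment on the new `S3BucketDNS` should say that it is nil-safe, since the body deliberately short-circuits on `t.Spec.S3 == nil` and callers in the StatefulSet builder rely on that to treat an absent `spec.s3` block as "off": `// S3BucketDNS reports whether the opt-in bucket DNS feature is enabled; it returns false when spec.s3 is absent.` The first hunk also silently drops the `ServiceName` defaulting from `EnsureDefaults`, which is an API change for existing Tenant objects that set `serviceName`, and the commit description does not mention it. Both `EnsureDefaults` and `HasKESEnabled` extend outside the hunks shown.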
3 changes: 2 additions & 1 deletion pkg/apis/minio.min.io/v1/names.go
@@ -71,7 +71,8 @@ func (t *Tenant) MinIOHLServiceName() string {
// MinIOCIServiceName returns the name of Cluster IP service that is created to communicate
// with current MinIO StatefulSet pods
func (t *Tenant) MinIOCIServiceName() string {
return t.Spec.ServiceName
// DO NOT CHANGE, this should be constant
return "minio"
}

// MinIOBucketBaseDomain returns the base domain name for buckets
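Review bot: Returning the constant `"minio"` from `MinIOCIServiceName` means every Tenant in a namespace now claims the same ClusterIP Service name, whereas the removed `t.Spec.ServiceName` (previously defaulted to the tenant name) kept them distinct; if more than one Tenant per namespace is supported, the second one would collide with or take over the first one's Service, and that case needs either a validation guard or a name that still carries the tenant. The `// DO NOT CHANGE` comment should also state the reason, which I infer is that the bucket DNS form `<bucket>.minio.<namespace>.svc.cluster.local` and `MinIOBucketBaseDomain` depend on it: `// DO NOT CHANGE: bucket DNS (<bucket>.minio.<ns>.svc.<domain>) and MinIOBucketBaseDomain assume this fixed name.` `MinIOBucketBaseDomain` itself is outside the hunk.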
14 changes: 10 additions & 4 deletions pkg/apis/minio.min.io/v1/types.go
@@ -47,17 +47,20 @@ type TenantScheduler struct {
Name string `json:"name"`
}

// S3Features list of S3 features to enable/disable.
// Currently only supports BucketDNS
type S3Features struct {
// BucketDNS if 'true' means Buckets can be accessed using `<bucket>.minio.default.svc.cluster.local`
BucketDNS bool `json:"bucketDNS"`
}

// TenantSpec is the spec for a Tenant resource
type TenantSpec struct {
// Definition for Cluster in given MinIO cluster
Zones []Zone `json:"zones"`
// Image defines the Tenant Docker image.
// +optional
Image string `json:"image,omitempty"`
// ServiceName defines name of the Service that will be created for this instance, if none is specified,
// it will default to the instance name
// +optional
ServiceName string `json:"serviceName,omitempty"`
// ImagePullSecret defines the secret to be used for pull image from a private Docker image.
// +optional
ImagePullSecret corev1.LocalObjectReference `json:"imagePullSecret,omitempty"`
@@ -92,6 +95,9 @@ type TenantSpec struct {
// https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/
// +optional
RequestAutoCert bool `json:"requestAutoCert,omitempty"`
// S3 related features can be disabled or enabled such as `bucketDNS` etc.
S3 *S3Features `json:"s3,omitempty"`
// +optional
// CertConfig allows users to set entries like CommonName, Organization, etc for the certificate
// +optional
CertConfig *CertificateConfig `json:"certConfig,omitempty"`
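Review bot: The `// +optional` added right after `S3 *S3Features` is in the wrong place: controller-gen markers attach to the doc comment preceding a field, so as written it becomes a second `+optional` on `CertConfig` and the `s3` field gets none, which may cause the regenerated CRD to list `s3` as required and reject existing Tenant manifests that omit it (the CRD diff is not rendered here, so verify). Move it into the `S3` field's comment block: `// S3 related features can be disabled or enabled such as `bucketDNS` etc.` / `// +optional` / `S3 *S3Features `json:"s3,omitempty"``. The same hunk removes the `ServiceName` field from `TenantSpec` entirely; that is a breaking schema change for users who set `serviceName` and deserves a sentence in the commit description. `TenantSpec` continues past the end of the hunk.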
21 changes: 21 additions & 0 deletions pkg/apis/minio.min.io/v1/zz_generated.deepcopy.go


26 changes: 16 additions & 10 deletions pkg/resources/statefulsets/minio-statefulset.go
@@ -46,9 +46,6 @@ func minioEnvironmentVars(t *miniov1.Tenant, wsSecret *v1.Secret, hostsTemplate
corev1.EnvVar{
Name: "MINIO_UPDATE",
Value: "on",
}, corev1.EnvVar{
Name: "MINIO_DOMAIN",
Value: t.MinIOBucketBaseDomain(),
}, corev1.EnvVar{
Name: "MINIO_UPDATE_MINISIGN_PUBKEY",
Value: "RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav",
@@ -62,6 +59,20 @@ func minioEnvironmentVars(t *miniov1.Tenant, wsSecret *v1.Secret, hostsTemplate
Key: miniov1.WebhookMinIOArgs,
},
},
}, corev1.EnvVar{
// Add a fallback in-case operator is down.
Name: "MINIO_ENDPOINTS",
Value: strings.Join(GetContainerArgs(t, hostsTemplate), " "),
}, corev1.EnvVar{
Name: "MINIO_OPERATOR_VERSION",
Value: opVersion,
})

// Enable Bucket DNS only if asked for by default turned off
if t.S3BucketDNS() {
envVars = append(envVars, corev1.EnvVar{
Name: "MINIO_DOMAIN",
Value: t.MinIOBucketBaseDomain(),
}, corev1.EnvVar{
Name: miniov1.WebhookMinIOBucket,
ValueFrom: &corev1.EnvVarSource{
@@ -72,14 +83,8 @@ func minioEnvironmentVars(t *miniov1.Tenant, wsSecret *v1.Secret, hostsTemplate
Key: miniov1.WebhookMinIOArgs,
},
},
}, corev1.EnvVar{
// Add a fallback in-case operator is down.
Name: "MINIO_ENDPOINTS",
Value: strings.Join(GetContainerArgs(t, hostsTemplate), " "),
}, corev1.EnvVar{
Name: "MINIO_OPERATOR_VERSION",
Value: opVersion,
})
}

// Add env variables from credentials secret, if no secret provided, dont use
// env vars. MinIO server automatically creates default credentials
@@ -107,6 +112,7 @@ func minioEnvironmentVars(t *miniov1.Tenant, wsSecret *v1.Secret, hostsTemplate
},
})
}

if t.HasKESEnabled() {
envVars = append(envVars, corev1.EnvVar{
Name: "MINIO_KMS_KES_ENDPOINT",
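Review bot: The gating comment `// Enable Bucket DNS only if asked for by default turned off` is hard to parse and does not say what the off state means for the server; since `MINIO_DOMAIN` is now only emitted inside the `t.S3BucketDNS()` branch, I would write `// Bucket DNS is opt-in (spec.s3.bucketDNS): MINIO_DOMAIN and the bucket webhook are only configured when it is enabled, so tenants default to path-style access.` Because the flag changes the pod template's env, flipping it on an existing Tenant presumably triggers a rolling restart of the StatefulSet, which is worth a sentence in the comment or the CRD field description so operators are not surprised. `minioEnvironmentVars` begins and ends outside the hunks shown.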
