controller

package
v0.0.0-...-435c516 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 8, 2023 License: AGPL-3.0 Imports: 103 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// ConsoleTLSEnv Env variable to turn on / off Console TLS.
	ConsoleTLSEnv = "MINIO_CONSOLE_TLS_ENABLE"
	// DefaultConsoleDeploymentName is the default name of the console deployment
	DefaultConsoleDeploymentName = "console"
	// OperatorConsoleTLSSecretName is the name of secret created with TLS certs for Operator console
	OperatorConsoleTLSSecretName = "operator-console-tls"
)
View Source 
const (
	// OperatorWatchedNamespaceEnv Env variable name, the namespaces which the operator watches for MinIO tenants. Defaults to "" for all namespaces.
	OperatorWatchedNamespaceEnv = "WATCHED_NAMESPACE"
	// HostnameEnv Host name env variable
	HostnameEnv = "HOSTNAME"
)
View Source 
const (

	// ErrResourceExists is used as part of the Event 'reason' when a Tenant fails
	// to sync due to a StatefulSet of the same name already existing.
	ErrResourceExists = "ErrResourceExists"
	// MessageResourceExists is the message used for Events when a Tenant
	// fails to sync due to a StatefulSet already existing
	MessageResourceExists = "Resource %q already exists and is not managed by MinIO Operator"
)
View Source 
const (
	StatusInitialized                = "Initialized"
	StatusProvisioningCIService      = "Provisioning MinIO Cluster IP Service"
	StatusProvisioningHLService      = "Provisioning MinIO Headless Service"
	StatusProvisioningStatefulSet    = "Provisioning MinIO Statefulset"
	StatusProvisioningConsoleService = "Provisioning Console Service"
	StatusProvisioningKESStatefulSet = "Provisioning KES StatefulSet"
	StatusProvisioningInitialUsers   = "Provisioning initial users"
	StatusProvisioningDefaultBuckets = "Provisioning default buckets"
	StatusWaitingMinIOCert           = "Waiting for MinIO TLS Certificate"
	StatusWaitingMinIOClientCert     = "Waiting for MinIO TLS Client Certificate"
	StatusWaitingKESCert             = "Waiting for KES TLS Certificate"
	StatusUpdatingMinIOVersion       = "Updating MinIO Version"
	StatusUpdatingKES                = "Updating KES"
	StatusNotOwned                   = "Statefulset not controlled by operator"
	StatusFailedAlreadyExists        = "Another MinIO Tenant already exists in the namespace"
	StatusTenantCredentialsNotSet    = "Tenant credentials are not set properly"
	StatusInconsistentMinIOVersions  = "Different versions across MinIO Pools"
	StatusRestartingMinIO            = "Restarting MinIO"
	StatusDecommissioningNotAllowed  = "Pool Decommissioning Not Allowed"
)

Standard Status messages for Tenant

View Source 
const (
	// HealthUnavailableMessage means MinIO is down
	HealthUnavailableMessage = "Service Unavailable"
	// HealthHealingMessage means MinIO is healing one of more drives
	HealthHealingMessage = "Healing"
	// HealthReduceAvailabilityMessage some drives are offline
	HealthReduceAvailabilityMessage = "Reduced Availability"
	// HealthAboutToLoseQuorumMessage means we are close to losing write capabilities
	HealthAboutToLoseQuorumMessage = "About to lose quorum"
)
View Source 
const (
	// CertPasswordEnv Env variable is used to decrypt the private key in the TLS certificate for operator if need it
	CertPasswordEnv = "OPERATOR_CERT_PASSWD"
	// OperatorDeploymentNameEnv Env variable to specify a custom deployment name for Operator
	OperatorDeploymentNameEnv = "MINIO_OPERATOR_DEPLOYMENT_NAME"

	// OperatorCATLSSecretName is the name of the secret for the operator CA
	OperatorCATLSSecretName = "operator-ca-tls"
	// DefaultDeploymentName is the default name of the operator deployment
	DefaultDeploymentName = "minio-operator"
	// DefaultOperatorImage is the version fo the operator being used
	DefaultOperatorImage = "minio/operator:v"
)
View Source 
const (
	STSDefaultPort = "4223"
	STSEndpoint    = "/sts"
)

STS API constants

View Source 
const (
	// STSEnabled Env variable name to turn on and off the STS Service is enabled, disabled by default
	STSEnabled = "OPERATOR_STS_ENABLED"

	// STSTLSSecretName is the name of secret created for the Operator STS TLS certs
	STSTLSSecretName = "sts-tls"
)
View Source 
const (
	AmzRequestID = "x-amz-request-id"
)

STS Handler constants

View Source 
const (
	WebhookSecret = "operator-webhook-secret"
)

Legacy const

Variables

View Source 
var ErrEmptyRootCredentials = errors.New("empty tenant credentials")

ErrEmptyRootCredentials is the error returned when we detect missing root credentials

View Source 
var ErrMinIONotReady = fmt.Errorf("MinIO is not ready")

ErrMinIONotReady is the error returned when MinIO is not Ready

View Source 
var ErrMinIORestarting = fmt.Errorf("MinIO is restarting")

ErrMinIORestarting is the error returned when MinIO is restarting

Functions

func AssumeRole 

func AssumeRole(ctx context.Context, c *Controller, tenant *miniov2.Tenant, sessionPolicy string, duration int) (*credentials.Value, error)

AssumeRole invokes the AssumeRole method in the Minio Tenant

func GetPolicy 

func GetPolicy(ctx context.Context, adminClient *madmin.AdminClient, policyName string) (*madmin.PolicyInfo, error)

GetPolicy returns a tenant Policy by Name

func IsSTSEnabled 

func IsSTSEnabled() bool

IsSTSEnabled Validates if the STS API is turned on, STS is disabled by default **WARNING** This will change and will be default to "on" in operator v5

func LoadX509KeyPair 

func LoadX509KeyPair(certFile, keyFile string) (tls.Certificate, error)

LoadX509KeyPair Internal func load an X509 key pair (private key , certificate) from the provided paths. The private key may be encrypted and is decrypted using the ENV_VAR: OPERATOR_CERT_PASSWD.

func MinIOControllerRateLimiter 

func MinIOControllerRateLimiter() queue.RateLimiter

MinIOControllerRateLimiter is a no-arg constructor for a default rate limiter for a workqueue for our controller. both overall and per-item rate limiting. The overall is a token bucket and the per-item is exponential

func StartOperator 

func StartOperator(kubeconfig string)

StartOperator starts the MinIO Operator controller

Types

type APIError 

type APIError struct {
	Code           string
	Description    string
	HTTPStatusCode int
}

APIError structure

type AssumeRoleWithWebIdentityResponse 

type AssumeRoleWithWebIdentityResponse struct {
	XMLName          xml.Name          `xml:"https://sts.amazonaws.com/doc/2011-06-15/ AssumeRoleWithWebIdentityResponse" json:"-"`
	Result           WebIdentityResult `xml:"AssumeRoleWithWebIdentityResult"`
	ResponseMetadata struct {
		RequestID string `xml:"RequestId,omitempty"`
	} `xml:"ResponseMetadata,omitempty"`
}

AssumeRoleWithWebIdentityResponse contains the result of successful AssumeRoleWithWebIdentity request.

type AssumedRoleUser 

type AssumedRoleUser struct {
	Arn           string
	AssumedRoleID string `xml:"AssumeRoleId"`
}

AssumedRoleUser - The identifiers for the temporary security credentials that the operation returns. Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumedRoleUser

type Controller 

type Controller struct {
	// contains filtered or unexported fields
}

Controller struct watches the Kubernetes API for changes to Tenant resources

func NewController 

func NewController(podName string, namespacesToWatch set.StringSet, kubeClientSet kubernetes.Interface, minioClientSet clientset.Interface, promClient promclientset.Interface, statefulSetInformer appsinformers.StatefulSetInformer, deploymentInformer appsinformers.DeploymentInformer, podInformer coreinformers.PodInformer, tenantInformer informers.TenantInformer, policyBindingInformer stsInformers.PolicyBindingInformer, serviceInformer coreinformers.ServiceInformer, hostsTemplate, operatorVersion string) *Controller

NewController returns a new sample controller

func (*Controller) AssumeRoleWithWebIdentityHandler 

func (c *Controller) AssumeRoleWithWebIdentityHandler(w http.ResponseWriter, r *http.Request)

AssumeRoleWithWebIdentityHandler - POST /sts/{tenantNamespace} AssumeRoleWithWebIdentity - implementation of AWS STS API. Authenticates a Kubernetes Service accounts using a JWT Token Evalues a PolicyBinding CRD as Mapping of the Minio Policies that the ServiceAccount can assume on a minio tenant Eg:- $ curl -k -X POST https://operator:9443/sts/{tenantNamespace} -d "Version=2011-06-15&Action=AssumeRoleWithWebIdentity&WebIdentityToken=<jwt>" -H "Content-Type: application/x-www-form-urlencoded"

func (*Controller) CreateOrUpdatePDB 

func (c *Controller) CreateOrUpdatePDB(ctx context.Context, t *v2.Tenant) (err error)

CreateOrUpdatePDB - hold PDB as expected

func (*Controller) DeletePDB 

func (c *Controller) DeletePDB(ctx context.Context, t *v2.Tenant) (err error)

DeletePDB - delete PDB for tenant

func (*Controller) GetPDBAvailable 

func (c *Controller) GetPDBAvailable() PDBAvailable

GetPDBAvailable - return globalPDBAvailable thread safe

func (*Controller) RegisterEvent 

func (c *Controller) RegisterEvent(ctx context.Context, tenant *miniov2.Tenant, eventType, reason, message string)

RegisterEvent creates an event for a given tenant

func (*Controller) Start 

func (c *Controller) Start(threadiness int, stopCh <-chan struct{}) error

Start will set up the event handlers for types we are interested in, as well as syncing informer caches and starting workers. It will block until stopCh is closed, at which point it will shutdown the workqueue and wait for workers to finish processing their current work items.

func (*Controller) Stop 

func (c *Controller) Stop()

Stop is called to shutdown the controller

func (*Controller) ValidateServiceAccountJWT 

func (c *Controller) ValidateServiceAccountJWT(ctx *context.Context, token string) (*authv1.TokenReview, error)

ValidateServiceAccountJWT Executes a call to TokenReview API to verify if the JWT Token received from the client is a valid Service Account JWT Token

type Credentials 

type Credentials struct {
	AccessKey    string                 `xml:"AccessKeyId" json:"accessKey,omitempty"`
	SecretKey    string                 `xml:"SecretAccessKey" json:"secretKey,omitempty"`
	Expiration   time.Time              `xml:"Expiration" json:"expiration,omitempty"`
	SessionToken string                 `xml:"SessionToken" json:"sessionToken,omitempty"`
	Status       string                 `xml:"-" json:"status,omitempty"`
	ParentUser   string                 `xml:"-" json:"parentUser,omitempty"`
	Groups       []string               `xml:"-" json:"groups,omitempty"`
	Claims       map[string]interface{} `xml:"-" json:"claims,omitempty"`
}

Credentials holds access and secret keys.

type EventNotification 

type EventNotification struct {
	// Err the error to handle if any, null when is just a message
	Err error
	// Type the event type to handle
	Type EventType
}

EventNotification - structure to send messages trough a channel regarding a error event to be handled

type EventType 

type EventType int

EventType is Event type to handle 

const (
	STSServerNotification EventType = iota
	LeaderElection
)

Possible values of EventType

type HealthMode 

type HealthMode string

HealthMode type of query we want to perform to MinIO cluster health 

const (
	// MaintenanceMode query type for when we want to ask MinIO if we can take down 1 server
	MaintenanceMode HealthMode = "MaintenanceMode"
	// RegularMode query type for when we want to ask MinIO the current state of healing/health
	RegularMode = "RegularMode"
)

type HealthResult 

type HealthResult struct {
	StatusCode        int
	HealingDrives     int
	WriteQuorumDrives int
}

HealthResult holds the results from cluster/health query into MinIO

type MinIOPrometheusMetrics 

type MinIOPrometheusMetrics struct {
	UsableCapacity int64
	Usage          int64
}

MinIOPrometheusMetrics holds metrics pulled from prometheus

type PDBAvailable 

type PDBAvailable struct {
	// contains filtered or unexported fields
}

PDBAvailable - v1 for v1.PDB and v1beta for v1beta.PDB,flag for support or not

func (*PDBAvailable) Available 

func (p *PDBAvailable) Available() bool

Available - show if it supports PDB

func (*PDBAvailable) V1Available 

func (p *PDBAvailable) V1Available() bool

V1Available - show if it supports PDB v1

func (*PDBAvailable) V1BetaAvailable 

func (p *PDBAvailable) V1BetaAvailable() bool

V1BetaAvailable - show if it supports PDB v1beta

type ReqInfo 

type ReqInfo struct {
	RemoteHost      string // Client Host/IP
	Host            string // Node Host/IP
	UserAgent       string // User Agent
	RequestID       string // x-amz-request-id
	API             string // API name
	AccessKey       string // Access Key
	TenantNamespace string // tenant namespace
	sync.RWMutex
}

ReqInfo stores the request info. Reading/writing directly to struct requires appropriate R/W lock.

type Result 

type Result struct {
	// Requeue tells the Controller to requeue the reconcile key.  Defaults to false.
	Requeue bool

	// RequeueAfter if greater than 0, tells the Controller to requeue the reconcile key after the Duration.
	// Implies that Requeue is true, there is no need to set Requeue to true at the same time as RequeueAfter.
	RequeueAfter time.Duration
}

Result contains the result of a sync invocation.

func WrapResult 

func WrapResult(result Result, err error) (Result, error)

WrapResult is wrap for result. We can find where return result.

type STSErrorCode 

type STSErrorCode int

STSErrorCode type of error status. 

const (
	ErrSTSNone STSErrorCode = iota
	ErrSTSAccessDenied
	ErrSTSInvalidIdentityToken
	ErrSTSMissingParameter
	ErrSTSInvalidParameterValue
	ErrSTSWebIdentityExpiredToken
	ErrSTSClientGrantsExpiredToken
	ErrSTSInvalidClientGrantsToken
	ErrSTSMalformedPolicyDocument
	ErrSTSInsecureConnection
	ErrSTSInvalidClientCertificate
	ErrSTSNotInitialized
	ErrSTSUpstreamError
	ErrSTSInternalError
	ErrSTSIDPCommunicationError
	ErrSTSPackedPolicyTooLarge
)

Error codes, non exhaustive list - http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html

type STSErrorResponse 

type STSErrorResponse struct {
	XMLName xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ ErrorResponse" json:"-"`
	Error   struct {
		Type    string `xml:"Type"`
		Code    string `xml:"Code"`
		Message string `xml:"Message"`
	} `xml:"Error"`
	RequestID string `xml:"RequestId"`
}

STSErrorResponse - error response format

type WebIdentityResult 

type WebIdentityResult struct {
	// The identifiers for the temporary security credentials that the operation
	// returns.
	AssumedRoleUser AssumedRoleUser `xml:",omitempty"`

	// The intended audience (also known as client ID) of the web identity token.
	// This is traditionally the client identifier issued to the application that
	// requested the client grants.
	Audience string `xml:",omitempty"`

	// The temporary security credentials, which include an access key ID, a secret
	// access key, and a security (or session) token.
	//
	// Note: The size of the security token that STS APIs return is not fixed. We
	// strongly recommend that you make no assumptions about the maximum size. As
	// of this writing, the typical size is less than 4096 bytes, but that can vary.
	// Also, future updates to AWS might require larger sizes.
	Credentials Credentials `xml:",omitempty"`

	// A percentage value that indicates the size of the policy in packed form.
	// The service rejects any policy with a packed size greater than 100 percent,
	// which means the policy exceeded the allowed space.
	PackedPolicySize int `xml:",omitempty"`

	// The issuing authority of the web identity token presented. For OpenID Connect
	// ID tokens, this contains the value of the iss field. For OAuth 2.0 id_tokens,
	// this contains the value of the ProviderId parameter that was passed in the
	// AssumeRoleWithWebIdentity request.
	Provider string `xml:",omitempty"`

	// The unique user identifier that is returned by the identity provider.
	// This identifier is associated with the Token that was submitted
	// with the AssumeRoleWithWebIdentity call. The identifier is typically unique to
	// the user and the application that acquired the WebIdentityToken (pairwise identifier).
	// For OpenID Connect ID tokens, this field contains the value returned by the identity
	// provider as the token's sub (Subject) claim.
	SubjectFromWebIdentityToken string `xml:",omitempty"`
}

WebIdentityResult - Contains the response to a successful AssumeRoleWithWebIdentity request, including temporary credentials that can be used to make MinIO API requests.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.