Add support for admin ServerUpdate to update containers simultaneously

.gitignore

@@ -1,4 +1,5 @@
 minio-operator
 !minio-operator/
 .idea/
-dist/
+dist/
+*.test

.golangci.yml

@@ -6,7 +6,6 @@ linters-settings:
     locale: US
 
 linters:
-  disable-all: true
   enable:
     - typecheck
     - goimports
@@ -29,6 +28,6 @@ issues:
       linters:
         - golint
         - deadcode
-    
+
 service:
-  golangci-lint-version: 1.20.0 # use the fixed version to not introduce new linters unexpectedly
+  golangci-lint-version: 1.27.0 # use the fixed version to not introduce new linters unexpectedly

go.mod

@@ -3,13 +3,11 @@ module github.com/minio/minio-operator
 go 1.13
 
 require (
-	github.com/evanphx/json-patch v4.5.0+incompatible // indirect
-	github.com/golang/protobuf v1.3.3 // indirect
-	github.com/imdario/mergo v0.3.6 // indirect
-	github.com/minio/minio v0.0.0-20200501124117-09571d03a531
+	github.com/StackExchange/wmi v0.0.0-20190523213315-cbe66965904d // indirect
+	github.com/go-ole/go-ole v1.2.4 // indirect
+	github.com/minio/minio v0.0.0-20200723003940-b9be841fd222
 	github.com/minio/minio-go/v7 v7.0.1
 	github.com/stretchr/testify v1.4.0
-	golang.org/x/net v0.0.0-20200505041828-1ed23360d12c // indirect
 	k8s.io/api v0.18.0
 	k8s.io/apimachinery v0.18.0
 	k8s.io/client-go v0.18.0

pkg/apis/minio.min.io/v1/constants.go

@@ -19,6 +19,7 @@ package v1
 
 import (
 	"crypto/elliptic"
+	"runtime"
 	"time"
 
 	appsv1 "k8s.io/api/apps/v1"
@@ -72,11 +73,9 @@ const MinIOVolumeSubPath = ""
 // DefaultMinIOImage specifies the default MinIO Docker hub image
 const DefaultMinIOImage = "minio/minio:RELEASE.2020-07-22T00-26-33Z"
 
-// DefaultMinIOAccessKey specifies default access key for Tenant
-const DefaultMinIOAccessKey = "AKIAIOSFODNN7EXAMPLE"
-
-// DefaultMinIOSecretKey specifies default secret key for Tenant
-const DefaultMinIOSecretKey = "wJalrXUtnFEMIK7MDENGbPxRfiCYEXAMPLEKEY"
+// DefaultMinIOUpdateURL specifies the default MinIO URL where binaries are
+// pulled from during MinIO upgrades
+const DefaultMinIOUpdateURL = "https://dl.min.io/server/minio/release/" + runtime.GOOS + "-" + runtime.GOARCH + "/archive/"
 
 // MinIOHLSvcNameSuffix specifies the suffix added to Tenant name to create a headless service
 const MinIOHLSvcNameSuffix = "-hl"

pkg/apis/minio.min.io/v1/helper.go

@@ -25,8 +25,10 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"net/url"
 	"path"
 	"strconv"
+	"strings"
 	"text/template"
 	"time"
 
@@ -35,6 +37,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/klog"
 
+	"github.com/minio/minio-go/v7/pkg/credentials"
 	"github.com/minio/minio/pkg/bucket/policy"
 	"github.com/minio/minio/pkg/bucket/policy/condition"
 	iampolicy "github.com/minio/minio/pkg/iam/policy"
@@ -116,6 +119,24 @@ func (t *Tenant) KESReplicas() int32 {
 	return replicas
 }
 
+const (
+	minioReleaseTagTimeLayout = "2006-01-02T15-04-05Z"
+	releasePrefix             = "RELEASE"
+)
+
+// ReleaseTagToReleaseTime - converts a 'RELEASE.2017-09-29T19-16-56Z.hotfix'
+// into the build time
+func ReleaseTagToReleaseTime(releaseTag string) (releaseTime time.Time, err error) {
+	fields := strings.Split(releaseTag, ".")
+	if len(fields) < 2 || len(fields) > 3 {
+		return releaseTime, fmt.Errorf("%s is not a valid release tag", releaseTag)
+	}
+	if fields[0] != releasePrefix {
+		return releaseTime, fmt.Errorf("%s is not a valid release tag", releaseTag)
+	}
+	return time.Parse(minioReleaseTagTimeLayout, fields[1])
+}
+
 // EnsureDefaults will ensure that if a user omits and fields in the
 // spec that are required, we set some sensible defaults.
 // For example a user can choose to omit the version
@@ -320,51 +341,71 @@ func (t *Tenant) HasKESMetadata() bool {
 	return t.Spec.KES != nil && t.Spec.KES.Metadata != nil
 }
 
-// CreateMCSUser function creates an admin user
-func (t *Tenant) CreateMCSUser(minioSecret, mcsSecret map[string][]byte) error {
-
-	var accessKey, secretKey, mcsAccessKey, mcsSecretKey []byte
-	var ok bool
+// UpdateURL returns the URL for the sha256sum location of the new binary
+func (t *Tenant) UpdateURL(lrTime time.Time, overrideURL string) (string, error) {
+	if overrideURL == "" {
+		overrideURL = DefaultMinIOUpdateURL
+	}
+	u, err := url.Parse(overrideURL)
+	if err != nil {
+		return "", err
+	}
+	u.Path = path.Dir(u.Path) + "/minio." + releasePrefix + "." + lrTime.Format(minioReleaseTagTimeLayout) + ".sha256sum"
+	return u.String(), nil
+}
 
+// NewMinIOAdmin initializes a new madmin.Client for operator interaction
+func (t *Tenant) NewMinIOAdmin(minioSecret map[string][]byte) (*madmin.AdminClient, error) {
 	host := net.JoinHostPort(t.MinIOCIServiceHost(), strconv.Itoa(MinIOPort))
 	if host == "" {
-		return errors.New("Console MINIO SERVER is empty")
-	}
-
-	accessKey, ok = minioSecret["accesskey"]
-	if !ok {
-		return errors.New("accesskey not provided")
+		return nil, errors.New("MinIO server host is empty")
 	}
 
-	secretKey, ok = minioSecret["secretkey"]
+	accessKey, ok := minioSecret["accesskey"]
 	if !ok {
-		return errors.New("secretkey not provided")
+		return nil, errors.New("MinIO server accesskey not set")
 	}
 
-	mcsAccessKey, ok = mcsSecret["MCS_ACCESS_KEY"]
+	secretKey, ok := minioSecret["secretkey"]
 	if !ok {
-		return errors.New("MCS_ACCESS_KEY not provided")
+		return nil, errors.New("MinIO server secretkey not set")
 	}
 
-	mcsSecretKey, ok = mcsSecret["MCS_SECRET_KEY"]
-	if !ok {
-		return errors.New("MCS_SECRET_KEY not provided")
+	opts := &madmin.Options{
+		Secure: Scheme == "https",
+		Creds:  credentials.NewStaticV4(string(accessKey), string(secretKey), ""),
 	}
 
-	madmClnt, err := madmin.New(host, string(accessKey), string(secretKey), Scheme == "https")
+	madmClnt, err := madmin.NewWithOptions(host, opts)
 	if err != nil {
-		return err
+		return nil, err
 	}
 
-	if Scheme == "https" {
+	if opts.Secure {
+		// FIXME: add trusted CA
 		madmClnt = setUpInsecureTLS(madmClnt)
 	}
 
+	return madmClnt, nil
+}
+
+// CreateMCSUser function creates an admin user
+func (t *Tenant) CreateMCSUser(madmClnt *madmin.AdminClient, mcsSecret map[string][]byte) error {
+	mcsAccessKey, ok := mcsSecret["MCS_ACCESS_KEY"]
+	if !ok {
+		return errors.New("MCS_ACCESS_KEY not provided")
+	}
+
+	mcsSecretKey, ok := mcsSecret["MCS_SECRET_KEY"]
+	if !ok {
+		return errors.New("MCS_SECRET_KEY not provided")
+	}
+
 	// add user with a 20 seconds timeout
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*20)
 	defer cancel()
 
-	if err = madmClnt.AddUser(ctx, string(mcsAccessKey), string(mcsSecretKey)); err != nil {
+	if err := madmClnt.AddUser(ctx, string(mcsAccessKey), string(mcsSecretKey)); err != nil {
 		return err
 	}
 
@@ -389,15 +430,11 @@ func (t *Tenant) CreateMCSUser(minioSecret, mcsSecret map[string][]byte) error {
 		},
 	}
 
-	if err = madmClnt.AddCannedPolicy(context.Background(), MCSAdminPolicyName, &p); err != nil {
+	if err := madmClnt.AddCannedPolicy(context.Background(), MCSAdminPolicyName, &p); err != nil {
 		return err
 	}
 
-	if err = madmClnt.SetPolicy(context.Background(), MCSAdminPolicyName, string(mcsAccessKey), false); err != nil {
-		return err
-	}
-
-	return nil
+	return madmClnt.SetPolicy(context.Background(), MCSAdminPolicyName, string(mcsAccessKey), false)
 }
 
 // Validate returns an error if any configuration of the MinIO instance is invalid

pkg/controller/cluster/csr.go

@@ -216,7 +216,7 @@ func (c *Controller) fetchCertificate(ctx context.Context, csrName string) ([]by
 	timeout := time.NewTimer(miniov1.DefaultQueryTimeout)
 	defer tick.Stop()
 
-	ch := make(chan os.Signal)
+	ch := make(chan os.Signal, 1) // should be always un-buffered SA1017
 	signal.Notify(ch, syscall.SIGINT, syscall.SIGTERM)
 	defer signal.Stop(ch)