From e9679fdc96779354161e0860e46c42414a3e817f Mon Sep 17 00:00:00 2001
From: pjuarezd
Date: Fri, 15 Jul 2022 16:39:58 -0700
Subject: [PATCH 1/2] Add option to disable TLS on minio

---
 kubectl-minio/cmd/resources/tenant.go | 23 +++++++++++++++--------
 kubectl-minio/cmd/tenant-create.go    |  1 +
 2 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/kubectl-minio/cmd/resources/tenant.go b/kubectl-minio/cmd/resources/tenant.go
index 24bd303b4df..56ce0b2c0cf 100644
--- a/kubectl-minio/cmd/resources/tenant.go
+++ b/kubectl-minio/cmd/resources/tenant.go
@@ -39,7 +39,7 @@ type TenantOptions struct {
 	StorageClass        string
 	KmsSecret           string
 	ConsoleSecret       string
-	DisableTLS          bool
+	EnableTLS           bool
 	ImagePullSecret     string
 	DisableAntiAffinity bool
 	EnableAuditLogs     bool
@@ -109,7 +109,6 @@ func storageClass(sc string) *string {
 
 // NewTenant will return a new Tenant for a MinIO Operator
 func NewTenant(opts *TenantOptions, userSecret *v1.Secret) (*miniov2.Tenant, error) {
-	autoCert := true
 	volumesPerServer := helpers.VolumesPerServer(opts.Volumes, opts.Servers)
 	capacityPerVolume, err := helpers.CapacityPerVolume(opts.Capacity, opts.Volumes)
 	if err != nil {
@@ -134,12 +133,6 @@ func NewTenant(opts *TenantOptions, userSecret *v1.Secret) (*miniov2.Tenant, err
 				Name: opts.Name + "-creds-secret",
 			},
 			Pools: []miniov2.Pool{Pool(opts, volumesPerServer, *capacityPerVolume)},
-			RequestAutoCert: &autoCert,
-			CertConfig: &miniov2.CertificateConfig{
-				CommonName:       "",
-				OrganizationName: []string{},
-				DNSNames:         []string{},
-			},
 			Mountpath:       helpers.MinIOMountPath,
 			KES:             tenantKESConfig(opts.Name, opts.KmsSecret),
 			ImagePullSecret: v1.LocalObjectReference{Name: opts.ImagePullSecret},
@@ -150,6 +143,12 @@ func NewTenant(opts *TenantOptions, userSecret *v1.Secret) (*miniov2.Tenant, err
 			},
 		},
 	}
+
+	t.Spec.RequestAutoCert = &opts.EnableTLS
+	if opts.EnableTLS {
+		t.Spec.CertConfig = getAutoCertConfig(opts)
+	}
+
 	if opts.EnableAuditLogs {
 		t.Spec.Log = getAuditLogConfig(opts)
 	}
@@ -162,6 +161,14 @@ func NewTenant(opts *TenantOptions, userSecret *v1.Secret) (*miniov2.Tenant, err
 	return t, t.Validate()
 }
 
+func getAutoCertConfig(opts *TenantOptions) *miniov2.CertificateConfig {
+	return &miniov2.CertificateConfig{
+		CommonName:       "",
+		OrganizationName: []string{},
+		DNSNames:         []string{},
+	}
+}
+
 func getAuditLogConfig(opts *TenantOptions) *miniov2.LogConfig {
 	diskSpace := int64(opts.AuditLogsDiskSpace) * humanize.GiByte
 	var logSearchStorageClass *string
diff --git a/kubectl-minio/cmd/tenant-create.go b/kubectl-minio/cmd/tenant-create.go
index 6337ddb05bf..6eb9c96a0e2 100644
--- a/kubectl-minio/cmd/tenant-create.go
+++ b/kubectl-minio/cmd/tenant-create.go
@@ -82,6 +82,7 @@ func newTenantCreateCmd(out io.Writer, errOut io.Writer) *cobra.Command {
 	f.BoolVar(&c.tenantOpts.DisableAntiAffinity, "enable-host-sharing", false, "[TESTING-ONLY] disable anti-affinity to allow pods to be co-located on a single node (unsupported in production environment)")
 	f.StringVar(&c.tenantOpts.KmsSecret, "kes-config", "", "name of secret for KES KMS setup, refer https://github.com/minio/operator/blob/master/examples/kes-secret.yaml")
 	f.BoolVar(&c.tenantOpts.EnableAuditLogs, "enable-audit-logs", true, "Enable/Disable audit logs")
+	f.BoolVar(&c.tenantOpts.EnableTLS, "enable-tls", true, "Enable/Disable TLS")
 	f.Int32Var(&c.tenantOpts.AuditLogsDiskSpace, "audit-logs-disk-space", 5, "(Only used when enable-audit-logs is on) Disk space for audit logs")
 	f.StringVar(&c.tenantOpts.AuditLogsImage, "audit-logs-image", "", "(Only used when enable-audit-logs is on) The Docker image to use for audit logs")
 	f.StringVar(&c.tenantOpts.AuditLogsPGImage, "audit-logs-pg-image", "", "(Only used when enable-audit-logs is on) The PostgreSQL Docker image to use for audit logs")

From fb5a313cb58f986b39617e035c2676c14ef0a084 Mon Sep 17 00:00:00 2001
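Review bot: `getAutoCertConfig` declares `opts *TenantOptions` but never reads it, so the parameter is dead and linters such as `unparam` will flag it; either drop it, `func getAutoCertConfig() *miniov2.CertificateConfig {`, with the call in `NewTenant` adjusted to match, or use it to fill `CommonName`/`DNSNames` so the parameter earns its place. The helper also lacks a doc comment; `// getAutoCertConfig returns the CertificateConfig set when the tenant requests automatic certificates; every field is intentionally left empty.` records the intent behind the empty values. Note that `NewTenant`, whose tail appears at the top of this hunk, starts outside it.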
From: pjuarezd
Date: Mon, 18 Jul 2022 17:38:55 -0700
Subject: [PATCH 2/2] change flag to disable-tls

we disable tls if and only the flag is present, regardless of what value the user assigns
---
 kubectl-minio/cmd/resources/tenant.go | 7 ++++---
 kubectl-minio/cmd/tenant-create.go    | 6 +++++-
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/kubectl-minio/cmd/resources/tenant.go b/kubectl-minio/cmd/resources/tenant.go
index 56ce0b2c0cf..442a6b9b669 100644
--- a/kubectl-minio/cmd/resources/tenant.go
+++ b/kubectl-minio/cmd/resources/tenant.go
@@ -39,7 +39,7 @@ type TenantOptions struct {
 	StorageClass        string
 	KmsSecret           string
 	ConsoleSecret       string
-	EnableTLS           bool
+	DisableTLS          bool
 	ImagePullSecret     string
 	DisableAntiAffinity bool
 	EnableAuditLogs     bool
@@ -109,6 +109,7 @@ func storageClass(sc string) *string {
 
 // NewTenant will return a new Tenant for a MinIO Operator
 func NewTenant(opts *TenantOptions, userSecret *v1.Secret) (*miniov2.Tenant, error) {
+	autoCert := !opts.DisableTLS
 	volumesPerServer := helpers.VolumesPerServer(opts.Volumes, opts.Servers)
 	capacityPerVolume, err := helpers.CapacityPerVolume(opts.Capacity, opts.Volumes)
 	if err != nil {
@@ -133,6 +134,7 @@ func NewTenant(opts *TenantOptions, userSecret *v1.Secret) (*miniov2.Tenant, err
 				Name: opts.Name + "-creds-secret",
 			},
 			Pools: []miniov2.Pool{Pool(opts, volumesPerServer, *capacityPerVolume)},
+			RequestAutoCert: &autoCert,
 			Mountpath:       helpers.MinIOMountPath,
 			KES:             tenantKESConfig(opts.Name, opts.KmsSecret),
 			ImagePullSecret: v1.LocalObjectReference{Name: opts.ImagePullSecret},
@@ -144,8 +146,7 @@ func NewTenant(opts *TenantOptions, userSecret *v1.Secret) (*miniov2.Tenant, err
 		},
 	}
 
-	t.Spec.RequestAutoCert = &opts.EnableTLS
-	if opts.EnableTLS {
+	if autoCert {
 		t.Spec.CertConfig = getAutoCertConfig(opts)
 	}
 
diff --git a/kubectl-minio/cmd/tenant-create.go b/kubectl-minio/cmd/tenant-create.go
index 6eb9c96a0e2..86b5cca0d0e 100644
--- a/kubectl-minio/cmd/tenant-create.go
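Review bot: `RequestAutoCert: &autoCert` can now be false while `KES: tenantKESConfig(opts.Name, opts.KmsSecret)` two lines below is still populated from `--kes-config`, and nothing in this hunk rejects the combination; `NewTenant` begins and its closing `t.Validate()` call lie outside the hunk, so I cannot see whether validation catches it. KES integration in the operator requires, as far as I recall, that the tenant run with TLS, so `--disable-tls` together with `--kes-config` would likely surface as a deployment failure rather than a CLI error; worth confirming. If so, an early guard near the top of `NewTenant`, e.g. `if opts.DisableTLS && opts.KmsSecret != "" { return nil, errors.New("kes-config requires TLS; remove disable-tls") }` (using whatever error package tenant.go already imports), gives the user the reason immediately.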
+++ b/kubectl-minio/cmd/tenant-create.go
@@ -59,6 +59,10 @@ func newTenantCreateCmd(out io.Writer, errOut io.Writer) *cobra.Command {
 		Long:    createDesc,
 		Example: createExample,
 		Args: func(cmd *cobra.Command, args []string) error {
+			// The disable-tls parameter default value is false, we cannot rely on the default value binded to the tenantOpts.DisableTLS variable
+			// to identify if the parameter --disable-tls was actually set on the command line.
+			// regardless of which value is being set to the flag, if the flag and ONLY if the flag is present, then we disable TLS
+			c.tenantOpts.DisableTLS = cmd.Flags().Lookup("disable-tls").Changed
 			return c.validate(args)
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
@@ -82,7 +86,7 @@ func newTenantCreateCmd(out io.Writer, errOut io.Writer) *cobra.Command {
 	f.BoolVar(&c.tenantOpts.DisableAntiAffinity, "enable-host-sharing", false, "[TESTING-ONLY] disable anti-affinity to allow pods to be co-located on a single node (unsupported in production environment)")
 	f.StringVar(&c.tenantOpts.KmsSecret, "kes-config", "", "name of secret for KES KMS setup, refer https://github.com/minio/operator/blob/master/examples/kes-secret.yaml")
 	f.BoolVar(&c.tenantOpts.EnableAuditLogs, "enable-audit-logs", true, "Enable/Disable audit logs")
-	f.BoolVar(&c.tenantOpts.EnableTLS, "enable-tls", true, "Enable/Disable TLS")
+	f.BoolVar(&c.tenantOpts.DisableTLS, "disable-tls", false, "Disable TLS")
 	f.Int32Var(&c.tenantOpts.AuditLogsDiskSpace, "audit-logs-disk-space", 5, "(Only used when enable-audit-logs is on) Disk space for audit logs")
 	f.StringVar(&c.tenantOpts.AuditLogsImage, "audit-logs-image", "", "(Only used when enable-audit-logs is on) The Docker image to use for audit logs")
 	f.StringVar(&c.tenantOpts.AuditLogsPGImage, "audit-logs-pg-image", "", "(Only used when enable-audit-logs is on) The PostgreSQL Docker image to use for audit logs")
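Review bot: `c.tenantOpts.DisableTLS = cmd.Flags().Lookup("disable-tls").Changed` ties TLS to the flag's presence rather than its value, so `--disable-tls=false`, the natural way to insist on TLS in a script, silently yields a tenant without TLS, which is the fail-open direction for a security setting. The `f.BoolVar(&c.tenantOpts.DisableTLS, "disable-tls", false, ...)` binding in the next hunk already leaves the field false unless the flag is given and true for a bare `--disable-tls`, so the override is not needed for the stated goal; I would drop the four added lines, or, if presence-only semantics are really wanted, state them in the usage string and reject an explicit `=false` rather than honouring it backwards. `Lookup` returns nil for an unregistered name, so the chained `.Changed` panics if the string here and at the registration ever drift; a shared constant or a nil check avoids that. Assigning options inside `Args` is also unusual; cobra's `PreRunE` is the conventional place for per-invocation setup. In the comment, `binded` should read `bound`.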
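Review bot: The usage string `"Disable TLS"` on the new flag says nothing about the consequence, while `enable-host-sharing` two lines above shows the file's precedent of warning about unsafe options in the usage text. With `RequestAutoCert` false the operator is no longer asked to issue certificates, so unless the user supplies certificates by other means the tenant presumably serves plaintext, credentials included; the flag text should make that explicit so it is not chosen casually. Suggested: `f.BoolVar(&c.tenantOpts.DisableTLS, "disable-tls", false, "Disable TLS: no certificates are requested for the tenant, so traffic is unencrypted unless you provide your own certificates (not recommended outside testing)")`.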