Remove credsSecret (#2217)

Remove credsSecret

Signed-off-by: pjuarezd <[email protected]>

docs/notes/v6.0.0.md

@@ -139,6 +139,12 @@ guide. If a node is failing, follow the [Node Failure Recovery guide](https://mi
 
 TODO
 
+### Field `spec.credsSecret` is removed
+
+Field .spec.credsSecret was removed in favor of .spec.configuration, this secret should hold all the environment variables for the MinIO deployment that contain sensitive information and should not be shown on .spec.env.
+
+The content of .spec.credsSecret was custom credentials (access key and secret key) to the Tenant, now those credentials are stored in .spec.configuration instead.
+
 ### Headless service port name is now renamed based on TLS settings
 
 If TLS is enabled, the Headless service port name is now `https-minio` instead of `http-minio`. Be sure to update your Ingress configuration or other resources that reference the port name.
@@ -215,3 +221,5 @@ spec:
 
 Headless service port was not renamed, it was kept as `http-minio`, starting Operator version 6.0.0 the 3 services behave
 the same way and rename the port with a `https-` prefix.
+
+

docs/operator-fields.md

@@ -18,7 +18,6 @@ MinIO Operator creates native Kubernetes resources within the cluster. If the Te
 | scheduler                        | Set custom scheduler for pods created by MinIO Operator.                                                                                                                                                                                                                                                                                                                                  |
 | spec                             | Defines the configuration of a MinIO Tenant object                                                                                                                                                                                                                                                                                                                                        |
 | spec.certConfig                  | When `spec.requestAutoCert` is enabled, use this field to pass additional parameters for certificate creation.                                                                                                                                                                                                                                                                            |
-| spec.credsSecret                 | Use this secret to assign custom credentials (access key and secret key) to the Tenant.                                                                                                                                                                                                                                                                                                   |
 | spec.env                         | Add MinIO specific environment variables to enable certain features.                                                                                                                                                                                                                                                                                                                      |
 | spec.externalCertSecret          | Set a list of external secrets with private key and certificate to be used to enable TLS on Tenant pods. Note that only `spec.requestAutoCert` or `spec.externalCertSecret` should be enabled at a time. Follow [the document here](https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret) to create the secret to be passed in this section.         |
 | spec.image                       | Set the container registry and image tag for MinIO server to be used in the Tenant.                                                                                                                                                                                                                                                                                                       |

helm/operator/templates/minio.min.io_tenants.yaml

@@ -882,13 +882,6 @@ spec:
                     type: string
                 type: object
                 x-kubernetes-map-type: atomic
-              credsSecret:
-                properties:
-                  name:
-                    default: ""
-                    type: string
-                type: object
-                x-kubernetes-map-type: atomic
               env:
                 items:
                   properties:

pkg/apis/minio.min.io/v2/helper.go

@@ -138,12 +138,6 @@ func genEllipsis(start, end int) string {
 	return "{" + strconv.Itoa(start) + "..." + strconv.Itoa(end) + "}"
 }
 
-// HasCredsSecret returns true if the user has provided a secret
-// for a Tenant else false
-func (t *Tenant) HasCredsSecret() bool {
-	return t.Spec.CredsSecret != nil && t.Spec.CredsSecret.Name != ""
-}
-
 // HasConfigurationSecret returns true if the user has provided a configuration
 // for a Tenant else false
 func (t *Tenant) HasConfigurationSecret() bool {
@@ -824,7 +818,7 @@ func (t *Tenant) Validate() error {
 		return errors.New("pools must be configured")
 	}
 
-	if !t.HasConfigurationSecret() && !t.HasCredsSecret() {
+	if !t.HasConfigurationSecret() {
 		return errors.New("please set 'configuration' secret with credentials for Tenant")
 	}
 

pkg/apis/minio.min.io/v2/types.go

@@ -124,17 +124,6 @@ type TenantSpec struct {
 	// Pod Management Policy for pod created by StatefulSet
 	// +optional
 	PodManagementPolicy appsv1.PodManagementPolicyType `json:"podManagementPolicy,omitempty"`
-	// *optional* +
-	//
-	// Specify a https://kubernetes.io/docs/concepts/configuration/secret/[Kubernetes opaque secret] to use for setting the MinIO root access key and secret key. Specify the secret as `name: <secret>`. The Kubernetes secret must contain the following fields: +
-	//
-	// * `data.accesskey` - The access key for the root credentials +
-	//
-	// * `data.secretkey` - The secret key for the root credentials +
-	//
-	//
-	// +optional
-	CredsSecret *corev1.LocalObjectReference `json:"credsSecret,omitempty"`
 	// *Optional* +
 	//
 	// If provided, the MinIO Operator adds the specified environment variables when deploying the Tenant resource.

pkg/controller/main-controller.go

@@ -812,7 +812,7 @@ func (c *Controller) syncHandler(key string) (Result, error) {
 	// Set any required default values and init Global variables
 	nsName := types.NamespacedName{Namespace: namespace, Name: tenantName}
 
-	// get combined configurations (tenant.env, tenant.credsSecret and tenant.Configuration) for tenant
+	// get combined configurations (tenant.env and tenant.Configuration) for tenant
 	tenantConfiguration, err := c.getTenantCredentials(ctx, tenant)
 	if err != nil {
 		if errors.Is(err, ErrEmptyRootCredentials) {

pkg/controller/tenants.go

@@ -45,7 +45,7 @@ func (c *Controller) getTenantConfiguration(ctx context.Context, tenant *miniov2
 	return tenantConfiguration, nil
 }
 
-// getTenantCredentials returns a combination of env, credsSecret and Configuration tenant credentials
+// getTenantCredentials returns a combination of env and Configuration tenant credentials
 func (c *Controller) getTenantCredentials(ctx context.Context, tenant *miniov2.Tenant) (map[string][]byte, error) {
 	// Configuration for tenant can be passed using 2 different sources, tenant.spec.env and config.env secret
 	// If the user provides duplicated configuration the override order will be:

pkg/controller/upgrades.go

@@ -21,7 +21,6 @@ import (
 	"fmt"
 
 	"github.com/minio/operator/pkg/controller/legacy"
-	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 
 	"github.com/blang/semver/v4"
@@ -62,7 +61,6 @@ func (c *Controller) checkForUpgrades(ctx context.Context, tenant *miniov2.Tenan
 		version424: c.upgrade424,
 		version429: c.upgrade429,
 		version430: c.upgrade430,
-		version45:  c.upgrade45,
 		version500: c.upgrade500,
 		version600: c.upgrade600,
 	}
@@ -265,67 +263,7 @@ func (c *Controller) upgrade430(ctx context.Context, tenant *miniov2.Tenant) (*m
 	return c.updateTenantSyncVersion(ctx, tenant, version430)
 }
 
-// Upgrades the sync version to v4.5
-// in this version we finally deprecated tenant.spec.credsSecret field.
-func (c *Controller) upgrade45(ctx context.Context, tenant *miniov2.Tenant) (*miniov2.Tenant, error) {
-	if tenant.HasConfigurationSecret() {
-		return c.updateTenantSyncVersion(ctx, tenant, version45)
-	}
-	if !tenant.HasCredsSecret() {
-		return tenant, fmt.Errorf("'%s/%s' error migrating tenant credsSecret, credsSecret does not exist", tenant.Namespace, tenant.Name)
-	}
-	// Create new configuration secret based on the existing credsSecret
-	credsSecret, err := c.kubeClientSet.CoreV1().Secrets(tenant.Namespace).Get(ctx, tenant.Spec.CredsSecret.Name, metav1.GetOptions{})
-	if err != nil && !k8serrors.IsNotFound(err) {
-		return tenant, err
-	}
-	var accessKey string
-	var secretKey string
-	if _, ok := credsSecret.Data["accesskey"]; ok {
-		accessKey = string(credsSecret.Data["accesskey"])
-	}
-	if _, ok := credsSecret.Data["secretkey"]; ok {
-		secretKey = string(credsSecret.Data["secretkey"])
-	}
-	if accessKey == "" || secretKey == "" {
-		return tenant, fmt.Errorf("accessKey/secretKey are empty - '%s/%s' error in migrating tenant credsSecret to newer configuration", tenant.Namespace, tenant.Name)
-	}
-	tenantConfiguration := map[string]string{}
-	tenantConfiguration["MINIO_ROOT_USER"] = accessKey
-	tenantConfiguration["MINIO_ROOT_PASSWORD"] = secretKey
-	configurationSecret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      tenant.ConfigurationSecretName(),
-			Namespace: tenant.Namespace,
-		},
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Secret",
-			APIVersion: corev1.SchemeGroupVersion.Version,
-		},
-		Data: map[string][]byte{
-			"config.env": []byte(miniov2.GenerateTenantConfigurationFile(tenantConfiguration)),
-		},
-	}
-	_, err = c.kubeClientSet.CoreV1().Secrets(tenant.Namespace).Create(ctx, configurationSecret, metav1.CreateOptions{})
-	if err != nil {
-		return tenant, err
-	}
-	// Update tenant fields
-	tenantCopy := tenant.DeepCopy()
-	tenantCopy.EnsureDefaults()
-	tenantCopy.Spec.Configuration = &corev1.LocalObjectReference{
-		Name: tenantCopy.ConfigurationSecretName(),
-	}
-	tenantCopy.Spec.CredsSecret = nil
-	_, err = c.minioClientSet.MinioV2().Tenants(tenant.Namespace).Update(ctx, tenantCopy, metav1.UpdateOptions{})
-	if err != nil {
-		return tenant, fmt.Errorf("error updating tenant '%s/%s', could not update tenant.spec.configuration field: %v", tenant.Namespace, tenant.Name, err)
-	}
-	return c.updateTenantSyncVersion(ctx, tenant, version45)
-}
-
 // Upgrades the sync version to v5.0.0
-// in this version we finally deprecated tenant.spec.credsSecret field.
 func (c *Controller) upgrade500(ctx context.Context, tenant *miniov2.Tenant) (*miniov2.Tenant, error) {
 	// log search deployment
 	logSearchDeployment, err := c.deploymentLister.Deployments(tenant.Namespace).Get(legacy.LogSearchAPIDeploymentName(tenant))

resources/base/crds/minio.min.io_tenants.yaml

@@ -882,13 +882,6 @@ spec:
                     type: string
                 type: object
                 x-kubernetes-map-type: atomic
-              credsSecret:
-                properties:
-                  name:
-                    default: ""
-                    type: string
-                type: object
-                x-kubernetes-map-type: atomic
               env:
                 items:
                   properties:

testing/tenant-hotfix-update.sh

@@ -103,6 +103,17 @@ function install_tenant_with_image() {
 	fi
 	kustomize build "${SCRIPT_DIR}/../examples/kustomization/tenant-lite" > tenant-lite.yaml
 	yq -i e "select(.kind == \"Tenant\").spec.image = \"${minio_image}\"" tenant-lite.yaml
+
+	echo "#################"
+    echo "tenant-lite.yaml:"
+	echo "#################"
+	echo " "
+	echo " "
+	echo " "
+    cat tenant-lite.yaml
+	echo " "
+	echo " "
+	echo " "
 
 	try kubectl apply -f tenant-lite.yaml
 }