add webhook server implementation for tenants (#251)

Current implementation provides a mechanism where the tenant loads an ENV such as its command line args remotely, this is to facilitate faster zone addition times.
minio · Aug 12, 2020 · 2f86f4c · 2f86f4c
1 parent e10e1a5
commit 2f86f4c
Show file tree

Hide file tree

Showing 15 changed files with 311 additions and 65 deletions.
diff --git a/examples/tenant-console.yaml b/examples/tenant-console.yaml
@@ -37,7 +37,7 @@ spec:
       prometheus.io/port: "9000"
       prometheus.io/scrape: "true"
   ## Registry location and Tag to download MinIO Server image
-  image: minio/minio:RELEASE.2020-08-05T21-34-13Z
+  image: minio/minio:RELEASE.2020-08-08T04-50-06Z
   ## Secret with credentials to be used by MinIO instance.
   credsSecret:
     name: minio-creds-secret

diff --git a/examples/tenant-kes.yaml b/examples/tenant-kes.yaml
@@ -37,7 +37,7 @@ spec:
       prometheus.io/port: "9000"
       prometheus.io/scrape: "true"
   ## Registry location and Tag to download MinIO Server image
-  image: minio/minio:RELEASE.2020-08-05T21-34-13Z
+  image: minio/minio:RELEASE.2020-08-08T04-50-06Z
   ## Secret with credentials to be used by MinIO instance.
   credsSecret:
     name: minio-creds-secret

diff --git a/examples/tenant-pod-security-policy.yaml b/examples/tenant-pod-security-policy.yaml
@@ -78,7 +78,7 @@ spec:
       prometheus.io/port: "9000"
       prometheus.io/scrape: "true"
   ## Registry location and Tag to download MinIO Server image
-  image: minio/minio:RELEASE.2020-08-05T21-34-13Z
+  image: minio/minio:RELEASE.2020-08-08T04-50-06Z
   ## Service account to be used for all the MinIO Pods
   serviceAccountName: minio-pods
   zones:

diff --git a/go.mod b/go.mod
@@ -4,9 +4,11 @@ go 1.13
 
 require (
 	github.com/StackExchange/wmi v0.0.0-20190523213315-cbe66965904d // indirect
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/go-ole/go-ole v1.2.4 // indirect
 	github.com/golang/protobuf v1.4.2 // indirect
 	github.com/google/go-cmp v0.4.1 // indirect
+	github.com/gorilla/mux v1.7.5-0.20200711200521-98cb6bf42e08
 	github.com/hashicorp/golang-lru v0.5.4 // indirect
 	github.com/imdario/mergo v0.3.10 // indirect
 	github.com/minio/minio v0.0.0-20200723003940-b9be841fd222

diff --git a/go.sum b/go.sum
@@ -159,6 +159,7 @@ github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEo
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorilla/handlers v1.4.2/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ=
+github.com/gorilla/mux v1.7.5-0.20200711200521-98cb6bf42e08 h1:kPna6oIGlRXWmg/jkKfxbpvsl+0DHYnw1qQwN+6+gyA=
 github.com/gorilla/mux v1.7.5-0.20200711200521-98cb6bf42e08/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
 github.com/gorilla/rpc v1.2.0/go.mod h1:V4h9r+4sF5HnzqbwIez0fKSpANP0zlYd3qR7p36jkTQ=
 github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=

diff --git a/kustomization.yaml b/kustomization.yaml
@@ -5,7 +5,7 @@ kind: Kustomization
 images:
   - name: minio/k8s-operator
     newName: minio/k8s-operator
-    newTag: v3.0.10
+    newTag: v3.0.11
 
 namespace: minio-operator
 
@@ -15,4 +15,5 @@ resources:
   - operator-kustomize/cluster-role.yaml
   - operator-kustomize/cluster-role-binding.yaml
   - operator-kustomize/crds/minio.min.io_tenants.yaml
+  - operator-kustomize/service.yaml
   - operator-kustomize/deployment.yaml
diff --git a/operator-kustomize/service.yaml b/operator-kustomize/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: operator
+  labels:
+    name: minio-operator
+  namespace: minio-operator
+spec:
+  type: ClusterIP
+  ports:
+    - port: 4222
+      name: http
+    - port: 4233
+      name: https
+  selector:
+    name: minio-operator
diff --git a/pkg/apis/minio.min.io/v1/constants.go b/pkg/apis/minio.min.io/v1/constants.go
@@ -74,7 +74,7 @@ const MinIOVolumeMountPath = "/export"
 const MinIOVolumeSubPath = ""
 
 // DefaultMinIOImage specifies the default MinIO Docker hub image
-const DefaultMinIOImage = "minio/minio:RELEASE.2020-08-05T21-34-13Z"
+const DefaultMinIOImage = "minio/minio:RELEASE.2020-08-08T04-50-06Z"
 
 // DefaultMinIOUpdateURL specifies the default MinIO URL where binaries are
 // pulled from during MinIO upgrades

diff --git a/pkg/apis/minio.min.io/v1/helper.go b/pkg/apis/minio.min.io/v1/helper.go
@@ -44,6 +44,21 @@ import (
 	"github.com/minio/minio/pkg/madmin"
 )
 
+// Webhook API constants
+const (
+	WebhookAPIVersion       = "/webhook/v1"
+	WebhookDefaultPort      = "4222"
+	WebhookOperatorSecret   = "operator-webhook-secret"
+	WebhookOperatorUsername = "webhookUsername"
+	WebhookOperatorPassword = "webhookPassword"
+)
+
+// List of webhook APIs
+const (
+	WebhookAPIGetenv        = WebhookAPIVersion + "/getenv"
+	WebhookAPIBucketService = WebhookAPIVersion + "/bucketsrv"
+)
+
 type hostsTemplateValues struct {
 	StatefulSet string
 	CIService   string

diff --git a/pkg/controller/cluster/console-csr.go b/pkg/controller/cluster/console-csr.go
@@ -86,7 +86,7 @@ func (c *Controller) createConsoleTLSCSR(ctx context.Context, mi *miniov1.Tenant
 	encodedPrivKey := pem.EncodeToMemory(&pem.Block{Type: privateKeyType, Bytes: privKeysBytes})
 
 	// Create secret for Console Deployment to use
-	err = c.createSecret(ctx, mi, mi.ConsolePodLabels(), mi.ConsoleTLSSecretName(), mi.Namespace, encodedPrivKey, certbytes)
+	err = c.createSecret(ctx, mi, mi.ConsolePodLabels(), mi.ConsoleTLSSecretName(), encodedPrivKey, certbytes)
 	if err != nil {
 		klog.Errorf("Unexpected error during the creation of the secret/%s: %v", mi.ConsoleTLSSecretName(), err)
 		return err

diff --git a/pkg/controller/cluster/csr.go b/pkg/controller/cluster/csr.go
@@ -139,7 +139,7 @@ func (c *Controller) createCSR(ctx context.Context, mi *miniov1.Tenant) error {
 	encodedPrivKey := pem.EncodeToMemory(&pem.Block{Type: privateKeyType, Bytes: privKeysBytes})
 
 	// Create secret for MinIO Statefulset to use
-	err = c.createSecret(ctx, mi, mi.MinIOPodLabels(), mi.MinIOTLSSecretName(), mi.Namespace, encodedPrivKey, certbytes)
+	err = c.createSecret(ctx, mi, mi.MinIOPodLabels(), mi.MinIOTLSSecretName(), encodedPrivKey, certbytes)
 	if err != nil {
 		klog.Errorf("Unexpected error during the creation of the secret/%s: %v", mi.MinIOTLSSecretName(), err)
 		return err
@@ -251,12 +251,12 @@ func (c *Controller) fetchCertificate(ctx context.Context, csrName string) ([]by
 	}
 }
 
-func (c *Controller) createSecret(ctx context.Context, mi *miniov1.Tenant, labels map[string]string, name, namespace string, pkBytes, certBytes []byte) error {
+func (c *Controller) createSecret(ctx context.Context, mi *miniov1.Tenant, labels map[string]string, secretName string, pkBytes, certBytes []byte) error {
 	secret := &corev1.Secret{
 		Type: "Opaque",
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      name,
-			Namespace: namespace,
+			Name:      secretName,
+			Namespace: mi.Namespace,
 			Labels:    labels,
 			OwnerReferences: []metav1.OwnerReference{
 				*metav1.NewControllerRef(mi, schema.GroupVersionKind{
@@ -271,10 +271,8 @@ func (c *Controller) createSecret(ctx context.Context, mi *miniov1.Tenant, label
 			"public.crt":  certBytes,
 		},
 	}
-	if _, err := c.kubeClientSet.CoreV1().Secrets(mi.Namespace).Create(ctx, secret, metav1.CreateOptions{}); err != nil {
-		return err
-	}
-	return nil
+	_, err := c.kubeClientSet.CoreV1().Secrets(mi.Namespace).Create(ctx, secret, metav1.CreateOptions{})
+	return err
 }
 
 func parseCertificate(r io.Reader) (*x509.Certificate, error) {

diff --git a/pkg/controller/cluster/kes-csr.go b/pkg/controller/cluster/kes-csr.go
@@ -89,7 +89,7 @@ func (c *Controller) createKESTLSCSR(ctx context.Context, mi *miniov1.Tenant) er
 	encodedPrivKey := pem.EncodeToMemory(&pem.Block{Type: privateKeyType, Bytes: privKeysBytes})
 
 	// Create secret for KES Statefulset to use
-	err = c.createSecret(ctx, mi, mi.KESPodLabels(), mi.KESTLSSecretName(), mi.Namespace, encodedPrivKey, certbytes)
+	err = c.createSecret(ctx, mi, mi.KESPodLabels(), mi.KESTLSSecretName(), encodedPrivKey, certbytes)
 	if err != nil {
 		klog.Errorf("Unexpected error during the creation of the secret/%s: %v", mi.KESTLSSecretName(), err)
 		return err
@@ -142,7 +142,7 @@ func (c *Controller) createMinIOClientTLSCSR(ctx context.Context, mi *miniov1.Te
 	encodedPrivKey := pem.EncodeToMemory(&pem.Block{Type: privateKeyType, Bytes: privKeysBytes})
 
 	// Create secret for KES Statefulset to use
-	err = c.createSecret(ctx, mi, mi.MinIOPodLabels(), mi.MinIOClientTLSSecretName(), mi.Namespace, encodedPrivKey, certbytes)
+	err = c.createSecret(ctx, mi, mi.MinIOPodLabels(), mi.MinIOClientTLSSecretName(), encodedPrivKey, certbytes)
 	if err != nil {
 		klog.Errorf("Unexpected error during the creation of the secret/%s: %v", mi.MinIOClientTLSSecretName(), err)
 		return err