console license page improvements and fixes (#647)

- fixed issue when deploying tenant with tls disabled - applied new design for tenant details and license screens - added license refresh job to operator console - added new refresh license endpoint - console operator not longer store CONSOLE_ACCESS_KEY and CONSOLE_SECRET_KEY values in the tenant-console-secret Co-authored-by: Daniel Valdivia <hola@danielvaldivia.com>
2021-03-22 11:08:31 -07:00
parent 2a704d3d59
commit 7ce36bac42
29 changed files with 1382 additions and 135 deletions
--- a/restapi/admin_subscription.go
+++ b/restapi/admin_subscription.go
@@ -19,6 +19,7 @@ package restapi

 import (
 	"context"
+	"errors"
 	"fmt"
 	"log"
 	"time"
@@ -63,6 +64,40 @@ func registerSubscriptionHandlers(api *operations.ConsoleAPI) {
 		}
 		return admin_api.NewSubscriptionInfoOK().WithPayload(license)
 	})
+	// Refresh license for k8s cluster
+	api.AdminAPISubscriptionRefreshHandler = admin_api.SubscriptionRefreshHandlerFunc(func(params admin_api.SubscriptionRefreshParams, session *models.Principal) middleware.Responder {
+		license, err := getSubscriptionRefreshResponse(session)
+		if err != nil {
+			return admin_api.NewSubscriptionRefreshDefault(int(err.Code)).WithPayload(err)
+		}
+		return admin_api.NewSubscriptionRefreshOK().WithPayload(license)
+	})
+}
+
+// retrieveLicense returns license from K8S secrets (If console is deployed in operator mode) or from
+// the configured CONSOLE_SUBNET_LICENSE environment variable
+func retrieveLicense(ctx context.Context, sessionToken string) (string, error) {
+	var license string
+	// If Console is running in operator mode retrieve License stored in K8s secrets
+	if acl.GetOperatorMode() {
+		// configure kubernetes client
+		clientSet, err := cluster.K8sClient(sessionToken)
+		if err != nil {
+			return "", err
+		}
+		k8sClient := k8sClient{
+			client: clientSet,
+		}
+		// Get cluster subscription license
+		license, err = getSubscriptionLicense(ctx, &k8sClient, cluster.Namespace, OperatorSubnetLicenseSecretName)
+		if err != nil {
+			return "", err
+		}
+	} else {
+		// If Console is running in Tenant Admin mode retrieve license from env variable
+		license = GetSubnetLicense()
+	}
+	return license, nil
 }

 // addSubscriptionLicenseToTenant replace existing console tenant secret and adds the subnet license key
@@ -175,6 +210,47 @@ func saveSubscriptionLicense(ctx context.Context, clientSet K8sClientI, license
 	return nil
 }

+// updateTenantLicenseAndRestartConsole
+func updateTenantLicenseAndRestartConsole(ctx context.Context, clientSet K8sClientI, license, namespace, tenantName string) error {
+	consoleSelector := fmt.Sprintf("%s-console", tenantName)
+	consoleSecretName := fmt.Sprintf("%s-secret", consoleSelector)
+	// read current console configuration from k8s secrets
+	currentConsoleSecret, err := clientSet.getSecret(ctx, namespace, consoleSecretName, metav1.GetOptions{})
+	if err != nil || currentConsoleSecret == nil {
+		return err
+	}
+	secretData := currentConsoleSecret.Data
+	secretData[ConsoleSubnetLicense] = []byte(license)
+	// delete existing console configuration from k8s secrets
+	err = clientSet.deleteSecret(ctx, namespace, consoleSecretName, metav1.DeleteOptions{})
+	if err != nil {
+		// log the error if any and continue
+		log.Println(err)
+	}
+	// Save subnet license in k8s secrets
+	imm := true
+	consoleConfigSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: consoleSecretName,
+		},
+		Immutable: &imm,
+		Data:      secretData,
+	}
+	_, err = clientSet.createSecret(ctx, namespace, consoleConfigSecret, metav1.CreateOptions{})
+	if err != nil {
+		return err
+	}
+	// restart Console pods based on label:
+	//  v1.min.io/console: TENANT-console
+	err = clientSet.deletePodCollection(ctx, namespace, metav1.DeleteOptions{}, metav1.ListOptions{
+		LabelSelector: fmt.Sprintf("%s=%s%s", miniov2.ConsoleTenantLabel, tenantName, miniov2.ConsoleName),
+	})
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 // subscriptionValidate will validate the provided jwt license against the subnet public key
 func subscriptionValidate(client cluster.HTTPClientI, license, email, password string) (*models.License, string, error) {
 	licenseInfo, rawLicense, err := subnet.ValidateLicense(client, license, email, password)
@@ -237,37 +313,123 @@ func getSubscriptionLicense(ctx context.Context, clientSet K8sClientI, namespace

 // getSubscriptionInfoResponse returns information about the current configured subnet license for Console
 func getSubscriptionInfoResponse(session *models.Principal) (*models.License, *models.Error) {
-	// 20 seconds timeout
-	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
-	defer cancel()
 	var licenseInfo *models.License
-	var license string
 	client := &cluster.HTTPClient{
 		Client: GetConsoleSTSClient(),
 	}
-	// If Console is running in operator mode retrieve License stored in K8s secrets
-	if acl.GetOperatorMode() {
-		// configure kubernetes client
-		clientSet, err := cluster.K8sClient(session.STSSessionToken)
-		if err != nil {
-			return nil, prepareError(errInvalidLicense, nil, err)
-		}
-		k8sClient := k8sClient{
-			client: clientSet,
-		}
-		// Get cluster subscription license
-		license, err = getSubscriptionLicense(ctx, &k8sClient, cluster.Namespace, OperatorSubnetLicenseSecretName)
-		if err != nil {
-			return nil, prepareError(errLicenseNotFound, nil, err)
-		}
-	} else {
-		// If Console is running in Tenant Admin mode retrieve license from env variable
-		license = GetSubnetLicense()
+	licenseKey, err := retrieveLicense(context.Background(), session.STSSessionToken)
+	if err != nil {
+		return nil, prepareError(errLicenseNotFound, nil, err)
 	}
 	// validate license key and obtain license info
-	licenseInfo, _, err := subscriptionValidate(client, license, "", "")
+	licenseInfo, _, err = subscriptionValidate(client, licenseKey, "", "")
 	if err != nil {
 		return nil, prepareError(errLicenseNotFound, nil, err)
 	}
 	return licenseInfo, nil
 }
+
+func subscriptionRefresh(httpClient *cluster.HTTPClient, license string) (*models.License, string, error) {
+	licenseInfo, rawLicense, err := subnet.RefreshLicense(httpClient, license)
+	if err != nil {
+		return nil, "", err
+	}
+	return &models.License{
+		Email:           licenseInfo.Email,
+		AccountID:       licenseInfo.AccountID,
+		StorageCapacity: licenseInfo.StorageCapacity,
+		Plan:            licenseInfo.Plan,
+		ExpiresAt:       licenseInfo.ExpiresAt.String(),
+		Organization:    licenseInfo.Organization,
+	}, rawLicense, nil
+}
+
+func getSubscriptionRefreshResponse(session *models.Principal) (*models.License, *models.Error) {
+	// 20 seconds timeout
+	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
+	defer cancel()
+	client := &cluster.HTTPClient{
+		Client: GetConsoleSTSClient(),
+	}
+	licenseKey, err := retrieveLicense(context.Background(), session.STSSessionToken)
+	if err != nil {
+		return nil, prepareError(errLicenseNotFound, nil, err)
+	}
+	newLicenseInfo, licenseRaw, err := subscriptionRefresh(client, licenseKey)
+	if err != nil {
+		return nil, prepareError(errLicenseNotFound, nil, err)
+	}
+	// configure kubernetes client
+	clientSet, err := cluster.K8sClient(session.STSSessionToken)
+	if err != nil {
+		return nil, prepareError(errLicenseNotFound, nil, err)
+	}
+	k8sClient := k8sClient{
+		client: clientSet,
+	}
+	// save license key to k8s and restart all console pods
+	if err = saveSubscriptionLicense(ctx, &k8sClient, licenseRaw); err != nil {
+		return nil, prepareError(errorGeneric, nil, err)
+	}
+	// update license for all existing tenants
+	opClientClientSet, err := cluster.OperatorClient(session.STSSessionToken)
+	if err != nil {
+		return nil, prepareError(err)
+	}
+	opClient := &operatorClient{
+		client: opClientClientSet,
+	}
+	tenants, err := listTenants(ctx, opClient, "", nil)
+	if err != nil {
+		return nil, prepareError(err)
+	}
+	// iterate over all tenants, update console configuration and restart console pods
+	for _, tenant := range tenants.Tenants {
+		if err := updateTenantLicenseAndRestartConsole(ctx, &k8sClient, licenseRaw, tenant.Namespace, tenant.Name); err != nil {
+			log.Println(err)
+		}
+	}
+
+	return newLicenseInfo, nil
+}
+
+// RefreshLicense will check current subnet license and try to renew it
+func RefreshLicense() error {
+	// Get current license
+	saK8SToken := getK8sSAToken()
+	licenseKey, err := retrieveLicense(context.Background(), saK8SToken)
+	if licenseKey == "" {
+		return errors.New("no license present")
+	}
+	if err != nil {
+		return err
+	}
+	client := &cluster.HTTPClient{
+		Client: GetConsoleSTSClient(),
+	}
+	// Attempt to refresh license
+	_, refreshedLicenseKey, err := subscriptionRefresh(client, licenseKey)
+	if err != nil {
+		return err
+	}
+	// store new license in memory for console ui
+	LicenseKey = refreshedLicenseKey
+	// Update in memory license and update k8s secret
+	if refreshedLicenseKey != "" {
+		if acl.GetOperatorMode() {
+			ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
+			defer cancel()
+			clientSet, err := cluster.K8sClient(saK8SToken)
+			if err != nil {
+				return err
+			}
+			k8sClient := k8sClient{
+				client: clientSet,
+			}
+			if err = saveSubscriptionLicense(ctx, &k8sClient, refreshedLicenseKey); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
--- a/restapi/admin_tenants.go
+++ b/restapi/admin_tenants.go
@@ -739,8 +739,8 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
 		}
 	}
 	// optionals are set below
-	var consoleAccess string
-	var consoleSecret string
+	var tenantUserAccessKey string
+	var tenantUserSecretKey string

 	enableConsole := true
 	if tenantReq.EnableConsole != nil && *tenantReq.EnableConsole {
@@ -748,16 +748,24 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
 	}

 	if enableConsole {
+		// provision initial user for tenant
+		tenantUserAccessKey = RandomCharString(16)
+		tenantUserSecretKey = RandomCharString(32)
+		consoleUserSecretName := fmt.Sprintf("%s-user-secret", tenantName)
+		consoleUserSecretData := map[string][]byte{
+			"CONSOLE_ACCESS_KEY": []byte(tenantUserAccessKey),
+			"CONSOLE_SECRET_KEY": []byte(tenantUserSecretKey),
+		}
+		_, err := createOrReplaceSecrets(ctx, &k8sClient, ns, []tenantSecret{{Name: consoleUserSecretName, Content: consoleUserSecretData}}, tenantName)
+		if err != nil {
+			return nil, prepareError(errorGeneric, nil, err)
+		}
+		minInst.Spec.Users = []*corev1.LocalObjectReference{{Name: consoleUserSecretName}}
 		consoleSelector := fmt.Sprintf("%s-console", tenantName)
 		consoleSecretName := fmt.Sprintf("%s-secret", consoleSelector)
-		consoleAccess = RandomCharString(16)
-		consoleSecret = RandomCharString(32)
-
 		consoleSecretData := map[string][]byte{
 			"CONSOLE_PBKDF_PASSPHRASE": []byte(RandomCharString(16)),
 			"CONSOLE_PBKDF_SALT":       []byte(RandomCharString(8)),
-			"CONSOLE_ACCESS_KEY":       []byte(consoleAccess),
-			"CONSOLE_SECRET_KEY":       []byte(consoleSecret),
 		}
 		// If Subnet License is present in k8s secrets, copy that to the CONSOLE_SUBNET_LICENSE env variable
 		// of the console tenant
@@ -928,8 +936,8 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
 	// Attach Console Credentials
 	if enableConsole {
 		response.Console = &models.CreateTenantResponseConsole{
-			AccessKey: consoleAccess,
-			SecretKey: consoleSecret,
+			AccessKey: tenantUserAccessKey,
+			SecretKey: tenantUserSecretKey,
 		}
 	}
 	return response, nil
--- a/restapi/config.go
+++ b/restapi/config.go
@@ -47,6 +47,9 @@ var (

 	// SessionDuration cookie validity duration
 	SessionDuration = 45 * time.Minute
+
+	// LicenseKey in memory license key used by console ui
+	LicenseKey = ""
 )

 var (
@@ -257,7 +260,13 @@ func getPrometheusURL() string {

 // GetSubnetLicense returns the current subnet jwt license
 func GetSubnetLicense() string {
-	return env.Get(ConsoleSubnetLicense, "")
+	// if we have a license key in memory return that
+	if LicenseKey != "" {
+		return LicenseKey
+	}
+	// return license configured via environment variable
+	LicenseKey = env.Get(ConsoleSubnetLicense, "")
+	return LicenseKey
 }

 func initVars() {
--- a/restapi/embedded_spec.go
+++ b/restapi/embedded_spec.go
@@ -2876,12 +2876,35 @@ func init() {
        }
      }
    },
+    "/subscription/refresh": {
+      "post": {
+        "tags": [
+          "AdminAPI"
+        ],
+        "summary": "Refresh existing subscription license",
+        "operationId": "SubscriptionRefresh",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/license"
+            }
+          },
+          "default": {
+            "description": "Generic error response.",
+            "schema": {
+              "$ref": "#/definitions/error"
+            }
+          }
+        }
+      }
+    },
    "/subscription/validate": {
      "post": {
        "tags": [
          "AdminAPI"
        ],
-        "summary": "Validate a provided subscription license",
+        "summary": "Validates subscription license",
        "operationId": "SubscriptionValidate",
        "parameters": [
          {
@@ -8570,12 +8593,35 @@ func init() {
        }
      }
    },
+    "/subscription/refresh": {
+      "post": {
+        "tags": [
+          "AdminAPI"
+        ],
+        "summary": "Refresh existing subscription license",
+        "operationId": "SubscriptionRefresh",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/license"
+            }
+          },
+          "default": {
+            "description": "Generic error response.",
+            "schema": {
+              "$ref": "#/definitions/error"
+            }
+          }
+        }
+      }
+    },
    "/subscription/validate": {
      "post": {
        "tags": [
          "AdminAPI"
        ],
-        "summary": "Validate a provided subscription license",
+        "summary": "Validates subscription license",
        "operationId": "SubscriptionValidate",
        "parameters": [
          {
--- a/restapi/operations/admin_api/subscription_refresh.go
+++ b/restapi/operations/admin_api/subscription_refresh.go
@@ -0,0 +1,90 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2021 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package admin_api
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/runtime/middleware"
+
+	"github.com/minio/console/models"
+)
+
+// SubscriptionRefreshHandlerFunc turns a function with the right signature into a subscription refresh handler
+type SubscriptionRefreshHandlerFunc func(SubscriptionRefreshParams, *models.Principal) middleware.Responder
+
+// Handle executing the request and returning a response
+func (fn SubscriptionRefreshHandlerFunc) Handle(params SubscriptionRefreshParams, principal *models.Principal) middleware.Responder {
+	return fn(params, principal)
+}
+
+// SubscriptionRefreshHandler interface for that can handle valid subscription refresh params
+type SubscriptionRefreshHandler interface {
+	Handle(SubscriptionRefreshParams, *models.Principal) middleware.Responder
+}
+
+// NewSubscriptionRefresh creates a new http.Handler for the subscription refresh operation
+func NewSubscriptionRefresh(ctx *middleware.Context, handler SubscriptionRefreshHandler) *SubscriptionRefresh {
+	return &SubscriptionRefresh{Context: ctx, Handler: handler}
+}
+
+/*SubscriptionRefresh swagger:route POST /subscription/refresh AdminAPI subscriptionRefresh
+
+Refresh existing subscription license
+
+*/
+type SubscriptionRefresh struct {
+	Context *middleware.Context
+	Handler SubscriptionRefreshHandler
+}
+
+func (o *SubscriptionRefresh) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
+	route, rCtx, _ := o.Context.RouteInfo(r)
+	if rCtx != nil {
+		r = rCtx
+	}
+	var Params = NewSubscriptionRefreshParams()
+
+	uprinc, aCtx, err := o.Context.Authorize(r, route)
+	if err != nil {
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+	if aCtx != nil {
+		r = aCtx
+	}
+	var principal *models.Principal
+	if uprinc != nil {
+		principal = uprinc.(*models.Principal) // this is really a models.Principal, I promise
+	}
+
+	if err := o.Context.BindValidRequest(r, route, &Params); err != nil { // bind params
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+
+	res := o.Handler.Handle(Params, principal) // actually handle the request
+
+	o.Context.Respond(rw, r, route.Produces, route, res)
+
+}
--- a/restapi/operations/admin_api/subscription_refresh_parameters.go
+++ b/restapi/operations/admin_api/subscription_refresh_parameters.go
@@ -0,0 +1,62 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2021 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package admin_api
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime/middleware"
+)
+
+// NewSubscriptionRefreshParams creates a new SubscriptionRefreshParams object
+// no default values defined in spec.
+func NewSubscriptionRefreshParams() SubscriptionRefreshParams {
+
+	return SubscriptionRefreshParams{}
+}
+
+// SubscriptionRefreshParams contains all the bound params for the subscription refresh operation
+// typically these are obtained from a http.Request
+//
+// swagger:parameters SubscriptionRefresh
+type SubscriptionRefreshParams struct {
+
+	// HTTP Request Object
+	HTTPRequest *http.Request `json:"-"`
+}
+
+// BindRequest both binds and validates a request, it assumes that complex things implement a Validatable(strfmt.Registry) error interface
+// for simple values it will use straight method calls.
+//
+// To ensure default values, the struct must have been initialized with NewSubscriptionRefreshParams() beforehand.
+func (o *SubscriptionRefreshParams) BindRequest(r *http.Request, route *middleware.MatchedRoute) error {
+	var res []error
+
+	o.HTTPRequest = r
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/restapi/operations/admin_api/subscription_refresh_responses.go
+++ b/restapi/operations/admin_api/subscription_refresh_responses.go
@@ -0,0 +1,133 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2021 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package admin_api
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/runtime"
+
+	"github.com/minio/console/models"
+)
+
+// SubscriptionRefreshOKCode is the HTTP code returned for type SubscriptionRefreshOK
+const SubscriptionRefreshOKCode int = 200
+
+/*SubscriptionRefreshOK A successful response.
+
+swagger:response subscriptionRefreshOK
+*/
+type SubscriptionRefreshOK struct {
+
+	/*
+	  In: Body
+	*/
+	Payload *models.License `json:"body,omitempty"`
+}
+
+// NewSubscriptionRefreshOK creates SubscriptionRefreshOK with default headers values
+func NewSubscriptionRefreshOK() *SubscriptionRefreshOK {
+
+	return &SubscriptionRefreshOK{}
+}
+
+// WithPayload adds the payload to the subscription refresh o k response
+func (o *SubscriptionRefreshOK) WithPayload(payload *models.License) *SubscriptionRefreshOK {
+	o.Payload = payload
+	return o
+}
+
+// SetPayload sets the payload to the subscription refresh o k response
+func (o *SubscriptionRefreshOK) SetPayload(payload *models.License) {
+	o.Payload = payload
+}
+
+// WriteResponse to the client
+func (o *SubscriptionRefreshOK) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.WriteHeader(200)
+	if o.Payload != nil {
+		payload := o.Payload
+		if err := producer.Produce(rw, payload); err != nil {
+			panic(err) // let the recovery middleware deal with this
+		}
+	}
+}
+
+/*SubscriptionRefreshDefault Generic error response.
+
+swagger:response subscriptionRefreshDefault
+*/
+type SubscriptionRefreshDefault struct {
+	_statusCode int
+
+	/*
+	  In: Body
+	*/
+	Payload *models.Error `json:"body,omitempty"`
+}
+
+// NewSubscriptionRefreshDefault creates SubscriptionRefreshDefault with default headers values
+func NewSubscriptionRefreshDefault(code int) *SubscriptionRefreshDefault {
+	if code <= 0 {
+		code = 500
+	}
+
+	return &SubscriptionRefreshDefault{
+		_statusCode: code,
+	}
+}
+
+// WithStatusCode adds the status to the subscription refresh default response
+func (o *SubscriptionRefreshDefault) WithStatusCode(code int) *SubscriptionRefreshDefault {
+	o._statusCode = code
+	return o
+}
+
+// SetStatusCode sets the status to the subscription refresh default response
+func (o *SubscriptionRefreshDefault) SetStatusCode(code int) {
+	o._statusCode = code
+}
+
+// WithPayload adds the payload to the subscription refresh default response
+func (o *SubscriptionRefreshDefault) WithPayload(payload *models.Error) *SubscriptionRefreshDefault {
+	o.Payload = payload
+	return o
+}
+
+// SetPayload sets the payload to the subscription refresh default response
+func (o *SubscriptionRefreshDefault) SetPayload(payload *models.Error) {
+	o.Payload = payload
+}
+
+// WriteResponse to the client
+func (o *SubscriptionRefreshDefault) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.WriteHeader(o._statusCode)
+	if o.Payload != nil {
+		payload := o.Payload
+		if err := producer.Produce(rw, payload); err != nil {
+			panic(err) // let the recovery middleware deal with this
+		}
+	}
+}
--- a/restapi/operations/admin_api/subscription_refresh_urlbuilder.go
+++ b/restapi/operations/admin_api/subscription_refresh_urlbuilder.go
@@ -0,0 +1,104 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2021 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package admin_api
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"errors"
+	"net/url"
+	golangswaggerpaths "path"
+)
+
+// SubscriptionRefreshURL generates an URL for the subscription refresh operation
+type SubscriptionRefreshURL struct {
+	_basePath string
+}
+
+// WithBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *SubscriptionRefreshURL) WithBasePath(bp string) *SubscriptionRefreshURL {
+	o.SetBasePath(bp)
+	return o
+}
+
+// SetBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *SubscriptionRefreshURL) SetBasePath(bp string) {
+	o._basePath = bp
+}
+
+// Build a url path and query string
+func (o *SubscriptionRefreshURL) Build() (*url.URL, error) {
+	var _result url.URL
+
+	var _path = "/subscription/refresh"
+
+	_basePath := o._basePath
+	if _basePath == "" {
+		_basePath = "/api/v1"
+	}
+	_result.Path = golangswaggerpaths.Join(_basePath, _path)
+
+	return &_result, nil
+}
+
+// Must is a helper function to panic when the url builder returns an error
+func (o *SubscriptionRefreshURL) Must(u *url.URL, err error) *url.URL {
+	if err != nil {
+		panic(err)
+	}
+	if u == nil {
+		panic("url can't be nil")
+	}
+	return u
+}
+
+// String returns the string representation of the path with query string
+func (o *SubscriptionRefreshURL) String() string {
+	return o.Must(o.Build()).String()
+}
+
+// BuildFull builds a full url with scheme, host, path and query string
+func (o *SubscriptionRefreshURL) BuildFull(scheme, host string) (*url.URL, error) {
+	if scheme == "" {
+		return nil, errors.New("scheme is required for a full url on SubscriptionRefreshURL")
+	}
+	if host == "" {
+		return nil, errors.New("host is required for a full url on SubscriptionRefreshURL")
+	}
+
+	base, err := o.Build()
+	if err != nil {
+		return nil, err
+	}
+
+	base.Scheme = scheme
+	base.Host = host
+	return base, nil
+}
+
+// StringFull returns the string representation of a complete url
+func (o *SubscriptionRefreshURL) StringFull(scheme, host string) string {
+	return o.Must(o.BuildFull(scheme, host)).String()
+}
--- a/restapi/operations/admin_api/subscription_validate.go
+++ b/restapi/operations/admin_api/subscription_validate.go
@@ -50,7 +50,7 @@ func NewSubscriptionValidate(ctx *middleware.Context, handler SubscriptionValida

 /*SubscriptionValidate swagger:route POST /subscription/validate AdminAPI subscriptionValidate

-Validate a provided subscription license
+Validates subscription license

 */
 type SubscriptionValidate struct {
--- a/restapi/operations/console_api.go
+++ b/restapi/operations/console_api.go
@@ -307,6 +307,9 @@ func NewConsoleAPI(spec *loads.Document) *ConsoleAPI {
 		AdminAPISubscriptionInfoHandler: admin_api.SubscriptionInfoHandlerFunc(func(params admin_api.SubscriptionInfoParams, principal *models.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation admin_api.SubscriptionInfo has not yet been implemented")
 		}),
+		AdminAPISubscriptionRefreshHandler: admin_api.SubscriptionRefreshHandlerFunc(func(params admin_api.SubscriptionRefreshParams, principal *models.Principal) middleware.Responder {
+			return middleware.NotImplemented("operation admin_api.SubscriptionRefresh has not yet been implemented")
+		}),
 		AdminAPISubscriptionValidateHandler: admin_api.SubscriptionValidateHandlerFunc(func(params admin_api.SubscriptionValidateParams, principal *models.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation admin_api.SubscriptionValidate has not yet been implemented")
 		}),
@@ -551,6 +554,8 @@ type ConsoleAPI struct {
 	AdminAPISubscriptionActivateHandler admin_api.SubscriptionActivateHandler
 	// AdminAPISubscriptionInfoHandler sets the operation handler for the subscription info operation
 	AdminAPISubscriptionInfoHandler admin_api.SubscriptionInfoHandler
+	// AdminAPISubscriptionRefreshHandler sets the operation handler for the subscription refresh operation
+	AdminAPISubscriptionRefreshHandler admin_api.SubscriptionRefreshHandler
 	// AdminAPISubscriptionValidateHandler sets the operation handler for the subscription validate operation
 	AdminAPISubscriptionValidateHandler admin_api.SubscriptionValidateHandler
 	// AdminAPITenantAddPoolHandler sets the operation handler for the tenant add pool operation
@@ -890,6 +895,9 @@ func (o *ConsoleAPI) Validate() error {
 	if o.AdminAPISubscriptionInfoHandler == nil {
 		unregistered = append(unregistered, "admin_api.SubscriptionInfoHandler")
 	}
+	if o.AdminAPISubscriptionRefreshHandler == nil {
+		unregistered = append(unregistered, "admin_api.SubscriptionRefreshHandler")
+	}
 	if o.AdminAPISubscriptionValidateHandler == nil {
 		unregistered = append(unregistered, "admin_api.SubscriptionValidateHandler")
 	}
@@ -1349,6 +1357,10 @@ func (o *ConsoleAPI) initHandlerCache() {
 	if o.handlers["POST"] == nil {
 		o.handlers["POST"] = make(map[string]http.Handler)
 	}
+	o.handlers["POST"]["/subscription/refresh"] = admin_api.NewSubscriptionRefresh(o.context, o.AdminAPISubscriptionRefreshHandler)
+	if o.handlers["POST"] == nil {
+		o.handlers["POST"] = make(map[string]http.Handler)
+	}
 	o.handlers["POST"]["/subscription/validate"] = admin_api.NewSubscriptionValidate(o.context, o.AdminAPISubscriptionValidateHandler)
 	if o.handlers["POST"] == nil {
 		o.handlers["POST"] = make(map[string]http.Handler)