Adding key creation in tenant wizard. (#697)
Signed-off-by: Adam Stafford <adam@minio.io> Co-authored-by: Adam Stafford <adamstafford@MacBook-Pro-van-Adam-2.local>
This commit is contained in:
adfost
GitHub
@@ -540,8 +540,8 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
|
||||
}
|
||||
|
||||
ns := *tenantReq.Namespace
|
||||
|
||||
// if access/secret are provided, use them, else create a random pair
|
||||
|
||||
accessKey := RandomCharString(16)
|
||||
secretKey := RandomCharString(32)
|
||||
|
||||
@@ -555,24 +555,48 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
|
||||
tenantName := *tenantReq.Name
|
||||
secretName := fmt.Sprintf("%s-secret", tenantName)
|
||||
imm := true
|
||||
|
||||
instanceSecret := corev1.Secret{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: secretName,
|
||||
Labels: map[string]string{
|
||||
miniov2.TenantLabel: tenantName,
|
||||
var instanceSecret corev1.Secret
|
||||
var users []*corev1.LocalObjectReference
|
||||
if !(len(tenantReq.Idp.Keys) > 0) {
|
||||
instanceSecret = corev1.Secret{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: secretName,
|
||||
Labels: map[string]string{
|
||||
miniov2.TenantLabel: tenantName,
|
||||
},
|
||||
},
|
||||
},
|
||||
Immutable: &imm,
|
||||
Data: map[string][]byte{
|
||||
"accesskey": []byte(accessKey),
|
||||
"secretkey": []byte(secretKey),
|
||||
},
|
||||
}
|
||||
|
||||
_, err = clientSet.CoreV1().Secrets(ns).Create(ctx, &instanceSecret, metav1.CreateOptions{})
|
||||
if err != nil {
|
||||
return nil, prepareError(err)
|
||||
Immutable: &imm,
|
||||
Data: map[string][]byte{
|
||||
"accesskey": []byte(accessKey),
|
||||
"secretkey": []byte(secretKey),
|
||||
},
|
||||
}
|
||||
_, err = clientSet.CoreV1().Secrets(ns).Create(ctx, &instanceSecret, metav1.CreateOptions{})
|
||||
if err != nil {
|
||||
return nil, prepareError(err)
|
||||
}
|
||||
} else {
|
||||
users = append(users, &corev1.LocalObjectReference{Name: secretName})
|
||||
for i := 0; i < len(tenantReq.Idp.Keys); i++ {
|
||||
users = append(users, &corev1.LocalObjectReference{Name: fmt.Sprintf("%s%d", secretName, i)})
|
||||
instanceSecret = corev1.Secret{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: fmt.Sprintf("%s%d", secretName, i),
|
||||
Labels: map[string]string{
|
||||
miniov2.TenantLabel: tenantName,
|
||||
},
|
||||
},
|
||||
Immutable: &imm,
|
||||
Data: map[string][]byte{
|
||||
"CONSOLE_ACCESS_KEY": []byte(*tenantReq.Idp.Keys[i].AccessKey),
|
||||
"CONSOLE_SECRET_KEY": []byte(*tenantReq.Idp.Keys[i].SecretKey),
|
||||
},
|
||||
}
|
||||
_, err := clientSet.CoreV1().Secrets(ns).Create(ctx, &instanceSecret, metav1.CreateOptions{})
|
||||
if err != nil {
|
||||
return nil, prepareError(err)
|
||||
}
|
||||
}
|
||||
}
|
||||
// delete secrets created if an error occurred during tenant creation,
|
||||
defer func() {
|
||||
@@ -616,6 +640,9 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
|
||||
},
|
||||
}
|
||||
idpEnabled := false
|
||||
if len(tenantReq.Idp.Keys) > 0 {
|
||||
minInst.Spec.Users = users
|
||||
}
|
||||
// Enable IDP (Active Directory) for MinIO
|
||||
if tenantReq.Idp != nil && tenantReq.Idp.ActiveDirectory != nil {
|
||||
url := *tenantReq.Idp.ActiveDirectory.URL
|
||||
@@ -749,18 +776,36 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
|
||||
|
||||
if enableConsole {
|
||||
// provision initial user for tenant
|
||||
tenantUserAccessKey = RandomCharString(16)
|
||||
tenantUserSecretKey = RandomCharString(32)
|
||||
consoleUserSecretName := fmt.Sprintf("%s-user-secret", tenantName)
|
||||
consoleUserSecretData := map[string][]byte{
|
||||
"CONSOLE_ACCESS_KEY": []byte(tenantUserAccessKey),
|
||||
"CONSOLE_SECRET_KEY": []byte(tenantUserSecretKey),
|
||||
if !(len(tenantReq.Idp.Keys) > 0) {
|
||||
tenantUserAccessKey = RandomCharString(16)
|
||||
tenantUserSecretKey = RandomCharString(32)
|
||||
consoleUserSecretName := fmt.Sprintf("%s-user-secret", tenantName)
|
||||
consoleUserSecretData := map[string][]byte{
|
||||
"CONSOLE_ACCESS_KEY": []byte(tenantUserAccessKey),
|
||||
"CONSOLE_SECRET_KEY": []byte(tenantUserSecretKey),
|
||||
}
|
||||
_, err := createOrReplaceSecrets(ctx, &k8sClient, ns, []tenantSecret{{Name: consoleUserSecretName, Content: consoleUserSecretData}}, tenantName)
|
||||
if err != nil {
|
||||
return nil, prepareError(errorGeneric, nil, err)
|
||||
}
|
||||
minInst.Spec.Users = []*corev1.LocalObjectReference{{Name: consoleUserSecretName}}
|
||||
} else {
|
||||
tenantUserAccessKey = *tenantReq.Idp.Keys[0].AccessKey
|
||||
tenantUserSecretKey = *tenantReq.Idp.Keys[0].SecretKey
|
||||
for i := 0; i < len(tenantReq.Idp.Keys); i++ {
|
||||
userSecretName := fmt.Sprintf("%s-%d-user-secret", tenantName, i)
|
||||
userSecretData := map[string][]byte{
|
||||
"CONSOLE_ACCESS_KEY": []byte(*tenantReq.Idp.Keys[i].AccessKey),
|
||||
"CONSOLE_SECRET_KEY": []byte(*tenantReq.Idp.Keys[i].SecretKey),
|
||||
}
|
||||
_, err := createOrReplaceSecrets(ctx, &k8sClient, ns, []tenantSecret{{Name: userSecretName, Content: userSecretData}}, tenantName)
|
||||
if err != nil {
|
||||
return nil, prepareError(errorGeneric, nil, err)
|
||||
}
|
||||
minInst.Spec.Users = append(minInst.Spec.Users, &corev1.LocalObjectReference{Name: userSecretName})
|
||||
}
|
||||
|
||||
}
|
||||
_, err := createOrReplaceSecrets(ctx, &k8sClient, ns, []tenantSecret{{Name: consoleUserSecretName, Content: consoleUserSecretData}}, tenantName)
|
||||
if err != nil {
|
||||
return nil, prepareError(errorGeneric, nil, err)
|
||||
}
|
||||
minInst.Spec.Users = []*corev1.LocalObjectReference{{Name: consoleUserSecretName}}
|
||||
consoleSelector := fmt.Sprintf("%s-console", tenantName)
|
||||
consoleSecretName := fmt.Sprintf("%s-secret", consoleSelector)
|
||||
consoleSecretData := map[string][]byte{
|
||||
@@ -962,7 +1007,7 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
|
||||
return nil, prepareError(err)
|
||||
}
|
||||
|
||||
// Integratrions
|
||||
// Integrations
|
||||
if os.Getenv("GKE_INTEGRATION") != "" {
|
||||
err := gkeIntegration(clientSet, tenantName, ns, session.STSSessionToken)
|
||||
if err != nil {
|
||||
|
||||
@@ -4308,6 +4308,24 @@ func init() {
|
||||
}
|
||||
}
|
||||
},
|
||||
"keys": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"required": [
|
||||
"access_key",
|
||||
"secret_key"
|
||||
],
|
||||
"properties": {
|
||||
"access_key": {
|
||||
"type": "string"
|
||||
},
|
||||
"secret_key": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"oidc": {
|
||||
"type": "object",
|
||||
"required": [
|
||||
@@ -9717,6 +9735,21 @@ func init() {
|
||||
}
|
||||
}
|
||||
},
|
||||
"IdpConfigurationKeysItems0": {
|
||||
"type": "object",
|
||||
"required": [
|
||||
"access_key",
|
||||
"secret_key"
|
||||
],
|
||||
"properties": {
|
||||
"access_key": {
|
||||
"type": "string"
|
||||
},
|
||||
"secret_key": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"IdpConfigurationOidc": {
|
||||
"type": "object",
|
||||
"required": [
|
||||
@@ -11000,6 +11033,12 @@ func init() {
|
||||
}
|
||||
}
|
||||
},
|
||||
"keys": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"$ref": "#/definitions/IdpConfigurationKeysItems0"
|
||||
}
|
||||
},
|
||||
"oidc": {
|
||||
"type": "object",
|
||||
"required": [
|
||||
|
||||
Reference in New Issue
Block a user