- Added flag CONSOLE_OBJECT_BROWSER_ONLY=on to trigger between console mode & Object Browser only
- Hidden not necessary buttons for object browse
- STS Login
Signed-off-by: Benjamin Perez <benjamin@bexsoft.net>
Signed-off-by: Daniel Valdivia <18384552+dvaldivia@users.noreply.github.com>
- fix: create tenant from operator-ui was broken due to migration from
standalone console to embedded console
- fix: refresh, activate and attach license in subscription page was
broken
- fix: tenant usage report in operator-ui
- fix: show tenant encryption enabled if MINIO_KMS_SECRET_KEY is present
Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
iam/policies now support wildcard actions for
all actions such as 's3:Get*', 's3:Put*'
new policies such as CreateBucket now honors
LocationConstraint set but rejecting calls
that do not honor region.
Implemented Log Search API & Prometheus functionality in console, also fixed minor issues in all the platform
Co-authored-by: Benjamin Perez <benjamin@bexsoft.net>
Operator UI - Provide and store License key
- New License section in Operator UI will allow user to provide the
license key via input form
- New License section in Operator UI will allow the user to fetch the
license key using subnet credentials
- Console backend has to verify provided license is valid -
https://godoc.org/github.com/minio/minio/pkg/licverifier#example-package
- Console backend has to store the license key in k8s secrets
Operator UI - Set license to tenant during provisioning
- Check if license key exists in k8s secret during tenant creation
- If License is present attach the license-key jwt to the new console
tenant via an environment variable
Operator UI - Set license for an existing tenant
- Tenant view will display information about the current status of the
Tenant License
- If Tenant doesn't have a License then Operator-UI will allow to attach
new license by clicking the Add License button
- Console backend will extract the license from the k8s secret and save
the license-key jwt in the tenant console environment variable and
redeploy
- Account change password endpoints
- Change account password modal
- Grouped account settings and service accounts
- Removed the SuperAdmin credentials from almost all places, only
missing place is Oauth login
- Renamed service-accounts UI labels to account in Menu
Co-authored-by: Daniel Valdivia <hola@danielvaldivia.com>
`MCS` will authenticate against `Mkube`using bearer tokens via HTTP
`Authorization` header. The user will provide this token once
in the login form, MCS will validate it against Mkube (list tenants) and
if valid will generate and return a new MCS sessions
with encrypted claims (the user Service account token will be inside the
JWT in the data field)
Kubernetes
The provided `JWT token` corresponds to the `Kubernetes service account`
that `Mkube` will use to run tasks on behalf of the
user, ie: list, create, edit, delete tenants, storage class, etc.
Development
If you are running mcs in your local environment and wish to make
request to `Mkube` you can set `MCS_M3_HOSTNAME`, if
the environment variable is not present by default `MCS` will use
`"http://m3:8787"`, additionally you will need to set the
`MCS_MKUBE_ADMIN_ONLY=on` variable to make MCS display the Mkube UI
Extract the Service account token and use it with MCS
For local development you can use the jwt associated to the `m3-sa`
service account, you can get the token running
the following command in your terminal:
```
kubectl get secret $(kubectl get serviceaccount m3-sa -o
jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64
--decode
```
Then run the mcs server
```
MCS_M3_HOSTNAME=http://localhost:8787 MCS_MKUBE_ADMIN_ONLY=on ./mcs
server
```
Self-signed certificates and Custom certificate authority for Mkube
If Mkube uses TLS with a self-signed certificate, or a certificate
issued by a custom certificate authority you can add those
certificates usinng the `MCS_M3_SERVER_TLS_CA_CERTIFICATE` env variable
````
MCS_M3_SERVER_TLS_CA_CERTIFICATE=cert1.pem,cert2.pem,cert3.pem ./mcs
server
````
This PR adds support to connect MCS to minio instances running TLS with
self-signed certificates or certificates signed by custom
Certificate Authorities
```
export MCS_MINIO_SERVER_TLS_ROOT_CAS=file1,file2,file3
```
Note: TLS Skip Verification is not supported unless there's a clear need
for it
This PR adds support for oidc in mcs, to enable idp
authentication you need to pass the following environment variables and
restart mcs.
```
MCS_IDP_URL=""
MCS_IDP_CLIENT_ID=""
MCS_IDP_SECRET=""
MCS_IDP_CALLBACK=""
```
