Release v0.3.4 (#220)

This PR adds the following features:

- Allow user to provide its own keypair certificates for enable TLS in
  MinIO
- Allow user to configure data encryption at rest in MinIO with KES
- Removes JWT schema for login and instead Console authentication will use
  encrypted session tokens

Enable TLS between client and MinIO with user provided certificates

Instead of using AutoCert feature now the user can provide `cert` and
`key` via `tls` object, values must be valid `x509.Certificate`
formatted files encoded in `base64`

Enable encryption at rest configuring KES

User can deploy KES via Console/Operator by defining the encryption
object, AutoCert must be enabled or custom certificates for KES must be
provided, KES support 3 KMS backends: `Vault`, `AWS KMS` and `Gemalto`,
previous configuration of the KMS is necessary.

eg of body request for create-tenant

```
{
    "name": "honeywell",
    "access_key": "minio",
    "secret_key": "minio123",
    "enable_mcs": false,
    "enable_ssl": false,
    "service_name": "honeywell",
    "zones": [
        {
            "name": "honeywell-zone-1",
            "servers": 1,
            "volumes_per_server": 4,
            "volume_configuration": {
                "size": 256000000,
                "storage_class": "vsan-default-storage-policy"
            }
        }
    ],
    "namespace": "default",
    "tls": {
      "tls.crt": "",
      "tls.key": ""
    },
    "encryption": {
        "server": {
          "tls.crt": "",
          "tls.key": ""
        },
        "client": {
          "tls.crt": "",
          "tls.key": ""
        },
      "vault": {
        "endpoint": "http://vault:8200",
        "prefix": "",
        "approle": {
          "id": "",
          "secret": ""
        }
      }
    }
}
```

Dockerfile.release

@@ -1,6 +1,12 @@
+FROM ubuntu:18.04 as certs
+
+RUN apt-get update -y && apt-get install -y ca-certificates
+
 FROM scratch
 MAINTAINER MinIO Development "dev@min.io"
 EXPOSE 9090
 COPY console /console
 
+COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
 ENTRYPOINT ["/console"]

cluster/config.go

@@ -98,7 +98,7 @@ func getLatestMinIOImage(client HTTPClientI) (*string, error) {
 var latestMinIOImage, errLatestMinIOImage = getLatestMinIOImage(
 	&HTTPClient{
 		Client: &http.Client{
-			Timeout: 4 * time.Second,
+			Timeout: 15 * time.Second,
 		},
 	})
 

go.mod

@@ -4,7 +4,6 @@ go 1.13
 
 require (
 	github.com/coreos/go-oidc v2.2.1+incompatible
-	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/elazarl/go-bindata-assetfs v1.0.0
 	github.com/go-openapi/errors v0.19.6
 	github.com/go-openapi/loads v0.19.5
@@ -15,19 +14,19 @@ require (
 	github.com/go-openapi/validate v0.19.10
 	github.com/gorilla/websocket v1.4.2
 	github.com/jessevdk/go-flags v1.4.0
-	github.com/json-iterator/go v1.1.10
 	github.com/minio/cli v1.22.0
+	github.com/minio/kes v0.10.1
 	github.com/minio/mc v0.0.0-20200725183142-90d22b271f60
 	github.com/minio/minio v0.0.0-20200725154241-abbf6ce6ccf8
 	github.com/minio/minio-go/v7 v7.0.2-0.20200722162308-e0105ca08252
-	github.com/minio/operator v0.0.0-20200726122325-9efe901afebb
+	github.com/minio/operator v0.0.0-20200730044813-c2895a5065a1
 	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
-	github.com/satori/go.uuid v1.2.0
 	github.com/stretchr/testify v1.6.1
 	github.com/unrolled/secure v1.0.7
 	golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899
 	golang.org/x/net v0.0.0-20200707034311-ab3426394381
 	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
+	gopkg.in/yaml.v2 v2.3.0
 	k8s.io/api v0.18.0
 	k8s.io/apimachinery v0.18.0
 	k8s.io/client-go v0.18.0

go.sum

@@ -55,6 +55,7 @@ github.com/asaskevich/govalidator v0.0.0-20200108200545-475eaeb16496/go.mod h1:o
 github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 h1:4daAzAu0S6Vi7/lbWECcX0j45yZReDZ56BQsrVBOEEY=
 github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg=
 github.com/aws/aws-sdk-go v1.20.21/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
+github.com/aws/aws-sdk-go v1.26.3/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/bcicen/jstream v0.0.0-20190220045926-16c1f8af81c2 h1:M+TYzBcNIRyzPRg66ndEqUMd7oWDmhvdQmaPC6EZNwM=
 github.com/bcicen/jstream v0.0.0-20190220045926-16c1f8af81c2/go.mod h1:RDu/qcrnpEdJC/p8tx34+YBFqqX71lB7dOX9QE+ZC4M=
 github.com/beevik/ntp v0.2.0 h1:sGsd+kAXzT0bfVfzJfce04g+dSRfrs+tbQW8lweuYgw=
@@ -134,6 +135,7 @@ github.com/frankban/quicktest v1.4.1/go.mod h1:36zfPVQyHxymz4cH7wlDmVwDrJuljRB60
 github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
 github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
@@ -143,6 +145,8 @@ github.com/go-ldap/ldap v3.0.2+incompatible h1:kD5HQcAzlQ7yrhfn+h+MSABeAy/jAJhvI
 github.com/go-ldap/ldap v3.0.2+incompatible/go.mod h1:qfd9rJvER9Q0/D/Sqn1DfHRoBp40uXYvFoEVrNEPqRc=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
+github.com/go-logr/logr v0.2.0 h1:QvGt2nLcHH0WK9orKa+ppBPAxREcH364nPUedEpK0TY=
+github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
 github.com/go-ole/go-ole v1.2.4 h1:nNBDSCOigTSiarFpYE9J/KtEA1IOW4CNeqT9TQDqCxI=
 github.com/go-ole/go-ole v1.2.4/go.mod h1:XCwSNxSkXRo4vlyPy93sltvi/qJq0jqQhjqQNIwKuxM=
 github.com/go-openapi/analysis v0.0.0-20180825180245-b006789cd277/go.mod h1:k70tL6pCuVxPJOHXQ+wIac1FUrvNkHolPie/cLEU6hI=
@@ -451,6 +455,8 @@ github.com/minio/cli v1.22.0 h1:VTQm7lmXm3quxO917X3p+el1l0Ca5X3S4PM2ruUYO68=
 github.com/minio/cli v1.22.0/go.mod h1:bYxnK0uS629N3Bq+AOZZ+6lwF77Sodk4+UL9vNuXhOY=
 github.com/minio/highwayhash v1.0.0 h1:iMSDhgUILCr0TNm8LWlSjF8N0ZIj2qbO8WHp6Q/J2BA=
 github.com/minio/highwayhash v1.0.0/go.mod h1:xQboMTeM9nY9v/LlAOxFctujiv5+Aq2hR5dxBpaMbdc=
+github.com/minio/kes v0.10.1 h1:f+WDJdNHNMf1xE6BbjtCLUyh671weSCQ30uynoCPl78=
+github.com/minio/kes v0.10.1/go.mod h1:mTF1Bv8YVEtQqF/B7Felp4tLee44Pp+dgI0rhCvgNg8=
 github.com/minio/mc v0.0.0-20200725183142-90d22b271f60 h1:LevaZ33nx+rUzRsuU7rVvqXUP7VCu2BQanhITw4Z9rA=
 github.com/minio/mc v0.0.0-20200725183142-90d22b271f60/go.mod h1:Hvnyrb/NMM+pJ53JO/J3jxGtwPDYJh7K6c1D+RR2h2g=
 github.com/minio/md5-simd v1.1.0 h1:QPfiOqlZH+Cj9teu0t9b1nTBfPbyTl16Of5MeuShdK4=
@@ -463,8 +469,8 @@ github.com/minio/minio v0.0.0-20200725154241-abbf6ce6ccf8/go.mod h1:NBWtYp4t5pt3
 github.com/minio/minio-go/v7 v7.0.1/go.mod h1:dJ80Mv2HeGkYLH1sqS/ksz07ON6csH3S6JUMSQ2zAns=
 github.com/minio/minio-go/v7 v7.0.2-0.20200722162308-e0105ca08252 h1:V2JkMDoSmEIhRcMJwX3qeJVOzy1B5bHpHbZaQu77vbs=
 github.com/minio/minio-go/v7 v7.0.2-0.20200722162308-e0105ca08252/go.mod h1:dJ80Mv2HeGkYLH1sqS/ksz07ON6csH3S6JUMSQ2zAns=
-github.com/minio/operator v0.0.0-20200726122325-9efe901afebb h1:xAfr+GIP+4c6fU+Ad8oWHVWKtbQ60Su3dfEv3nPPyWM=
+github.com/minio/operator v0.0.0-20200730044813-c2895a5065a1 h1:cTgvRgFBUVxbnxhQUioT2T7SH0M7AyvO7dDX32yKPGw=
-github.com/minio/operator v0.0.0-20200726122325-9efe901afebb/go.mod h1:G0pMmQFV5b5OrH7/OmVKtPoHzj3SmHNgqDlTew1NM/Y=
+github.com/minio/operator v0.0.0-20200730044813-c2895a5065a1/go.mod h1:RLhFkLcL65qmrgUQJHrRwb1Lb4yHgD/DfjNENY2WNXg=
 github.com/minio/selfupdate v0.3.0 h1:1qfaZscU3hWwX1cF5m5Dov8Z5aZNvPHk9LROzIkas1k=
 github.com/minio/selfupdate v0.3.0/go.mod h1:b8ThJzzH7u2MkF6PcIra7KaXO9Khf6alWPvMSyTDCFM=
 github.com/minio/sha256-simd v0.1.1 h1:5QHSlgo3nt5yKOJrC7W8w7X+NFl8cMPZm96iu8kKUJU=
@@ -586,8 +592,6 @@ github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
 github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
-github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
-github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/secure-io/sio-go v0.3.0 h1:QKGb6rGJeiExac9wSWxnWPYo8O8OFN7lxXQvHshX6vo=
 github.com/secure-io/sio-go v0.3.0/go.mod h1:D3KmXgKETffyYxBdFRN+Hpd2WzhzqS0EQwT3XWsAcBU=
 github.com/shirou/gopsutil v2.20.3-0.20200314133625-53cec6b37e6a+incompatible h1:YiKUe2ZOmfpDBH4OSyxwkx/mjNqHHnNhOtZ2mPyRme8=
@@ -693,6 +697,7 @@ golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191002192127-34f69633bfdc/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20191117063200-497ca9f6d64f/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975 h1:/Tl7pH94bvbAAHBdZJT947M/+gp0+CqQXDtMRC0fseo=
 golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@@ -915,6 +920,8 @@ k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUc
 k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
 k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
+k8s.io/klog/v2 v2.3.0 h1:WmkrnW7fdrm0/DMClc+HIxtftvxVIPAhlVwMQo5yLco=
+k8s.io/klog/v2 v2.3.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
 k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c h1:/KUFqjjqAcY4Us6luF5RDNZ16KJtb49HfR3ZHB9qYXM=
 k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E=
 k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6 h1:Oh3Mzx5pJ+yIumsAD0MOECPVeXsVot0UkiaCGVyfGQY=

k8s/console/base/console-deployment.yaml

@@ -15,10 +15,9 @@ spec:
       serviceAccountName: console-sa
       containers:
         - name: console
-          image: minio/console:latest
+          image: minio/console:v0.3.4
           imagePullPolicy: "IfNotPresent"
           args:
-            - /console
             - server
           ports:
             - containerPort: 9090

k8s/getoperator.sh

@@ -1,3 +0,0 @@
-#!/bin/bash
-# Get's the latest deployment file from MinIO Operator
-curl https://raw.githubusercontent.com/minio/operator/master/minio-operator.yaml > operator-console/base/minio-operator.yaml

k8s/operator-console/base/console-deployment.yaml

@@ -15,13 +15,12 @@ spec:
       serviceAccountName: console-sa
       containers:
         - name: console
-          image: minio/console:latest
+          image: minio/console:v0.3.4
           imagePullPolicy: "IfNotPresent"
           env:
             - name: CONSOLE_OPERATOR_MODE
               value: "on"
           args:
-            - /console
             - server
           ports:
             - containerPort: 9090

models/aws_configuration.go

@@ -0,0 +1,258 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2020 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package models
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+	"github.com/go-openapi/validate"
+)
+
+// AwsConfiguration aws configuration
+//
+// swagger:model awsConfiguration
+type AwsConfiguration struct {
+
+	// secretsmanager
+	// Required: true
+	Secretsmanager *AwsConfigurationSecretsmanager `json:"secretsmanager"`
+}
+
+// Validate validates this aws configuration
+func (m *AwsConfiguration) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateSecretsmanager(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *AwsConfiguration) validateSecretsmanager(formats strfmt.Registry) error {
+
+	if err := validate.Required("secretsmanager", "body", m.Secretsmanager); err != nil {
+		return err
+	}
+
+	if m.Secretsmanager != nil {
+		if err := m.Secretsmanager.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("secretsmanager")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *AwsConfiguration) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *AwsConfiguration) UnmarshalBinary(b []byte) error {
+	var res AwsConfiguration
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
+
+// AwsConfigurationSecretsmanager aws configuration secretsmanager
+//
+// swagger:model AwsConfigurationSecretsmanager
+type AwsConfigurationSecretsmanager struct {
+
+	// credentials
+	// Required: true
+	Credentials *AwsConfigurationSecretsmanagerCredentials `json:"credentials"`
+
+	// endpoint
+	// Required: true
+	Endpoint *string `json:"endpoint"`
+
+	// kmskey
+	Kmskey string `json:"kmskey,omitempty"`
+
+	// region
+	// Required: true
+	Region *string `json:"region"`
+}
+
+// Validate validates this aws configuration secretsmanager
+func (m *AwsConfigurationSecretsmanager) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateCredentials(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateEndpoint(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateRegion(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *AwsConfigurationSecretsmanager) validateCredentials(formats strfmt.Registry) error {
+
+	if err := validate.Required("secretsmanager"+"."+"credentials", "body", m.Credentials); err != nil {
+		return err
+	}
+
+	if m.Credentials != nil {
+		if err := m.Credentials.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("secretsmanager" + "." + "credentials")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *AwsConfigurationSecretsmanager) validateEndpoint(formats strfmt.Registry) error {
+
+	if err := validate.Required("secretsmanager"+"."+"endpoint", "body", m.Endpoint); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (m *AwsConfigurationSecretsmanager) validateRegion(formats strfmt.Registry) error {
+
+	if err := validate.Required("secretsmanager"+"."+"region", "body", m.Region); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *AwsConfigurationSecretsmanager) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *AwsConfigurationSecretsmanager) UnmarshalBinary(b []byte) error {
+	var res AwsConfigurationSecretsmanager
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
+
+// AwsConfigurationSecretsmanagerCredentials aws configuration secretsmanager credentials
+//
+// swagger:model AwsConfigurationSecretsmanagerCredentials
+type AwsConfigurationSecretsmanagerCredentials struct {
+
+	// accesskey
+	// Required: true
+	Accesskey *string `json:"accesskey"`
+
+	// secretkey
+	// Required: true
+	Secretkey *string `json:"secretkey"`
+
+	// token
+	Token string `json:"token,omitempty"`
+}
+
+// Validate validates this aws configuration secretsmanager credentials
+func (m *AwsConfigurationSecretsmanagerCredentials) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateAccesskey(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateSecretkey(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *AwsConfigurationSecretsmanagerCredentials) validateAccesskey(formats strfmt.Registry) error {
+
+	if err := validate.Required("secretsmanager"+"."+"credentials"+"."+"accesskey", "body", m.Accesskey); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (m *AwsConfigurationSecretsmanagerCredentials) validateSecretkey(formats strfmt.Registry) error {
+
+	if err := validate.Required("secretsmanager"+"."+"credentials"+"."+"secretkey", "body", m.Secretkey); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *AwsConfigurationSecretsmanagerCredentials) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *AwsConfigurationSecretsmanagerCredentials) UnmarshalBinary(b []byte) error {
+	var res AwsConfigurationSecretsmanagerCredentials
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}

models/create_tenant_request.go

@@ -48,6 +48,9 @@ type CreateTenantRequest struct {
 	// enable ssl
 	EnableSsl *bool `json:"enable_ssl,omitempty"`
 
+	// encryption
+	Encryption *EncryptionConfiguration `json:"encryption,omitempty"`
+
 	// image
 	Image string `json:"image,omitempty"`
 
@@ -69,6 +72,9 @@ type CreateTenantRequest struct {
 	// service name
 	ServiceName string `json:"service_name,omitempty"`
 
+	// tls
+	TLS *TLSConfiguration `json:"tls,omitempty"`
+
 	// zones
 	// Required: true
 	Zones []*Zone `json:"zones"`
@@ -78,6 +84,10 @@ type CreateTenantRequest struct {
 func (m *CreateTenantRequest) Validate(formats strfmt.Registry) error {
 	var res []error
 
+	if err := m.validateEncryption(formats); err != nil {
+		res = append(res, err)
+	}
+
 	if err := m.validateName(formats); err != nil {
 		res = append(res, err)
 	}
@@ -86,6 +96,10 @@ func (m *CreateTenantRequest) Validate(formats strfmt.Registry) error {
 		res = append(res, err)
 	}
 
+	if err := m.validateTLS(formats); err != nil {
+		res = append(res, err)
+	}
+
 	if err := m.validateZones(formats); err != nil {
 		res = append(res, err)
 	}
@@ -96,6 +110,24 @@ func (m *CreateTenantRequest) Validate(formats strfmt.Registry) error {
 	return nil
 }
 
+func (m *CreateTenantRequest) validateEncryption(formats strfmt.Registry) error {
+
+	if swag.IsZero(m.Encryption) { // not required
+		return nil
+	}
+
+	if m.Encryption != nil {
+		if err := m.Encryption.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("encryption")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
 func (m *CreateTenantRequest) validateName(formats strfmt.Registry) error {
 
 	if err := validate.Required("name", "body", m.Name); err != nil {
@@ -118,6 +150,24 @@ func (m *CreateTenantRequest) validateNamespace(formats strfmt.Registry) error {
 	return nil
 }
 
+func (m *CreateTenantRequest) validateTLS(formats strfmt.Registry) error {
+
+	if swag.IsZero(m.TLS) { // not required
+		return nil
+	}
+
+	if m.TLS != nil {
+		if err := m.TLS.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("tls")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
 func (m *CreateTenantRequest) validateZones(formats strfmt.Registry) error {
 
 	if err := validate.Required("zones", "body", m.Zones); err != nil {

models/create_tenant_response.go

@@ -23,6 +23,7 @@ package models
 // Editing this file might prove futile when you re-run the swagger generate command
 
 import (
+	"github.com/go-openapi/errors"
 	"github.com/go-openapi/strfmt"
 	"github.com/go-openapi/swag"
 )
@@ -35,12 +36,42 @@ type CreateTenantResponse struct {
 	// access key
 	AccessKey string `json:"access_key,omitempty"`
 
+	// console
+	Console *CreateTenantResponseConsole `json:"console,omitempty"`
+
 	// secret key
 	SecretKey string `json:"secret_key,omitempty"`
 }
 
 // Validate validates this create tenant response
 func (m *CreateTenantResponse) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateConsole(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *CreateTenantResponse) validateConsole(formats strfmt.Registry) error {
+
+	if swag.IsZero(m.Console) { // not required
+		return nil
+	}
+
+	if m.Console != nil {
+		if err := m.Console.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("console")
+			}
+			return err
+		}
+	}
+
 	return nil
 }
 
@@ -61,3 +92,38 @@ func (m *CreateTenantResponse) UnmarshalBinary(b []byte) error {
 	*m = res
 	return nil
 }
+
+// CreateTenantResponseConsole create tenant response console
+//
+// swagger:model CreateTenantResponseConsole
+type CreateTenantResponseConsole struct {
+
+	// access key
+	AccessKey string `json:"access_key,omitempty"`
+
+	// secret key
+	SecretKey string `json:"secret_key,omitempty"`
+}
+
+// Validate validates this create tenant response console
+func (m *CreateTenantResponseConsole) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *CreateTenantResponseConsole) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *CreateTenantResponseConsole) UnmarshalBinary(b []byte) error {
+	var res CreateTenantResponseConsole
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}

models/encryption_configuration.go

@@ -0,0 +1,331 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2020 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package models
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+	"github.com/go-openapi/validate"
+)
+
+// EncryptionConfiguration encryption configuration
+//
+// swagger:model encryptionConfiguration
+type EncryptionConfiguration struct {
+
+	// aws
+	Aws *AwsConfiguration `json:"aws,omitempty"`
+
+	// client
+	Client *EncryptionConfigurationClient `json:"client,omitempty"`
+
+	// gemalto
+	Gemalto *GemaltoConfiguration `json:"gemalto,omitempty"`
+
+	// image
+	Image string `json:"image,omitempty"`
+
+	// master key
+	MasterKey string `json:"master_key,omitempty"`
+
+	// server
+	Server *EncryptionConfigurationServer `json:"server,omitempty"`
+
+	// vault
+	Vault *VaultConfiguration `json:"vault,omitempty"`
+}
+
+// Validate validates this encryption configuration
+func (m *EncryptionConfiguration) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateAws(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateClient(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateGemalto(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateServer(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateVault(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *EncryptionConfiguration) validateAws(formats strfmt.Registry) error {
+
+	if swag.IsZero(m.Aws) { // not required
+		return nil
+	}
+
+	if m.Aws != nil {
+		if err := m.Aws.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("aws")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *EncryptionConfiguration) validateClient(formats strfmt.Registry) error {
+
+	if swag.IsZero(m.Client) { // not required
+		return nil
+	}
+
+	if m.Client != nil {
+		if err := m.Client.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("client")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *EncryptionConfiguration) validateGemalto(formats strfmt.Registry) error {
+
+	if swag.IsZero(m.Gemalto) { // not required
+		return nil
+	}
+
+	if m.Gemalto != nil {
+		if err := m.Gemalto.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("gemalto")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *EncryptionConfiguration) validateServer(formats strfmt.Registry) error {
+
+	if swag.IsZero(m.Server) { // not required
+		return nil
+	}
+
+	if m.Server != nil {
+		if err := m.Server.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("server")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *EncryptionConfiguration) validateVault(formats strfmt.Registry) error {
+
+	if swag.IsZero(m.Vault) { // not required
+		return nil
+	}
+
+	if m.Vault != nil {
+		if err := m.Vault.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("vault")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *EncryptionConfiguration) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *EncryptionConfiguration) UnmarshalBinary(b []byte) error {
+	var res EncryptionConfiguration
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
+
+// EncryptionConfigurationClient encryption configuration client
+//
+// swagger:model EncryptionConfigurationClient
+type EncryptionConfigurationClient struct {
+
+	// crt
+	// Required: true
+	Crt *string `json:"crt"`
+
+	// key
+	// Required: true
+	Key *string `json:"key"`
+}
+
+// Validate validates this encryption configuration client
+func (m *EncryptionConfigurationClient) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateCrt(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateKey(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *EncryptionConfigurationClient) validateCrt(formats strfmt.Registry) error {
+
+	if err := validate.Required("client"+"."+"crt", "body", m.Crt); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (m *EncryptionConfigurationClient) validateKey(formats strfmt.Registry) error {
+
+	if err := validate.Required("client"+"."+"key", "body", m.Key); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *EncryptionConfigurationClient) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *EncryptionConfigurationClient) UnmarshalBinary(b []byte) error {
+	var res EncryptionConfigurationClient
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
+
+// EncryptionConfigurationServer encryption configuration server
+//
+// swagger:model EncryptionConfigurationServer
+type EncryptionConfigurationServer struct {
+
+	// crt
+	// Required: true
+	Crt *string `json:"crt"`
+
+	// key
+	// Required: true
+	Key *string `json:"key"`
+}
+
+// Validate validates this encryption configuration server
+func (m *EncryptionConfigurationServer) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateCrt(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateKey(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *EncryptionConfigurationServer) validateCrt(formats strfmt.Registry) error {
+
+	if err := validate.Required("server"+"."+"crt", "body", m.Crt); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (m *EncryptionConfigurationServer) validateKey(formats strfmt.Registry) error {
+
+	if err := validate.Required("server"+"."+"key", "body", m.Key); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *EncryptionConfigurationServer) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *EncryptionConfigurationServer) UnmarshalBinary(b []byte) error {
+	var res EncryptionConfigurationServer
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}

models/encryption_kes_config.go

@@ -0,0 +1,115 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2020 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package models
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+	"github.com/go-openapi/validate"
+)
+
+// EncryptionKesConfig encryption kes config
+//
+// swagger:model encryptionKesConfig
+type EncryptionKesConfig struct {
+
+	// server cert
+	// Required: true
+	ServerCert *string `json:"server_cert"`
+
+	// server config
+	// Required: true
+	ServerConfig *string `json:"server_config"`
+
+	// server key
+	// Required: true
+	ServerKey *string `json:"server_key"`
+}
+
+// Validate validates this encryption kes config
+func (m *EncryptionKesConfig) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateServerCert(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateServerConfig(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateServerKey(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *EncryptionKesConfig) validateServerCert(formats strfmt.Registry) error {
+
+	if err := validate.Required("server_cert", "body", m.ServerCert); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (m *EncryptionKesConfig) validateServerConfig(formats strfmt.Registry) error {
+
+	if err := validate.Required("server_config", "body", m.ServerConfig); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (m *EncryptionKesConfig) validateServerKey(formats strfmt.Registry) error {
+
+	if err := validate.Required("server_key", "body", m.ServerKey); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *EncryptionKesConfig) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *EncryptionKesConfig) UnmarshalBinary(b []byte) error {
+	var res EncryptionKesConfig
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}

models/gemalto_configuration.go

@@ -0,0 +1,314 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2020 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package models
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+	"github.com/go-openapi/validate"
+)
+
+// GemaltoConfiguration gemalto configuration
+//
+// swagger:model gemaltoConfiguration
+type GemaltoConfiguration struct {
+
+	// keysecure
+	// Required: true
+	Keysecure *GemaltoConfigurationKeysecure `json:"keysecure"`
+}
+
+// Validate validates this gemalto configuration
+func (m *GemaltoConfiguration) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateKeysecure(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *GemaltoConfiguration) validateKeysecure(formats strfmt.Registry) error {
+
+	if err := validate.Required("keysecure", "body", m.Keysecure); err != nil {
+		return err
+	}
+
+	if m.Keysecure != nil {
+		if err := m.Keysecure.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("keysecure")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *GemaltoConfiguration) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *GemaltoConfiguration) UnmarshalBinary(b []byte) error {
+	var res GemaltoConfiguration
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
+
+// GemaltoConfigurationKeysecure gemalto configuration keysecure
+//
+// swagger:model GemaltoConfigurationKeysecure
+type GemaltoConfigurationKeysecure struct {
+
+	// credentials
+	// Required: true
+	Credentials *GemaltoConfigurationKeysecureCredentials `json:"credentials"`
+
+	// endpoint
+	// Required: true
+	Endpoint *string `json:"endpoint"`
+
+	// tls
+	TLS *GemaltoConfigurationKeysecureTLS `json:"tls,omitempty"`
+}
+
+// Validate validates this gemalto configuration keysecure
+func (m *GemaltoConfigurationKeysecure) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateCredentials(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateEndpoint(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateTLS(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *GemaltoConfigurationKeysecure) validateCredentials(formats strfmt.Registry) error {
+
+	if err := validate.Required("keysecure"+"."+"credentials", "body", m.Credentials); err != nil {
+		return err
+	}
+
+	if m.Credentials != nil {
+		if err := m.Credentials.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("keysecure" + "." + "credentials")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *GemaltoConfigurationKeysecure) validateEndpoint(formats strfmt.Registry) error {
+
+	if err := validate.Required("keysecure"+"."+"endpoint", "body", m.Endpoint); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (m *GemaltoConfigurationKeysecure) validateTLS(formats strfmt.Registry) error {
+
+	if swag.IsZero(m.TLS) { // not required
+		return nil
+	}
+
+	if m.TLS != nil {
+		if err := m.TLS.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("keysecure" + "." + "tls")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *GemaltoConfigurationKeysecure) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *GemaltoConfigurationKeysecure) UnmarshalBinary(b []byte) error {
+	var res GemaltoConfigurationKeysecure
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
+
+// GemaltoConfigurationKeysecureCredentials gemalto configuration keysecure credentials
+//
+// swagger:model GemaltoConfigurationKeysecureCredentials
+type GemaltoConfigurationKeysecureCredentials struct {
+
+	// domain
+	// Required: true
+	Domain *string `json:"domain"`
+
+	// retry
+	Retry int64 `json:"retry,omitempty"`
+
+	// token
+	// Required: true
+	Token *string `json:"token"`
+}
+
+// Validate validates this gemalto configuration keysecure credentials
+func (m *GemaltoConfigurationKeysecureCredentials) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateDomain(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateToken(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *GemaltoConfigurationKeysecureCredentials) validateDomain(formats strfmt.Registry) error {
+
+	if err := validate.Required("keysecure"+"."+"credentials"+"."+"domain", "body", m.Domain); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (m *GemaltoConfigurationKeysecureCredentials) validateToken(formats strfmt.Registry) error {
+
+	if err := validate.Required("keysecure"+"."+"credentials"+"."+"token", "body", m.Token); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *GemaltoConfigurationKeysecureCredentials) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *GemaltoConfigurationKeysecureCredentials) UnmarshalBinary(b []byte) error {
+	var res GemaltoConfigurationKeysecureCredentials
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
+
+// GemaltoConfigurationKeysecureTLS gemalto configuration keysecure TLS
+//
+// swagger:model GemaltoConfigurationKeysecureTLS
+type GemaltoConfigurationKeysecureTLS struct {
+
+	// ca
+	// Required: true
+	Ca *string `json:"ca"`
+}
+
+// Validate validates this gemalto configuration keysecure TLS
+func (m *GemaltoConfigurationKeysecureTLS) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateCa(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *GemaltoConfigurationKeysecureTLS) validateCa(formats strfmt.Registry) error {
+
+	if err := validate.Required("keysecure"+"."+"tls"+"."+"ca", "body", m.Ca); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *GemaltoConfigurationKeysecureTLS) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *GemaltoConfigurationKeysecureTLS) UnmarshalBinary(b []byte) error {
+	var res GemaltoConfigurationKeysecureTLS
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}

models/kes_configuration.go

@@ -0,0 +1,269 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2020 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package models
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+	"github.com/go-openapi/validate"
+)
+
+// KesConfiguration kes configuration
+//
+// swagger:model kesConfiguration
+type KesConfiguration struct {
+
+	// client
+	// Required: true
+	Client *KesConfigurationClient `json:"client"`
+
+	// server
+	// Required: true
+	Server *KesConfigurationServer `json:"server"`
+
+	// server config yaml
+	// Required: true
+	ServerConfigYaml *string `json:"server-config.yaml"`
+}
+
+// Validate validates this kes configuration
+func (m *KesConfiguration) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateClient(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateServer(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateServerConfigYaml(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *KesConfiguration) validateClient(formats strfmt.Registry) error {
+
+	if err := validate.Required("client", "body", m.Client); err != nil {
+		return err
+	}
+
+	if m.Client != nil {
+		if err := m.Client.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("client")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *KesConfiguration) validateServer(formats strfmt.Registry) error {
+
+	if err := validate.Required("server", "body", m.Server); err != nil {
+		return err
+	}
+
+	if m.Server != nil {
+		if err := m.Server.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("server")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *KesConfiguration) validateServerConfigYaml(formats strfmt.Registry) error {
+
+	if err := validate.Required("server-config.yaml", "body", m.ServerConfigYaml); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *KesConfiguration) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *KesConfiguration) UnmarshalBinary(b []byte) error {
+	var res KesConfiguration
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
+
+// KesConfigurationClient kes configuration client
+//
+// swagger:model KesConfigurationClient
+type KesConfigurationClient struct {
+
+	// tls crt
+	// Required: true
+	TLSCrt *string `json:"tls.crt"`
+
+	// tls key
+	// Required: true
+	TLSKey *string `json:"tls.key"`
+}
+
+// Validate validates this kes configuration client
+func (m *KesConfigurationClient) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateTLSCrt(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateTLSKey(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *KesConfigurationClient) validateTLSCrt(formats strfmt.Registry) error {
+
+	if err := validate.Required("client"+"."+"tls.crt", "body", m.TLSCrt); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (m *KesConfigurationClient) validateTLSKey(formats strfmt.Registry) error {
+
+	if err := validate.Required("client"+"."+"tls.key", "body", m.TLSKey); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *KesConfigurationClient) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *KesConfigurationClient) UnmarshalBinary(b []byte) error {
+	var res KesConfigurationClient
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
+
+// KesConfigurationServer kes configuration server
+//
+// swagger:model KesConfigurationServer
+type KesConfigurationServer struct {
+
+	// tls crt
+	// Required: true
+	TLSCrt *string `json:"tls.crt"`
+
+	// tls key
+	// Required: true
+	TLSKey *string `json:"tls.key"`
+}
+
+// Validate validates this kes configuration server
+func (m *KesConfigurationServer) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateTLSCrt(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateTLSKey(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *KesConfigurationServer) validateTLSCrt(formats strfmt.Registry) error {
+
+	if err := validate.Required("server"+"."+"tls.crt", "body", m.TLSCrt); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (m *KesConfigurationServer) validateTLSKey(formats strfmt.Registry) error {
+
+	if err := validate.Required("server"+"."+"tls.key", "body", m.TLSKey); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *KesConfigurationServer) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *KesConfigurationServer) UnmarshalBinary(b []byte) error {
+	var res KesConfigurationServer
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}

models/tls_configuration.go

@@ -0,0 +1,98 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2020 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package models
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+	"github.com/go-openapi/validate"
+)
+
+// TLSConfiguration tls configuration
+//
+// swagger:model tlsConfiguration
+type TLSConfiguration struct {
+
+	// crt
+	// Required: true
+	Crt *string `json:"crt"`
+
+	// key
+	// Required: true
+	Key *string `json:"key"`
+}
+
+// Validate validates this tls configuration
+func (m *TLSConfiguration) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateCrt(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateKey(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *TLSConfiguration) validateCrt(formats strfmt.Registry) error {
+
+	if err := validate.Required("crt", "body", m.Crt); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (m *TLSConfiguration) validateKey(formats strfmt.Registry) error {
+
+	if err := validate.Required("key", "body", m.Key); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *TLSConfiguration) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *TLSConfiguration) UnmarshalBinary(b []byte) error {
+	var res TLSConfiguration
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}

models/vault_configuration.go

@@ -0,0 +1,247 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2020 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package models
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+	"github.com/go-openapi/validate"
+)
+
+// VaultConfiguration vault configuration
+//
+// swagger:model vaultConfiguration
+type VaultConfiguration struct {
+
+	// approle
+	// Required: true
+	Approle *VaultConfigurationApprole `json:"approle"`
+
+	// endpoint
+	// Required: true
+	Endpoint *string `json:"endpoint"`
+
+	// engine
+	Engine string `json:"engine,omitempty"`
+
+	// namespace
+	Namespace string `json:"namespace,omitempty"`
+
+	// prefix
+	Prefix string `json:"prefix,omitempty"`
+
+	// status
+	Status *VaultConfigurationStatus `json:"status,omitempty"`
+}
+
+// Validate validates this vault configuration
+func (m *VaultConfiguration) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateApprole(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateEndpoint(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateStatus(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *VaultConfiguration) validateApprole(formats strfmt.Registry) error {
+
+	if err := validate.Required("approle", "body", m.Approle); err != nil {
+		return err
+	}
+
+	if m.Approle != nil {
+		if err := m.Approle.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("approle")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *VaultConfiguration) validateEndpoint(formats strfmt.Registry) error {
+
+	if err := validate.Required("endpoint", "body", m.Endpoint); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (m *VaultConfiguration) validateStatus(formats strfmt.Registry) error {
+
+	if swag.IsZero(m.Status) { // not required
+		return nil
+	}
+
+	if m.Status != nil {
+		if err := m.Status.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("status")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *VaultConfiguration) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *VaultConfiguration) UnmarshalBinary(b []byte) error {
+	var res VaultConfiguration
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
+
+// VaultConfigurationApprole vault configuration approle
+//
+// swagger:model VaultConfigurationApprole
+type VaultConfigurationApprole struct {
+
+	// engine
+	Engine string `json:"engine,omitempty"`
+
+	// id
+	// Required: true
+	ID *string `json:"id"`
+
+	// retry
+	Retry int64 `json:"retry,omitempty"`
+
+	// secret
+	// Required: true
+	Secret *string `json:"secret"`
+}
+
+// Validate validates this vault configuration approle
+func (m *VaultConfigurationApprole) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateID(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateSecret(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *VaultConfigurationApprole) validateID(formats strfmt.Registry) error {
+
+	if err := validate.Required("approle"+"."+"id", "body", m.ID); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (m *VaultConfigurationApprole) validateSecret(formats strfmt.Registry) error {
+
+	if err := validate.Required("approle"+"."+"secret", "body", m.Secret); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *VaultConfigurationApprole) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *VaultConfigurationApprole) UnmarshalBinary(b []byte) error {
+	var res VaultConfigurationApprole
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
+
+// VaultConfigurationStatus vault configuration status
+//
+// swagger:model VaultConfigurationStatus
+type VaultConfigurationStatus struct {
+
+	// ping
+	Ping int64 `json:"ping,omitempty"`
+}
+
+// Validate validates this vault configuration status
+func (m *VaultConfigurationStatus) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *VaultConfigurationStatus) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *VaultConfigurationStatus) UnmarshalBinary(b []byte) error {
+	var res VaultConfigurationStatus
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}

pkg/auth/jwt/parser.go

@@ -1,281 +0,0 @@
-// This file is part of MinIO Console Server
-// Copyright (c) 2020 MinIO, Inc.
-//
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Affero General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU Affero General Public License for more details.
-//
-// You should have received a copy of the GNU Affero General Public License
-// along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-package jwt
-
-// This file is a re-implementation of the original code here with some
-// additional allocation tweaks reproduced using GODEBUG=allocfreetrace=1
-// original file https://github.com/dgrijalva/jwt-go/blob/master/parser.go
-// borrowed under MIT License https://github.com/dgrijalva/jwt-go/blob/master/LICENSE
-
-import (
-	"crypto"
-	"crypto/hmac"
-	"encoding/base64"
-	"encoding/json"
-	"fmt"
-	"strings"
-	"sync"
-	"time"
-
-	jwtgo "github.com/dgrijalva/jwt-go"
-	jsoniter "github.com/json-iterator/go"
-)
-
-const (
-	claimData = "data"
-	claimSub  = "sub"
-)
-
-// SigningMethodHMAC - Implements the HMAC-SHA family of signing methods signing methods
-// Expects key type of []byte for both signing and validation
-type SigningMethodHMAC struct {
-	Name string
-	Hash crypto.Hash
-}
-
-// Specific instances for HS256, HS384, HS512
-var (
-	SigningMethodHS256 *SigningMethodHMAC
-	SigningMethodHS384 *SigningMethodHMAC
-	SigningMethodHS512 *SigningMethodHMAC
-)
-
-var (
-	base64BufPool sync.Pool
-	hmacSigners   []*SigningMethodHMAC
-)
-
-func init() {
-	base64BufPool = sync.Pool{
-		New: func() interface{} {
-			buf := make([]byte, 8192)
-			return &buf
-		},
-	}
-
-	hmacSigners = []*SigningMethodHMAC{
-		{"HS256", crypto.SHA256},
-		{"HS384", crypto.SHA384},
-		{"HS512", crypto.SHA512},
-	}
-}
-
-// StandardClaims are basically standard claims with "Data"
-type StandardClaims struct {
-	Data string `json:"data,omitempty"`
-	jwtgo.StandardClaims
-}
-
-// MapClaims - implements custom unmarshaller
-type MapClaims struct {
-	Data    string `json:"data,omitempty"`
-	Subject string `json:"sub,omitempty"`
-	jwtgo.MapClaims
-}
-
-// NewStandardClaims - initializes standard claims
-func NewStandardClaims() *StandardClaims {
-	return &StandardClaims{}
-}
-
-// SetIssuer sets issuer for these claims
-func (c *StandardClaims) SetIssuer(issuer string) {
-	c.Issuer = issuer
-}
-
-// SetAudience sets audience for these claims
-func (c *StandardClaims) SetAudience(aud string) {
-	c.Audience = aud
-}
-
-// SetExpiry sets expiry in unix epoch secs
-func (c *StandardClaims) SetExpiry(t time.Time) {
-	c.ExpiresAt = t.Unix()
-}
-
-// SetSubject sets unique identifier for the jwt
-func (c *StandardClaims) SetSubject(subject string) {
-	c.Subject = subject
-}
-
-// SetData sets the "Data" custom field.
-func (c *StandardClaims) SetData(data string) {
-	c.Data = data
-}
-
-// Valid - implements https://godoc.org/github.com/dgrijalva/jwt-go#Claims compatible
-// claims interface, additionally validates "Data" field.
-func (c *StandardClaims) Valid() error {
-	if err := c.StandardClaims.Valid(); err != nil {
-		return err
-	}
-
-	if c.Data == "" || c.Subject == "" {
-		return jwtgo.NewValidationError("data/sub",
-			jwtgo.ValidationErrorClaimsInvalid)
-	}
-	return nil
-}
-
-// NewMapClaims - Initializes a new map claims
-func NewMapClaims() *MapClaims {
-	return &MapClaims{MapClaims: jwtgo.MapClaims{}}
-}
-
-// Lookup returns the value and if the key is found.
-func (c *MapClaims) Lookup(key string) (value string, ok bool) {
-	var vinterface interface{}
-	vinterface, ok = c.MapClaims[key]
-	if ok {
-		value, ok = vinterface.(string)
-	}
-	return
-}
-
-// SetExpiry sets expiry in unix epoch secs
-func (c *MapClaims) SetExpiry(t time.Time) {
-	c.MapClaims["exp"] = t.Unix()
-}
-
-// SetData sets the "Data" custom field.
-func (c *MapClaims) SetData(data string) {
-	c.MapClaims[claimData] = data
-}
-
-// Valid - implements https://godoc.org/github.com/dgrijalva/jwt-go#Claims compatible
-// claims interface, additionally validates "Data" field.
-func (c *MapClaims) Valid() error {
-	if err := c.MapClaims.Valid(); err != nil {
-		return err
-	}
-
-	if c.Data == "" || c.Subject == "" {
-		return jwtgo.NewValidationError("data/subject",
-			jwtgo.ValidationErrorClaimsInvalid)
-	}
-	return nil
-}
-
-// Map returns underlying low-level map claims.
-func (c *MapClaims) Map() map[string]interface{} {
-	return c.MapClaims
-}
-
-// MarshalJSON marshals the MapClaims struct
-func (c *MapClaims) MarshalJSON() ([]byte, error) {
-	return json.Marshal(c.MapClaims)
-}
-
-// https://tools.ietf.org/html/rfc7519#page-11
-type jwtHeader struct {
-	Algorithm string `json:"alg"`
-	Type      string `json:"typ"`
-}
-
-// ParseWithClaims - parse the token string, valid methods.
-func ParseWithClaims(tokenStr string, claims *MapClaims) error {
-	bufp := base64BufPool.Get().(*[]byte)
-	defer base64BufPool.Put(bufp)
-
-	signer, err := parseUnverifiedMapClaims(tokenStr, claims, *bufp)
-	if err != nil {
-		return err
-	}
-
-	i := strings.LastIndex(tokenStr, ".")
-	if i < 0 {
-		return jwtgo.ErrSignatureInvalid
-	}
-
-	n, err := base64Decode(tokenStr[i+1:], *bufp)
-	if err != nil {
-		return err
-	}
-
-	var ok bool
-
-	claims.Data, ok = claims.Lookup(claimData)
-	if !ok {
-		return jwtgo.NewValidationError("data missing",
-			jwtgo.ValidationErrorClaimsInvalid)
-	}
-
-	claims.Subject, ok = claims.Lookup(claimSub)
-	if !ok {
-		return jwtgo.NewValidationError("sub missing",
-			jwtgo.ValidationErrorClaimsInvalid)
-	}
-
-	hasher := hmac.New(signer.Hash.New, []byte(GetHmacJWTSecret()))
-	hasher.Write([]byte(tokenStr[:i]))
-	if !hmac.Equal((*bufp)[:n], hasher.Sum(nil)) {
-		return jwtgo.ErrSignatureInvalid
-	}
-
-	// Signature is valid, lets validate the claims for
-	// other fields such as expiry etc.
-	return claims.Valid()
-}
-
-// base64Decode returns the bytes represented by the base64 string s.
-func base64Decode(s string, buf []byte) (int, error) {
-	return base64.RawURLEncoding.Decode(buf, []byte(s))
-}
-
-// ParseUnverifiedMapClaims - WARNING: Don't use this method unless you know what you're doing
-//
-// This method parses the token but doesn't validate the signature. It's only
-// ever useful in cases where you know the signature is valid (because it has
-// been checked previously in the stack) and you want to extract values from
-// it.
-func parseUnverifiedMapClaims(tokenString string, claims *MapClaims, buf []byte) (*SigningMethodHMAC, error) {
-	if strings.Count(tokenString, ".") != 2 {
-		return nil, jwtgo.ErrSignatureInvalid
-	}
-
-	i := strings.Index(tokenString, ".")
-	j := strings.LastIndex(tokenString, ".")
-
-	n, err := base64Decode(tokenString[:i], buf)
-	if err != nil {
-		return nil, &jwtgo.ValidationError{Inner: err, Errors: jwtgo.ValidationErrorMalformed}
-	}
-
-	var header = jwtHeader{}
-	var json = jsoniter.ConfigCompatibleWithStandardLibrary
-	if err = json.Unmarshal(buf[:n], &header); err != nil {
-		return nil, &jwtgo.ValidationError{Inner: err, Errors: jwtgo.ValidationErrorMalformed}
-	}
-
-	n, err = base64Decode(tokenString[i+1:j], buf)
-	if err != nil {
-		return nil, &jwtgo.ValidationError{Inner: err, Errors: jwtgo.ValidationErrorMalformed}
-	}
-
-	if err = json.Unmarshal(buf[:n], &claims.MapClaims); err != nil {
-		return nil, &jwtgo.ValidationError{Inner: err, Errors: jwtgo.ValidationErrorMalformed}
-	}
-
-	for _, signer := range hmacSigners {
-		if header.Algorithm == signer.Name {
-			return signer, nil
-		}
-	}
-
-	return nil, jwtgo.NewValidationError(fmt.Sprintf("signing method (%s) is unavailable.", header.Algorithm),
-		jwtgo.ValidationErrorUnverifiable)
-}

pkg/auth/ldap.go

@@ -24,11 +24,11 @@ import (
 )
 
 var (
-	errInvalidCredentials = errors.New("invalid Credentials")
+	errInvalidCredentials = errors.New("invalid Login")
 )
 
 // GetConsoleCredentialsFromLDAP authenticates the user against MinIO when the LDAP integration is enabled
-// if the authentication succeed *credentials.Credentials object is returned and we continue with the normal STSAssumeRole flow
+// if the authentication succeed *credentials.Login object is returned and we continue with the normal STSAssumeRole flow
 func GetConsoleCredentialsFromLDAP(endpoint, ldapUser, ldapPassword string) (*credentials.Credentials, error) {
 	creds, err := credentials.NewLDAPIdentity(endpoint, ldapUser, ldapPassword)
 	if err != nil {

pkg/auth/operator.go

@@ -76,7 +76,7 @@ func isServiceAccountTokenValid(ctx context.Context, operatorClient OperatorClie
 	return true
 }
 
-// GetConsoleCredentialsForOperator will validate the provided JWT (service account token) and return it in the form of credentials.Credentials
+// GetConsoleCredentialsForOperator will validate the provided JWT (service account token) and return it in the form of credentials.Login
 func GetConsoleCredentialsForOperator(jwt string) (*credentials.Credentials, error) {
 	ctx := context.Background()
 	opClientClientSet, err := cluster.OperatorClient(jwt)

pkg/auth/token.go

@@ -28,30 +28,26 @@ import (
 	"log"
 	"net/http"
 	"strings"
-	"time"
 
-	jwtgo "github.com/dgrijalva/jwt-go"
 	"github.com/go-openapi/swag"
 	"github.com/minio/console/models"
-	xjwt "github.com/minio/console/pkg/auth/jwt"
+	"github.com/minio/console/pkg/auth/token"
 	"github.com/minio/minio-go/v7/pkg/credentials"
-	uuid "github.com/satori/go.uuid"
 	"golang.org/x/crypto/pbkdf2"
 )
 
 var (
-	errAuthentication = errors.New("authentication failed, check your access credentials")
+	errNoAuthToken  = errors.New("session token missing")
-	errNoAuthToken    = errors.New("JWT token missing")
+	errReadingToken = errors.New("session token internal data is malformed")
-	errReadingToken   = errors.New("JWT internal data is malformed")
+	errClaimsFormat = errors.New("encrypted session token claims not in the right format")
-	errClaimsFormat   = errors.New("encrypted jwt claims not in the right format")
 )
 
-// derivedKey is the key used to encrypt the JWT claims, its derived using pbkdf on CONSOLE_PBKDF_PASSPHRASE with CONSOLE_PBKDF_SALT
+// derivedKey is the key used to encrypt the session token claims, its derived using pbkdf on CONSOLE_PBKDF_PASSPHRASE with CONSOLE_PBKDF_SALT
-var derivedKey = pbkdf2.Key([]byte(xjwt.GetPBKDFPassphrase()), []byte(xjwt.GetPBKDFSalt()), 4096, 32, sha1.New)
+var derivedKey = pbkdf2.Key([]byte(token.GetPBKDFPassphrase()), []byte(token.GetPBKDFSalt()), 4096, 32, sha1.New)
 
-// IsJWTValid returns true or false depending if the provided jwt is valid or not
+// IsSessionTokenValid returns true or false depending if the provided session token is valid or not
-func IsJWTValid(token string) bool {
+func IsSessionTokenValid(token string) bool {
-	_, err := JWTAuthenticate(token)
+	_, err := SessionTokenAuthenticate(token)
 	return err == nil
 }
 
@@ -63,8 +59,8 @@ type DecryptedClaims struct {
 	Actions         []string
 }
 
-// JWTAuthenticate takes a jwt, decode it, extract claims and validate the signature
+// SessionTokenAuthenticate takes a session token, decode it, extract claims and validate the signature
-// if the jwt claims.Data is valid we proceed to decrypt the information inside
+// if the session token claims are valid we proceed to decrypt the information inside
 //
 // returns claims after validation in the following format:
 //
@@ -73,48 +69,36 @@ type DecryptedClaims struct {
 //		SecretAccessKey
 //		SessionToken
 //	}
-func JWTAuthenticate(token string) (*DecryptedClaims, error) {
+func SessionTokenAuthenticate(token string) (*DecryptedClaims, error) {
 	if token == "" {
 		return nil, errNoAuthToken
 	}
-	// initialize claims object
+	// decrypt encrypted token
-	claims := xjwt.NewMapClaims()
+	claimTokens, err := decryptClaims(token)
-	// populate the claims object
-	if err := xjwt.ParseWithClaims(token, claims); err != nil {
-		return nil, errAuthentication
-	}
-	// decrypt the claims.Data field
-	claimTokens, err := decryptClaims(claims.Data)
 	if err != nil {
 		// we print decryption token error information for debugging purposes
 		log.Println(err)
 		// we return a generic error that doesn't give any information to attackers
 		return nil, errReadingToken
 	}
-	// claimsTokens contains the decrypted STS claims
+	// claimsTokens contains the decrypted JWT for Console
 	return claimTokens, nil
 }
 
-// NewJWTWithClaimsForClient generates a new jwt with claims based on the provided STS credentials, first
+// NewEncryptedTokenForClient generates a new session token with claims based on the provided STS credentials, first
 // encrypts the claims and the sign them
-func NewJWTWithClaimsForClient(credentials *credentials.Value, actions []string, audience string) (string, error) {
+func NewEncryptedTokenForClient(credentials *credentials.Value, actions []string) (string, error) {
 	if credentials != nil {
 		encryptedClaims, err := encryptClaims(credentials.AccessKeyID, credentials.SecretAccessKey, credentials.SessionToken, actions)
 		if err != nil {
 			return "", err
 		}
-		claims := xjwt.NewStandardClaims()
+		return encryptedClaims, nil
-		claims.SetExpiry(time.Now().UTC().Add(xjwt.GetConsoleSTSAndJWTDurationTime()))
-		claims.SetSubject(uuid.NewV4().String())
-		claims.SetData(encryptedClaims)
-		claims.SetAudience(audience)
-		jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, claims)
-		return jwt.SignedString([]byte(xjwt.GetHmacJWTSecret()))
 	}
 	return "", errors.New("provided credentials are empty")
 }
 
-// encryptClaims() receives the 3 STS claims, concatenate them and encrypt them using AES-GCM
+// encryptClaims() receives the STS claims, concatenate them and encrypt them using AES-GCM
 // returns a base64 encoded ciphertext
 func encryptClaims(accessKeyID, secretAccessKey, sessionToken string, actions []string) (string, error) {
 	payload := []byte(fmt.Sprintf("%s#%s#%s#%s", accessKeyID, secretAccessKey, sessionToken, strings.Join(actions, ",")))
@@ -189,7 +173,7 @@ func decrypt(data []byte) ([]byte, error) {
 // GetTokenFromRequest returns a token from a http Request
 // either defined on a cookie `token` or on Authorization header.
 //
-// Authorization Header needs to be like "Authorization Bearer <jwt_token>"
+// Authorization Header needs to be like "Authorization Bearer <token>"
 func GetTokenFromRequest(r *http.Request) (*string, error) {
 	// Get Auth token
 	var reqToken string
@@ -216,9 +200,9 @@ func GetClaimsFromTokenInRequest(req *http.Request) (*models.Principal, error) {
 	if err != nil {
 		return nil, err
 	}
-	// Perform decryption of the JWT, if Console is able to decrypt the JWT that means a valid session
+	// Perform decryption of the session token, if Console is able to decrypt the session token that means a valid session
 	// was used in the first place to get it
-	claims, err := JWTAuthenticate(*sessionID)
+	claims, err := SessionTokenAuthenticate(*sessionID)
 	if err != nil {
 		return nil, err
 	}

pkg/auth/token/config.go

@@ -14,24 +14,15 @@
 // You should have received a copy of the GNU Affero General Public License
 // along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-package jwt
+package token
 
 import (
 	"strconv"
-	"time"
 
 	"github.com/minio/console/pkg/auth/utils"
 	"github.com/minio/minio/pkg/env"
 )
 
-// defaultHmacJWTPassphrase will be used by default if application is not configured with a custom CONSOLE_HMAC_JWT_SECRET secret
-var defaultHmacJWTPassphrase = utils.RandomCharString(64)
-
-// GetHmacJWTSecret returns the 64 bytes secret used for signing the generated JWT for the application
-func GetHmacJWTSecret() string {
-	return env.Get(ConsoleHmacJWTSecret, defaultHmacJWTPassphrase)
-}
-
 // ConsoleSTSAndJWTDurationSeconds returns the default session duration for the STS requested tokens and the generated JWTs.
 // Ideally both values should match so jwt and Minio sts sessions expires at the same time.
 func GetConsoleSTSAndJWTDurationInSeconds() int {
@@ -42,12 +33,6 @@ func GetConsoleSTSAndJWTDurationInSeconds() int {
 	return duration
 }
 
-// GetConsoleSTSAndJWTDurationTime returns GetConsoleSTSAndJWTDurationInSeconds in duration format
-func GetConsoleSTSAndJWTDurationTime() time.Duration {
-	duration := GetConsoleSTSAndJWTDurationInSeconds()
-	return time.Duration(duration) * time.Second
-}
-
 var defaultPBKDFPassphrase = utils.RandomCharString(64)
 
 // GetPBKDFPassphrase returns passphrase for the pbkdf2 function used to encrypt JWT payload

pkg/auth/token/const.go

@@ -14,10 +14,9 @@
 // You should have received a copy of the GNU Affero General Public License
 // along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-package jwt
+package token
 
 const (
-	ConsoleHmacJWTSecret            = "CONSOLE_HMAC_JWT_SECRET"
 	ConsoleSTSAndJWTDurationSeconds = "CONSOLE_STS_AND_JWT_DURATION_SECONDS"
 	ConsolePBKDFPassphrase          = "CONSOLE_PBKDF_PASSPHRASE"
 	ConsolePBKDFSalt                = "CONSOLE_PBKDF_SALT"

pkg/auth/token_test.go

@@ -23,7 +23,6 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-var audience = ""
 var creds = &credentials.Value{
 	AccessKeyID:     "fakeAccessKeyID",
 	SecretAccessKey: "fakeSecretAccessKey",
@@ -35,25 +34,25 @@ var badToken = "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJkYXRhIjoiRDMwYWE0ekQ1bWt
 
 func TestNewJWTWithClaimsForClient(t *testing.T) {
 	funcAssert := assert.New(t)
-	// Test-1 : NewJWTWithClaimsForClient() is generated correctly without errors
+	// Test-1 : NewEncryptedTokenForClient() is generated correctly without errors
-	function := "NewJWTWithClaimsForClient()"
+	function := "NewEncryptedTokenForClient()"
-	jwt, err := NewJWTWithClaimsForClient(creds, []string{""}, audience)
+	jwt, err := NewEncryptedTokenForClient(creds, []string{""})
 	if err != nil || jwt == "" {
 		t.Errorf("Failed on %s:, error occurred: %s", function, err)
 	}
 	// saving jwt for future tests
 	goodToken = jwt
-	// Test-2 : NewJWTWithClaimsForClient() throws error because of empty credentials
+	// Test-2 : NewEncryptedTokenForClient() throws error because of empty credentials
-	if _, err = NewJWTWithClaimsForClient(nil, []string{""}, audience); err != nil {
+	if _, err = NewEncryptedTokenForClient(nil, []string{""}); err != nil {
 		funcAssert.Equal("provided credentials are empty", err.Error())
 	}
 }
 
 func TestJWTAuthenticate(t *testing.T) {
 	funcAssert := assert.New(t)
-	// Test-1 : JWTAuthenticate() should correctly return the claims
+	// Test-1 : SessionTokenAuthenticate() should correctly return the claims
-	function := "JWTAuthenticate()"
+	function := "SessionTokenAuthenticate()"
-	claims, err := JWTAuthenticate(goodToken)
+	claims, err := SessionTokenAuthenticate(goodToken)
 	if err != nil || claims == nil {
 		t.Errorf("Failed on %s:, error occurred: %s", function, err)
 	} else {
@@ -61,20 +60,20 @@ func TestJWTAuthenticate(t *testing.T) {
 		funcAssert.Equal(claims.SecretAccessKey, creds.SecretAccessKey)
 		funcAssert.Equal(claims.SessionToken, creds.SessionToken)
 	}
-	// Test-2 : JWTAuthenticate() return an error because of a tampered jwt
+	// Test-2 : SessionTokenAuthenticate() return an error because of a tampered jwt
-	if _, err := JWTAuthenticate(badToken); err != nil {
+	if _, err := SessionTokenAuthenticate(badToken); err != nil {
-		funcAssert.Equal("authentication failed, check your access credentials", err.Error())
+		funcAssert.Equal("session token internal data is malformed", err.Error())
 	}
-	// Test-3 : JWTAuthenticate() return an error because of an empty jwt
+	// Test-3 : SessionTokenAuthenticate() return an error because of an empty jwt
-	if _, err := JWTAuthenticate(""); err != nil {
+	if _, err := SessionTokenAuthenticate(""); err != nil {
-		funcAssert.Equal("JWT token missing", err.Error())
+		funcAssert.Equal("session token missing", err.Error())
 	}
 }
 
 func TestIsJWTValid(t *testing.T) {
 	funcAssert := assert.New(t)
-	// Test-1 : JWTAuthenticate() provided token is valid
+	// Test-1 : SessionTokenAuthenticate() provided token is valid
-	funcAssert.Equal(true, IsJWTValid(goodToken))
+	funcAssert.Equal(true, IsSessionTokenValid(goodToken))
-	// Test-2 : JWTAuthenticate() provided token is invalid
+	// Test-2 : SessionTokenAuthenticate() provided token is invalid
-	funcAssert.Equal(false, IsJWTValid(badToken))
+	funcAssert.Equal(false, IsSessionTokenValid(badToken))
 }

pkg/kes/kes.go

@@ -0,0 +1,144 @@
+package kes
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"time"
+
+	"github.com/minio/kes"
+)
+
+type TLSProxyHeader struct {
+	ClientCert string `yaml:"cert,omitempty"`
+}
+
+type TLSProxy struct {
+	Identities *[]kes.Identity `yaml:"identities,omitempty"`
+	Header     *TLSProxyHeader `yaml:"header,omitempty"`
+}
+
+type TLS struct {
+	KeyPath  string    `yaml:"key,omitempty"`
+	CertPath string    `yaml:"cert,omitempty"`
+	Proxy    *TLSProxy `yaml:"proxy,omitempty"`
+}
+
+type Policy struct {
+	Paths      []string       `yaml:"paths,omitempty"`
+	Identities []kes.Identity `yaml:"identities,omitempty"`
+}
+
+type Expiry struct {
+	Any    time.Duration `yaml:"any,omitempty"`
+	Unused time.Duration `yaml:"unused,omitempty"`
+}
+
+type Cache struct {
+	Expiry *Expiry `yaml:"expiry,omitempty"`
+}
+
+type Log struct {
+	Error string `yaml:"error,omitempty"`
+	Audit string `yaml:"audit,omitempty"`
+}
+
+type Fs struct {
+	Path string `yaml:"path,omitempty"`
+}
+
+type AppRole struct {
+	EnginePath string        `yaml:"engine,omitempty"`
+	ID         string        `yaml:"id,omitempty"`
+	Secret     string        `yaml:"secret,omitempty"`
+	Retry      time.Duration `yaml:"retry,omitempty"`
+}
+
+type VaultTLS struct {
+	KeyPath  string `yaml:"key,omitempty"`
+	CertPath string `yaml:"cert,omitempty"`
+	CAPath   string `yaml:"ca,omitempty"`
+}
+
+type VaultStatus struct {
+	Ping time.Duration `yaml:"ping,omitempty"`
+}
+
+type Vault struct {
+	Endpoint   string       `yaml:"endpoint,omitempty"`
+	EnginePath string       `yaml:"engine,omitempty"`
+	Namespace  string       `yaml:"namespace,omitempty"`
+	Prefix     string       `yaml:"prefix,omitempty"`
+	AppRole    *AppRole     `yaml:"approle,omitempty"`
+	TLS        *VaultTLS    `yaml:"tls,omitempty"`
+	Status     *VaultStatus `yaml:"status,omitempty"`
+}
+
+type AwsSecretManagerLogin struct {
+	AccessKey    string `yaml:"accesskey"`
+	SecretKey    string `yaml:"secretkey"`
+	SessionToken string `yaml:"token"`
+}
+
+type AwsSecretManager struct {
+	Endpoint string                 `yaml:"endpoint,omitempty"`
+	Region   string                 `yaml:"region,omitempty"`
+	KmsKey   string                 ` yaml:"kmskey,omitempty"`
+	Login    *AwsSecretManagerLogin `yaml:"credentials,omitempty"`
+}
+
+type Aws struct {
+	SecretsManager *AwsSecretManager `yaml:"secretsmanager,omitempty"`
+}
+
+type GemaltoCredentials struct {
+	Token  string        `yaml:"token,omitempty"`
+	Domain string        `yaml:"domain,omitempty"`
+	Retry  time.Duration `yaml:"retry,omitempty"`
+}
+
+type GemaltoTLS struct {
+	CAPath string `yaml:"ca,omitempty"`
+}
+
+type GemaltoKeySecure struct {
+	Endpoint    string              `yaml:"endpoint,omitempty"`
+	Credentials *GemaltoCredentials `yaml:"credentials,omitempty"`
+	TLS         *GemaltoTLS         `yaml:"tls,omitempty"`
+}
+
+type Gemalto struct {
+	KeySecure *GemaltoKeySecure `yaml:"keysecure,omitempty"`
+}
+
+type Keys struct {
+	Fs      *Fs      `yaml:"fs,omitempty"`
+	Vault   *Vault   `yaml:"vault,omitempty"`
+	Aws     *Aws     `yaml:"aws,omitempty"`
+	Gemalto *Gemalto `yaml:"gemalto,omitempty"`
+}
+
+type ServerConfig struct {
+	Addr     string            `yaml:"address,omitempty"`
+	Root     kes.Identity      `yaml:"root,omitempty"`
+	TLS      TLS               `yaml:"tls,omitempty"`
+	Policies map[string]Policy `yaml:"policy,omitempty"`
+	Cache    Cache             `yaml:"cache,omitempty"`
+	Log      Log               `yaml:"log,omitempty"`
+	Keys     Keys              `yaml:"keys,omitempty"`
+}
+
+func ParseCertificate(cert []byte) (*x509.Certificate, error) {
+	for {
+		var certDERBlock *pem.Block
+		certDERBlock, cert = pem.Decode(cert)
+		if certDERBlock == nil {
+			break
+		}
+
+		if certDERBlock.Type == "CERTIFICATE" {
+			return x509.ParseCertificate(certDERBlock.Bytes)
+		}
+	}
+	return nil, errors.New("found no (non-CA) certificate in any PEM block")
+}

restapi/admin_tenants.go

@@ -18,6 +18,9 @@ package restapi
 
 import (
 	"context"
+	"crypto"
+	"encoding/base64"
+	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -29,13 +32,16 @@ import (
 	"strings"
 	"time"
 
+	"github.com/minio/console/pkg/kes"
+	kes2 "github.com/minio/kes"
+	"gopkg.in/yaml.v2"
 	"k8s.io/apimachinery/pkg/api/resource"
-	types "k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/types"
 
 	corev1 "k8s.io/api/core/v1"
 
 	"github.com/minio/console/cluster"
-	madmin "github.com/minio/minio/pkg/madmin"
+	"github.com/minio/minio/pkg/madmin"
 
 	"github.com/go-openapi/runtime/middleware"
 	"github.com/go-openapi/swag"
@@ -254,12 +260,12 @@ func listTenants(ctx context.Context, operatorClient OperatorClient, namespace s
 	}
 
 	var tenants []*models.TenantList
-	var totalSize int64
 
-	for _, minInst := range minTenants.Items {
+	for _, tenant := range minTenants.Items {
+		var totalSize int64
 		var instanceCount int64
 		var volumeCount int64
-		for _, zone := range minInst.Spec.Zones {
+		for _, zone := range tenant.Spec.Zones {
 			instanceCount = instanceCount + int64(zone.Servers)
 			volumeCount = volumeCount + int64(zone.Servers*zone.VolumesPerServer)
 			if zone.VolumeClaimTemplate != nil {
@@ -269,20 +275,20 @@ func listTenants(ctx context.Context, operatorClient OperatorClient, namespace s
 		}
 
 		tenants = append(tenants, &models.TenantList{
-			CreationDate:  minInst.ObjectMeta.CreationTimestamp.String(),
+			CreationDate:  tenant.ObjectMeta.CreationTimestamp.String(),
-			Name:          minInst.ObjectMeta.Name,
+			Name:          tenant.ObjectMeta.Name,
-			ZoneCount:     int64(len(minInst.Spec.Zones)),
+			ZoneCount:     int64(len(tenant.Spec.Zones)),
 			InstanceCount: instanceCount,
 			VolumeCount:   volumeCount,
-			CurrentState:  minInst.Status.CurrentState,
+			CurrentState:  tenant.Status.CurrentState,
-			Namespace:     minInst.ObjectMeta.Namespace,
+			Namespace:     tenant.ObjectMeta.Namespace,
 			TotalSize:     totalSize,
 		})
 	}
 
 	return &models.ListTenantsResponse{
 		Tenants: tenants,
-		Total:   0,
+		Total:   int64(len(tenants)),
 	}, nil
 }
 
@@ -325,6 +331,7 @@ func getListTenantsResponse(session *models.Principal, params admin_api.ListTena
 
 func getTenantCreatedResponse(session *models.Principal, params admin_api.CreateTenantParams) (*models.CreateTenantResponse, error) {
 	minioImage := params.Body.Image
+
 	if minioImage == "" {
 		minImg, err := cluster.GetMinioImage()
 		if err != nil {
@@ -332,18 +339,28 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
 		}
 		minioImage = *minImg
 	}
+	// get Kubernetes Client
+	clientset, err := cluster.K8sClient(session.SessionToken)
+	if err != nil {
+		return nil, err
+	}
+
+	ns := *params.Body.Namespace
 
 	// if access/secret are provided, use them, else create a random pair
 	accessKey := RandomCharString(16)
 	secretKey := RandomCharString(32)
+
 	if params.Body.AccessKey != "" {
 		accessKey = params.Body.AccessKey
 	}
 	if params.Body.SecretKey != "" {
 		secretKey = params.Body.SecretKey
 	}
+
 	secretName := fmt.Sprintf("%s-secret", *params.Body.Name)
 	imm := true
+
 	instanceSecret := corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: secretName,
@@ -355,25 +372,11 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
 		},
 	}
 
-	clientset, err := cluster.K8sClient(session.SessionToken)
-	if err != nil {
-		return nil, err
-	}
-	ns := *params.Body.Namespace
 	_, err = clientset.CoreV1().Secrets(ns).Create(context.Background(), &instanceSecret, metav1.CreateOptions{})
 	if err != nil {
 		return nil, err
 	}
 
-	enableSSL := false
-	if params.Body.EnableSsl != nil {
-		enableSSL = *params.Body.EnableSsl
-	}
-	enableConsole := true
-	if params.Body.EnableConsole != nil {
-		enableConsole = *params.Body.EnableConsole
-	}
-
 	//Construct a MinIO Instance with everything we are getting from parameters
 	minInst := operator.Tenant{
 		ObjectMeta: metav1.ObjectMeta{
@@ -385,14 +388,289 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
 			CredsSecret: &corev1.LocalObjectReference{
 				Name: secretName,
 			},
-			RequestAutoCert: enableSSL,
+			Env: []corev1.EnvVar{},
 		},
 	}
+
+	// operator request AutoCert feature
+	encryption := false
+	if params.Body.EnableSsl != nil {
+		encryption = true
+		minInst.Spec.RequestAutoCert = *params.Body.EnableSsl
+	}
+
+	// User provided TLS certificates (this will take priority over autoCert)
+	if params.Body.TLS != nil && params.Body.TLS.Crt != nil && params.Body.TLS.Key != nil {
+		encryption = true
+		externalTLSCertificateSecretName := fmt.Sprintf("%s-instance-external-certificates", secretName)
+		// disable autoCert
+		minInst.Spec.RequestAutoCert = false
+
+		tlsCrt, err := base64.StdEncoding.DecodeString(*params.Body.TLS.Crt)
+		if err != nil {
+			return nil, err
+		}
+
+		tlsKey, err := base64.StdEncoding.DecodeString(*params.Body.TLS.Key)
+		if err != nil {
+			return nil, err
+		}
+
+		externalTLSCertificateSecret := corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: externalTLSCertificateSecretName,
+			},
+			Type:      corev1.SecretTypeTLS,
+			Immutable: &imm,
+			Data: map[string][]byte{
+				"tls.crt": tlsCrt,
+				"tls.key": tlsKey,
+			},
+		}
+		_, err = clientset.CoreV1().Secrets(ns).Create(context.Background(), &externalTLSCertificateSecret, metav1.CreateOptions{})
+		if err != nil {
+			return nil, err
+		}
+		// Certificates used by the minio instance
+		minInst.Spec.ExternalCertSecret = &operator.LocalCertificateReference{
+			Name: externalTLSCertificateSecretName,
+			Type: "kubernetes.io/tls",
+		}
+	}
+
+	if params.Body.Encryption != nil && encryption {
+		// Enable auto encryption
+		minInst.Spec.Env = append(minInst.Spec.Env, corev1.EnvVar{
+			Name:  "MINIO_KMS_AUTO_ENCRYPTION",
+			Value: "on",
+		})
+
+		if params.Body.Encryption.MasterKey != "" {
+			// Configure MinIO to use MINIO_KMS_MASTER_KEY legacy key
+			// https://docs.min.io/docs/minio-vault-legacy.html
+			minInst.Spec.Env = append(minInst.Spec.Env, corev1.EnvVar{
+				Name:  "MINIO_KMS_MASTER_KEY",
+				Value: params.Body.Encryption.MasterKey,
+			})
+		} else {
+			// KES configuration for Tenant instance
+			minInst.Spec.KES = &operator.KESConfig{
+				Image:    "minio/kes:latest",
+				Replicas: 1,
+				Metadata: nil,
+			}
+			// Using custom image for KES
+			if params.Body.Encryption.Image != "" {
+				minInst.Spec.KES.Image = params.Body.Encryption.Image
+			}
+			// Secret to store KES server TLS certificates
+			serverTLSCrt, err := base64.StdEncoding.DecodeString(*params.Body.Encryption.Server.Crt)
+			if err != nil {
+				return nil, err
+			}
+			serverTLSKey, err := base64.StdEncoding.DecodeString(*params.Body.Encryption.Server.Key)
+			if err != nil {
+				return nil, err
+			}
+			kesExternalCertificateSecretName := fmt.Sprintf("%s-kes-external-certificates", secretName)
+			kesExternalCertificateSecret := corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: kesExternalCertificateSecretName,
+				},
+				Type:      corev1.SecretTypeTLS,
+				Immutable: &imm,
+				Data: map[string][]byte{
+					"tls.crt": serverTLSCrt,
+					"tls.key": serverTLSKey,
+				},
+			}
+			_, err = clientset.CoreV1().Secrets(ns).Create(context.Background(), &kesExternalCertificateSecret, metav1.CreateOptions{})
+			if err != nil {
+				return nil, err
+			}
+			// External certificates used by KES
+			minInst.Spec.KES.ExternalCertSecret = &operator.LocalCertificateReference{
+				Name: kesExternalCertificateSecretName,
+				Type: "kubernetes.io/tls",
+			}
+
+			// Secret to store KES clients TLS certificates (mTLS authentication)
+			clientTLSCrt, err := base64.StdEncoding.DecodeString(*params.Body.Encryption.Client.Crt)
+			if err != nil {
+				return nil, err
+			}
+			clientTLSKey, err := base64.StdEncoding.DecodeString(*params.Body.Encryption.Client.Key)
+			if err != nil {
+				return nil, err
+			}
+			instanceExternalClientCertificateSecretName := fmt.Sprintf("%s-instance-external-client-certificates", secretName)
+			instanceExternalClientCertificateSecret := corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: instanceExternalClientCertificateSecretName,
+				},
+				Type:      corev1.SecretTypeTLS,
+				Immutable: &imm,
+				Data: map[string][]byte{
+					"tls.crt": clientTLSCrt,
+					"tls.key": clientTLSKey,
+				},
+			}
+			_, err = clientset.CoreV1().Secrets(ns).Create(context.Background(), &instanceExternalClientCertificateSecret, metav1.CreateOptions{})
+			if err != nil {
+				return nil, err
+			}
+			// KES client certificates used by MinIO instance
+			minInst.Spec.ExternalClientCertSecret = &operator.LocalCertificateReference{
+				Name: instanceExternalClientCertificateSecretName,
+				Type: "kubernetes.io/tls",
+			}
+			// Calculate the client cert identity based on the clientTLSCrt
+			h := crypto.SHA256.New()
+			certificate, err := kes.ParseCertificate(clientTLSCrt)
+			if err != nil {
+				return nil, err
+			}
+			h.Write(certificate.RawSubjectPublicKeyInfo)
+			clientCrtIdentity := hex.EncodeToString(h.Sum(nil))
+			// Default configuration for KES
+			kesConfig := kes.ServerConfig{
+				Addr: "0.0.0.0:7373",
+				Root: "disabled",
+				TLS: kes.TLS{
+					KeyPath:  "/tmp/kes/server.key",
+					CertPath: "/tmp/kes/server.crt",
+				},
+				Policies: map[string]kes.Policy{
+					"default-policy": {
+						Paths: []string{
+							"/v1/key/create/my-minio-key",
+							"/v1/key/generate/my-minio-key",
+							"/v1/key/decrypt/my-minio-key",
+						},
+						Identities: []kes2.Identity{
+							kes2.Identity(clientCrtIdentity),
+						},
+					},
+				},
+				Cache: kes.Cache{
+					Expiry: &kes.Expiry{
+						Any:    5 * time.Minute,
+						Unused: 20 * time.Second,
+					},
+				},
+				Log: kes.Log{
+					Error: "on",
+					Audit: "off",
+				},
+				Keys: kes.Keys{},
+			}
+			// if encryption is enabled and encryption is configured to use Vault
+			if params.Body.Encryption.Vault != nil {
+				// Initialize Vault Config
+				kesConfig.Keys.Vault = &kes.Vault{
+					Endpoint:   *params.Body.Encryption.Vault.Endpoint,
+					EnginePath: params.Body.Encryption.Vault.Engine,
+					Namespace:  params.Body.Encryption.Vault.Namespace,
+					Prefix:     params.Body.Encryption.Vault.Prefix,
+					Status: &kes.VaultStatus{
+						Ping: 10 * time.Second,
+					},
+				}
+				// Vault AppRole credentials
+				if params.Body.Encryption.Vault.Approle != nil {
+					kesConfig.Keys.Vault.AppRole = &kes.AppRole{
+						EnginePath: params.Body.Encryption.Vault.Approle.Engine,
+						ID:         *params.Body.Encryption.Vault.Approle.ID,
+						Secret:     *params.Body.Encryption.Vault.Approle.Secret,
+						Retry:      15 * time.Second,
+					}
+				} else {
+					return nil, errors.New("approle credentials missing for kes")
+				}
+			} else if params.Body.Encryption.Aws != nil {
+				// Initialize AWS
+				kesConfig.Keys.Aws = &kes.Aws{
+					SecretsManager: &kes.AwsSecretManager{},
+				}
+				// AWS basic configuration
+				if params.Body.Encryption.Aws.Secretsmanager != nil {
+					kesConfig.Keys.Aws.SecretsManager.Endpoint = *params.Body.Encryption.Aws.Secretsmanager.Endpoint
+					kesConfig.Keys.Aws.SecretsManager.Region = *params.Body.Encryption.Aws.Secretsmanager.Region
+					kesConfig.Keys.Aws.SecretsManager.KmsKey = params.Body.Encryption.Aws.Secretsmanager.Kmskey
+					// AWS credentials
+					if params.Body.Encryption.Aws.Secretsmanager.Credentials != nil {
+						kesConfig.Keys.Aws.SecretsManager.Login = &kes.AwsSecretManagerLogin{
+							AccessKey:    *params.Body.Encryption.Aws.Secretsmanager.Credentials.Accesskey,
+							SecretKey:    *params.Body.Encryption.Aws.Secretsmanager.Credentials.Secretkey,
+							SessionToken: params.Body.Encryption.Aws.Secretsmanager.Credentials.Token,
+						}
+					}
+				}
+			} else if params.Body.Encryption.Gemalto != nil {
+				// Initialize Gemalto
+				kesConfig.Keys.Gemalto = &kes.Gemalto{
+					KeySecure: &kes.GemaltoKeySecure{},
+				}
+				// Gemalto Configuration
+				if params.Body.Encryption.Gemalto.Keysecure != nil {
+					kesConfig.Keys.Gemalto.KeySecure.Endpoint = *params.Body.Encryption.Gemalto.Keysecure.Endpoint
+					// Gemalto TLS configuration
+					if params.Body.Encryption.Gemalto.Keysecure.TLS != nil {
+						kesConfig.Keys.Gemalto.KeySecure.TLS = &kes.GemaltoTLS{
+							CAPath: *params.Body.Encryption.Gemalto.Keysecure.TLS.Ca,
+						}
+					}
+					// Gemalto Login
+					if params.Body.Encryption.Gemalto.Keysecure.Credentials != nil {
+						kesConfig.Keys.Gemalto.KeySecure.Credentials = &kes.GemaltoCredentials{
+							Token:  *params.Body.Encryption.Gemalto.Keysecure.Credentials.Token,
+							Domain: *params.Body.Encryption.Gemalto.Keysecure.Credentials.Domain,
+							Retry:  15 * time.Second,
+						}
+					}
+				}
+			}
+			// Generate Yaml configuration for KES
+			serverConfigYaml, err := yaml.Marshal(kesConfig)
+			if err != nil {
+				return nil, err
+			}
+			// Secret to store KES server configuration
+			kesConfigurationSecretName := fmt.Sprintf("%s-kes-configuration", secretName)
+			kesConfigurationSecret := corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: kesConfigurationSecretName,
+				},
+				Immutable: &imm,
+				Data: map[string][]byte{
+					"server-config.yaml": serverConfigYaml,
+				},
+			}
+			_, err = clientset.CoreV1().Secrets(ns).Create(context.Background(), &kesConfigurationSecret, metav1.CreateOptions{})
+			if err != nil {
+				return nil, err
+			}
+			// Configuration used by KES
+			minInst.Spec.KES.Configuration = &corev1.LocalObjectReference{
+				Name: kesConfigurationSecretName,
+			}
+		}
+	}
+
 	// optionals are set below
+	var consoleAccess string
+	var consoleSecret string
+
+	enableConsole := true
+	if params.Body.EnableConsole != nil {
+		enableConsole = *params.Body.EnableConsole
+	}
 
 	if enableConsole {
 		consoleSelector := fmt.Sprintf("%s-console", *params.Body.Name)
 		consoleSecretName := fmt.Sprintf("%s-secret", consoleSelector)
+		consoleAccess = RandomCharString(16)
+		consoleSecret = RandomCharString(32)
 		imm := true
 		instanceSecret := corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
@@ -403,8 +681,8 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
 				"CONSOLE_HMAC_JWT_SECRET":  []byte(RandomCharString(16)),
 				"CONSOLE_PBKDF_PASSPHRASE": []byte(RandomCharString(16)),
 				"CONSOLE_PBKDF_SALT":       []byte(RandomCharString(8)),
-				"CONSOLE_ACCESS_KEY":       []byte(RandomCharString(16)),
+				"CONSOLE_ACCESS_KEY":       []byte(consoleAccess),
-				"CONSOLE_SECRET_KEY":       []byte(RandomCharString(32)),
+				"CONSOLE_SECRET_KEY":       []byte(consoleSecret),
 			},
 		}
 		_, err = clientset.CoreV1().Secrets(ns).Create(context.Background(), &instanceSecret, metav1.CreateOptions{})
@@ -412,7 +690,7 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
 			return nil, err
 		}
 
-		const consoleVersion = "minio/console:v0.3.0"
+		const consoleVersion = "minio/console:v0.3.4"
 		minInst.Spec.Console = &operator.ConsoleConfiguration{
 			Replicas:      2,
 			Image:         consoleVersion,
@@ -462,11 +740,17 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
 			return nil, err
 		}
 	}
-
+	response := &models.CreateTenantResponse{
-	return &models.CreateTenantResponse{
 		AccessKey: accessKey,
 		SecretKey: secretKey,
-	}, nil
+	}
+	// Attach Console Credentials
+	if enableConsole {
+		response.Console = &models.CreateTenantResponseConsole{}
+		response.Console.AccessKey = consoleAccess
+		response.Console.SecretKey = consoleSecret
+	}
+	return response, nil
 }
 
 // updateTenantAction does an update on the minioTenant by patching the desired changes
@@ -661,8 +945,8 @@ func parseTenantZoneRequest(zoneParams *models.Zone) (*operator.Zone, error) {
 	}
 
 	// parse resources' requests
-	var resourcesRequests corev1.ResourceList
+	resourcesRequests := make(corev1.ResourceList)
-	var resourcesLimits corev1.ResourceList
+	resourcesLimits := make(corev1.ResourceList)
 	if zoneParams.Resources != nil {
 		for key, val := range zoneParams.Resources.Requests {
 			resourcesRequests[corev1.ResourceName(key)] = *resource.NewQuantity(val, resource.BinarySI)
@@ -846,8 +1130,8 @@ func parseTenantZone(zone *operator.Zone) *models.Zone {
 
 	// parse resources' requests
 	var resources *models.ZoneResources
-	var resourcesRequests map[string]int64
+	resourcesRequests := make(map[string]int64)
-	var resourcesLimits map[string]int64
+	resourcesLimits := make(map[string]int64)
 	for key, val := range zone.Resources.Requests {
 		resourcesRequests[key.String()] = val.Value()
 	}

restapi/client.go

@@ -26,8 +26,8 @@ import (
 	"github.com/minio/console/models"
 	"github.com/minio/console/pkg/acl"
 	"github.com/minio/console/pkg/auth"
-	xjwt "github.com/minio/console/pkg/auth/jwt"
 	"github.com/minio/console/pkg/auth/ldap"
+	xjwt "github.com/minio/console/pkg/auth/token"
 	mc "github.com/minio/mc/cmd"
 	"github.com/minio/mc/pkg/probe"
 	"github.com/minio/minio-go/v7"
@@ -125,7 +125,7 @@ func (c mcClient) watch(ctx context.Context, options mc.WatchOptions) (*mc.Watch
 }
 
 // ConsoleCredentials interface with all functions to be implemented
-// by mock when testing, it should include all needed consoleCredentials.Credentials api calls
+// by mock when testing, it should include all needed consoleCredentials.Login api calls
 // that are used within this project.
 type ConsoleCredentials interface {
 	Get() (credentials.Value, error)
@@ -137,12 +137,12 @@ type consoleCredentials struct {
 	consoleCredentials *credentials.Credentials
 }
 
-// implements *Credentials.Get()
+// implements *Login.Get()
 func (c consoleCredentials) Get() (credentials.Value, error) {
 	return c.consoleCredentials.Get()
 }
 
-// implements *Credentials.Expire()
+// implements *Login.Expire()
 func (c consoleCredentials) Expire() {
 	c.consoleCredentials.Expire()
 }
@@ -217,14 +217,14 @@ func newConsoleCredentials(accessKey, secretKey, location string) (*credentials.
 
 // GetClaimsFromJWT decrypt and returns the claims associated to a provided jwt
 func GetClaimsFromJWT(jwt string) (*auth.DecryptedClaims, error) {
-	claims, err := auth.JWTAuthenticate(jwt)
+	claims, err := auth.SessionTokenAuthenticate(jwt)
 	if err != nil {
 		return nil, err
 	}
 	return claims, nil
 }
 
-// getConsoleCredentialsFromSession returns the *consoleCredentials.Credentials associated to the
+// getConsoleCredentialsFromSession returns the *consoleCredentials.Login associated to the
 // provided jwt, this is useful for running the Expire() or IsExpired() operations
 func getConsoleCredentialsFromSession(claims *models.Principal) *credentials.Credentials {
 	return credentials.NewStaticV4(claims.AccessKeyID, claims.SecretAccessKey, claims.SessionToken)

restapi/configure_console.go

@@ -63,7 +63,7 @@ func configureAPI(api *operations.ConsoleAPI) http.Handler {
 	api.KeyAuth = func(token string, scopes []string) (*models.Principal, error) {
 		// we are validating the jwt by decrypting the claims inside, if the operation succed that means the jwt
 		// was generated and signed by us in the first place
-		claims, err := auth.JWTAuthenticate(token)
+		claims, err := auth.SessionTokenAuthenticate(token)
 		if err != nil {
 			log.Println(err)
 			return nil, errors.New(401, "incorrect api key auth")

restapi/embedded_spec.go

@@ -1860,6 +1860,51 @@ func init() {
         }
       }
     },
+    "awsConfiguration": {
+      "type": "object",
+      "required": [
+        "secretsmanager"
+      ],
+      "properties": {
+        "secretsmanager": {
+          "type": "object",
+          "required": [
+            "endpoint",
+            "region",
+            "credentials"
+          ],
+          "properties": {
+            "credentials": {
+              "type": "object",
+              "required": [
+                "accesskey",
+                "secretkey"
+              ],
+              "properties": {
+                "accesskey": {
+                  "type": "string"
+                },
+                "secretkey": {
+                  "type": "string"
+                },
+                "token": {
+                  "type": "string"
+                }
+              }
+            },
+            "endpoint": {
+              "type": "string"
+            },
+            "kmskey": {
+              "type": "string"
+            },
+            "region": {
+              "type": "string"
+            }
+          }
+        }
+      }
+    },
     "bucket": {
       "type": "object",
       "required": [
@@ -1987,6 +2032,10 @@ func init() {
           "type": "boolean",
           "default": true
         },
+        "encryption": {
+          "type": "object",
+          "$ref": "#/definitions/encryptionConfiguration"
+        },
         "image": {
           "type": "string"
         },
@@ -2006,6 +2055,10 @@ func init() {
         "service_name": {
           "type": "string"
         },
+        "tls": {
+          "type": "object",
+          "$ref": "#/definitions/tlsConfiguration"
+        },
         "zones": {
           "type": "array",
           "items": {
@@ -2020,11 +2073,75 @@ func init() {
         "access_key": {
           "type": "string"
         },
+        "console": {
+          "type": "object",
+          "properties": {
+            "access_key": {
+              "type": "string"
+            },
+            "secret_key": {
+              "type": "string"
+            }
+          }
+        },
         "secret_key": {
           "type": "string"
         }
       }
     },
+    "encryptionConfiguration": {
+      "type": "object",
+      "properties": {
+        "aws": {
+          "type": "object",
+          "$ref": "#/definitions/awsConfiguration"
+        },
+        "client": {
+          "type": "object",
+          "required": [
+            "crt",
+            "key"
+          ],
+          "properties": {
+            "crt": {
+              "type": "string"
+            },
+            "key": {
+              "type": "string"
+            }
+          }
+        },
+        "gemalto": {
+          "type": "object",
+          "$ref": "#/definitions/gemaltoConfiguration"
+        },
+        "image": {
+          "type": "string"
+        },
+        "master_key": {
+          "type": "string"
+        },
+        "server": {
+          "type": "object",
+          "required": [
+            "crt",
+            "key"
+          ],
+          "properties": {
+            "crt": {
+              "type": "string"
+            },
+            "key": {
+              "type": "string"
+            }
+          }
+        },
+        "vault": {
+          "type": "object",
+          "$ref": "#/definitions/vaultConfiguration"
+        }
+      }
+    },
     "error": {
       "type": "object",
       "required": [
@@ -2040,6 +2157,56 @@ func init() {
         }
       }
     },
+    "gemaltoConfiguration": {
+      "type": "object",
+      "required": [
+        "keysecure"
+      ],
+      "properties": {
+        "keysecure": {
+          "type": "object",
+          "required": [
+            "endpoint",
+            "credentials"
+          ],
+          "properties": {
+            "credentials": {
+              "type": "object",
+              "required": [
+                "token",
+                "domain"
+              ],
+              "properties": {
+                "domain": {
+                  "type": "string"
+                },
+                "retry": {
+                  "type": "integer",
+                  "format": "int64"
+                },
+                "token": {
+                  "type": "string"
+                }
+              }
+            },
+            "endpoint": {
+              "type": "string"
+            },
+            "tls": {
+              "type": "object",
+              "required": [
+                "ca"
+              ],
+              "properties": {
+                "ca": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        }
+      }
+    },
     "group": {
       "type": "object",
       "properties": {
@@ -2777,6 +2944,21 @@ func init() {
         }
       }
     },
+    "tlsConfiguration": {
+      "type": "object",
+      "required": [
+        "crt",
+        "key"
+      ],
+      "properties": {
+        "crt": {
+          "type": "string"
+        },
+        "key": {
+          "type": "string"
+        }
+      }
+    },
     "updateGroupRequest": {
       "type": "object",
       "required": [
@@ -2856,6 +3038,58 @@ func init() {
         }
       }
     },
+    "vaultConfiguration": {
+      "type": "object",
+      "required": [
+        "endpoint",
+        "approle"
+      ],
+      "properties": {
+        "approle": {
+          "type": "object",
+          "required": [
+            "id",
+            "secret"
+          ],
+          "properties": {
+            "engine": {
+              "type": "string"
+            },
+            "id": {
+              "type": "string"
+            },
+            "retry": {
+              "type": "integer",
+              "format": "int64"
+            },
+            "secret": {
+              "type": "string"
+            }
+          }
+        },
+        "endpoint": {
+          "type": "string"
+        },
+        "engine": {
+          "type": "string"
+        },
+        "namespace": {
+          "type": "string"
+        },
+        "prefix": {
+          "type": "string"
+        },
+        "status": {
+          "type": "object",
+          "properties": {
+            "ping": {
+              "type": "integer",
+              "format": "int64"
+            }
+          }
+        }
+      }
+    },
     "zone": {
       "type": "object",
       "required": [
@@ -4842,6 +5076,174 @@ func init() {
     }
   },
   "definitions": {
+    "AwsConfigurationSecretsmanager": {
+      "type": "object",
+      "required": [
+        "endpoint",
+        "region",
+        "credentials"
+      ],
+      "properties": {
+        "credentials": {
+          "type": "object",
+          "required": [
+            "accesskey",
+            "secretkey"
+          ],
+          "properties": {
+            "accesskey": {
+              "type": "string"
+            },
+            "secretkey": {
+              "type": "string"
+            },
+            "token": {
+              "type": "string"
+            }
+          }
+        },
+        "endpoint": {
+          "type": "string"
+        },
+        "kmskey": {
+          "type": "string"
+        },
+        "region": {
+          "type": "string"
+        }
+      }
+    },
+    "AwsConfigurationSecretsmanagerCredentials": {
+      "type": "object",
+      "required": [
+        "accesskey",
+        "secretkey"
+      ],
+      "properties": {
+        "accesskey": {
+          "type": "string"
+        },
+        "secretkey": {
+          "type": "string"
+        },
+        "token": {
+          "type": "string"
+        }
+      }
+    },
+    "CreateTenantResponseConsole": {
+      "type": "object",
+      "properties": {
+        "access_key": {
+          "type": "string"
+        },
+        "secret_key": {
+          "type": "string"
+        }
+      }
+    },
+    "EncryptionConfigurationClient": {
+      "type": "object",
+      "required": [
+        "crt",
+        "key"
+      ],
+      "properties": {
+        "crt": {
+          "type": "string"
+        },
+        "key": {
+          "type": "string"
+        }
+      }
+    },
+    "EncryptionConfigurationServer": {
+      "type": "object",
+      "required": [
+        "crt",
+        "key"
+      ],
+      "properties": {
+        "crt": {
+          "type": "string"
+        },
+        "key": {
+          "type": "string"
+        }
+      }
+    },
+    "GemaltoConfigurationKeysecure": {
+      "type": "object",
+      "required": [
+        "endpoint",
+        "credentials"
+      ],
+      "properties": {
+        "credentials": {
+          "type": "object",
+          "required": [
+            "token",
+            "domain"
+          ],
+          "properties": {
+            "domain": {
+              "type": "string"
+            },
+            "retry": {
+              "type": "integer",
+              "format": "int64"
+            },
+            "token": {
+              "type": "string"
+            }
+          }
+        },
+        "endpoint": {
+          "type": "string"
+        },
+        "tls": {
+          "type": "object",
+          "required": [
+            "ca"
+          ],
+          "properties": {
+            "ca": {
+              "type": "string"
+            }
+          }
+        }
+      }
+    },
+    "GemaltoConfigurationKeysecureCredentials": {
+      "type": "object",
+      "required": [
+        "token",
+        "domain"
+      ],
+      "properties": {
+        "domain": {
+          "type": "string"
+        },
+        "retry": {
+          "type": "integer",
+          "format": "int64"
+        },
+        "token": {
+          "type": "string"
+        }
+      }
+    },
+    "GemaltoConfigurationKeysecureTLS": {
+      "type": "object",
+      "required": [
+        "ca"
+      ],
+      "properties": {
+        "ca": {
+          "type": "string"
+        }
+      }
+    },
     "NodeSelectorTermMatchExpressionsItems0": {
       "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.",
       "type": "object",
@@ -4937,6 +5339,37 @@ func init() {
         }
       }
     },
+    "VaultConfigurationApprole": {
+      "type": "object",
+      "required": [
+        "id",
+        "secret"
+      ],
+      "properties": {
+        "engine": {
+          "type": "string"
+        },
+        "id": {
+          "type": "string"
+        },
+        "retry": {
+          "type": "integer",
+          "format": "int64"
+        },
+        "secret": {
+          "type": "string"
+        }
+      }
+    },
+    "VaultConfigurationStatus": {
+      "type": "object",
+      "properties": {
+        "ping": {
+          "type": "integer",
+          "format": "int64"
+        }
+      }
+    },
     "ZoneAffinityNodeAffinity": {
       "description": "Describes node affinity scheduling rules for the pod.",
       "type": "object",
@@ -5199,6 +5632,51 @@ func init() {
         }
       }
     },
+    "awsConfiguration": {
+      "type": "object",
+      "required": [
+        "secretsmanager"
+      ],
+      "properties": {
+        "secretsmanager": {
+          "type": "object",
+          "required": [
+            "endpoint",
+            "region",
+            "credentials"
+          ],
+          "properties": {
+            "credentials": {
+              "type": "object",
+              "required": [
+                "accesskey",
+                "secretkey"
+              ],
+              "properties": {
+                "accesskey": {
+                  "type": "string"
+                },
+                "secretkey": {
+                  "type": "string"
+                },
+                "token": {
+                  "type": "string"
+                }
+              }
+            },
+            "endpoint": {
+              "type": "string"
+            },
+            "kmskey": {
+              "type": "string"
+            },
+            "region": {
+              "type": "string"
+            }
+          }
+        }
+      }
+    },
     "bucket": {
       "type": "object",
       "required": [
@@ -5326,6 +5804,10 @@ func init() {
           "type": "boolean",
           "default": true
         },
+        "encryption": {
+          "type": "object",
+          "$ref": "#/definitions/encryptionConfiguration"
+        },
         "image": {
           "type": "string"
         },
@@ -5345,6 +5827,10 @@ func init() {
         "service_name": {
           "type": "string"
         },
+        "tls": {
+          "type": "object",
+          "$ref": "#/definitions/tlsConfiguration"
+        },
         "zones": {
           "type": "array",
           "items": {
@@ -5359,11 +5845,75 @@ func init() {
         "access_key": {
           "type": "string"
         },
+        "console": {
+          "type": "object",
+          "properties": {
+            "access_key": {
+              "type": "string"
+            },
+            "secret_key": {
+              "type": "string"
+            }
+          }
+        },
         "secret_key": {
           "type": "string"
         }
       }
     },
+    "encryptionConfiguration": {
+      "type": "object",
+      "properties": {
+        "aws": {
+          "type": "object",
+          "$ref": "#/definitions/awsConfiguration"
+        },
+        "client": {
+          "type": "object",
+          "required": [
+            "crt",
+            "key"
+          ],
+          "properties": {
+            "crt": {
+              "type": "string"
+            },
+            "key": {
+              "type": "string"
+            }
+          }
+        },
+        "gemalto": {
+          "type": "object",
+          "$ref": "#/definitions/gemaltoConfiguration"
+        },
+        "image": {
+          "type": "string"
+        },
+        "master_key": {
+          "type": "string"
+        },
+        "server": {
+          "type": "object",
+          "required": [
+            "crt",
+            "key"
+          ],
+          "properties": {
+            "crt": {
+              "type": "string"
+            },
+            "key": {
+              "type": "string"
+            }
+          }
+        },
+        "vault": {
+          "type": "object",
+          "$ref": "#/definitions/vaultConfiguration"
+        }
+      }
+    },
     "error": {
       "type": "object",
       "required": [
@@ -5379,6 +5929,56 @@ func init() {
         }
       }
     },
+    "gemaltoConfiguration": {
+      "type": "object",
+      "required": [
+        "keysecure"
+      ],
+      "properties": {
+        "keysecure": {
+          "type": "object",
+          "required": [
+            "endpoint",
+            "credentials"
+          ],
+          "properties": {
+            "credentials": {
+              "type": "object",
+              "required": [
+                "token",
+                "domain"
+              ],
+              "properties": {
+                "domain": {
+                  "type": "string"
+                },
+                "retry": {
+                  "type": "integer",
+                  "format": "int64"
+                },
+                "token": {
+                  "type": "string"
+                }
+              }
+            },
+            "endpoint": {
+              "type": "string"
+            },
+            "tls": {
+              "type": "object",
+              "required": [
+                "ca"
+              ],
+              "properties": {
+                "ca": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        }
+      }
+    },
     "group": {
       "type": "object",
       "properties": {
@@ -6050,6 +6650,21 @@ func init() {
         }
       }
     },
+    "tlsConfiguration": {
+      "type": "object",
+      "required": [
+        "crt",
+        "key"
+      ],
+      "properties": {
+        "crt": {
+          "type": "string"
+        },
+        "key": {
+          "type": "string"
+        }
+      }
+    },
     "updateGroupRequest": {
       "type": "object",
       "required": [
@@ -6129,6 +6744,58 @@ func init() {
         }
       }
     },
+    "vaultConfiguration": {
+      "type": "object",
+      "required": [
+        "endpoint",
+        "approle"
+      ],
+      "properties": {
+        "approle": {
+          "type": "object",
+          "required": [
+            "id",
+            "secret"
+          ],
+          "properties": {
+            "engine": {
+              "type": "string"
+            },
+            "id": {
+              "type": "string"
+            },
+            "retry": {
+              "type": "integer",
+              "format": "int64"
+            },
+            "secret": {
+              "type": "string"
+            }
+          }
+        },
+        "endpoint": {
+          "type": "string"
+        },
+        "engine": {
+          "type": "string"
+        },
+        "namespace": {
+          "type": "string"
+        },
+        "prefix": {
+          "type": "string"
+        },
+        "status": {
+          "type": "object",
+          "properties": {
+            "ping": {
+              "type": "integer",
+              "format": "int64"
+            }
+          }
+        }
+      }
+    },
     "zone": {
       "type": "object",
       "required": [

restapi/user_login.go

@@ -34,7 +34,7 @@ import (
 
 var (
 	errorGeneric          = errors.New("an error occurred, please try again")
-	errInvalidCredentials = errors.New("invalid Credentials")
+	errInvalidCredentials = errors.New("invalid Login")
 )
 
 func registerLoginHandlers(api *operations.ConsoleAPI) {
@@ -80,7 +80,7 @@ func login(credentials ConsoleCredentials, actions []string) (*string, error) {
 		return nil, errInvalidCredentials
 	}
 	// if we made it here, the consoleCredentials work, generate a jwt with claims
-	jwt, err := auth.NewJWTWithClaimsForClient(&tokens, actions, getMinIOServer())
+	jwt, err := auth.NewEncryptedTokenForClient(&tokens, actions)
 	if err != nil {
 		log.Println("error authenticating user", err)
 		return nil, errInvalidCredentials

swagger.yml

@@ -1810,6 +1810,162 @@ definitions:
         type: object
         additionalProperties:
           type: string
+      tls:
+        type: object
+        $ref: "#/definitions/tlsConfiguration"
+      encryption:
+        type: object
+        $ref: "#/definitions/encryptionConfiguration"
+
+  tlsConfiguration:
+    type: object
+    required:
+      - crt
+      - key
+    properties:
+      crt:
+        type: string
+      key:
+        type: string
+
+  encryptionConfiguration:
+    type: object
+    properties:
+      image:
+        type: string
+      server:
+        type: object
+        required:
+          - crt
+          - key
+        properties:
+          crt:
+            type: string
+          key:
+            type: string
+      client:
+        type: object
+        required:
+          - crt
+          - key
+        properties:
+          crt:
+            type: string
+          key:
+            type: string
+      master_key:
+        type: string
+      gemalto:
+        type: object
+        $ref: "#/definitions/gemaltoConfiguration"
+      aws:
+        type: object
+        $ref: "#/definitions/awsConfiguration"
+      vault:
+        type: object
+        $ref: "#/definitions/vaultConfiguration"
+
+  vaultConfiguration:
+    type: object
+    required:
+      - endpoint
+      - approle
+    properties:
+      endpoint:
+        type: string
+      engine:
+        type: string
+      namespace:
+        type: string
+      prefix:
+        type: string
+      approle:
+        type: object
+        required:
+          - id
+          - secret
+        properties:
+          engine:
+            type: string
+          id:
+            type: string
+          secret:
+            type: string
+          retry:
+            type: integer
+            format: int64
+      status:
+        type: object
+        properties:
+          ping:
+            type: integer
+            format: int64
+
+  awsConfiguration:
+    type: object
+    required:
+      - secretsmanager
+    properties:
+      secretsmanager:
+        type: object
+        required:
+          - endpoint
+          - region
+          - credentials
+        properties:
+          endpoint:
+            type: string
+          region:
+            type: string
+          kmskey:
+            type: string
+          credentials:
+            type: object
+            required:
+              - accesskey
+              - secretkey
+            properties:
+              accesskey:
+                type: string
+              secretkey:
+                type: string
+              token:
+                type: string
+
+  gemaltoConfiguration:
+    type: object
+    required:
+      - keysecure
+    properties:
+      keysecure:
+        type: object
+        required:
+          - endpoint
+          - credentials
+        properties:
+          endpoint:
+            type: string
+          credentials:
+            type: object
+            required:
+              - token
+              - domain
+            properties:
+              token:
+                type: string
+              domain:
+                type: string
+              retry:
+                type: integer
+                format: int64
+          tls:
+            type: object
+            required:
+              - ca
+            properties:
+              ca:
+                type: string
+
   createTenantResponse:
     type: object
     properties:
@@ -1817,6 +1973,13 @@ definitions:
         type: string
       secret_key:
         type: string
+      console:
+        type: object
+        properties:
+          access_key:
+            type: string
+          secret_key:
+            type: string
   zone:
     type: object
     required: