update to v0.3.17

Co-authored-by: Daniel Valdivia <hola@danielvaldivia.com>

cmd/console/server.go

@@ -47,12 +47,12 @@ var serverCmd = cli.Command{
 		},
 		cli.StringFlag{
 			Name:  "tls-host",
-			Value: restapi.GetSSLHostname(),
+			Value: restapi.GetTLSHostname(),
 			Usage: "HTTPS server hostname",
 		},
 		cli.IntFlag{
 			Name:  "tls-port",
-			Value: restapi.GetSSLPort(),
+			Value: restapi.GetTLSPort(),
 			Usage: "HTTPS server port",
 		},
 		cli.StringFlag{

go.mod

@@ -16,14 +16,15 @@ require (
 	github.com/jessevdk/go-flags v1.4.0
 	github.com/minio/cli v1.22.0
 	github.com/minio/kes v0.11.0
-	github.com/minio/mc v0.0.0-20200725183142-90d22b271f60
-	github.com/minio/minio v0.0.0-20200725154241-abbf6ce6ccf8
-	github.com/minio/minio-go/v7 v7.0.2
+	github.com/minio/mc v0.0.0-20200808005614-7e52c104bee1
+	github.com/minio/minio v0.0.0-20200808024306-2a9819aff876
+	github.com/minio/minio-go/v7 v7.0.5-0.20200807085956-d7db33ea7618
 	github.com/minio/operator v0.0.0-20200806194125-c2ff646f4af1
 	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
+	github.com/secure-io/sio-go v0.3.1
 	github.com/stretchr/testify v1.6.1
 	github.com/unrolled/secure v1.0.7
-	golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899
+	golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de
 	golang.org/x/net v0.0.0-20200707034311-ab3426394381
 	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
 	gopkg.in/yaml.v2 v2.3.0

go.sum

@@ -465,24 +465,26 @@ github.com/minio/highwayhash v1.0.0 h1:iMSDhgUILCr0TNm8LWlSjF8N0ZIj2qbO8WHp6Q/J2
 github.com/minio/highwayhash v1.0.0/go.mod h1:xQboMTeM9nY9v/LlAOxFctujiv5+Aq2hR5dxBpaMbdc=
 github.com/minio/kes v0.11.0 h1:8ma6OCVSxKT50b1uYXLJro3m7PmZtCLxBaTddQexI5k=
 github.com/minio/kes v0.11.0/go.mod h1:mTF1Bv8YVEtQqF/B7Felp4tLee44Pp+dgI0rhCvgNg8=
-github.com/minio/mc v0.0.0-20200725183142-90d22b271f60 h1:LevaZ33nx+rUzRsuU7rVvqXUP7VCu2BQanhITw4Z9rA=
-github.com/minio/mc v0.0.0-20200725183142-90d22b271f60/go.mod h1:Hvnyrb/NMM+pJ53JO/J3jxGtwPDYJh7K6c1D+RR2h2g=
+github.com/minio/mc v0.0.0-20200808005614-7e52c104bee1 h1:OrcFWsUIzKoXeIXVReZ7AryDtbPBLtkjDDOBnuU9RWY=
+github.com/minio/mc v0.0.0-20200808005614-7e52c104bee1/go.mod h1:OGP9+cwQ174WKwZTgJOIFstVv19CH0wdSDZSG6NyTuE=
 github.com/minio/md5-simd v1.1.0 h1:QPfiOqlZH+Cj9teu0t9b1nTBfPbyTl16Of5MeuShdK4=
 github.com/minio/md5-simd v1.1.0/go.mod h1:XpBqgZULrMYD3R+M28PcmP0CkI7PEMzB3U77ZrKZ0Gw=
-github.com/minio/minio v0.0.0-20200722004956-c43da3005ae8/go.mod h1:Eu2KC2p+vW03rnYY/6R/D+QduPB7/j4kBaVA/EDLjWM=
 github.com/minio/minio v0.0.0-20200723003940-b9be841fd222 h1:+XFGpEsqmA033nDX8LtjyPZy01Shivf6E2OL67WoGiE=
 github.com/minio/minio v0.0.0-20200723003940-b9be841fd222/go.mod h1:Eu2KC2p+vW03rnYY/6R/D+QduPB7/j4kBaVA/EDLjWM=
-github.com/minio/minio v0.0.0-20200725154241-abbf6ce6ccf8 h1:H0tUGnx1zkZCtqQp3LuV2GNjOasrJ9gmvlwOeDJDvzI=
-github.com/minio/minio v0.0.0-20200725154241-abbf6ce6ccf8/go.mod h1:NBWtYp4t5pt3TmbpW7FHChY6ZCs8n/gTRxZCF0mCcn8=
+github.com/minio/minio v0.0.0-20200807001021-adcaa6f9de88 h1:v2mCqNx6N02jcYHWjMPHdTN9+ogxEN9L+cCQJ+8j2AU=
+github.com/minio/minio v0.0.0-20200807001021-adcaa6f9de88/go.mod h1:r+PkhkMRxudvboO0Wa7F7nMiDfI8Rz1HZSza0uIhtMU=
+github.com/minio/minio v0.0.0-20200808024306-2a9819aff876 h1:e5114Mb8Evzt1QsA8b6PrXZ1KqBLts0CokpKeU1DV2U=
+github.com/minio/minio v0.0.0-20200808024306-2a9819aff876/go.mod h1:r+PkhkMRxudvboO0Wa7F7nMiDfI8Rz1HZSza0uIhtMU=
 github.com/minio/minio-go/v7 v7.0.1/go.mod h1:dJ80Mv2HeGkYLH1sqS/ksz07ON6csH3S6JUMSQ2zAns=
-github.com/minio/minio-go/v7 v7.0.2-0.20200722162308-e0105ca08252 h1:V2JkMDoSmEIhRcMJwX3qeJVOzy1B5bHpHbZaQu77vbs=
-github.com/minio/minio-go/v7 v7.0.2-0.20200722162308-e0105ca08252/go.mod h1:dJ80Mv2HeGkYLH1sqS/ksz07ON6csH3S6JUMSQ2zAns=
 github.com/minio/minio-go/v7 v7.0.2 h1:P/7wFd4KrRBHVo7AKdcqO+9ReoS+XpMjfRFoE5quH0E=
 github.com/minio/minio-go/v7 v7.0.2/go.mod h1:dJ80Mv2HeGkYLH1sqS/ksz07ON6csH3S6JUMSQ2zAns=
+github.com/minio/minio-go/v7 v7.0.3/go.mod h1:TA0CQCjJZHM5SJj9IjqR0NmpmQJ6bCbXifAJ3mUU6Hw=
+github.com/minio/minio-go/v7 v7.0.5-0.20200807085956-d7db33ea7618 h1:8iTb0TFs6kDGAUnhI/s2QCZOYcSTtYmY9dF+Cbc0WJo=
+github.com/minio/minio-go/v7 v7.0.5-0.20200807085956-d7db33ea7618/go.mod h1:CSt2ETZNs+bIIhWTse0mcZKZWMGrFU7Er7RR0TmkDYk=
 github.com/minio/operator v0.0.0-20200806194125-c2ff646f4af1 h1:ijXSIPjn/GZx1+RW1HQpScoifLNr8lVw5LNVKxysMWg=
 github.com/minio/operator v0.0.0-20200806194125-c2ff646f4af1/go.mod h1:V8RL9xPw3C9rC7DuEy7JHeSiOlTWvQhZvh2+YySBFbk=
-github.com/minio/selfupdate v0.3.0 h1:1qfaZscU3hWwX1cF5m5Dov8Z5aZNvPHk9LROzIkas1k=
-github.com/minio/selfupdate v0.3.0/go.mod h1:b8ThJzzH7u2MkF6PcIra7KaXO9Khf6alWPvMSyTDCFM=
+github.com/minio/selfupdate v0.3.1 h1:BWEFSNnrZVMUWXbXIgLDNDjbejkmpAmZvy/nCz1HlEs=
+github.com/minio/selfupdate v0.3.1/go.mod h1:b8ThJzzH7u2MkF6PcIra7KaXO9Khf6alWPvMSyTDCFM=
 github.com/minio/sha256-simd v0.1.1 h1:5QHSlgo3nt5yKOJrC7W8w7X+NFl8cMPZm96iu8kKUJU=
 github.com/minio/sha256-simd v0.1.1/go.mod h1:B5e1o+1/KgNmWrSQK08Y6Z1Vb5pwIktudl0J58iy0KM=
 github.com/minio/simdjson-go v0.1.5-0.20200303142138-b17fe061ea37 h1:pDeao6M5AEd8hwTtGmE0pVKomlL56JFRa5SiXDZAuJE=
@@ -599,6 +601,8 @@ github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rs/cors v1.7.0 h1:+88SsELBHx5r+hZ8TCkggzSstaWNbDvThkVK8H6f9ik=
 github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
+github.com/rs/xid v1.2.1 h1:mhH9Nq+C1fY2l1XIpgxIiUOfNpRBYH1kKcr+qfKgjRc=
+github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
 github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
@@ -674,6 +678,7 @@ github.com/xdg/stringprep v1.0.0/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5Qo6v2eYzo7kUS51QINcR5jNpbZS8=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 go.etcd.io/bbolt v1.3.5 h1:XAzx9gjCb0Rxj7EoqcClPD1d5ZBxZJk0jbuoPHenBt0=
 go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
 go.etcd.io/etcd/v3 v3.3.0-rc.0.0.20200707003333-58bb8ae09f8e h1:HZQLoe71Q24wVyDrGBRcVuogx32U+cPlcm/WoSLUI6c=
@@ -719,6 +724,8 @@ golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899 h1:DZhuSZLsGlFL4CmhA8BcRA0mnthyA/nZ00AqCUo7vHg=
 golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de h1:ikNHVSjEfnvz6sxdSPCaPt572qowuyMDMJLLm3Db3ig=
+golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@@ -729,6 +736,8 @@ golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHl
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
 golang.org/x/mod v0.2.0 h1:KU7oHjnv3XNWfa5COkzUifxZmxp1TyI7ImMXqFxLwvQ=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0 h1:RM4zey1++hCTbCVQfnWeKs9/IEsaBLA8vTkd0WVtmH4=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -752,6 +761,7 @@ golang.org/x/net v0.0.0-20191112182307-2180aed22343/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200602114024-627f9648deb9 h1:pNX+40auqi2JqRfOP1akLGtYcn15TUbkhwuCO3foqqM=
 golang.org/x/net v0.0.0-20200602114024-627f9648deb9/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200707034311-ab3426394381 h1:VXak5I6aEWmAXeQjA+QSZzlgNrpq9mjcfDemuexIKsU=
 golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -767,6 +777,7 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEha
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e h1:vcxGaoTs7kV8m5Np9uUNQin4BrLOthgV7252N8V+FwY=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -799,8 +810,8 @@ golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd h1:xhmwyvizuTgC2qz7ZlMluP20u
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae h1:Ih9Yo4hSPImZOpfGuA4bR/ORKTAbhZo2AbWNRCnevdo=
 golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200720211630-cb9d2d5c5666 h1:gVCS+QOncANNPlmlO1AhlU3oxs4V9z+gTtPwIk3p2N8=
-golang.org/x/sys v0.0.0-20200720211630-cb9d2d5c5666/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200806125547-5acd03effb82 h1:6cBnXxYO+CiRVrChvCosSv7magqTPbyAgz1M8iOv5wM=
+golang.org/x/sys v0.0.0-20200806125547-5acd03effb82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -835,6 +846,8 @@ golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200425043458-8463f397d07c h1:iHhCR0b26amDCiiO+kBguKZom9aMF+NrFxh9zeKR/XU=
 golang.org/x/tools v0.0.0-20200425043458-8463f397d07c/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200724172932-b5fc9d354d99 h1:OHn441rq5CeM5r1xJ0OmY7lfdTvnedi6k+vQiI7G9b8=
+golang.org/x/tools v0.0.0-20200724172932-b5fc9d354d99/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=

k8s/console/base/console-deployment.yaml

@@ -15,7 +15,7 @@ spec:
       serviceAccountName: console-sa
       containers:
         - name: console
-          image: minio/console:v0.3.9
+          image: minio/console:v0.3.17
           imagePullPolicy: "IfNotPresent"
           args:
             - server

k8s/console/base/kustomization.yaml

@@ -8,4 +8,4 @@ resources:
   - console-configmap.yaml
   - console-service.yaml
   - console-deployment.yaml
-  - minio-operator.yaml
+  - https://github.com/minio/operator/?ref=v3.0.10

k8s/operator-console/base/console-cluster-role.yaml

@@ -14,6 +14,7 @@ rules:
       - list
       - patch
       - update
+      - deletecollection
   - apiGroups:
       - ""
     resources:
@@ -22,12 +23,21 @@ rules:
       - services
       - events
       - resourcequotas
+      - nodes
     verbs:
       - get
       - watch
       - create
       - list
       - patch
+  - apiGroups:
+      - ""
+    resources:
+      - persistentvolumeclaims
+    verbs:
+      - deletecollection
+      - list
+      - get
   - apiGroups:
       - "storage.k8s.io"
     resources:

k8s/operator-console/base/console-deployment.yaml

@@ -15,7 +15,7 @@ spec:
       serviceAccountName: console-sa
       containers:
         - name: console
-          image: minio/console:v0.3.9
+          image: minio/console:v0.3.17
           imagePullPolicy: "IfNotPresent"
           env:
             - name: CONSOLE_OPERATOR_MODE

k8s/operator-console/base/kustomization.yaml

@@ -8,4 +8,4 @@ resources:
   - console-configmap.yaml
   - console-service.yaml
   - console-deployment.yaml
-  - minio-operator.yaml
+  - https://github.com/minio/operator/?ref=v3.0.10

models/create_tenant_request.go

@@ -42,11 +42,17 @@ type CreateTenantRequest struct {
 	// annotations
 	Annotations map[string]string `json:"annotations,omitempty"`
 
+	// console image
+	ConsoleImage string `json:"console_image,omitempty"`
+
 	// enable console
 	EnableConsole *bool `json:"enable_console,omitempty"`
 
-	// enable ssl
-	EnableSsl *bool `json:"enable_ssl,omitempty"`
+	// enable prometheus
+	EnablePrometheus *bool `json:"enable_prometheus,omitempty"`
+
+	// enable tls
+	EnableTLS *bool `json:"enable_tls,omitempty"`
 
 	// encryption
 	Encryption *EncryptionConfiguration `json:"encryption,omitempty"`
@@ -60,6 +66,9 @@ type CreateTenantRequest struct {
 	// image
 	Image string `json:"image,omitempty"`
 
+	// image pull secret
+	ImagePullSecret string `json:"image_pull_secret,omitempty"`
+
 	// image registry
 	ImageRegistry *ImageRegistry `json:"image_registry,omitempty"`
 

models/delete_tenant_request.go

@@ -0,0 +1,60 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2020 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package models
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+)
+
+// DeleteTenantRequest delete tenant request
+//
+// swagger:model deleteTenantRequest
+type DeleteTenantRequest struct {
+
+	// delete pvcs
+	DeletePvcs bool `json:"delete_pvcs,omitempty"`
+}
+
+// Validate validates this delete tenant request
+func (m *DeleteTenantRequest) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *DeleteTenantRequest) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *DeleteTenantRequest) UnmarshalBinary(b []byte) error {
+	var res DeleteTenantRequest
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}

models/encryption_configuration.go

@@ -26,7 +26,6 @@ import (
 	"github.com/go-openapi/errors"
 	"github.com/go-openapi/strfmt"
 	"github.com/go-openapi/swag"
-	"github.com/go-openapi/validate"
 )
 
 // EncryptionConfiguration encryption configuration
@@ -38,7 +37,7 @@ type EncryptionConfiguration struct {
 	Aws *AwsConfiguration `json:"aws,omitempty"`
 
 	// client
-	Client *EncryptionConfigurationClient `json:"client,omitempty"`
+	Client *KeyPairConfiguration `json:"client,omitempty"`
 
 	// gemalto
 	Gemalto *GemaltoConfiguration `json:"gemalto,omitempty"`
@@ -47,7 +46,7 @@ type EncryptionConfiguration struct {
 	Image string `json:"image,omitempty"`
 
 	// server
-	Server *EncryptionConfigurationServer `json:"server,omitempty"`
+	Server *KeyPairConfiguration `json:"server,omitempty"`
 
 	// vault
 	Vault *VaultConfiguration `json:"vault,omitempty"`
@@ -190,139 +189,3 @@ func (m *EncryptionConfiguration) UnmarshalBinary(b []byte) error {
 	*m = res
 	return nil
 }
-
-// EncryptionConfigurationClient encryption configuration client
-//
-// swagger:model EncryptionConfigurationClient
-type EncryptionConfigurationClient struct {
-
-	// crt
-	// Required: true
-	Crt *string `json:"crt"`
-
-	// key
-	// Required: true
-	Key *string `json:"key"`
-}
-
-// Validate validates this encryption configuration client
-func (m *EncryptionConfigurationClient) Validate(formats strfmt.Registry) error {
-	var res []error
-
-	if err := m.validateCrt(formats); err != nil {
-		res = append(res, err)
-	}
-
-	if err := m.validateKey(formats); err != nil {
-		res = append(res, err)
-	}
-
-	if len(res) > 0 {
-		return errors.CompositeValidationError(res...)
-	}
-	return nil
-}
-
-func (m *EncryptionConfigurationClient) validateCrt(formats strfmt.Registry) error {
-
-	if err := validate.Required("client"+"."+"crt", "body", m.Crt); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (m *EncryptionConfigurationClient) validateKey(formats strfmt.Registry) error {
-
-	if err := validate.Required("client"+"."+"key", "body", m.Key); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// MarshalBinary interface implementation
-func (m *EncryptionConfigurationClient) MarshalBinary() ([]byte, error) {
-	if m == nil {
-		return nil, nil
-	}
-	return swag.WriteJSON(m)
-}
-
-// UnmarshalBinary interface implementation
-func (m *EncryptionConfigurationClient) UnmarshalBinary(b []byte) error {
-	var res EncryptionConfigurationClient
-	if err := swag.ReadJSON(b, &res); err != nil {
-		return err
-	}
-	*m = res
-	return nil
-}
-
-// EncryptionConfigurationServer encryption configuration server
-//
-// swagger:model EncryptionConfigurationServer
-type EncryptionConfigurationServer struct {
-
-	// crt
-	// Required: true
-	Crt *string `json:"crt"`
-
-	// key
-	// Required: true
-	Key *string `json:"key"`
-}
-
-// Validate validates this encryption configuration server
-func (m *EncryptionConfigurationServer) Validate(formats strfmt.Registry) error {
-	var res []error
-
-	if err := m.validateCrt(formats); err != nil {
-		res = append(res, err)
-	}
-
-	if err := m.validateKey(formats); err != nil {
-		res = append(res, err)
-	}
-
-	if len(res) > 0 {
-		return errors.CompositeValidationError(res...)
-	}
-	return nil
-}
-
-func (m *EncryptionConfigurationServer) validateCrt(formats strfmt.Registry) error {
-
-	if err := validate.Required("server"+"."+"crt", "body", m.Crt); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (m *EncryptionConfigurationServer) validateKey(formats strfmt.Registry) error {
-
-	if err := validate.Required("server"+"."+"key", "body", m.Key); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// MarshalBinary interface implementation
-func (m *EncryptionConfigurationServer) MarshalBinary() ([]byte, error) {
-	if m == nil {
-		return nil, nil
-	}
-	return swag.WriteJSON(m)
-}
-
-// UnmarshalBinary interface implementation
-func (m *EncryptionConfigurationServer) UnmarshalBinary(b []byte) error {
-	var res EncryptionConfigurationServer
-	if err := swag.ReadJSON(b, &res); err != nil {
-		return err
-	}
-	*m = res
-	return nil
-}

models/idp_configuration.go

@@ -130,8 +130,8 @@ type IdpConfigurationActiveDirectory struct {
 	// server insecure
 	ServerInsecure bool `json:"server_insecure,omitempty"`
 
-	// skip ssl verification
-	SkipSslVerification bool `json:"skip_ssl_verification,omitempty"`
+	// skip tls verification
+	SkipTLSVerification bool `json:"skip_tls_verification,omitempty"`
 
 	// url
 	// Required: true

models/key_pair_configuration.go

@@ -0,0 +1,98 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2020 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package models
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+	"github.com/go-openapi/validate"
+)
+
+// KeyPairConfiguration key pair configuration
+//
+// swagger:model keyPairConfiguration
+type KeyPairConfiguration struct {
+
+	// crt
+	// Required: true
+	Crt *string `json:"crt"`
+
+	// key
+	// Required: true
+	Key *string `json:"key"`
+}
+
+// Validate validates this key pair configuration
+func (m *KeyPairConfiguration) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateCrt(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateKey(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *KeyPairConfiguration) validateCrt(formats strfmt.Registry) error {
+
+	if err := validate.Required("crt", "body", m.Crt); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (m *KeyPairConfiguration) validateKey(formats strfmt.Registry) error {
+
+	if err := validate.Required("key", "body", m.Key); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *KeyPairConfiguration) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *KeyPairConfiguration) UnmarshalBinary(b []byte) error {
+	var res KeyPairConfiguration
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}

models/tls_configuration.go

@@ -26,7 +26,6 @@ import (
 	"github.com/go-openapi/errors"
 	"github.com/go-openapi/strfmt"
 	"github.com/go-openapi/swag"
-	"github.com/go-openapi/validate"
 )
 
 // TLSConfiguration tls configuration
@@ -34,24 +33,22 @@ import (
 // swagger:model tlsConfiguration
 type TLSConfiguration struct {
 
-	// crt
-	// Required: true
-	Crt *string `json:"crt"`
+	// console
+	Console *KeyPairConfiguration `json:"console,omitempty"`
 
-	// key
-	// Required: true
-	Key *string `json:"key"`
+	// minio
+	Minio *KeyPairConfiguration `json:"minio,omitempty"`
 }
 
 // Validate validates this tls configuration
 func (m *TLSConfiguration) Validate(formats strfmt.Registry) error {
 	var res []error
 
-	if err := m.validateCrt(formats); err != nil {
+	if err := m.validateConsole(formats); err != nil {
 		res = append(res, err)
 	}
 
-	if err := m.validateKey(formats); err != nil {
+	if err := m.validateMinio(formats); err != nil {
 		res = append(res, err)
 	}
 
@@ -61,19 +58,37 @@ func (m *TLSConfiguration) Validate(formats strfmt.Registry) error {
 	return nil
 }
 
-func (m *TLSConfiguration) validateCrt(formats strfmt.Registry) error {
+func (m *TLSConfiguration) validateConsole(formats strfmt.Registry) error {
 
-	if err := validate.Required("crt", "body", m.Crt); err != nil {
-		return err
+	if swag.IsZero(m.Console) { // not required
+		return nil
+	}
+
+	if m.Console != nil {
+		if err := m.Console.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("console")
+			}
+			return err
+		}
 	}
 
 	return nil
 }
 
-func (m *TLSConfiguration) validateKey(formats strfmt.Registry) error {
+func (m *TLSConfiguration) validateMinio(formats strfmt.Registry) error {
 
-	if err := validate.Required("key", "body", m.Key); err != nil {
-		return err
+	if swag.IsZero(m.Minio) { // not required
+		return nil
+	}
+
+	if m.Minio != nil {
+		if err := m.Minio.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("minio")
+			}
+			return err
+		}
 	}
 
 	return nil

models/update_tenant_request.go

@@ -34,10 +34,17 @@ import (
 // swagger:model updateTenantRequest
 type UpdateTenantRequest struct {
 
+	// console image
+	// Pattern: ^((.*?)/(.*?):(.+))$
+	ConsoleImage string `json:"console_image,omitempty"`
+
 	// image
 	// Pattern: ^((.*?)/(.*?):(.+))$
 	Image string `json:"image,omitempty"`
 
+	// image pull secret
+	ImagePullSecret string `json:"image_pull_secret,omitempty"`
+
 	// image registry
 	ImageRegistry *ImageRegistry `json:"image_registry,omitempty"`
 }
@@ -46,6 +53,10 @@ type UpdateTenantRequest struct {
 func (m *UpdateTenantRequest) Validate(formats strfmt.Registry) error {
 	var res []error
 
+	if err := m.validateConsoleImage(formats); err != nil {
+		res = append(res, err)
+	}
+
 	if err := m.validateImage(formats); err != nil {
 		res = append(res, err)
 	}
@@ -60,6 +71,19 @@ func (m *UpdateTenantRequest) Validate(formats strfmt.Registry) error {
 	return nil
 }
 
+func (m *UpdateTenantRequest) validateConsoleImage(formats strfmt.Registry) error {
+
+	if swag.IsZero(m.ConsoleImage) { // not required
+		return nil
+	}
+
+	if err := validate.Pattern("console_image", "body", string(m.ConsoleImage), `^((.*?)/(.*?):(.+))$`); err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func (m *UpdateTenantRequest) validateImage(formats strfmt.Registry) error {
 
 	if swag.IsZero(m.Image) { // not required

models/zone.go

@@ -207,6 +207,9 @@ func (m *Zone) UnmarshalBinary(b []byte) error {
 // swagger:model ZoneVolumeConfiguration
 type ZoneVolumeConfiguration struct {
 
+	// labels
+	Labels map[string]string `json:"labels,omitempty"`
+
 	// size
 	// Required: true
 	Size *int64 `json:"size"`

pkg/auth/token.go

@@ -17,14 +17,17 @@
 package auth
 
 import (
+	"bytes"
 	"crypto/aes"
 	"crypto/cipher"
-	"crypto/rand"
+	"crypto/hmac"
 	"crypto/sha1"
+	"crypto/sha256"
 	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"strings"
@@ -33,6 +36,9 @@ import (
 	"github.com/minio/console/models"
 	"github.com/minio/console/pkg/auth/token"
 	"github.com/minio/minio-go/v7/pkg/credentials"
+	"github.com/secure-io/sio-go/sioutil"
+	"golang.org/x/crypto/chacha20"
+	"golang.org/x/crypto/chacha20poly1305"
 	"golang.org/x/crypto/pbkdf2"
 )
 
@@ -40,6 +46,7 @@ var (
 	errNoAuthToken  = errors.New("session token missing")
 	errReadingToken = errors.New("session token internal data is malformed")
 	errClaimsFormat = errors.New("encrypted session token claims not in the right format")
+	errorGeneric    = errors.New("an error has occurred")
 )
 
 // derivedKey is the key used to encrypt the session token claims, its derived using pbkdf on CONSOLE_PBKDF_PASSPHRASE with CONSOLE_PBKDF_SALT
@@ -102,9 +109,10 @@ func NewEncryptedTokenForClient(credentials *credentials.Value, actions []string
 // returns a base64 encoded ciphertext
 func encryptClaims(accessKeyID, secretAccessKey, sessionToken string, actions []string) (string, error) {
 	payload := []byte(fmt.Sprintf("%s#%s#%s#%s", accessKeyID, secretAccessKey, sessionToken, strings.Join(actions, ",")))
-	ciphertext, err := encrypt(payload)
+	ciphertext, err := encrypt(payload, []byte{})
 	if err != nil {
-		return "", err
+		log.Println(err)
+		return "", errorGeneric
 	}
 	return base64.StdEncoding.EncodeToString(ciphertext), nil
 }
@@ -116,7 +124,7 @@ func decryptClaims(ciphertext string) (*DecryptedClaims, error) {
 		log.Println(err)
 		return nil, errClaimsFormat
 	}
-	plaintext, err := decrypt(decoded)
+	plaintext, err := decrypt(decoded, []byte{})
 	if err != nil {
 		log.Println(err)
 		return nil, errClaimsFormat
@@ -136,37 +144,137 @@ func decryptClaims(ciphertext string) (*DecryptedClaims, error) {
 	}, nil
 }
 
-// Encrypt a blob of data using AEAD (AES-GCM) with a pbkdf2 derived key
-func encrypt(plaintext []byte) ([]byte, error) {
-	block, _ := aes.NewCipher(derivedKey)
-	gcm, err := cipher.NewGCM(block)
+const (
+	aesGcm   = 0x00
+	c20p1305 = 0x01
+)
+
+// Encrypt a blob of data using AEAD scheme, AES-GCM if the executing CPU
+// provides AES hardware support, otherwise will use ChaCha20-Poly1305
+// with a pbkdf2 derived key, this function should be used to encrypt a session
+// or data key provided as plaintext.
+//
+// The returned ciphertext data consists of:
+//    iv | AEAD ID | nonce | encrypted data
+//     32      1        12      ~ len(data)
+func encrypt(plaintext, associatedData []byte) ([]byte, error) {
+	iv, err := sioutil.Random(32) // 32 bit IV
 	if err != nil {
 		return nil, err
 	}
-	nonce := make([]byte, gcm.NonceSize())
-	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
+	var algorithm byte
+	if sioutil.NativeAES() {
+		algorithm = aesGcm
+	} else {
+		algorithm = c20p1305
+	}
+	var aead cipher.AEAD
+	switch algorithm {
+	case aesGcm:
+		mac := hmac.New(sha256.New, derivedKey)
+		mac.Write(iv)
+		sealingKey := mac.Sum(nil)
+
+		var block cipher.Block
+		block, err = aes.NewCipher(sealingKey)
+		if err != nil {
+			return nil, err
+		}
+		aead, err = cipher.NewGCM(block)
+		if err != nil {
+			return nil, err
+		}
+	case c20p1305:
+		var sealingKey []byte
+		sealingKey, err = chacha20.HChaCha20(derivedKey, iv)
+		if err != nil {
+			return nil, err
+		}
+		aead, err = chacha20poly1305.New(sealingKey)
+		if err != nil {
+			return nil, err
+		}
+	}
+	nonce, err := sioutil.Random(aead.NonceSize())
+	if err != nil {
 		return nil, err
 	}
-	cipherText := gcm.Seal(nonce, nonce, plaintext, nil)
-	return cipherText, nil
+
+	sealedBytes := aead.Seal(nil, nonce, plaintext, associatedData)
+
+	// ciphertext = iv | AEAD ID | nonce | sealed bytes
+
+	var buf bytes.Buffer
+	buf.Write(iv)
+	buf.WriteByte(algorithm)
+	buf.Write(nonce)
+	buf.Write(sealedBytes)
+
+	return buf.Bytes(), nil
 }
 
-// Decrypts a blob of data using AEAD (AES-GCM) with a pbkdf2 derived key
-func decrypt(data []byte) ([]byte, error) {
-	block, err := aes.NewCipher(derivedKey)
+// Decrypts a blob of data using AEAD scheme AES-GCM if the executing CPU
+// provides AES hardware support, otherwise will use ChaCha20-Poly1305with
+// and a pbkdf2 derived key
+func decrypt(ciphertext []byte, associatedData []byte) ([]byte, error) {
+	var (
+		iv        [32]byte
+		algorithm [1]byte
+		nonce     [12]byte // This depends on the AEAD but both used ciphers have the same nonce length.
+	)
+
+	r := bytes.NewReader(ciphertext)
+	if _, err := io.ReadFull(r, iv[:]); err != nil {
+		return nil, err
+	}
+	if _, err := io.ReadFull(r, algorithm[:]); err != nil {
+		return nil, err
+	}
+	if _, err := io.ReadFull(r, nonce[:]); err != nil {
+		return nil, err
+	}
+
+	var aead cipher.AEAD
+	switch algorithm[0] {
+	case aesGcm:
+		mac := hmac.New(sha256.New, derivedKey)
+		mac.Write(iv[:])
+		sealingKey := mac.Sum(nil)
+		block, err := aes.NewCipher(sealingKey[:])
+		if err != nil {
+			return nil, err
+		}
+		aead, err = cipher.NewGCM(block)
+		if err != nil {
+			return nil, err
+		}
+	case c20p1305:
+		sealingKey, err := chacha20.HChaCha20(derivedKey, iv[:])
+		if err != nil {
+			return nil, err
+		}
+		aead, err = chacha20poly1305.New(sealingKey)
+		if err != nil {
+			return nil, err
+		}
+	default:
+		return nil, fmt.Errorf("invalid algorithm: %v", algorithm)
+	}
+
+	if len(nonce) != aead.NonceSize() {
+		return nil, fmt.Errorf("invalid nonce size %d, expected %d", len(nonce), aead.NonceSize())
+	}
+
+	sealedBytes, err := ioutil.ReadAll(r)
 	if err != nil {
 		return nil, err
 	}
-	gcm, err := cipher.NewGCM(block)
-	if err != nil {
-		return nil, err
-	}
-	nonceSize := gcm.NonceSize()
-	nonce, cipherText := data[:nonceSize], data[nonceSize:]
-	plaintext, err := gcm.Open(nil, nonce, cipherText, nil)
+
+	plaintext, err := aead.Open(nil, nonce[:], sealedBytes, associatedData)
 	if err != nil {
 		return nil, err
 	}
+
 	return plaintext, nil
 }
 

pkg/auth/token_test.go

@@ -36,12 +36,12 @@ func TestNewJWTWithClaimsForClient(t *testing.T) {
 	funcAssert := assert.New(t)
 	// Test-1 : NewEncryptedTokenForClient() is generated correctly without errors
 	function := "NewEncryptedTokenForClient()"
-	jwt, err := NewEncryptedTokenForClient(creds, []string{""})
-	if err != nil || jwt == "" {
+	token, err := NewEncryptedTokenForClient(creds, []string{""})
+	if err != nil || token == "" {
 		t.Errorf("Failed on %s:, error occurred: %s", function, err)
 	}
-	// saving jwt for future tests
-	goodToken = jwt
+	// saving token for future tests
+	goodToken = token
 	// Test-2 : NewEncryptedTokenForClient() throws error because of empty credentials
 	if _, err = NewEncryptedTokenForClient(nil, []string{""}); err != nil {
 		funcAssert.Equal("provided credentials are empty", err.Error())

portal-ui/src/screens/Console/Tenants/ListTenants/AddTenant.tsx

@@ -111,7 +111,7 @@ const AddTenant = ({
   const [accessKey, setAccessKey] = useState<string>("");
   const [secretKey, setSecretKey] = useState<string>("");
   const [enableConsole, setEnableConsole] = useState<boolean>(true);
-  const [enableSSL, setEnableSSL] = useState<boolean>(false);
+  const [enableTLS, setEnableTLS] = useState<boolean>(false);
   const [sizeFactor, setSizeFactor] = useState<string>("Gi");
   const [storageClasses, setStorageClassesList] = useState<Opts[]>([]);
   const [validationErrors, setValidationErrors] = useState<any>({});
@@ -274,7 +274,7 @@ const AddTenant = ({
           name: tenantName,
           service_name: tenantName,
           image: imageName,
-          enable_ssl: enableSSL,
+          enable_tls: enableTLS,
           enable_console: enableConsole,
           access_key: accessKey,
           secret_key: secretKey,
@@ -750,17 +750,17 @@ const AddTenant = ({
           </Grid>
           <Grid item xs={12}>
             <CheckboxWrapper
-              value="enable_ssl"
-              id="enable_ssl"
-              name="enable_ssl"
-              checked={enableSSL}
+              value="enable_tls"
+              id="enable_tls"
+              name="enable_tls"
+              checked={enableTLS}
               onChange={(e) => {
                 const targetD = e.target;
                 const checked = targetD.checked;
 
-                setEnableSSL(checked);
+                setEnableTLS(checked);
               }}
-              label={"Enable SSL"}
+              label={"Enable TLS"}
             />
           </Grid>
         </React.Fragment>
@@ -882,9 +882,9 @@ const AddTenant = ({
                 <React.Fragment>
                   <TableRow>
                     <TableCell align="right" className={classes.tableTitle}>
-                      Enable SSL
+                      Enable TLS
                     </TableCell>
-                    <TableCell>{enableSSL ? "Enabled" : "Disabled"}</TableCell>
+                    <TableCell>{enableTLS ? "Enabled" : "Disabled"}</TableCell>
                   </TableRow>
                   <TableRow>
                     <TableCell align="right" className={classes.tableTitle}>

restapi/admin_tenants.go

@@ -54,10 +54,6 @@ import (
 	v1 "k8s.io/client-go/kubernetes/typed/core/v1"
 )
 
-const (
-	minioRegCred = "minio-regcred-secret"
-)
-
 type imageRegistry struct {
 	Auths map[string]imageRegistryCredentials `json:"auths"`
 }
@@ -114,7 +110,7 @@ func registerTenantHandlers(api *operations.ConsoleAPI) {
 		err := getDeleteTenantResponse(session, params)
 		if err != nil {
 			log.Println(err)
-			return admin_api.NewTenantInfoDefault(500).WithPayload(&models.Error{Code: 500, Message: swag.String("Unable to delete tenant")})
+			return admin_api.NewTenantInfoDefault(500).WithPayload(&models.Error{Code: 500, Message: swag.String(err.Error())})
 		}
 		return admin_api.NewTenantInfoOK()
 
@@ -149,25 +145,58 @@ func registerTenantHandlers(api *operations.ConsoleAPI) {
 	})
 }
 
-// deleteTenantAction performs the actions of deleting a tenant
-func deleteTenantAction(ctx context.Context, operatorClient OperatorClient, nameSpace, instanceName string) error {
-	err := operatorClient.TenantDelete(ctx, nameSpace, instanceName, metav1.DeleteOptions{})
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
 // getDeleteTenantResponse gets the output of deleting a minio instance
 func getDeleteTenantResponse(session *models.Principal, params admin_api.DeleteTenantParams) error {
 	opClientClientSet, err := cluster.OperatorClient(session.SessionToken)
 	if err != nil {
 		return err
 	}
+	// get Kubernetes Client
+	clientset, err := cluster.K8sClient(session.SessionToken)
+	if err != nil {
+		return err
+	}
 	opClient := &operatorClient{
 		client: opClientClientSet,
 	}
-	return deleteTenantAction(context.Background(), opClient, params.Namespace, params.Tenant)
+	deleteTenantPVCs := false
+	if params.Body != nil {
+		deleteTenantPVCs = params.Body.DeletePvcs
+	}
+	return deleteTenantAction(context.Background(), opClient, clientset.CoreV1(), params.Namespace, params.Tenant, deleteTenantPVCs)
+}
+
+// deleteTenantAction performs the actions of deleting a tenant
+//
+// It also adds the option of deleting the tenant's underlying pvcs if deletePvcs set
+func deleteTenantAction(
+	ctx context.Context,
+	operatorClient OperatorClient,
+	clientset v1.CoreV1Interface,
+	namespace, tenantName string,
+	deletePvcs bool) error {
+
+	err := operatorClient.TenantDelete(ctx, namespace, tenantName, metav1.DeleteOptions{})
+	if err != nil {
+		// try to delete pvc even if the tenant doesn't exist anymore but only if deletePvcs is set to true,
+		// else, we return the error
+		if (deletePvcs && !k8sErrors.IsNotFound(err)) || !deletePvcs {
+			return err
+		}
+	}
+
+	if deletePvcs {
+		opts := metav1.ListOptions{
+			LabelSelector: fmt.Sprintf("%s=%s", operator.TenantLabel, tenantName),
+		}
+		err = clientset.PersistentVolumeClaims(namespace).DeleteCollection(ctx, metav1.DeleteOptions{}, opts)
+		if err != nil {
+			return err
+		}
+		// delete all tenant's secrets only if deletePvcs = true
+		return clientset.Secrets(namespace).DeleteCollection(ctx, metav1.DeleteOptions{}, opts)
+	}
+	return nil
 }
 
 func getTenantScheme(mi *operator.Tenant) string {
@@ -178,7 +207,7 @@ func getTenantScheme(mi *operator.Tenant) string {
 	return scheme
 }
 
-func getTenantAdminClient(ctx context.Context, client K8sClient, namespace, tenantName, serviceName, scheme string) (*madmin.AdminClient, error) {
+func getTenantAdminClient(ctx context.Context, client K8sClient, namespace, tenantName, serviceName, scheme string, insecure bool) (*madmin.AdminClient, error) {
 	// get admin credentials from secret
 	creds, err := client.getSecret(ctx, namespace, fmt.Sprintf("%s-secret", tenantName), metav1.GetOptions{})
 	if err != nil {
@@ -194,11 +223,7 @@ func getTenantAdminClient(ctx context.Context, client K8sClient, namespace, tena
 		log.Println("tenant's secret doesn't contain secretkey")
 		return nil, errorGeneric
 	}
-	service, err := client.getService(ctx, namespace, serviceName, metav1.GetOptions{})
-	if err != nil {
-		return nil, err
-	}
-	mAdmin, pErr := NewAdminClient(scheme+"://"+net.JoinHostPort(service.Spec.ClusterIP, strconv.Itoa(operator.MinIOPort)), string(accessKey), string(secretkey))
+	mAdmin, pErr := NewAdminClientWithInsecure(scheme+"://"+net.JoinHostPort(serviceName, strconv.Itoa(operator.MinIOPort)), string(accessKey), string(secretkey), insecure)
 	if pErr != nil {
 		return nil, pErr.Cause
 	}
@@ -349,10 +374,10 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
 
 	if minioImage == "" {
 		minImg, err := cluster.GetMinioImage()
-		if err != nil {
-			return nil, err
+		// we can live without figuring out the latest version of MinIO, Operator will use a hardcoded value
+		if err == nil {
+			minioImage = *minImg
 		}
-		minioImage = *minImg
 	}
 	// get Kubernetes Client
 	clientset, err := cluster.K8sClient(session.SessionToken)
@@ -373,12 +398,16 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
 		secretKey = tenantReq.SecretKey
 	}
 
-	secretName := fmt.Sprintf("%s-secret", *tenantReq.Name)
+	tenantName := *tenantReq.Name
+	secretName := fmt.Sprintf("%s-secret", tenantName)
 	imm := true
 
 	instanceSecret := corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: secretName,
+			Labels: map[string]string{
+				operator.TenantLabel: tenantName,
+			},
 		},
 		Immutable: &imm,
 		Data: map[string][]byte{
@@ -407,7 +436,7 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
 	//Construct a MinIO Instance with everything we are getting from parameters
 	minInst := operator.Tenant{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: *tenantReq.Name,
+			Name: tenantName,
 		},
 		Spec: operator.TenantSpec{
 			Image:     minioImage,
@@ -424,7 +453,7 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
 		url := *tenantReq.Idp.ActiveDirectory.URL
 		userNameFormat := *tenantReq.Idp.ActiveDirectory.UsernameFormat
 		userSearchFilter := *tenantReq.Idp.ActiveDirectory.UserSearchFilter
-		tlsSkipVerify := tenantReq.Idp.ActiveDirectory.SkipSslVerification
+		tlsSkipVerify := tenantReq.Idp.ActiveDirectory.SkipTLSVerification
 		serverInsecure := tenantReq.Idp.ActiveDirectory.ServerInsecure
 		groupSearchDN := tenantReq.Idp.ActiveDirectory.GroupSearchBaseDn
 		groupSearchFilter := tenantReq.Idp.ActiveDirectory.GroupSearchFilter
@@ -470,26 +499,26 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
 		}
 	}
 
-	// operator request AutoCert feature
-	encryption := false
-	if tenantReq.EnableSsl != nil {
-		encryption = true
-		minInst.Spec.RequestAutoCert = *tenantReq.EnableSsl
+	isEncryptionAvailable := false
+	if tenantReq.EnableTLS != nil && *tenantReq.EnableTLS {
+		// If user request autoCert, Operator will generate certificate keypair for MinIO (server), Console (server) and KES (server and app mTLS)
+		isEncryptionAvailable = true
+		minInst.Spec.RequestAutoCert = *tenantReq.EnableTLS
 	}
 
-	// User provided TLS certificates (this will take priority over autoCert)
-	if tenantReq.TLS != nil && tenantReq.TLS.Crt != nil && tenantReq.TLS.Key != nil {
-		encryption = true
+	if !minInst.Spec.RequestAutoCert && tenantReq.TLS != nil && tenantReq.TLS.Minio != nil {
+		// User provided TLS certificates for MinIO
+		isEncryptionAvailable = true
 		externalTLSCertificateSecretName := fmt.Sprintf("%s-instance-external-certificates", secretName)
 		// disable autoCert
 		minInst.Spec.RequestAutoCert = false
 
-		tlsCrt, err := base64.StdEncoding.DecodeString(*tenantReq.TLS.Crt)
+		tlsCrt, err := base64.StdEncoding.DecodeString(*tenantReq.TLS.Minio.Crt)
 		if err != nil {
 			return nil, err
 		}
 
-		tlsKey, err := base64.StdEncoding.DecodeString(*tenantReq.TLS.Key)
+		tlsKey, err := base64.StdEncoding.DecodeString(*tenantReq.TLS.Minio.Key)
 		if err != nil {
 			return nil, err
 		}
@@ -497,6 +526,9 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
 		externalTLSCertificateSecret := corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: externalTLSCertificateSecretName,
+				Labels: map[string]string{
+					operator.TenantLabel: tenantName,
+				},
 			},
 			Type:      corev1.SecretTypeTLS,
 			Immutable: &imm,
@@ -516,19 +548,21 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
 		}
 	}
 
-	if tenantReq.Encryption != nil && encryption {
+	if tenantReq.Encryption != nil && isEncryptionAvailable {
 		// Enable auto encryption
 		minInst.Spec.Env = append(minInst.Spec.Env, corev1.EnvVar{
 			Name:  "MINIO_KMS_AUTO_ENCRYPTION",
 			Value: "on",
 		})
-		// KES client mTLSCertificates used by MinIO instance
-		minInst.Spec.ExternalClientCertSecret, err = getTenantExternalClientCertificates(ctx, clientset, ns, tenantReq.Encryption, secretName)
-		if err != nil {
-			return nil, err
+		// KES client mTLSCertificates used by MinIO instance, only if autoCert is not enabled
+		if !minInst.Spec.RequestAutoCert {
+			minInst.Spec.ExternalClientCertSecret, err = getTenantExternalClientCertificates(ctx, clientset, ns, tenantReq.Encryption, secretName, tenantName)
+			if err != nil {
+				return nil, err
+			}
 		}
 		// KES configuration for Tenant instance
-		minInst.Spec.KES, err = getKESConfiguration(ctx, clientset, ns, tenantReq.Encryption, secretName, minInst.Spec.RequestAutoCert)
+		minInst.Spec.KES, err = getKESConfiguration(ctx, clientset, ns, tenantReq.Encryption, secretName, tenantName, minInst.Spec.RequestAutoCert)
 		if err != nil {
 			return nil, err
 		}
@@ -539,12 +573,12 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
 	var consoleSecret string
 
 	enableConsole := true
-	if tenantReq.EnableConsole != nil {
+	if tenantReq.EnableConsole != nil && *tenantReq.EnableConsole {
 		enableConsole = *tenantReq.EnableConsole
 	}
 
 	if enableConsole {
-		consoleSelector := fmt.Sprintf("%s-console", *tenantReq.Name)
+		consoleSelector := fmt.Sprintf("%s-console", tenantName)
 		consoleSecretName := fmt.Sprintf("%s-secret", consoleSelector)
 		consoleAccess = RandomCharString(16)
 		consoleSecret = RandomCharString(32)
@@ -552,6 +586,9 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
 		instanceSecret := corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: consoleSecretName,
+				Labels: map[string]string{
+					operator.TenantLabel: tenantName,
+				},
 			},
 			Immutable: &imm,
 			Data: map[string][]byte{
@@ -589,9 +626,9 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
 			return nil, err
 		}
 
-		const consoleVersion = "minio/console:v0.3.9"
+		const consoleVersion = "minio/console:v0.3.17"
 		minInst.Spec.Console = &operator.ConsoleConfiguration{
-			Replicas:      2,
+			Replicas:      1,
 			Image:         consoleVersion,
 			ConsoleSecret: &corev1.LocalObjectReference{Name: consoleSecretName},
 			Resources: corev1.ResourceRequirements{
@@ -600,6 +637,42 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
 				},
 			},
 		}
+
+		if !minInst.Spec.RequestAutoCert && tenantReq.TLS != nil && tenantReq.TLS.Console != nil {
+			consoleExternalTLSCertificateSecretName := fmt.Sprintf("%s-console-external-certificates", secretName)
+			tlsCrt, err := base64.StdEncoding.DecodeString(*tenantReq.TLS.Console.Crt)
+			if err != nil {
+				return nil, err
+			}
+			tlsKey, err := base64.StdEncoding.DecodeString(*tenantReq.TLS.Console.Key)
+			if err != nil {
+				return nil, err
+			}
+			consoleExternalTLSCertificateSecret := corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: consoleExternalTLSCertificateSecretName,
+					Labels: map[string]string{
+						operator.TenantLabel: tenantName,
+					},
+				},
+				Type:      corev1.SecretTypeTLS,
+				Immutable: &imm,
+				Data: map[string][]byte{
+					"tls.crt": tlsCrt,
+					"tls.key": tlsKey,
+				},
+			}
+			_, err = clientset.CoreV1().Secrets(ns).Create(ctx, &consoleExternalTLSCertificateSecret, metav1.CreateOptions{})
+			if err != nil {
+				return nil, err
+			}
+			// Certificates used by the minio instance
+			minInst.Spec.Console.ExternalCertSecret = &operator.LocalCertificateReference{
+				Name: consoleExternalTLSCertificateSecretName,
+				Type: "kubernetes.io/tls",
+			}
+		}
+
 	}
 
 	// set the service name if provided
@@ -608,10 +681,12 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
 	}
 	// add annotations
 	var annotations map[string]string
-	if len(tenantReq.Annotations) > 0 {
-		if minInst.Spec.Metadata == nil {
-			minInst.Spec.Metadata = &metav1.ObjectMeta{}
+	if minInst.Spec.Metadata == nil {
+		minInst.Spec.Metadata = &metav1.ObjectMeta{
+			Annotations: map[string]string{},
 		}
+	}
+	if len(tenantReq.Annotations) > 0 {
 		annotations = tenantReq.Annotations
 		minInst.Spec.Metadata.Annotations = annotations
 	}
@@ -629,13 +704,32 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
 		minInst.Spec.Mountpath = tenantReq.MounthPath
 	}
 
-	if err := setImageRegistry(ctx, tenantReq.ImageRegistry, clientset.CoreV1(), ns); err != nil {
+	// We accept either `image_pull_secret` or the individual details of the `image_registry` but not both
+	var imagePullSecret string
+
+	if tenantReq.ImagePullSecret != "" {
+		imagePullSecret = tenantReq.ImagePullSecret
+	} else if imagePullSecret, err = setImageRegistry(ctx, tenantName, tenantReq.ImageRegistry, clientset.CoreV1(), ns); err != nil {
 		log.Println("error setting image registry secret:", err)
 		return nil, err
 	}
+	// pass the image pull secret to the Tenant
+	if imagePullSecret != "" {
+		minInst.Spec.ImagePullSecret = corev1.LocalObjectReference{
+			Name: imagePullSecret,
+		}
+	}
 
-	minInst.Spec.ImagePullSecret = corev1.LocalObjectReference{
-		Name: minioRegCred,
+	// prometheus annotations support
+	if tenantReq.EnablePrometheus != nil && *tenantReq.EnablePrometheus && minInst.Spec.Metadata != nil && minInst.Spec.Metadata.Annotations != nil {
+		minInst.Spec.Metadata.Annotations["prometheus.io/path"] = "/minio/prometheus/metrics"
+		minInst.Spec.Metadata.Annotations["prometheus.io/port"] = fmt.Sprint(operator.MinIOPort)
+		minInst.Spec.Metadata.Annotations["prometheus.io/scrape"] = "true"
+	}
+
+	// set console image if provided
+	if tenantReq.ConsoleImage != "" {
+		minInst.Spec.Console.Image = tenantReq.ConsoleImage
 	}
 
 	opClient, err := cluster.OperatorClient(session.SessionToken)
@@ -650,7 +744,7 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
 
 	// Integratrions
 	if os.Getenv("GKE_INTEGRATION") != "" {
-		err := gkeIntegration(clientset, *tenantReq.Name, ns, session.SessionToken)
+		err := gkeIntegration(clientset, tenantName, ns, session.SessionToken)
 		if err != nil {
 			return nil, err
 		}
@@ -669,9 +763,11 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
 	return response, nil
 }
 
-func setImageRegistry(ctx context.Context, req *models.ImageRegistry, clientset v1.CoreV1Interface, namespace string) error {
+// setImageRegistry creates a secret to store the private registry credentials, if one exist it updates the existing one
+// returns the name of the secret created/updated
+func setImageRegistry(ctx context.Context, tenantName string, req *models.ImageRegistry, clientset v1.CoreV1Interface, namespace string) (string, error) {
 	if req == nil || req.Registry == nil || req.Username == nil || req.Password == nil {
-		return nil
+		return "", nil
 	}
 
 	credentials := make(map[string]imageRegistryCredentials)
@@ -689,12 +785,17 @@ func setImageRegistry(ctx context.Context, req *models.ImageRegistry, clientset
 	}
 	imRegistryJSON, err := json.Marshal(imRegistry)
 	if err != nil {
-		return err
+		return "", err
 	}
 
+	pullSecretName := fmt.Sprintf("%s-regcred", tenantName)
+
 	instanceSecret := corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: minioRegCred,
+			Name: pullSecretName,
+			Labels: map[string]string{
+				operator.TenantLabel: tenantName,
+			},
 		},
 		Data: map[string][]byte{
 			corev1.DockerConfigJsonKey: []byte(string(imRegistryJSON)),
@@ -703,22 +804,22 @@ func setImageRegistry(ctx context.Context, req *models.ImageRegistry, clientset
 	}
 
 	// Get or Create secret if it doesn't exist
-	_, err = clientset.Secrets(namespace).Get(ctx, minioRegCred, metav1.GetOptions{})
+	_, err = clientset.Secrets(namespace).Get(ctx, pullSecretName, metav1.GetOptions{})
 	if err != nil {
 		if k8sErrors.IsNotFound(err) {
 			_, err = clientset.Secrets(namespace).Create(ctx, &instanceSecret, metav1.CreateOptions{})
 			if err != nil {
-				return err
+				return "", err
 			}
-			return nil
+			return "", nil
 		}
-		return err
+		return "", err
 	}
 	_, err = clientset.Secrets(namespace).Update(ctx, &instanceSecret, metav1.UpdateOptions{})
 	if err != nil {
-		return err
+		return "", err
 	}
-	return nil
+	return pullSecretName, nil
 }
 
 // updateTenantAction does an update on the minioTenant by patching the desired changes
@@ -726,25 +827,35 @@ func updateTenantAction(ctx context.Context, operatorClient OperatorClient, clie
 	imageToUpdate := params.Body.Image
 	imageRegistryReq := params.Body.ImageRegistry
 
-	if err := setImageRegistry(ctx, imageRegistryReq, clientset, namespace); err != nil {
-		log.Println("error setting image registry secret:", err)
-		return err
-	}
-
 	minInst, err := operatorClient.TenantGet(ctx, namespace, params.Tenant, metav1.GetOptions{})
 	if err != nil {
 		return err
 	}
+	// we can take either the `image_pull_secret` of the `image_registry` but not both
+	if params.Body.ImagePullSecret != "" {
+		minInst.Spec.ImagePullSecret.Name = params.Body.ImagePullSecret
+	} else {
+		// update the image pull secret content
+		if _, err := setImageRegistry(ctx, params.Tenant, imageRegistryReq, clientset, namespace); err != nil {
+			log.Println("error setting image registry secret:", err)
+			return err
+		}
+	}
+
+	// update the console image
+	if strings.TrimSpace(params.Body.ConsoleImage) != "" && minInst.Spec.Console != nil {
+		minInst.Spec.Console.Image = params.Body.ConsoleImage
+	}
 
 	// if image to update is empty we'll use the latest image by default
 	if strings.TrimSpace(imageToUpdate) != "" {
 		minInst.Spec.Image = imageToUpdate
 	} else {
 		im, err := cluster.GetLatestMinioImage(httpCl)
-		if err != nil {
-			return err
+		// if we can't get the MinIO image, we won' auto-update it unless it's explicit by name
+		if err == nil {
+			minInst.Spec.Image = *im
 		}
-		minInst.Spec.Image = *im
 	}
 
 	payloadBytes, err := json.Marshal(minInst)
@@ -858,15 +969,10 @@ func getTenantUsageResponse(session *models.Principal, params admin_api.GetTenan
 		log.Println("error getting minioTenant:", err)
 		return nil, err
 	}
+	minTenant.EnsureDefaults()
 	tenantScheme := getTenantScheme(minTenant)
 
-	svcName := minTenant.Spec.ServiceName
-	if svcName == "" {
-		svcName = minTenant.Name
-		// TODO:
-		// 1 get tenant services
-		// 2 filter out cluster ip svc
-	}
+	svcName := fmt.Sprintf("%s.%s.svc.cluster.local", minTenant.MinIOCIServiceName(), minTenant.Namespace)
 
 	mAdmin, err := getTenantAdminClient(
 		ctx,
@@ -874,7 +980,8 @@ func getTenantUsageResponse(session *models.Principal, params admin_api.GetTenan
 		params.Namespace,
 		params.Tenant,
 		svcName,
-		tenantScheme)
+		tenantScheme,
+		true)
 	if err != nil {
 		log.Println("error getting tenant's admin client:", err)
 		return nil, err
@@ -1043,7 +1150,8 @@ func parseTenantZoneRequest(zoneParams *models.Zone, annotations map[string]stri
 	// Pass annotations to the volume
 	vct := &corev1.PersistentVolumeClaim{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: "data",
+			Name:   "data",
+			Labels: zoneParams.VolumeConfiguration.Labels,
 		},
 		Spec: volTemp,
 	}
@@ -1306,7 +1414,7 @@ func parseNodeSelectorTerm(term *corev1.NodeSelectorTerm) *models.NodeSelectorTe
 	return &t
 }
 
-func getTenantExternalClientCertificates(ctx context.Context, clientSet *kubernetes.Clientset, ns string, encryptionCfg *models.EncryptionConfiguration, secretName string) (clientCertificates *operator.LocalCertificateReference, err error) {
+func getTenantExternalClientCertificates(ctx context.Context, clientSet *kubernetes.Clientset, ns string, encryptionCfg *models.EncryptionConfiguration, secretName, tenantName string) (clientCertificates *operator.LocalCertificateReference, err error) {
 	instanceExternalClientCertificateSecretName := fmt.Sprintf("%s-instance-external-client-mtls-certificates", secretName)
 	// If there's an error during this process we delete all KES configuration secrets
 	defer func() {
@@ -1331,6 +1439,9 @@ func getTenantExternalClientCertificates(ctx context.Context, clientSet *kuberne
 	instanceExternalClientCertificateSecret := corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: instanceExternalClientCertificateSecretName,
+			Labels: map[string]string{
+				operator.TenantLabel: tenantName,
+			},
 		},
 		Type:      corev1.SecretTypeTLS,
 		Immutable: &imm,
@@ -1351,7 +1462,7 @@ func getTenantExternalClientCertificates(ctx context.Context, clientSet *kuberne
 	return clientCertificates, nil
 }
 
-func getKESConfiguration(ctx context.Context, clientSet *kubernetes.Clientset, ns string, encryptionCfg *models.EncryptionConfiguration, secretName string, autoCert bool) (kesConfiguration *operator.KESConfig, err error) {
+func getKESConfiguration(ctx context.Context, clientSet *kubernetes.Clientset, ns string, encryptionCfg *models.EncryptionConfiguration, secretName, tenantName string, autoCert bool) (kesConfiguration *operator.KESConfig, err error) {
 	// secrets used by the KES configuration
 	instanceExternalClientCertificateSecretName := fmt.Sprintf("%s-instance-external-client-mtls-certificates", secretName)
 	kesExternalCertificateSecretName := fmt.Sprintf("%s-kes-external-mtls-certificates", secretName)
@@ -1407,6 +1518,9 @@ func getKESConfiguration(ctx context.Context, clientSet *kubernetes.Clientset, n
 		kesExternalCertificateSecret := corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: kesExternalCertificateSecretName,
+				Labels: map[string]string{
+					operator.TenantLabel: tenantName,
+				},
 			},
 			Type:      corev1.SecretTypeTLS,
 			Immutable: &imm,
@@ -1509,6 +1623,7 @@ func getKESConfiguration(ctx context.Context, clientSet *kubernetes.Clientset, n
 		// Vault mTLS kesConfiguration
 		if encryptionCfg.Vault.TLS != nil {
 			vaultTLSConfig := encryptionCfg.Vault.TLS
+			kesConfig.Keys.Vault.TLS = &kes.VaultTLS{}
 			if vaultTLSConfig.Crt != "" {
 				clientCrt, err := base64.StdEncoding.DecodeString(vaultTLSConfig.Crt)
 				if err != nil {
@@ -1591,6 +1706,9 @@ func getKESConfiguration(ctx context.Context, clientSet *kubernetes.Clientset, n
 		kesClientCertSecret := corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: kesClientCertSecretName,
+				Labels: map[string]string{
+					operator.TenantLabel: tenantName,
+				},
 			},
 			Immutable: &imm,
 			Data:      mTLSCertificates,
@@ -1614,6 +1732,9 @@ func getKESConfiguration(ctx context.Context, clientSet *kubernetes.Clientset, n
 	kesConfigurationSecret := corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: kesConfigurationSecretName,
+			Labels: map[string]string{
+				operator.TenantLabel: tenantName,
+			},
 		},
 		Immutable: &imm,
 		Data: map[string][]byte{

restapi/admin_tenants_test.go

@@ -33,9 +33,11 @@ import (
 	operator "github.com/minio/operator/pkg/apis/minio.min.io/v1"
 	v1 "github.com/minio/operator/pkg/apis/minio.min.io/v1"
 	corev1 "k8s.io/api/core/v1"
+	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	types "k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes/fake"
 )
@@ -91,6 +93,7 @@ func Test_TenantInfoTenantAdminClient(t *testing.T) {
 		tenantName  string
 		serviceName string
 		scheme      string
+		insecure    bool
 	}
 	tests := []struct {
 		name           string
@@ -236,7 +239,7 @@ func Test_TenantInfoTenantAdminClient(t *testing.T) {
 		k8sclientGetSecretMock = tt.mockGetSecret
 		k8sclientGetServiceMock = tt.mockGetService
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := getTenantAdminClient(tt.args.ctx, tt.args.client, tt.args.namespace, tt.args.tenantName, tt.args.serviceName, tt.args.scheme)
+			got, err := getTenantAdminClient(tt.args.ctx, tt.args.client, tt.args.namespace, tt.args.tenantName, tt.args.serviceName, tt.args.scheme, tt.args.insecure)
 			if err != nil {
 				if tt.wantErr {
 					return
@@ -334,12 +337,13 @@ func Test_TenantInfo(t *testing.T) {
 
 func Test_deleteTenantAction(t *testing.T) {
 	opClient := opClientMock{}
-
 	type args struct {
 		ctx              context.Context
 		operatorClient   OperatorClient
 		nameSpace        string
 		tenantName       string
+		deletePvcs       bool
+		objs             []runtime.Object
 		mockTenantDelete func(ctx context.Context, namespace string, tenantName string, options metav1.DeleteOptions) error
 	}
 	tests := []struct {
@@ -354,6 +358,7 @@ func Test_deleteTenantAction(t *testing.T) {
 				operatorClient: opClient,
 				nameSpace:      "default",
 				tenantName:     "minio-tenant",
+				deletePvcs:     false,
 				mockTenantDelete: func(ctx context.Context, namespace string, tenantName string, options metav1.DeleteOptions) error {
 					return nil
 				},
@@ -367,17 +372,155 @@ func Test_deleteTenantAction(t *testing.T) {
 				operatorClient: opClient,
 				nameSpace:      "default",
 				tenantName:     "minio-tenant",
+				deletePvcs:     false,
 				mockTenantDelete: func(ctx context.Context, namespace string, tenantName string, options metav1.DeleteOptions) error {
 					return errors.New("something happened")
 				},
 			},
 			wantErr: true,
 		},
+		{
+			// Delete only PVCs of the defined tenant on the specific namespace
+			name: "Delete PVCs on Tenant Deletion",
+			args: args{
+				ctx:            context.Background(),
+				operatorClient: opClient,
+				nameSpace:      "minio-tenant",
+				tenantName:     "tenant1",
+				deletePvcs:     true,
+				objs: []runtime.Object{
+					&corev1.PersistentVolumeClaim{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "PVC1",
+							Namespace: "minio-tenant",
+							Labels: map[string]string{
+								operator.TenantLabel: "tenant1",
+								operator.ZoneLabel:   "zone-1",
+							},
+						},
+					},
+				},
+				mockTenantDelete: func(ctx context.Context, namespace string, tenantName string, options metav1.DeleteOptions) error {
+					return nil
+				},
+			},
+			wantErr: false,
+		},
+		{
+			// Do not delete underlying pvcs
+			name: "Don't Delete PVCs on Tenant Deletion",
+			args: args{
+				ctx:            context.Background(),
+				operatorClient: opClient,
+				nameSpace:      "minio-tenant",
+				tenantName:     "tenant1",
+				deletePvcs:     false,
+				objs: []runtime.Object{
+					&corev1.PersistentVolumeClaim{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "PVC1",
+							Namespace: "minio-tenant",
+							Labels: map[string]string{
+								operator.TenantLabel: "tenant1",
+								operator.ZoneLabel:   "zone-1",
+							},
+						},
+					},
+				},
+				mockTenantDelete: func(ctx context.Context, namespace string, tenantName string, options metav1.DeleteOptions) error {
+					return nil
+				},
+			},
+			wantErr: false,
+		},
+		{
+			// If error is different than NotFound, PVC deletion should not continue
+			name: "Don't delete pvcs if error Deleting Tenant, return",
+			args: args{
+				ctx:            context.Background(),
+				operatorClient: opClient,
+				nameSpace:      "minio-tenant",
+				tenantName:     "tenant1",
+				deletePvcs:     true,
+				objs: []runtime.Object{
+					&corev1.PersistentVolumeClaim{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "PVC1",
+							Namespace: "minio-tenant",
+							Labels: map[string]string{
+								operator.TenantLabel: "tenant1",
+								operator.ZoneLabel:   "zone-1",
+							},
+						},
+					},
+				},
+				mockTenantDelete: func(ctx context.Context, namespace string, tenantName string, options metav1.DeleteOptions) error {
+					return errors.New("error returned")
+				},
+			},
+			wantErr: true,
+		},
+		{
+			// If error is NotFound while trying to Delete Tenant, PVC deletion should continue
+			name: "Delete pvcs if tenant not found",
+			args: args{
+				ctx:            context.Background(),
+				operatorClient: opClient,
+				nameSpace:      "minio-tenant",
+				tenantName:     "tenant1",
+				deletePvcs:     true,
+				objs: []runtime.Object{
+					&corev1.PersistentVolumeClaim{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "PVC1",
+							Namespace: "minio-tenant",
+							Labels: map[string]string{
+								operator.TenantLabel: "tenant1",
+								operator.ZoneLabel:   "zone-1",
+							},
+						},
+					},
+				},
+				mockTenantDelete: func(ctx context.Context, namespace string, tenantName string, options metav1.DeleteOptions) error {
+					return k8sErrors.NewNotFound(schema.GroupResource{}, "tenant1")
+				},
+			},
+			wantErr: false,
+		},
+		{
+			// If error is NotFound while trying to Delete Tenant and pvcdeletion=false,
+			// error should be returned
+			name: "Don't delete pvcs and return error if tenant not found",
+			args: args{
+				ctx:            context.Background(),
+				operatorClient: opClient,
+				nameSpace:      "minio-tenant",
+				tenantName:     "tenant1",
+				deletePvcs:     false,
+				objs: []runtime.Object{
+					&corev1.PersistentVolumeClaim{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "PVC1",
+							Namespace: "minio-tenant",
+							Labels: map[string]string{
+								operator.TenantLabel: "tenant1",
+								operator.ZoneLabel:   "zone-1",
+							},
+						},
+					},
+				},
+				mockTenantDelete: func(ctx context.Context, namespace string, tenantName string, options metav1.DeleteOptions) error {
+					return k8sErrors.NewNotFound(schema.GroupResource{}, "tenant1")
+				},
+			},
+			wantErr: true,
+		},
 	}
 	for _, tt := range tests {
 		opClientTenantDeleteMock = tt.args.mockTenantDelete
+		kubeClient := fake.NewSimpleClientset(tt.args.objs...)
 		t.Run(tt.name, func(t *testing.T) {
-			if err := deleteTenantAction(tt.args.ctx, tt.args.operatorClient, tt.args.nameSpace, tt.args.tenantName); (err != nil) != tt.wantErr {
+			if err := deleteTenantAction(tt.args.ctx, tt.args.operatorClient, kubeClient.CoreV1(), tt.args.nameSpace, tt.args.tenantName, tt.args.deletePvcs); (err != nil) != tt.wantErr {
 				t.Errorf("deleteTenantAction() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})
@@ -646,6 +789,7 @@ func Test_UpdateTenantAction(t *testing.T) {
 					return &http.Response{}, nil
 				},
 				params: admin_api.UpdateTenantParams{
+					Tenant: "minio-tenant",
 					Body: &models.UpdateTenantRequest{
 						Image: "minio/minio:RELEASE.2020-06-03T22-13-49Z",
 					},
@@ -674,6 +818,7 @@ func Test_UpdateTenantAction(t *testing.T) {
 					}, nil
 				},
 				params: admin_api.UpdateTenantParams{
+					Tenant: "minio-tenant",
 					Body: &models.UpdateTenantRequest{
 						Image: "",
 					},
@@ -682,7 +827,7 @@ func Test_UpdateTenantAction(t *testing.T) {
 			wantErr: false,
 		},
 		{
-			name: "Empty image input Error retrieving latest image",
+			name: "Empty image input Error retrieving latest image, nothing happens",
 			args: args{
 				ctx:            context.Background(),
 				operatorClient: opClient,
@@ -699,12 +844,63 @@ func Test_UpdateTenantAction(t *testing.T) {
 					return nil, errors.New("error")
 				},
 				params: admin_api.UpdateTenantParams{
+					Tenant: "minio-tenant",
 					Body: &models.UpdateTenantRequest{
 						Image: "",
 					},
 				},
 			},
-			wantErr: true,
+			wantErr: false,
+		},
+		{
+			name: "Update minio console version no errors",
+			args: args{
+				ctx:            context.Background(),
+				operatorClient: opClient,
+				httpCl:         httpClientM,
+				nameSpace:      "default",
+				tenantName:     "minio-tenant",
+				mockTenantPatch: func(ctx context.Context, namespace string, tenantName string, pt types.PatchType, data []byte, options metav1.PatchOptions) (*v1.Tenant, error) {
+					return &v1.Tenant{}, nil
+				},
+				mockTenantGet: func(ctx context.Context, namespace string, tenantName string, options metav1.GetOptions) (*v1.Tenant, error) {
+					return &v1.Tenant{}, nil
+				},
+				mockHTTPClientGet: func(url string) (resp *http.Response, err error) {
+					return nil, errors.New("use default minio")
+				},
+				params: admin_api.UpdateTenantParams{
+					Body: &models.UpdateTenantRequest{
+						ConsoleImage: "minio/console:v0.3.17",
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "Update minio image pull secrets no errors",
+			args: args{
+				ctx:            context.Background(),
+				operatorClient: opClient,
+				httpCl:         httpClientM,
+				nameSpace:      "default",
+				tenantName:     "minio-tenant",
+				mockTenantPatch: func(ctx context.Context, namespace string, tenantName string, pt types.PatchType, data []byte, options metav1.PatchOptions) (*v1.Tenant, error) {
+					return &v1.Tenant{}, nil
+				},
+				mockTenantGet: func(ctx context.Context, namespace string, tenantName string, options metav1.GetOptions) (*v1.Tenant, error) {
+					return &v1.Tenant{}, nil
+				},
+				mockHTTPClientGet: func(url string) (resp *http.Response, err error) {
+					return nil, errors.New("use default minio")
+				},
+				params: admin_api.UpdateTenantParams{
+					Body: &models.UpdateTenantRequest{
+						ImagePullSecret: "minio-regcred",
+					},
+				},
+			},
+			wantErr: false,
 		},
 	}
 	for _, tt := range tests {
@@ -714,7 +910,7 @@ func Test_UpdateTenantAction(t *testing.T) {
 		cnsClient := fake.NewSimpleClientset(tt.objs...)
 		t.Run(tt.name, func(t *testing.T) {
 			if err := updateTenantAction(tt.args.ctx, tt.args.operatorClient, cnsClient.CoreV1(), tt.args.httpCl, tt.args.nameSpace, tt.args.params); (err != nil) != tt.wantErr {
-				t.Errorf("deleteTenantAction() error = %v, wantErr %v", err, tt.wantErr)
+				t.Errorf("updateTenantAction() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})
 	}

restapi/client-admin.go

@@ -54,7 +54,8 @@ func NewAdminClientWithInsecure(url, accessKey, secretKey string, insecure bool)
 	if err != nil {
 		return nil, err.Trace(url)
 	}
-	s3Client.SetCustomTransport(STSClient.Transport)
+	stsClient := PrepareSTSClient(insecure)
+	s3Client.SetCustomTransport(stsClient.Transport)
 	return s3Client, nil
 }
 
@@ -266,7 +267,8 @@ func newAdminFromClaims(claims *models.Principal) (*madmin.AdminClient, error) {
 	if err != nil {
 		return nil, err
 	}
-	adminClient.SetCustomTransport(STSClient.Transport)
+	stsClient := PrepareSTSClient(false)
+	adminClient.SetCustomTransport(stsClient.Transport)
 	return adminClient, nil
 }
 

restapi/client.go

@@ -164,7 +164,6 @@ func (s consoleSTSAssumeRole) IsExpired() bool {
 
 // STSClient contains http.client configuration need it by STSAssumeRole
 var (
-	STSClient     = PrepareSTSClient()
 	MinioEndpoint = getMinIOServer()
 )
 
@@ -204,8 +203,9 @@ func newConsoleCredentials(accessKey, secretKey, location string) (*credentials.
 				Location:        location,
 				DurationSeconds: xjwt.GetConsoleSTSAndJWTDurationInSeconds(),
 			}
+			stsClient := PrepareSTSClient(false)
 			stsAssumeRole := &credentials.STSAssumeRole{
-				Client:      STSClient,
+				Client:      stsClient,
 				STSEndpoint: MinioEndpoint,
 				Options:     opts,
 			}
@@ -234,10 +234,11 @@ func getConsoleCredentialsFromSession(claims *models.Principal) *credentials.Cre
 // from the provided jwt
 func newMinioClient(claims *models.Principal) (*minio.Client, error) {
 	creds := getConsoleCredentialsFromSession(claims)
+	stsClient := PrepareSTSClient(false)
 	minioClient, err := minio.New(getMinIOEndpoint(), &minio.Options{
 		Creds:     creds,
 		Secure:    getMinIOEndpointIsSecure(),
-		Transport: STSClient.Transport,
+		Transport: stsClient.Transport,
 	})
 	if err != nil {
 		return nil, err
@@ -248,7 +249,7 @@ func newMinioClient(claims *models.Principal) (*minio.Client, error) {
 // newS3BucketClient creates a new mc S3Client to talk to the server based on a bucket
 func newS3BucketClient(claims *models.Principal, bucketName string) (*mc.S3Client, error) {
 	endpoint := getMinIOServer()
-	useSSL := getMinIOEndpointIsSecure()
+	useTLS := getMinIOEndpointIsSecure()
 
 	if strings.TrimSpace(bucketName) != "" {
 		endpoint += fmt.Sprintf("/%s", bucketName)
@@ -258,7 +259,7 @@ func newS3BucketClient(claims *models.Principal, bucketName string) (*mc.S3Clien
 		return nil, fmt.Errorf("the provided credentials are invalid")
 	}
 
-	s3Config := newS3Config(endpoint, claims.AccessKeyID, claims.SecretAccessKey, claims.SessionToken, !useSSL)
+	s3Config := newS3Config(endpoint, claims.AccessKeyID, claims.SecretAccessKey, claims.SessionToken, !useTLS)
 	client, pErr := mc.S3New(s3Config)
 	if pErr != nil {
 		return nil, pErr.Cause

restapi/config.go

@@ -105,15 +105,15 @@ func GetPort() int {
 	return port
 }
 
-// GetSSLHostname gets console ssl hostname set on env variable
+// GetTLSHostname gets console tls hostname set on env variable
 // or default one
-func GetSSLHostname() string {
+func GetTLSHostname() string {
 	return strings.ToLower(env.Get(ConsoleTLSHostname, TLSHostname))
 }
 
-// GetSSLPort gets console ssl port set on env variable
+// GetTLSPort gets console tls port set on env variable
 // or default one
-func GetSSLPort() int {
+func GetTLSPort() int {
 	port, err := strconv.Atoi(env.Get(ConsoleTLSPort, TLSPort))
 	if err != nil {
 		port = 9443
@@ -171,14 +171,14 @@ func getSecureHostsProxyHeaders() []string {
 	return []string{}
 }
 
-// If SSLRedirect is set to true, then only allow HTTPS requests. Default is true.
-func getSSLRedirect() bool {
-	return strings.ToLower(env.Get(ConsoleSecureSSLRedirect, TLSRedirect)) == "on"
+// If TLSRedirect is set to true, then only allow HTTPS requests. Default is true.
+func getTLSRedirect() bool {
+	return strings.ToLower(env.Get(ConsoleSecureTLSRedirect, TLSRedirect)) == "on"
 }
 
-// SSLHost is the host name that is used to redirect HTTP requests to HTTPS. Default is "", which indicates to use the same host.
-func getSecureSSLHost() string {
-	return env.Get(ConsoleSecureSSLHost, fmt.Sprintf("%s:%s", TLSHostname, TLSPort))
+// TLSHost is the host name that is used to redirect HTTP requests to HTTPS. Default is "", which indicates to use the same host.
+func getSecureTLSHost() string {
+	return env.Get(ConsoleSecureTLSHost, fmt.Sprintf("%s:%s", TLSHostname, TLSPort))
 }
 
 // STSSeconds is the max-age of the Strict-Transport-Security header. Default is 0, which would NOT include the header.
@@ -200,9 +200,9 @@ func getSecureSTSPreload() bool {
 	return strings.ToLower(env.Get(ConsoleSecureSTSPreload, "off")) == "on"
 }
 
-// If SSLTemporaryRedirect is true, the a 302 will be used while redirecting. Default is false (301).
-func getSecureSSLTemporaryRedirect() bool {
-	return strings.ToLower(env.Get(ConsoleSecureSSLTemporaryRedirect, "off")) == "on"
+// If TLSTemporaryRedirect is true, the a 302 will be used while redirecting. Default is false (301).
+func getSecureTLSTemporaryRedirect() bool {
+	return strings.ToLower(env.Get(ConsoleSecureTLSTemporaryRedirect, "off")) == "on"
 }
 
 // STS header is only included when the connection is HTTPS.

restapi/configure_console.go

@@ -149,12 +149,12 @@ func setupGlobalMiddleware(handler http.Handler) http.Handler {
 		AllowedHosts:                    getSecureAllowedHosts(),
 		AllowedHostsAreRegex:            getSecureAllowedHostsAreRegex(),
 		HostsProxyHeaders:               getSecureHostsProxyHeaders(),
-		SSLRedirect:                     getSSLRedirect(),
-		SSLHost:                         getSecureSSLHost(),
+		SSLRedirect:                     getTLSRedirect(),
+		SSLHost:                         getSecureTLSHost(),
 		STSSeconds:                      getSecureSTSSeconds(),
 		STSIncludeSubdomains:            getSecureSTSIncludeSubdomains(),
 		STSPreload:                      getSecureSTSPreload(),
-		SSLTemporaryRedirect:            getSecureSSLTemporaryRedirect(),
+		SSLTemporaryRedirect:            getSecureTLSTemporaryRedirect(),
 		SSLHostFunc:                     nil,
 		ForceSTSHeader:                  getSecureForceSTSHeader(),
 		FrameDeny:                       getSecureFrameDeny(),

restapi/consts.go

@@ -41,9 +41,9 @@ const (
 	ConsoleSecureSTSSeconds                      = "CONSOLE_SECURE_STS_SECONDS"
 	ConsoleSecureSTSIncludeSubdomains            = "CONSOLE_SECURE_STS_INCLUDE_SUB_DOMAINS"
 	ConsoleSecureSTSPreload                      = "CONSOLE_SECURE_STS_PRELOAD"
-	ConsoleSecureSSLRedirect                     = "CONSOLE_SECURE_SSL_REDIRECT"
-	ConsoleSecureSSLHost                         = "CONSOLE_SECURE_SSL_HOST"
-	ConsoleSecureSSLTemporaryRedirect            = "CONSOLE_SECURE_SSL_TEMPORARY_REDIRECT"
+	ConsoleSecureTLSRedirect                     = "CONSOLE_SECURE_TLS_REDIRECT"
+	ConsoleSecureTLSHost                         = "CONSOLE_SECURE_TLS_HOST"
+	ConsoleSecureTLSTemporaryRedirect            = "CONSOLE_SECURE_TLS_TEMPORARY_REDIRECT"
 	ConsoleSecureForceSTSHeader                  = "CONSOLE_SECURE_FORCE_STS_HEADER"
 	ConsoleSecurePublicKey                       = "CONSOLE_SECURE_PUBLIC_KEY"
 	ConsoleSecureReferrerPolicy                  = "CONSOLE_SECURE_REFERRER_POLICY"

restapi/embedded_spec.go

@@ -1007,7 +1007,7 @@ func init() {
         "tags": [
           "AdminAPI"
         ],
-        "summary": "Delete Tenant",
+        "summary": "Delete tenant and underlying pvcs",
         "operationId": "DeleteTenant",
         "parameters": [
           {
@@ -1021,6 +1021,13 @@ func init() {
             "name": "tenant",
             "in": "path",
             "required": true
+          },
+          {
+            "name": "body",
+            "in": "body",
+            "schema": {
+              "$ref": "#/definitions/deleteTenantRequest"
+            }
           }
         ],
         "responses": {
@@ -2024,11 +2031,18 @@ func init() {
             "type": "string"
           }
         },
+        "console_image": {
+          "type": "string"
+        },
         "enable_console": {
           "type": "boolean",
           "default": true
         },
-        "enable_ssl": {
+        "enable_prometheus": {
+          "type": "boolean",
+          "default": false
+        },
+        "enable_tls": {
           "type": "boolean",
           "default": true
         },
@@ -2046,6 +2060,9 @@ func init() {
         "image": {
           "type": "string"
         },
+        "image_pull_secret": {
+          "type": "string"
+        },
         "image_registry": {
           "$ref": "#/definitions/imageRegistry"
         },
@@ -2099,6 +2116,14 @@ func init() {
         }
       }
     },
+    "deleteTenantRequest": {
+      "type": "object",
+      "properties": {
+        "delete_pvcs": {
+          "type": "boolean"
+        }
+      }
+    },
     "encryptionConfiguration": {
       "type": "object",
       "properties": {
@@ -2108,18 +2133,7 @@ func init() {
         },
         "client": {
           "type": "object",
-          "required": [
-            "crt",
-            "key"
-          ],
-          "properties": {
-            "crt": {
-              "type": "string"
-            },
-            "key": {
-              "type": "string"
-            }
-          }
+          "$ref": "#/definitions/keyPairConfiguration"
         },
         "gemalto": {
           "type": "object",
@@ -2130,18 +2144,7 @@ func init() {
         },
         "server": {
           "type": "object",
-          "required": [
-            "crt",
-            "key"
-          ],
-          "properties": {
-            "crt": {
-              "type": "string"
-            },
-            "key": {
-              "type": "string"
-            }
-          }
+          "$ref": "#/definitions/keyPairConfiguration"
         },
         "vault": {
           "type": "object",
@@ -2257,7 +2260,7 @@ func init() {
             "server_insecure": {
               "type": "boolean"
             },
-            "skip_ssl_verification": {
+            "skip_tls_verification": {
               "type": "boolean"
             },
             "url": {
@@ -2311,6 +2314,21 @@ func init() {
         }
       }
     },
+    "keyPairConfiguration": {
+      "type": "object",
+      "required": [
+        "crt",
+        "key"
+      ],
+      "properties": {
+        "crt": {
+          "type": "string"
+        },
+        "key": {
+          "type": "string"
+        }
+      }
+    },
     "listBucketEventsResponse": {
       "type": "object",
       "properties": {
@@ -3034,16 +3052,14 @@ func init() {
     },
     "tlsConfiguration": {
       "type": "object",
-      "required": [
-        "crt",
-        "key"
-      ],
       "properties": {
-        "crt": {
-          "type": "string"
+        "console": {
+          "type": "object",
+          "$ref": "#/definitions/keyPairConfiguration"
         },
-        "key": {
-          "type": "string"
+        "minio": {
+          "type": "object",
+          "$ref": "#/definitions/keyPairConfiguration"
         }
       }
     },
@@ -3068,10 +3084,17 @@ func init() {
     "updateTenantRequest": {
       "type": "object",
       "properties": {
+        "console_image": {
+          "type": "string",
+          "pattern": "^((.*?)/(.*?):(.+))$"
+        },
         "image": {
           "type": "string",
           "pattern": "^((.*?)/(.*?):(.+))$"
         },
+        "image_pull_secret": {
+          "type": "string"
+        },
         "image_registry": {
           "$ref": "#/definitions/imageRegistry"
         }
@@ -3231,6 +3254,12 @@ func init() {
             "size"
           ],
           "properties": {
+            "labels": {
+              "type": "object",
+              "additionalProperties": {
+                "type": "string"
+              }
+            },
             "size": {
               "type": "integer"
             },
@@ -4419,7 +4448,7 @@ func init() {
         "tags": [
           "AdminAPI"
         ],
-        "summary": "Delete Tenant",
+        "summary": "Delete tenant and underlying pvcs",
         "operationId": "DeleteTenant",
         "parameters": [
           {
@@ -4433,6 +4462,13 @@ func init() {
             "name": "tenant",
             "in": "path",
             "required": true
+          },
+          {
+            "name": "body",
+            "in": "body",
+            "schema": {
+              "$ref": "#/definitions/deleteTenantRequest"
+            }
           }
         ],
         "responses": {
@@ -5258,36 +5294,6 @@ func init() {
         }
       }
     },
-    "EncryptionConfigurationClient": {
-      "type": "object",
-      "required": [
-        "crt",
-        "key"
-      ],
-      "properties": {
-        "crt": {
-          "type": "string"
-        },
-        "key": {
-          "type": "string"
-        }
-      }
-    },
-    "EncryptionConfigurationServer": {
-      "type": "object",
-      "required": [
-        "crt",
-        "key"
-      ],
-      "properties": {
-        "crt": {
-          "type": "string"
-        },
-        "key": {
-          "type": "string"
-        }
-      }
-    },
     "GemaltoConfigurationKeysecure": {
       "type": "object",
       "required": [
@@ -5380,7 +5386,7 @@ func init() {
         "server_insecure": {
           "type": "boolean"
         },
-        "skip_ssl_verification": {
+        "skip_tls_verification": {
           "type": "boolean"
         },
         "url": {
@@ -5725,6 +5731,12 @@ func init() {
         "size"
       ],
       "properties": {
+        "labels": {
+          "type": "object",
+          "additionalProperties": {
+            "type": "string"
+          }
+        },
         "size": {
           "type": "integer"
         },
@@ -5977,11 +5989,18 @@ func init() {
             "type": "string"
           }
         },
+        "console_image": {
+          "type": "string"
+        },
         "enable_console": {
           "type": "boolean",
           "default": true
         },
-        "enable_ssl": {
+        "enable_prometheus": {
+          "type": "boolean",
+          "default": false
+        },
+        "enable_tls": {
           "type": "boolean",
           "default": true
         },
@@ -5999,6 +6018,9 @@ func init() {
         "image": {
           "type": "string"
         },
+        "image_pull_secret": {
+          "type": "string"
+        },
         "image_registry": {
           "$ref": "#/definitions/imageRegistry"
         },
@@ -6052,6 +6074,14 @@ func init() {
         }
       }
     },
+    "deleteTenantRequest": {
+      "type": "object",
+      "properties": {
+        "delete_pvcs": {
+          "type": "boolean"
+        }
+      }
+    },
     "encryptionConfiguration": {
       "type": "object",
       "properties": {
@@ -6061,18 +6091,7 @@ func init() {
         },
         "client": {
           "type": "object",
-          "required": [
-            "crt",
-            "key"
-          ],
-          "properties": {
-            "crt": {
-              "type": "string"
-            },
-            "key": {
-              "type": "string"
-            }
-          }
+          "$ref": "#/definitions/keyPairConfiguration"
         },
         "gemalto": {
           "type": "object",
@@ -6083,18 +6102,7 @@ func init() {
         },
         "server": {
           "type": "object",
-          "required": [
-            "crt",
-            "key"
-          ],
-          "properties": {
-            "crt": {
-              "type": "string"
-            },
-            "key": {
-              "type": "string"
-            }
-          }
+          "$ref": "#/definitions/keyPairConfiguration"
         },
         "vault": {
           "type": "object",
@@ -6210,7 +6218,7 @@ func init() {
             "server_insecure": {
               "type": "boolean"
             },
-            "skip_ssl_verification": {
+            "skip_tls_verification": {
               "type": "boolean"
             },
             "url": {
@@ -6264,6 +6272,21 @@ func init() {
         }
       }
     },
+    "keyPairConfiguration": {
+      "type": "object",
+      "required": [
+        "crt",
+        "key"
+      ],
+      "properties": {
+        "crt": {
+          "type": "string"
+        },
+        "key": {
+          "type": "string"
+        }
+      }
+    },
     "listBucketEventsResponse": {
       "type": "object",
       "properties": {
@@ -6921,16 +6944,14 @@ func init() {
     },
     "tlsConfiguration": {
       "type": "object",
-      "required": [
-        "crt",
-        "key"
-      ],
       "properties": {
-        "crt": {
-          "type": "string"
+        "console": {
+          "type": "object",
+          "$ref": "#/definitions/keyPairConfiguration"
         },
-        "key": {
-          "type": "string"
+        "minio": {
+          "type": "object",
+          "$ref": "#/definitions/keyPairConfiguration"
         }
       }
     },
@@ -6955,10 +6976,17 @@ func init() {
     "updateTenantRequest": {
       "type": "object",
       "properties": {
+        "console_image": {
+          "type": "string",
+          "pattern": "^((.*?)/(.*?):(.+))$"
+        },
         "image": {
           "type": "string",
           "pattern": "^((.*?)/(.*?):(.+))$"
         },
+        "image_pull_secret": {
+          "type": "string"
+        },
         "image_registry": {
           "$ref": "#/definitions/imageRegistry"
         }
@@ -7118,6 +7146,12 @@ func init() {
             "size"
           ],
           "properties": {
+            "labels": {
+              "type": "object",
+              "additionalProperties": {
+                "type": "string"
+              }
+            },
             "size": {
               "type": "integer"
             },

restapi/operations/admin_api/delete_tenant.go

@@ -50,7 +50,7 @@ func NewDeleteTenant(ctx *middleware.Context, handler DeleteTenantHandler) *Dele
 
 /*DeleteTenant swagger:route DELETE /namespaces/{namespace}/tenants/{tenant} AdminAPI deleteTenant
 
-Delete Tenant
+Delete tenant and underlying pvcs
 
 */
 type DeleteTenant struct {

restapi/operations/admin_api/delete_tenant_parameters.go

@@ -26,8 +26,11 @@ import (
 	"net/http"
 
 	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
 	"github.com/go-openapi/runtime/middleware"
 	"github.com/go-openapi/strfmt"
+
+	"github.com/minio/console/models"
 )
 
 // NewDeleteTenantParams creates a new DeleteTenantParams object
@@ -46,6 +49,10 @@ type DeleteTenantParams struct {
 	// HTTP Request Object
 	HTTPRequest *http.Request `json:"-"`
 
+	/*
+	  In: body
+	*/
+	Body *models.DeleteTenantRequest
 	/*
 	  Required: true
 	  In: path
@@ -67,6 +74,22 @@ func (o *DeleteTenantParams) BindRequest(r *http.Request, route *middleware.Matc
 
 	o.HTTPRequest = r
 
+	if runtime.HasBody(r) {
+		defer r.Body.Close()
+		var body models.DeleteTenantRequest
+		if err := route.Consumer.Consume(r.Body, &body); err != nil {
+			res = append(res, errors.NewParseError("body", "body", "", err))
+		} else {
+			// validate body object
+			if err := body.Validate(route.Formats); err != nil {
+				res = append(res, err)
+			}
+
+			if len(res) == 0 {
+				o.Body = &body
+			}
+		}
+	}
 	rNamespace, rhkNamespace, _ := route.Params.GetOK("namespace")
 	if err := o.bindNamespace(rNamespace, rhkNamespace, route.Formats); err != nil {
 		res = append(res, err)

restapi/tls.go

@@ -19,18 +19,32 @@ package restapi
 import (
 	"crypto/tls"
 	"crypto/x509"
-	"fmt"
 	"io/ioutil"
+	"log"
 	"net"
 	"net/http"
 	"time"
 )
 
-var (
-	certDontExists = "File certificate doesn't exists: %s"
-)
+func getCertPool() *x509.CertPool {
+	caCertFileNames := getMinioServerTLSRootCAs()
+	// If CAs certificates are configured we save them to the http.Client RootCAs store
+	certs := x509.NewCertPool()
+	for _, caCert := range caCertFileNames {
+		pemData, err := ioutil.ReadFile(caCert)
+		if err != nil {
+			// logging this error
+			log.Println(err)
+			continue
+		}
+		certs.AppendCertsFromPEM(pemData)
+	}
+	return certs
+}
 
-func prepareSTSClientTransport() *http.Transport {
+var certPool = getCertPool()
+
+func prepareSTSClientTransport(insecure bool) *http.Transport {
 	// This takes github.com/minio/minio/pkg/madmin/transport.go as an example
 	//
 	// DefaultTransport - this default transport is similar to
@@ -49,47 +63,25 @@ func prepareSTSClientTransport() *http.Transport {
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
 		DisableCompression:    true,
-	}
-	// If Minio instance is running with TLS enabled and it's using a self-signed certificate
-	// or a certificate issued by a custom certificate authority we prepare a new custom *http.Transport
-	if getMinIOEndpointIsSecure() {
-		caCertFileNames := getMinioServerTLSRootCAs()
-		tlsConfig := &tls.Config{
+		TLSClientConfig: &tls.Config{
 			// Can't use SSLv3 because of POODLE and BEAST
 			// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
 			// Can't use TLSv1.1 because of RC4 cipher usage
-			MinVersion: tls.VersionTLS12,
-		}
-		// If CAs certificates are configured we save them to the http.Client RootCAs store
-		if len(caCertFileNames) > 0 {
-			certs := x509.NewCertPool()
-			for _, caCert := range caCertFileNames {
-				// Validate certificate exists
-				if FileExists(caCert) {
-					pemData, err := ioutil.ReadFile(caCert)
-					if err != nil {
-						// if there was an error reading pem file stop console
-						panic(err)
-					}
-					certs.AppendCertsFromPEM(pemData)
-				} else {
-					// if provided cert filename doesn't exists stop console
-					panic(fmt.Sprintf(certDontExists, caCert))
-				}
-			}
-			tlsConfig.RootCAs = certs
-		}
-		DefaultTransport.TLSClientConfig = tlsConfig
+			MinVersion:         tls.VersionTLS12,
+			InsecureSkipVerify: insecure,
+			RootCAs:            certPool,
+		},
 	}
 	return DefaultTransport
 }
 
 // PrepareSTSClient returns an http.Client with custom configurations need it by *credentials.STSAssumeRole
 // custom configurations include the use of CA certificates
-func PrepareSTSClient() *http.Client {
-	transport := prepareSTSClientTransport()
+func PrepareSTSClient(insecure bool) *http.Client {
+	transport := prepareSTSClientTransport(insecure)
 	// Return http client with default configuration
-	return &http.Client{
+	c := &http.Client{
 		Transport: transport,
 	}
+	return c
 }

swagger.yml

@@ -1069,7 +1069,7 @@ paths:
       tags:
         - AdminAPI
     delete:
-      summary: Delete Tenant
+      summary: Delete tenant and underlying pvcs
       operationId: DeleteTenant
       parameters:
         - name: namespace
@@ -1080,6 +1080,11 @@ paths:
           in: path
           required: true
           type: string
+        - name: body
+          in: body
+          required: false
+          schema:
+            $ref: "#/definitions/deleteTenantRequest"
       responses:
         204:
           description: A successful response.
@@ -1778,8 +1783,13 @@ definitions:
       image:
         type: string
         pattern: "^((.*?)/(.*?):(.+))$"
+      console_image:
+        type: string
+        pattern: "^((.*?)/(.*?):(.+))$"
       image_registry:
         $ref: "#/definitions/imageRegistry"
+      image_pull_secret:
+        type: string
   
   imageRegistry:
     type: object
@@ -1807,6 +1817,8 @@ definitions:
         pattern: "^[a-z0-9-]{3,63}$"
       image:
         type: string
+      console_image:
+        type: string
       service_name:
         type: string
       zones:
@@ -1822,9 +1834,12 @@ definitions:
       enable_console:
         type: boolean
         default: true
-      enable_ssl:
+      enable_tls:
         type: boolean
         default: true
+      enable_prometheus:
+        type: boolean
+        default: false
       namespace:
         type: string
       erasureCodingParity:
@@ -1835,6 +1850,8 @@ definitions:
           type: string
       image_registry:
         $ref: "#/definitions/imageRegistry"
+      image_pull_secret:
+        type: string
       idp:
         type: object
         $ref: "#/definitions/idpConfiguration"
@@ -1845,7 +1862,7 @@ definitions:
         type: object
         $ref: "#/definitions/encryptionConfiguration"
 
-  tlsConfiguration:
+  keyPairConfiguration:
     type: object
     required:
       - crt
@@ -1856,6 +1873,16 @@ definitions:
       key:
         type: string
 
+  tlsConfiguration:
+    type: object
+    properties:
+      minio:
+        type: object
+        $ref: "#/definitions/keyPairConfiguration"
+      console:
+        type: object
+        $ref: "#/definitions/keyPairConfiguration"
+
   idpConfiguration:
     type: object
     properties:
@@ -1891,7 +1918,7 @@ definitions:
             type: string
           group_name_attribute:
             type: string
-          skip_ssl_verification:
+          skip_tls_verification:
             type: boolean
           server_insecure:
             type: boolean
@@ -1903,24 +1930,10 @@ definitions:
         type: string
       server:
         type: object
-        required:
-          - crt
-          - key
-        properties:
-          crt:
-            type: string
-          key:
-            type: string
+        $ref: "#/definitions/keyPairConfiguration"
       client:
         type: object
-        required:
-          - crt
-          - key
-        properties:
-          crt:
-            type: string
-          key:
-            type: string
+        $ref: "#/definitions/keyPairConfiguration"
       gemalto:
         type: object
         $ref: "#/definitions/gemaltoConfiguration"
@@ -2078,6 +2091,10 @@ definitions:
             type: integer
           storage_class_name:
             type: string
+          labels:
+            type: object
+            additionalProperties:
+              type: string
       resources:
         $ref: "#/definitions/zoneResources"
       node_selector:
@@ -2511,3 +2528,9 @@ definitions:
       used:
         type: integer
         format: int64
+  
+  deleteTenantRequest:
+    type: object
+    properties:
+      delete_pvcs:
+        type: boolean