Release v0.10.4 (#1108 )

Signed-off-by: Daniel Valdivia <18384552+dvaldivia@users.noreply.github.com>
update to new minio/pkg v1.1.5 (#1107 )
2021-10-12 16:41:25 -07:00 · 2021-10-12 16:21:13 -07:00 · 2021-10-12 14:35:12 -07:00 · 2021-10-12 11:18:56 -07:00 · 2021-10-11 19:17:18 -07:00 · 2021-10-11 12:32:27 -07:00
555 changed files with 132756 additions and 16510 deletions
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -14,7 +14,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
-        go-version: [1.16.x]
+        go-version: [1.16.x, 1.17.x]
        os: [ubuntu-latest]
    steps:
      - name: Set up Go ${{ matrix.go-version }} on ${{ matrix.os }}
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -0,0 +1,39 @@
+name: Go
+
+on:
+  pull_request:
+    branches:
+      - master
+  push:
+    branches:
+      - master
+
+jobs:
+  build:
+    name: Integration Tests with Latest Distributed MinIO
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        go-version: [1.16.x]
+        os: [ubuntu-latest]
+    steps:
+      - name: Set up Go ${{ matrix.go-version }} on ${{ matrix.os }}
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ matrix.go-version }}
+        id: go
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+
+      - name: Build on ${{ matrix.os }}
+        env:
+          GO111MODULE: on
+          GOOS: linux
+          CGO_ENABLED: 0
+        run: |
+          wget -O /tmp/minio https://dl.minio.io/server/minio/release/linux-amd64/minio
+          chmod +x /tmp/minio
+          mkdir -p /tmp/certs-dir
+          /tmp/minio server --quiet -S /tmp/certs-dir /tmp/fs{1...4} &
+          go test github.com/minio/console/integration/...
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -14,7 +14,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
-        go-version: [1.16.x]
+        go-version: [1.16.x, 1.17.x]
        os: [ubuntu-latest]
    steps:
      - name: Set up Go ${{ matrix.go-version }} on ${{ matrix.os }}
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -86,7 +86,7 @@ nfpms:
 dockers:
 - image_templates:
  - "minio/console:{{ .Tag }}-amd64"
-  use_buildx: true
+  use: buildx
  goarch: amd64
  dockerfile: Dockerfile.release
  extra_files:
@@ -97,7 +97,7 @@ dockers:
  - "--build-arg=TAG={{ .Tag }}"
 - image_templates:
  - "minio/console:{{ .Tag }}-ppc64le"
-  use_buildx: true
+  use: buildx
  goarch: ppc64le
  dockerfile: Dockerfile.release
  extra_files:
@@ -108,7 +108,7 @@ dockers:
  - "--build-arg=TAG={{ .Tag }}"
 - image_templates:
  - "minio/console:{{ .Tag }}-s390x"
-  use_buildx: true
+  use: buildx
  goarch: s390x
  dockerfile: Dockerfile.release
  extra_files:
@@ -119,7 +119,7 @@ dockers:
  - "--build-arg=TAG={{ .Tag }}"
 - image_templates:
  - "minio/console:{{ .Tag }}-arm64"
-  use_buildx: true
+  use: buildx
  goarch: arm64
  goos: linux
  dockerfile: Dockerfile.release
@@ -131,7 +131,7 @@ dockers:
  - "--build-arg=TAG={{ .Tag }}"
 - image_templates:
  - "quay.io/minio/console:{{ .Tag }}-amd64"
-  use_buildx: true
+  use: buildx
  goarch: amd64
  dockerfile: Dockerfile.release
  extra_files:
@@ -142,7 +142,7 @@ dockers:
  - "--build-arg=TAG={{ .Tag }}"
 - image_templates:
  - "quay.io/minio/console:{{ .Tag }}-ppc64le"
-  use_buildx: true
+  use: buildx
  goarch: ppc64le
  dockerfile: Dockerfile.release
  extra_files:
@@ -153,7 +153,7 @@ dockers:
  - "--build-arg=TAG={{ .Tag }}"
 - image_templates:
  - "quay.io/minio/console:{{ .Tag }}-s390x"
-  use_buildx: true
+  use: buildx
  goarch: s390x
  dockerfile: Dockerfile.release
  extra_files:
@@ -164,7 +164,7 @@ dockers:
  - "--build-arg=TAG={{ .Tag }}"
 - image_templates:
  - "quay.io/minio/console:{{ .Tag }}-arm64"
-  use_buildx: true
+  use: buildx
  goarch: arm64
  goos: linux
  dockerfile: Dockerfile.release
--- a/compose/.env
+++ b/compose/.env
@@ -1,61 +0,0 @@
-## PostgreSQL related variables
-
-# Postgres Docker image
-POSTGRES_IMAGE=library/postgres
-
-# Postgres user
-POSTGRES_USER=postgres
-
-# Postgres password
-POSTGRES_PASSWORD=magical_password
-
-# Postgres port number
-POSTGRES_PORT=5432
-
-# Postgres data directory
-PGDATA=/data/postgres
-
-
-## Logsearch related variables
-
-# Logsearch Docker image
-LOGSEARCH_IMAGE=minio/logsearchapi:v4.1.2
-
-# Logsearch storage max
-LOGSEARCH_DISK_CAPACITY_GB=5
-
-# Logsearch port number
-LOGSEARCH_PORT=8080
-
-# Log retention duration
-LOGSEARCH_MAX_RETENTION_MONTHS=1
-
-# Logsearch audit authentication token
-LOGSEARCH_AUDIT_AUTH_TOKEN=c6rkqjZ03ElEUKQ7MtSeYBJ8q_p3GDFPBQAQJlcbBLA=
-
-# Logsearch query authentication token
-LOGSEARCH_QUERY_AUTH_TOKEN=c6rkqjZ03ElEUKQ7MtSeYBJ8q_p3GDFPBQAQJlcbBLA=
-
-
-## Console related variables
-
-# Console Docker image
-CONSOLE_IMAGE=minio/console:v0.8.0
-
-# Salt to encrypt JWT payload
-CONSOLE_PBKDF_PASSPHRASE=top_secret
-
-# Required to encrypt JWT payload
-CONSOLE_PBKDF_SALT=top_secret1
-
-# MinIO Server URL
-CONSOLE_MINIO_SERVER=http://localhost:9000
-
-
-## Prometheus related variables
-
-# Prometheus Docker image
-PROMETHEUS_IMAGE=prom/prometheus:latest
-
-# Prometheus port number
-PROMETHEUS_PORT=9999
--- a/compose/README.md
+++ b/compose/README.md
@@ -1,64 +0,0 @@
-
-## Console Docker Compose
-
-This compose file allows users to quickly deploy MinIO Console, LogSearch & Prometheus in a baremetal (non Kubernetes) environment.
-
-### Pre-requisites
-
-1. [MinIO](https://docs.minio.io/docs/distributed-minio-quickstart-guide.html) cluster up and running.
-2. [mc](https://docs.minio.io/docs/minio-client-quickstart-guide.html) configured for this MinIO cluster.
-3. [Docker-Compose](https://docs.docker.com/compose/) installed on the server.
-
-### Getting Started
-
- Download the contents of `compose` directory on your machine.
-
- Edit the `prometheus.yaml` file and fill in the correct target (MinIO Endpoint). Optionally setup the `bearer_token` as explained [here](https://github.com/minio/minio/tree/master/docs/metrics/prometheus#31-authenticated-prometheus-config).
-
- Setup a console admin policy.
-
-```sh
-cat > admin.json << EOF
-{
-	"Version": "2012-10-17",
-	"Statement": [{
-			"Action": [
-				"admin:*"
-			],
-			"Effect": "Allow",
-			"Sid": ""
-		},
-		{
-			"Action": [
-                "s3:*"
-			],
-			"Effect": "Allow",
-			"Resource": [
-				"arn:aws:s3:::*"
-			],
-			"Sid": ""
-		}
-	]
-}
-EOF
-```
-
-Then create this policy on MinIO server: `mc admin policy add myminio consoleAdmin admin.json`.
-
- Setup user and policy for Console
-
-```
-mc admin user add myminio console console123
-mc admin policy set myminio consoleAdmin user=console
-```
-
- Configure Webhook target on the MinIO server. Remember to change the `token` value in below URL to the actual token value as set in the `.env` file.
-
-```
-mc admin config set myminio audit_webhook:1 endpoint=http://localhost:8080/api/ingest?token=c6rkqjZ03ElEUKQ7MtSeYBJ8q_p3GDFPBQAQJlcbBLA=
-mc admin service restart myminio
-```
-
-### Configuration
-
-To configure the Console Compose file to custom setup, please take a look at the [`.env`](./.env) file.
--- a/compose/docker-compose.yaml
+++ b/compose/docker-compose.yaml
@@ -1,62 +0,0 @@
-version: '3.4'
-services:
-  pg_database:
-    image: ${POSTGRES_IMAGE}
-    network_mode: host
-    environment:
-      - POSTGRES_USER=${POSTGRES_USER}
-      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
-      - PGDATA=${PGDATA}
-      - POSTGRES_DB=minio_logs
-    volumes:
-      - database:${PGDATA}
-    ports:
-      - ${POSTGRES_PORT}:${POSTGRES_PORT}
-
-  log_search:
-    image: ${LOGSEARCH_IMAGE}
-    network_mode: host
-    environment:
-      - LOGSEARCH_AUDIT_AUTH_TOKEN=${LOGSEARCH_AUDIT_AUTH_TOKEN}
-      - LOGSEARCH_QUERY_AUTH_TOKEN=${LOGSEARCH_QUERY_AUTH_TOKEN}
-      - LOGSEARCH_DISK_CAPACITY_GB=${LOGSEARCH_DISK_CAPACITY_GB}
-      - LOGSEARCH_MAX_RETENTION_MONTHS=${LOGSEARCH_MAX_RETENTION_MONTHS}
-      - LOGSEARCH_PG_CONN_STR=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@localhost:${POSTGRES_PORT}/minio_logs?sslmode=disable
-    ports:
-      - ${LOGSEARCH_PORT}:${LOGSEARCH_PORT}
-    command: ["/usr/bin/wait-for-it.sh", "localhost:${POSTGRES_PORT}", "--", "/logsearchapi"]
-    volumes:
-      - ./wait-for-it.sh:/usr/bin/wait-for-it.sh
-    depends_on:
-      - pg_database
-
-  console:
-    image: ${CONSOLE_IMAGE}
-    network_mode: host
-    environment:
-      - CONSOLE_PBKDF_PASSPHRASE=${CONSOLE_PBKDF_PASSPHRASE}
-      - CONSOLE_PBKDF_SALT=${CONSOLE_PBKDF_SALT}
-      - LOGSEARCH_QUERY_AUTH_TOKEN=${LOGSEARCH_QUERY_AUTH_TOKEN}
-      - CONSOLE_MINIO_SERVER=${CONSOLE_MINIO_SERVER}
-      - CONSOLE_LOG_QUERY_URL=http://localhost:${LOGSEARCH_PORT}
-      - CONSOLE_PROMETHEUS_URL=http://localhost:${PROMETHEUS_PORT}
-    ports:
-      - "9090:9090"
-    command: server
-    depends_on:
-      - log_search
-      - prometheus
-
-  prometheus:
-    image: ${PROMETHEUS_IMAGE}
-    network_mode: host
-    ports:
-      - ${PROMETHEUS_PORT}:${PROMETHEUS_PORT}
-    command:
-      - --config.file=/etc/prometheus/prometheus.yml
-      - --web.listen-address=:${PROMETHEUS_PORT}
-    volumes:
-      - ./prometheus.yml:/etc/prometheus/prometheus.yml:ro
-
-volumes:
-  database:
--- a/compose/prometheus.yml
+++ b/compose/prometheus.yml
@@ -1,15 +0,0 @@
-global:
-  scrape_interval:     10s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
-  evaluation_interval: 30s # Evaluate rules every 15 seconds. The default is every 1 minute.
-  # scrape_timeout is set to the global default (10s).
-
-# A scrape configuration containing exactly one endpoint to scrape:
-# Here it's Prometheus itself.
-scrape_configs:
-    # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
-  - job_name: minio-job
-    metrics_path: /minio/v2/metrics/cluster
-    scheme: http
-    static_configs:
-    - targets:
-      - 'localhost:9000'
--- a/compose/wait-for-it.sh
+++ b/compose/wait-for-it.sh
@@ -1,182 +0,0 @@
-#!/usr/bin/env bash
-# Use this script to test if a given TCP host/port are available
-
-WAITFORIT_cmdname=${0##*/}
-
-echoerr() { if [[ $WAITFORIT_QUIET -ne 1 ]]; then echo "$@" 1>&2; fi }
-
-usage()
-{
-    cat << USAGE >&2
-Usage:
-    $WAITFORIT_cmdname host:port [-s] [-t timeout] [-- command args]
-    -h HOST | --host=HOST       Host or IP under test
-    -p PORT | --port=PORT       TCP port under test
-                                Alternatively, you specify the host and port as host:port
-    -s | --strict               Only execute subcommand if the test succeeds
-    -q | --quiet                Don't output any status messages
-    -t TIMEOUT | --timeout=TIMEOUT
-                                Timeout in seconds, zero for no timeout
-    -- COMMAND ARGS             Execute command with args after the test finishes
-USAGE
-    exit 1
-}
-
-wait_for()
-{
-    if [[ $WAITFORIT_TIMEOUT -gt 0 ]]; then
-        echoerr "$WAITFORIT_cmdname: waiting $WAITFORIT_TIMEOUT seconds for $WAITFORIT_HOST:$WAITFORIT_PORT"
-    else
-        echoerr "$WAITFORIT_cmdname: waiting for $WAITFORIT_HOST:$WAITFORIT_PORT without a timeout"
-    fi
-    WAITFORIT_start_ts=$(date +%s)
-    while :
-    do
-        if [[ $WAITFORIT_ISBUSY -eq 1 ]]; then
-            nc -z $WAITFORIT_HOST $WAITFORIT_PORT
-            WAITFORIT_result=$?
-        else
-            (echo -n > /dev/tcp/$WAITFORIT_HOST/$WAITFORIT_PORT) >/dev/null 2>&1
-            WAITFORIT_result=$?
-        fi
-        if [[ $WAITFORIT_result -eq 0 ]]; then
-            WAITFORIT_end_ts=$(date +%s)
-            echoerr "$WAITFORIT_cmdname: $WAITFORIT_HOST:$WAITFORIT_PORT is available after $((WAITFORIT_end_ts - WAITFORIT_start_ts)) seconds"
-            break
-        fi
-        sleep 1
-    done
-    return $WAITFORIT_result
-}
-
-wait_for_wrapper()
-{
-    # In order to support SIGINT during timeout: http://unix.stackexchange.com/a/57692
-    if [[ $WAITFORIT_QUIET -eq 1 ]]; then
-        timeout $WAITFORIT_BUSYTIMEFLAG $WAITFORIT_TIMEOUT $0 --quiet --child --host=$WAITFORIT_HOST --port=$WAITFORIT_PORT --timeout=$WAITFORIT_TIMEOUT &
-    else
-        timeout $WAITFORIT_BUSYTIMEFLAG $WAITFORIT_TIMEOUT $0 --child --host=$WAITFORIT_HOST --port=$WAITFORIT_PORT --timeout=$WAITFORIT_TIMEOUT &
-    fi
-    WAITFORIT_PID=$!
-    trap "kill -INT -$WAITFORIT_PID" INT
-    wait $WAITFORIT_PID
-    WAITFORIT_RESULT=$?
-    if [[ $WAITFORIT_RESULT -ne 0 ]]; then
-        echoerr "$WAITFORIT_cmdname: timeout occurred after waiting $WAITFORIT_TIMEOUT seconds for $WAITFORIT_HOST:$WAITFORIT_PORT"
-    fi
-    return $WAITFORIT_RESULT
-}
-
-# process arguments
-while [[ $# -gt 0 ]]
-do
-    case "$1" in
-        *:* )
-        WAITFORIT_hostport=(${1//:/ })
-        WAITFORIT_HOST=${WAITFORIT_hostport[0]}
-        WAITFORIT_PORT=${WAITFORIT_hostport[1]}
-        shift 1
-        ;;
-        --child)
-        WAITFORIT_CHILD=1
-        shift 1
-        ;;
-        -q | --quiet)
-        WAITFORIT_QUIET=1
-        shift 1
-        ;;
-        -s | --strict)
-        WAITFORIT_STRICT=1
-        shift 1
-        ;;
-        -h)
-        WAITFORIT_HOST="$2"
-        if [[ $WAITFORIT_HOST == "" ]]; then break; fi
-        shift 2
-        ;;
-        --host=*)
-        WAITFORIT_HOST="${1#*=}"
-        shift 1
-        ;;
-        -p)
-        WAITFORIT_PORT="$2"
-        if [[ $WAITFORIT_PORT == "" ]]; then break; fi
-        shift 2
-        ;;
-        --port=*)
-        WAITFORIT_PORT="${1#*=}"
-        shift 1
-        ;;
-        -t)
-        WAITFORIT_TIMEOUT="$2"
-        if [[ $WAITFORIT_TIMEOUT == "" ]]; then break; fi
-        shift 2
-        ;;
-        --timeout=*)
-        WAITFORIT_TIMEOUT="${1#*=}"
-        shift 1
-        ;;
-        --)
-        shift
-        WAITFORIT_CLI=("$@")
-        break
-        ;;
-        --help)
-        usage
-        ;;
-        *)
-        echoerr "Unknown argument: $1"
-        usage
-        ;;
-    esac
-done
-
-if [[ "$WAITFORIT_HOST" == "" || "$WAITFORIT_PORT" == "" ]]; then
-    echoerr "Error: you need to provide a host and port to test."
-    usage
-fi
-
-WAITFORIT_TIMEOUT=${WAITFORIT_TIMEOUT:-15}
-WAITFORIT_STRICT=${WAITFORIT_STRICT:-0}
-WAITFORIT_CHILD=${WAITFORIT_CHILD:-0}
-WAITFORIT_QUIET=${WAITFORIT_QUIET:-0}
-
-# Check to see if timeout is from busybox?
-WAITFORIT_TIMEOUT_PATH=$(type -p timeout)
-WAITFORIT_TIMEOUT_PATH=$(realpath $WAITFORIT_TIMEOUT_PATH 2>/dev/null || readlink -f $WAITFORIT_TIMEOUT_PATH)
-
-WAITFORIT_BUSYTIMEFLAG=""
-if [[ $WAITFORIT_TIMEOUT_PATH =~ "busybox" ]]; then
-    WAITFORIT_ISBUSY=1
-    # Check if busybox timeout uses -t flag
-    # (recent Alpine versions don't support -t anymore)
-    if timeout &>/dev/stdout | grep -q -e '-t '; then
-        WAITFORIT_BUSYTIMEFLAG="-t"
-    fi
-else
-    WAITFORIT_ISBUSY=0
-fi
-
-if [[ $WAITFORIT_CHILD -gt 0 ]]; then
-    wait_for
-    WAITFORIT_RESULT=$?
-    exit $WAITFORIT_RESULT
-else
-    if [[ $WAITFORIT_TIMEOUT -gt 0 ]]; then
-        wait_for_wrapper
-        WAITFORIT_RESULT=$?
-    else
-        wait_for
-        WAITFORIT_RESULT=$?
-    fi
-fi
-
-if [[ $WAITFORIT_CLI != "" ]]; then
-    if [[ $WAITFORIT_RESULT -ne 0 && $WAITFORIT_STRICT -eq 1 ]]; then
-        echoerr "$WAITFORIT_cmdname: strict mode, refusing to execute subprocess"
-        exit $WAITFORIT_RESULT
-    fi
-    exec "${WAITFORIT_CLI[@]}"
-else
-    exit $WAITFORIT_RESULT
-fi
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,6 @@ go 1.16
 require (
 	github.com/blang/semver/v4 v4.0.0
 	github.com/cheggaaa/pb/v3 v3.0.6
-	github.com/coreos/go-oidc v2.2.1+incompatible
 	github.com/dustin/go-humanize v1.0.0
 	github.com/go-openapi/errors v0.19.9
 	github.com/go-openapi/loads v0.20.2
@@ -19,19 +18,18 @@ require (
 	github.com/minio/cli v1.22.0
 	github.com/minio/direct-csi v1.3.5-0.20210601185811-f7776f7961bf
 	github.com/minio/kes v0.11.0
-	github.com/minio/madmin-go v1.0.17
+	github.com/minio/madmin-go v1.1.6
 	github.com/minio/mc v0.0.0-20210626002108-cebf3318546f
-	github.com/minio/minio-go/v7 v7.0.13-0.20210715203016-9e713532886e
-	github.com/minio/operator v0.0.0-20210616045941-65f31f5f78ae
-	github.com/minio/operator/logsearchapi v0.0.0-20210604224119-7e256f98cf90
-	github.com/minio/pkg v1.0.8
+	github.com/minio/minio-go/v7 v7.0.14
+	github.com/minio/operator v0.0.0-20210812082324-26350f153661
+	github.com/minio/operator/logsearchapi v0.0.0-20210812082324-26350f153661
+	github.com/minio/pkg v1.1.5
 	github.com/minio/selfupdate v0.3.1
 	github.com/mitchellh/go-homedir v1.1.0
-	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
 	github.com/rs/xid v1.2.1
 	github.com/secure-io/sio-go v0.3.1
 	github.com/stretchr/testify v1.7.0
-	github.com/unrolled/secure v1.0.7
+	github.com/unrolled/secure v1.0.9
 	golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b
 	golang.org/x/net v0.0.0-20210421230115-4e50805a0758
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
--- a/go.sum
+++ b/go.sum
@@ -196,8 +196,6 @@ github.com/cockroachdb/cockroach-go/v2 v2.0.3 h1:ZA346ACHIZctef6trOTwBAEvPVm1k0u
 github.com/cockroachdb/cockroach-go/v2 v2.0.3/go.mod h1:hAuDgiVgDVkfirP9JnhXEfcXEPRKBpYdGz+l7mvYSzw=
 github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
 github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI=
-github.com/codegangsta/negroni v1.0.0 h1:+aYywywx4bnKXWvoWtRfJ91vC59NbEhEY03sZjQhbVY=
-github.com/codegangsta/negroni v1.0.0/go.mod h1:v0y3T5G7Y1UlFfyxFn/QLRU4a2EuNau2iZY63YTKWo0=
 github.com/container-storage-interface/spec v1.1.0/go.mod h1:6URME8mwIBbpVyZV93Ce5St17xBiQJQY67NDsuohiy4=
 github.com/container-storage-interface/spec v1.3.0/go.mod h1:6URME8mwIBbpVyZV93Ce5St17xBiQJQY67NDsuohiy4=
 github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
@@ -206,8 +204,6 @@ github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
 github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
-github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk=
-github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
@@ -469,6 +465,8 @@ github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c=
+github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
@@ -876,10 +874,9 @@ github.com/minio/filepath v1.0.0 h1:fvkJu1+6X+ECRA6G3+JJETj4QeAYO9sV43I79H8ubDY=
 github.com/minio/filepath v1.0.0/go.mod h1:/nRZA2ldl5z6jT9/KQuvZcQlxZIMQoFFQPvEXx9T/Bw=
 github.com/minio/kes v0.11.0 h1:8ma6OCVSxKT50b1uYXLJro3m7PmZtCLxBaTddQexI5k=
 github.com/minio/kes v0.11.0/go.mod h1:mTF1Bv8YVEtQqF/B7Felp4tLee44Pp+dgI0rhCvgNg8=
-github.com/minio/madmin-go v1.0.6/go.mod h1:BK+z4XRx7Y1v8SFWXsuLNqQqnq5BO/axJ8IDJfgyvfs=
 github.com/minio/madmin-go v1.0.12/go.mod h1:BK+z4XRx7Y1v8SFWXsuLNqQqnq5BO/axJ8IDJfgyvfs=
-github.com/minio/madmin-go v1.0.17 h1:VMEn4nMKf0X3uNH0u+fZcn17KSwVkQGwyER/igG556E=
-github.com/minio/madmin-go v1.0.17/go.mod h1:4nl9hvLWFnwCjkLfZSsZXEHgDODa2XSG6xGlIZyQ2oA=
+github.com/minio/madmin-go v1.1.6 h1:L53ALIbAilaEvuvMMT4XkJpd6mtaorkMBwCQ+zraYBA=
+github.com/minio/madmin-go v1.1.6/go.mod h1:vw+c3/u+DeVKqReEavo///Cl2OO8nt5s4ee843hJeLs=
 github.com/minio/mc v0.0.0-20210626002108-cebf3318546f h1:hyFvo5hSFw2K417YvDr/vAKlgCG69uTuhZW/5LNdL0U=
 github.com/minio/mc v0.0.0-20210626002108-cebf3318546f/go.mod h1:tuaonkPjVApCXkbtKENHBtsqUf7YTV33qmFrC+Pgp5g=
 github.com/minio/md5-simd v1.1.0/go.mod h1:XpBqgZULrMYD3R+M28PcmP0CkI7PEMzB3U77ZrKZ0Gw=
@@ -887,16 +884,17 @@ github.com/minio/md5-simd v1.1.1 h1:9ojcLbuZ4gXbB2sX53MKn8JUZ0sB/2wfwsEcRw+I08U=
 github.com/minio/md5-simd v1.1.1/go.mod h1:XpBqgZULrMYD3R+M28PcmP0CkI7PEMzB3U77ZrKZ0Gw=
 github.com/minio/minio-go/v7 v7.0.11-0.20210302210017-6ae69c73ce78/go.mod h1:mTh2uJuAbEqdhMVl6CMIIZLUeiMiWtJR4JB8/5g2skw=
 github.com/minio/minio-go/v7 v7.0.11-0.20210607181445-e162fdb8e584/go.mod h1:WoyW+ySKAKjY98B9+7ZbI8z8S3jaxaisdcvj9TGlazA=
-github.com/minio/minio-go/v7 v7.0.13-0.20210715203016-9e713532886e h1:aVnxKPpUI1gVeEf9vC+QEt8OxMXiiNMeUWcrBM62oDU=
-github.com/minio/minio-go/v7 v7.0.13-0.20210715203016-9e713532886e/go.mod h1:S23iSP5/gbMwtxeY5FM71R+TkAYyzEdoNEDDwpt8yWs=
-github.com/minio/operator v0.0.0-20210616045941-65f31f5f78ae h1:GONmqbjCi/KTEc1CGujnS/m1qeJeghcQ8dUBLh19qQo=
-github.com/minio/operator v0.0.0-20210616045941-65f31f5f78ae/go.mod h1:8/mIXK+CFdL6VqyxRn1SwD+PEX0jsN8uqjoadaw/Np0=
-github.com/minio/operator/logsearchapi v0.0.0-20210604224119-7e256f98cf90 h1:Qu6j6oE7+QNuq7Kr2DLyVYq3fqMdqFd/T8NAeNp47og=
-github.com/minio/operator/logsearchapi v0.0.0-20210604224119-7e256f98cf90/go.mod h1:R+38Pf3wfm+JMiyLPb/r8OMrBm0vK2hZgUT4y4aYoSY=
+github.com/minio/minio-go/v7 v7.0.14 h1:T7cw8P586gVwEEd0y21kTYtloD576XZgP62N8pE130s=
+github.com/minio/minio-go/v7 v7.0.14/go.mod h1:S23iSP5/gbMwtxeY5FM71R+TkAYyzEdoNEDDwpt8yWs=
+github.com/minio/operator v0.0.0-20210812082324-26350f153661 h1:dGAJHpfmhNukFg0M0wDqH+G1OB2YPgZCcT6uv4n9YQk=
+github.com/minio/operator v0.0.0-20210812082324-26350f153661/go.mod h1:zQqn6VGT46xlSpVXh1I/VZRv+eSgHtVu6URdg71YKX8=
+github.com/minio/operator/logsearchapi v0.0.0-20210812082324-26350f153661 h1:tJw15hS3b1dVTf5PwA4roXZ/oRNnHyZ/8Y+yNTmQ5rA=
+github.com/minio/operator/logsearchapi v0.0.0-20210812082324-26350f153661/go.mod h1:R+38Pf3wfm+JMiyLPb/r8OMrBm0vK2hZgUT4y4aYoSY=
 github.com/minio/pkg v1.0.3/go.mod h1:obU54TZ9QlMv0TRaDgQ/JTzf11ZSXxnSfLrm4tMtBP8=
 github.com/minio/pkg v1.0.4/go.mod h1:obU54TZ9QlMv0TRaDgQ/JTzf11ZSXxnSfLrm4tMtBP8=
-github.com/minio/pkg v1.0.8 h1:lWQwHSeYlvnRoPpO+wS0I4mL6c00ABxBgbGjSmjwOi4=
 github.com/minio/pkg v1.0.8/go.mod h1:32x/3OmGB0EOi1N+3ggnp+B5VFkSBBB9svPMVfpnf14=
+github.com/minio/pkg v1.1.5 h1:phwKkJBQdVLyxOXC3RChPVGLtebplzQJ5jJ3l/HBvnk=
+github.com/minio/pkg v1.1.5/go.mod h1:32x/3OmGB0EOi1N+3ggnp+B5VFkSBBB9svPMVfpnf14=
 github.com/minio/selfupdate v0.3.1 h1:BWEFSNnrZVMUWXbXIgLDNDjbejkmpAmZvy/nCz1HlEs=
 github.com/minio/selfupdate v0.3.1/go.mod h1:b8ThJzzH7u2MkF6PcIra7KaXO9Khf6alWPvMSyTDCFM=
 github.com/minio/sha256-simd v0.1.1/go.mod h1:B5e1o+1/KgNmWrSQK08Y6Z1Vb5pwIktudl0J58iy0KM=
@@ -1025,8 +1023,6 @@ github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndr
 github.com/posener/complete v1.2.3 h1:NP0eAhjcjImqslEwo/1hq7gpajME0fTLTezBKDqfXqo=
 github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s=
 github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
-github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 h1:J9b7z+QKAmPf4YLrFg6oQUotqHQeUNWwkvo7jZp1GLU=
-github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
 github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.44.1/go.mod h1:3WYi4xqXxGGXWDdQIITnLNmuDzO5n6wYva9spVhR4fg=
 github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.46.0/go.mod h1:3WYi4xqXxGGXWDdQIITnLNmuDzO5n6wYva9spVhR4fg=
 github.com/prometheus-operator/prometheus-operator/pkg/client v0.46.0/go.mod h1:k4BrWlVQQsvBiTcDnKEMgyh/euRxyxgrHdur/ZX/sdA=
@@ -1062,8 +1058,9 @@ github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsT
 github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A=
 github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
 github.com/prometheus/procfs v0.2.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
-github.com/prometheus/procfs v0.6.0 h1:mxy4L2jP6qMonqmq+aTtOx1ifVWUgG/TAmntgbh3xv4=
 github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
+github.com/prometheus/procfs v0.7.3 h1:4jVXhlkAyzOScmCkXBTOLRLTz8EeU+eyjrwB/EPq0VU=
+github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/quasilyte/go-consistent v0.0.0-20190521200055-c6f3937de18c/go.mod h1:5STLWrekHfjyYwxBRVRXNOSewLJ3PWfDJd1VyTS21fI=
 github.com/quasilyte/go-ruleguard v0.1.2-0.20200318202121-b00d7a75d3d8/go.mod h1:CGFX09Ci3pq9QZdj86B+VGIdNj4VyCo2iPOGS9esB/k=
@@ -1208,10 +1205,12 @@ github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4A
 github.com/ulikunitz/xz v0.5.7/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/ultraware/funlen v0.0.2/go.mod h1:Dp4UiAus7Wdb9KUZsYWZEWiRzGuM2kXM1lPbfaF6xhA=
 github.com/ultraware/whitespace v0.0.4/go.mod h1:aVMh/gQve5Maj9hQ/hg+F75lr/X5A89uZnzAmWSineA=
-github.com/unrolled/secure v1.0.7 h1:BcQHp3iKZyZCKj5gRqwQG+5urnGBF00wGgoPPwtheVQ=
-github.com/unrolled/secure v1.0.7/go.mod h1:uGc1OcRF8gCVBA+ANksKmvM85Hka6SZtQIbrKc3sHS4=
+github.com/unrolled/secure v1.0.9 h1:BWRuEb1vDrBFFDdbCnKkof3gZ35I/bnHGyt0LB0TNyQ=
+github.com/unrolled/secure v1.0.9/go.mod h1:fO+mEan+FLB0CdEnHf6Q4ZZVNqG+5fuLFnP8p0BXDPI=
 github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
+github.com/urfave/negroni v1.0.0 h1:kIimOitoypq34K7TG7DUaJ9kq/N4Ofuwi1sjz0KipXc=
+github.com/urfave/negroni v1.0.0/go.mod h1:Meg73S6kFm/4PpbYdq35yYWoCZ9mS/YSx+lKnmiohz4=
 github.com/uudashr/gocognit v1.0.1/go.mod h1:j44Ayx2KW4+oB6SWMv8KsmHzZrOInQav7D3cQMJ5JUM=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/valyala/fasthttp v1.2.0/go.mod h1:4vX61m6KN+xDduDNwXrhIAVZaZaZiQ1luJk8LWSxF3s=
@@ -1715,7 +1714,6 @@ gopkg.in/ini.v1 v1.57.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
-gopkg.in/square/go-jose.v2 v2.3.1 h1:SK5KegNXmKmqE342YYN2qPHEnUYeoMiXXl1poUlI+o4=
 gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
--- a/integration/buckets_test.go
+++ b/integration/buckets_test.go
@@ -0,0 +1,340 @@
+// This file is part of MinIO Console Server
+// Copyright (c) 2021 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package integration
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"net/http"
+	"os"
+	"strconv"
+	"testing"
+	"time"
+
+	"github.com/go-openapi/loads"
+	"github.com/minio/console/restapi"
+	"github.com/minio/console/restapi/operations"
+
+	"github.com/minio/console/models"
+
+	"github.com/stretchr/testify/assert"
+)
+
+var token string
+
+func initConsoleServer() (*restapi.Server, error) {
+
+	//os.Setenv("CONSOLE_MINIO_SERVER", "localhost:9000")
+
+	swaggerSpec, err := loads.Embedded(restapi.SwaggerJSON, restapi.FlatSwaggerJSON)
+	if err != nil {
+		return nil, err
+	}
+
+	noLog := func(string, ...interface{}) {
+		// nothing to log
+	}
+
+	// Initialize MinIO loggers
+	restapi.LogInfo = noLog
+	restapi.LogError = noLog
+
+	api := operations.NewConsoleAPI(swaggerSpec)
+	api.Logger = noLog
+
+	server := restapi.NewServer(api)
+	// register all APIs
+	server.ConfigureAPI()
+
+	//restapi.GlobalRootCAs, restapi.GlobalPublicCerts, restapi.GlobalTLSCertsManager = globalRootCAs, globalPublicCerts, globalTLSCerts
+
+	consolePort, _ := strconv.Atoi("9090")
+
+	server.Host = "0.0.0.0"
+	server.Port = consolePort
+	restapi.Port = "9090"
+	restapi.Hostname = "0.0.0.0"
+
+	return server, nil
+}
+
+func TestMain(m *testing.M) {
+
+	// start console server
+	go func() {
+		fmt.Println("start server")
+		srv, err := initConsoleServer()
+		if err != nil {
+			log.Println(err)
+			log.Println("init fail")
+			return
+		}
+		srv.Serve()
+
+	}()
+
+	fmt.Println("sleeping")
+	time.Sleep(2 * time.Second)
+
+	client := &http.Client{
+		Timeout: 2 * time.Second,
+	}
+	// get login credentials
+
+	requestData := map[string]string{
+		"accessKey": "minioadmin",
+		"secretKey": "minioadmin",
+	}
+
+	requestDataJSON, _ := json.Marshal(requestData)
+
+	requestDataBody := bytes.NewReader(requestDataJSON)
+
+	request, err := http.NewRequest("POST", "http://localhost:9090/api/v1/login", requestDataBody)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+
+	request.Header.Add("Content-Type", "application/json")
+
+	response, err := client.Do(request)
+
+	if err != nil {
+		log.Println(err)
+		return
+	}
+
+	if response != nil {
+		bodyBytes, _ := ioutil.ReadAll(response.Body)
+
+		loginResponse := models.LoginResponse{}
+		err = json.Unmarshal(bodyBytes, &loginResponse)
+		if err != nil {
+			log.Println(err)
+		}
+
+		token = loginResponse.SessionID
+
+	}
+
+	code := m.Run()
+
+	requestDataAdd := map[string]interface{}{
+		"name": "test1",
+	}
+
+	requestDataJSON, _ = json.Marshal(requestDataAdd)
+
+	requestDataBody = bytes.NewReader(requestDataJSON)
+
+	// get list of buckets
+	request, err = http.NewRequest("DELETE", "http://localhost:9090/api/v1/buckets/test1", requestDataBody)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+
+	request.Header.Add("Cookie", fmt.Sprintf("token=%s", token))
+	request.Header.Add("Content-Type", "application/json")
+
+	response, err = client.Do(request)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+
+	if response != nil {
+		fmt.Println("DELETE StatusCode:", response.StatusCode)
+	}
+
+	os.Exit(code)
+}
+
+func TestAddBucket(t *testing.T) {
+	assert := assert.New(t)
+
+	client := &http.Client{
+		Timeout: 2 * time.Second,
+	}
+
+	requestDataAdd := map[string]interface{}{
+		"name":       "test1",
+		"versioning": false,
+		"locking":    false,
+	}
+
+	requestDataJSON, _ := json.Marshal(requestDataAdd)
+
+	requestDataBody := bytes.NewReader(requestDataJSON)
+
+	// get list of buckets
+	request, err := http.NewRequest("POST", "http://localhost:9090/api/v1/buckets", requestDataBody)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+
+	request.Header.Add("Cookie", fmt.Sprintf("token=%s", token))
+	request.Header.Add("Content-Type", "application/json")
+
+	response, err := client.Do(request)
+	assert.Nil(err)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+
+	if response != nil {
+		assert.Equal(201, response.StatusCode, "Status Code is incorrect")
+	}
+}
+
+func TestBucketVersioning(t *testing.T) {
+	assert := assert.New(t)
+
+	client := &http.Client{
+		Timeout: 2 * time.Second,
+	}
+
+	request, err := http.NewRequest("GET", "http://localhost:9090/api/v1/session", nil)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+
+	request.Header.Add("Cookie", fmt.Sprintf("token=%s", token))
+
+	response, err := client.Do(request)
+	assert.Nil(err)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+	var distributedSystem bool
+
+	if response != nil {
+
+		bodyBytes, _ := ioutil.ReadAll(response.Body)
+
+		sessionResponse := models.SessionResponse{}
+		err = json.Unmarshal(bodyBytes, &sessionResponse)
+		if err != nil {
+			log.Println(err)
+		}
+
+		distributedSystem = sessionResponse.DistributedMode
+
+	}
+
+	requestDataVersioning := map[string]interface{}{
+		"name":       "test2",
+		"versioning": true,
+		"locking":    false,
+	}
+
+	requestDataJSON, _ := json.Marshal(requestDataVersioning)
+
+	requestDataBody := bytes.NewReader(requestDataJSON)
+
+	request, err = http.NewRequest("POST", "http://localhost:9090/api/v1/buckets", requestDataBody)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+
+	request.Header.Add("Cookie", fmt.Sprintf("token=%s", token))
+	request.Header.Add("Content-Type", "application/json")
+
+	response, err = client.Do(request)
+	assert.Nil(err)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+
+	fmt.Println("Versioned bucket creation test status:", response.Status)
+	if distributedSystem {
+		assert.Equal(201, response.StatusCode, "Versioning test Status Code is incorrect - bucket failed to create")
+	} else {
+		assert.NotEqual(201, response.StatusCode, "Versioning test Status Code is incorrect -  versioned bucket created on non-distributed system")
+	}
+
+	request, err = http.NewRequest("DELETE", "http://localhost:9090/api/v1/buckets/test2", requestDataBody)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+
+	request.Header.Add("Cookie", fmt.Sprintf("token=%s", token))
+	request.Header.Add("Content-Type", "application/json")
+
+	response, err = client.Do(request)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+
+	if response != nil {
+		fmt.Println("DELETE StatusCode:", response.StatusCode)
+	}
+
+}
+
+func TestBucketsGet(t *testing.T) {
+	assert := assert.New(t)
+
+	client := &http.Client{
+		Timeout: 2 * time.Second,
+	}
+
+	// get list of buckets
+	request, err := http.NewRequest("GET", "http://localhost:9090/api/v1/buckets", nil)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+
+	request.Header.Add("Cookie", fmt.Sprintf("token=%s", token))
+
+	response, err := client.Do(request)
+	assert.Nil(err)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+
+	if response != nil {
+		assert.Equal(200, response.StatusCode, "Status Code is incorrect")
+		bodyBytes, _ := ioutil.ReadAll(response.Body)
+
+		listBuckets := models.ListBucketsResponse{}
+		err = json.Unmarshal(bodyBytes, &listBuckets)
+		if err != nil {
+			log.Println(err)
+			assert.Nil(err)
+		}
+
+		assert.Greater(len(listBuckets.Buckets), 0, "No bucket was returned")
+		assert.Greater(listBuckets.Total, int64(0), "Total buckets is 0")
+
+	}
+
+}
--- a/integration/login_test.go
+++ b/integration/login_test.go
@@ -0,0 +1,71 @@
+// This file is part of MinIO Console Server
+// Copyright (c) 2021 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package integration
+
+import (
+	"encoding/json"
+	"io/ioutil"
+	"log"
+	"net/http"
+	"testing"
+	"time"
+
+	"github.com/minio/console/models"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestLoginStrategy(t *testing.T) {
+	assert := assert.New(t)
+
+	// image for now:
+	// minio: 9000
+	// console: 9090
+
+	client := &http.Client{
+		Timeout: 2 * time.Second,
+	}
+	// copy query params
+	request, err := http.NewRequest("GET", "http://localhost:9090/api/v1/login", nil)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+
+	response, err := client.Do(request)
+	assert.Nil(err)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+
+	if response != nil {
+		bodyBytes, _ := ioutil.ReadAll(response.Body)
+
+		loginDetails := models.LoginDetails{}
+
+		err = json.Unmarshal(bodyBytes, &loginDetails)
+		if err != nil {
+			log.Println(err)
+		}
+		assert.Nil(err)
+
+		assert.Equal(models.LoginDetailsLoginStrategyForm, loginDetails.LoginStrategy, "Login Details don't match")
+
+	}
+
+}
--- a/k8s/console/base/console-cluster-role-binding.yaml
+++ b/k8s/console/base/console-cluster-role-binding.yaml
@@ -1,12 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: console-sa-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: console-sa-role
-subjects:
-  - kind: ServiceAccount
-    name: console-sa
-    namespace: default
--- a/k8s/console/base/console-cluster-role.yaml
+++ b/k8s/console/base/console-cluster-role.yaml
@@ -1,222 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: console-sa-role
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    verbs:
-      - get
-      - watch
-      - create
-      - list
-      - patch
-      - update
-      - deletecollection
-  - apiGroups:
-      - ""
-    resources:
-      - namespaces
-      - pods
-      - services
-      - events
-      - resourcequotas
-      - nodes
-    verbs:
-      - get
-      - watch
-      - create
-      - list
-      - patch
-  - apiGroups:
-      - ""
-    resources:
-      - persistentvolumeclaims
-    verbs:
-      - deletecollection
-      - list
-      - get
-      - watch
-      - update
-  - apiGroups:
-      - "storage.k8s.io"
-    resources:
-      - storageclasses
-    verbs:
-      - get
-      - watch
-      - create
-      - list
-      - patch
-  - apiGroups:
-      - apps
-    resources:
-      - statefulsets
-      - deployments
-    verbs:
-      - get
-      - create
-      - list
-      - patch
-      - watch
-      - update
-      - delete
-  - apiGroups:
-      - batch
-    resources:
-      - jobs
-    verbs:
-      - get
-      - create
-      - list
-      - patch
-      - watch
-      - update
-      - delete
-  - apiGroups:
-      - "certificates.k8s.io"
-    resources:
-      - "certificatesigningrequests"
-      - "certificatesigningrequests/approval"
-      - "certificatesigningrequests/status"
-    verbs:
-      - update
-      - create
-      - get
-  - apiGroups:
-      - minio.min.io
-    resources:
-      - "*"
-    verbs:
-      - "*"
-  - apiGroups:
-      - min.io
-    resources:
-      - "*"
-    verbs:
-      - "*"
-  - apiGroups:
-    - ""
-    resources:
-    - persistentvolumes
-    verbs:
-    - get
-    - list
-    - watch
-    - create
-    - delete
-  - apiGroups:
-    - ""
-    resources:
-    - persistentvolumeclaims
-    verbs:
-    - get
-    - list
-    - watch
-    - update
-  - apiGroups:
-    - ""
-    resources:
-    - events
-    verbs:
-    - create
-    - list
-    - watch
-    - update
-    - patch
-  - apiGroups:
-    - snapshot.storage.k8s.io
-    resources:
-    - volumesnapshots
-    verbs:
-    - get
-    - list
-  - apiGroups:
-    - snapshot.storage.k8s.io
-    resources:
-    - volumesnapshotcontents
-    verbs:
-    - get
-    - list
-  - apiGroups:
-    - storage.k8s.io
-    resources:
-    - csinodes
-    verbs:
-    - get
-    - list
-    - watch
-  - apiGroups:
-    - storage.k8s.io
-    resources:
-    - volumeattachments
-    verbs:
-    - get
-    - list
-    - watch
-  - apiGroups:
-    - ""
-    resources:
-    - endpoints
-    verbs:
-    - get
-    - list
-    - watch
-    - create
-    - update
-    - delete
-  - apiGroups:
-    - coordination.k8s.io
-    resources:
-    - leases
-    verbs:
-    - get
-    - list
-    - watch
-    - create
-    - update
-    - delete
-  - apiGroups:
-    - direct.csi.min.io
-    resources:
-    - volumes
-    verbs:
-    - get
-    - list
-    - watch
-    - create
-    - update
-    - delete
-  - apiGroups:
-    - apiextensions.k8s.io
-    resources:
-    - customresourcedefinitions
-    verbs:
-    - get
-    - list
-    - watch
-    - create
-    - update
-    - delete
-  - apiGroups:
-    - direct.csi.min.io
-    resources:
-    - directcsidrives
-    - directcsivolumes
-    verbs:
-    - get
-    - list
-    - watch
-    - create
-    - update
-    - delete
-  - apiGroups:
-    - ""
-    resources:
-    - pod
-    verbs:
-    - get
-    - list
-    - watch
--- a/k8s/console/base/console-configmap.yaml
+++ b/k8s/console/base/console-configmap.yaml
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: console-env
-data:
-  CONSOLE_PORT: "9090"
-  CONSOLE_TLS_PORT: "9443"
--- a/k8s/console/base/console-deployment.yaml
+++ b/k8s/console/base/console-deployment.yaml
@@ -1,26 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: console
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: console
-  template:
-    metadata:
-      labels:
-        app: console
-    spec:
-      serviceAccountName: console-sa
-      containers:
-        - name: console
-          image: minio/console:v0.8.0
-          imagePullPolicy: "IfNotPresent"
-          args:
-            - server
-          ports:
-            - containerPort: 9090
-              name: http
-            - containerPort: 9433
-              name: https
--- a/k8s/console/base/console-service-account.yaml
+++ b/k8s/console/base/console-service-account.yaml
@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: console-sa
-  namespace: default
--- a/k8s/console/base/console-service.yaml
+++ b/k8s/console/base/console-service.yaml
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: console
-  labels:
-    name: console
-spec:
-  ports:
-    - port: 9090
-      name: http
-    - port: 9443
-      name: https
-  selector:
-    app: console
--- a/k8s/console/base/kustomization.yaml
+++ b/k8s/console/base/kustomization.yaml
@@ -1,11 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-# beginning of customizations
-resources:
-  - console-service-account.yaml
-  - console-cluster-role.yaml
-  - console-cluster-role-binding.yaml
-  - console-configmap.yaml
-  - console-service.yaml
-  - console-deployment.yaml
-  - https://github.com/minio/operator/?ref=v3.0.10
--- a/k8s/operator-console/base/console-cluster-role.yaml
+++ b/k8s/operator-console/base/console-cluster-role.yaml
@@ -19,7 +19,6 @@ rules:
      - ""
    resources:
      - namespaces
-      - pods
      - services
      - events
      - resourcequotas
@@ -30,6 +29,18 @@ rules:
      - create
      - list
      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - watch
+      - create
+      - list
+      - patch
+      - delete
+      - deletecollection
  - apiGroups:
      - ""
    resources:
--- a/k8s/operator-console/base/console-deployment.yaml
+++ b/k8s/operator-console/base/console-deployment.yaml
@@ -15,7 +15,7 @@ spec:
      serviceAccountName: console-sa
      containers:
        - name: console
-          image: minio/console:v0.8.0
+          image: minio/console:v0.10.4
          imagePullPolicy: "IfNotPresent"
          env:
            - name: CONSOLE_OPERATOR_MODE
--- a/models/access_rule.go
+++ b/models/access_rule.go
@@ -0,0 +1,70 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2021 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package models
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+)
+
+// AccessRule access rule
+//
+// swagger:model accessRule
+type AccessRule struct {
+
+	// access
+	Access string `json:"access,omitempty"`
+
+	// prefix
+	Prefix string `json:"prefix,omitempty"`
+}
+
+// Validate validates this access rule
+func (m *AccessRule) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// ContextValidate validates this access rule based on context it is used
+func (m *AccessRule) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *AccessRule) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *AccessRule) UnmarshalBinary(b []byte) error {
+	var res AccessRule
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
--- a/models/add_user_request.go
+++ b/models/add_user_request.go
@@ -44,6 +44,10 @@ type AddUserRequest struct {
 	// Required: true
 	Groups []string `json:"groups"`

+	// policies
+	// Required: true
+	Policies []string `json:"policies"`
+
 	// secret key
 	// Required: true
 	SecretKey *string `json:"secretKey"`
@@ -61,6 +65,10 @@ func (m *AddUserRequest) Validate(formats strfmt.Registry) error {
 		res = append(res, err)
 	}

+	if err := m.validatePolicies(formats); err != nil {
+		res = append(res, err)
+	}
+
 	if err := m.validateSecretKey(formats); err != nil {
 		res = append(res, err)
 	}
@@ -89,6 +97,15 @@ func (m *AddUserRequest) validateGroups(formats strfmt.Registry) error {
 	return nil
 }

+func (m *AddUserRequest) validatePolicies(formats strfmt.Registry) error {
+
+	if err := validate.Required("policies", "body", m.Policies); err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func (m *AddUserRequest) validateSecretKey(formats strfmt.Registry) error {

 	if err := validate.Required("secretKey", "body", m.SecretKey); err != nil {
--- a/models/admin_info_response.go
+++ b/models/admin_info_response.go
@@ -42,6 +42,9 @@ type AdminInfoResponse struct {
 	// objects
 	Objects int64 `json:"objects,omitempty"`

+	// servers
+	Servers []*ServerProperties `json:"servers"`
+
 	// usage
 	Usage int64 `json:"usage,omitempty"`

@@ -53,6 +56,10 @@ type AdminInfoResponse struct {
 func (m *AdminInfoResponse) Validate(formats strfmt.Registry) error {
 	var res []error

+	if err := m.validateServers(formats); err != nil {
+		res = append(res, err)
+	}
+
 	if err := m.validateWidgets(formats); err != nil {
 		res = append(res, err)
 	}
@@ -63,6 +70,30 @@ func (m *AdminInfoResponse) Validate(formats strfmt.Registry) error {
 	return nil
 }

+func (m *AdminInfoResponse) validateServers(formats strfmt.Registry) error {
+	if swag.IsZero(m.Servers) { // not required
+		return nil
+	}
+
+	for i := 0; i < len(m.Servers); i++ {
+		if swag.IsZero(m.Servers[i]) { // not required
+			continue
+		}
+
+		if m.Servers[i] != nil {
+			if err := m.Servers[i].Validate(formats); err != nil {
+				if ve, ok := err.(*errors.Validation); ok {
+					return ve.ValidateName("servers" + "." + strconv.Itoa(i))
+				}
+				return err
+			}
+		}
+
+	}
+
+	return nil
+}
+
 func (m *AdminInfoResponse) validateWidgets(formats strfmt.Registry) error {
 	if swag.IsZero(m.Widgets) { // not required
 		return nil
@@ -91,6 +122,10 @@ func (m *AdminInfoResponse) validateWidgets(formats strfmt.Registry) error {
 func (m *AdminInfoResponse) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
 	var res []error

+	if err := m.contextValidateServers(ctx, formats); err != nil {
+		res = append(res, err)
+	}
+
 	if err := m.contextValidateWidgets(ctx, formats); err != nil {
 		res = append(res, err)
 	}
@@ -101,6 +136,24 @@ func (m *AdminInfoResponse) ContextValidate(ctx context.Context, formats strfmt.
 	return nil
 }

+func (m *AdminInfoResponse) contextValidateServers(ctx context.Context, formats strfmt.Registry) error {
+
+	for i := 0; i < len(m.Servers); i++ {
+
+		if m.Servers[i] != nil {
+			if err := m.Servers[i].ContextValidate(ctx, formats); err != nil {
+				if ve, ok := err.(*errors.Validation); ok {
+					return ve.ValidateName("servers" + "." + strconv.Itoa(i))
+				}
+				return err
+			}
+		}
+
+	}
+
+	return nil
+}
+
 func (m *AdminInfoResponse) contextValidateWidgets(ctx context.Context, formats strfmt.Registry) error {

 	for i := 0; i < len(m.Widgets); i++ {
--- a/models/azure_configuration.go
+++ b/models/azure_configuration.go
@@ -0,0 +1,313 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2021 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package models
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+	"github.com/go-openapi/validate"
+)
+
+// AzureConfiguration azure configuration
+//
+// swagger:model azureConfiguration
+type AzureConfiguration struct {
+
+	// keyvault
+	// Required: true
+	Keyvault *AzureConfigurationKeyvault `json:"keyvault"`
+}
+
+// Validate validates this azure configuration
+func (m *AzureConfiguration) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateKeyvault(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *AzureConfiguration) validateKeyvault(formats strfmt.Registry) error {
+
+	if err := validate.Required("keyvault", "body", m.Keyvault); err != nil {
+		return err
+	}
+
+	if m.Keyvault != nil {
+		if err := m.Keyvault.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("keyvault")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+// ContextValidate validate this azure configuration based on the context it is used
+func (m *AzureConfiguration) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.contextValidateKeyvault(ctx, formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *AzureConfiguration) contextValidateKeyvault(ctx context.Context, formats strfmt.Registry) error {
+
+	if m.Keyvault != nil {
+		if err := m.Keyvault.ContextValidate(ctx, formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("keyvault")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *AzureConfiguration) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *AzureConfiguration) UnmarshalBinary(b []byte) error {
+	var res AzureConfiguration
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
+
+// AzureConfigurationKeyvault azure configuration keyvault
+//
+// swagger:model AzureConfigurationKeyvault
+type AzureConfigurationKeyvault struct {
+
+	// credentials
+	Credentials *AzureConfigurationKeyvaultCredentials `json:"credentials,omitempty"`
+
+	// endpoint
+	// Required: true
+	Endpoint *string `json:"endpoint"`
+}
+
+// Validate validates this azure configuration keyvault
+func (m *AzureConfigurationKeyvault) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateCredentials(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateEndpoint(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *AzureConfigurationKeyvault) validateCredentials(formats strfmt.Registry) error {
+	if swag.IsZero(m.Credentials) { // not required
+		return nil
+	}
+
+	if m.Credentials != nil {
+		if err := m.Credentials.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("keyvault" + "." + "credentials")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *AzureConfigurationKeyvault) validateEndpoint(formats strfmt.Registry) error {
+
+	if err := validate.Required("keyvault"+"."+"endpoint", "body", m.Endpoint); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// ContextValidate validate this azure configuration keyvault based on the context it is used
+func (m *AzureConfigurationKeyvault) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.contextValidateCredentials(ctx, formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *AzureConfigurationKeyvault) contextValidateCredentials(ctx context.Context, formats strfmt.Registry) error {
+
+	if m.Credentials != nil {
+		if err := m.Credentials.ContextValidate(ctx, formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("keyvault" + "." + "credentials")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *AzureConfigurationKeyvault) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *AzureConfigurationKeyvault) UnmarshalBinary(b []byte) error {
+	var res AzureConfigurationKeyvault
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
+
+// AzureConfigurationKeyvaultCredentials azure configuration keyvault credentials
+//
+// swagger:model AzureConfigurationKeyvaultCredentials
+type AzureConfigurationKeyvaultCredentials struct {
+
+	// client id
+	// Required: true
+	ClientID *string `json:"client_id"`
+
+	// client secret
+	// Required: true
+	ClientSecret *string `json:"client_secret"`
+
+	// tenant id
+	// Required: true
+	TenantID *string `json:"tenant_id"`
+}
+
+// Validate validates this azure configuration keyvault credentials
+func (m *AzureConfigurationKeyvaultCredentials) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateClientID(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateClientSecret(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateTenantID(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *AzureConfigurationKeyvaultCredentials) validateClientID(formats strfmt.Registry) error {
+
+	if err := validate.Required("keyvault"+"."+"credentials"+"."+"client_id", "body", m.ClientID); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (m *AzureConfigurationKeyvaultCredentials) validateClientSecret(formats strfmt.Registry) error {
+
+	if err := validate.Required("keyvault"+"."+"credentials"+"."+"client_secret", "body", m.ClientSecret); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (m *AzureConfigurationKeyvaultCredentials) validateTenantID(formats strfmt.Registry) error {
+
+	if err := validate.Required("keyvault"+"."+"credentials"+"."+"tenant_id", "body", m.TenantID); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// ContextValidate validates this azure configuration keyvault credentials based on context it is used
+func (m *AzureConfigurationKeyvaultCredentials) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *AzureConfigurationKeyvaultCredentials) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *AzureConfigurationKeyvaultCredentials) UnmarshalBinary(b []byte) error {
+	var res AzureConfigurationKeyvaultCredentials
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
--- a/models/bucket.go
+++ b/models/bucket.go
@@ -24,6 +24,7 @@ package models

 import (
 	"context"
+	"encoding/json"

 	"github.com/go-openapi/errors"
 	"github.com/go-openapi/strfmt"
@@ -42,11 +43,20 @@ type Bucket struct {
 	// creation date
 	CreationDate string `json:"creation_date,omitempty"`

+	// details
+	Details *BucketDetails `json:"details,omitempty"`
+
 	// name
 	// Required: true
 	// Min Length: 3
 	Name *string `json:"name"`

+	// objects
+	Objects int64 `json:"objects,omitempty"`
+
+	// rw access
+	RwAccess *BucketRwAccess `json:"rw_access,omitempty"`
+
 	// size
 	Size int64 `json:"size,omitempty"`
 }
@@ -59,10 +69,18 @@ func (m *Bucket) Validate(formats strfmt.Registry) error {
 		res = append(res, err)
 	}

+	if err := m.validateDetails(formats); err != nil {
+		res = append(res, err)
+	}
+
 	if err := m.validateName(formats); err != nil {
 		res = append(res, err)
 	}

+	if err := m.validateRwAccess(formats); err != nil {
+		res = append(res, err)
+	}
+
 	if len(res) > 0 {
 		return errors.CompositeValidationError(res...)
 	}
@@ -86,6 +104,23 @@ func (m *Bucket) validateAccess(formats strfmt.Registry) error {
 	return nil
 }

+func (m *Bucket) validateDetails(formats strfmt.Registry) error {
+	if swag.IsZero(m.Details) { // not required
+		return nil
+	}
+
+	if m.Details != nil {
+		if err := m.Details.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("details")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
 func (m *Bucket) validateName(formats strfmt.Registry) error {

 	if err := validate.Required("name", "body", m.Name); err != nil {
@@ -99,6 +134,23 @@ func (m *Bucket) validateName(formats strfmt.Registry) error {
 	return nil
 }

+func (m *Bucket) validateRwAccess(formats strfmt.Registry) error {
+	if swag.IsZero(m.RwAccess) { // not required
+		return nil
+	}
+
+	if m.RwAccess != nil {
+		if err := m.RwAccess.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("rw_access")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
 // ContextValidate validate this bucket based on the context it is used
 func (m *Bucket) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
 	var res []error
@@ -107,6 +159,14 @@ func (m *Bucket) ContextValidate(ctx context.Context, formats strfmt.Registry) e
 		res = append(res, err)
 	}

+	if err := m.contextValidateDetails(ctx, formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.contextValidateRwAccess(ctx, formats); err != nil {
+		res = append(res, err)
+	}
+
 	if len(res) > 0 {
 		return errors.CompositeValidationError(res...)
 	}
@@ -127,6 +187,34 @@ func (m *Bucket) contextValidateAccess(ctx context.Context, formats strfmt.Regis
 	return nil
 }

+func (m *Bucket) contextValidateDetails(ctx context.Context, formats strfmt.Registry) error {
+
+	if m.Details != nil {
+		if err := m.Details.ContextValidate(ctx, formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("details")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *Bucket) contextValidateRwAccess(ctx context.Context, formats strfmt.Registry) error {
+
+	if m.RwAccess != nil {
+		if err := m.RwAccess.ContextValidate(ctx, formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("rw_access")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
 // MarshalBinary interface implementation
 func (m *Bucket) MarshalBinary() ([]byte, error) {
 	if m == nil {
@@ -144,3 +232,236 @@ func (m *Bucket) UnmarshalBinary(b []byte) error {
 	*m = res
 	return nil
 }
+
+// BucketDetails bucket details
+//
+// swagger:model BucketDetails
+type BucketDetails struct {
+
+	// locking
+	Locking bool `json:"locking,omitempty"`
+
+	// quota
+	Quota *BucketDetailsQuota `json:"quota,omitempty"`
+
+	// replication
+	Replication bool `json:"replication,omitempty"`
+
+	// tags
+	Tags map[string]string `json:"tags,omitempty"`
+
+	// versioning
+	Versioning bool `json:"versioning,omitempty"`
+
+	// versioning suspended
+	VersioningSuspended bool `json:"versioningSuspended,omitempty"`
+}
+
+// Validate validates this bucket details
+func (m *BucketDetails) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateQuota(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *BucketDetails) validateQuota(formats strfmt.Registry) error {
+	if swag.IsZero(m.Quota) { // not required
+		return nil
+	}
+
+	if m.Quota != nil {
+		if err := m.Quota.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("details" + "." + "quota")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+// ContextValidate validate this bucket details based on the context it is used
+func (m *BucketDetails) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.contextValidateQuota(ctx, formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *BucketDetails) contextValidateQuota(ctx context.Context, formats strfmt.Registry) error {
+
+	if m.Quota != nil {
+		if err := m.Quota.ContextValidate(ctx, formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("details" + "." + "quota")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *BucketDetails) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *BucketDetails) UnmarshalBinary(b []byte) error {
+	var res BucketDetails
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
+
+// BucketDetailsQuota bucket details quota
+//
+// swagger:model BucketDetailsQuota
+type BucketDetailsQuota struct {
+
+	// quota
+	Quota int64 `json:"quota,omitempty"`
+
+	// type
+	// Enum: [fifo hard]
+	Type string `json:"type,omitempty"`
+}
+
+// Validate validates this bucket details quota
+func (m *BucketDetailsQuota) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateType(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+var bucketDetailsQuotaTypeTypePropEnum []interface{}
+
+func init() {
+	var res []string
+	if err := json.Unmarshal([]byte(`["fifo","hard"]`), &res); err != nil {
+		panic(err)
+	}
+	for _, v := range res {
+		bucketDetailsQuotaTypeTypePropEnum = append(bucketDetailsQuotaTypeTypePropEnum, v)
+	}
+}
+
+const (
+
+	// BucketDetailsQuotaTypeFifo captures enum value "fifo"
+	BucketDetailsQuotaTypeFifo string = "fifo"
+
+	// BucketDetailsQuotaTypeHard captures enum value "hard"
+	BucketDetailsQuotaTypeHard string = "hard"
+)
+
+// prop value enum
+func (m *BucketDetailsQuota) validateTypeEnum(path, location string, value string) error {
+	if err := validate.EnumCase(path, location, value, bucketDetailsQuotaTypeTypePropEnum, true); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (m *BucketDetailsQuota) validateType(formats strfmt.Registry) error {
+	if swag.IsZero(m.Type) { // not required
+		return nil
+	}
+
+	// value enum
+	if err := m.validateTypeEnum("details"+"."+"quota"+"."+"type", "body", m.Type); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// ContextValidate validates this bucket details quota based on context it is used
+func (m *BucketDetailsQuota) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *BucketDetailsQuota) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *BucketDetailsQuota) UnmarshalBinary(b []byte) error {
+	var res BucketDetailsQuota
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
+
+// BucketRwAccess bucket rw access
+//
+// swagger:model BucketRwAccess
+type BucketRwAccess struct {
+
+	// read
+	Read bool `json:"read,omitempty"`
+
+	// write
+	Write bool `json:"write,omitempty"`
+}
+
+// Validate validates this bucket rw access
+func (m *BucketRwAccess) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// ContextValidate validates this bucket rw access based on context it is used
+func (m *BucketRwAccess) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *BucketRwAccess) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *BucketRwAccess) UnmarshalBinary(b []byte) error {
+	var res BucketRwAccess
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
--- a/models/bucket_object.go
+++ b/models/bucket_object.go
@@ -55,6 +55,9 @@ type BucketObject struct {
 	// legal hold status
 	LegalHoldStatus string `json:"legal_hold_status,omitempty"`

+	// metadata
+	Metadata map[string]string `json:"metadata,omitempty"`
+
 	// name
 	Name string `json:"name,omitempty"`

@@ -70,6 +73,9 @@ type BucketObject struct {
 	// tags
 	Tags map[string]string `json:"tags,omitempty"`

+	// user metadata
+	UserMetadata map[string]string `json:"user_metadata,omitempty"`
+
 	// user tags
 	UserTags map[string]string `json:"user_tags,omitempty"`

--- a/models/console_configuration.go
+++ b/models/console_configuration.go
@@ -1,134 +0,0 @@
-// Code generated by go-swagger; DO NOT EDIT.
-
-// This file is part of MinIO Console Server
-// Copyright (c) 2021 MinIO, Inc.
-//
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Affero General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU Affero General Public License for more details.
-//
-// You should have received a copy of the GNU Affero General Public License
-// along with this program.  If not, see <http://www.gnu.org/licenses/>.
-//
-
-package models
-
-// This file was generated by the swagger tool.
-// Editing this file might prove futile when you re-run the swagger generate command
-
-import (
-	"context"
-
-	"github.com/go-openapi/errors"
-	"github.com/go-openapi/strfmt"
-	"github.com/go-openapi/swag"
-)
-
-// ConsoleConfiguration console configuration
-//
-// swagger:model consoleConfiguration
-type ConsoleConfiguration struct {
-	MetadataFields
-
-	// image
-	Image string `json:"image,omitempty"`
-}
-
-// UnmarshalJSON unmarshals this object from a JSON structure
-func (m *ConsoleConfiguration) UnmarshalJSON(raw []byte) error {
-	// AO0
-	var aO0 MetadataFields
-	if err := swag.ReadJSON(raw, &aO0); err != nil {
-		return err
-	}
-	m.MetadataFields = aO0
-
-	// AO1
-	var dataAO1 struct {
-		Image string `json:"image,omitempty"`
-	}
-	if err := swag.ReadJSON(raw, &dataAO1); err != nil {
-		return err
-	}
-
-	m.Image = dataAO1.Image
-
-	return nil
-}
-
-// MarshalJSON marshals this object to a JSON structure
-func (m ConsoleConfiguration) MarshalJSON() ([]byte, error) {
-	_parts := make([][]byte, 0, 2)
-
-	aO0, err := swag.WriteJSON(m.MetadataFields)
-	if err != nil {
-		return nil, err
-	}
-	_parts = append(_parts, aO0)
-	var dataAO1 struct {
-		Image string `json:"image,omitempty"`
-	}
-
-	dataAO1.Image = m.Image
-
-	jsonDataAO1, errAO1 := swag.WriteJSON(dataAO1)
-	if errAO1 != nil {
-		return nil, errAO1
-	}
-	_parts = append(_parts, jsonDataAO1)
-	return swag.ConcatJSON(_parts...), nil
-}
-
-// Validate validates this console configuration
-func (m *ConsoleConfiguration) Validate(formats strfmt.Registry) error {
-	var res []error
-
-	// validation for a type composition with MetadataFields
-	if err := m.MetadataFields.Validate(formats); err != nil {
-		res = append(res, err)
-	}
-
-	if len(res) > 0 {
-		return errors.CompositeValidationError(res...)
-	}
-	return nil
-}
-
-// ContextValidate validate this console configuration based on the context it is used
-func (m *ConsoleConfiguration) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
-	var res []error
-
-	// validation for a type composition with MetadataFields
-	if err := m.MetadataFields.ContextValidate(ctx, formats); err != nil {
-		res = append(res, err)
-	}
-
-	if len(res) > 0 {
-		return errors.CompositeValidationError(res...)
-	}
-	return nil
-}
-
-// MarshalBinary interface implementation
-func (m *ConsoleConfiguration) MarshalBinary() ([]byte, error) {
-	if m == nil {
-		return nil, nil
-	}
-	return swag.WriteJSON(m)
-}
-
-// UnmarshalBinary interface implementation
-func (m *ConsoleConfiguration) UnmarshalBinary(b []byte) error {
-	var res ConsoleConfiguration
-	if err := swag.ReadJSON(b, &res); err != nil {
-		return err
-	}
-	*m = res
-	return nil
-}
--- a/models/create_tenant_request.go
+++ b/models/create_tenant_request.go
@@ -43,12 +43,6 @@ type CreateTenantRequest struct {
 	// annotations
 	Annotations map[string]string `json:"annotations,omitempty"`

-	// console
-	Console *ConsoleConfiguration `json:"console,omitempty"`
-
-	// console image
-	ConsoleImage string `json:"console_image,omitempty"`
-
 	// enable console
 	EnableConsole *bool `json:"enable_console,omitempty"`

@@ -118,10 +112,6 @@ type CreateTenantRequest struct {
 func (m *CreateTenantRequest) Validate(formats strfmt.Registry) error {
 	var res []error

-	if err := m.validateConsole(formats); err != nil {
-		res = append(res, err)
-	}
-
 	if err := m.validateEncryption(formats); err != nil {
 		res = append(res, err)
 	}
@@ -164,23 +154,6 @@ func (m *CreateTenantRequest) Validate(formats strfmt.Registry) error {
 	return nil
 }

-func (m *CreateTenantRequest) validateConsole(formats strfmt.Registry) error {
-	if swag.IsZero(m.Console) { // not required
-		return nil
-	}
-
-	if m.Console != nil {
-		if err := m.Console.Validate(formats); err != nil {
-			if ve, ok := err.(*errors.Validation); ok {
-				return ve.ValidateName("console")
-			}
-			return err
-		}
-	}
-
-	return nil
-}
-
 func (m *CreateTenantRequest) validateEncryption(formats strfmt.Registry) error {
 	if swag.IsZero(m.Encryption) { // not required
 		return nil
@@ -334,10 +307,6 @@ func (m *CreateTenantRequest) validateTLS(formats strfmt.Registry) error {
 func (m *CreateTenantRequest) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
 	var res []error

-	if err := m.contextValidateConsole(ctx, formats); err != nil {
-		res = append(res, err)
-	}
-
 	if err := m.contextValidateEncryption(ctx, formats); err != nil {
 		res = append(res, err)
 	}
@@ -372,20 +341,6 @@ func (m *CreateTenantRequest) ContextValidate(ctx context.Context, formats strfm
 	return nil
 }

-func (m *CreateTenantRequest) contextValidateConsole(ctx context.Context, formats strfmt.Registry) error {
-
-	if m.Console != nil {
-		if err := m.Console.ContextValidate(ctx, formats); err != nil {
-			if ve, ok := err.(*errors.Validation); ok {
-				return ve.ValidateName("console")
-			}
-			return err
-		}
-	}
-
-	return nil
-}
-
 func (m *CreateTenantRequest) contextValidateEncryption(ctx context.Context, formats strfmt.Registry) error {

 	if m.Encryption != nil {
--- a/models/create_tenant_response.go
+++ b/models/create_tenant_response.go
@@ -38,6 +38,9 @@ type CreateTenantResponse struct {

 	// console
 	Console []*TenantResponseItem `json:"console"`
+
+	// external ID p
+	ExternalIDP bool `json:"externalIDP,omitempty"`
 }

 // Validate validates this create tenant response
--- a/models/encryption_configuration.go
+++ b/models/encryption_configuration.go
@@ -39,6 +39,9 @@ type EncryptionConfiguration struct {
 	// aws
 	Aws *AwsConfiguration `json:"aws,omitempty"`

+	// azure
+	Azure *AzureConfiguration `json:"azure,omitempty"`
+
 	// client
 	Client *KeyPairConfiguration `json:"client,omitempty"`

@@ -74,6 +77,8 @@ func (m *EncryptionConfiguration) UnmarshalJSON(raw []byte) error {
 	var dataAO1 struct {
 		Aws *AwsConfiguration `json:"aws,omitempty"`

+		Azure *AzureConfiguration `json:"azure,omitempty"`
+
 		Client *KeyPairConfiguration `json:"client,omitempty"`

 		Gcp *GcpConfiguration `json:"gcp,omitempty"`
@@ -94,6 +99,8 @@ func (m *EncryptionConfiguration) UnmarshalJSON(raw []byte) error {

 	m.Aws = dataAO1.Aws

+	m.Azure = dataAO1.Azure
+
 	m.Client = dataAO1.Client

 	m.Gcp = dataAO1.Gcp
@@ -123,6 +130,8 @@ func (m EncryptionConfiguration) MarshalJSON() ([]byte, error) {
 	var dataAO1 struct {
 		Aws *AwsConfiguration `json:"aws,omitempty"`

+		Azure *AzureConfiguration `json:"azure,omitempty"`
+
 		Client *KeyPairConfiguration `json:"client,omitempty"`

 		Gcp *GcpConfiguration `json:"gcp,omitempty"`
@@ -140,6 +149,8 @@ func (m EncryptionConfiguration) MarshalJSON() ([]byte, error) {

 	dataAO1.Aws = m.Aws

+	dataAO1.Azure = m.Azure
+
 	dataAO1.Client = m.Client

 	dataAO1.Gcp = m.Gcp
@@ -175,6 +186,10 @@ func (m *EncryptionConfiguration) Validate(formats strfmt.Registry) error {
 		res = append(res, err)
 	}

+	if err := m.validateAzure(formats); err != nil {
+		res = append(res, err)
+	}
+
 	if err := m.validateClient(formats); err != nil {
 		res = append(res, err)
 	}
@@ -219,6 +234,24 @@ func (m *EncryptionConfiguration) validateAws(formats strfmt.Registry) error {
 	return nil
 }

+func (m *EncryptionConfiguration) validateAzure(formats strfmt.Registry) error {
+
+	if swag.IsZero(m.Azure) { // not required
+		return nil
+	}
+
+	if m.Azure != nil {
+		if err := m.Azure.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("azure")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
 func (m *EncryptionConfiguration) validateClient(formats strfmt.Registry) error {

 	if swag.IsZero(m.Client) { // not required
@@ -322,6 +355,10 @@ func (m *EncryptionConfiguration) ContextValidate(ctx context.Context, formats s
 		res = append(res, err)
 	}

+	if err := m.contextValidateAzure(ctx, formats); err != nil {
+		res = append(res, err)
+	}
+
 	if err := m.contextValidateClient(ctx, formats); err != nil {
 		res = append(res, err)
 	}
@@ -362,6 +399,20 @@ func (m *EncryptionConfiguration) contextValidateAws(ctx context.Context, format
 	return nil
 }

+func (m *EncryptionConfiguration) contextValidateAzure(ctx context.Context, formats strfmt.Registry) error {
+
+	if m.Azure != nil {
+		if err := m.Azure.ContextValidate(ctx, formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("azure")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
 func (m *EncryptionConfiguration) contextValidateClient(ctx context.Context, formats strfmt.Registry) error {

 	if m.Client != nil {
--- a/models/error.go
+++ b/models/error.go
@@ -39,6 +39,10 @@ type Error struct {
 	// code
 	Code int32 `json:"code,omitempty"`

+	// detailed message
+	// Required: true
+	DetailedMessage *string `json:"detailedMessage"`
+
 	// message
 	// Required: true
 	Message *string `json:"message"`
@@ -48,6 +52,10 @@ type Error struct {
 func (m *Error) Validate(formats strfmt.Registry) error {
 	var res []error

+	if err := m.validateDetailedMessage(formats); err != nil {
+		res = append(res, err)
+	}
+
 	if err := m.validateMessage(formats); err != nil {
 		res = append(res, err)
 	}
@@ -58,6 +66,15 @@ func (m *Error) Validate(formats strfmt.Registry) error {
 	return nil
 }

+func (m *Error) validateDetailedMessage(formats strfmt.Registry) error {
+
+	if err := validate.Required("detailedMessage", "body", m.DetailedMessage); err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func (m *Error) validateMessage(formats strfmt.Registry) error {

 	if err := validate.Required("message", "body", m.Message); err != nil {
--- a/models/idp_configuration.go
+++ b/models/idp_configuration.go
@@ -227,9 +227,18 @@ type IdpConfigurationActiveDirectory struct {
 	// group search filter
 	GroupSearchFilter string `json:"group_search_filter,omitempty"`

+	// lookup bind dn
+	LookupBindDn string `json:"lookup_bind_dn,omitempty"`
+
+	// lookup bind password
+	LookupBindPassword string `json:"lookup_bind_password,omitempty"`
+
 	// server insecure
 	ServerInsecure bool `json:"server_insecure,omitempty"`

+	// server start tls
+	ServerStartTLS bool `json:"server_start_tls,omitempty"`
+
 	// skip tls verification
 	SkipTLSVerification bool `json:"skip_tls_verification,omitempty"`

@@ -237,13 +246,20 @@ type IdpConfigurationActiveDirectory struct {
 	// Required: true
 	URL *string `json:"url"`

-	// user search filter
-	// Required: true
-	UserSearchFilter *string `json:"user_search_filter"`
+	// user dn search base dn
+	UserDnSearchBaseDn string `json:"user_dn_search_base_dn,omitempty"`
+
+	// user dn search filter
+	UserDnSearchFilter string `json:"user_dn_search_filter,omitempty"`
+
+	// user dns
+	UserDNS []string `json:"user_dns"`

 	// username format
-	// Required: true
-	UsernameFormat *string `json:"username_format"`
+	UsernameFormat string `json:"username_format,omitempty"`
+
+	// username search filter
+	UsernameSearchFilter string `json:"username_search_filter,omitempty"`
 }

 // Validate validates this idp configuration active directory
@@ -254,14 +270,6 @@ func (m *IdpConfigurationActiveDirectory) Validate(formats strfmt.Registry) erro
 		res = append(res, err)
 	}

-	if err := m.validateUserSearchFilter(formats); err != nil {
-		res = append(res, err)
-	}
-
-	if err := m.validateUsernameFormat(formats); err != nil {
-		res = append(res, err)
-	}
-
 	if len(res) > 0 {
 		return errors.CompositeValidationError(res...)
 	}
@@ -277,24 +285,6 @@ func (m *IdpConfigurationActiveDirectory) validateURL(formats strfmt.Registry) e
 	return nil
 }

-func (m *IdpConfigurationActiveDirectory) validateUserSearchFilter(formats strfmt.Registry) error {
-
-	if err := validate.Required("active_directory"+"."+"user_search_filter", "body", m.UserSearchFilter); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (m *IdpConfigurationActiveDirectory) validateUsernameFormat(formats strfmt.Registry) error {
-
-	if err := validate.Required("active_directory"+"."+"username_format", "body", m.UsernameFormat); err != nil {
-		return err
-	}
-
-	return nil
-}
-
 // ContextValidate validates this idp configuration active directory based on context it is used
 func (m *IdpConfigurationActiveDirectory) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
 	return nil
@@ -396,41 +386,64 @@ func (m *IdpConfigurationKeysItems0) UnmarshalBinary(b []byte) error {
 // swagger:model IdpConfigurationOidc
 type IdpConfigurationOidc struct {

+	// callback url
+	CallbackURL string `json:"callback_url,omitempty"`
+
+	// claim name
+	// Required: true
+	ClaimName *string `json:"claim_name"`
+
 	// client id
 	// Required: true
 	ClientID *string `json:"client_id"`

+	// configuration url
+	// Required: true
+	ConfigurationURL *string `json:"configuration_url"`
+
+	// scopes
+	Scopes string `json:"scopes,omitempty"`
+
 	// secret id
 	// Required: true
 	SecretID *string `json:"secret_id"`
-
-	// url
-	// Required: true
-	URL *string `json:"url"`
 }

 // Validate validates this idp configuration oidc
 func (m *IdpConfigurationOidc) Validate(formats strfmt.Registry) error {
 	var res []error

+	if err := m.validateClaimName(formats); err != nil {
+		res = append(res, err)
+	}
+
 	if err := m.validateClientID(formats); err != nil {
 		res = append(res, err)
 	}

+	if err := m.validateConfigurationURL(formats); err != nil {
+		res = append(res, err)
+	}
+
 	if err := m.validateSecretID(formats); err != nil {
 		res = append(res, err)
 	}

-	if err := m.validateURL(formats); err != nil {
-		res = append(res, err)
-	}
-
 	if len(res) > 0 {
 		return errors.CompositeValidationError(res...)
 	}
 	return nil
 }

+func (m *IdpConfigurationOidc) validateClaimName(formats strfmt.Registry) error {
+
+	if err := validate.Required("oidc"+"."+"claim_name", "body", m.ClaimName); err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func (m *IdpConfigurationOidc) validateClientID(formats strfmt.Registry) error {

 	if err := validate.Required("oidc"+"."+"client_id", "body", m.ClientID); err != nil {
@@ -440,18 +453,18 @@ func (m *IdpConfigurationOidc) validateClientID(formats strfmt.Registry) error {
 	return nil
 }

-func (m *IdpConfigurationOidc) validateSecretID(formats strfmt.Registry) error {
+func (m *IdpConfigurationOidc) validateConfigurationURL(formats strfmt.Registry) error {

-	if err := validate.Required("oidc"+"."+"secret_id", "body", m.SecretID); err != nil {
+	if err := validate.Required("oidc"+"."+"configuration_url", "body", m.ConfigurationURL); err != nil {
 		return err
 	}

 	return nil
 }

-func (m *IdpConfigurationOidc) validateURL(formats strfmt.Registry) error {
+func (m *IdpConfigurationOidc) validateSecretID(formats strfmt.Registry) error {

-	if err := validate.Required("oidc"+"."+"url", "body", m.URL); err != nil {
+	if err := validate.Required("oidc"+"."+"secret_id", "body", m.SecretID); err != nil {
 		return err
 	}

--- a/models/list_access_rules_response.go
+++ b/models/list_access_rules_response.go
@@ -0,0 +1,132 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2021 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package models
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"strconv"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+)
+
+// ListAccessRulesResponse list access rules response
+//
+// swagger:model listAccessRulesResponse
+type ListAccessRulesResponse struct {
+
+	// list of policies
+	AccessRules []*AccessRule `json:"accessRules"`
+
+	// total number of policies
+	Total int64 `json:"total,omitempty"`
+}
+
+// Validate validates this list access rules response
+func (m *ListAccessRulesResponse) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateAccessRules(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *ListAccessRulesResponse) validateAccessRules(formats strfmt.Registry) error {
+	if swag.IsZero(m.AccessRules) { // not required
+		return nil
+	}
+
+	for i := 0; i < len(m.AccessRules); i++ {
+		if swag.IsZero(m.AccessRules[i]) { // not required
+			continue
+		}
+
+		if m.AccessRules[i] != nil {
+			if err := m.AccessRules[i].Validate(formats); err != nil {
+				if ve, ok := err.(*errors.Validation); ok {
+					return ve.ValidateName("accessRules" + "." + strconv.Itoa(i))
+				}
+				return err
+			}
+		}
+
+	}
+
+	return nil
+}
+
+// ContextValidate validate this list access rules response based on the context it is used
+func (m *ListAccessRulesResponse) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.contextValidateAccessRules(ctx, formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *ListAccessRulesResponse) contextValidateAccessRules(ctx context.Context, formats strfmt.Registry) error {
+
+	for i := 0; i < len(m.AccessRules); i++ {
+
+		if m.AccessRules[i] != nil {
+			if err := m.AccessRules[i].ContextValidate(ctx, formats); err != nil {
+				if ve, ok := err.(*errors.Validation); ok {
+					return ve.ValidateName("accessRules" + "." + strconv.Itoa(i))
+				}
+				return err
+			}
+		}
+
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *ListAccessRulesResponse) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *ListAccessRulesResponse) UnmarshalBinary(b []byte) error {
+	var res ListAccessRulesResponse
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
--- a/models/list_buckets_response.go
+++ b/models/list_buckets_response.go
@@ -39,7 +39,7 @@ type ListBucketsResponse struct {
 	// list of resulting buckets
 	Buckets []*Bucket `json:"buckets"`

-	// number of buckets accessible to tenant user
+	// number of buckets accessible to the user
 	Total int64 `json:"total,omitempty"`
 }

--- a/models/log_search_configuration.go
+++ b/models/log_search_configuration.go
@@ -40,6 +40,9 @@ type LogSearchConfiguration struct {
 	// postgres image
 	PostgresImage string `json:"postgres_image,omitempty"`

+	// postgres init image
+	PostgresInitImage string `json:"postgres_init_image,omitempty"`
+
 	// storage class
 	StorageClass string `json:"storageClass,omitempty"`

--- a/models/prefix_access_pair.go
+++ b/models/prefix_access_pair.go
@@ -0,0 +1,70 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2021 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package models
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+)
+
+// PrefixAccessPair prefix access pair
+//
+// swagger:model prefixAccessPair
+type PrefixAccessPair struct {
+
+	// access
+	Access string `json:"access,omitempty"`
+
+	// prefix
+	Prefix string `json:"prefix,omitempty"`
+}
+
+// Validate validates this prefix access pair
+func (m *PrefixAccessPair) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// ContextValidate validates this prefix access pair based on context it is used
+func (m *PrefixAccessPair) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *PrefixAccessPair) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *PrefixAccessPair) UnmarshalBinary(b []byte) error {
+	var res PrefixAccessPair
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
--- a/models/prefix_wrapper.go
+++ b/models/prefix_wrapper.go
@@ -0,0 +1,67 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2021 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package models
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+)
+
+// PrefixWrapper prefix wrapper
+//
+// swagger:model prefixWrapper
+type PrefixWrapper struct {
+
+	// prefix
+	Prefix string `json:"prefix,omitempty"`
+}
+
+// Validate validates this prefix wrapper
+func (m *PrefixWrapper) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// ContextValidate validates this prefix wrapper based on context it is used
+func (m *PrefixWrapper) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *PrefixWrapper) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *PrefixWrapper) UnmarshalBinary(b []byte) error {
+	var res PrefixWrapper
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
--- a/models/prometheus_configuration.go
+++ b/models/prometheus_configuration.go
@@ -25,6 +25,7 @@ package models
 import (
 	"context"

+	"github.com/go-openapi/errors"
 	"github.com/go-openapi/strfmt"
 	"github.com/go-openapi/swag"
 )
@@ -37,6 +38,15 @@ type PrometheusConfiguration struct {
 	// image
 	Image string `json:"image,omitempty"`

+	// init image
+	InitImage string `json:"init_image,omitempty"`
+
+	// security context
+	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
+
+	// sidecar image
+	SidecarImage string `json:"sidecar_image,omitempty"`
+
 	// storage class
 	StorageClass string `json:"storageClass,omitempty"`

@@ -46,11 +56,60 @@ type PrometheusConfiguration struct {

 // Validate validates this prometheus configuration
 func (m *PrometheusConfiguration) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateSecurityContext(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
 	return nil
 }

-// ContextValidate validates this prometheus configuration based on context it is used
+func (m *PrometheusConfiguration) validateSecurityContext(formats strfmt.Registry) error {
+	if swag.IsZero(m.SecurityContext) { // not required
+		return nil
+	}
+
+	if m.SecurityContext != nil {
+		if err := m.SecurityContext.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("securityContext")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+// ContextValidate validate this prometheus configuration based on the context it is used
 func (m *PrometheusConfiguration) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.contextValidateSecurityContext(ctx, formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *PrometheusConfiguration) contextValidateSecurityContext(ctx context.Context, formats strfmt.Registry) error {
+
+	if m.SecurityContext != nil {
+		if err := m.SecurityContext.ContextValidate(ctx, formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("securityContext")
+			}
+			return err
+		}
+	}
+
 	return nil
 }

--- a/models/security_context.go
+++ b/models/security_context.go
@@ -0,0 +1,139 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2021 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package models
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+	"github.com/go-openapi/validate"
+)
+
+// SecurityContext security context
+//
+// swagger:model securityContext
+type SecurityContext struct {
+
+	// fs group
+	// Required: true
+	FsGroup *int64 `json:"fsGroup"`
+
+	// run as group
+	// Required: true
+	RunAsGroup *int64 `json:"runAsGroup"`
+
+	// run as non root
+	// Required: true
+	RunAsNonRoot *bool `json:"runAsNonRoot"`
+
+	// run as user
+	// Required: true
+	RunAsUser *int64 `json:"runAsUser"`
+}
+
+// Validate validates this security context
+func (m *SecurityContext) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateFsGroup(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateRunAsGroup(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateRunAsNonRoot(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateRunAsUser(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *SecurityContext) validateFsGroup(formats strfmt.Registry) error {
+
+	if err := validate.Required("fsGroup", "body", m.FsGroup); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (m *SecurityContext) validateRunAsGroup(formats strfmt.Registry) error {
+
+	if err := validate.Required("runAsGroup", "body", m.RunAsGroup); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (m *SecurityContext) validateRunAsNonRoot(formats strfmt.Registry) error {
+
+	if err := validate.Required("runAsNonRoot", "body", m.RunAsNonRoot); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (m *SecurityContext) validateRunAsUser(formats strfmt.Registry) error {
+
+	if err := validate.Required("runAsUser", "body", m.RunAsUser); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// ContextValidate validates this security context based on context it is used
+func (m *SecurityContext) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *SecurityContext) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *SecurityContext) UnmarshalBinary(b []byte) error {
+	var res SecurityContext
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
--- a/models/server_drives.go
+++ b/models/server_drives.go
@@ -0,0 +1,94 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2021 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package models
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+)
+
+// ServerDrives server drives
+//
+// swagger:model serverDrives
+type ServerDrives struct {
+
+	// available space
+	AvailableSpace int64 `json:"availableSpace,omitempty"`
+
+	// drive path
+	DrivePath string `json:"drivePath,omitempty"`
+
+	// endpoint
+	Endpoint string `json:"endpoint,omitempty"`
+
+	// healing
+	Healing bool `json:"healing,omitempty"`
+
+	// model
+	Model string `json:"model,omitempty"`
+
+	// root disk
+	RootDisk bool `json:"rootDisk,omitempty"`
+
+	// state
+	State string `json:"state,omitempty"`
+
+	// total space
+	TotalSpace int64 `json:"totalSpace,omitempty"`
+
+	// used space
+	UsedSpace int64 `json:"usedSpace,omitempty"`
+
+	// uuid
+	UUID string `json:"uuid,omitempty"`
+}
+
+// Validate validates this server drives
+func (m *ServerDrives) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// ContextValidate validates this server drives based on context it is used
+func (m *ServerDrives) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *ServerDrives) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *ServerDrives) UnmarshalBinary(b []byte) error {
+	var res ServerDrives
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
--- a/models/server_properties.go
+++ b/models/server_properties.go
@@ -0,0 +1,150 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2021 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package models
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"strconv"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+)
+
+// ServerProperties server properties
+//
+// swagger:model serverProperties
+type ServerProperties struct {
+
+	// commit ID
+	CommitID string `json:"commitID,omitempty"`
+
+	// drives
+	Drives []*ServerDrives `json:"drives"`
+
+	// endpoint
+	Endpoint string `json:"endpoint,omitempty"`
+
+	// network
+	Network map[string]string `json:"network,omitempty"`
+
+	// pool number
+	PoolNumber int64 `json:"poolNumber,omitempty"`
+
+	// state
+	State string `json:"state,omitempty"`
+
+	// uptime
+	Uptime int64 `json:"uptime,omitempty"`
+
+	// version
+	Version string `json:"version,omitempty"`
+}
+
+// Validate validates this server properties
+func (m *ServerProperties) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateDrives(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *ServerProperties) validateDrives(formats strfmt.Registry) error {
+	if swag.IsZero(m.Drives) { // not required
+		return nil
+	}
+
+	for i := 0; i < len(m.Drives); i++ {
+		if swag.IsZero(m.Drives[i]) { // not required
+			continue
+		}
+
+		if m.Drives[i] != nil {
+			if err := m.Drives[i].Validate(formats); err != nil {
+				if ve, ok := err.(*errors.Validation); ok {
+					return ve.ValidateName("drives" + "." + strconv.Itoa(i))
+				}
+				return err
+			}
+		}
+
+	}
+
+	return nil
+}
+
+// ContextValidate validate this server properties based on the context it is used
+func (m *ServerProperties) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.contextValidateDrives(ctx, formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *ServerProperties) contextValidateDrives(ctx context.Context, formats strfmt.Registry) error {
+
+	for i := 0; i < len(m.Drives); i++ {
+
+		if m.Drives[i] != nil {
+			if err := m.Drives[i].ContextValidate(ctx, formats); err != nil {
+				if ve, ok := err.(*errors.Validation); ok {
+					return ve.ValidateName("drives" + "." + strconv.Itoa(i))
+				}
+				return err
+			}
+		}
+
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *ServerProperties) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *ServerProperties) UnmarshalBinary(b []byte) error {
+	var res ServerProperties
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
--- a/models/service_account_request_creds.go
+++ b/models/service_account_request_creds.go
@@ -0,0 +1,73 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2021 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package models
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+)
+
+// ServiceAccountRequestCreds service account request creds
+//
+// swagger:model serviceAccountRequestCreds
+type ServiceAccountRequestCreds struct {
+
+	// access key
+	AccessKey string `json:"accessKey,omitempty"`
+
+	// policy to be applied to the Service Account if any
+	Policy string `json:"policy,omitempty"`
+
+	// secret key
+	SecretKey string `json:"secretKey,omitempty"`
+}
+
+// Validate validates this service account request creds
+func (m *ServiceAccountRequestCreds) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// ContextValidate validates this service account request creds based on context it is used
+func (m *ServiceAccountRequestCreds) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *ServiceAccountRequestCreds) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *ServiceAccountRequestCreds) UnmarshalBinary(b []byte) error {
+	var res ServiceAccountRequestCreds
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
--- a/models/set_policy_multiple_name_request.go
+++ b/models/set_policy_multiple_name_request.go
@@ -31,20 +31,23 @@ import (
 	"github.com/go-openapi/swag"
 )

-// SetPolicyMultipleRequest set policy multiple request
+// SetPolicyMultipleNameRequest set policy multiple name request
 //
-// swagger:model setPolicyMultipleRequest
-type SetPolicyMultipleRequest struct {
+// swagger:model setPolicyMultipleNameRequest
+type SetPolicyMultipleNameRequest struct {

 	// groups
 	Groups []IamEntity `json:"groups"`

+	// name
+	Name []string `json:"name"`
+
 	// users
 	Users []IamEntity `json:"users"`
 }

-// Validate validates this set policy multiple request
-func (m *SetPolicyMultipleRequest) Validate(formats strfmt.Registry) error {
+// Validate validates this set policy multiple name request
+func (m *SetPolicyMultipleNameRequest) Validate(formats strfmt.Registry) error {
 	var res []error

 	if err := m.validateGroups(formats); err != nil {
@@ -61,7 +64,7 @@ func (m *SetPolicyMultipleRequest) Validate(formats strfmt.Registry) error {
 	return nil
 }

-func (m *SetPolicyMultipleRequest) validateGroups(formats strfmt.Registry) error {
+func (m *SetPolicyMultipleNameRequest) validateGroups(formats strfmt.Registry) error {
 	if swag.IsZero(m.Groups) { // not required
 		return nil
 	}
@@ -80,7 +83,7 @@ func (m *SetPolicyMultipleRequest) validateGroups(formats strfmt.Registry) error
 	return nil
 }

-func (m *SetPolicyMultipleRequest) validateUsers(formats strfmt.Registry) error {
+func (m *SetPolicyMultipleNameRequest) validateUsers(formats strfmt.Registry) error {
 	if swag.IsZero(m.Users) { // not required
 		return nil
 	}
@@ -99,8 +102,8 @@ func (m *SetPolicyMultipleRequest) validateUsers(formats strfmt.Registry) error
 	return nil
 }

-// ContextValidate validate this set policy multiple request based on the context it is used
-func (m *SetPolicyMultipleRequest) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+// ContextValidate validate this set policy multiple name request based on the context it is used
+func (m *SetPolicyMultipleNameRequest) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
 	var res []error

 	if err := m.contextValidateGroups(ctx, formats); err != nil {
@@ -117,7 +120,7 @@ func (m *SetPolicyMultipleRequest) ContextValidate(ctx context.Context, formats
 	return nil
 }

-func (m *SetPolicyMultipleRequest) contextValidateGroups(ctx context.Context, formats strfmt.Registry) error {
+func (m *SetPolicyMultipleNameRequest) contextValidateGroups(ctx context.Context, formats strfmt.Registry) error {

 	for i := 0; i < len(m.Groups); i++ {

@@ -133,7 +136,7 @@ func (m *SetPolicyMultipleRequest) contextValidateGroups(ctx context.Context, fo
 	return nil
 }

-func (m *SetPolicyMultipleRequest) contextValidateUsers(ctx context.Context, formats strfmt.Registry) error {
+func (m *SetPolicyMultipleNameRequest) contextValidateUsers(ctx context.Context, formats strfmt.Registry) error {

 	for i := 0; i < len(m.Users); i++ {

@@ -150,7 +153,7 @@ func (m *SetPolicyMultipleRequest) contextValidateUsers(ctx context.Context, for
 }

 // MarshalBinary interface implementation
-func (m *SetPolicyMultipleRequest) MarshalBinary() ([]byte, error) {
+func (m *SetPolicyMultipleNameRequest) MarshalBinary() ([]byte, error) {
 	if m == nil {
 		return nil, nil
 	}
@@ -158,8 +161,8 @@ func (m *SetPolicyMultipleRequest) MarshalBinary() ([]byte, error) {
 }

 // UnmarshalBinary interface implementation
-func (m *SetPolicyMultipleRequest) UnmarshalBinary(b []byte) error {
-	var res SetPolicyMultipleRequest
+func (m *SetPolicyMultipleNameRequest) UnmarshalBinary(b []byte) error {
+	var res SetPolicyMultipleNameRequest
 	if err := swag.ReadJSON(b, &res); err != nil {
 		return err
 	}
--- a/models/set_policy_name_request.go
+++ b/models/set_policy_name_request.go
@@ -0,0 +1,158 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2021 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package models
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+	"github.com/go-openapi/validate"
+)
+
+// SetPolicyNameRequest set policy name request
+//
+// swagger:model setPolicyNameRequest
+type SetPolicyNameRequest struct {
+
+	// entity name
+	// Required: true
+	EntityName *string `json:"entityName"`
+
+	// entity type
+	// Required: true
+	EntityType *PolicyEntity `json:"entityType"`
+
+	// name
+	// Required: true
+	Name []string `json:"name"`
+}
+
+// Validate validates this set policy name request
+func (m *SetPolicyNameRequest) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.validateEntityName(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateEntityType(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := m.validateName(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *SetPolicyNameRequest) validateEntityName(formats strfmt.Registry) error {
+
+	if err := validate.Required("entityName", "body", m.EntityName); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (m *SetPolicyNameRequest) validateEntityType(formats strfmt.Registry) error {
+
+	if err := validate.Required("entityType", "body", m.EntityType); err != nil {
+		return err
+	}
+
+	if err := validate.Required("entityType", "body", m.EntityType); err != nil {
+		return err
+	}
+
+	if m.EntityType != nil {
+		if err := m.EntityType.Validate(formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("entityType")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *SetPolicyNameRequest) validateName(formats strfmt.Registry) error {
+
+	if err := validate.Required("name", "body", m.Name); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// ContextValidate validate this set policy name request based on the context it is used
+func (m *SetPolicyNameRequest) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	var res []error
+
+	if err := m.contextValidateEntityType(ctx, formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (m *SetPolicyNameRequest) contextValidateEntityType(ctx context.Context, formats strfmt.Registry) error {
+
+	if m.EntityType != nil {
+		if err := m.EntityType.ContextValidate(ctx, formats); err != nil {
+			if ve, ok := err.(*errors.Validation); ok {
+				return ve.ValidateName("entityType")
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *SetPolicyNameRequest) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *SetPolicyNameRequest) UnmarshalBinary(b []byte) error {
+	var res SetPolicyNameRequest
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
--- a/models/tenant.go
+++ b/models/tenant.go
@@ -36,15 +36,6 @@ import (
 // swagger:model tenant
 type Tenant struct {

-	// console enabled
-	ConsoleEnabled bool `json:"consoleEnabled,omitempty"`
-
-	// console TLS
-	ConsoleTLS bool `json:"consoleTLS,omitempty"`
-
-	// console image
-	ConsoleImage string `json:"console_image,omitempty"`
-
 	// creation date
 	CreationDate string `json:"creation_date,omitempty"`

@@ -66,8 +57,8 @@ type Tenant struct {
 	// idp ad enabled
 	IdpAdEnabled bool `json:"idpAdEnabled,omitempty"`

-	// idp oic enabled
-	IdpOicEnabled bool `json:"idpOicEnabled,omitempty"`
+	// idp oidc enabled
+	IdpOidcEnabled bool `json:"idpOidcEnabled,omitempty"`

 	// image
 	Image string `json:"image,omitempty"`
--- a/models/tenant_security_response.go
+++ b/models/tenant_security_response.go
@@ -125,12 +125,6 @@ func (m *TenantSecurityResponse) UnmarshalBinary(b []byte) error {
 // swagger:model TenantSecurityResponseCustomCertificates
 type TenantSecurityResponseCustomCertificates struct {

-	// console
-	Console []*CertificateInfo `json:"console"`
-
-	// console c as
-	ConsoleCAs []*CertificateInfo `json:"consoleCAs"`
-
 	// minio
 	Minio []*CertificateInfo `json:"minio"`

@@ -142,14 +136,6 @@ type TenantSecurityResponseCustomCertificates struct {
 func (m *TenantSecurityResponseCustomCertificates) Validate(formats strfmt.Registry) error {
 	var res []error

-	if err := m.validateConsole(formats); err != nil {
-		res = append(res, err)
-	}
-
-	if err := m.validateConsoleCAs(formats); err != nil {
-		res = append(res, err)
-	}
-
 	if err := m.validateMinio(formats); err != nil {
 		res = append(res, err)
 	}
@@ -164,54 +150,6 @@ func (m *TenantSecurityResponseCustomCertificates) Validate(formats strfmt.Regis
 	return nil
 }

-func (m *TenantSecurityResponseCustomCertificates) validateConsole(formats strfmt.Registry) error {
-	if swag.IsZero(m.Console) { // not required
-		return nil
-	}
-
-	for i := 0; i < len(m.Console); i++ {
-		if swag.IsZero(m.Console[i]) { // not required
-			continue
-		}
-
-		if m.Console[i] != nil {
-			if err := m.Console[i].Validate(formats); err != nil {
-				if ve, ok := err.(*errors.Validation); ok {
-					return ve.ValidateName("customCertificates" + "." + "console" + "." + strconv.Itoa(i))
-				}
-				return err
-			}
-		}
-
-	}
-
-	return nil
-}
-
-func (m *TenantSecurityResponseCustomCertificates) validateConsoleCAs(formats strfmt.Registry) error {
-	if swag.IsZero(m.ConsoleCAs) { // not required
-		return nil
-	}
-
-	for i := 0; i < len(m.ConsoleCAs); i++ {
-		if swag.IsZero(m.ConsoleCAs[i]) { // not required
-			continue
-		}
-
-		if m.ConsoleCAs[i] != nil {
-			if err := m.ConsoleCAs[i].Validate(formats); err != nil {
-				if ve, ok := err.(*errors.Validation); ok {
-					return ve.ValidateName("customCertificates" + "." + "consoleCAs" + "." + strconv.Itoa(i))
-				}
-				return err
-			}
-		}
-
-	}
-
-	return nil
-}
-
 func (m *TenantSecurityResponseCustomCertificates) validateMinio(formats strfmt.Registry) error {
 	if swag.IsZero(m.Minio) { // not required
 		return nil
@@ -264,14 +202,6 @@ func (m *TenantSecurityResponseCustomCertificates) validateMinioCAs(formats strf
 func (m *TenantSecurityResponseCustomCertificates) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
 	var res []error

-	if err := m.contextValidateConsole(ctx, formats); err != nil {
-		res = append(res, err)
-	}
-
-	if err := m.contextValidateConsoleCAs(ctx, formats); err != nil {
-		res = append(res, err)
-	}
-
 	if err := m.contextValidateMinio(ctx, formats); err != nil {
 		res = append(res, err)
 	}
@@ -286,42 +216,6 @@ func (m *TenantSecurityResponseCustomCertificates) ContextValidate(ctx context.C
 	return nil
 }

-func (m *TenantSecurityResponseCustomCertificates) contextValidateConsole(ctx context.Context, formats strfmt.Registry) error {
-
-	for i := 0; i < len(m.Console); i++ {
-
-		if m.Console[i] != nil {
-			if err := m.Console[i].ContextValidate(ctx, formats); err != nil {
-				if ve, ok := err.(*errors.Validation); ok {
-					return ve.ValidateName("customCertificates" + "." + "console" + "." + strconv.Itoa(i))
-				}
-				return err
-			}
-		}
-
-	}
-
-	return nil
-}
-
-func (m *TenantSecurityResponseCustomCertificates) contextValidateConsoleCAs(ctx context.Context, formats strfmt.Registry) error {
-
-	for i := 0; i < len(m.ConsoleCAs); i++ {
-
-		if m.ConsoleCAs[i] != nil {
-			if err := m.ConsoleCAs[i].ContextValidate(ctx, formats); err != nil {
-				if ve, ok := err.(*errors.Validation); ok {
-					return ve.ValidateName("customCertificates" + "." + "consoleCAs" + "." + strconv.Itoa(i))
-				}
-				return err
-			}
-		}
-
-	}
-
-	return nil
-}
-
 func (m *TenantSecurityResponseCustomCertificates) contextValidateMinio(ctx context.Context, formats strfmt.Registry) error {

 	for i := 0; i < len(m.Minio); i++ {
--- a/models/tls_configuration.go
+++ b/models/tls_configuration.go
@@ -39,12 +39,6 @@ type TLSConfiguration struct {
 	// ca certificates
 	CaCertificates []string `json:"ca_certificates"`

-	// console
-	Console *KeyPairConfiguration `json:"console,omitempty"`
-
-	// console ca certificates
-	ConsoleCaCertificates []string `json:"console_ca_certificates"`
-
 	// minio
 	Minio []*KeyPairConfiguration `json:"minio"`
 }
@@ -53,10 +47,6 @@ type TLSConfiguration struct {
 func (m *TLSConfiguration) Validate(formats strfmt.Registry) error {
 	var res []error

-	if err := m.validateConsole(formats); err != nil {
-		res = append(res, err)
-	}
-
 	if err := m.validateMinio(formats); err != nil {
 		res = append(res, err)
 	}
@@ -67,23 +57,6 @@ func (m *TLSConfiguration) Validate(formats strfmt.Registry) error {
 	return nil
 }

-func (m *TLSConfiguration) validateConsole(formats strfmt.Registry) error {
-	if swag.IsZero(m.Console) { // not required
-		return nil
-	}
-
-	if m.Console != nil {
-		if err := m.Console.Validate(formats); err != nil {
-			if ve, ok := err.(*errors.Validation); ok {
-				return ve.ValidateName("console")
-			}
-			return err
-		}
-	}
-
-	return nil
-}
-
 func (m *TLSConfiguration) validateMinio(formats strfmt.Registry) error {
 	if swag.IsZero(m.Minio) { // not required
 		return nil
@@ -112,10 +85,6 @@ func (m *TLSConfiguration) validateMinio(formats strfmt.Registry) error {
 func (m *TLSConfiguration) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
 	var res []error

-	if err := m.contextValidateConsole(ctx, formats); err != nil {
-		res = append(res, err)
-	}
-
 	if err := m.contextValidateMinio(ctx, formats); err != nil {
 		res = append(res, err)
 	}
@@ -126,20 +95,6 @@ func (m *TLSConfiguration) ContextValidate(ctx context.Context, formats strfmt.R
 	return nil
 }

-func (m *TLSConfiguration) contextValidateConsole(ctx context.Context, formats strfmt.Registry) error {
-
-	if m.Console != nil {
-		if err := m.Console.ContextValidate(ctx, formats); err != nil {
-			if ve, ok := err.(*errors.Validation); ok {
-				return ve.ValidateName("console")
-			}
-			return err
-		}
-	}
-
-	return nil
-}
-
 func (m *TLSConfiguration) contextValidateMinio(ctx context.Context, formats strfmt.Registry) error {

 	for i := 0; i < len(m.Minio); i++ {
--- a/models/update_tenant_request.go
+++ b/models/update_tenant_request.go
@@ -36,10 +36,6 @@ import (
 // swagger:model updateTenantRequest
 type UpdateTenantRequest struct {

-	// console image
-	// Pattern: ^((.*?)/(.*?):(.+))$
-	ConsoleImage string `json:"console_image,omitempty"`
-
 	// enable prometheus
 	EnablePrometheus bool `json:"enable_prometheus,omitempty"`

@@ -58,10 +54,6 @@ type UpdateTenantRequest struct {
 func (m *UpdateTenantRequest) Validate(formats strfmt.Registry) error {
 	var res []error

-	if err := m.validateConsoleImage(formats); err != nil {
-		res = append(res, err)
-	}
-
 	if err := m.validateImage(formats); err != nil {
 		res = append(res, err)
 	}
@@ -76,18 +68,6 @@ func (m *UpdateTenantRequest) Validate(formats strfmt.Registry) error {
 	return nil
 }

-func (m *UpdateTenantRequest) validateConsoleImage(formats strfmt.Registry) error {
-	if swag.IsZero(m.ConsoleImage) { // not required
-		return nil
-	}
-
-	if err := validate.Pattern("console_image", "body", m.ConsoleImage, `^((.*?)/(.*?):(.+))$`); err != nil {
-		return err
-	}
-
-	return nil
-}
-
 func (m *UpdateTenantRequest) validateImage(formats strfmt.Registry) error {
 	if swag.IsZero(m.Image) { // not required
 		return nil
--- a/models/update_tenant_security_request.go
+++ b/models/update_tenant_security_request.go
@@ -125,12 +125,6 @@ func (m *UpdateTenantSecurityRequest) UnmarshalBinary(b []byte) error {
 // swagger:model UpdateTenantSecurityRequestCustomCertificates
 type UpdateTenantSecurityRequestCustomCertificates struct {

-	// console
-	Console []*KeyPairConfiguration `json:"console"`
-
-	// console c as
-	ConsoleCAs []string `json:"consoleCAs"`
-
 	// minio
 	Minio []*KeyPairConfiguration `json:"minio"`

@@ -145,10 +139,6 @@ type UpdateTenantSecurityRequestCustomCertificates struct {
 func (m *UpdateTenantSecurityRequestCustomCertificates) Validate(formats strfmt.Registry) error {
 	var res []error

-	if err := m.validateConsole(formats); err != nil {
-		res = append(res, err)
-	}
-
 	if err := m.validateMinio(formats); err != nil {
 		res = append(res, err)
 	}
@@ -159,30 +149,6 @@ func (m *UpdateTenantSecurityRequestCustomCertificates) Validate(formats strfmt.
 	return nil
 }

-func (m *UpdateTenantSecurityRequestCustomCertificates) validateConsole(formats strfmt.Registry) error {
-	if swag.IsZero(m.Console) { // not required
-		return nil
-	}
-
-	for i := 0; i < len(m.Console); i++ {
-		if swag.IsZero(m.Console[i]) { // not required
-			continue
-		}
-
-		if m.Console[i] != nil {
-			if err := m.Console[i].Validate(formats); err != nil {
-				if ve, ok := err.(*errors.Validation); ok {
-					return ve.ValidateName("customCertificates" + "." + "console" + "." + strconv.Itoa(i))
-				}
-				return err
-			}
-		}
-
-	}
-
-	return nil
-}
-
 func (m *UpdateTenantSecurityRequestCustomCertificates) validateMinio(formats strfmt.Registry) error {
 	if swag.IsZero(m.Minio) { // not required
 		return nil
@@ -211,10 +177,6 @@ func (m *UpdateTenantSecurityRequestCustomCertificates) validateMinio(formats st
 func (m *UpdateTenantSecurityRequestCustomCertificates) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
 	var res []error

-	if err := m.contextValidateConsole(ctx, formats); err != nil {
-		res = append(res, err)
-	}
-
 	if err := m.contextValidateMinio(ctx, formats); err != nil {
 		res = append(res, err)
 	}
@@ -225,24 +187,6 @@ func (m *UpdateTenantSecurityRequestCustomCertificates) ContextValidate(ctx cont
 	return nil
 }

-func (m *UpdateTenantSecurityRequestCustomCertificates) contextValidateConsole(ctx context.Context, formats strfmt.Registry) error {
-
-	for i := 0; i < len(m.Console); i++ {
-
-		if m.Console[i] != nil {
-			if err := m.Console[i].ContextValidate(ctx, formats); err != nil {
-				if ve, ok := err.(*errors.Validation); ok {
-					return ve.ValidateName("customCertificates" + "." + "console" + "." + strconv.Itoa(i))
-				}
-				return err
-			}
-		}
-
-	}
-
-	return nil
-}
-
 func (m *UpdateTenantSecurityRequestCustomCertificates) contextValidateMinio(ctx context.Context, formats strfmt.Registry) error {

 	for i := 0; i < len(m.Minio); i++ {
--- a/models/user.go
+++ b/models/user.go
@@ -37,6 +37,9 @@ type User struct {
 	// access key
 	AccessKey string `json:"accessKey,omitempty"`

+	// has policy
+	HasPolicy bool `json:"hasPolicy,omitempty"`
+
 	// member of
 	MemberOf []string `json:"memberOf"`

--- a/node_modules/.yarn-integrity
+++ b/node_modules/.yarn-integrity
@@ -1,10 +1,12 @@
 {
-  "systemParams": "darwin-x64-93",
+  "systemParams": "linux-x64-93",
  "modulesFolders": [
    "node_modules"
  ],
  "flags": [],
-  "linkedModules": [],
+  "linkedModules": [
+    "one-ui-common"
+  ],
  "topLevelPatterns": [],
  "lockfileEntries": {},
  "files": [],
--- a/operatorapi/config.go
+++ b/operatorapi/config.go
@@ -56,12 +56,6 @@ var (
 	GlobalTLSCertsManager *xcerts.Manager
 )

-var consoleImage string
-
-func init() {
-	consoleImage = env.Get(ConsoleOperatorConsoleImage, ConsoleImageDefaultVersion)
-}
-
 // getK8sSAToken assumes the plugin is running inside a k8s pod and extract the current service account from the
 // /var/run/secrets/kubernetes.io/serviceaccount/token file
 func getK8sSAToken() string {
@@ -71,6 +65,3 @@ func getK8sSAToken() string {
 	}
 	return string(dat)
 }
-func getConsoleImage() string {
-	return consoleImage
-}
--- a/operatorapi/configure_operator.go
+++ b/operatorapi/configure_operator.go
@@ -93,7 +93,7 @@ func configureAPI(api *operations.OperatorAPI) http.Handler {
 	// Namespaces handlers
 	registerNamespaceHandlers(api)
 	// Subscription handlers
-	registerOperatorSubscriptionHandlers(api)
+	registerSubscriptionHandlers(api)

 	api.PreServerShutdown = func() {}

--- a/operatorapi/consts.go
+++ b/operatorapi/consts.go
@@ -18,37 +18,9 @@ package operatorapi

 // list of all console environment constants
 const (
-	// Constants for common configuration
-	ConsoleMinIOServer   = "CONSOLE_MINIO_SERVER"
-	ConsoleMinIORegion   = "CONSOLE_MINIO_REGION"
-	ConsoleHostname      = "CONSOLE_HOSTNAME"
-	ConsolePort          = "CONSOLE_PORT"
-	ConsoleTLSHostname   = "CONSOLE_TLS_HOSTNAME"
-	ConsoleTLSPort       = "CONSOLE_TLS_PORT"
-	ConsoleSubnetLicense = "CONSOLE_SUBNET_LICENSE"
-
-	// Constants for Secure middleware
-	ConsoleSecureAllowedHosts                    = "CONSOLE_SECURE_ALLOWED_HOSTS"
-	ConsoleSecureAllowedHostsAreRegex            = "CONSOLE_SECURE_ALLOWED_HOSTS_ARE_REGEX"
-	ConsoleSecureFrameDeny                       = "CONSOLE_SECURE_FRAME_DENY"
-	ConsoleSecureContentTypeNoSniff              = "CONSOLE_SECURE_CONTENT_TYPE_NO_SNIFF"
-	ConsoleSecureBrowserXSSFilter                = "CONSOLE_SECURE_BROWSER_XSS_FILTER"
-	ConsoleSecureContentSecurityPolicy           = "CONSOLE_SECURE_CONTENT_SECURITY_POLICY"
-	ConsoleSecureContentSecurityPolicyReportOnly = "CONSOLE_SECURE_CONTENT_SECURITY_POLICY_REPORT_ONLY"
-	ConsoleSecureHostsProxyHeaders               = "CONSOLE_SECURE_HOSTS_PROXY_HEADERS"
-	ConsoleSecureSTSSeconds                      = "CONSOLE_SECURE_STS_SECONDS"
-	ConsoleSecureSTSIncludeSubdomains            = "CONSOLE_SECURE_STS_INCLUDE_SUB_DOMAINS"
-	ConsoleSecureSTSPreload                      = "CONSOLE_SECURE_STS_PRELOAD"
-	ConsoleSecureTLSRedirect                     = "CONSOLE_SECURE_TLS_REDIRECT"
-	ConsoleSecureTLSHost                         = "CONSOLE_SECURE_TLS_HOST"
-	ConsoleSecureTLSTemporaryRedirect            = "CONSOLE_SECURE_TLS_TEMPORARY_REDIRECT"
-	ConsoleSecureForceSTSHeader                  = "CONSOLE_SECURE_FORCE_STS_HEADER"
-	ConsoleSecurePublicKey                       = "CONSOLE_SECURE_PUBLIC_KEY"
-	ConsoleSecureReferrerPolicy                  = "CONSOLE_SECURE_REFERRER_POLICY"
-	ConsoleSecureFeaturePolicy                   = "CONSOLE_SECURE_FEATURE_POLICY"
-	ConsoleSecureExpectCTHeader                  = "CONSOLE_SECURE_EXPECT_CT_HEADER"
-	ConsoleOperatorSAToken                       = "CONSOLE_OPERATOR_SA_TOKEN"
-	ConsoleOperatorConsoleImage                  = "CONSOLE_OPERATOR_CONSOLE_IMAGE"
+	ConsoleSubnetLicense   = "CONSOLE_SUBNET_LICENSE"
+	ConsoleOperatorSAToken = "CONSOLE_OPERATOR_SA_TOKEN"
+	MinIOSubnetLicense     = "MINIO_SUBNET_LICENSE"

 	// Constants for prometheus annotations
 	prometheusPath   = "prometheus.io/path"
@@ -58,8 +30,7 @@ const (

 // Image versions
 const (
-	KESImageVersion            = "minio/kes:v0.13.4"
-	ConsoleImageDefaultVersion = "minio/console:v0.8.0"
+	KESImageVersion = "minio/kes:v0.16.1"
 )

 // K8s
--- a/operatorapi/embedded_spec.go
+++ b/operatorapi/embedded_spec.go
--- a/operatorapi/error.go
+++ b/operatorapi/error.go
@@ -38,6 +38,10 @@ var (
 	errLicenseNotFound                    = errors.New("license not found")
 	errAvoidSelfAccountDelete             = errors.New("logged in user cannot be deleted by itself")
 	errAccessDenied                       = errors.New("access denied")
+	errTooManyNodes                       = errors.New("cannot request more nodes than what is available in the cluster")
+	errTooFewNodes                        = errors.New("there are not enough nodes in the cluster to support this tenant")
+	errTooFewSchedulableNodes             = errors.New("there is not enough schedulable nodes to satisfy this requirement")
+	errFewerThanFourNodes                 = errors.New("at least 4 nodes are required for a tenant")
 )

 // prepareError receives an error object and parse it against k8sErrors, returns the right error code paired with a generic error message
@@ -156,8 +160,20 @@ func prepareError(err ...error) *models.Error {
 		if errors.Is(err[0], errRemoteTierExists) {
 			errorMessage = err[0].Error()
 		}
+		if errors.Is(err[0], errTooFewNodes) {
+			errorCode = 507
+			errorMessage = errTooFewNodes.Error()
+		}
+		if errors.Is(err[0], errTooFewSchedulableNodes) {
+			errorCode = 507
+			errorMessage = errTooFewSchedulableNodes.Error()
+		}
+		if errors.Is(err[0], errFewerThanFourNodes) {
+			errorCode = 507
+			errorMessage = errFewerThanFourNodes.Error()
+		}
 	}
-	return &models.Error{Code: errorCode, Message: swag.String(errorMessage)}
+	return &models.Error{Code: errorCode, Message: swag.String(errorMessage), DetailedMessage: swag.String(err[0].Error())}
 }

 func getFrame(skipFrames int) runtime.Frame {
--- a/operatorapi/k8s_client.go
+++ b/operatorapi/k8s_client.go
@@ -37,6 +37,7 @@ type K8sClientI interface {
 	deletePodCollection(ctx context.Context, namespace string, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error
 	deleteSecret(ctx context.Context, namespace string, name string, opts metav1.DeleteOptions) error
 	createSecret(ctx context.Context, namespace string, secret *v1.Secret, opts metav1.CreateOptions) (*v1.Secret, error)
+	updateSecret(ctx context.Context, namespace string, secret *v1.Secret, opts metav1.UpdateOptions) (*v1.Secret, error)
 }

 // Interface implementation
@@ -70,6 +71,10 @@ func (c *k8sClient) createSecret(ctx context.Context, namespace string, secret *
 	return c.client.CoreV1().Secrets(namespace).Create(ctx, secret, opts)
 }

+func (c *k8sClient) updateSecret(ctx context.Context, namespace string, secret *v1.Secret, opts metav1.UpdateOptions) (*v1.Secret, error) {
+	return c.client.CoreV1().Secrets(namespace).Update(ctx, secret, opts)
+}
+
 func (c *k8sClient) getNamespace(ctx context.Context, name string, opts metav1.GetOptions) (*v1.Namespace, error) {
 	return c.client.CoreV1().Namespaces().Get(ctx, name, opts)
 }
--- a/operatorapi/operations/operator_api.go
+++ b/operatorapi/operations/operator_api.go
@@ -117,6 +117,9 @@ func NewOperatorAPI(spec *loads.Document) *OperatorAPI {
 		OperatorAPIListPVCsHandler: operator_api.ListPVCsHandlerFunc(func(params operator_api.ListPVCsParams, principal *models.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation operator_api.ListPVCs has not yet been implemented")
 		}),
+		OperatorAPIListPVCsForTenantHandler: operator_api.ListPVCsForTenantHandlerFunc(func(params operator_api.ListPVCsForTenantParams, principal *models.Principal) middleware.Responder {
+			return middleware.NotImplemented("operation operator_api.ListPVCsForTenant has not yet been implemented")
+		}),
 		OperatorAPIListTenantsHandler: operator_api.ListTenantsHandlerFunc(func(params operator_api.ListTenantsParams, principal *models.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation operator_api.ListTenants has not yet been implemented")
 		}),
@@ -262,6 +265,8 @@ type OperatorAPI struct {
 	OperatorAPIListNodeLabelsHandler operator_api.ListNodeLabelsHandler
 	// OperatorAPIListPVCsHandler sets the operation handler for the list p v cs operation
 	OperatorAPIListPVCsHandler operator_api.ListPVCsHandler
+	// OperatorAPIListPVCsForTenantHandler sets the operation handler for the list p v cs for tenant operation
+	OperatorAPIListPVCsForTenantHandler operator_api.ListPVCsForTenantHandler
 	// OperatorAPIListTenantsHandler sets the operation handler for the list tenants operation
 	OperatorAPIListTenantsHandler operator_api.ListTenantsHandler
 	// UserAPILoginHandler sets the operation handler for the login operation
@@ -437,6 +442,9 @@ func (o *OperatorAPI) Validate() error {
 	if o.OperatorAPIListPVCsHandler == nil {
 		unregistered = append(unregistered, "operator_api.ListPVCsHandler")
 	}
+	if o.OperatorAPIListPVCsForTenantHandler == nil {
+		unregistered = append(unregistered, "operator_api.ListPVCsForTenantHandler")
+	}
 	if o.OperatorAPIListTenantsHandler == nil {
 		unregistered = append(unregistered, "operator_api.ListTenantsHandler")
 	}
@@ -670,6 +678,10 @@ func (o *OperatorAPI) initHandlerCache() {
 	if o.handlers["GET"] == nil {
 		o.handlers["GET"] = make(map[string]http.Handler)
 	}
+	o.handlers["GET"]["/namespaces/{namespace}/tenants/{tenant}/pvcs"] = operator_api.NewListPVCsForTenant(o.context, o.OperatorAPIListPVCsForTenantHandler)
+	if o.handlers["GET"] == nil {
+		o.handlers["GET"] = make(map[string]http.Handler)
+	}
 	o.handlers["GET"]["/namespaces/{namespace}/tenants"] = operator_api.NewListTenants(o.context, o.OperatorAPIListTenantsHandler)
 	if o.handlers["POST"] == nil {
 		o.handlers["POST"] = make(map[string]http.Handler)
--- a/operatorapi/operations/operator_api/list_p_v_cs_for_tenant.go
+++ b/operatorapi/operations/operator_api/list_p_v_cs_for_tenant.go
@@ -0,0 +1,88 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2021 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package operator_api
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/runtime/middleware"
+
+	"github.com/minio/console/models"
+)
+
+// ListPVCsForTenantHandlerFunc turns a function with the right signature into a list p v cs for tenant handler
+type ListPVCsForTenantHandlerFunc func(ListPVCsForTenantParams, *models.Principal) middleware.Responder
+
+// Handle executing the request and returning a response
+func (fn ListPVCsForTenantHandlerFunc) Handle(params ListPVCsForTenantParams, principal *models.Principal) middleware.Responder {
+	return fn(params, principal)
+}
+
+// ListPVCsForTenantHandler interface for that can handle valid list p v cs for tenant params
+type ListPVCsForTenantHandler interface {
+	Handle(ListPVCsForTenantParams, *models.Principal) middleware.Responder
+}
+
+// NewListPVCsForTenant creates a new http.Handler for the list p v cs for tenant operation
+func NewListPVCsForTenant(ctx *middleware.Context, handler ListPVCsForTenantHandler) *ListPVCsForTenant {
+	return &ListPVCsForTenant{Context: ctx, Handler: handler}
+}
+
+/* ListPVCsForTenant swagger:route GET /namespaces/{namespace}/tenants/{tenant}/pvcs OperatorAPI listPVCsForTenant
+
+List all PVCs from given Tenant
+
+*/
+type ListPVCsForTenant struct {
+	Context *middleware.Context
+	Handler ListPVCsForTenantHandler
+}
+
+func (o *ListPVCsForTenant) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
+	route, rCtx, _ := o.Context.RouteInfo(r)
+	if rCtx != nil {
+		*r = *rCtx
+	}
+	var Params = NewListPVCsForTenantParams()
+	uprinc, aCtx, err := o.Context.Authorize(r, route)
+	if err != nil {
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+	if aCtx != nil {
+		*r = *aCtx
+	}
+	var principal *models.Principal
+	if uprinc != nil {
+		principal = uprinc.(*models.Principal) // this is really a models.Principal, I promise
+	}
+
+	if err := o.Context.BindValidRequest(r, route, &Params); err != nil { // bind params
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+
+	res := o.Handler.Handle(Params, principal) // actually handle the request
+	o.Context.Respond(rw, r, route.Produces, route, res)
+
+}
--- a/operatorapi/operations/operator_api/list_p_v_cs_for_tenant_parameters.go
+++ b/operatorapi/operations/operator_api/list_p_v_cs_for_tenant_parameters.go
@@ -0,0 +1,112 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2021 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package operator_api
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/go-openapi/strfmt"
+)
+
+// NewListPVCsForTenantParams creates a new ListPVCsForTenantParams object
+//
+// There are no default values defined in the spec.
+func NewListPVCsForTenantParams() ListPVCsForTenantParams {
+
+	return ListPVCsForTenantParams{}
+}
+
+// ListPVCsForTenantParams contains all the bound params for the list p v cs for tenant operation
+// typically these are obtained from a http.Request
+//
+// swagger:parameters ListPVCsForTenant
+type ListPVCsForTenantParams struct {
+
+	// HTTP Request Object
+	HTTPRequest *http.Request `json:"-"`
+
+	/*
+	  Required: true
+	  In: path
+	*/
+	Namespace string
+	/*
+	  Required: true
+	  In: path
+	*/
+	Tenant string
+}
+
+// BindRequest both binds and validates a request, it assumes that complex things implement a Validatable(strfmt.Registry) error interface
+// for simple values it will use straight method calls.
+//
+// To ensure default values, the struct must have been initialized with NewListPVCsForTenantParams() beforehand.
+func (o *ListPVCsForTenantParams) BindRequest(r *http.Request, route *middleware.MatchedRoute) error {
+	var res []error
+
+	o.HTTPRequest = r
+
+	rNamespace, rhkNamespace, _ := route.Params.GetOK("namespace")
+	if err := o.bindNamespace(rNamespace, rhkNamespace, route.Formats); err != nil {
+		res = append(res, err)
+	}
+
+	rTenant, rhkTenant, _ := route.Params.GetOK("tenant")
+	if err := o.bindTenant(rTenant, rhkTenant, route.Formats); err != nil {
+		res = append(res, err)
+	}
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+// bindNamespace binds and validates parameter Namespace from path.
+func (o *ListPVCsForTenantParams) bindNamespace(rawData []string, hasKey bool, formats strfmt.Registry) error {
+	var raw string
+	if len(rawData) > 0 {
+		raw = rawData[len(rawData)-1]
+	}
+
+	// Required: true
+	// Parameter is provided by construction from the route
+	o.Namespace = raw
+
+	return nil
+}
+
+// bindTenant binds and validates parameter Tenant from path.
+func (o *ListPVCsForTenantParams) bindTenant(rawData []string, hasKey bool, formats strfmt.Registry) error {
+	var raw string
+	if len(rawData) > 0 {
+		raw = rawData[len(rawData)-1]
+	}
+
+	// Required: true
+	// Parameter is provided by construction from the route
+	o.Tenant = raw
+
+	return nil
+}
--- a/operatorapi/operations/operator_api/list_p_v_cs_for_tenant_responses.go
+++ b/operatorapi/operations/operator_api/list_p_v_cs_for_tenant_responses.go
@@ -0,0 +1,133 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2021 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package operator_api
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/runtime"
+
+	"github.com/minio/console/models"
+)
+
+// ListPVCsForTenantOKCode is the HTTP code returned for type ListPVCsForTenantOK
+const ListPVCsForTenantOKCode int = 200
+
+/*ListPVCsForTenantOK A successful response.
+
+swagger:response listPVCsForTenantOK
+*/
+type ListPVCsForTenantOK struct {
+
+	/*
+	  In: Body
+	*/
+	Payload *models.ListPVCsResponse `json:"body,omitempty"`
+}
+
+// NewListPVCsForTenantOK creates ListPVCsForTenantOK with default headers values
+func NewListPVCsForTenantOK() *ListPVCsForTenantOK {
+
+	return &ListPVCsForTenantOK{}
+}
+
+// WithPayload adds the payload to the list p v cs for tenant o k response
+func (o *ListPVCsForTenantOK) WithPayload(payload *models.ListPVCsResponse) *ListPVCsForTenantOK {
+	o.Payload = payload
+	return o
+}
+
+// SetPayload sets the payload to the list p v cs for tenant o k response
+func (o *ListPVCsForTenantOK) SetPayload(payload *models.ListPVCsResponse) {
+	o.Payload = payload
+}
+
+// WriteResponse to the client
+func (o *ListPVCsForTenantOK) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.WriteHeader(200)
+	if o.Payload != nil {
+		payload := o.Payload
+		if err := producer.Produce(rw, payload); err != nil {
+			panic(err) // let the recovery middleware deal with this
+		}
+	}
+}
+
+/*ListPVCsForTenantDefault Generic error response.
+
+swagger:response listPVCsForTenantDefault
+*/
+type ListPVCsForTenantDefault struct {
+	_statusCode int
+
+	/*
+	  In: Body
+	*/
+	Payload *models.Error `json:"body,omitempty"`
+}
+
+// NewListPVCsForTenantDefault creates ListPVCsForTenantDefault with default headers values
+func NewListPVCsForTenantDefault(code int) *ListPVCsForTenantDefault {
+	if code <= 0 {
+		code = 500
+	}
+
+	return &ListPVCsForTenantDefault{
+		_statusCode: code,
+	}
+}
+
+// WithStatusCode adds the status to the list p v cs for tenant default response
+func (o *ListPVCsForTenantDefault) WithStatusCode(code int) *ListPVCsForTenantDefault {
+	o._statusCode = code
+	return o
+}
+
+// SetStatusCode sets the status to the list p v cs for tenant default response
+func (o *ListPVCsForTenantDefault) SetStatusCode(code int) {
+	o._statusCode = code
+}
+
+// WithPayload adds the payload to the list p v cs for tenant default response
+func (o *ListPVCsForTenantDefault) WithPayload(payload *models.Error) *ListPVCsForTenantDefault {
+	o.Payload = payload
+	return o
+}
+
+// SetPayload sets the payload to the list p v cs for tenant default response
+func (o *ListPVCsForTenantDefault) SetPayload(payload *models.Error) {
+	o.Payload = payload
+}
+
+// WriteResponse to the client
+func (o *ListPVCsForTenantDefault) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.WriteHeader(o._statusCode)
+	if o.Payload != nil {
+		payload := o.Payload
+		if err := producer.Produce(rw, payload); err != nil {
+			panic(err) // let the recovery middleware deal with this
+		}
+	}
+}
--- a/operatorapi/operations/operator_api/list_p_v_cs_for_tenant_urlbuilder.go
+++ b/operatorapi/operations/operator_api/list_p_v_cs_for_tenant_urlbuilder.go
@@ -0,0 +1,124 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2021 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package operator_api
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"errors"
+	"net/url"
+	golangswaggerpaths "path"
+	"strings"
+)
+
+// ListPVCsForTenantURL generates an URL for the list p v cs for tenant operation
+type ListPVCsForTenantURL struct {
+	Namespace string
+	Tenant    string
+
+	_basePath string
+	// avoid unkeyed usage
+	_ struct{}
+}
+
+// WithBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *ListPVCsForTenantURL) WithBasePath(bp string) *ListPVCsForTenantURL {
+	o.SetBasePath(bp)
+	return o
+}
+
+// SetBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *ListPVCsForTenantURL) SetBasePath(bp string) {
+	o._basePath = bp
+}
+
+// Build a url path and query string
+func (o *ListPVCsForTenantURL) Build() (*url.URL, error) {
+	var _result url.URL
+
+	var _path = "/namespaces/{namespace}/tenants/{tenant}/pvcs"
+
+	namespace := o.Namespace
+	if namespace != "" {
+		_path = strings.Replace(_path, "{namespace}", namespace, -1)
+	} else {
+		return nil, errors.New("namespace is required on ListPVCsForTenantURL")
+	}
+
+	tenant := o.Tenant
+	if tenant != "" {
+		_path = strings.Replace(_path, "{tenant}", tenant, -1)
+	} else {
+		return nil, errors.New("tenant is required on ListPVCsForTenantURL")
+	}
+
+	_basePath := o._basePath
+	if _basePath == "" {
+		_basePath = "/api/v1"
+	}
+	_result.Path = golangswaggerpaths.Join(_basePath, _path)
+
+	return &_result, nil
+}
+
+// Must is a helper function to panic when the url builder returns an error
+func (o *ListPVCsForTenantURL) Must(u *url.URL, err error) *url.URL {
+	if err != nil {
+		panic(err)
+	}
+	if u == nil {
+		panic("url can't be nil")
+	}
+	return u
+}
+
+// String returns the string representation of the path with query string
+func (o *ListPVCsForTenantURL) String() string {
+	return o.Must(o.Build()).String()
+}
+
+// BuildFull builds a full url with scheme, host, path and query string
+func (o *ListPVCsForTenantURL) BuildFull(scheme, host string) (*url.URL, error) {
+	if scheme == "" {
+		return nil, errors.New("scheme is required for a full url on ListPVCsForTenantURL")
+	}
+	if host == "" {
+		return nil, errors.New("host is required for a full url on ListPVCsForTenantURL")
+	}
+
+	base, err := o.Build()
+	if err != nil {
+		return nil, err
+	}
+
+	base.Scheme = scheme
+	base.Host = host
+	return base, nil
+}
+
+// StringFull returns the string representation of a complete url
+func (o *ListPVCsForTenantURL) StringFull(scheme, host string) string {
+	return o.Must(o.BuildFull(scheme, host)).String()
+}
--- a/operatorapi/operator_login.go
+++ b/operatorapi/operator_login.go
@@ -55,8 +55,10 @@ func registerLoginHandlers(api *operations.OperatorAPI) {
 		}
 		// Custom response writer to set the session cookies
 		return middleware.ResponderFunc(func(w http.ResponseWriter, p runtime.Producer) {
-			cookie := restapi.NewSessionCookieForConsole(loginResponse.SessionID)
-			http.SetCookie(w, &cookie)
+			cookies := restapi.NewSessionCookieForConsole(loginResponse.SessionID)
+			for _, cookie := range cookies {
+				http.SetCookie(w, &cookie)
+			}
 			user_api.NewLoginCreated().WithPayload(loginResponse).WriteResponse(w, p)
 		})
 	})
@@ -67,8 +69,10 @@ func registerLoginHandlers(api *operations.OperatorAPI) {
 		}
 		// Custom response writer to set the session cookies
 		return middleware.ResponderFunc(func(w http.ResponseWriter, p runtime.Producer) {
-			cookie := restapi.NewSessionCookieForConsole(loginResponse.SessionID)
-			http.SetCookie(w, &cookie)
+			cookies := restapi.NewSessionCookieForConsole(loginResponse.SessionID)
+			for _, cookie := range cookies {
+				http.SetCookie(w, &cookie)
+			}
 			user_api.NewLoginOauth2AuthCreated().WithPayload(loginResponse).WriteResponse(w, p)
 		})
 	})
@@ -79,8 +83,10 @@ func registerLoginHandlers(api *operations.OperatorAPI) {
 		}
 		// Custom response writer to set the session cookies
 		return middleware.ResponderFunc(func(w http.ResponseWriter, p runtime.Producer) {
-			cookie := restapi.NewSessionCookieForConsole(loginResponse.SessionID)
-			http.SetCookie(w, &cookie)
+			cookies := restapi.NewSessionCookieForConsole(loginResponse.SessionID)
+			for _, cookie := range cookies {
+				http.SetCookie(w, &cookie)
+			}
 			user_api.NewLoginOperatorCreated().WithPayload(loginResponse).WriteResponse(w, p)
 		})
 	})
@@ -180,15 +186,13 @@ func getLoginResponse(lr *models.LoginRequest) (*models.LoginResponse, *models.E

 // getLoginDetailsResponse returns information regarding the Console authentication mechanism.
 func getLoginDetailsResponse() (*models.LoginDetails, *models.Error) {
-	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
-	defer cancel()
 	loginStrategy := models.LoginDetailsLoginStrategyServiceDashAccount
 	redirectURL := ""

-	if oauth2.IsIdpEnabled() {
+	if oauth2.IsIDPEnabled() {
 		loginStrategy = models.LoginDetailsLoginStrategyRedirect
 		// initialize new oauth2 client
-		oauth2Client, err := oauth2.NewOauth2ProviderClient(ctx, nil, restapi.GetConsoleSTSClient())
+		oauth2Client, err := oauth2.NewOauth2ProviderClient(nil, restapi.GetConsoleHTTPClient())
 		if err != nil {
 			return nil, prepareError(err)
 		}
--- a/operatorapi/operator_nodes.go
+++ b/operatorapi/operator_nodes.go
@@ -26,8 +26,6 @@ import (

 	"github.com/minio/console/cluster"

-	"errors"
-
 	"github.com/go-openapi/runtime/middleware"
 	"github.com/minio/console/models"
 	"github.com/minio/console/operatorapi/operations"
@@ -56,8 +54,9 @@ func registerNodesHandlers(api *operations.OperatorAPI) {

 // getMaxAllocatableMemory get max allocatable memory given a desired number of nodes
 func getMaxAllocatableMemory(ctx context.Context, clientset v1.CoreV1Interface, numNodes int32) (*models.MaxAllocatableMemResponse, error) {
-	if numNodes == 0 {
-		return nil, errors.New("error NumNodes must be greated than 0")
+	// can't request less than 4 nodes
+	if numNodes < 4 {
+		return nil, errFewerThanFourNodes
 	}

 	// get all nodes from cluster
@@ -66,6 +65,34 @@ func getMaxAllocatableMemory(ctx context.Context, clientset v1.CoreV1Interface,
 		return nil, err
 	}

+	// requesting more nodes than are schedulable in the cluster
+	schedulableNodes := len(nodes.Items)
+	nonMasterNodes := len(nodes.Items)
+	for _, node := range nodes.Items {
+		// check taints to check if node is schedulable
+		for _, taint := range node.Spec.Taints {
+			if taint.Effect == corev1.TaintEffectNoSchedule {
+				schedulableNodes--
+			}
+			// check if the node is a master
+			if taint.Key == "node-role.kubernetes.io/master" {
+				nonMasterNodes--
+			}
+		}
+	}
+	// requesting more nodes than schedulable and less than total number of workers
+	if int(numNodes) > schedulableNodes && int(numNodes) < nonMasterNodes {
+		return nil, errTooManyNodes
+	}
+	if nonMasterNodes < int(numNodes) {
+		return nil, errTooFewNodes
+	}
+
+	// not enough schedulable nodes
+	if schedulableNodes < int(numNodes) {
+		return nil, errTooFewSchedulableNodes
+	}
+
 	availableMemSizes := []int64{}
 OUTER:
 	for _, n := range nodes.Items {
--- a/operatorapi/operator_subscription.go
+++ b/operatorapi/operator_subscription.go
@@ -20,13 +20,12 @@ package operatorapi
 import (
 	"context"
 	"errors"
-	"fmt"
 	"time"

 	"github.com/minio/console/pkg/subnet"
-
 	miniov2 "github.com/minio/operator/pkg/apis/minio.min.io/v2"
 	corev1 "k8s.io/api/core/v1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

 	"github.com/minio/console/restapi"
@@ -38,10 +37,10 @@ import (
 	"github.com/minio/console/operatorapi/operations/operator_api"
 )

-func registerOperatorSubscriptionHandlers(api *operations.OperatorAPI) {
+func registerSubscriptionHandlers(api *operations.OperatorAPI) {
 	// Activate license subscription for a particular tenant
 	api.OperatorAPISubscriptionActivateHandler = operator_api.SubscriptionActivateHandlerFunc(func(params operator_api.SubscriptionActivateParams, session *models.Principal) middleware.Responder {
-		err := getOperatorSubscriptionActivateResponse(session, params.Namespace, params.Tenant)
+		err := getSubscriptionActivateResponse(session, params.Namespace, params.Tenant)
 		if err != nil {
 			return operator_api.NewSubscriptionActivateDefault(int(err.Code)).WithPayload(err)
 		}
@@ -55,10 +54,33 @@ func registerOperatorSubscriptionHandlers(api *operations.OperatorAPI) {
 		}
 		return operator_api.NewSubscriptionRefreshOK().WithPayload(license)
 	})
+	// Validate subscription handler
+	api.OperatorAPISubscriptionValidateHandler = operator_api.SubscriptionValidateHandlerFunc(func(params operator_api.SubscriptionValidateParams, session *models.Principal) middleware.Responder {
+		license, err := getSubscriptionValidateResponse(session, params.Body)
+		if err != nil {
+			return operator_api.NewSubscriptionValidateDefault(int(err.Code)).WithPayload(err)
+		}
+		return operator_api.NewSubscriptionValidateOK().WithPayload(license)
+	})
+	// Get subscription information handler
+	api.OperatorAPISubscriptionInfoHandler = operator_api.SubscriptionInfoHandlerFunc(func(params operator_api.SubscriptionInfoParams, session *models.Principal) middleware.Responder {
+		license, err := getSubscriptionInfoResponse(session)
+		if err != nil {
+			return operator_api.NewSubscriptionInfoDefault(int(err.Code)).WithPayload(err)
+		}
+		return operator_api.NewSubscriptionInfoOK().WithPayload(license)
+	})
+	// Refresh license for k8s cluster
+	api.OperatorAPISubscriptionRefreshHandler = operator_api.SubscriptionRefreshHandlerFunc(func(params operator_api.SubscriptionRefreshParams, session *models.Principal) middleware.Responder {
+		license, err := getSubscriptionRefreshResponse(session)
+		if err != nil {
+			return operator_api.NewSubscriptionRefreshDefault(int(err.Code)).WithPayload(err)
+		}
+		return operator_api.NewSubscriptionRefreshOK().WithPayload(license)
+	})
 }

-// retrieveLicense returns license from K8S secrets (If console is deployed in operator mode) or from
-// the configured CONSOLE_SUBNET_LICENSE environment variable
+// retrieveLicense returns license from K8S secrets
 func retrieveLicense(ctx context.Context, sessionToken string) (string, error) {
 	var license string

@@ -79,46 +101,6 @@ func retrieveLicense(ctx context.Context, sessionToken string) (string, error) {
 	return license, nil
 }

-func getOperatorSubscriptionActivateResponse(session *models.Principal, namespace, tenant string) *models.Error {
-	// 20 seconds timeout
-	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
-	defer cancel()
-	opClientClientSet, err := cluster.OperatorClient(session.STSSessionToken)
-	if err != nil {
-		return prepareError(restapi.ErrorGeneric, nil, err)
-	}
-	clientSet, err := cluster.K8sClient(session.STSSessionToken)
-	if err != nil {
-		return prepareError(restapi.ErrorGeneric, nil, err)
-	}
-	opClient := &operatorClient{
-		client: opClientClientSet,
-	}
-	minTenant, err := getTenant(ctx, opClient, namespace, tenant)
-	if err != nil {
-		return prepareError(err, restapi.ErrorGeneric)
-	}
-	// If console is not deployed for this tenant return an error
-	if minTenant.Spec.Console == nil {
-		return prepareError(restapi.ErrorGenericNotFound)
-	}
-
-	// configure kubernetes client
-	k8sClient := k8sClient{
-		client: clientSet,
-	}
-	// Get cluster subscription license
-	license, err := getSubscriptionLicense(ctx, &k8sClient, cluster.Namespace, OperatorSubnetLicenseSecretName)
-	if err != nil {
-		return prepareError(errInvalidCredentials, nil, err)
-	}
-	// add subscription license to existing console Tenant
-	if err = addSubscriptionLicenseToTenant(ctx, &k8sClient, license, namespace, tenant, minTenant.Spec.Console.ConsoleSecret.Name); err != nil {
-		return prepareError(err, restapi.ErrorGeneric)
-	}
-	return nil
-}
-
 // getSubscriptionLicense will retrieve stored license jwt from k8s secret
 func getSubscriptionLicense(ctx context.Context, clientSet K8sClientI, namespace, secretName string) (string, error) {
 	// retrieve license stored in k8s
@@ -135,86 +117,66 @@ func getSubscriptionLicense(ctx context.Context, clientSet K8sClientI, namespace
 }

 // addSubscriptionLicenseToTenant replace existing console tenant secret and adds the subnet license key
-func addSubscriptionLicenseToTenant(ctx context.Context, clientSet K8sClientI, license, namespace, tenantName, secretName string) error {
-	// Retrieve console secret for Tenant
-	consoleSecret, err := clientSet.getSecret(ctx, namespace, secretName, metav1.GetOptions{})
-	if err != nil {
-		return err
-	}
-	// Copy current console secret
-	dataNewSecret := consoleSecret.Data
-	// Add subnet license to the new console secret
-	dataNewSecret[ConsoleSubnetLicense] = []byte(license)
-	// Delete existing console secret
-	err = clientSet.deleteSecret(ctx, namespace, secretName, metav1.DeleteOptions{})
-	if err != nil {
-		return err
-	}
-	// Prepare the new Console Secret
-	imm := true
-	newConsoleSecret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: secretName,
-			Labels: map[string]string{
-				miniov2.TenantLabel: tenantName,
-			},
-		},
-		Immutable: &imm,
-		Data:      dataNewSecret,
-	}
-	// Create new Console secret with the subnet License
-	_, err = clientSet.createSecret(ctx, namespace, newConsoleSecret, metav1.CreateOptions{})
-	if err != nil {
-		return err
-	}
-	// restart Console pods based on label:
-	//  v1.min.io/console: TENANT-console
-	err = clientSet.deletePodCollection(ctx, namespace, metav1.DeleteOptions{}, metav1.ListOptions{
-		LabelSelector: fmt.Sprintf("%s=%s%s", miniov2.ConsoleTenantLabel, tenantName, miniov2.ConsoleName),
-	})
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// updateTenantLicenseAndRestartConsole
-func updateTenantLicenseAndRestartConsole(ctx context.Context, clientSet K8sClientI, license, namespace, tenantName string) error {
-	consoleSelector := fmt.Sprintf("%s-console", tenantName)
-	consoleSecretName := fmt.Sprintf("%s-secret", consoleSelector)
-	// read current console configuration from k8s secrets
-	currentConsoleSecret, err := clientSet.getSecret(ctx, namespace, consoleSecretName, metav1.GetOptions{})
-	if err != nil || currentConsoleSecret == nil {
-		return err
-	}
-	secretData := currentConsoleSecret.Data
-	secretData[ConsoleSubnetLicense] = []byte(license)
-	// delete existing console configuration from k8s secrets
-	err = clientSet.deleteSecret(ctx, namespace, consoleSecretName, metav1.DeleteOptions{})
-	if err != nil {
-		// log the error if any and continue
-		LogError("unable to delete secret %s: %v", consoleSecretName, err)
-	}
-	// Save subnet license in k8s secrets
-	imm := true
-	consoleConfigSecret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: consoleSecretName,
-		},
-		Immutable: &imm,
-		Data:      secretData,
-	}
-	_, err = clientSet.createSecret(ctx, namespace, consoleConfigSecret, metav1.CreateOptions{})
-	if err != nil {
-		return err
-	}
-	// restart Console pods based on label:
-	//  v1.min.io/console: TENANT-console
-	err = clientSet.deletePodCollection(ctx, namespace, metav1.DeleteOptions{}, metav1.ListOptions{
-		LabelSelector: fmt.Sprintf("%s=%s%s", miniov2.ConsoleTenantLabel, tenantName, miniov2.ConsoleName),
-	})
-	if err != nil {
-		return err
+func addSubscriptionLicenseToTenant(ctx context.Context, clientSet K8sClientI, opClient OperatorClientI, license string, tenant *miniov2.Tenant) error {
+	// If Tenant has a configuration secret update the license there and MinIO pods doesn't need to get restarted
+	if tenant.HasConfigurationSecret() {
+		// Update the Tenant Configuration
+		tenantConfigurationSecret, err := clientSet.getSecret(ctx, tenant.Namespace, tenant.Spec.Configuration.Name, metav1.GetOptions{})
+		if err != nil {
+			return err
+		}
+		if _, ok := tenantConfigurationSecret.Data["config.env"]; ok {
+			updatedTenantConfiguration := map[string]string{}
+			tenantConfigurationMap := miniov2.ParseRawConfiguration(tenantConfigurationSecret.Data["config.env"])
+			for key, val := range tenantConfigurationMap {
+				updatedTenantConfiguration[key] = string(val)
+			}
+			updatedTenantConfiguration[MinIOSubnetLicense] = license
+			// removing accesskey & secretkey that are added automatically by parsing function
+			// and are not need it for the tenant itself
+			delete(updatedTenantConfiguration, "accesskey")
+			delete(updatedTenantConfiguration, "secretkey")
+			tenantConfigurationSecret.Data = map[string][]byte{
+				"config.env": []byte(GenerateTenantConfigurationFile(updatedTenantConfiguration)),
+			}
+			_, err = clientSet.updateSecret(ctx, tenant.Namespace, tenantConfigurationSecret, metav1.UpdateOptions{})
+			if err != nil {
+				return err
+			}
+		} else {
+			return errors.New("tenant configuration secret has wrong format")
+		}
+	} else {
+		// If configuration file is not present set the license to the container env
+		updatedTenant := tenant.DeepCopy()
+		// reset container env vars
+		updatedTenant.Spec.Env = []corev1.EnvVar{}
+		var licenseIsSet bool
+		for _, env := range tenant.GetEnvVars() {
+			// check if license already exists and override
+			if env.Name == MinIOSubnetLicense {
+				updatedTenant.Spec.Env = append(updatedTenant.Spec.Env, corev1.EnvVar{
+					Name:  MinIOSubnetLicense,
+					Value: license,
+				})
+				licenseIsSet = true
+			} else {
+				// copy existing container env variables
+				updatedTenant.Spec.Env = append(updatedTenant.Spec.Env, env)
+			}
+		}
+		// if license didnt exists append it
+		if !licenseIsSet {
+			updatedTenant.Spec.Env = append(updatedTenant.Spec.Env, corev1.EnvVar{
+				Name:  MinIOSubnetLicense,
+				Value: license,
+			})
+		}
+		// this will start MinIO pods rolling restart
+		_, err := opClient.TenantUpdate(ctx, updatedTenant, metav1.UpdateOptions{})
+		if err != nil {
+			return err
+		}
 	}
 	return nil
 }
@@ -224,9 +186,9 @@ func getSubscriptionRefreshResponse(session *models.Principal) (*models.License,
 	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
 	defer cancel()
 	client := &cluster.HTTPClient{
-		Client: restapi.GetConsoleSTSClient(),
+		Client: restapi.GetConsoleHTTPClient(),
 	}
-	licenseKey, err := retrieveLicense(context.Background(), session.STSSessionToken)
+	licenseKey, err := retrieveLicense(ctx, session.STSSessionToken)
 	if err != nil {
 		return nil, prepareError(errLicenseNotFound, nil, err)
 	}
@@ -251,17 +213,17 @@ func getSubscriptionRefreshResponse(session *models.Principal) (*models.License,
 	if err != nil {
 		return nil, prepareError(err)
 	}
-	opClient := &operatorClient{
+	opClient := operatorClient{
 		client: opClientClientSet,
 	}
-	tenants, err := listTenants(ctx, opClient, "", nil)
+	// iterate over all tenants and update licenses
+	tenants, err := opClient.TenantList(ctx, "", metav1.ListOptions{})
 	if err != nil {
 		return nil, prepareError(err)
 	}
-	// iterate over all tenants, update console configuration and restart console pods
-	for _, tenant := range tenants.Tenants {
-		if err := updateTenantLicenseAndRestartConsole(ctx, &k8sClient, licenseRaw, tenant.Namespace, tenant.Name); err != nil {
-			LogError("unable to updateTenantLicenseAndRestartConsole: %v", err)
+	for _, tenant := range tenants.Items {
+		if err = addSubscriptionLicenseToTenant(ctx, &k8sClient, &opClient, licenseRaw, &tenant); err != nil {
+			return nil, prepareError(err)
 		}
 	}

@@ -280,7 +242,7 @@ func RefreshLicense() error {
 		return err
 	}
 	client := &cluster.HTTPClient{
-		Client: restapi.GetConsoleSTSClient(),
+		Client: restapi.GetConsoleHTTPClient(),
 	}
 	// Attempt to refresh license
 	_, refreshedLicenseKey, err := subscriptionRefresh(client, licenseKey)
@@ -321,24 +283,31 @@ func subscriptionRefresh(httpClient *cluster.HTTPClient, license string) (*model

 // saveSubscriptionLicense will create or replace an existing subnet license secret in the k8s cluster
 func saveSubscriptionLicense(ctx context.Context, clientSet K8sClientI, license string) error {
-	// Delete subnet license secret if exists
-	err := clientSet.deleteSecret(ctx, cluster.Namespace, OperatorSubnetLicenseSecretName, metav1.DeleteOptions{})
+	licenseSecret, err := clientSet.getSecret(ctx, cluster.Namespace, OperatorSubnetLicenseSecretName, metav1.GetOptions{})
 	if err != nil {
-		// log the error if any and continue
-		LogError("unable to delete secret %s: %v", OperatorSubnetLicenseSecretName, err)
+		if k8serrors.IsNotFound(err) {
+			// Save subnet license in k8s secrets
+			licenseSecret := &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: OperatorSubnetLicenseSecretName,
+				},
+				Data: map[string][]byte{
+					ConsoleSubnetLicense: []byte(license),
+				},
+			}
+			_, err = clientSet.createSecret(ctx, cluster.Namespace, licenseSecret, metav1.CreateOptions{})
+			if err != nil {
+				return err
+			}
+			return nil
+		}
+		return err
 	}
-	// Save subnet license in k8s secrets
-	imm := true
-	licenseSecret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: OperatorSubnetLicenseSecretName,
-		},
-		Immutable: &imm,
-		Data: map[string][]byte{
-			ConsoleSubnetLicense: []byte(license),
-		},
+	// update existing license
+	licenseSecret.Data = map[string][]byte{
+		ConsoleSubnetLicense: []byte(license),
 	}
-	_, err = clientSet.createSecret(ctx, cluster.Namespace, licenseSecret, metav1.CreateOptions{})
+	_, err = clientSet.updateSecret(ctx, cluster.Namespace, licenseSecret, metav1.UpdateOptions{})
 	if err != nil {
 		return err
 	}
@@ -360,3 +329,88 @@ func subscriptionValidate(client cluster.HTTPClientI, license, email, password s
 		Organization:    licenseInfo.Organization,
 	}, rawLicense, nil
 }
+
+// getSubscriptionValidateResponse
+func getSubscriptionValidateResponse(session *models.Principal, params *models.SubscriptionValidateRequest) (*models.License, *models.Error) {
+	// 20 seconds timeout
+	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
+	defer cancel()
+
+	client := &cluster.HTTPClient{
+		Client: restapi.GetConsoleHTTPClient(),
+	}
+	// validate license key
+	licenseInfo, license, err := subscriptionValidate(client, params.License, params.Email, params.Password)
+	if err != nil {
+		return nil, prepareError(errInvalidLicense, nil, err)
+	}
+	// configure kubernetes client
+	clientSet, err := cluster.K8sClient(session.STSSessionToken)
+	k8sClient := k8sClient{
+		client: clientSet,
+	}
+	if err != nil {
+		return nil, prepareError(errorGeneric, nil, err)
+	}
+	// save license key to k8s
+	if err = saveSubscriptionLicense(ctx, &k8sClient, license); err != nil {
+		return nil, prepareError(errorGeneric, nil, err)
+	}
+	return licenseInfo, nil
+}
+
+func getSubscriptionActivateResponse(session *models.Principal, namespace, tenantName string) *models.Error {
+	// 20 seconds timeout
+	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
+	defer cancel()
+	opClientClientSet, err := cluster.OperatorClient(session.STSSessionToken)
+	if err != nil {
+		return prepareError(errorGeneric, nil, err)
+	}
+	clientSet, err := cluster.K8sClient(session.STSSessionToken)
+	if err != nil {
+		return prepareError(errorGeneric, nil, err)
+	}
+	opClient := operatorClient{
+		client: opClientClientSet,
+	}
+	tenant, err := getTenant(ctx, &opClient, namespace, tenantName)
+	if err != nil {
+		return prepareError(err, errorGeneric)
+	}
+	// configure kubernetes client
+	k8sClient := k8sClient{
+		client: clientSet,
+	}
+	// Get cluster subscription license
+	license, err := getSubscriptionLicense(ctx, &k8sClient, cluster.Namespace, OperatorSubnetLicenseSecretName)
+	if err != nil {
+		return prepareError(errInvalidCredentials, nil, err)
+	}
+	// add subscription license to existing console Tenant
+	if err = addSubscriptionLicenseToTenant(ctx, &k8sClient, &opClient, license, tenant); err != nil {
+		return prepareError(err, errorGeneric)
+	}
+	return nil
+}
+
+// getSubscriptionInfoResponse returns information about the current configured subnet license for Console
+func getSubscriptionInfoResponse(session *models.Principal) (*models.License, *models.Error) {
+	// 20 seconds timeout
+	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
+	defer cancel()
+	var licenseInfo *models.License
+	client := &cluster.HTTPClient{
+		Client: restapi.GetConsoleHTTPClient(),
+	}
+	licenseKey, err := retrieveLicense(ctx, session.STSSessionToken)
+	if err != nil {
+		return nil, prepareError(errLicenseNotFound, nil, err)
+	}
+	// validate license key and obtain license info
+	licenseInfo, _, err = subscriptionValidate(client, licenseKey, "", "")
+	if err != nil {
+		return nil, prepareError(errLicenseNotFound, nil, err)
+	}
+	return licenseInfo, nil
+}
--- a/operatorapi/operator_subscription_test.go
+++ b/operatorapi/operator_subscription_test.go
@@ -20,6 +20,8 @@ import (
 	"context"
 	"testing"

+	v2 "github.com/minio/operator/pkg/apis/minio.min.io/v2"
+
 	"errors"

 	corev1 "k8s.io/api/core/v1"
@@ -28,13 +30,17 @@ import (

 func Test_addSubscriptionLicenseToTenant(t *testing.T) {
 	k8sClient := k8sClientMock{}
+	opClient := opClientMock{}
+	tenant := &v2.Tenant{
+		ObjectMeta: metav1.ObjectMeta{},
+		Spec:       v2.TenantSpec{},
+	}
 	type args struct {
-		ctx        context.Context
-		clientSet  K8sClientI
-		license    string
-		namespace  string
-		tenantName string
-		secretName string
+		ctx       context.Context
+		clientSet K8sClientI
+		opClient  OperatorClientI
+		license   string
+		tenant    *v2.Tenant
 	}
 	tests := []struct {
 		name     string
@@ -43,150 +49,158 @@ func Test_addSubscriptionLicenseToTenant(t *testing.T) {
 		mockFunc func()
 	}{
 		{
-			name: "error because subnet license doesnt exists",
+			name: "success updating subscription for tenant with configuration file",
 			args: args{
-				ctx:        context.Background(),
-				clientSet:  k8sClient,
-				license:    "",
-				namespace:  "",
-				tenantName: "",
-				secretName: "subnet-license",
-			},
-			wantErr: true,
-			mockFunc: func() {
-				k8sclientGetSecretMock = func(ctx context.Context, namespace, secretName string, opts metav1.GetOptions) (*corev1.Secret, error) {
-					return nil, errors.New("something went wrong")
-				}
-			},
-		},
-		{
-			name: "error because existing license could not be deleted",
-			args: args{
-				ctx:        context.Background(),
-				clientSet:  k8sClient,
-				license:    "",
-				namespace:  "",
-				tenantName: "",
-				secretName: OperatorSubnetLicenseSecretName,
-			},
-			wantErr: true,
-			mockFunc: func() {
-				k8sclientGetSecretMock = func(ctx context.Context, namespace, secretName string, opts metav1.GetOptions) (*corev1.Secret, error) {
-					imm := true
-					return &corev1.Secret{
-						ObjectMeta: metav1.ObjectMeta{
-							Name: OperatorSubnetLicenseSecretName,
-						},
-						Immutable: &imm,
-						Data: map[string][]byte{
-							ConsoleSubnetLicense: []byte("eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJsZW5pbitjMUBtaW5pby5pbyIsInRlYW1OYW1lIjoiY29uc29sZS1jdXN0b21lciIsImV4cCI6MS42Mzk5NTI2MTE2MDkxNDQ3MzJlOSwiaXNzIjoic3VibmV0QG1pbmlvLmlvIiwiY2FwYWNpdHkiOjI1LCJpYXQiOjEuNjA4NDE2NjExNjA5MTQ0NzMyZTksImFjY291bnRJZCI6MTc2LCJzZXJ2aWNlVHlwZSI6IlNUQU5EQVJEIn0.ndtf8V_FJTvhXeemVLlORyDev6RJaSPhZ2djkMVK9SvXD0srR_qlYJATPjC4NljkS71nXMGVDov5uCTuUL97x6FGQEKDruA-z24x_2Zr8kof4LfBb3HUHudCR8QvE--I"),
-						},
-					}, nil
-				}
-				DeleteSecretMock = func(ctx context.Context, namespace string, name string, opts metav1.DeleteOptions) error {
-					return errors.New("something went wrong")
-				}
-			},
-		},
-		{
-			name: "error because unable to create new subnet license",
-			args: args{
-				ctx:        context.Background(),
-				clientSet:  k8sClient,
-				license:    "",
-				namespace:  "",
-				tenantName: "",
-				secretName: OperatorSubnetLicenseSecretName,
-			},
-			wantErr: true,
-			mockFunc: func() {
-				k8sclientGetSecretMock = func(ctx context.Context, namespace, secretName string, opts metav1.GetOptions) (*corev1.Secret, error) {
-					imm := true
-					return &corev1.Secret{
-						ObjectMeta: metav1.ObjectMeta{
-							Name: OperatorSubnetLicenseSecretName,
-						},
-						Immutable: &imm,
-						Data: map[string][]byte{
-							ConsoleSubnetLicense: []byte("eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJsZW5pbitjMUBtaW5pby5pbyIsInRlYW1OYW1lIjoiY29uc29sZS1jdXN0b21lciIsImV4cCI6MS42Mzk5NTI2MTE2MDkxNDQ3MzJlOSwiaXNzIjoic3VibmV0QG1pbmlvLmlvIiwiY2FwYWNpdHkiOjI1LCJpYXQiOjEuNjA4NDE2NjExNjA5MTQ0NzMyZTksImFjY291bnRJZCI6MTc2LCJzZXJ2aWNlVHlwZSI6IlNUQU5EQVJEIn0.ndtf8V_FJTvhXeemVLlORyDev6RJaSPhZ2djkMVK9SvXD0srR_qlYJATPjC4NljkS71nXMGVDov5uCTuUL97x6FGQEKDruA-z24x_2Zr8kof4LfBb3HUHudCR8QvE--I"),
-						},
-					}, nil
-				}
-				DeleteSecretMock = func(ctx context.Context, namespace string, name string, opts metav1.DeleteOptions) error {
-					return nil
-				}
-				CreateSecretMock = func(ctx context.Context, namespace string, secret *corev1.Secret, opts metav1.CreateOptions) (*corev1.Secret, error) {
-					return nil, errors.New("something went wrong")
-				}
-			},
-		},
-		{
-			name: "error because unable to delete pod collection",
-			args: args{
-				ctx:        context.Background(),
-				clientSet:  k8sClient,
-				license:    "",
-				namespace:  "",
-				tenantName: "",
-				secretName: OperatorSubnetLicenseSecretName,
-			},
-			wantErr: true,
-			mockFunc: func() {
-				k8sclientGetSecretMock = func(ctx context.Context, namespace, secretName string, opts metav1.GetOptions) (*corev1.Secret, error) {
-					imm := true
-					return &corev1.Secret{
-						ObjectMeta: metav1.ObjectMeta{
-							Name: OperatorSubnetLicenseSecretName,
-						},
-						Immutable: &imm,
-						Data: map[string][]byte{
-							ConsoleSubnetLicense: []byte("eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJsZW5pbitjMUBtaW5pby5pbyIsInRlYW1OYW1lIjoiY29uc29sZS1jdXN0b21lciIsImV4cCI6MS42Mzk5NTI2MTE2MDkxNDQ3MzJlOSwiaXNzIjoic3VibmV0QG1pbmlvLmlvIiwiY2FwYWNpdHkiOjI1LCJpYXQiOjEuNjA4NDE2NjExNjA5MTQ0NzMyZTksImFjY291bnRJZCI6MTc2LCJzZXJ2aWNlVHlwZSI6IlNUQU5EQVJEIn0.ndtf8V_FJTvhXeemVLlORyDev6RJaSPhZ2djkMVK9SvXD0srR_qlYJATPjC4NljkS71nXMGVDov5uCTuUL97x6FGQEKDruA-z24x_2Zr8kof4LfBb3HUHudCR8QvE--I"),
-						},
-					}, nil
-				}
-				DeleteSecretMock = func(ctx context.Context, namespace string, name string, opts metav1.DeleteOptions) error {
-					return nil
-				}
-				CreateSecretMock = func(ctx context.Context, namespace string, secret *corev1.Secret, opts metav1.CreateOptions) (*corev1.Secret, error) {
-					return nil, nil
-				}
-				DeletePodCollectionMock = func(ctx context.Context, namespace string, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error {
-					return errors.New("something went wrong")
-				}
-			},
-		},
-		{
-			name: "subscription updated successfully",
-			args: args{
-				ctx:        context.Background(),
-				clientSet:  k8sClient,
-				license:    "",
-				namespace:  "",
-				tenantName: "",
-				secretName: OperatorSubnetLicenseSecretName,
+				ctx:       context.Background(),
+				clientSet: k8sClient,
+				opClient:  opClient,
+				license:   "",
+				tenant:    tenant,
 			},
 			wantErr: false,
 			mockFunc: func() {
+				tenant.Spec.Configuration = &corev1.LocalObjectReference{
+					Name: "minio-configuration",
+				}
 				k8sclientGetSecretMock = func(ctx context.Context, namespace, secretName string, opts metav1.GetOptions) (*corev1.Secret, error) {
-					imm := true
 					return &corev1.Secret{
 						ObjectMeta: metav1.ObjectMeta{
-							Name: OperatorSubnetLicenseSecretName,
+							Name: "minio-configuration",
 						},
-						Immutable: &imm,
 						Data: map[string][]byte{
-							ConsoleSubnetLicense: []byte("eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJsZW5pbitjMUBtaW5pby5pbyIsInRlYW1OYW1lIjoiY29uc29sZS1jdXN0b21lciIsImV4cCI6MS42Mzk5NTI2MTE2MDkxNDQ3MzJlOSwiaXNzIjoic3VibmV0QG1pbmlvLmlvIiwiY2FwYWNpdHkiOjI1LCJpYXQiOjEuNjA4NDE2NjExNjA5MTQ0NzMyZTksImFjY291bnRJZCI6MTc2LCJzZXJ2aWNlVHlwZSI6IlNUQU5EQVJEIn0.ndtf8V_FJTvhXeemVLlORyDev6RJaSPhZ2djkMVK9SvXD0srR_qlYJATPjC4NljkS71nXMGVDov5uCTuUL97x6FGQEKDruA-z24x_2Zr8kof4LfBb3HUHudCR8QvE--I"),
+							"config.env": []byte("export MINIO_SUBNET_LICENSE=\"eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJsZW5pbitjMUBtaW5pby5pbyIsInRlYW1OYW1lIjoiY29uc29sZS1jdXN0b21lciIsImV4cCI6MS42Mzk5NTI2MTE2MDkxNDQ3MzJlOSwiaXNzIjoic3VibmV0QG1pbmlvLmlvIiwiY2FwYWNpdHkiOjI1LCJpYXQiOjEuNjA4NDE2NjExNjA5MTQ0NzMyZTksImFjY291bnRJZCI6MTc2LCJzZXJ2aWNlVHlwZSI6IlNUQU5EQVJEIn0.ndtf8V_FJTvhXeemVLlORyDev6RJaSPhZ2djkMVK9SvXD0srR_qlYJATPjC4NljkS71nXMGVDov5uCTuUL97x6FGQEKDruA-z24x_2Zr8kof4LfBb3HUHudCR8QvE--I\""),
 						},
 					}, nil
 				}
-				DeleteSecretMock = func(ctx context.Context, namespace string, name string, opts metav1.DeleteOptions) error {
-					return nil
-				}
-				CreateSecretMock = func(ctx context.Context, namespace string, secret *corev1.Secret, opts metav1.CreateOptions) (*corev1.Secret, error) {
+				UpdateSecretMock = func(ctx context.Context, namespace string, secret *corev1.Secret, opts metav1.UpdateOptions) (*corev1.Secret, error) {
 					return nil, nil
 				}
-				DeletePodCollectionMock = func(ctx context.Context, namespace string, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error {
-					return nil
+			},
+		},
+		{
+			name: "error updating subscription for tenant because cannot get configuration file",
+			args: args{
+				ctx:       context.Background(),
+				clientSet: k8sClient,
+				opClient:  opClient,
+				license:   "",
+				tenant:    tenant,
+			},
+			wantErr: true,
+			mockFunc: func() {
+				tenant.Spec.Configuration = &corev1.LocalObjectReference{
+					Name: "minio-configuration",
+				}
+				k8sclientGetSecretMock = func(ctx context.Context, namespace, secretName string, opts metav1.GetOptions) (*corev1.Secret, error) {
+					return nil, errors.New("something wrong happened")
+				}
+				UpdateSecretMock = func(ctx context.Context, namespace string, secret *corev1.Secret, opts metav1.UpdateOptions) (*corev1.Secret, error) {
+					return nil, nil
+				}
+			},
+		},
+		{
+			name: "error updating subscription for tenant because configuration file has wrong format",
+			args: args{
+				ctx:       context.Background(),
+				clientSet: k8sClient,
+				opClient:  opClient,
+				license:   "",
+				tenant:    tenant,
+			},
+			wantErr: true,
+			mockFunc: func() {
+				tenant.Spec.Configuration = &corev1.LocalObjectReference{
+					Name: "minio-configuration",
+				}
+				k8sclientGetSecretMock = func(ctx context.Context, namespace, secretName string, opts metav1.GetOptions) (*corev1.Secret, error) {
+					return &corev1.Secret{
+						ObjectMeta: metav1.ObjectMeta{
+							Name: "minio-configuration",
+						},
+						Data: map[string][]byte{
+							"aaaaa": []byte("export MINIO_SUBNET_LICENSE=\"eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJsZW5pbitjMUBtaW5pby5pbyIsInRlYW1OYW1lIjoiY29uc29sZS1jdXN0b21lciIsImV4cCI6MS42Mzk5NTI2MTE2MDkxNDQ3MzJlOSwiaXNzIjoic3VibmV0QG1pbmlvLmlvIiwiY2FwYWNpdHkiOjI1LCJpYXQiOjEuNjA4NDE2NjExNjA5MTQ0NzMyZTksImFjY291bnRJZCI6MTc2LCJzZXJ2aWNlVHlwZSI6IlNUQU5EQVJEIn0.ndtf8V_FJTvhXeemVLlORyDev6RJaSPhZ2djkMVK9SvXD0srR_qlYJATPjC4NljkS71nXMGVDov5uCTuUL97x6FGQEKDruA-z24x_2Zr8kof4LfBb3HUHudCR8QvE--I\""),
+						},
+					}, nil
+				}
+				UpdateSecretMock = func(ctx context.Context, namespace string, secret *corev1.Secret, opts metav1.UpdateOptions) (*corev1.Secret, error) {
+					return nil, nil
+				}
+			},
+		},
+		{
+			name: "error updating subscription for tenant because cannot update configuration file",
+			args: args{
+				ctx:       context.Background(),
+				clientSet: k8sClient,
+				opClient:  opClient,
+				license:   "",
+				tenant:    tenant,
+			},
+			wantErr: true,
+			mockFunc: func() {
+				tenant.Spec.Configuration = &corev1.LocalObjectReference{
+					Name: "minio-configuration",
+				}
+				k8sclientGetSecretMock = func(ctx context.Context, namespace, secretName string, opts metav1.GetOptions) (*corev1.Secret, error) {
+					return &corev1.Secret{
+						ObjectMeta: metav1.ObjectMeta{
+							Name: "minio-configuration",
+						},
+						Data: map[string][]byte{
+							"config.env": []byte("export MINIO_SUBNET_LICENSE=\"eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJsZW5pbitjMUBtaW5pby5pbyIsInRlYW1OYW1lIjoiY29uc29sZS1jdXN0b21lciIsImV4cCI6MS42Mzk5NTI2MTE2MDkxNDQ3MzJlOSwiaXNzIjoic3VibmV0QG1pbmlvLmlvIiwiY2FwYWNpdHkiOjI1LCJpYXQiOjEuNjA4NDE2NjExNjA5MTQ0NzMyZTksImFjY291bnRJZCI6MTc2LCJzZXJ2aWNlVHlwZSI6IlNUQU5EQVJEIn0.ndtf8V_FJTvhXeemVLlORyDev6RJaSPhZ2djkMVK9SvXD0srR_qlYJATPjC4NljkS71nXMGVDov5uCTuUL97x6FGQEKDruA-z24x_2Zr8kof4LfBb3HUHudCR8QvE--I\""),
+						},
+					}, nil
+				}
+				UpdateSecretMock = func(ctx context.Context, namespace string, secret *corev1.Secret, opts metav1.UpdateOptions) (*corev1.Secret, error) {
+					return nil, errors.New("something wrong happened")
+				}
+
+			},
+		},
+		{
+			name: "success updating subscription for tenant with env variable",
+			args: args{
+				ctx:       context.Background(),
+				clientSet: k8sClient,
+				opClient:  opClient,
+				license:   "",
+				tenant:    tenant,
+			},
+			wantErr: false,
+			mockFunc: func() {
+				tenant.Spec.Env = []corev1.EnvVar{
+					{
+						Name:      "MINIO_SUBNET_LICENSE",
+						Value:     "",
+						ValueFrom: nil,
+					},
+				}
+				opClientTenantUpdateMock = func(ctx context.Context, tenant *v2.Tenant, opts metav1.UpdateOptions) (*v2.Tenant, error) {
+					return nil, nil
+				}
+			},
+		},
+		{
+			name: "error updating subscription for tenant with env variable because of update tenant error",
+			args: args{
+				ctx:       context.Background(),
+				clientSet: k8sClient,
+				opClient:  opClient,
+				license:   "",
+				tenant:    tenant,
+			},
+			wantErr: true,
+			mockFunc: func() {
+				tenant.Spec.Env = []corev1.EnvVar{
+					{
+						Name:      "MINIO_SUBNET_LICENSE",
+						Value:     "",
+						ValueFrom: nil,
+					},
+				}
+				opClientTenantUpdateMock = func(ctx context.Context, tenant *v2.Tenant, opts metav1.UpdateOptions) (*v2.Tenant, error) {
+					return nil, errors.New("something wrong happened")
 				}
 			},
 		},
@@ -196,7 +210,7 @@ func Test_addSubscriptionLicenseToTenant(t *testing.T) {
 			if tt.mockFunc != nil {
 				tt.mockFunc()
 			}
-			if err := addSubscriptionLicenseToTenant(tt.args.ctx, tt.args.clientSet, tt.args.license, tt.args.namespace, tt.args.tenantName, tt.args.secretName); (err != nil) != tt.wantErr {
+			if err := addSubscriptionLicenseToTenant(tt.args.ctx, tt.args.clientSet, tt.args.opClient, tt.args.license, tt.args.tenant); (err != nil) != tt.wantErr {
 				t.Errorf("addSubscriptionLicenseToTenant() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})
--- a/operatorapi/operator_tenants.go
+++ b/operatorapi/operator_tenants.go
@@ -264,7 +264,14 @@ func getDeleteTenantResponse(session *models.Principal, params operator_api.Dele
 	if params.Body != nil {
 		deleteTenantPVCs = params.Body.DeletePvcs
 	}
-	if err = deleteTenantAction(context.Background(), opClient, clientset.CoreV1(), params.Namespace, params.Tenant, deleteTenantPVCs); err != nil {
+
+	tenant, err := opClient.TenantGet(params.HTTPRequest.Context(), params.Namespace, params.Tenant, metav1.GetOptions{})
+	if err != nil {
+		return prepareError(err)
+	}
+	tenant.EnsureDefaults()
+
+	if err = deleteTenantAction(params.HTTPRequest.Context(), opClient, clientset.CoreV1(), tenant, deleteTenantPVCs); err != nil {
 		return prepareError(err)
 	}
 	return nil
@@ -277,10 +284,10 @@ func deleteTenantAction(
 	ctx context.Context,
 	operatorClient OperatorClientI,
 	clientset v1.CoreV1Interface,
-	namespace, tenantName string,
+	tenant *miniov2.Tenant,
 	deletePvcs bool) error {

-	err := operatorClient.TenantDelete(ctx, namespace, tenantName, metav1.DeleteOptions{})
+	err := operatorClient.TenantDelete(ctx, tenant.Namespace, tenant.Name, metav1.DeleteOptions{})
 	if err != nil {
 		// try to delete pvc even if the tenant doesn't exist anymore but only if deletePvcs is set to true,
 		// else, we return the error
@@ -290,15 +297,37 @@ func deleteTenantAction(
 	}

 	if deletePvcs {
+
+		// delete MinIO PVCs
 		opts := metav1.ListOptions{
-			LabelSelector: fmt.Sprintf("%s=%s", miniov2.TenantLabel, tenantName),
+			LabelSelector: fmt.Sprintf("%s=%s", miniov2.TenantLabel, tenant.Name),
 		}
-		err = clientset.PersistentVolumeClaims(namespace).DeleteCollection(ctx, metav1.DeleteOptions{}, opts)
+		err = clientset.PersistentVolumeClaims(tenant.Namespace).DeleteCollection(ctx, metav1.DeleteOptions{}, opts)
 		if err != nil {
 			return err
 		}
+		// delete postgres PVCs
+
+		logOpts := metav1.ListOptions{
+			LabelSelector: fmt.Sprintf("%s=%s", miniov2.LogDBInstanceLabel, tenant.LogStatefulsetName()),
+		}
+		err := clientset.PersistentVolumeClaims(tenant.Namespace).DeleteCollection(ctx, metav1.DeleteOptions{}, logOpts)
+		if err != nil {
+			return err
+		}
+
+		// delete prometheus PVCs
+
+		promOpts := metav1.ListOptions{
+			LabelSelector: fmt.Sprintf("%s=%s", miniov2.PrometheusInstanceLabel, tenant.PrometheusStatefulsetName()),
+		}
+
+		if err := clientset.PersistentVolumeClaims(tenant.Namespace).DeleteCollection(ctx, metav1.DeleteOptions{}, promOpts); err != nil {
+			return err
+		}
+
 		// delete all tenant's secrets only if deletePvcs = true
-		return clientset.Secrets(namespace).DeleteCollection(ctx, metav1.DeleteOptions{}, opts)
+		return clientset.Secrets(tenant.Namespace).DeleteCollection(ctx, metav1.DeleteOptions{}, opts)
 	}
 	return nil
 }
@@ -338,7 +367,7 @@ func getTenantAdminClient(ctx context.Context, client K8sClientI, tenant *miniov
 		return nil, err
 	}
 	sessionToken := ""
-	mAdmin, pErr := restapi.NewAdminClientWithInsecure(svcURL, tenantCreds.accessKey, tenantCreds.secretKey, sessionToken, false)
+	mAdmin, pErr := restapi.NewAdminClientWithInsecure(svcURL, tenantCreds.accessKey, tenantCreds.secretKey, sessionToken, true)
 	if pErr != nil {
 		return nil, pErr.Cause
 	}
@@ -351,36 +380,29 @@ type tenantKeys struct {
 }

 func getTenantCreds(ctx context.Context, client K8sClientI, tenant *miniov2.Tenant) (*tenantKeys, error) {
-	if tenant == nil || tenant.Spec.CredsSecret == nil {
-		return nil, errors.New("invalid arguments")
-	}
-	// get admin credentials from secret
-	creds, err := client.getSecret(ctx, tenant.Namespace, tenant.Spec.CredsSecret.Name, metav1.GetOptions{})
+	tenantConfiguration, err := GetTenantConfiguration(ctx, client, tenant)
 	if err != nil {
 		return nil, err
 	}
-	tenantAccessKey, ok := creds.Data["accesskey"]
+	tenantAccessKey, ok := tenantConfiguration["accesskey"]
 	if !ok {
 		restapi.LogError("tenant's secret doesn't contain accesskey")
 		return nil, restapi.ErrorGeneric
 	}
-	tenantSecretKey, ok := creds.Data["secretkey"]
+	tenantSecretKey, ok := tenantConfiguration["secretkey"]
 	if !ok {
 		restapi.LogError("tenant's secret doesn't contain secretkey")
 		return nil, restapi.ErrorGeneric
 	}
-	// TODO:
-	// We need to avoid using minio root credentials to talk to tenants, and instead use a different user credentials
-	// when that its implemented we also need to check here if the tenant has LDAP enabled so we authenticate first against AD
-	return &tenantKeys{accessKey: string(tenantAccessKey), secretKey: string(tenantSecretKey)}, nil
+	return &tenantKeys{accessKey: tenantAccessKey, secretKey: tenantSecretKey}, nil
 }

 func getTenant(ctx context.Context, operatorClient OperatorClientI, namespace, tenantName string) (*miniov2.Tenant, error) {
-	minInst, err := operatorClient.TenantGet(ctx, namespace, tenantName, metav1.GetOptions{})
+	tenant, err := operatorClient.TenantGet(ctx, namespace, tenantName, metav1.GetOptions{})
 	if err != nil {
 		return nil, err
 	}
-	return minInst, nil
+	return tenant, nil
 }

 func isPrometheusEnabled(annotations map[string]string) bool {
@@ -403,7 +425,6 @@ func isPrometheusEnabled(annotations map[string]string) bool {

 func getTenantInfo(tenant *miniov2.Tenant) *models.Tenant {
 	var pools []*models.Pool
-	consoleImage := ""
 	var totalSize int64
 	for _, p := range tenant.Spec.Pools {
 		pools = append(pools, parseTenantPool(&p))
@@ -415,10 +436,6 @@ func getTenantInfo(tenant *miniov2.Tenant) *models.Tenant {
 		deletion = tenant.ObjectMeta.DeletionTimestamp.Format(time.RFC3339)
 	}

-	if tenant.HasConsoleEnabled() {
-		consoleImage = tenant.Spec.Console.Image
-	}
-
 	return &models.Tenant{
 		CreationDate:     tenant.ObjectMeta.CreationTimestamp.Format(time.RFC3339),
 		DeletionDate:     deletion,
@@ -428,7 +445,6 @@ func getTenantInfo(tenant *miniov2.Tenant) *models.Tenant {
 		Pools:            pools,
 		Namespace:        tenant.ObjectMeta.Namespace,
 		Image:            tenant.Spec.Image,
-		ConsoleImage:     consoleImage,
 		EnablePrometheus: isPrometheusEnabled(tenant.Annotations),
 	}
 }
@@ -453,14 +469,6 @@ func getTenantDetailsResponse(session *models.Principal, params operator_api.Ten

 	info := getTenantInfo(minTenant)

-	// detect if AD is enabled
-	adEnabled := false
-	for _, env := range minTenant.Spec.Env {
-		if env.Name == "MINIO_IDENTITY_LDAP_SERVER_ADDR" && env.Value != "" {
-			adEnabled = true
-		}
-	}
-
 	// get Kubernetes Client
 	clientSet, err := cluster.K8sClient(session.STSSessionToken)
 	if err != nil {
@@ -471,50 +479,43 @@ func getTenantDetailsResponse(session *models.Principal, params operator_api.Ten
 		client: clientSet,
 	}

-	// detect if OpenID is enabled
-
-	oicEnabled := false
-	consoleSelector := fmt.Sprintf("%s-console", minTenant.Name)
-	consoleSecretName := fmt.Sprintf("%s-secret", consoleSelector)
-	consoleSecret, err := clientSet.CoreV1().Secrets(minTenant.Namespace).Get(ctx, consoleSecretName, metav1.GetOptions{})
-	// we can tolerate not getting this secret
+	tenantConfiguration, err := GetTenantConfiguration(ctx, &k8sClient, minTenant)
 	if err != nil {
-		restapi.LogError("unable to fetch existing secrets for %s: %v", minTenant.Name, err)
+		restapi.LogError("unable to fetch configuration for tenant %s: %v", minTenant.Name, err)
 	}
-	if consoleSecret != nil {
-		if _, ok := consoleSecret.Data["CONSOLE_IDP_URL"]; ok {
-			oicEnabled = true
-		}
+
+	// detect if AD/LDAP is enabled
+	ldapEnabled := false
+	if string(tenantConfiguration["MINIO_IDENTITY_LDAP_SERVER_ADDR"]) != "" {
+		ldapEnabled = true
 	}
-	if minTenant.HasConsoleEnabled() {
-		for _, env := range minTenant.Spec.Console.Env {
-			if env.Name == "CONSOLE_IDP_URL" {
-				oicEnabled = true
-			}
-		}
+
+	// detect if OpenID is enabled
+	oidcEnabled := false
+	if string(tenantConfiguration["MINIO_IDENTITY_OPENID_CONFIG_URL"]) != "" {
+		oidcEnabled = true
+	}
+
+	// detect if encryption is enabled
+	if minTenant.HasKESEnabled() || string(tenantConfiguration["MINIO_KMS_SECRET_KEY"]) != "" {
+		info.EncryptionEnabled = true
 	}

 	info.LogEnabled = minTenant.HasLogEnabled()
 	info.MonitoringEnabled = minTenant.HasPrometheusEnabled()
-	info.EncryptionEnabled = minTenant.HasKESEnabled()
-	info.IdpAdEnabled = adEnabled
-	info.IdpOicEnabled = oicEnabled
+	info.IdpAdEnabled = ldapEnabled
+	info.IdpOidcEnabled = oidcEnabled
 	info.MinioTLS = minTenant.TLS()
-	info.ConsoleTLS = minTenant.AutoCert() || minTenant.ConsoleExternalCert()
-	info.ConsoleEnabled = minTenant.HasConsoleEnabled()

-	if minTenant.Spec.Console != nil {
-		// obtain current subnet license for tenant (if exists)
-		license, _ := getSubscriptionLicense(context.Background(), &k8sClient, params.Namespace, minTenant.Spec.Console.ConsoleSecret.Name)
-		if license != "" {
-			client := &cluster.HTTPClient{
-				Client: restapi.GetConsoleSTSClient(),
-			}
-			licenseInfo, _, _ := subscriptionValidate(client, license, "", "")
-			// if licenseInfo is present attach it to the tenantInfo response
-			if licenseInfo != nil {
-				info.SubnetLicense = licenseInfo
-			}
+	// obtain current subnet license for tenant (if exists)
+	if license, ok := tenantConfiguration[MinIOSubnetLicense]; ok {
+		client := &cluster.HTTPClient{
+			Client: restapi.GetConsoleHTTPClient(),
+		}
+		licenseInfo, _, _ := subscriptionValidate(client, string(license), "", "")
+		// if licenseInfo is present attach it to the tenantInfo response
+		if licenseInfo != nil {
+			info.SubnetLicense = licenseInfo
 		}
 	}

@@ -544,13 +545,11 @@ func getTenantDetailsResponse(session *models.Principal, params operator_api.Ten

 	schema := "http"
 	consoleSchema := "http"
-	consolePort := ":9090"
+	consolePort := fmt.Sprintf(":%d", miniov2.ConsolePort)
 	if minTenant.TLS() {
 		schema = "https"
-	}
-	if minTenant.AutoCert() || minTenant.ConsoleExternalCert() {
 		consoleSchema = "https"
-		consolePort = ":9443"
+		consolePort = fmt.Sprintf(":%d", miniov2.ConsoleTLSPort)
 	}
 	var minioEndpoint string
 	var consoleEndpoint string
@@ -607,10 +606,21 @@ func parseTenantCertificates(ctx context.Context, clientSet K8sClientI, namespac
 			if err != nil {
 				return nil, err
 			}
+			domains := []string{}
+			// append certificate domain names
+			if len(cert.DNSNames) > 0 {
+				domains = append(domains, cert.DNSNames...)
+			}
+			// append certificate IPs
+			if len(cert.IPAddresses) > 0 {
+				for _, ip := range cert.IPAddresses {
+					domains = append(domains, ip.String())
+				}
+			}
 			certificates = append(certificates, &models.CertificateInfo{
 				SerialNumber: cert.SerialNumber.String(),
 				Name:         secret.Name,
-				Domains:      cert.DNSNames,
+				Domains:      domains,
 				Expiry:       cert.NotAfter.String(),
 			})
 		}
@@ -621,8 +631,6 @@ func parseTenantCertificates(ctx context.Context, clientSet K8sClientI, namespac
 func getTenantSecurity(ctx context.Context, clientSet K8sClientI, tenant *miniov2.Tenant) (response *models.TenantSecurityResponse, err error) {
 	var minioExternalCertificates []*models.CertificateInfo
 	var minioExternalCaCertificates []*models.CertificateInfo
-	var consoleExternalCertificates []*models.CertificateInfo
-	var consoleExternalCaCertificates []*models.CertificateInfo
 	// Certificates used by MinIO server
 	if minioExternalCertificates, err = parseTenantCertificates(ctx, clientSet, tenant.Namespace, tenant.Spec.ExternalCertSecret); err != nil {
 		return nil, err
@@ -631,32 +639,19 @@ func getTenantSecurity(ctx context.Context, clientSet K8sClientI, tenant *miniov
 	if minioExternalCaCertificates, err = parseTenantCertificates(ctx, clientSet, tenant.Namespace, tenant.Spec.ExternalCaCertSecret); err != nil {
 		return nil, err
 	}
-	if tenant.HasConsoleEnabled() {
-		// Certificate used by Console server
-		if tenant.Spec.Console.ExternalCertSecret != nil {
-			if consoleExternalCertificates, err = parseTenantCertificates(ctx, clientSet, tenant.Namespace, []*miniov2.LocalCertificateReference{tenant.Spec.Console.ExternalCertSecret}); err != nil {
-				return nil, err
-			}
-		}
-		// CA Certificates used by Console server
-		if consoleExternalCaCertificates, err = parseTenantCertificates(ctx, clientSet, tenant.Namespace, tenant.Spec.Console.ExternalCaCertSecret); err != nil {
-			return nil, err
-		}
-	}
 	return &models.TenantSecurityResponse{
 		AutoCert: tenant.AutoCert(),
 		CustomCertificates: &models.TenantSecurityResponseCustomCertificates{
-			Minio:      minioExternalCertificates,
-			MinioCAs:   minioExternalCaCertificates,
-			Console:    consoleExternalCertificates,
-			ConsoleCAs: consoleExternalCaCertificates,
+			Minio:    minioExternalCertificates,
+			MinioCAs: minioExternalCaCertificates,
 		},
 	}, nil
 }

 func getTenantSecurityResponse(session *models.Principal, params operator_api.TenantSecurityParams) (*models.TenantSecurityResponse, *models.Error) {
 	// 5 seconds timeout
-	ctx := context.Background()
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
 	//ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	//defer cancel()
 	opClientClientSet, err := cluster.OperatorClient(session.STSSessionToken)
@@ -720,8 +715,6 @@ func updateTenantSecurity(ctx context.Context, operatorClient OperatorClientI, c
 	minInst.Spec.RequestAutoCert = &params.Body.AutoCert
 	var newMinIOExternalCertSecret []*miniov2.LocalCertificateReference
 	var newMinIOExternalCaCertSecret []*miniov2.LocalCertificateReference
-	var newConsoleExternalCertSecret *miniov2.LocalCertificateReference
-	var newConsoleExternalCaCertSecret []*miniov2.LocalCertificateReference
 	// Remove Certificate Secrets from MinIO (Tenant.Spec.ExternalCertSecret)
 	for _, certificate := range minInst.Spec.ExternalCertSecret {
 		skip := false
@@ -750,33 +743,6 @@ func updateTenantSecurity(ctx context.Context, operatorClient OperatorClientI, c
 		}
 		newMinIOExternalCaCertSecret = append(newMinIOExternalCaCertSecret, certificate)
 	}
-	if minInst.HasConsoleEnabled() {
-		// Remove Certificate Secrets from Console (Tenant.Spec.Console.ExternalCertSecret)
-		if minInst.ConsoleExternalCert() {
-			newConsoleExternalCertSecret = minInst.Spec.Console.ExternalCertSecret
-			for _, certificateToBeDeleted := range params.Body.CustomCertificates.SecretsToBeDeleted {
-				if newConsoleExternalCertSecret.Name == certificateToBeDeleted {
-					newConsoleExternalCertSecret = nil
-					break
-				}
-			}
-		}
-		// Remove Certificate Secrets from Console CAs (Tenant.Spec.Console.ExternalCaCertSecret)
-		for _, certificate := range minInst.Spec.Console.ExternalCaCertSecret {
-			skip := false
-			for _, certificateToBeDeleted := range params.Body.CustomCertificates.SecretsToBeDeleted {
-				if certificate.Name == certificateToBeDeleted {
-					skip = true
-					break
-				}
-			}
-			if skip {
-				continue
-			}
-			newConsoleExternalCaCertSecret = append(newConsoleExternalCaCertSecret, certificate)
-		}
-	}
-
 	//Create new Certificate Secrets for MinIO
 	secretName := fmt.Sprintf("%s-%s", minInst.Name, strings.ToLower(utils.RandomCharString(5)))
 	externalCertSecretName := fmt.Sprintf("%s-external-certificates", secretName)
@@ -785,7 +751,6 @@ func updateTenantSecurity(ctx context.Context, operatorClient OperatorClientI, c
 		return err
 	}
 	newMinIOExternalCertSecret = append(newMinIOExternalCertSecret, externalCertSecrets...)
-
 	// Create new CAs Certificate Secrets for MinIO
 	var caCertificates []tenantSecret
 	for i, caCertificate := range params.Body.CustomCertificates.MinioCAs {
@@ -807,46 +772,9 @@ func updateTenantSecurity(ctx context.Context, operatorClient OperatorClientI, c
 		}
 		newMinIOExternalCaCertSecret = append(newMinIOExternalCaCertSecret, certificateSecrets...)
 	}
-
-	// Create new Certificate Secrets for Console
-	consoleExternalCertSecretName := fmt.Sprintf("%s-console-external-certificates", secretName)
-	consoleExternalCertSecrets, err := createOrReplaceExternalCertSecrets(ctx, client, minInst.Namespace, params.Body.CustomCertificates.Console, consoleExternalCertSecretName, minInst.Name)
-	if err != nil {
-		return err
-	}
-	if len(consoleExternalCertSecrets) > 0 {
-		newConsoleExternalCertSecret = consoleExternalCertSecrets[0]
-	}
-
-	// Create new CAs Certificate Secrets for Console
-	var consoleCaCertificates []tenantSecret
-	for i, caCertificate := range params.Body.CustomCertificates.ConsoleCAs {
-		certificateContent, err := base64.StdEncoding.DecodeString(caCertificate)
-		if err != nil {
-			return err
-		}
-		consoleCaCertificates = append(consoleCaCertificates, tenantSecret{
-			Name: fmt.Sprintf("%s-console-ca-certificate-%d", secretName, i),
-			Content: map[string][]byte{
-				"public.crt": certificateContent,
-			},
-		})
-	}
-	if len(consoleCaCertificates) > 0 {
-		certificateSecrets, err := createOrReplaceSecrets(ctx, client, minInst.Namespace, consoleCaCertificates, minInst.Name)
-		if err != nil {
-			return err
-		}
-		newConsoleExternalCaCertSecret = append(newConsoleExternalCaCertSecret, certificateSecrets...)
-	}
-
 	// Update External Certificates
 	minInst.Spec.ExternalCertSecret = newMinIOExternalCertSecret
 	minInst.Spec.ExternalCaCertSecret = newMinIOExternalCaCertSecret
-	if minInst.HasConsoleEnabled() {
-		minInst.Spec.Console.ExternalCertSecret = newConsoleExternalCertSecret
-		minInst.Spec.Console.ExternalCaCertSecret = newConsoleExternalCaCertSecret
-	}
 	_, err = operatorClient.TenantUpdate(ctx, minInst, metav1.UpdateOptions{})
 	if err != nil {
 		return err
@@ -952,8 +880,6 @@ func getTenantCreatedResponse(session *models.Principal, params operator_api.Cre
 	tenantReq := params.Body
 	minioImage := tenantReq.Image
 	ctx := context.Background()
-	consoleHasTLS := false
-
 	if minioImage == "" {
 		minImg, err := cluster.GetMinioImage()
 		// we can live without figuring out the latest version of MinIO, Operator will use a hardcoded value
@@ -989,7 +915,9 @@ func getTenantCreatedResponse(session *models.Principal, params operator_api.Cre
 	var instanceSecret corev1.Secret
 	var users []*corev1.LocalObjectReference

-	// Create the secret for the root credentials
+	tenantConfigurationENV := map[string]string{}
+
+	// Create the secret for the root credentials (deprecated)
 	secretName := fmt.Sprintf("%s-secret", tenantName)
 	instanceSecret = corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
@@ -1000,10 +928,20 @@ func getTenantCreatedResponse(session *models.Principal, params operator_api.Cre
 		},
 		Immutable: &imm,
 		Data: map[string][]byte{
-			"accesskey": []byte(accessKey),
-			"secretkey": []byte(secretKey),
+			"accesskey": []byte(""),
+			"secretkey": []byte(""),
 		},
 	}
+
+	// Enable/Disable console object browser for MinIO tenant (default is on)
+	enabledConsole := "on"
+	if tenantReq.EnableConsole != nil && !*tenantReq.EnableConsole {
+		enabledConsole = "off"
+	}
+	tenantConfigurationENV["MINIO_BROWSER"] = enabledConsole
+	tenantConfigurationENV["MINIO_ROOT_USER"] = accessKey
+	tenantConfigurationENV["MINIO_ROOT_PASSWORD"] = secretKey
+
 	_, err = clientSet.CoreV1().Secrets(ns).Create(ctx, &instanceSecret, metav1.CreateOptions{})
 	if err != nil {
 		return nil, prepareError(err)
@@ -1023,16 +961,12 @@ func getTenantCreatedResponse(session *models.Principal, params operator_api.Cre
 		}
 	}()

-	var environmentVariables []corev1.EnvVar
 	// Check the Erasure Coding Parity for validity and pass it to Tenant
 	if tenantReq.ErasureCodingParity > 0 {
 		if tenantReq.ErasureCodingParity < 2 || tenantReq.ErasureCodingParity > 8 {
 			return nil, prepareError(errorInvalidErasureCodingValue)
 		}
-		environmentVariables = append(environmentVariables, corev1.EnvVar{
-			Name:  "MINIO_STORAGE_CLASS_STANDARD",
-			Value: fmt.Sprintf("EC:%d", tenantReq.ErasureCodingParity),
-		})
+		tenantConfigurationENV["MINIO_STORAGE_CLASS_STANDARD"] = fmt.Sprintf("EC:%d", tenantReq.ErasureCodingParity)
 	}

 	//Construct a MinIO Instance with everything we are getting from parameters
@@ -1047,87 +981,124 @@ func getTenantCreatedResponse(session *models.Principal, params operator_api.Cre
 			CredsSecret: &corev1.LocalObjectReference{
 				Name: secretName,
 			},
-			Env: environmentVariables,
 		},
 	}
-	idpEnabled := false
-
-	// Enable IDP (Active Directory) for MinIO
-	if tenantReq.Idp != nil && tenantReq.Idp.ActiveDirectory != nil {
-		url := *tenantReq.Idp.ActiveDirectory.URL
-		userNameFormat := *tenantReq.Idp.ActiveDirectory.UsernameFormat
-		userSearchFilter := *tenantReq.Idp.ActiveDirectory.UserSearchFilter
-		tlsSkipVerify := tenantReq.Idp.ActiveDirectory.SkipTLSVerification
-		serverInsecure := tenantReq.Idp.ActiveDirectory.ServerInsecure
-		groupSearchDN := tenantReq.Idp.ActiveDirectory.GroupSearchBaseDn
-		groupSearchFilter := tenantReq.Idp.ActiveDirectory.GroupSearchFilter
-		groupNameAttribute := tenantReq.Idp.ActiveDirectory.GroupNameAttribute
-		if url != "" && userNameFormat != "" && userSearchFilter != "" {
-			// CONSOLE_LDAP_ENABLED
-			idpEnabled = true
-			minInst.Spec.Env = append(minInst.Spec.Env, corev1.EnvVar{
-				Name:  "MINIO_IDENTITY_LDAP_SERVER_ADDR",
-				Value: userNameFormat,
-			}, corev1.EnvVar{
-				Name:  "MINIO_IDENTITY_LDAP_USERNAME_FORMAT",
-				Value: userNameFormat,
-			}, corev1.EnvVar{
-				Name:  "MINIO_IDENTITY_LDAP_USERNAME_SEARCH_FILTER",
-				Value: userSearchFilter,
-			}, corev1.EnvVar{
-				Name:  "MINIO_IDENTITY_LDAP_USERNAME_SEARCH_FILTER",
-				Value: userSearchFilter,
-			}, corev1.EnvVar{
-				Name:  "MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN",
-				Value: groupSearchDN,
-			}, corev1.EnvVar{
-				Name:  "MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER",
-				Value: groupSearchFilter,
-			}, corev1.EnvVar{
-				Name:  "MINIO_IDENTITY_LDAP_GROUP_NAME_ATTRIBUTE",
-				Value: groupNameAttribute,
-			})
+	var tenantExternalIDPConfigured bool
+	if tenantReq.Idp != nil {
+		// Enable IDP (Active Directory) for MinIO
+		if tenantReq.Idp.ActiveDirectory != nil {
+			tenantExternalIDPConfigured = true
+			serverAddress := *tenantReq.Idp.ActiveDirectory.URL
+			userNameFormat := tenantReq.Idp.ActiveDirectory.UsernameFormat
+			userNameSearchFilter := tenantReq.Idp.ActiveDirectory.UsernameSearchFilter
+			groupNameAttribute := tenantReq.Idp.ActiveDirectory.GroupNameAttribute
+			tlsSkipVerify := tenantReq.Idp.ActiveDirectory.SkipTLSVerification
+			serverInsecure := tenantReq.Idp.ActiveDirectory.ServerInsecure
+			lookupBindDN := tenantReq.Idp.ActiveDirectory.LookupBindDn
+			lookupBindPassword := tenantReq.Idp.ActiveDirectory.LookupBindPassword
+			userDNSearchBaseDN := tenantReq.Idp.ActiveDirectory.UserDnSearchBaseDn
+			userDNSearchFilter := tenantReq.Idp.ActiveDirectory.UserDnSearchFilter
+			groupSearchBaseDN := tenantReq.Idp.ActiveDirectory.GroupSearchBaseDn
+			groupSearchFilter := tenantReq.Idp.ActiveDirectory.GroupSearchFilter
+			serverStartTLS := tenantReq.Idp.ActiveDirectory.ServerStartTLS

+			// LDAP Server
+			tenantConfigurationENV["MINIO_IDENTITY_LDAP_SERVER_ADDR"] = serverAddress
 			if tlsSkipVerify {
-				minInst.Spec.Env = append(minInst.Spec.Env, corev1.EnvVar{
-					Name:  "MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY",
-					Value: "on",
-				})
+				tenantConfigurationENV["MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY"] = "on"
 			}
 			if serverInsecure {
-				minInst.Spec.Env = append(minInst.Spec.Env, corev1.EnvVar{
-					Name:  "MINIO_IDENTITY_LDAP_SERVER_INSECURE",
-					Value: "on",
-				})
+				tenantConfigurationENV["MINIO_IDENTITY_LDAP_SERVER_INSECURE"] = "on"
+			}
+			if serverStartTLS {
+				tenantConfigurationENV["MINIO_IDENTITY_LDAP_SERVER_STARTTLS"] = "on"
 			}
-		}
-	}

-	// Create the secret any built-in user passed if no external IDP was configured
-	if tenantReq.Idp != nil && len(tenantReq.Idp.Keys) > 0 && tenantReq.Idp.ActiveDirectory == nil && tenantReq.Idp.Oidc == nil {
-		for i := 0; i < len(tenantReq.Idp.Keys); i++ {
-			userSecretName := fmt.Sprintf("%s-user-%d", tenantName, i)
-			users = append(users, &corev1.LocalObjectReference{Name: userSecretName})
-			userSecret := corev1.Secret{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: userSecretName,
-					Labels: map[string]string{
-						miniov2.TenantLabel: tenantName,
+			// LDAP Username
+			tenantConfigurationENV["MINIO_IDENTITY_LDAP_USERNAME_FORMAT"] = userNameFormat
+			tenantConfigurationENV["MINIO_IDENTITY_LDAP_USERNAME_SEARCH_FILTER"] = userNameSearchFilter
+
+			// LDAP Lookup
+			tenantConfigurationENV["MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN"] = lookupBindDN
+			tenantConfigurationENV["MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD"] = lookupBindPassword
+
+			// LDAP User DN
+			tenantConfigurationENV["MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN"] = userDNSearchBaseDN
+			tenantConfigurationENV["MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER"] = userDNSearchFilter
+
+			// LDAP Group
+			tenantConfigurationENV["MINIO_IDENTITY_LDAP_GROUP_NAME_ATTRIBUTE"] = groupNameAttribute
+			tenantConfigurationENV["MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN"] = groupSearchBaseDN
+			tenantConfigurationENV["MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER"] = groupSearchFilter
+
+			// Attach the list of LDAP user DNs that will be administrator for the Tenant
+			for i, userDN := range tenantReq.Idp.ActiveDirectory.UserDNS {
+				userSecretName := fmt.Sprintf("%s-user-%d", tenantName, i)
+				users = append(users, &corev1.LocalObjectReference{Name: userSecretName})
+				userSecret := corev1.Secret{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: userSecretName,
+						Labels: map[string]string{
+							miniov2.TenantLabel: tenantName,
+						},
 					},
-				},
-				Immutable: &imm,
-				Data: map[string][]byte{
-					"CONSOLE_ACCESS_KEY": []byte(*tenantReq.Idp.Keys[i].AccessKey),
-					"CONSOLE_SECRET_KEY": []byte(*tenantReq.Idp.Keys[i].SecretKey),
-				},
+					Immutable: &imm,
+					Data: map[string][]byte{
+						"CONSOLE_ACCESS_KEY": []byte(userDN),
+					},
+				}
+				_, err := clientSet.CoreV1().Secrets(ns).Create(ctx, &userSecret, metav1.CreateOptions{})
+				if err != nil {
+					return nil, prepareError(err)
+				}
 			}
-			_, err := clientSet.CoreV1().Secrets(ns).Create(ctx, &userSecret, metav1.CreateOptions{})
-			if err != nil {
-				return nil, prepareError(err)
+			// attach the users to the tenant
+			minInst.Spec.Users = users
+
+		} else if tenantReq.Idp.Oidc != nil {
+			tenantExternalIDPConfigured = true
+			// Enable IDP (OIDC) for MinIO
+			configurationURL := *tenantReq.Idp.Oidc.ConfigurationURL
+			clientID := *tenantReq.Idp.Oidc.ClientID
+			secretID := *tenantReq.Idp.Oidc.SecretID
+			claimName := *tenantReq.Idp.Oidc.ClaimName
+			scopes := tenantReq.Idp.Oidc.Scopes
+			callbackURL := tenantReq.Idp.Oidc.CallbackURL
+			tenantConfigurationENV["MINIO_IDENTITY_OPENID_CONFIG_URL"] = configurationURL
+			tenantConfigurationENV["MINIO_IDENTITY_OPENID_CLIENT_ID"] = clientID
+			tenantConfigurationENV["MINIO_IDENTITY_OPENID_CLIENT_SECRET"] = secretID
+			tenantConfigurationENV["MINIO_IDENTITY_OPENID_CLAIM_NAME"] = claimName
+			tenantConfigurationENV["MINIO_IDENTITY_OPENID_REDIRECT_URI"] = callbackURL
+			if scopes == "" {
+				scopes = "openid,profile,email"
 			}
+			tenantConfigurationENV["MINIO_IDENTITY_OPENID_SCOPES"] = scopes
+		} else if len(tenantReq.Idp.Keys) > 0 {
+			// Create the secret any built-in user passed if no external IDP was configured
+			for i := 0; i < len(tenantReq.Idp.Keys); i++ {
+				userSecretName := fmt.Sprintf("%s-user-%d", tenantName, i)
+				users = append(users, &corev1.LocalObjectReference{Name: userSecretName})
+				userSecret := corev1.Secret{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: userSecretName,
+						Labels: map[string]string{
+							miniov2.TenantLabel: tenantName,
+						},
+					},
+					Immutable: &imm,
+					Data: map[string][]byte{
+						"CONSOLE_ACCESS_KEY": []byte(*tenantReq.Idp.Keys[i].AccessKey),
+						"CONSOLE_SECRET_KEY": []byte(*tenantReq.Idp.Keys[i].SecretKey),
+					},
+				}
+				_, err := clientSet.CoreV1().Secrets(ns).Create(ctx, &userSecret, metav1.CreateOptions{})
+				if err != nil {
+					return nil, prepareError(err)
+				}
+			}
+			// attach the users to the tenant
+			minInst.Spec.Users = users
 		}
-		// attach the users to the tenant
-		minInst.Spec.Users = users
 	}

 	isEncryptionEnabled := false
@@ -1139,7 +1110,6 @@ func getTenantCreatedResponse(session *models.Principal, params operator_api.Cre
 		if *tenantReq.EnableTLS {
 			// requestAutoCert is enabled, MinIO will be deployed with TLS enabled and encryption can be enabled
 			isEncryptionEnabled = true
-			consoleHasTLS = true
 		}
 	}
 	// External TLS certificates for MinIO
@@ -1201,123 +1171,12 @@ func getTenantCreatedResponse(session *models.Principal, params operator_api.Cre
 			minInst.Spec.ExternalCaCertSecret = certificateSecrets
 		}
 	}
-	// optionals are set below
-	var tenantUserAccessKey string
-	var tenantUserSecretKey string
-	keyElementEmpty := len(tenantReq.Idp.Keys) == 1 && (*tenantReq.Idp.Keys[0].AccessKey == "" && *tenantReq.Idp.Keys[0].SecretKey == "")

-	enableConsole := true
-	if tenantReq.EnableConsole != nil && *tenantReq.EnableConsole {
-		enableConsole = *tenantReq.EnableConsole
-	}
-
-	if enableConsole {
-		consoleSelector := fmt.Sprintf("%s-console", tenantName)
-		consoleSecretName := fmt.Sprintf("%s-secret", consoleSelector)
-		consoleSecretData := map[string][]byte{
-			"CONSOLE_PBKDF_PASSPHRASE": []byte(restapi.RandomCharString(16)),
-			"CONSOLE_PBKDF_SALT":       []byte(restapi.RandomCharString(8)),
-		}
-		// If Subnet License is present in k8s secrets, copy that to the CONSOLE_SUBNET_LICENSE env variable
-		// of the console tenant
-		license, _ := getSubscriptionLicense(ctx, &k8sClient, cluster.Namespace, OperatorSubnetLicenseSecretName)
-		if license != "" {
-			consoleSecretData[restapi.ConsoleSubnetLicense] = []byte(license)
-		}
-		imm := true
-		instanceSecret := corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: consoleSecretName,
-				Labels: map[string]string{
-					miniov2.TenantLabel: tenantName,
-				},
-			},
-			Immutable: &imm,
-			Data:      consoleSecretData,
-		}
-
-		minInst.Spec.Console = &miniov2.ConsoleConfiguration{
-			Replicas:      1,
-			Image:         getConsoleImage(),
-			ConsoleSecret: &corev1.LocalObjectReference{Name: consoleSecretName},
-			Resources: corev1.ResourceRequirements{
-				Requests: map[corev1.ResourceName]resource.Quantity{
-					"memory": resource.MustParse("64Mi"),
-				},
-			},
-		}
-		if tenantReq.TLS != nil && tenantReq.TLS.Console != nil {
-			consoleHasTLS = true
-			// Certificates used by the console instance
-			externalCertSecretName := fmt.Sprintf("%s-console-external-certificates", secretName)
-			certificates := []*models.KeyPairConfiguration{tenantReq.TLS.Console}
-			externalCertSecret, err := createOrReplaceExternalCertSecrets(ctx, &k8sClient, ns, certificates, externalCertSecretName, tenantName)
-			if err != nil {
-				return nil, prepareError(restapi.ErrorGeneric)
-			}
-			if len(externalCertSecret) > 0 {
-				minInst.Spec.Console.ExternalCertSecret = externalCertSecret[0]
-			}
-		}
-
-		// If IDP is not already enabled via LDAP (Active Directory) and OIDC configuration is present then
-		// enable oidc for console
-		if !idpEnabled && tenantReq.Idp != nil && tenantReq.Idp.Oidc != nil {
-			url := *tenantReq.Idp.Oidc.URL
-			clientID := *tenantReq.Idp.Oidc.ClientID
-			secretID := *tenantReq.Idp.Oidc.SecretID
-			if url != "" && clientID != "" && secretID != "" {
-				instanceSecret.Data["CONSOLE_IDP_URL"] = []byte(url)
-				instanceSecret.Data["CONSOLE_IDP_CLIENT_ID"] = []byte(clientID)
-				instanceSecret.Data["CONSOLE_IDP_SECRET"] = []byte(secretID)
-				consoleScheme := "http"
-				consolePort := 9090
-				// If Console will be deployed with TLS enabled (using AutoCert or External certificates)
-				if consoleHasTLS {
-					consoleScheme = "https"
-					consolePort = 9443
-				}
-				// https://[HOSTNAME]:9443 will be replaced by javascript in the browser to use the actual hostname
-				// assigned to Console, eg: https://localhost:9443
-				instanceSecret.Data["CONSOLE_IDP_CALLBACK"] = []byte(fmt.Sprintf("%s://[HOSTNAME]:%d/oauth_callback", consoleScheme, consolePort))
-			}
-		}
-
-		_, err = clientSet.CoreV1().Secrets(ns).Create(ctx, &instanceSecret, metav1.CreateOptions{})
-		if err != nil {
-			return nil, prepareError(restapi.ErrorGeneric)
-		}
-
-		// Set Labels, Annotations and Node Selector for Console
-		if tenantReq.Console != nil {
-			minInst.Spec.Console.Annotations = tenantReq.Console.Annotations
-			minInst.Spec.Console.Labels = tenantReq.Console.Labels
-			minInst.Spec.Console.NodeSelector = tenantReq.Console.NodeSelector
-		}
-
-		// External TLS CA certificates for Console
-		if tenantReq.TLS != nil && len(tenantReq.TLS.ConsoleCaCertificates) > 0 {
-			var caCertificates []tenantSecret
-			for i, caCertificate := range tenantReq.TLS.ConsoleCaCertificates {
-				certificateContent, err := base64.StdEncoding.DecodeString(caCertificate)
-				if err != nil {
-					return nil, prepareError(restapi.ErrorGeneric, nil, err)
-				}
-				caCertificates = append(caCertificates, tenantSecret{
-					Name: fmt.Sprintf("console-ca-certificate-%d", i),
-					Content: map[string][]byte{
-						"public.crt": certificateContent,
-					},
-				})
-			}
-			if len(caCertificates) > 0 {
-				certificateSecrets, err := createOrReplaceSecrets(ctx, &k8sClient, ns, caCertificates, tenantName)
-				if err != nil {
-					return nil, prepareError(restapi.ErrorGeneric, nil, err)
-				}
-				minInst.Spec.Console.ExternalCaCertSecret = certificateSecrets
-			}
-		}
+	// If Subnet License is present in k8s secrets, copy that to the MINIO_SUBNET_LICENSE env variable
+	// of the console tenant
+	license, _ := getSubscriptionLicense(ctx, &k8sClient, cluster.Namespace, OperatorSubnetLicenseSecretName)
+	if license != "" {
+		tenantConfigurationENV[MinIOSubnetLicense] = license
 	}

 	// add annotations
@@ -1364,16 +1223,12 @@ func getTenantCreatedResponse(session *models.Principal, params operator_api.Cre
 		minInst.Annotations[prometheusScrape] = "true"
 	}

-	// set console image if provided
-	if tenantReq.ConsoleImage != "" {
-		minInst.Spec.Console.Image = tenantReq.ConsoleImage
-	}
-
 	//Default class name for Log search
 	diskSpaceFromAPI := int64(5) * humanize.GiByte // Default is 5Gi
 	logSearchStorageClass := ""                    // Default is ""
 	logSearchImage := ""
 	logSearchPgImage := ""
+	logSearchPgInitImage := ""

 	if tenantReq.LogSearchConfiguration != nil {
 		if tenantReq.LogSearchConfiguration.StorageSize != nil {
@@ -1382,18 +1237,18 @@ func getTenantCreatedResponse(session *models.Principal, params operator_api.Cre
 		if tenantReq.LogSearchConfiguration.StorageClass != "" {
 			logSearchStorageClass = tenantReq.LogSearchConfiguration.StorageClass
 		}
-
 		if tenantReq.LogSearchConfiguration.StorageClass == "" && len(tenantReq.Pools) > 0 {
 			logSearchStorageClass = tenantReq.Pools[0].VolumeConfiguration.StorageClassName
 		}
-
 		if tenantReq.LogSearchConfiguration.Image != "" {
 			logSearchImage = tenantReq.LogSearchConfiguration.Image
 		}
 		if tenantReq.LogSearchConfiguration.PostgresImage != "" {
 			logSearchPgImage = tenantReq.LogSearchConfiguration.PostgresImage
 		}
-
+		if tenantReq.LogSearchConfiguration.PostgresInitImage != "" {
+			logSearchPgInitImage = tenantReq.LogSearchConfiguration.PostgresInitImage
+		}
 	}

 	logSearchDiskSpace := resource.NewQuantity(diskSpaceFromAPI, resource.DecimalExponent)
@@ -1425,16 +1280,22 @@ func getTenantCreatedResponse(session *models.Principal, params operator_api.Cre
 			},
 		},
 	}
+	// set log search images if any
 	if logSearchImage != "" {
 		minInst.Spec.Log.Image = logSearchImage
 	}
 	if logSearchPgImage != "" {
 		minInst.Spec.Log.Db.Image = logSearchPgImage
 	}
+	if logSearchPgInitImage != "" {
+		minInst.Spec.Log.Db.InitImage = logSearchPgInitImage
+	}

-	prometheusDiskSpace := 5     // Default is 5 by API
-	prometheusStorageClass := "" // Default is ""
-	prometheusImage := ""        // Default is ""
+	prometheusDiskSpace := 5      // Default is 5 by API
+	prometheusStorageClass := ""  // Default is ""
+	prometheusImage := ""         // Default is ""
+	prometheusSidecardImage := "" // Default is ""
+	prometheusInitImage := ""     // Default is ""

 	if tenantReq.PrometheusConfiguration != nil {
 		if tenantReq.PrometheusConfiguration.StorageSize != nil {
@@ -1452,6 +1313,12 @@ func getTenantCreatedResponse(session *models.Principal, params operator_api.Cre
 		if tenantReq.PrometheusConfiguration.Image != "" {
 			prometheusImage = tenantReq.PrometheusConfiguration.Image
 		}
+		if tenantReq.PrometheusConfiguration.SidecarImage != "" {
+			prometheusSidecardImage = tenantReq.PrometheusConfiguration.SidecarImage
+		}
+		if tenantReq.PrometheusConfiguration.InitImage != "" {
+			prometheusInitImage = tenantReq.PrometheusConfiguration.InitImage
+		}
 	}

 	minInst.Spec.Prometheus = &miniov2.PrometheusConfig{
@@ -1461,15 +1328,44 @@ func getTenantCreatedResponse(session *models.Principal, params operator_api.Cre
 	if prometheusImage != "" {
 		minInst.Spec.Prometheus.Image = prometheusImage
 	}
-
-	// expose services
-	if tenantReq.ExposeMinio || tenantReq.ExposeConsole {
-		minInst.Spec.ExposeServices = &miniov2.ExposeServices{
-			MinIO:   tenantReq.ExposeMinio,
-			Console: tenantReq.ExposeConsole,
+	if prometheusSidecardImage != "" {
+		minInst.Spec.Prometheus.SideCarImage = prometheusSidecardImage
+	}
+	if prometheusInitImage != "" {
+		minInst.Spec.Prometheus.InitImage = prometheusInitImage
+	}
+	// if security context for prometheus is present, configure it.
+	if tenantReq.PrometheusConfiguration != nil && tenantReq.PrometheusConfiguration.SecurityContext != nil {
+		sc := tenantReq.PrometheusConfiguration.SecurityContext
+		minInst.Spec.Prometheus.SecurityContext = &corev1.PodSecurityContext{
+			RunAsUser:    sc.RunAsUser,
+			RunAsGroup:   sc.RunAsGroup,
+			RunAsNonRoot: sc.RunAsNonRoot,
+			FSGroup:      sc.FsGroup,
 		}
 	}

+	// expose services
+	minInst.Spec.ExposeServices = &miniov2.ExposeServices{
+		MinIO:   tenantReq.ExposeMinio,
+		Console: tenantReq.ExposeConsole,
+	}
+
+	// write tenant configuration to secret that contains config.env
+	tenantConfigurationName := fmt.Sprintf("%s-env-configuration", tenantName)
+	_, err = createOrReplaceSecrets(ctx, &k8sClient, ns, []tenantSecret{
+		{
+			Name: tenantConfigurationName,
+			Content: map[string][]byte{
+				"config.env": []byte(GenerateTenantConfigurationFile(tenantConfigurationENV)),
+			},
+		},
+	}, tenantName)
+	if err != nil {
+		return nil, prepareError(restapi.ErrorGeneric, nil, err)
+	}
+	minInst.Spec.Configuration = &corev1.LocalObjectReference{Name: tenantConfigurationName}
+
 	opClient, err := cluster.OperatorClient(session.STSSessionToken)
 	if err != nil {
 		return nil, prepareError(err)
@@ -1488,20 +1384,16 @@ func getTenantCreatedResponse(session *models.Principal, params operator_api.Cre
 			return nil, prepareError(err)
 		}
 	}
-	response = &models.CreateTenantResponse{}
-	// Attach Console Credentials
-	if enableConsole {
-		var itemsToReturn []*models.TenantResponseItem
-
-		if len(tenantReq.Idp.Keys) == 0 || keyElementEmpty {
-			itemsToReturn = append(itemsToReturn, &models.TenantResponseItem{AccessKey: tenantUserAccessKey, SecretKey: tenantUserSecretKey})
-		} else { // IDP Keys
-			for _, item := range tenantReq.Idp.Keys {
-				itemsToReturn = append(itemsToReturn, &models.TenantResponseItem{AccessKey: *item.AccessKey, SecretKey: *item.SecretKey})
-			}
+	response = &models.CreateTenantResponse{
+		ExternalIDP: tenantExternalIDPConfigured,
+	}
+	if tenantReq.Idp != nil && !tenantExternalIDPConfigured {
+		for _, credential := range tenantReq.Idp.Keys {
+			response.Console = append(response.Console, &models.TenantResponseItem{
+				AccessKey: *credential.AccessKey,
+				SecretKey: *credential.SecretKey,
+			})
 		}
-
-		response.Console = itemsToReturn
 	}
 	return response, nil
 }
@@ -1585,11 +1477,6 @@ func updateTenantAction(ctx context.Context, operatorClient OperatorClientI, cli
 		}
 	}

-	// update the console image
-	if strings.TrimSpace(params.Body.ConsoleImage) != "" && minInst.Spec.Console != nil {
-		minInst.Spec.Console.Image = params.Body.ConsoleImage
-	}
-
 	// if image to update is empty we'll use the latest image by default
 	if strings.TrimSpace(imageToUpdate) != "" {
 		minInst.Spec.Image = imageToUpdate
@@ -1730,8 +1617,8 @@ func getTenantAddPoolResponse(session *models.Principal, params operator_api.Ten

 // getTenantUsageResponse returns the usage of a tenant
 func getTenantUsageResponse(session *models.Principal, params operator_api.GetTenantUsageParams) (*models.TenantUsage, *models.Error) {
-	// 5 seconds timeout
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	// 30 seconds timeout
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 	defer cancel()

 	opClientClientSet, err := cluster.OperatorClient(session.STSSessionToken)
--- a/operatorapi/operator_tenants_helper.go
+++ b/operatorapi/operator_tenants_helper.go
@@ -63,22 +63,6 @@ func tenantUpdateCertificates(ctx context.Context, operatorClient OperatorClient
 			return err
 		}
 	}
-	// check if Console is deployed with external certs and user provided new Console keypair
-	if tenant.ConsoleExternalCert() && tenant.HasConsoleEnabled() && body.Console != nil {
-		consoleCertSecretName := fmt.Sprintf("%s-console-external-certificates", secretName)
-		// update certificates
-		certificates := []*models.KeyPairConfiguration{body.Console}
-		if _, err := createOrReplaceExternalCertSecrets(ctx, clientSet, namespace, certificates, consoleCertSecretName, tenantName); err != nil {
-			return err
-		}
-		// restart Console pods
-		err := clientSet.deletePodCollection(ctx, namespace, metav1.DeleteOptions{}, metav1.ListOptions{
-			LabelSelector: fmt.Sprintf("%s=%s", miniov2.ConsoleTenantLabel, fmt.Sprintf("%s-console", tenantName)),
-		})
-		if err != nil {
-			return err
-		}
-	}
 	return nil
 }

@@ -251,7 +235,6 @@ func createOrReplaceSecrets(ctx context.Context, clientSet K8sClientI, ns string
 				// log the error if any and continue
 				LogError("deleting secret name %s failed: %v, continuing..", secret.Name, err)
 			}
-			imm := true
 			k8sSecret := &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: secret.Name,
@@ -259,9 +242,8 @@ func createOrReplaceSecrets(ctx context.Context, clientSet K8sClientI, ns string
 						miniov2.TenantLabel: tenantName,
 					},
 				},
-				Type:      corev1.SecretTypeOpaque,
-				Immutable: &imm,
-				Data:      secret.Content,
+				Type: corev1.SecretTypeOpaque,
+				Data: secret.Content,
 			}
 			_, err = clientSet.createSecret(ctx, ns, k8sSecret, metav1.CreateOptions{})
 			if err != nil {
@@ -516,6 +498,21 @@ func createOrReplaceKesConfigurationSecrets(ctx context.Context, clientSet K8sCl
 				}
 			}
 		}
+	} else if encryptionCfg.Azure != nil {
+		// Initialize Azure
+		kesConfig.Keys.Azure = &kes.Azure{
+			KeyVault: &kes.AzureKeyVault{},
+		}
+		if encryptionCfg.Azure.Keyvault != nil {
+			kesConfig.Keys.Azure.KeyVault.Endpoint = *encryptionCfg.Azure.Keyvault.Endpoint
+			if encryptionCfg.Azure.Keyvault.Credentials != nil {
+				kesConfig.Keys.Azure.KeyVault.Credentials = &kes.AzureCredentials{
+					TenantID:     *encryptionCfg.Azure.Keyvault.Credentials.TenantID,
+					ClientID:     *encryptionCfg.Azure.Keyvault.Credentials.ClientID,
+					ClientSecret: *encryptionCfg.Azure.Keyvault.Credentials.ClientSecret,
+				}
+			}
+		}
 	}
 	imm := true
 	// if mTLSCertificates contains elements we create the kubernetes secret
--- a/operatorapi/operator_tenants_helper_test.go
+++ b/operatorapi/operator_tenants_helper_test.go
@@ -33,6 +33,7 @@ import (
 var DeletePodCollectionMock func(ctx context.Context, namespace string, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error
 var DeleteSecretMock func(ctx context.Context, namespace string, name string, opts metav1.DeleteOptions) error
 var CreateSecretMock func(ctx context.Context, namespace string, secret *v1.Secret, opts metav1.CreateOptions) (*v1.Secret, error)
+var UpdateSecretMock func(ctx context.Context, namespace string, secret *v1.Secret, opts metav1.UpdateOptions) (*v1.Secret, error)

 func (c k8sClientMock) deletePodCollection(ctx context.Context, namespace string, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error {
 	return DeletePodCollectionMock(ctx, namespace, opts, listOpts)
@@ -46,6 +47,10 @@ func (c k8sClientMock) createSecret(ctx context.Context, namespace string, secre
 	return CreateSecretMock(ctx, namespace, secret, opts)
 }

+func (c k8sClientMock) updateSecret(ctx context.Context, namespace string, secret *v1.Secret, opts metav1.UpdateOptions) (*v1.Secret, error) {
+	return UpdateSecretMock(ctx, namespace, secret, opts)
+}
+
 func Test_tenantUpdateCertificates(t *testing.T) {
 	k8sClient := k8sClientMock{}
 	opClient := opClientMock{}
@@ -228,70 +233,6 @@ func Test_tenantUpdateCertificates(t *testing.T) {
 			},
 			wantErr: true,
 		},
-		{
-			name: "error replacing external certs for console because of missing keypair",
-			args: args{
-				ctx:       context.Background(),
-				opClient:  opClient,
-				clientSet: k8sClient,
-				namespace: "",
-				params: operator_api.TenantUpdateCertificateParams{
-					Body: &models.TLSConfiguration{
-						Console: &models.KeyPairConfiguration{},
-					},
-				},
-				mockTenantGet: func(ctx context.Context, namespace string, tenantName string, options metav1.GetOptions) (*miniov2.Tenant, error) {
-					return &miniov2.Tenant{
-						Spec: miniov2.TenantSpec{
-							Console: &miniov2.ConsoleConfiguration{
-								ExternalCertSecret: &miniov2.LocalCertificateReference{
-									Name: "secret",
-								},
-							},
-						},
-					}, nil
-				},
-			},
-			wantErr: true,
-		},
-		{
-			name: "certificates replaced but error during deleting existing tenant pods",
-			args: args{
-				ctx:       context.Background(),
-				opClient:  opClient,
-				clientSet: k8sClient,
-				namespace: "",
-				params: operator_api.TenantUpdateCertificateParams{
-					Body: &models.TLSConfiguration{
-						Console: &models.KeyPairConfiguration{
-							Crt: &crt,
-							Key: &key,
-						},
-					},
-				},
-				mockTenantGet: func(ctx context.Context, namespace string, tenantName string, options metav1.GetOptions) (*miniov2.Tenant, error) {
-					return &miniov2.Tenant{
-						Spec: miniov2.TenantSpec{
-							Console: &miniov2.ConsoleConfiguration{
-								ExternalCertSecret: &miniov2.LocalCertificateReference{
-									Name: "secret",
-								},
-							},
-						},
-					}, nil
-				},
-				mockDeleteSecret: func(ctx context.Context, namespace string, name string, opts metav1.DeleteOptions) error {
-					return nil
-				},
-				mockCreateSecret: func(ctx context.Context, namespace string, secret *v1.Secret, opts metav1.CreateOptions) (*v1.Secret, error) {
-					return &v1.Secret{}, nil
-				},
-				mockDeletePodCollection: func(ctx context.Context, namespace string, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error {
-					return errors.New("error deleting console pods")
-				},
-			},
-			wantErr: true,
-		},
 	}
 	for _, tt := range tests {
 		opClientTenantGetMock = tt.args.mockTenantGet
--- a/operatorapi/operator_tenants_test.go
+++ b/operatorapi/operator_tenants_test.go
@@ -468,9 +468,6 @@ func Test_TenantInfo(t *testing.T) {
 					Spec: miniov2.TenantSpec{
 						Pools: []miniov2.Pool{},
 						Image: "minio/minio:RELEASE.2020-06-14T18-32-17Z",
-						Console: &miniov2.ConsoleConfiguration{
-							Image: "minio/console:master",
-						},
 					},
 					Status: miniov2.TenantStatus{
 						CurrentState: "ready",
@@ -484,7 +481,6 @@ func Test_TenantInfo(t *testing.T) {
 				Namespace:        "minio-ns",
 				Image:            "minio/minio:RELEASE.2020-06-14T18-32-17Z",
 				EnablePrometheus: false,
-				ConsoleImage:     "minio/console:master",
 			},
 		},
 	}
@@ -505,8 +501,7 @@ func Test_deleteTenantAction(t *testing.T) {
 	type args struct {
 		ctx              context.Context
 		operatorClient   OperatorClientI
-		nameSpace        string
-		tenantName       string
+		tenant           *miniov2.Tenant
 		deletePvcs       bool
 		objs             []runtime.Object
 		mockTenantDelete func(ctx context.Context, namespace string, tenantName string, options metav1.DeleteOptions) error
@@ -521,9 +516,13 @@ func Test_deleteTenantAction(t *testing.T) {
 			args: args{
 				ctx:            context.Background(),
 				operatorClient: opClient,
-				nameSpace:      "default",
-				tenantName:     "minio-tenant",
-				deletePvcs:     false,
+				tenant: &miniov2.Tenant{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "default",
+						Namespace: "minio-tenant",
+					},
+				},
+				deletePvcs: false,
 				mockTenantDelete: func(ctx context.Context, namespace string, tenantName string, options metav1.DeleteOptions) error {
 					return nil
 				},
@@ -535,9 +534,13 @@ func Test_deleteTenantAction(t *testing.T) {
 			args: args{
 				ctx:            context.Background(),
 				operatorClient: opClient,
-				nameSpace:      "default",
-				tenantName:     "minio-tenant",
-				deletePvcs:     false,
+				tenant: &miniov2.Tenant{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "default",
+						Namespace: "minio-tenant",
+					},
+				},
+				deletePvcs: false,
 				mockTenantDelete: func(ctx context.Context, namespace string, tenantName string, options metav1.DeleteOptions) error {
 					return errors.New("something happened")
 				},
@@ -550,9 +553,13 @@ func Test_deleteTenantAction(t *testing.T) {
 			args: args{
 				ctx:            context.Background(),
 				operatorClient: opClient,
-				nameSpace:      "minio-tenant",
-				tenantName:     "tenant1",
-				deletePvcs:     true,
+				tenant: &miniov2.Tenant{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "tenant1",
+						Namespace: "minio-tenant",
+					},
+				},
+				deletePvcs: true,
 				objs: []runtime.Object{
 					&corev1.PersistentVolumeClaim{
 						ObjectMeta: metav1.ObjectMeta{
@@ -577,9 +584,13 @@ func Test_deleteTenantAction(t *testing.T) {
 			args: args{
 				ctx:            context.Background(),
 				operatorClient: opClient,
-				nameSpace:      "minio-tenant",
-				tenantName:     "tenant1",
-				deletePvcs:     false,
+				tenant: &miniov2.Tenant{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "tenant1",
+						Namespace: "minio-tenant",
+					},
+				},
+				deletePvcs: false,
 				objs: []runtime.Object{
 					&corev1.PersistentVolumeClaim{
 						ObjectMeta: metav1.ObjectMeta{
@@ -604,9 +615,13 @@ func Test_deleteTenantAction(t *testing.T) {
 			args: args{
 				ctx:            context.Background(),
 				operatorClient: opClient,
-				nameSpace:      "minio-tenant",
-				tenantName:     "tenant1",
-				deletePvcs:     true,
+				tenant: &miniov2.Tenant{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "tenant1",
+						Namespace: "minio-tenant",
+					},
+				},
+				deletePvcs: true,
 				objs: []runtime.Object{
 					&corev1.PersistentVolumeClaim{
 						ObjectMeta: metav1.ObjectMeta{
@@ -631,9 +646,13 @@ func Test_deleteTenantAction(t *testing.T) {
 			args: args{
 				ctx:            context.Background(),
 				operatorClient: opClient,
-				nameSpace:      "minio-tenant",
-				tenantName:     "tenant1",
-				deletePvcs:     true,
+				tenant: &miniov2.Tenant{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "tenant1",
+						Namespace: "minio-tenant",
+					},
+				},
+				deletePvcs: true,
 				objs: []runtime.Object{
 					&corev1.PersistentVolumeClaim{
 						ObjectMeta: metav1.ObjectMeta{
@@ -659,9 +678,13 @@ func Test_deleteTenantAction(t *testing.T) {
 			args: args{
 				ctx:            context.Background(),
 				operatorClient: opClient,
-				nameSpace:      "minio-tenant",
-				tenantName:     "tenant1",
-				deletePvcs:     false,
+				tenant: &miniov2.Tenant{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "tenant1",
+						Namespace: "minio-tenant",
+					},
+				},
+				deletePvcs: false,
 				objs: []runtime.Object{
 					&corev1.PersistentVolumeClaim{
 						ObjectMeta: metav1.ObjectMeta{
@@ -685,7 +708,7 @@ func Test_deleteTenantAction(t *testing.T) {
 		opClientTenantDeleteMock = tt.args.mockTenantDelete
 		kubeClient := fake.NewSimpleClientset(tt.args.objs...)
 		t.Run(tt.name, func(t *testing.T) {
-			if err := deleteTenantAction(tt.args.ctx, tt.args.operatorClient, kubeClient.CoreV1(), tt.args.nameSpace, tt.args.tenantName, tt.args.deletePvcs); (err != nil) != tt.wantErr {
+			if err := deleteTenantAction(tt.args.ctx, tt.args.operatorClient, kubeClient.CoreV1(), tt.args.tenant, tt.args.deletePvcs); (err != nil) != tt.wantErr {
 				t.Errorf("deleteTenantAction() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})
@@ -1017,31 +1040,6 @@ func Test_UpdateTenantAction(t *testing.T) {
 			},
 			wantErr: false,
 		},
-		{
-			name: "Update minio console version no errors",
-			args: args{
-				ctx:            context.Background(),
-				operatorClient: opClient,
-				httpCl:         httpClientM,
-				nameSpace:      "default",
-				tenantName:     "minio-tenant",
-				mockTenantPatch: func(ctx context.Context, namespace string, tenantName string, pt types.PatchType, data []byte, options metav1.PatchOptions) (*miniov2.Tenant, error) {
-					return &miniov2.Tenant{}, nil
-				},
-				mockTenantGet: func(ctx context.Context, namespace string, tenantName string, options metav1.GetOptions) (*miniov2.Tenant, error) {
-					return &miniov2.Tenant{}, nil
-				},
-				mockHTTPClientGet: func(url string) (resp *http.Response, err error) {
-					return nil, errors.New("use default minio")
-				},
-				params: operator_api.UpdateTenantParams{
-					Body: &models.UpdateTenantRequest{
-						ConsoleImage: "minio/console:v0.8.0",
-					},
-				},
-			},
-			wantErr: false,
-		},
 		{
 			name: "Update minio image pull secrets no errors",
 			args: args{
--- a/operatorapi/operator_volumes.go
+++ b/operatorapi/operator_volumes.go
@@ -18,6 +18,7 @@ package operatorapi

 import (
 	"context"
+	"fmt"

 	miniov1 "github.com/minio/operator/pkg/apis/minio.min.io/v1"

@@ -39,6 +40,16 @@ func registerVolumesHandlers(api *operations.OperatorAPI) {

 		return operator_api.NewListPVCsOK().WithPayload(payload)
 	})
+
+	api.OperatorAPIListPVCsForTenantHandler = operator_api.ListPVCsForTenantHandlerFunc(func(params operator_api.ListPVCsForTenantParams, session *models.Principal) middleware.Responder {
+		payload, err := getPVCsForTenantResponse(session, params)
+
+		if err != nil {
+			return operator_api.NewListPVCsForTenantDefault(int(err.Code)).WithPayload(err)
+		}
+
+		return operator_api.NewListPVCsForTenantOK().WithPayload(payload)
+	})
 }

 func getPVCsResponse(session *models.Principal) (*models.ListPVCsResponse, *models.Error) {
@@ -83,3 +94,46 @@ func getPVCsResponse(session *models.Principal) (*models.ListPVCsResponse, *mode

 	return &PVCsResponse, nil
 }
+
+func getPVCsForTenantResponse(session *models.Principal, params operator_api.ListPVCsForTenantParams) (*models.ListPVCsResponse, *models.Error) {
+	ctx := context.Background()
+	clientset, err := cluster.K8sClient(session.STSSessionToken)
+
+	if err != nil {
+		return nil, prepareError(err)
+	}
+
+	// Filter Tenant PVCs. They keep their v1 tenant annotation
+	listOpts := metav1.ListOptions{
+		LabelSelector: fmt.Sprintf("v1.min.io/tenant=%s", params.Tenant),
+	}
+
+	// List all PVCs
+	listAllPvcs, err2 := clientset.CoreV1().PersistentVolumeClaims(params.Namespace).List(ctx, listOpts)
+
+	if err2 != nil {
+		return nil, prepareError(err2)
+	}
+
+	var ListPVCs []*models.PvcsListResponse
+
+	for _, pvc := range listAllPvcs.Items {
+		pvcResponse := models.PvcsListResponse{
+			Name:         pvc.Name,
+			Age:          pvc.CreationTimestamp.String(),
+			Capacity:     pvc.Status.Capacity.Storage().String(),
+			Namespace:    pvc.Namespace,
+			Status:       string(pvc.Status.Phase),
+			StorageClass: *pvc.Spec.StorageClassName,
+			Volume:       pvc.Spec.VolumeName,
+			Tenant:       pvc.Labels["v1.min.io/tenant"],
+		}
+		ListPVCs = append(ListPVCs, &pvcResponse)
+	}
+
+	PVCsResponse := models.ListPVCsResponse{
+		Pvcs: ListPVCs,
+	}
+
+	return &PVCsResponse, nil
+}
--- a/operatorapi/proxy.go
+++ b/operatorapi/proxy.go
@@ -21,6 +21,7 @@ import (
 	"crypto/sha1"
 	"crypto/tls"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"log"
@@ -85,11 +86,12 @@ func serveProxy(responseWriter http.ResponseWriter, req *http.Request) {
 	nsTenant := fmt.Sprintf("%s/%s", tenant.Namespace, tenant.Name)

 	tenantSchema := "http"
-	tenantPort := ":9090"
-	if tenant.AutoCert() || tenant.ConsoleExternalCert() {
+	tenantPort := fmt.Sprintf(":%d", v2.ConsolePort)
+	if tenant.AutoCert() || tenant.ExternalCert() {
 		tenantSchema = "https"
-		tenantPort = ":9443"
+		tenantPort = fmt.Sprintf(":%d", v2.ConsoleTLSPort)
 	}
+
 	tenantURL := fmt.Sprintf("%s://%s.%s.svc.%s%s", tenantSchema, tenant.ConsoleCIServiceName(), tenant.Namespace, v2.GetClusterDomain(), tenantPort)
 	// for development
 	//tenantURL = "http://localhost:9091"
@@ -111,7 +113,10 @@ func serveProxy(responseWriter http.ResponseWriter, req *http.Request) {
 			return
 		}

-		currentSecret, err := clientSet.CoreV1().Secrets(tenant.Namespace).Get(req.Context(), tenant.Spec.CredsSecret.Name, metav1.GetOptions{})
+		k8sClient := k8sClient{
+			client: clientSet,
+		}
+		tenantConfiguration, err := GetTenantConfiguration(req.Context(), &k8sClient, tenant)
 		if err != nil {
 			log.Println(err)
 			responseWriter.WriteHeader(500)
@@ -119,8 +124,8 @@ func serveProxy(responseWriter http.ResponseWriter, req *http.Request) {
 		}

 		data := map[string]string{
-			"accessKey": string(currentSecret.Data["accesskey"]),
-			"secretKey": string(currentSecret.Data["secretkey"]),
+			"accessKey": string(tenantConfiguration["accesskey"]),
+			"secretKey": string(tenantConfiguration["secretkey"]),
 		}
 		payload, _ := json.Marshal(data)

@@ -132,7 +137,7 @@ func serveProxy(responseWriter http.ResponseWriter, req *http.Request) {
 		}
 		loginReq.Header.Add("Content-Type", "application/json")

-		// FIXME: in the future we should use restapi.GetConsoleSTSClient()
+		// FIXME: in the future we should use restapi.GetConsoleHTTPClient()
 		tr := &http.Transport{
 			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 		}
@@ -145,6 +150,12 @@ func serveProxy(responseWriter http.ResponseWriter, req *http.Request) {
 			return
 		}

+		if loginResp.StatusCode < 200 && loginResp.StatusCode <= 299 {
+			log.Println(fmt.Printf("Status: %d. Couldn't complete login", loginResp.StatusCode))
+			responseWriter.WriteHeader(500)
+			return
+		}
+
 		for _, c := range loginResp.Cookies() {
 			if c.Name == "token" {
 				tenantCookie = c
@@ -162,6 +173,11 @@ func serveProxy(responseWriter http.ResponseWriter, req *http.Request) {
 		}
 		defer loginResp.Body.Close()
 	}
+	if tenantCookie == nil {
+		log.Println(errors.New("couldn't login to tenant and get cookie"))
+		responseWriter.WriteHeader(500)
+		return
+	}

 	targetURL, err := url2.Parse(tenantURL)
 	if err != nil {
@@ -183,7 +199,7 @@ func serveProxy(responseWriter http.ResponseWriter, req *http.Request) {
 	proxyCookieJar.SetCookies(targetURL, []*http.Cookie{proxiedCookie})

 	tr := &http.Transport{
-		// FIXME: use restapi.GetConsoleSTSClient()
+		// FIXME: use restapi.GetConsoleHTTPClient()
 		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 	}
 	client := &http.Client{Transport: tr,
@@ -191,7 +207,8 @@ func serveProxy(responseWriter http.ResponseWriter, req *http.Request) {
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
 			return http.ErrUseLastResponse
 		}}
-
+	// copy query params
+	targetURL.RawQuery = req.URL.Query().Encode()
 	proxRequest, err := http.NewRequest(req.Method, targetURL.String(), req.Body)
 	if err != nil {
 		log.Println(err)
--- a/operatorapi/utils.go
+++ b/operatorapi/utils.go
@@ -0,0 +1,65 @@
+// This file is part of MinIO Console Server
+// Copyright (c) 2021 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package operatorapi
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	miniov2 "github.com/minio/operator/pkg/apis/minio.min.io/v2"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func GetTenantConfiguration(ctx context.Context, clientSet K8sClientI, tenant *miniov2.Tenant) (map[string]string, error) {
+	if tenant == nil {
+		return nil, errors.New("tenant cannot be nil")
+	}
+	tenantConfiguration := map[string]string{}
+	for _, config := range tenant.GetEnvVars() {
+		tenantConfiguration[config.Name] = config.Value
+	}
+	// legacy support for tenants with tenant.spec.credsSecret
+	if tenant.HasCredsSecret() {
+		minioSecret, err := clientSet.getSecret(ctx, tenant.Namespace, tenant.Spec.CredsSecret.Name, metav1.GetOptions{})
+		if err != nil {
+			return nil, err
+		}
+		configFromCredsSecret := minioSecret.Data
+		for key, val := range configFromCredsSecret {
+			tenantConfiguration[key] = string(val)
+		}
+	}
+	if tenant.HasConfigurationSecret() {
+		minioConfigurationSecret, err := clientSet.getSecret(ctx, tenant.Namespace, tenant.Spec.Configuration.Name, metav1.GetOptions{})
+		if err == nil {
+			configFromFile := miniov2.ParseRawConfiguration(minioConfigurationSecret.Data["config.env"])
+			for key, val := range configFromFile {
+				tenantConfiguration[key] = string(val)
+			}
+		}
+	}
+	return tenantConfiguration, nil
+}
+
+func GenerateTenantConfigurationFile(configuration map[string]string) string {
+	var rawConfiguration string
+	for key, val := range configuration {
+		rawConfiguration += fmt.Sprintf("export %s=\"%s\"\n", key, val)
+	}
+	return rawConfiguration
+}
--- a/pkg/acl/endpoints.go
+++ b/pkg/acl/endpoints.go
@@ -22,50 +22,49 @@ import (

 // endpoints definition
 var (
-	configuration               = "/settings"
-	users                       = "/users"
-	usersDetail                 = "/users/:userName+"
-	groups                      = "/groups"
-	iamPolicies                 = "/policies"
-	policiesDetail              = "/policies/:policyName"
-	dashboard                   = "/dashboard"
-	metrics                     = "/metrics"
-	profiling                   = "/profiling"
-	buckets                     = "/buckets"
-	bucketsDetail               = "/buckets/:bucketName"
-	bucketsDetailSummary        = "/buckets/:bucketName/summary"
-	bucketsDetailEvents         = "/buckets/:bucketName/events"
-	bucketsDetailReplication    = "/buckets/:bucketName/replication"
-	bucketsDetailLifecycle      = "/buckets/:bucketName/lifecycle"
-	bucketsDetailAccess         = "/buckets/:bucketName/access"
-	bucketsDetailAccessPolicies = "/buckets/:bucketName/access/policies"
-	bucketsDetailAccessUsers    = "/buckets/:bucketName/access/users"
-	serviceAccounts             = "/account"
-	changePassword              = "/account/change-password"
-	tenants                     = "/tenants"
-	tenantsDetail               = "/namespaces/:tenantNamespace/tenants/:tenantName"
-	tenantHop                   = "/namespaces/:tenantNamespace/tenants/:tenantName/hop"
-	podsDetail                  = "/namespaces/:tenantNamespace/tenants/:tenantName/pods/:podName"
-	tenantsDetailSummary        = "/namespaces/:tenantNamespace/tenants/:tenantName/summary"
-	tenantsDetailMetrics        = "/namespaces/:tenantNamespace/tenants/:tenantName/metrics"
-	tenantsDetailPods           = "/namespaces/:tenantNamespace/tenants/:tenantName/pods"
-	tenantsDetailPools          = "/namespaces/:tenantNamespace/tenants/:tenantName/pools"
-	tenantsDetailLicense        = "/namespaces/:tenantNamespace/tenants/:tenantName/license"
-	tenantsDetailSecurity       = "/namespaces/:tenantNamespace/tenants/:tenantName/security"
-	storage                     = "/storage"
-	storageVolumes              = "/storage/volumes"
-	storageDrives               = "/storage/drives"
-	remoteBuckets               = "/remote-buckets"
-	replication                 = "/replication"
-	objectBrowser               = "/object-browser/:bucket/*"
-	objectBrowserBucket         = "/object-browser/:bucket"
-	mainObjectBrowser           = "/object-browser"
-	license                     = "/license"
-	watch                       = "/watch"
-	heal                        = "/heal"
-	trace                       = "/trace"
-	logs                        = "/logs"
-	healthInfo                  = "/health-info"
+	configuration         = "/settings"
+	users                 = "/users"
+	usersDetail           = "/users/:userName+"
+	groups                = "/groups"
+	iamPolicies           = "/policies"
+	policiesDetail        = "/policies/*"
+	dashboard             = "/dashboard"
+	metrics               = "/metrics"
+	profiling             = "/profiling"
+	buckets               = "/buckets"
+	bucketsGeneral        = "/buckets/*"
+	bucketsAdmin          = "/buckets/:bucketName/admin/*"
+	bucketsAdminMain      = "/buckets/:bucketName/admin"
+	bucketsBrowserMenu    = "/buckets"
+	bucketsBrowserList    = "/buckets/*"
+	bucketsBrowser        = "/buckets/:bucketName/browse/*"
+	bucketsBrowserMain    = "/buckets/:bucketName/browse"
+	serviceAccounts       = "/account"
+	changePassword        = "/account/change-password"
+	tenants               = "/tenants"
+	tenantsAdd            = "/tenants/add"
+	tenantsAddSub         = "/tenants/add/*"
+	tenantsDetail         = "/namespaces/:tenantNamespace/tenants/:tenantName"
+	tenantHop             = "/namespaces/:tenantNamespace/tenants/:tenantName/hop"
+	podsDetail            = "/namespaces/:tenantNamespace/tenants/:tenantName/pods/:podName"
+	tenantsDetailSummary  = "/namespaces/:tenantNamespace/tenants/:tenantName/summary"
+	tenantsDetailMetrics  = "/namespaces/:tenantNamespace/tenants/:tenantName/metrics"
+	tenantsDetailPods     = "/namespaces/:tenantNamespace/tenants/:tenantName/pods"
+	tenantsDetailPools    = "/namespaces/:tenantNamespace/tenants/:tenantName/pools"
+	tenantsDetailVolumes  = "/namespaces/:tenantNamespace/tenants/:tenantName/volumes"
+	tenantsDetailLicense  = "/namespaces/:tenantNamespace/tenants/:tenantName/license"
+	tenantsDetailSecurity = "/namespaces/:tenantNamespace/tenants/:tenantName/security"
+	storage               = "/storage"
+	storageVolumes        = "/storage/volumes"
+	storageDrives         = "/storage/drives"
+	remoteBuckets         = "/remote-buckets"
+	replication           = "/replication"
+	license               = "/license"
+	watch                 = "/watch"
+	heal                  = "/heal"
+	trace                 = "/trace"
+	logs                  = "/logs"
+	healthInfo            = "/health-info"
 )

 type ConfigurationActionSet struct {
@@ -288,48 +287,47 @@ var displayRules = map[string]func() bool{

 // endpointRules contains the mapping between endpoints and ActionSets, additional rules can be added here
 var endpointRules = map[string]ConfigurationActionSet{
-	configuration:               configurationActionSet,
-	users:                       usersActionSet,
-	usersDetail:                 usersActionSet,
-	groups:                      groupsActionSet,
-	iamPolicies:                 iamPoliciesActionSet,
-	policiesDetail:              iamPoliciesActionSet,
-	dashboard:                   dashboardActionSet,
-	metrics:                     dashboardActionSet,
-	profiling:                   profilingActionSet,
-	buckets:                     bucketsActionSet,
-	bucketsDetail:               bucketsActionSet,
-	bucketsDetailSummary:        bucketsActionSet,
-	bucketsDetailEvents:         bucketsActionSet,
-	bucketsDetailReplication:    bucketsActionSet,
-	bucketsDetailLifecycle:      bucketsActionSet,
-	bucketsDetailAccess:         bucketsActionSet,
-	bucketsDetailAccessPolicies: bucketsActionSet,
-	bucketsDetailAccessUsers:    bucketsActionSet,
-	serviceAccounts:             serviceAccountsActionSet,
-	changePassword:              changePasswordActionSet,
-	remoteBuckets:               remoteBucketsActionSet,
-	replication:                 replicationActionSet,
-	objectBrowser:               objectBrowserActionSet,
-	mainObjectBrowser:           objectBrowserActionSet,
-	objectBrowserBucket:         objectBrowserActionSet,
-	license:                     licenseActionSet,
-	watch:                       watchActionSet,
-	heal:                        healActionSet,
-	trace:                       traceActionSet,
-	logs:                        logsActionSet,
-	healthInfo:                  healthInfoActionSet,
+	configuration:      configurationActionSet,
+	users:              usersActionSet,
+	usersDetail:        usersActionSet,
+	groups:             groupsActionSet,
+	iamPolicies:        iamPoliciesActionSet,
+	policiesDetail:     iamPoliciesActionSet,
+	dashboard:          dashboardActionSet,
+	metrics:            dashboardActionSet,
+	profiling:          profilingActionSet,
+	buckets:            bucketsActionSet,
+	bucketsGeneral:     bucketsActionSet,
+	bucketsAdmin:       bucketsActionSet,
+	bucketsAdminMain:   bucketsActionSet,
+	serviceAccounts:    serviceAccountsActionSet,
+	changePassword:     changePasswordActionSet,
+	remoteBuckets:      remoteBucketsActionSet,
+	replication:        replicationActionSet,
+	bucketsBrowser:     objectBrowserActionSet,
+	bucketsBrowserMenu: objectBrowserActionSet,
+	bucketsBrowserList: objectBrowserActionSet,
+	bucketsBrowserMain: objectBrowserActionSet,
+	license:            licenseActionSet,
+	watch:              watchActionSet,
+	heal:               healActionSet,
+	trace:              traceActionSet,
+	logs:               logsActionSet,
+	healthInfo:         healthInfoActionSet,
 }

 // operatorRules contains the mapping between endpoints and ActionSets for operator only mode
 var operatorRules = map[string]ConfigurationActionSet{
 	tenants:               tenantsActionSet,
+	tenantsAdd:            tenantsActionSet,
+	tenantsAddSub:         tenantsActionSet,
 	tenantsDetail:         tenantsActionSet,
 	tenantHop:             tenantsActionSet,
 	tenantsDetailSummary:  tenantsActionSet,
 	tenantsDetailMetrics:  tenantsActionSet,
 	tenantsDetailPods:     tenantsActionSet,
 	tenantsDetailPools:    tenantsActionSet,
+	tenantsDetailVolumes:  tenantsActionSet,
 	tenantsDetailLicense:  tenantsActionSet,
 	tenantsDetailSecurity: tenantsActionSet,
 	podsDetail:            tenantsActionSet,
--- a/pkg/acl/endpoints_test.go
+++ b/pkg/acl/endpoints_test.go
@@ -19,8 +19,6 @@ package acl
 import (
 	"reflect"
 	"testing"
-
-	iampolicy "github.com/minio/pkg/iam/policy"
 )

 type args struct {
@@ -50,7 +48,7 @@ func TestGetAuthorizedEndpoints(t *testing.T) {
 			args: args{
 				[]string{"admin:ServerInfo"},
 			},
-			want: 8,
+			want: 9,
 		},
 		{
 			name: "policies endpoint",
@@ -63,7 +61,7 @@ func TestGetAuthorizedEndpoints(t *testing.T) {
 					"admin:ListUserPolicies",
 				},
 			},
-			want: 8,
+			want: 9,
 		},
 		{
 			name: "all admin endpoints",
@@ -72,7 +70,7 @@ func TestGetAuthorizedEndpoints(t *testing.T) {
 					"admin:*",
 				},
 			},
-			want: 22,
+			want: 23,
 		},
 		{
 			name: "all s3 endpoints",
@@ -81,7 +79,7 @@ func TestGetAuthorizedEndpoints(t *testing.T) {
 					"s3:*",
 				},
 			},
-			want: 15,
+			want: 9,
 		},
 		{
 			name: "all admin and s3 endpoints",
@@ -91,14 +89,14 @@ func TestGetAuthorizedEndpoints(t *testing.T) {
 					"s3:*",
 				},
 			},
-			want: 31,
+			want: 25,
 		},
 		{
 			name: "Console User - default endpoints",
 			args: args{
 				[]string{},
 			},
-			want: 6,
+			want: 7,
 		},
 	}

@@ -111,80 +109,10 @@ func TestOperatorOnlyEndpoints(t *testing.T) {
 	tests := []endpoint{
 		{
 			name: "Operator Only - all admin endpoints",
-			args: args{
-				[]string{
-					"admin:*",
-				},
-			},
-			want: 14,
-		},
-		{
-			name: "Operator Only - all s3 endpoints",
-			args: args{
-				[]string{
-					"s3:*",
-				},
-			},
-			want: 14,
-		},
-		{
-			name: "Operator Only - all admin and s3 endpoints",
-			args: args{
-				[]string{
-					"admin:*",
-					"s3:*",
-				},
-			},
-			want: 14,
-		},
-		{
-			name: "Operator Only - default endpoints",
-			args: args{
-				[]string{},
-			},
-			want: 14,
+			args: args{},
+			want: 17,
 		},
 	}

 	validateEndpoints(t, tests)
 }
-
-func TestGetActionsStringFromPolicy(t *testing.T) {
-	type args struct {
-		policy *iampolicy.Policy
-	}
-	tests := []struct {
-		name string
-		args args
-		want int
-	}{
-		{
-			name: "parse ReadOnly policy",
-			args: args{
-				policy: &iampolicy.ReadOnly,
-			},
-			want: 2,
-		},
-		{
-			name: "parse WriteOnly policy",
-			args: args{
-				policy: &iampolicy.WriteOnly,
-			},
-			want: 1,
-		},
-		{
-			name: "parse AdminDiagnostics policy",
-			args: args{
-				policy: &iampolicy.AdminDiagnostics,
-			},
-			want: 8,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := GetActionsStringFromPolicy(tt.args.policy); !reflect.DeepEqual(len(got), tt.want) {
-				t.Errorf("GetActionsStringFromPolicy() = %v, want %v", len(got), tt.want)
-			}
-		})
-	}
-}
--- a/pkg/auth/idp/oauth2/config.go
+++ b/pkg/auth/idp/oauth2/config.go
@@ -29,49 +29,53 @@ func GetSTSEndpoint() string {
 	return strings.TrimSpace(env.Get(ConsoleMinIOServer, "http://localhost:9000"))
 }

-func GetIdpURL() string {
-	return env.Get(ConsoleIdpURL, "")
+func GetIDPURL() string {
+	return env.Get(ConsoleIDPURL, "")
 }

-func GetIdpClientID() string {
-	return env.Get(ConsoleIdpClientID, "")
+func GetIDPClientID() string {
+	return env.Get(ConsoleIDPClientID, "")
 }

-func GetIdpSecret() string {
-	return env.Get(ConsoleIdpSecret, "")
+func GetIDPUserInfo() bool {
+	return env.Get(ConsoleIDPUserInfo, "") == "on"
+}
+
+func GetIDPSecret() string {
+	return env.Get(ConsoleIDPSecret, "")
 }

 // Public endpoint used by the identity oidcProvider when redirecting the user after identity verification
-func GetIdpCallbackURL() string {
-	return env.Get(ConsoleIdpCallbackURL, "")
+func GetIDPCallbackURL() string {
+	return env.Get(ConsoleIDPCallbackURL, "")
 }

-func IsIdpEnabled() bool {
-	return GetIdpURL() != "" &&
-		GetIdpClientID() != "" &&
-		GetIdpCallbackURL() != ""
+func IsIDPEnabled() bool {
+	return GetIDPURL() != "" &&
+		GetIDPClientID() != "" &&
+		GetIDPCallbackURL() != ""
 }

-var defaultPassphraseForIdpHmac = utils.RandomCharString(64)
+var defaultPassphraseForIDPHmac = utils.RandomCharString(64)

-// GetPassphraseForIdpHmac returns passphrase for the pbkdf2 function used to sign the oauth2 state parameter
-func getPassphraseForIdpHmac() string {
-	return env.Get(ConsoleIdpHmacPassphrase, defaultPassphraseForIdpHmac)
+// GetPassphraseForIDPHmac returns passphrase for the pbkdf2 function used to sign the oauth2 state parameter
+func getPassphraseForIDPHmac() string {
+	return env.Get(ConsoleIDPHmacPassphrase, defaultPassphraseForIDPHmac)
 }

-var defaultSaltForIdpHmac = utils.RandomCharString(64)
+var defaultSaltForIDPHmac = utils.RandomCharString(64)

-// GetSaltForIdpHmac returns salt for the pbkdf2 function used to sign the oauth2 state parameter
-func getSaltForIdpHmac() string {
-	return env.Get(ConsoleIdpHmacSalt, defaultSaltForIdpHmac)
+// GetSaltForIDPHmac returns salt for the pbkdf2 function used to sign the oauth2 state parameter
+func getSaltForIDPHmac() string {
+	return env.Get(ConsoleIDPHmacSalt, defaultSaltForIDPHmac)
 }

-// getIdpScopes return default scopes during the IDP login request
-func getIdpScopes() string {
+// getIDPScopes return default scopes during the IDP login request
+func getIDPScopes() string {
 	return env.Get(ConsoleIDPScopes, "openid,profile,email")
 }

-// getIdpTokenExpiration return default token expiration for access token (in seconds)
-func getIdpTokenExpiration() string {
+// getIDPTokenExpiration return default token expiration for access token (in seconds)
+func getIDPTokenExpiration() string {
 	return env.Get(ConsoleIDPTokenExpiration, "3600")
 }
--- a/pkg/auth/idp/oauth2/const.go
+++ b/pkg/auth/idp/oauth2/const.go
@@ -16,15 +16,16 @@

 package oauth2

+// Environment constants for console IDP/SSO configuration
 const (
-	// const for idp configuration
 	ConsoleMinIOServer        = "CONSOLE_MINIO_SERVER"
-	ConsoleIdpURL             = "CONSOLE_IDP_URL"
-	ConsoleIdpClientID        = "CONSOLE_IDP_CLIENT_ID"
-	ConsoleIdpSecret          = "CONSOLE_IDP_SECRET"
-	ConsoleIdpCallbackURL     = "CONSOLE_IDP_CALLBACK"
-	ConsoleIdpHmacPassphrase  = "CONSOLE_IDP_HMAC_PASSPHRASE"
-	ConsoleIdpHmacSalt        = "CONSOLE_IDP_HMAC_SALT"
+	ConsoleIDPURL             = "CONSOLE_IDP_URL"
+	ConsoleIDPClientID        = "CONSOLE_IDP_CLIENT_ID"
+	ConsoleIDPSecret          = "CONSOLE_IDP_SECRET"
+	ConsoleIDPCallbackURL     = "CONSOLE_IDP_CALLBACK"
+	ConsoleIDPHmacPassphrase  = "CONSOLE_IDP_HMAC_PASSPHRASE"
+	ConsoleIDPHmacSalt        = "CONSOLE_IDP_HMAC_SALT"
 	ConsoleIDPScopes          = "CONSOLE_IDP_SCOPES"
+	ConsoleIDPUserInfo        = "CONSOLE_IDP_USERINFO"
 	ConsoleIDPTokenExpiration = "CONSOLE_IDP_TOKEN_EXPIRATION"
 )
--- a/pkg/auth/idp/oauth2/provider.go
+++ b/pkg/auth/idp/oauth2/provider.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"crypto/sha1"
 	"encoding/base64"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
@@ -30,7 +31,6 @@ import (

 	"github.com/minio/minio-go/v7/pkg/credentials"

-	"github.com/coreos/go-oidc"
 	"github.com/minio/console/pkg/auth/utils"
 	"golang.org/x/crypto/pbkdf2"
 	"golang.org/x/oauth2"
@@ -49,6 +49,24 @@ type Config struct {
 	xoauth2.Config
 }

+// DiscoveryDoc - parses the output from openid-configuration
+// for example https://accounts.google.com/.well-known/openid-configuration
+type DiscoveryDoc struct {
+	Issuer                           string   `json:"issuer,omitempty"`
+	AuthEndpoint                     string   `json:"authorization_endpoint,omitempty"`
+	TokenEndpoint                    string   `json:"token_endpoint,omitempty"`
+	UserInfoEndpoint                 string   `json:"userinfo_endpoint,omitempty"`
+	RevocationEndpoint               string   `json:"revocation_endpoint,omitempty"`
+	JwksURI                          string   `json:"jwks_uri,omitempty"`
+	ResponseTypesSupported           []string `json:"response_types_supported,omitempty"`
+	SubjectTypesSupported            []string `json:"subject_types_supported,omitempty"`
+	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`
+	ScopesSupported                  []string `json:"scopes_supported,omitempty"`
+	TokenEndpointAuthMethods         []string `json:"token_endpoint_auth_methods_supported,omitempty"`
+	ClaimsSupported                  []string `json:"claims_supported,omitempty"`
+	CodeChallengeMethodsSupported    []string `json:"code_challenge_methods_supported,omitempty"`
+}
+
 func (ac Config) Exchange(ctx context.Context, code string, opts ...xoauth2.AuthCodeOption) (*xoauth2.Token, error) {
 	return ac.Exchange(ctx, code, opts...)
 }
@@ -88,51 +106,51 @@ type Provider struct {
 	//   often available via site-specific packages, such as
 	//   google.Endpoint or github.Endpoint.
 	// - Scopes specifies optional requested permissions.
-	ClientID       string
+	ClientID string
+	// if enabled means that we need extrace access_token as well
+	UserInfo       bool
 	oauth2Config   Configuration
-	oidcProvider   *oidc.Provider
 	provHTTPClient *http.Client
 }

 // derivedKey is the key used to compute the HMAC for signing the oauth state parameter
 // its derived using pbkdf on CONSOLE_IDP_HMAC_PASSPHRASE with CONSOLE_IDP_HMAC_SALT
 var derivedKey = func() []byte {
-	return pbkdf2.Key([]byte(getPassphraseForIdpHmac()), []byte(getSaltForIdpHmac()), 4096, 32, sha1.New)
+	return pbkdf2.Key([]byte(getPassphraseForIDPHmac()), []byte(getSaltForIDPHmac()), 4096, 32, sha1.New)
 }

 // NewOauth2ProviderClient instantiates a new oauth2 client using the configured credentials
 // it returns a *Provider object that contains the necessary configuration to initiate an
 // oauth2 authentication flow
-func NewOauth2ProviderClient(ctx context.Context, scopes []string, httpClient *http.Client) (*Provider, error) {
-	customCtx := oidc.ClientContext(ctx, httpClient)
-	provider, err := oidc.NewProvider(customCtx, GetIdpURL())
+func NewOauth2ProviderClient(scopes []string, httpClient *http.Client) (*Provider, error) {
+
+	ddoc, err := parseDiscoveryDoc(GetIDPURL(), httpClient)
 	if err != nil {
 		return nil, err
 	}
-	// if google, change scopes
-	u, err := url.Parse(GetIdpURL())
-	if err != nil {
-		return nil, err
-	}
-	// below verification should not be necessary if the user configure exactly the
-	// scopes he need, will be removed on a future release
-	if u.Host == "google.com" {
-		scopes = []string{oidc.ScopeOpenID}
-	}
+
 	// If provided scopes are empty we use a default list or the user configured list
 	if len(scopes) == 0 {
-		scopes = strings.Split(getIdpScopes(), ",")
+		scopes = strings.Split(getIDPScopes(), ",")
 	}
+
+	// add "openid" scope always.
+	scopes = append(scopes, "openid")
+
 	client := new(Provider)
 	client.oauth2Config = &xoauth2.Config{
-		ClientID:     GetIdpClientID(),
-		ClientSecret: GetIdpSecret(),
-		RedirectURL:  GetIdpCallbackURL(),
-		Endpoint:     provider.Endpoint(),
-		Scopes:       scopes,
+		ClientID:     GetIDPClientID(),
+		ClientSecret: GetIDPSecret(),
+		RedirectURL:  GetIDPCallbackURL(),
+		Endpoint: oauth2.Endpoint{
+			AuthURL:  ddoc.AuthEndpoint,
+			TokenURL: ddoc.TokenEndpoint,
+		},
+		Scopes: scopes,
 	}
-	client.oidcProvider = provider
-	client.ClientID = GetIdpClientID()
+
+	client.ClientID = GetIDPClientID()
+	client.UserInfo = GetIDPUserInfo()
 	client.provHTTPClient = httpClient

 	return client, nil
@@ -184,18 +202,26 @@ func (client *Provider) VerifyIdentity(ctx context.Context, code, state string)

 		// check if user configured a hardcoded expiration for console via env variables
 		// and override the incoming expiration
-		userConfiguredExpiration := getIdpTokenExpiration()
+		userConfiguredExpiration := getIDPTokenExpiration()
 		if userConfiguredExpiration != "" {
 			expiration, _ = strconv.Atoi(userConfiguredExpiration)
 		}
 		idToken := oauth2Token.Extra("id_token")
 		if idToken == nil {
-			return nil, errors.New("returned token is missing id_token claim")
+			return nil, errors.New("missing id_token")
 		}
-		return &credentials.WebIdentityToken{
+		token := &credentials.WebIdentityToken{
 			Token:  idToken.(string),
 			Expiry: expiration,
-		}, nil
+		}
+		if client.UserInfo { // look for access_token only if userinfo is requested.
+			accessToken := oauth2Token.Extra("access_token")
+			if accessToken == nil {
+				return nil, errors.New("missing access_token")
+			}
+			token.AccessToken = accessToken.(string)
+		}
+		return token, nil
 	}
 	stsEndpoint := GetSTSEndpoint()
 	sts := credentials.New(&credentials.STSWebIdentity{
@@ -235,6 +261,32 @@ func validateOauth2State(state string) error {
 	return nil
 }

+// parseDiscoveryDoc parses a discovery doc from an OAuth provider
+// into a DiscoveryDoc struct that have the correct endpoints
+func parseDiscoveryDoc(ustr string, httpClient *http.Client) (DiscoveryDoc, error) {
+	d := DiscoveryDoc{}
+	req, err := http.NewRequest(http.MethodGet, ustr, nil)
+	if err != nil {
+		return d, err
+	}
+	clnt := http.Client{
+		Transport: httpClient.Transport,
+	}
+	resp, err := clnt.Do(req)
+	if err != nil {
+		return d, err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return d, err
+	}
+	dec := json.NewDecoder(resp.Body)
+	if err = dec.Decode(&d); err != nil {
+		return d, err
+	}
+	return d, nil
+}
+
 // GetRandomStateWithHMAC computes message + hmac(message, pbkdf2(key, salt)) to be used as state during the oauth authorization
 func GetRandomStateWithHMAC(length int) string {
 	state := utils.RandomCharString(length)
--- a/pkg/auth/idp/oauth2/provider_test.go
+++ b/pkg/auth/idp/oauth2/provider_test.go
@@ -21,7 +21,6 @@ import (
 	"net/http"
 	"testing"

-	"github.com/coreos/go-oidc"
 	"github.com/stretchr/testify/assert"
 	"golang.org/x/oauth2"
 )
@@ -58,7 +57,6 @@ func TestGenerateLoginURL(t *testing.T) {
 	funcAssert := assert.New(t)
 	oauth2Provider := Provider{
 		oauth2Config: Oauth2configMock{},
-		oidcProvider: &oidc.Provider{},
 	}
 	// Test-1 : GenerateLoginURL() generates URL correctly with provided state
 	oauth2ConfigAuthCodeURLMock = func(state string, opts ...oauth2.AuthCodeOption) string {
--- a/pkg/auth/token.go
+++ b/pkg/auth/token.go
@@ -287,6 +287,7 @@ func decrypt(ciphertext []byte, associatedData []byte) ([]byte, error) {
 func GetTokenFromRequest(r *http.Request) (string, error) {
 	// Token might come either as a Cookie or as a Header
 	// if not set in cookie, check if it is set on Header.
+
 	tokenCookie, err := r.Cookie("token")
 	if err != nil {
 		return "", ErrNoAuthToken
@@ -295,7 +296,17 @@ func GetTokenFromRequest(r *http.Request) (string, error) {
 	if tokenCookie.Expires.After(currentTime) {
 		return "", errTokenExpired
 	}
-	return strings.TrimSpace(tokenCookie.Value), nil
+
+	mergeToken := strings.TrimSpace(tokenCookie.Value)
+	for _, cookie := range r.Cookies() {
+		// any cookie with token%d structure
+		if cookie.Name != "token" && !strings.HasPrefix(cookie.Name, "token-") && strings.HasPrefix(cookie.Name, "token") {
+			mergeToken = fmt.Sprintf("%s%s", mergeToken, strings.TrimSpace(cookie.Value))
+		}
+	}
+
+	return mergeToken, nil
+
 }

 func GetClaimsFromTokenInRequest(req *http.Request) (*models.Principal, error) {
--- a/pkg/kes/kes.go
+++ b/pkg/kes/kes.go
@@ -130,12 +130,28 @@ type Gcp struct {
 	SecretManager *GcpSecretManager `yaml:"secretmanager,omitempty"`
 }

+type AzureCredentials struct {
+	TenantID     string `yaml:"tenant_id"`
+	ClientID     string `yaml:"client_id"`
+	ClientSecret string `yaml:"client_secret"`
+}
+
+type AzureKeyVault struct {
+	Endpoint    string            `yaml:"endpoint,omitempty"`
+	Credentials *AzureCredentials `yaml:"credentials,omitempty"`
+}
+
+type Azure struct {
+	KeyVault *AzureKeyVault `yaml:"keyvault,omitempty"`
+}
+
 type Keys struct {
 	Fs      *Fs      `yaml:"fs,omitempty"`
 	Vault   *Vault   `yaml:"vault,omitempty"`
 	Aws     *Aws     `yaml:"aws,omitempty"`
 	Gemalto *Gemalto `yaml:"gemalto,omitempty"`
 	Gcp     *Gcp     `yaml:"gcp,omitempty"`
+	Azure   *Azure   `yaml:"azure,omitempty"`
 }

 type ServerConfig struct {
--- a/pkg/subnet/subnet.go
+++ b/pkg/subnet/subnet.go
@@ -150,6 +150,9 @@ func getLicenseFromCredentials(client cluster.HTTPClientI, username, password st
 	if err != nil {
 		return "", err
 	}
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		return "", fmt.Errorf("subnet served returned status %d code", resp.StatusCode)
+	}
 	userLicense := &subnetLicenseResponse{}
 	// Parse subnet license response
 	err = json.Unmarshal(bodyBytes, userLicense)
--- a/pkg/subnet/subnet_test.go
+++ b/pkg/subnet/subnet_test.go
@@ -144,11 +144,17 @@ func Test_getLicenseFromCredentials(t *testing.T) {
 			mockFunc: func() {
 				HTTPPostMock = func(url, contentType string, body io.Reader) (resp *http.Response, err error) {
 					// returning test jwt token
-					return &http.Response{Body: ioutil.NopCloser(bytes.NewReader([]byte("{\"has_memberships\":true,\"token_info\":{\"access_token\":\"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ik4wRXdOa1V5UXpORU1UUkNOekU0UmpSR1JVWkJSa1UxUmtZNE9EY3lOekZHTXpjNU1qZ3hNZyJ9.eyJodHRwczovL2lkLnN1Ym5ldC5taW4uaW8vY2xhaW1zL2dyb3VwcyI6W10sImh0dHBzOi8vaWQuc3VibmV0Lm1pbi5pby9jbGFpbXMvcm9sZXMiOltdLCJodHRwczovL2lkLnN1Ym5ldC5taW4uaW8vY2xhaW1zL2VtYWlsIjoibGVuaW4rYzFAbWluaW8uaW8iLCJpc3MiOiJodHRwczovL2lkLnN1Ym5ldC5taW4uaW8vIiwic3ViIjoiYXV0aDB8NWZjZWFlYTMyNTNhZjEwMDc3NDZkMDM0IiwiYXVkIjoiaHR0cHM6Ly9zdWJuZXQubWluLmlvL2FwaSIsImlhdCI6MTYwODQxNjE5NiwiZXhwIjoxNjExMDA4MTk2LCJhenAiOiI1WTA0eVZlejNiOFgxUFVzRHVqSmxuZXVuY3ExVjZxaiIsInNjb3BlIjoib2ZmbGluZV9hY2Nlc3MiLCJndHkiOiJwYXNzd29yZCJ9.GC8DRLT0jUEteuBZBmyMXMswLSblCr_89Gu5NcVRUzKSYAaZ5VFW4UFgo1BpiC0sePuWJ0Vykitphx7znTfZfj5B3mZbOw3ejG6kxz7nm9DuYMmySJFYnwroZ9EP02vkW7-n_-YvEg8le1wXfkJ3lTUzO3aWddS4rfQRsZ2YJJUj61GiNyEK_QNP4PrYOuzLyD1wV75NejFqfcFoj7nRkT1K2BM0-89-_f2AFDGTjov6Ig6s1s-zLC9wxcYSmubNwpCJytZmQgPqIepOr065Y6OB4n0n0B5sXguuGuzb8VAkECrHhHPz8ta926fc0jC4XxVCNKdbV1_qC3-1yY7AJA\",\"expires_in\":2592000.0,\"token_type\":\"Bearer\"}}")))}, nil
+					return &http.Response{
+						StatusCode: 200,
+						Body:       ioutil.NopCloser(bytes.NewReader([]byte("{\"has_memberships\":true,\"token_info\":{\"access_token\":\"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ik4wRXdOa1V5UXpORU1UUkNOekU0UmpSR1JVWkJSa1UxUmtZNE9EY3lOekZHTXpjNU1qZ3hNZyJ9.eyJodHRwczovL2lkLnN1Ym5ldC5taW4uaW8vY2xhaW1zL2dyb3VwcyI6W10sImh0dHBzOi8vaWQuc3VibmV0Lm1pbi5pby9jbGFpbXMvcm9sZXMiOltdLCJodHRwczovL2lkLnN1Ym5ldC5taW4uaW8vY2xhaW1zL2VtYWlsIjoibGVuaW4rYzFAbWluaW8uaW8iLCJpc3MiOiJodHRwczovL2lkLnN1Ym5ldC5taW4uaW8vIiwic3ViIjoiYXV0aDB8NWZjZWFlYTMyNTNhZjEwMDc3NDZkMDM0IiwiYXVkIjoiaHR0cHM6Ly9zdWJuZXQubWluLmlvL2FwaSIsImlhdCI6MTYwODQxNjE5NiwiZXhwIjoxNjExMDA4MTk2LCJhenAiOiI1WTA0eVZlejNiOFgxUFVzRHVqSmxuZXVuY3ExVjZxaiIsInNjb3BlIjoib2ZmbGluZV9hY2Nlc3MiLCJndHkiOiJwYXNzd29yZCJ9.GC8DRLT0jUEteuBZBmyMXMswLSblCr_89Gu5NcVRUzKSYAaZ5VFW4UFgo1BpiC0sePuWJ0Vykitphx7znTfZfj5B3mZbOw3ejG6kxz7nm9DuYMmySJFYnwroZ9EP02vkW7-n_-YvEg8le1wXfkJ3lTUzO3aWddS4rfQRsZ2YJJUj61GiNyEK_QNP4PrYOuzLyD1wV75NejFqfcFoj7nRkT1K2BM0-89-_f2AFDGTjov6Ig6s1s-zLC9wxcYSmubNwpCJytZmQgPqIepOr065Y6OB4n0n0B5sXguuGuzb8VAkECrHhHPz8ta926fc0jC4XxVCNKdbV1_qC3-1yY7AJA\",\"expires_in\":2592000.0,\"token_type\":\"Bearer\"}}"))),
+					}, nil
 				}
 				HTTPDoMock = func(req *http.Request) (*http.Response, error) {
 					// returning test jwt license
-					return &http.Response{Body: ioutil.NopCloser(bytes.NewReader([]byte("{\"license\":\"" + license + "\",\"metadata\":{\"email\":\"lenin+c1@minio.io\",\"issuer\":\"subnet@minio.io\",\"accountId\":176,\"teamName\":\"console-customer\",\"serviceType\":\"STANDARD\",\"capacity\":25,\"requestedAt\":\"2020-12-19T22:23:31.609144732Z\",\"expiresAt\":\"2021-12-19T22:23:31.609144732Z\"}}")))}, nil
+					return &http.Response{
+						StatusCode: 200,
+						Body:       ioutil.NopCloser(bytes.NewReader([]byte("{\"license\":\"" + license + "\",\"metadata\":{\"email\":\"lenin+c1@minio.io\",\"issuer\":\"subnet@minio.io\",\"accountId\":176,\"teamName\":\"console-customer\",\"serviceType\":\"STANDARD\",\"capacity\":25,\"requestedAt\":\"2020-12-19T22:23:31.609144732Z\",\"expiresAt\":\"2021-12-19T22:23:31.609144732Z\"}}"))),
+					}, nil
 				}
 			},
 		},
--- a/portal-ui/build/asset-manifest.json
+++ b/portal-ui/build/asset-manifest.json
@@ -1,25 +1,23 @@
 {
  "files": {
-    "main.css": "/static/css/main.8cfac526.chunk.css",
-    "main.js": "/static/js/main.926c7b22.chunk.js",
-    "main.js.map": "/static/js/main.926c7b22.chunk.js.map",
-    "runtime-main.js": "/static/js/runtime-main.43a31377.js",
-    "runtime-main.js.map": "/static/js/runtime-main.43a31377.js.map",
-    "static/css/2.60e04a19.chunk.css": "/static/css/2.60e04a19.chunk.css",
-    "static/js/2.1bafa615.chunk.js": "/static/js/2.1bafa615.chunk.js",
-    "static/js/2.1bafa615.chunk.js.map": "/static/js/2.1bafa615.chunk.js.map",
-    "index.html": "/index.html",
-    "static/css/2.60e04a19.chunk.css.map": "/static/css/2.60e04a19.chunk.css.map",
-    "static/css/main.8cfac526.chunk.css.map": "/static/css/main.8cfac526.chunk.css.map",
-    "static/js/2.1bafa615.chunk.js.LICENSE.txt": "/static/js/2.1bafa615.chunk.js.LICENSE.txt",
-    "static/media/minio_console_logo.0837460e.svg": "/static/media/minio_console_logo.0837460e.svg",
-    "static/media/minio_operator_logo.1312b7c9.svg": "/static/media/minio_operator_logo.1312b7c9.svg"
+    "main.css": "./static/css/main.e33a67ba.chunk.css",
+    "main.js": "./static/js/main.e81f26fe.chunk.js",
+    "main.js.map": "./static/js/main.e81f26fe.chunk.js.map",
+    "runtime-main.js": "./static/js/runtime-main.30f8243a.js",
+    "runtime-main.js.map": "./static/js/runtime-main.30f8243a.js.map",
+    "static/css/2.5b1f144e.chunk.css": "./static/css/2.5b1f144e.chunk.css",
+    "static/js/2.dd760fd2.chunk.js": "./static/js/2.dd760fd2.chunk.js",
+    "static/js/2.dd760fd2.chunk.js.map": "./static/js/2.dd760fd2.chunk.js.map",
+    "index.html": "./index.html",
+    "static/css/2.5b1f144e.chunk.css.map": "./static/css/2.5b1f144e.chunk.css.map",
+    "static/css/main.e33a67ba.chunk.css.map": "./static/css/main.e33a67ba.chunk.css.map",
+    "static/js/2.dd760fd2.chunk.js.LICENSE.txt": "./static/js/2.dd760fd2.chunk.js.LICENSE.txt"
  },
  "entrypoints": [
-    "static/js/runtime-main.43a31377.js",
-    "static/css/2.60e04a19.chunk.css",
-    "static/js/2.1bafa615.chunk.js",
-    "static/css/main.8cfac526.chunk.css",
-    "static/js/main.926c7b22.chunk.js"
+    "static/js/runtime-main.30f8243a.js",
+    "static/css/2.5b1f144e.chunk.css",
+    "static/js/2.dd760fd2.chunk.js",
+    "static/css/main.e33a67ba.chunk.css",
+    "static/js/main.e81f26fe.chunk.js"
  ]
 }
--- a/portal-ui/build/images/object-browser-folder-icn.svg
+++ b/portal-ui/build/images/object-browser-folder-icn.svg
@@ -0,0 +1,11 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="28.141" height="23.33" viewBox="0 0 28.141 23.33">
+  <g id="object-browser-folder-icn" transform="translate(3875.698 1391.955)">
+    <g id="Grupo_1541" data-name="Grupo 1541" transform="translate(-3866.02 -1382.94)">
+      <circle id="Elipse_57" data-name="Elipse 57" cx="1.268" cy="1.268" r="1.268" transform="translate(4.275 5.49) rotate(-10.901)"/>
+      <rect id="Rectángulo_805" data-name="Rectángulo 805" width="2.707" height="2.295" rx="1.148" transform="translate(1.601 2.812)"/>
+      <path id="Trazado_365" data-name="Trazado 365" d="M-3848.674-1356.694a.267.267,0,0,0-.463,0l-1,1.735a.267.267,0,0,0,.231.4h2a.267.267,0,0,0,.232-.4Z" transform="translate(3851.773 1363.331)"/>
+      <path id="Trazado_366" data-name="Trazado 366" d="M-3845.066-1368.444a16.588,16.588,0,0,0-.021-1.927,1.119,1.119,0,0,0-.717-1.042,1.734,1.734,0,0,0-.2-.058,4.224,4.224,0,0,0-.807-.073c-.472-.014-.943.015-1.415.013-.945,0-1.889.013-2.834.017h-2.037a.694.694,0,0,0-.693.693v8.874a.694.694,0,0,0,.693.693h7.34a.694.694,0,0,0,.693-.693v-4.421C-3845.065-1367.059-3845.083-1367.754-3845.066-1368.444Zm-.842,5.871a.6.6,0,0,1-.6.6h-5.967a.6.6,0,0,1-.6-.6v-7.621a.6.6,0,0,1,.6-.6h4v1.024a1.52,1.52,0,0,0,1.518,1.518h1.043Zm0-6.34h-1.043a.857.857,0,0,1-.856-.856v-1.024h1.3a.6.6,0,0,1,.6.6Z" transform="translate(3853.792 1371.548)"/>
+    </g>
+    <path id="Trazado_367" data-name="Trazado 367" d="M-3864.516-1389.746c.726,0,1.5,2.076,2.283,2.076h9.68a1.041,1.041,0,0,1,1.038,1.038v.519h-19.748v-2.595h-.026a1.041,1.041,0,0,1,1.038-1.038h5.735m13.674,4.9a1.079,1.079,0,0,1,1.076,1.076l-1.1,11.862a1.079,1.079,0,0,1-1.076,1.076h-19.393a1.079,1.079,0,0,1-1.076-1.076l-1.076-11.862a1.079,1.079,0,0,1,1.076-1.076h21.571m-13.674-7.108h-5.735a3.25,3.25,0,0,0-3.247,3.247,2.22,2.22,0,0,0,.026.339v1.487a3.291,3.291,0,0,0-2.227,3.11c0,.067,0,.133.009.2l1.069,11.788a3.288,3.288,0,0,0,3.282,3.158h19.393a3.288,3.288,0,0,0,3.282-3.155l1.1-11.786c.006-.068.009-.136.009-.2a3.288,3.288,0,0,0-1.749-2.9,3.251,3.251,0,0,0-3.247-3.2h-8.959l-.124-.167a3.694,3.694,0,0,0-2.88-1.909Z" transform="translate(0 0)"/>
+  </g>
+</svg>
--- a/portal-ui/build/images/object-browser-icn.svg
+++ b/portal-ui/build/images/object-browser-icn.svg
@@ -0,0 +1,6 @@
+<svg id="object-browser-icn" xmlns="http://www.w3.org/2000/svg" width="11.502" height="13.542" viewBox="0 0 11.502 13.542">
+  <circle id="Elipse_55" data-name="Elipse 55" cx="1.667" cy="1.667" r="1.667" transform="translate(5.623 7.221) rotate(-10.901)"/>
+  <rect id="Rectángulo_797" data-name="Rectángulo 797" width="3.561" height="3.019" rx="1.51" transform="translate(2.105 3.699)"/>
+  <path id="Trazado_322" data-name="Trazado 322" d="M-4332.738-1202.411a.352.352,0,0,0-.609,0l-1.317,2.282a.352.352,0,0,0,.3.527h2.635a.352.352,0,0,0,.3-.527Z" transform="translate(4336.814 1211.141)"/>
+  <path id="Trazado_323" data-name="Trazado 323" d="M-4328.313-1219.174a22.083,22.083,0,0,0-.027-2.536,1.472,1.472,0,0,0-.943-1.371,2.294,2.294,0,0,0-.266-.077,5.586,5.586,0,0,0-1.063-.095c-.62-.018-1.24.019-1.86.017-1.243-.005-2.486.017-3.729.022h-2.68a.913.913,0,0,0-.912.912v11.674a.913.913,0,0,0,.912.912h9.656a.912.912,0,0,0,.912-.912v-5.816C-4328.312-1217.353-4328.335-1218.266-4328.313-1219.174Zm-1.107,7.722a.788.788,0,0,1-.787.788h-7.849a.787.787,0,0,1-.787-.788v-10.025a.787.787,0,0,1,.787-.788h5.266v1.347a2,2,0,0,0,2,2h1.373Zm0-8.339h-1.373a1.128,1.128,0,0,1-1.126-1.127v-1.347h1.712a.788.788,0,0,1,.787.788Z" transform="translate(4339.792 1223.257)"/>
+</svg>
--- a/portal-ui/build/images/trash-icn.svg
+++ b/portal-ui/build/images/trash-icn.svg
@@ -0,0 +1,6 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="9.836" height="12.646" viewBox="0 0 9.836 12.646">
+  <g id="trash-icn" transform="translate(2222 1227)">
+    <path id="Trazado_359" data-name="Trazado 359" d="M-2212.473-1226.3h-2.5v-.395a.308.308,0,0,0-.308-.308h-3.6a.308.308,0,0,0-.308.308v.395h-2.5a.309.309,0,0,0-.309.309v.787a.309.309,0,0,0,.309.309h9.218a.309.309,0,0,0,.309-.309v-.787A.309.309,0,0,0-2212.473-1226.3Z"/>
+    <path id="Trazado_360" data-name="Trazado 360" d="M-2221-1214.585a1.425,1.425,0,0,0,1.42,1.421h5.59a1.425,1.425,0,0,0,1.42-1.421V-1223H-2221Z" transform="translate(-0.297 -1.19)"/>
+  </g>
+</svg>
--- a/portal-ui/build/index.html
+++ b/portal-ui/build/index.html
@@ -1 +1 @@
-<!doctype html><html lang="en"><head><meta charset="utf-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/><meta name="theme-color" content="#000000"/><meta name="description" content="MinIO Console"/><link href="https://fonts.googleapis.com/css2?family=Lato:wght@400;500;700;900&display=swap" rel="stylesheet"/><link href="/styles/root-styles.css" rel="stylesheet"/><link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png"/><link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png"/><link rel="icon" type="image/png" sizes="96x96" href="/favicon-96x96.png"/><link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png"/><link rel="manifest" href="/manifest.json"/><link rel="mask-icon" href="/safari-pinned-tab.svg" color="#3a4e54"/><title>MinIO Console</title><link href="/static/css/2.60e04a19.chunk.css" rel="stylesheet"><link href="/static/css/main.8cfac526.chunk.css" rel="stylesheet"></head><body><noscript>You need to enable JavaScript to run this app.</noscript><div id="root"><div id="loader-block"><svg class="loader-svg-container" viewBox="22 22 44 44"><circle class="loader-style MuiCircularProgress-circle MuiCircularProgress-circleIndeterminate" cx="44" cy="44" r="20.2" fill="none" stroke-width="3.6"></circle></svg></div></div><script>!function(e){function r(r){for(var n,l,i=r[0],a=r[1],p=r[2],c=0,s=[];c<i.length;c++)l=i[c],Object.prototype.hasOwnProperty.call(o,l)&&o[l]&&s.push(o[l][0]),o[l]=0;for(n in a)Object.prototype.hasOwnProperty.call(a,n)&&(e[n]=a[n]);for(f&&f(r);s.length;)s.shift()();return u.push.apply(u,p||[]),t()}function t(){for(var e,r=0;r<u.length;r++){for(var t=u[r],n=!0,i=1;i<t.length;i++){var a=t[i];0!==o[a]&&(n=!1)}n&&(u.splice(r--,1),e=l(l.s=t[0]))}return e}var n={},o={1:0},u=[];function l(r){if(n[r])return n[r].exports;var t=n[r]={i:r,l:!1,exports:{}};return e[r].call(t.exports,t,t.exports,l),t.l=!0,t.exports}l.m=e,l.c=n,l.d=function(e,r,t){l.o(e,r)||Object.defineProperty(e,r,{enumerable:!0,get:t})},l.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},l.t=function(e,r){if(1&r&&(e=l(e)),8&r)return e;if(4&r&&"object"==typeof e&&e&&e.__esModule)return e;var t=Object.create(null);if(l.r(t),Object.defineProperty(t,"default",{enumerable:!0,value:e}),2&r&&"string"!=typeof e)for(var n in e)l.d(t,n,function(r){return e[r]}.bind(null,n));return t},l.n=function(e){var r=e&&e.__esModule?function(){return e.default}:function(){return e};return l.d(r,"a",r),r},l.o=function(e,r){return Object.prototype.hasOwnProperty.call(e,r)},l.p="/";var i=this["webpackJsonpportal-ui"]=this["webpackJsonpportal-ui"]||[],a=i.push.bind(i);i.push=r,i=i.slice();for(var p=0;p<i.length;p++)r(i[p]);var f=a;t()}([])</script><script src="/static/js/2.1bafa615.chunk.js"></script><script src="/static/js/main.926c7b22.chunk.js"></script></body></html>
+<!doctype html><html lang="en"><head><meta charset="utf-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/><meta name="theme-color" content="#081C42" media="(prefers-color-scheme: light)"/><meta name="theme-color" content="#081C42" media="(prefers-color-scheme: dark)"/><meta name="description" content="MinIO Console"/><link href="./styles/root-styles.css" rel="stylesheet"/><link rel="apple-touch-icon" sizes="180x180" href="./apple-icon-180x180.png"/><link rel="icon" type="image/png" sizes="32x32" href="./favicon-32x32.png"/><link rel="icon" type="image/png" sizes="96x96" href="./favicon-96x96.png"/><link rel="icon" type="image/png" sizes="16x16" href="./favicon-16x16.png"/><link rel="manifest" href="./manifest.json"/><link rel="mask-icon" href="./safari-pinned-tab.svg" color="#3a4e54"/><title>MinIO Console</title><link href="./static/css/2.5b1f144e.chunk.css" rel="stylesheet"><link href="./static/css/main.e33a67ba.chunk.css" rel="stylesheet"></head><body><noscript>You need to enable JavaScript to run this app.</noscript><div id="root"><div id="loader-block"><svg class="loader-svg-container" viewBox="22 22 44 44"><circle class="loader-style MuiCircularProgress-circle MuiCircularProgress-circleIndeterminate" cx="44" cy="44" r="20.2" fill="none" stroke-width="3.6"></circle></svg></div></div><script>!function(e){function r(r){for(var n,l,i=r[0],a=r[1],p=r[2],c=0,s=[];c<i.length;c++)l=i[c],Object.prototype.hasOwnProperty.call(o,l)&&o[l]&&s.push(o[l][0]),o[l]=0;for(n in a)Object.prototype.hasOwnProperty.call(a,n)&&(e[n]=a[n]);for(f&&f(r);s.length;)s.shift()();return u.push.apply(u,p||[]),t()}function t(){for(var e,r=0;r<u.length;r++){for(var t=u[r],n=!0,i=1;i<t.length;i++){var a=t[i];0!==o[a]&&(n=!1)}n&&(u.splice(r--,1),e=l(l.s=t[0]))}return e}var n={},o={1:0},u=[];function l(r){if(n[r])return n[r].exports;var t=n[r]={i:r,l:!1,exports:{}};return e[r].call(t.exports,t,t.exports,l),t.l=!0,t.exports}l.m=e,l.c=n,l.d=function(e,r,t){l.o(e,r)||Object.defineProperty(e,r,{enumerable:!0,get:t})},l.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},l.t=function(e,r){if(1&r&&(e=l(e)),8&r)return e;if(4&r&&"object"==typeof e&&e&&e.__esModule)return e;var t=Object.create(null);if(l.r(t),Object.defineProperty(t,"default",{enumerable:!0,value:e}),2&r&&"string"!=typeof e)for(var n in e)l.d(t,n,function(r){return e[r]}.bind(null,n));return t},l.n=function(e){var r=e&&e.__esModule?function(){return e.default}:function(){return e};return l.d(r,"a",r),r},l.o=function(e,r){return Object.prototype.hasOwnProperty.call(e,r)},l.p="./";var i=this["webpackJsonpportal-ui"]=this["webpackJsonpportal-ui"]||[],a=i.push.bind(i);i.push=r,i=i.slice();for(var p=0;p<i.length;p++)r(i[p]);var f=a;t()}([])</script><script src="./static/js/2.dd760fd2.chunk.js"></script><script src="./static/js/main.e81f26fe.chunk.js"></script></body></html>
--- a/portal-ui/build/static/css/2.5b1f144e.chunk.css
+++ b/portal-ui/build/static/css/2.5b1f144e.chunk.css
@@ -0,0 +1,2 @@
+.ReactVirtualized__Table__headerRow{font-weight:700;text-transform:uppercase}.ReactVirtualized__Table__headerRow,.ReactVirtualized__Table__row{display:flex;flex-direction:row;align-items:center}.ReactVirtualized__Table__headerTruncatedText{display:inline-block;max-width:100%;white-space:nowrap;text-overflow:ellipsis;overflow:hidden}.ReactVirtualized__Table__headerColumn,.ReactVirtualized__Table__rowColumn{margin-right:10px;min-width:0}.ReactVirtualized__Table__rowColumn{text-overflow:ellipsis;white-space:nowrap}.ReactVirtualized__Table__headerColumn:first-of-type,.ReactVirtualized__Table__rowColumn:first-of-type{margin-left:10px}.ReactVirtualized__Table__sortableHeaderColumn{cursor:pointer}.ReactVirtualized__Table__sortableHeaderIconContainer{display:flex;align-items:center}.ReactVirtualized__Table__sortableHeaderIcon{flex:0 0 24px;height:1em;width:1em;fill:currentColor}.react-grid-layout{position:relative;transition:height .2s ease}.react-grid-item{transition:all .2s ease;transition-property:left,top}.react-grid-item img{pointer-events:none;-webkit-user-select:none;-ms-user-select:none;user-select:none}.react-grid-item.cssTransforms{transition-property:-webkit-transform;transition-property:transform;transition-property:transform,-webkit-transform}.react-grid-item.resizing{z-index:1;will-change:width,height}.react-grid-item.react-draggable-dragging{transition:none;z-index:3;will-change:transform}.react-grid-item.dropping{visibility:hidden}.react-grid-item.react-grid-placeholder{background:red;opacity:.2;transition-duration:.1s;z-index:2;-webkit-user-select:none;-ms-user-select:none;-o-user-select:none;user-select:none}.react-grid-item>.react-resizable-handle{position:absolute;width:20px;height:20px}.react-grid-item>.react-resizable-handle:after{content:"";position:absolute;right:3px;bottom:3px;width:5px;height:5px;border-right:2px solid rgba(0,0,0,.4);border-bottom:2px solid rgba(0,0,0,.4)}.react-resizable-hide>.react-resizable-handle{display:none}.react-grid-item>.react-resizable-handle.react-resizable-handle-sw{bottom:0;left:0;cursor:sw-resize;-webkit-transform:rotate(90deg);transform:rotate(90deg)}.react-grid-item>.react-resizable-handle.react-resizable-handle-se{bottom:0;right:0;cursor:se-resize}.react-grid-item>.react-resizable-handle.react-resizable-handle-nw{top:0;left:0;cursor:nw-resize;-webkit-transform:rotate(180deg);transform:rotate(180deg)}.react-grid-item>.react-resizable-handle.react-resizable-handle-ne{top:0;right:0;cursor:ne-resize;-webkit-transform:rotate(270deg);transform:rotate(270deg)}.react-grid-item>.react-resizable-handle.react-resizable-handle-e,.react-grid-item>.react-resizable-handle.react-resizable-handle-w{top:50%;margin-top:-10px;cursor:ew-resize}.react-grid-item>.react-resizable-handle.react-resizable-handle-w{left:0;-webkit-transform:rotate(135deg);transform:rotate(135deg)}.react-grid-item>.react-resizable-handle.react-resizable-handle-e{right:0;-webkit-transform:rotate(315deg);transform:rotate(315deg)}.react-grid-item>.react-resizable-handle.react-resizable-handle-n,.react-grid-item>.react-resizable-handle.react-resizable-handle-s{left:50%;margin-left:-10px;cursor:ns-resize}.react-grid-item>.react-resizable-handle.react-resizable-handle-n{top:0;-webkit-transform:rotate(225deg);transform:rotate(225deg)}.react-grid-item>.react-resizable-handle.react-resizable-handle-s{bottom:0;-webkit-transform:rotate(45deg);transform:rotate(45deg)}.react-resizable{position:relative}.react-resizable-handle{position:absolute;width:20px;height:20px;background-repeat:no-repeat;background-origin:content-box;box-sizing:border-box;background-image:url("data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHN0eWxlPSJiYWNrZ3JvdW5kLWNvbG9yOiNmZmZmZmYwMCIgd2lkdGg9IjYiIGhlaWdodD0iNiI+PHBhdGggZD0iTTYgNkgwVjQuMmg0LjJWMEg2djZ6IiBvcGFjaXR5PSIuMzAyIi8+PC9zdmc+");background-position:100% 100%;padding:0 3px 3px 0}.react-resizable-handle-sw{bottom:0;left:0;cursor:sw-resize;-webkit-transform:rotate(90deg);transform:rotate(90deg)}.react-resizable-handle-se{bottom:0;right:0;cursor:se-resize}.react-resizable-handle-nw{top:0;left:0;cursor:nw-resize;-webkit-transform:rotate(180deg);transform:rotate(180deg)}.react-resizable-handle-ne{top:0;right:0;cursor:ne-resize;-webkit-transform:rotate(270deg);transform:rotate(270deg)}.react-resizable-handle-e,.react-resizable-handle-w{top:50%;margin-top:-10px;cursor:ew-resize}.react-resizable-handle-w{left:0;-webkit-transform:rotate(135deg);transform:rotate(135deg)}.react-resizable-handle-e{right:0;-webkit-transform:rotate(315deg);transform:rotate(315deg)}.react-resizable-handle-n,.react-resizable-handle-s{left:50%;margin-left:-10px;cursor:ns-resize}.react-resizable-handle-n{top:0;-webkit-transform:rotate(225deg);transform:rotate(225deg)}.react-resizable-handle-s{bottom:0;-webkit-transform:rotate(45deg);transform:rotate(45deg)}
+/*# sourceMappingURL=2.5b1f144e.chunk.css.map */
--- a/portal-ui/build/static/css/2.5b1f144e.chunk.css.map
+++ b/portal-ui/build/static/css/2.5b1f144e.chunk.css.map
--- a/portal-ui/build/static/css/2.60e04a19.chunk.css
+++ b/portal-ui/build/static/css/2.60e04a19.chunk.css
--- a/portal-ui/build/static/css/2.60e04a19.chunk.css.map
+++ b/portal-ui/build/static/css/2.60e04a19.chunk.css.map
--- a/portal-ui/build/static/css/main.8cfac526.chunk.css.map
+++ b/portal-ui/build/static/css/main.8cfac526.chunk.css.map
--- a/portal-ui/build/static/css/main.e33a67ba.chunk.css
+++ b/portal-ui/build/static/css/main.e33a67ba.chunk.css
--- a/portal-ui/build/static/css/main.e33a67ba.chunk.css.map
+++ b/portal-ui/build/static/css/main.e33a67ba.chunk.css.map
--- a/portal-ui/build/static/js/2.1bafa615.chunk.js
+++ b/portal-ui/build/static/js/2.1bafa615.chunk.js
--- a/portal-ui/build/static/js/2.1bafa615.chunk.js.map
+++ b/portal-ui/build/static/js/2.1bafa615.chunk.js.map
--- a/portal-ui/build/static/js/2.dd760fd2.chunk.js
+++ b/portal-ui/build/static/js/2.dd760fd2.chunk.js
--- a/Show More
+++ b/Show More