f3bcfc327d
Operator UI - Provide and store License key - New License section in Operator UI will allow user to provide the license key via input form - New License section in Operator UI will allow the user to fetch the license key using subnet credentials - Console backend has to verify provided license is valid - https://godoc.org/github.com/minio/minio/pkg/licverifier#example-package - Console backend has to store the license key in k8s secrets Operator UI - Set license to tenant during provisioning - Check if license key exists in k8s secret during tenant creation - If License is present attach the license-key jwt to the new console tenant via an environment variable Operator UI - Set license for an existing tenant - Tenant view will display information about the current status of the Tenant License - If Tenant doesn't have a License then Operator-UI will allow to attach new license by clicking the Add License button - Console backend will extract the license from the k8s secret and save the license-key jwt in the tenant console environment variable and redeploy
MinIO Console
A graphical user interface for MinIO
| Dashboard | Creating a bucket |
|---|---|
 |
 |
Setup
All console needs is a MinIO user with admin privileges and URL pointing to your MinIO deployment.
Note: We don't recommend using MinIO's Operator Credentials
- Create a user for
consoleusingmc.
$ set +o history
$ mc admin user add myminio console YOURCONSOLESECRET
$ set -o history
- Create a policy for
consolewith access to everything (for testing and debugging)
$ cat > consoleAdmin.json << EOF
{
"Version": "2012-10-17",
"Statement": [{
"Action": [
"admin:*"
],
"Effect": "Allow",
"Sid": ""
},
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
],
"Sid": ""
}
]
}
EOF
$ mc admin policy add myminio consoleAdmin consoleAdmin.json
- Set the policy for the new
consoleuser
$ mc admin policy set myminio consoleAdmin user=console
Note
Additionally, you can create policies to limit the privileges for console users, for example, if you want the user to only have access to dashboard, buckets, notifications and watch page, the policy should look like this:
{
"Version": "2012-10-17",
"Statement": [{
"Action": [
"admin:ServerInfo"
],
"Effect": "Allow",
"Sid": ""
},
{
"Action": [
"s3:ListenBucketNotification",
"s3:PutBucketNotification",
"s3:GetBucketNotification",
"s3:ListMultipartUploadParts",
"s3:ListBucketMultipartUploads",
"s3:ListBucket",
"s3:HeadBucket",
"s3:GetObject",
"s3:GetBucketLocation",
"s3:AbortMultipartUpload",
"s3:CreateBucket",
"s3:PutObject",
"s3:DeleteObject",
"s3:DeleteBucket",
"s3:PutBucketPolicy",
"s3:DeleteBucketPolicy",
"s3:GetBucketPolicy"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
],
"Sid": ""
}
]
}
Run Console server
To run the server:
# Salt to encrypt JWT payload
export CONSOLE_PBKDF_PASSPHRASE=SECRET
#required to encrypt jwet payload
export CONSOLE_PBKDF_SALT=SECRET
# MinIO endpoint
export CONSOLE_MINIO_SERVER=http://localhost:9000
./console server
Run Console with TLS enable
Copy your public.crt and private.key to ~/.console/certs, then:
./console server
Additionally, Console has support for multiple certificates, clients can request them using SNI. It expects the following structure:
certs/
│
├─ public.crt
├─ private.key
│
├─ example.com/
│ │
│ ├─ public.crt
│ └─ private.key
└─ foobar.org/
│
├─ public.crt
└─ private.key
...
Therefore, we read all filenames in the cert directory and check for each directory whether it contains a public.crt and private.key.
Connect Console to a Minio using TLS and a self-signed certificate
Copy the MinIO ca.crt under ~/.console/certs/CAs, then:
export CONSOLE_MINIO_SERVER=https://localhost:9000
./console server
You can verify that the apis work by doing the request on localhost:9090/api/v1/...
Contribute to console Project
Please follow console Contributor's Guide