DOCS-1273: Operator 6.0.0 Deploy/Upgrade docs, removing Console references (#1284)

Addresses #1273 

# Summary

This pass does three things:

1. Updates all tutorials related to Operator/Tenant deployment for
Kustomize and Helm
2. Removes references to Operator Console + updates to reference
Kustomize/Helm wherever possible
3. Slightly tidies up old or dangling references

This pass does not do these things:

- Link out heavily to Kubernetes docs (for later)
- Clean up organization (singleplat build handles this)
- Addresses OpenShift, Rancher, etc.

---------

Co-authored-by: Andrea Longo <[email protected]>
Co-authored-by: Allan Roger Reid <[email protected]>
Co-authored-by: Daryl White <[email protected]>

Author: 4 people

Makefile

@@ -174,6 +174,7 @@ sync-operator-version:
 	@echo "Retrieving latest Operator version"
 	@$(eval OPERATOR = $(shell curl --retry 10 -Ls -o /dev/null -w "%{url_effective}" https://github.com/minio/operator/releases/latest | sed "s/https:\/\/github.com\/minio\/operator\/releases\/tag\///" | sed "s/v//"))
 	@$(eval kname = $(shell uname -s))
+	@$(eval K8SFLOOR = $(shell curl -sL https://raw.githubusercontent.com/minio/operator/master/testing/kind-config-floor.yaml | grep -F -m 1 'node:v' | awk 'BEGIN { FS = ":" } ; {print $$3}'))
 
 	@echo "Updating Operator to ${OPERATOR}"
 
@@ -182,9 +183,11 @@ sync-operator-version:
 	@case "${kname}" in \
 	"Darwin") \
 		sed -i "" "s|OPERATOR|${OPERATOR}|g" source/conf.py;\
+		sed -i "" "s|K8SFLOOR|${K8SFLOOR}|g" source/conf.py; \
 		;; \
 	*) \
 		sed -i "s|OPERATOR|${OPERATOR}|g" source/conf.py; \
+		sed -i "s|K8SFLOOR|${K8SFLOOR}|g" source/conf.py; \
 		;; \
 	esac
 

source/_static/scss/includes/_misc.scss

@@ -379,4 +379,16 @@ figcaption {
 table thead tr.header {
    background-color: lightgray;
    box-shadow: none;
+}
+
+// --------------------------------------
+// Improving readability of ordered lists
+// --------------------------------------
+
+div.procedure ol.arabic li > p:first-child {
+   font-weight: bold;
+}
+
+div.procedure ol.arabic li ul.simple li p {
+   font-weight: normal; // stupid hack, not sure how else to fix this
 }

source/administration/console/managing-deployment.rst

@@ -18,6 +18,12 @@ You can use the MinIO Console to perform many of the deployment monitoring and m
 - Set up :ref:`site replication <minio-console-site-replication>` to synchronize datacenters for timely access across geographically dispersed workforces or for disaster preparedness.
 - Configure deployment :ref:`settings <minio-console-settings>`.
 
+.. important::
+
+   The MinIO Console is a web-based interface for the MinIO Server.
+
+   It is distinct and independent from the MinIO Kubernetes Operator Console which was deprecated and removed as of Operator 6.0.0.
+
 .. _minio-console-monitoring:
 
 Monitoring
@@ -62,8 +68,6 @@ Audit
 
 The Audit Log section provides an interface for viewing :ref:`audit logs <minio-logging>` collected by a configured PostgreSQL service.
 
-The Audit Logging feature is configured and enabled automatically for MinIO deployments created using the :ref:`MinIO Operator Console <minio-operator-console>`.
-
 Trace
 ~~~~~
 

source/default-conf.py

@@ -331,10 +331,12 @@
 .. |SNSD| replace:: :abbr:`SNSD (Single-Node Single-Drive)`
 .. |SNMD| replace:: :abbr:`SNMD (Single-Node Multi-Drive)`
 .. |MNMD| replace:: :abbr:`MNMD (Multi-Node Multi-Drive)`
-.. |operator-version-stable| replace:: 5.0.15
+
+.. |operator-version-stable| replace:: OPERATOR
 .. |helm-charts| replace:: `Helm Charts <https://github.com/minio/operator/tree/vOPERATOR/helm>`__
 .. |helm-operator-chart| replace:: `Helm Operator Charts <https://github.com/minio/operator/blob/vOPERATOR/helm/operator>`__
 .. |helm-tenant-chart| replace:: `Helm Tenant Charts <https://github.com/minio/operator/tree/vOPERATOR/helm/tenant>`__
+.. |k8s-floor| replace:: K8SFLOOR
 
 .. |cpp-sdk-version| replace:: CPPVERSION
 .. |dotnet-sdk-version| replace:: DOTNETVERSION

source/includes/common/common-install-operator-kustomize.rst

@@ -66,42 +66,6 @@ The following procedure uses ``kubectl -k`` to install the Operator from the Min
 
    .. _minio-k8s-deploy-operator-access-console:
 
-#. *(Optional)* Configure access to the Operator Console service
-
-   The Operator Console service does not automatically bind or expose itself for external access on the Kubernetes cluster.
-   You must instead configure a network control plane component, such as a load balancer or ingress, to grant that external access.
-
-   For testing purposes or short-term access, expose the Operator Console service through a NodePort using the following patch:
-
-   .. code-block:: shell
-      :class: copyable
-
-      kubectl patch service -n minio-operator console -p '
-      {
-          "spec": {
-              "ports": [
-                  {
-                      "name": "http",
-                      "port": 9090,
-                      "protocol": "TCP",
-                      "targetPort": 9090,
-                      "nodePort": 30090
-                  },
-                  {
-                      "name": "https",
-                      "port": 9443,
-                      "protocol": "TCP",
-                      "targetPort": 9443,
-                      "nodePort": 30433
-                  }
-              ],
-              "type": "NodePort"
-          }
-      }'
-
-   The patch command should output ``service/console patched``.
-   You can now access the service through ports ``30433`` (HTTPS) or ``30090`` (HTTP) on any of your Kubernetes worker nodes.
-
 #. Verify the Operator installation
 
    Check the contents of the specified namespace (``minio-operator``) to ensure all pods and services have started successfully.
@@ -123,7 +87,6 @@ The following procedure uses ``kubectl -k`` to install the Operator from the Min
       NAME               TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                         AGE
       service/operator   ClusterIP   10.43.135.241   <none>        4221/TCP                        5m20s
       service/sts        ClusterIP   10.43.117.251   <none>        4223/TCP                        5m20s
-      service/console    NodePort    10.43.235.38    <none>        9090:30090/TCP,9443:30433/TCP   5m20s
 
       NAME                             READY   UP-TO-DATE   AVAILABLE   AGE
       deployment.apps/console          1/1     1            1           5m20s
@@ -133,63 +96,10 @@ The following procedure uses ``kubectl -k`` to install the Operator from the Min
       replicaset.apps/console-56c7d8bd89          1         1         1       5m20s
       replicaset.apps/minio-operator-6c758b8c45   2         2         2       5m20s
 
-#. Retrieve the Operator Console JWT for login
-
-   .. code-block:: shell
-      :class: copyable
-
-      kubectl apply -f - <<EOF
-      apiVersion: v1
-      kind: Secret
-      metadata:
-        name: console-sa-secret
-        namespace: minio-operator
-        annotations:
-          kubernetes.io/service-account.name: console-sa
-      type: kubernetes.io/service-account-token
-      EOF
-      SA_TOKEN=$(kubectl -n minio-operator  get secret console-sa-secret -o jsonpath="{.data.token}" | base64 --decode)
-      echo $SA_TOKEN
-
-   The output of this command is the JSON Web Token (JWT) login credential for Operator Console.
-
-#. Log into the MinIO Operator Console
-
-
-   .. tab-set::
-
-      .. tab-item:: NodePort
-         :selected:
-
-         If you configured the service for access through a NodePort, specify the hostname of any worker node in the cluster with that port as ``HOSTNAME:NODEPORT`` to access the Console.
-
-         For example, a deployment configured with a NodePort of 30090 and the following ``InternalIP`` addresses can be accessed at ``http://172.18.0.5:30090``.
-
-         .. code-block:: shell
-            :class: copyable
-
-            kubectl get nodes -o custom-columns=IP:.status.addresses[:]
-            IP
-            map[address:172.18.0.5 type:InternalIP],map[address:k3d-MINIO-agent-3 type:Hostname]
-            map[address:172.18.0.6 type:InternalIP],map[address:k3d-MINIO-agent-2 type:Hostname]
-            map[address:172.18.0.2 type:InternalIP],map[address:k3d-MINIO-server-0 type:Hostname]
-            map[address:172.18.0.4 type:InternalIP],map[address:k3d-MINIO-agent-1 type:Hostname]
-            map[address:172.18.0.3 type:InternalIP],map[address:k3d-MINIO-agent-0 type:Hostname]
-
-      .. tab-item:: Ingress or Load Balancer
-
-         If you configured the ``svc/console`` service for access through ingress or a cluster load balancer, you can access the Console using the configured hostname and port.
-
-      .. tab-item:: Port Forwarding
-
-         You can use ``kubectl port forward`` to temporary forward ports for the Console:
-
-         .. code-block:: shell
-            :class: copyable
-
-            kubectl port-forward svc/console -n minio-operator 9090:9090
+#. Next Steps
 
-         You can then use ``http://localhost:9090`` to access the MinIO Operator Console.
+   You can deploy MinIO tenants using the :ref:`MinIO CRD and Kustomize. <minio-k8s-deploy-minio-tenant>`
+   MinIO also provides a :ref:`Helm chart for deploying Tenants <deploy-tenant-helm>`. 
 
-Once you access the Console, use the Console JWT to log in.
-You can now :ref:`deploy and manage MinIO Tenants using the Operator Console <deploy-minio-distributed>`.
+   MinIO recommends using the same method of Tenant deployment and management used to install the Operator.
+   Mixing Kustomize and Helm for Operator or Tenant management may increase operational complexity.

source/includes/common/common-k8s-connect-operator-console-no-plugin.rst

@@ -1,8 +1,6 @@
 The Operator Console service does not automatically bind or expose itself for external access on the Kubernetes cluster.
 Instead, you must configure a network control plane component, such as a load balancer or ingress, to grant external access.
 
-.. cond:: k8s
-
 For testing purposes or short-term access, expose the Operator Console service through a NodePort using the following patch:
 
 .. code-block:: shell

source/includes/k8s/deploy-operator.rst

@@ -31,16 +31,15 @@ While this documentation *may* provide guidance for configuring or deploying Kub
 MinIO Operator Components
 -------------------------
 
-The MinIO Operator exists in its own namespace.
-Within the Operator's namespace, the MinIO Operator utilizes two pods:
+The MinIO Operator exists in its own namespace in which it creates Kubernetes resources.
+Those resources includes pods, services, replicasets, and deployments.
 
-- The Operator pod for the base Operator functions to deploy, manage, modify, and maintain tenants.
-- Console pod for the Operator's Graphical User Interface, the Operator Console.
+The Operator pods monitor all namespaces by default for objects using the MinIO CRD and manages those resources automatically.
 
 When you use the Operator to create a tenant, the tenant *must* have its own namespace.
 Within that namespace, the Operator generates the pods required by the tenant configuration.
 
-Each pod runs three containers:
+Each Tenant pod runs three containers:
 
 - MinIO Container that runs all of the standard MinIO functions, equivalent to basic MinIO installation on baremetal.
   This container stores and retrieves objects in the provided mount points (persistent volumes). 
@@ -51,32 +50,29 @@ Each pod runs three containers:
 - SideCar container that monitors configuration secrets for the tenant and updates them as they change.
   This container also monitors for root credentials and creates an error if it does not find root credentials. 
 
-Starting with v5.0.6, the MinIO Operator supports custom :kube-docs:`init containers <concepts/workloads/pods/init-containers>` for additional pod initialization that may be required for your environment.
-
 The tenant utilizes Persistent Volume Claims to talk to the Persistent Volumes that store the objects.
 
-.. image:: /images/k8s/OperatorsComponent-Diagram.png
-   :width: 600px
-   :alt: A diagram of the namespaces and pods used by or maintained by the MinIO Operator.
-   :align: center
+.. Image references Console pods, need to fix this up
+
+.. .. image:: /images/k8s/OperatorsComponent-Diagram.png
+..    :width: 600px
+..    :alt: A diagram of the namespaces and pods used by or maintained by the MinIO Operator.
+..    :align: center
 
 .. _minio-operator-prerequisites:
 
 Prerequisites
 -------------
 
-Kubernetes Version 1.21.0
-~~~~~~~~~~~~~~~~~~~~~~~~~
-
-.. important::
+Kubernetes Version |k8s-floor|
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-   MinIO **strongly recommends** upgrading Production clusters running `End-Of-Life <https://kubernetes.io/releases/patch-releases/#non-active-branch-history>`__ Kubernetes APIs.
+MinIO tests |operator-version-stable| against a floor of Kubernetes API of |k8s-floor|.
+MinIO **strongly recommends** maintaining Kubernetes infrastructure using `actively maintained Kubernetes API versions <https://kubernetes.io/releases/>`__.
 
-Starting with v5.0.0, MinIO **requires** Kubernetes 1.21.0 or later for both the infrastructure and the ``kubectl`` CLI tool.
 
-.. versionadded:: Operator 5.0.6
+MinIO **strongly recommends** upgrading Kubernetes clusters running with `End-Of-Life API versions <https://kubernetes.io/releases/patch-releases/#non-active-branch-history>`__
 
-For Kubernetes 1.25.0 and later, MinIO supports deploying in environments with the :kube-docs:`Pod Security admission (PSA) <concepts/security/pod-security-admission>` ``restricted`` policy enabled.
 
 
 Kustomize and ``kubectl``
@@ -100,7 +96,7 @@ Kubernetes TLS Certificate API
    The MinIO Operator manages TLS Certificate Signing Requests (CSR) using the Kubernetes ``certificates.k8s.io`` :kube-docs:`TLS certificate management API <tasks/tls/managing-tls-in-a-cluster/>` to create signed TLS certificates in the following circumstances:
 
    - When ``autoCert`` is enabled.
-   - For the MinIO Console when the :envvar:`MINIO_CONSOLE_TLS_ENABLE` environment variable is set to ``on``.
+   - For the MinIO Tenant Console when the :envvar:`MINIO_CONSOLE_TLS_ENABLE` environment variable is set to ``on``.
    - For :ref:`STS service <minio-security-token-service>` when :envvar:`OPERATOR_STS_ENABLED` environment variable is set to ``on``.
    - For retrieving the health of the cluster.
 

source/includes/k8s/steps-configure-keycloak-identity-management.rst

@@ -37,59 +37,11 @@ Set the value to any :ref:`policy <minio-policy>` on the MinIO deployment.
 
 MinIO supports multiple methods for configuring Keycloak authentication:
 
-- Using the MinIO Operator Console
 - Using the MinIO Tenant Console
 - Using a terminal/shell and the :mc:`mc idp openid` command
 
 .. tab-set::
 
-   .. tab-item:: MinIO Operator Console
-
-      You can use the MinIO Operator Console to configure Keycloak as the External Identity Provider for the MinIO Tenant.
-      See :ref:`minio-operator-console-connect` for specific instructions.
-
-      Select :guilabel:`Identity Provider` from the left-hand navigation bar, then select :guilabel:`OpenID`.
-      Select :guilabel:`Create Configuration` to create a new configuration.
-
-      Enter the following information into the modal:
-
-      .. list-table::
-         :stub-columns: 1
-         :widths: 30 70
-         :width: 100%
-
-         * - :guilabel:`Name` 
-           - Enter a unique name for the Keycloak instance 
-         
-         * - :guilabel:`Config URL`
-           - Specify the address of the Keycloak OpenID configuration document (|KEYCLOAK_URL|)
-
-             Ensure the ``REALM`` matches the Keycloak realm you want to use for authenticating users to MinIO
-
-         * - :guilabel:`Client ID`
-           - Specify the name of the Keycloak client created in Step 1
-         
-         * - :guilabel:`Client Secret`
-           - Specify the secret credential value for the Keycloak client created in Step 1
-
-         * - :guilabel:`Display Name`
-           - Specify the user-facing name the MinIO Console should display as part of the Single-Sign On (SSO) workflow for the configured Keycloak service
-
-         * - :guilabel:`Scopes` 
-           - Specify the OpenID scopes to include in the JWT, such as ``preferred_username`` or ``email``
-         
-             You can reference these scopes using supported OpenID policy variables for the purpose of programmatic policy configurations
-
-         * - :guilabel:`Redirect URI Dynamic`
-           - Toggle to ``on``
-         
-             Substitutes the MinIO Console address used by the client as part of the Keycloak redirect URI.
-             Keycloak returns authenticated users to the Console using the provided URI.
-             
-             For MinIO Console deployments behind a reverse proxy, load balancer, or similar network control plane, you can instead use the :envvar:`MINIO_BROWSER_REDIRECT_URL` variable to set the redirect address for Keycloak to use.
-
-      Select :guilabel:`Save` to apply the configuration.
-
    .. tab-item:: MinIO Tenant Console
 
       You can use the MinIO Tenant Console to configure Keycloak as the External Identity Provider for the MinIO Tenant.

source/includes/openshift/deploy-minio-on-openshift.rst

@@ -133,7 +133,7 @@ Once installation completes, click :guilabel:`View Operator` to view the MinIO O
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 If you have installed the MinIO Operator from Red Hat OperatorHub, the installation process also configures the :openshift-docs:`OpenShift Service CA Operator <security/certificate_types_descriptions/service-ca-certificates.html>`.
-This Operator manages the TLS certificates required to access the MinIO Operator Console and Tenants.
+This Operator manages the TLS certificates required to access MinIO Tenants.
 It automatically renews and rotates the certificates 13 months before expiration.
 No additional action is required.
 
@@ -287,29 +287,8 @@ You can find the MinIO Operator Interface from the :guilabel:`Operators` left-ha
 3. Select :guilabel:`MinIO Operators` from the list of installed operators.
    The :guilabel:`Status` column must read :guilabel:`Success` to access the Operator interface.
 
-5) Access the Operator Console
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-The MinIO Operator includes the Operator Console, a browser-based management interface for managed MinIO tenants.
-
-.. include:: /includes/common/common-k8s-connect-operator-console.rst
-
-You can create a permanent routing rule by creating a :openshift-docs:`Route or Ingress <networking/understanding-networking.html#nw-ne-comparing-ingress-route_understanding-networking>` to allow access from external clients, such as your local computer browser. 
-
-The following steps provides a summary of actions necessary to create a Route.
-
-#. From :guilabel:`Networking`, go to :guilabel:`Routes`
-#. Create a new Route in the MinIO Operator project.
-   Select a recognizable route name, such as ``operator-console-route``.
-#. Set the :guilabel:`Hostname` as per your organizations networking and hostname topology.
-   Omit the hostname to allow OpenShift to generate it automatically
-#. Set the :guilabel:`Service` to :guilabel:`console`
-#. Set the :Guilabel:`Target Port` to  ``9090``
-
-You can then access the Operator Console using the configured Route.
-The Operator Console still requires using the generated JWT token for access, which you can generate at any time using ``oc minio port-forward``.
-
-6) Next Steps
+5) Next Steps
 ~~~~~~~~~~~~~
 
 After deploying the MinIO Operator, you can create a new MinIO Tenant.

source/operations/concepts.rst

@@ -132,7 +132,8 @@ There are several options to manage your MinIO deployments and clusters:
 
 - Use the command line with :mc:`mc` and :mc:`mc admin`
 - The :ref:`MinIO Console <minio-console>` graphical user interface for individual instances
-- In Kubernetes, with the :ref:`MinIO Operator Console <minio-operator-console>`
+
+.. Reference Enterprise Operator Console eventually
 
 .. _minio-rebalance: