From 8da23e130214c81ead37de538b903bdd0f1a1014 Mon Sep 17 00:00:00 2001 
From: Ravind Kumar Date: Thu, 13 Jun 2024 15:33:53 -0400 Subject: [PATCH 1/2] Attempting to reduce docs to single platform --- Makefile | 137 +- package-lock.json | 6155 +---------------- source/_static/js/main.js | 2 +- source/_templates/platform-navigation.html | 45 - source/administration/object-management.rst | 12 +- source/default-conf.py | 124 +- source/design.rst | 2 +- source/developers/file-transfer-protocol.rst | 212 +- source/developers/security-token-service.rst | 3 +- ...ploy-minio-on-azure-kubernetes-service.rst | 53 - ...e-ad-ldap-external-identity-management.rst | 155 + ...configure-keycloak-identity-management.rst | 85 + ...re-openid-external-identity-management.rst | 156 + source/includes/common-installation.rst | 2 +- ...k8s-connect-operator-console-no-plugin.rst | 35 - .../common-k8s-connect-operator-console.rst | 60 - source/includes/common/installation.rst | 147 - source/includes/container/common-deploy.rst | 120 - source/includes/container/installation.rst | 96 - source/includes/container/quickstart.rst | 383 - ...configure-keycloak-identity-management.rst | 142 - .../steps-configure-minio-kes-hashicorp.rst | 121 - ...s-deploy-minio-single-node-multi-drive.rst | 162 - ...-deploy-minio-single-node-single-drive.rst | 156 - .../steps-upgrade-minio-deployment.rst | 142 - ...oy-minio-on-elastic-kubernetes-service.rst | 58 - ...ploy-minio-on-google-kubernetes-engine.rst | 56 - .../k8s/file-transfer-protocol-k8s.rst | 230 +- ...e-ad-ldap-external-identity-management.rst | 160 +- ...configure-keycloak-identity-management.rst | 106 +- .../steps-configure-minio-kes-hashicorp.rst | 66 +- ...re-openid-external-identity-management.rst | 200 +- .../linux/file-transfer-protocol-not-k8s.rst | 352 +- ...configure-keycloak-identity-management.rst | 91 - .../steps-configure-minio-kes-hashicorp.rst | 94 +- source/includes/macos/common-installation.rst | 77 - source/includes/macos/quickstart.rst | 148 - .../steps-configure-minio-kes-hashicorp.rst | 65 - 
...s-deploy-minio-single-node-multi-drive.rst | 34 - ...-deploy-minio-single-node-single-drive.rst | 34 - .../macos/steps-upgrade-minio-deployment.rst | 78 - source/includes/windows/quickstart.rst | 153 - .../steps-configure-minio-kes-hashicorp.rst | 63 - ...-deploy-minio-single-node-single-drive.rst | 53 - source/index.rst | 269 +- source/operations/checklists/hardware.rst | 264 +- source/operations/checklists/software.rst | 15 +- source/operations/concepts.rst | 16 +- .../recover-after-drive-failure.rst | 2 +- source/operations/deploy-manage-tenants.rst | 50 - .../baremetal-decommission-server-pool.rst} | 0 .../baremetal-deploy-minio-as-a-container.rst | 191 + .../baremetal-deploy-minio-on-macos.rst | 315 + ...baremetal-deploy-minio-on-redhat-linux.rst | 438 ++ ...baremetal-deploy-minio-on-ubuntu-linux.rst | 421 ++ .../baremetal-deploy-minio-on-windows.rst | 210 + .../baremetal-deploy-minio-server.rst | 25 + .../baremetal-expand-minio-deployment.rst} | 14 +- .../baremetal-migrate-fs-gateway.rst} | 8 +- .../baremetal-upgrade-minio-deployment.rst} | 16 +- source/operations/deployments/baremetal.rst | 32 + .../operations/deployments/installation.rst | 101 + ...k8s-delete-minio-tenant-on-kubernetes.rst} | 0 ...ploy-minio-on-azure-kubernetes-service.rst | 262 + ...oy-minio-on-elastic-kubernetes-service.rst | 268 + ...ploy-minio-on-google-kubernetes-engine.rst | 261 + ...8s-deploy-minio-on-kubernetes-upstream.rst | 244 + ...minio-on-red-hat-open-shift-kubernetes.rst | 326 + ...eploy-minio-on-suse-rancher-kubernetes.rst | 265 + ...eploy-minio-tenant-helm-on-kubernetes.rst} | 4 +- .../k8s-deploy-minio-tenant-on-kubernetes.rst | 259 + ...8s-deploy-operator-helm-on-kubernetes.rst} | 0 ...k8s-expand-minio-tenant-on-kubernetes.rst} | 38 +- .../deployments/k8s-minio-operator.rst | 171 + .../deployments/k8s-minio-tenants.rst | 108 + .../k8s-modify-minio-tenant-on-kubernetes.rst | 78 + ...-upgrade-minio-operator-4.5.7-earlier.rst} | 49 +- 
...k8s-upgrade-minio-operator-kubernetes.rst} | 0 ...8s-upgrade-minio-tenant-on-kubernetes.rst} | 0 source/operations/deployments/kubernetes.rst | 48 + source/operations/external-iam.rst | 90 +- ...e-ad-ldap-external-identity-management.rst | 277 +- ...configure-keycloak-identity-management.rst | 126 +- ...re-openid-external-identity-management.rst | 276 +- .../deploy-minio-multi-node-multi-drive.rst | 328 - .../deploy-minio-single-node-multi-drive.rst | 67 - .../deploy-minio-single-node-single-drive.rst | 129 - .../deploy-minio-tenant.rst | 443 -- .../minio-operator-console.rst | 127 - .../modify-minio-tenant.rst | 47 - source/operations/installation.rst | 27 - .../manage-existing-deployments.rst | 42 - ...collect-minio-metrics-using-prometheus.rst | 7 +- .../monitoring/metrics-and-alerts.rst | 10 +- .../monitor-and-alert-using-influxdb.rst | 8 +- source/operations/network-encryption.rst | 601 +- .../network-encryption/enable-minio-tls.rst | 256 + .../enable-multiple-domain-minio-tls.rst | 266 + .../multi-site-replication.rst | 6 +- .../configure-minio-kes.rst | 225 +- source/reference/baremetal.rst | 15 + source/reference/kubernetes.rst | 15 + .../minio-mc-admin/mc-admin-update.rst | 2 +- .../minio-mc-admin/mc-admin-user-info.rst | 2 +- source/reference/minio-mc/mc-ilm-rule-ls.rst | 2 +- source/reference/minio-mc/mc-stat.rst | 7 + source/url-excludes.yaml | 235 - stage.sh | 17 + staging.env | 6 + sync-minio-version.sh | 69 + 110 files changed, 6480 insertions(+), 12841 deletions(-) delete mode 100644 source/includes/aks/deploy-minio-on-azure-kubernetes-service.rst create mode 100644 source/includes/baremetal/steps-configure-ad-ldap-external-identity-management.rst create mode 100644 source/includes/baremetal/steps-configure-keycloak-identity-management.rst create mode 100644 source/includes/baremetal/steps-configure-openid-external-identity-management.rst delete mode 100644 source/includes/common/common-k8s-connect-operator-console-no-plugin.rst delete mode 
100644 source/includes/common/common-k8s-connect-operator-console.rst delete mode 100644 source/includes/common/installation.rst delete mode 100644 source/includes/container/common-deploy.rst delete mode 100644 source/includes/container/installation.rst delete mode 100644 source/includes/container/quickstart.rst delete mode 100644 source/includes/container/steps-configure-keycloak-identity-management.rst delete mode 100644 source/includes/container/steps-configure-minio-kes-hashicorp.rst delete mode 100644 source/includes/container/steps-deploy-minio-single-node-multi-drive.rst delete mode 100644 source/includes/container/steps-deploy-minio-single-node-single-drive.rst delete mode 100644 source/includes/container/steps-upgrade-minio-deployment.rst delete mode 100644 source/includes/eks/deploy-minio-on-elastic-kubernetes-service.rst delete mode 100644 source/includes/gke/deploy-minio-on-google-kubernetes-engine.rst delete mode 100644 source/includes/linux/steps-configure-keycloak-identity-management.rst delete mode 100644 source/includes/macos/common-installation.rst delete mode 100644 source/includes/macos/quickstart.rst delete mode 100644 source/includes/macos/steps-configure-minio-kes-hashicorp.rst delete mode 100644 source/includes/macos/steps-deploy-minio-single-node-multi-drive.rst delete mode 100644 source/includes/macos/steps-deploy-minio-single-node-single-drive.rst delete mode 100644 source/includes/macos/steps-upgrade-minio-deployment.rst delete mode 100644 source/includes/windows/quickstart.rst delete mode 100644 source/includes/windows/steps-configure-minio-kes-hashicorp.rst delete mode 100644 source/includes/windows/steps-deploy-minio-single-node-single-drive.rst delete mode 100644 source/operations/deploy-manage-tenants.rst rename source/operations/{install-deploy-manage/decommission-server-pool.rst => deployments/baremetal-decommission-server-pool.rst} (100%) create mode 100644 source/operations/deployments/baremetal-deploy-minio-as-a-container.rst 
create mode 100644 source/operations/deployments/baremetal-deploy-minio-on-macos.rst create mode 100644 source/operations/deployments/baremetal-deploy-minio-on-redhat-linux.rst create mode 100644 source/operations/deployments/baremetal-deploy-minio-on-ubuntu-linux.rst create mode 100644 source/operations/deployments/baremetal-deploy-minio-on-windows.rst create mode 100644 source/operations/deployments/baremetal-deploy-minio-server.rst rename source/operations/{install-deploy-manage/expand-minio-deployment.rst => deployments/baremetal-expand-minio-deployment.rst} (97%) rename source/operations/{install-deploy-manage/migrate-fs-gateway.rst => deployments/baremetal-migrate-fs-gateway.rst} (95%) rename source/operations/{install-deploy-manage/upgrade-minio-deployment.rst => deployments/baremetal-upgrade-minio-deployment.rst} (61%) create mode 100644 source/operations/deployments/baremetal.rst create mode 100644 source/operations/deployments/installation.rst rename source/operations/{install-deploy-manage/delete-minio-tenant.rst => deployments/k8s-delete-minio-tenant-on-kubernetes.rst} (100%) create mode 100644 source/operations/deployments/k8s-deploy-minio-on-azure-kubernetes-service.rst create mode 100644 source/operations/deployments/k8s-deploy-minio-on-elastic-kubernetes-service.rst create mode 100644 source/operations/deployments/k8s-deploy-minio-on-google-kubernetes-engine.rst create mode 100644 source/operations/deployments/k8s-deploy-minio-on-kubernetes-upstream.rst create mode 100644 source/operations/deployments/k8s-deploy-minio-on-red-hat-open-shift-kubernetes.rst create mode 100644 source/operations/deployments/k8s-deploy-minio-on-suse-rancher-kubernetes.rst rename source/operations/{install-deploy-manage/deploy-minio-tenant-helm.rst => deployments/k8s-deploy-minio-tenant-helm-on-kubernetes.rst} (99%) create mode 100644 source/operations/deployments/k8s-deploy-minio-tenant-on-kubernetes.rst rename 
source/operations/{install-deploy-manage/deploy-operator-helm.rst => deployments/k8s-deploy-operator-helm-on-kubernetes.rst} (100%) rename source/operations/{install-deploy-manage/expand-minio-tenant.rst => deployments/k8s-expand-minio-tenant-on-kubernetes.rst} (73%) create mode 100644 source/operations/deployments/k8s-minio-operator.rst create mode 100644 source/operations/deployments/k8s-minio-tenants.rst create mode 100644 source/operations/deployments/k8s-modify-minio-tenant-on-kubernetes.rst rename source/operations/{install-deploy-manage/upgrade-minio-operator-4.5.7-earlier.rst => deployments/k8s-upgrade-minio-operator-4.5.7-earlier.rst} (94%) rename source/operations/{install-deploy-manage/upgrade-minio-operator.rst => deployments/k8s-upgrade-minio-operator-kubernetes.rst} (100%) rename source/operations/{install-deploy-manage/upgrade-minio-tenant.rst => deployments/k8s-upgrade-minio-tenant-on-kubernetes.rst} (100%) create mode 100644 source/operations/deployments/kubernetes.rst delete mode 100644 source/operations/install-deploy-manage/deploy-minio-multi-node-multi-drive.rst delete mode 100644 source/operations/install-deploy-manage/deploy-minio-single-node-multi-drive.rst delete mode 100644 source/operations/install-deploy-manage/deploy-minio-single-node-single-drive.rst delete mode 100644 source/operations/install-deploy-manage/deploy-minio-tenant.rst delete mode 100644 source/operations/install-deploy-manage/minio-operator-console.rst delete mode 100644 source/operations/install-deploy-manage/modify-minio-tenant.rst delete mode 100644 source/operations/installation.rst delete mode 100644 source/operations/manage-existing-deployments.rst create mode 100644 source/operations/network-encryption/enable-minio-tls.rst create mode 100644 source/operations/network-encryption/enable-multiple-domain-minio-tls.rst rename source/operations/{install-deploy-manage => replication}/multi-site-replication.rst (98%) create mode 100644 source/reference/baremetal.rst create 
mode 100644 source/reference/kubernetes.rst delete mode 100644 source/url-excludes.yaml create mode 100755 stage.sh create mode 100644 staging.env create mode 100755 sync-minio-version.sh diff --git a/Makefile b/Makefile index 8339c9e03..20854a9a4 100644 --- a/Makefile +++ b/Makefile @@ -34,24 +34,9 @@ stage-%: exit 1; \ fi - @if [ ! $(shell command -v mc) ]; then \ - echo "mc not found on this host, exiting" ; \ - exit 1; \ - fi - @if [ $(shell mc alias list --json docs-staging | jq '.status') = "error" ]; then \ - echo "doc-staging alias not found on for host mc configuration, exiting" ; \ - exit 1; \ - fi + @(./stage.sh) - @if [ $(shell mc stat --json docs-staging/staging | jq '.status') = "error" ]; then \ - echo "docs-staging/staging bucket not found, exiting" ; \ - exit 1; \ - fi - - @echo "Copying contents of $(BUILDDIR)/$(GITDIR)/$*/html/* to docs-staging/staging/$(GITDIR)/$*/" - @mc cp -r $(BUILDDIR)/$(GITDIR)/$*/html/* docs-staging/staging/$(GITDIR)/$*/ - @echo "Copy complete, visit $(STAGINGURL)/$(GITDIR)/$*/index.html" # Commenting out the older method # python -m http.server --directory $(BUILDDIR)/$(GITDIR)/$*/html/ @@ -65,12 +50,14 @@ stage-%: # - Compile SCSS # - Build docs via Sphinx -linux: +mindocs: @echo "--------------------------------------" - @echo "Building for $@ Platform" + @echo " Building for MinIO " @echo "--------------------------------------" @cp source/default-conf.py source/conf.py @make sync-deps + @make sync-operator-version + @make sync-deps ifeq ($(SYNC_SDK),TRUE) @make sync-sdks else 
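Review bot: The `stage-%` recipe now runs `@(./stage.sh)` with no arguments, so the pattern stem `$*` and the `$(BUILDDIR)`/`$(GITDIR)` values that the removed `mc cp` line used are no longer handed to the staging step. Unless the script (added by this commit, outside this hunk) derives them itself or they are exported, it cannot tell which build to upload. Passing them explicitly keeps the contract visible, e.g. `@./stage.sh "$(BUILDDIR)/$(GITDIR)/$*/html" "$(GITDIR)/$*"`, assuming the script is written to take a source and a destination. The removed checks for `mc`, the `docs-staging` alias and the bucket should be confirmed to exist in the script, so a misconfigured host still fails before any copy. The diffstat also adds `staging.env`; if that file holds the staging endpoint or access keys it should be git-ignored and supplied per host rather than committed.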
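Review bot: In the new `mindocs` recipe `@make sync-deps` runs twice, once before and once after the added `@make sync-operator-version`, so every external fetch behind `sync-deps` is repeated on each build. Keep a single call and prefer `$(MAKE)` so flags such as `-n` reach the sub-make: `@$(MAKE) sync-operator-version` followed by `@$(MAKE) sync-deps`. The build line visible in the next hunk still passes `-t $@`, which is now `mindocs`, so any content gated on the old platform tags (the deleted targets passed `-t k8s`) would presumably be dropped unless the sources were updated in this commit. The recipe continues past the end of this hunk, into the `ifeq ($(SYNC_SDK),TRUE)` branch.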
@@ -80,91 +67,6 @@ endif @$(SPHINXBUILD) -M html "$(SOURCEDIR)" "$(BUILDDIR)/$(GITDIR)/$@" $(SPHINXOPTS) $(O) -t $@ @echo -e "Building $@ Complete\n--------------------------------------\n" -windows: - @echo "--------------------------------------" - @echo "Building for $@ Platform" - @echo "--------------------------------------" - @cp source/default-conf.py source/conf.py - @make sync-deps - @npm run build - @$(SPHINXBUILD) -M html "$(SOURCEDIR)" "$(BUILDDIR)/$(GITDIR)/$@" $(SPHINXOPTS) $(O) -t $@ - @echo -e "Building $@ Complete\n--------------------------------------\n" - -macos: - @echo "--------------------------------------" - @echo "Building for $@ Platform" - @echo "--------------------------------------" - @cp source/default-conf.py source/conf.py - @make sync-deps - @npm run build - @$(SPHINXBUILD) -M html "$(SOURCEDIR)" "$(BUILDDIR)/$(GITDIR)/$@" $(SPHINXOPTS) $(O) -t $@ - @echo -e "Building $@ Complete\n--------------------------------------\n" - -k8s: - @echo "--------------------------------------" - @echo "Building for $@ Platform" - @echo "--------------------------------------" - @cp source/default-conf.py source/conf.py - @make sync-operator-version - @make sync-deps - @npm run build - @$(SPHINXBUILD) -M html "$(SOURCEDIR)" "$(BUILDDIR)/$(GITDIR)/$@" $(SPHINXOPTS) $(O) -t $@ - @echo -e "Building $@ Complete\n--------------------------------------\n" - -openshift: - @echo "--------------------------------------" - @echo "Building for $@ Platform" - @echo "--------------------------------------" - @cp source/default-conf.py source/conf.py - @make sync-operator-version - @make sync-deps - @npm run build - @$(SPHINXBUILD) -M html "$(SOURCEDIR)" "$(BUILDDIR)/$(GITDIR)/$@" $(SPHINXOPTS) $(O) -t $@ -t k8s - @echo -e "Building $@ Complete\n--------------------------------------\n" - -eks: - @echo "--------------------------------------" - @echo "Building for $@ Platform" - @echo "--------------------------------------" - @cp source/default-conf.py 
source/conf.py - @make sync-operator-version - @make sync-deps - @npm run build - @$(SPHINXBUILD) -M html "$(SOURCEDIR)" "$(BUILDDIR)/$(GITDIR)/$@" $(SPHINXOPTS) $(O) -t $@ -t k8s - @echo -e "Building $@ Complete\n--------------------------------------\n" - -gke: - @echo "--------------------------------------" - @echo "Building for $@ Platform" - @echo "--------------------------------------" - @cp source/default-conf.py source/conf.py - @make sync-operator-version - @make sync-deps - @npm run build - @$(SPHINXBUILD) -M html "$(SOURCEDIR)" "$(BUILDDIR)/$(GITDIR)/$@" $(SPHINXOPTS) $(O) -t $@ -t k8s - @echo -e "Building $@ Complete\n--------------------------------------\n" - -aks: - @echo "--------------------------------------" - @echo "Building for $@ Platform" - @echo "--------------------------------------" - @cp source/default-conf.py source/conf.py - @make sync-operator-version - @make sync-deps - @npm run build - @$(SPHINXBUILD) -M html "$(SOURCEDIR)" "$(BUILDDIR)/$(GITDIR)/$@" $(SPHINXOPTS) $(O) -t $@ -t k8s - @echo -e "Building $@ Complete\n--------------------------------------\n" - -container: - @echo "--------------------------------------" - @echo "Building for $@ Platform" - @echo "--------------------------------------" - @cp source/default-conf.py source/conf.py - @make sync-deps - @npm run build - @$(SPHINXBUILD) -M html "$(SOURCEDIR)" "$(BUILDDIR)/$(GITDIR)/$@" $(SPHINXOPTS) $(O) -t $@ - @echo -e "Building $@ Complete\n--------------------------------------\n" - # Synchronization targets # Note that the @case statements are required to account for differences between Linux and MacOS binaries # Specifically, MacOS does not use GNU utils, so syntax is slightly different for things like sed 
@@ -213,31 +115,8 @@ sync-minio-server-docs: @(./sync-minio-server-docs.sh) sync-minio-version: - @echo "Retrieving current MinIO version" - $(eval DEB = $(shell curl -s https://min.io/assets/downloads-minio.json | jq '.Linux."MinIO Server".amd64.DEB.download' | sed "s|linux-amd64|linux-amd64/archive|g")) - $(eval RPM = $(shell curl -s https://min.io/assets/downloads-minio.json | jq '.Linux."MinIO Server".amd64.RPM.download' | sed "s|linux-amd64|linux-amd64/archive|g")) - $(eval DEBARM64 = $(shell curl -s https://min.io/assets/downloads-minio.json | jq '.Linux."MinIO Server".arm64.DEB.download' | sed "s|linux-arm64|linux-arm64/archive|g")) - $(eval RPMARM64 = $(shell curl -s https://min.io/assets/downloads-minio.json | jq '.Linux."MinIO Server".arm64.RPM.download' | sed "s|linux-arm64|linux-arm64/archive|g")) - $(eval MINIO = $(shell curl --retry 10 -Ls -o /dev/null -w "%{url_effective}" https://github.com/minio/minio/releases/latest | sed "s/https:\/\/github.com\/minio\/minio\/releases\/tag\///")) - - @$(eval kname = $(shell uname -s)) - - @case "${kname}" in \ - "Darwin") \ - sed -i "" "s|MINIOLATEST|${MINIO}|g" source/conf.py; \ - sed -i "" "s|DEBURL|${DEB}|g" source/conf.py; \ - sed -i "" "s|RPMURL|${RPM}|g" source/conf.py; \ - sed -i "" "s|DEBARM64URL|${DEBARM64}|g" source/conf.py; \ - sed -i "" "s|RPMARM64URL|${RPMARM64}|g" source/conf.py; \ - ;; \ - *) \ - sed -i "s|MINIOLATEST|${MINIO}|g" source/conf.py; \ - sed -i "s|DEBURL|${DEB}|g" source/conf.py; \ - sed -i "s|RPMURL|${RPM}|g" source/conf.py; \ - sed -i "s|DEBARM64URL|${DEBARM64}|g" source/conf.py; \ - sed -i "s|RPMARM64URL|${RPMARM64}|g" source/conf.py; \ - ;; \ - esac + @echo "Retrieving MinIO latest version and download URLs" + @(./sync-minio-version.sh) sync-sdks: @(./sync-docs.sh) 
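Review bot: `sync-minio-version` now hides its fetch-and-substitute step inside `./sync-minio-version.sh`, and the recipe has no comment saying that it edits `source/conf.py` or needs network access, `curl` and `jq`. The removed recipe spliced values fetched from `min.io` and from the GitHub release redirect straight into `source/conf.py`, a file Sphinx executes as Python. If the script keeps that approach (it is outside this hunk), it should exit non-zero on an empty or unexpected value, for example by checking each fetched URL against an expected `https://` pattern before running `sed`. A comment above the recipe such as `# Rewrites MINIOLATEST and the DEB/RPM URL placeholders in source/conf.py; requires curl, jq and network access` would document the side effect.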
@@ -249,7 +128,7 @@ sync-operator-crd: sync-deps: # C++ and Rust repos do not have any releases yet. @echo "Synchronizing all external dependencies" - @make sync-minio-version +# @make sync-minio-version @make sync-kes-version @make sync-minio-server-docs diff --git a/package-lock.json b/package-lock.json index 940f8c97e..2e861ce23 100644 --- a/package-lock.json +++ b/package-lock.json 
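Review bot: Commenting out `@make sync-minio-version` in `sync-deps` leaves dead code with no reason given; the existing comment above it is about the C++ and Rust repos and does not cover it. With the call disabled, nothing visible in this Makefile replaces the `MINIOLATEST`, `DEBURL` and `RPMURL` placeholders that the target used to substitute in `source/conf.py`. Unless `source/default-conf.py` (also changed in this commit, not visible here) no longer contains them, published pages could show the literal placeholder instead of a version or download link. Either delete the line or record why it is off, e.g. `# sync-minio-version disabled: <reason>`.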
@@ -1,6143 +1,8 @@ { "name": "minio-documentation", "version": "1.0.0", - "lockfileVersion": 2, + "lockfileVersion": 1, "requires": true, - "packages": { - "": { - "name": "minio-documentation", - "version": "1.0.0", - "license": "Apache-2.0", - "devDependencies": { - "gulp": "^4.0.2", - "gulp-autoprefixer": "^8.0.0", - "gulp-clean-css": "^4.3.0", - "gulp-connect": "^5.7.0", - "gulp-load-plugins": "^2.0.7", - "gulp-rename": "^2.0.0", - "gulp-sass": "^5.1.0", - "gulp-terser": "^2.1.0", - "sass": "^1.49.0" - } - }, - "node_modules/accepts": { - "version": "1.3.7", - "resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.7.tgz", - "integrity": "sha512-Il80Qs2WjYlJIBNzNkK6KYqlVMTbZLXgHx2oT0pU/fjRHyEp+PEfEPY0R3WCwAGVOtauxh1hOxNgIf5bv7dQpA==", - "dev": true, - "dependencies": { - "mime-types": "~2.1.24", - "negotiator": "0.6.2" - }, - "engines": { - "node": ">= 0.6" - } - }, - "node_modules/ansi-colors": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/ansi-colors/-/ansi-colors-1.1.0.tgz", - "integrity": "sha512-SFKX67auSNoVR38N3L+nvsPjOE0bybKTYbkf5tRvushrAPQ9V75huw0ZxBkKVeRU9kqH3d6HA4xTckbwZ4ixmA==", - "dev": true, - "dependencies": { - "ansi-wrap": "^0.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/ansi-gray": { - "version": "0.1.1", - "resolved": "https://registry.npmjs.org/ansi-gray/-/ansi-gray-0.1.1.tgz", - "integrity": "sha1-KWLPVOyXksSFEKPetSRDaGHvclE=", - "dev": true, - "dependencies": { - "ansi-wrap": "0.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/ansi-regex": { - "version": "5.0.1", - "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", - "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", - "dev": true, - "engines": { - "node": ">=8" - } - }, - "node_modules/ansi-wrap": { - "version": "0.1.0", - "resolved": "https://registry.npmjs.org/ansi-wrap/-/ansi-wrap-0.1.0.tgz", - "integrity": 
"sha1-qCJQ3bABXponyoLoLqYDu/pF768=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/anymatch": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-2.0.0.tgz", - "integrity": "sha512-5teOsQWABXHHBFP9y3skS5P3d/WfWXpv3FUpy+LorMrNYaT9pI4oLMQX7jzQ2KklNpGpWHzdCXTDT2Y3XGlZBw==", - "dev": true, - "dependencies": { - "micromatch": "^3.1.4", - "normalize-path": "^2.1.1" - } - }, - "node_modules/anymatch/node_modules/braces": { - "version": "2.3.2", - "resolved": "https://registry.npmjs.org/braces/-/braces-2.3.2.tgz", - "integrity": "sha512-aNdbnj9P8PjdXU4ybaWLK2IF3jc/EoDYbC7AazW6to3TRsfXxscC9UXOB5iDiEQrkyIbWp2SLQda4+QAa7nc3w==", - "dev": true, - "dependencies": { - "arr-flatten": "^1.1.0", - "array-unique": "^0.3.2", - "extend-shallow": "^2.0.1", - "fill-range": "^4.0.0", - "isobject": "^3.0.1", - "repeat-element": "^1.1.2", - "snapdragon": "^0.8.1", - "snapdragon-node": "^2.0.1", - "split-string": "^3.0.2", - "to-regex": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/anymatch/node_modules/braces/node_modules/extend-shallow": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz", - "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=", - "dev": true, - "dependencies": { - "is-extendable": "^0.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/anymatch/node_modules/fill-range": { - "version": "4.0.0", - "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-4.0.0.tgz", - "integrity": "sha1-1USBHUKPmOsGpj3EAtJAPDKMOPc=", - "dev": true, - "dependencies": { - "extend-shallow": "^2.0.1", - "is-number": "^3.0.0", - "repeat-string": "^1.6.1", - "to-regex-range": "^2.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/anymatch/node_modules/fill-range/node_modules/extend-shallow": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz", - 
"integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=", - "dev": true, - "dependencies": { - "is-extendable": "^0.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/anymatch/node_modules/is-extendable": { - "version": "0.1.1", - "resolved": "https://registry.npmjs.org/is-extendable/-/is-extendable-0.1.1.tgz", - "integrity": "sha1-YrEQ4omkcUGOPsNqYX1HLjAd/Ik=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/anymatch/node_modules/is-number": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/is-number/-/is-number-3.0.0.tgz", - "integrity": "sha1-JP1iAaR4LPUFYcgQJ2r8fRLXEZU=", - "dev": true, - "dependencies": { - "kind-of": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/anymatch/node_modules/is-number/node_modules/kind-of": { - "version": "3.2.2", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz", - "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=", - "dev": true, - "dependencies": { - "is-buffer": "^1.1.5" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/anymatch/node_modules/kind-of": { - "version": "6.0.3", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-6.0.3.tgz", - "integrity": "sha512-dcS1ul+9tmeD95T+x28/ehLgd9mENa3LsvDTtzm3vyBEO7RPptvAD+t44WVXaUjTBRcrpFeFlC8WCruUR456hw==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/anymatch/node_modules/micromatch": { - "version": "3.1.10", - "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-3.1.10.tgz", - "integrity": "sha512-MWikgl9n9M3w+bpsY3He8L+w9eF9338xRl8IAO5viDizwSzziFEyUzo2xrrloB64ADbTf8uA8vRqqttDTOmccg==", - "dev": true, - "dependencies": { - "arr-diff": "^4.0.0", - "array-unique": "^0.3.2", - "braces": "^2.3.1", - "define-property": "^2.0.2", - "extend-shallow": "^3.0.2", - "extglob": "^2.0.4", - "fragment-cache": "^0.2.1", - "kind-of": "^6.0.2", - "nanomatch": "^1.2.9", - "object.pick": "^1.3.0", - "regex-not": "^1.0.0", - "snapdragon": 
"^0.8.1", - "to-regex": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/anymatch/node_modules/normalize-path": { - "version": "2.1.1", - "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-2.1.1.tgz", - "integrity": "sha1-GrKLVW4Zg2Oowab35vogE3/mrtk=", - "dev": true, - "dependencies": { - "remove-trailing-separator": "^1.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/anymatch/node_modules/to-regex-range": { - "version": "2.1.1", - "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-2.1.1.tgz", - "integrity": "sha1-fIDBe53+vlmeJzZ+DU3VWQFB2zg=", - "dev": true, - "dependencies": { - "is-number": "^3.0.0", - "repeat-string": "^1.6.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/append-buffer": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/append-buffer/-/append-buffer-1.0.2.tgz", - "integrity": "sha1-2CIM9GYIFSXv6lBhTz3mUU36WPE=", - "dev": true, - "dependencies": { - "buffer-equal": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/archy": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/archy/-/archy-1.0.0.tgz", - "integrity": "sha1-+cjBN1fMHde8N5rHeyxipcKGjEA=", - "dev": true - }, - "node_modules/arr-diff": { - "version": "4.0.0", - "resolved": "https://registry.npmjs.org/arr-diff/-/arr-diff-4.0.0.tgz", - "integrity": "sha1-1kYQdP6/7HHn4VI1dhoyml3HxSA=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/arr-filter": { - "version": "1.1.2", - "resolved": "https://registry.npmjs.org/arr-filter/-/arr-filter-1.1.2.tgz", - "integrity": "sha1-Q/3d0JHo7xGqTEXZzcGOLf8XEe4=", - "dev": true, - "dependencies": { - "make-iterator": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/arr-flatten": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/arr-flatten/-/arr-flatten-1.1.0.tgz", - "integrity": 
"sha512-L3hKV5R/p5o81R7O02IGnwpDmkp6E982XhtbuwSe3O4qOtMMMtodicASA1Cny2U+aCXcNpml+m4dPsvsJ3jatg==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/arr-map": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/arr-map/-/arr-map-2.0.2.tgz", - "integrity": "sha1-Onc0X/wc814qkYJWAfnljy4kysQ=", - "dev": true, - "dependencies": { - "make-iterator": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/arr-union": { - "version": "3.1.0", - "resolved": "https://registry.npmjs.org/arr-union/-/arr-union-3.1.0.tgz", - "integrity": "sha1-45sJrqne+Gao8gbiiK9jkZuuOcQ=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/array-each": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/array-each/-/array-each-1.0.1.tgz", - "integrity": "sha1-p5SvDAWrF1KEbudTofIRoFugxE8=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/array-initial": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/array-initial/-/array-initial-1.1.0.tgz", - "integrity": "sha1-L6dLJnOTccOUe9enrcc74zSz15U=", - "dev": true, - "dependencies": { - "array-slice": "^1.0.0", - "is-number": "^4.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/array-initial/node_modules/is-number": { - "version": "4.0.0", - "resolved": "https://registry.npmjs.org/is-number/-/is-number-4.0.0.tgz", - "integrity": "sha512-rSklcAIlf1OmFdyAqbnWTLVelsQ58uvZ66S/ZyawjWqIviTWCjg2PzVGw8WUA+nNuPTqb4wgA+NszrJ+08LlgQ==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/array-last": { - "version": "1.3.0", - "resolved": "https://registry.npmjs.org/array-last/-/array-last-1.3.0.tgz", - "integrity": "sha512-eOCut5rXlI6aCOS7Z7kCplKRKyiFQ6dHFBem4PwlwKeNFk2/XxTrhRh5T9PyaEWGy/NHTZWbY+nsZlNFJu9rYg==", - "dev": true, - "dependencies": { - "is-number": "^4.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/array-last/node_modules/is-number": { - 
"version": "4.0.0", - "resolved": "https://registry.npmjs.org/is-number/-/is-number-4.0.0.tgz", - "integrity": "sha512-rSklcAIlf1OmFdyAqbnWTLVelsQ58uvZ66S/ZyawjWqIviTWCjg2PzVGw8WUA+nNuPTqb4wgA+NszrJ+08LlgQ==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/array-slice": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/array-slice/-/array-slice-1.1.0.tgz", - "integrity": "sha512-B1qMD3RBP7O8o0H2KbrXDyB0IccejMF15+87Lvlor12ONPRHP6gTjXMNkt/d3ZuOGbAe66hFmaCfECI24Ufp6w==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/array-sort": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/array-sort/-/array-sort-1.0.0.tgz", - "integrity": "sha512-ihLeJkonmdiAsD7vpgN3CRcx2J2S0TiYW+IS/5zHBI7mKUq3ySvBdzzBfD236ubDBQFiiyG3SWCPc+msQ9KoYg==", - "dev": true, - "dependencies": { - "default-compare": "^1.0.0", - "get-value": "^2.0.6", - "kind-of": "^5.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/array-unique": { - "version": "0.3.2", - "resolved": "https://registry.npmjs.org/array-unique/-/array-unique-0.3.2.tgz", - "integrity": "sha1-qJS3XUvE9s1nnvMkSp/Y9Gri1Cg=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/assign-symbols": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/assign-symbols/-/assign-symbols-1.0.0.tgz", - "integrity": "sha1-WWZ/QfrdTyDMvCu5a41Pf3jsA2c=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/async-done": { - "version": "1.3.2", - "resolved": "https://registry.npmjs.org/async-done/-/async-done-1.3.2.tgz", - "integrity": "sha512-uYkTP8dw2og1tu1nmza1n1CMW0qb8gWWlwqMmLb7MhBVs4BXrFziT6HXUd+/RlRA/i4H9AkofYloUbs1fwMqlw==", - "dev": true, - "dependencies": { - "end-of-stream": "^1.1.0", - "once": "^1.3.2", - "process-nextick-args": "^2.0.0", - "stream-exhaust": "^1.0.1" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/async-each": { - "version": "1.0.3", - "resolved": 
"https://registry.npmjs.org/async-each/-/async-each-1.0.3.tgz", - "integrity": "sha512-z/WhQ5FPySLdvREByI2vZiTWwCnF0moMJ1hK9YQwDTHKh6I7/uSckMetoRGb5UBZPC1z0jlw+n/XCgjeH7y1AQ==", - "dev": true - }, - "node_modules/async-settle": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/async-settle/-/async-settle-1.0.0.tgz", - "integrity": "sha1-HQqRS7Aldb7IqPOnTlCA9yssDGs=", - "dev": true, - "dependencies": { - "async-done": "^1.2.2" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/atob": { - "version": "2.1.2", - "resolved": "https://registry.npmjs.org/atob/-/atob-2.1.2.tgz", - "integrity": "sha512-Wm6ukoaOGJi/73p/cl2GvLjTI5JM1k/O14isD73YML8StrH/7/lRFgmg8nICZgD3bZZvjwCGxtMOD3wWNAu8cg==", - "dev": true, - "bin": { - "atob": "bin/atob.js" - }, - "engines": { - "node": ">= 4.5.0" - } - }, - "node_modules/autoprefixer": { - "version": "10.4.2", - "resolved": "https://registry.npmjs.org/autoprefixer/-/autoprefixer-10.4.2.tgz", - "integrity": "sha512-9fOPpHKuDW1w/0EKfRmVnxTDt8166MAnLI3mgZ1JCnhNtYWxcJ6Ud5CO/AVOZi/AvFa8DY9RTy3h3+tFBlrrdQ==", - "dev": true, - "dependencies": { - "browserslist": "^4.19.1", - "caniuse-lite": "^1.0.30001297", - "fraction.js": "^4.1.2", - "normalize-range": "^0.1.2", - "picocolors": "^1.0.0", - "postcss-value-parser": "^4.2.0" - }, - "bin": { - "autoprefixer": "bin/autoprefixer" - }, - "engines": { - "node": "^10 || ^12 || >=14" - }, - "funding": { - "type": "opencollective", - "url": "https://opencollective.com/postcss/" - }, - "peerDependencies": { - "postcss": "^8.1.0" - } - }, - "node_modules/bach": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/bach/-/bach-1.2.0.tgz", - "integrity": "sha1-Szzpa/JxNPeaG0FKUcFONMO9mIA=", - "dev": true, - "dependencies": { - "arr-filter": "^1.1.1", - "arr-flatten": "^1.0.1", - "arr-map": "^2.0.0", - "array-each": "^1.0.0", - "array-initial": "^1.0.0", - "array-last": "^1.1.1", - "async-done": "^1.2.2", - "async-settle": "^1.0.0", - "now-and-later": "^2.0.0" - }, - 
"engines": { - "node": ">= 0.10" - } - }, - "node_modules/balanced-match": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", - "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==", - "dev": true - }, - "node_modules/base": { - "version": "0.11.2", - "resolved": "https://registry.npmjs.org/base/-/base-0.11.2.tgz", - "integrity": "sha512-5T6P4xPgpp0YDFvSWwEZ4NoE3aM4QBQXDzmVbraCkFj8zHM+mba8SyqB5DbZWyR7mYHo6Y7BdQo3MoA4m0TeQg==", - "dev": true, - "dependencies": { - "cache-base": "^1.0.1", - "class-utils": "^0.3.5", - "component-emitter": "^1.2.1", - "define-property": "^1.0.0", - "isobject": "^3.0.1", - "mixin-deep": "^1.2.0", - "pascalcase": "^0.1.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/base/node_modules/define-property": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/define-property/-/define-property-1.0.0.tgz", - "integrity": "sha1-dp66rz9KY6rTr56NMEybvnm/sOY=", - "dev": true, - "dependencies": { - "is-descriptor": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/batch": { - "version": "0.6.1", - "resolved": "https://registry.npmjs.org/batch/-/batch-0.6.1.tgz", - "integrity": "sha1-3DQxT05nkxgJP8dgJyUl+UvyXBY=", - "dev": true - }, - "node_modules/binary-extensions": { - "version": "1.13.1", - "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-1.13.1.tgz", - "integrity": "sha512-Un7MIEDdUC5gNpcGDV97op1Ywk748MpHcFTHoYs6qnj1Z3j7I53VG3nwZhKzoBZmbdRNnb6WRdFlwl7tSDuZGw==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/bindings": { - "version": "1.5.0", - "resolved": "https://registry.npmjs.org/bindings/-/bindings-1.5.0.tgz", - "integrity": "sha512-p2q/t/mhvuOj/UeLlV6566GD/guowlr0hHxClI0W9m7MWYkL1F0hLo+0Aexs9HSPCtR1SXQ0TD3MMKrXZajbiQ==", - "dev": true, - "optional": true, - "dependencies": { - "file-uri-to-path": "1.0.0" - } - 
}, - "node_modules/body": { - "version": "5.1.0", - "resolved": "https://registry.npmjs.org/body/-/body-5.1.0.tgz", - "integrity": "sha1-5LoM5BCkaTYyM2dgnstOZVMSUGk=", - "dev": true, - "dependencies": { - "continuable-cache": "^0.3.1", - "error": "^7.0.0", - "raw-body": "~1.1.0", - "safe-json-parse": "~1.0.1" - } - }, - "node_modules/brace-expansion": { - "version": "1.1.11", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", - "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", - "dev": true, - "dependencies": { - "balanced-match": "^1.0.0", - "concat-map": "0.0.1" - } - }, - "node_modules/braces": { - "version": "3.0.2", - "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz", - "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==", - "dev": true, - "dependencies": { - "fill-range": "^7.0.1" - }, - "engines": { - "node": ">=8" - } - }, - "node_modules/browserslist": { - "version": "4.19.1", - "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.19.1.tgz", - "integrity": "sha512-u2tbbG5PdKRTUoctO3NBD8FQ5HdPh1ZXPHzp1rwaa5jTc+RV9/+RlWiAIKmjRPQF+xbGM9Kklj5bZQFa2s/38A==", - "dev": true, - "dependencies": { - "caniuse-lite": "^1.0.30001286", - "electron-to-chromium": "^1.4.17", - "escalade": "^3.1.1", - "node-releases": "^2.0.1", - "picocolors": "^1.0.0" - }, - "bin": { - "browserslist": "cli.js" - }, - "engines": { - "node": "^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7" - }, - "funding": { - "type": "opencollective", - "url": "https://opencollective.com/browserslist" - } - }, - "node_modules/buffer-equal": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/buffer-equal/-/buffer-equal-1.0.0.tgz", - "integrity": "sha1-WWFrSYME1Var1GaWayLu2j7KX74=", - "dev": true, - "engines": { - "node": ">=0.4.0" - } - }, - "node_modules/buffer-from": { - "version": "1.1.2", - 
"resolved": "https://registry.npmjs.org/buffer-from/-/buffer-from-1.1.2.tgz", - "integrity": "sha512-E+XQCRwSbaaiChtv6k6Dwgc+bx+Bs6vuKJHHl5kox/BaKbhiXzqQOwK4cO22yElGp2OCmjwVhT3HmxgyPGnJfQ==", - "dev": true - }, - "node_modules/bytes": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/bytes/-/bytes-1.0.0.tgz", - "integrity": "sha1-NWnt6Lo0MV+rmcPpLLBMciDeH6g=", - "dev": true - }, - "node_modules/cache-base": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/cache-base/-/cache-base-1.0.1.tgz", - "integrity": "sha512-AKcdTnFSWATd5/GCPRxr2ChwIJ85CeyrEyjRHlKxQ56d4XJMGym0uAiKn0xbLOGOl3+yRpOTi484dVCEc5AUzQ==", - "dev": true, - "dependencies": { - "collection-visit": "^1.0.0", - "component-emitter": "^1.2.1", - "get-value": "^2.0.6", - "has-value": "^1.0.0", - "isobject": "^3.0.1", - "set-value": "^2.0.0", - "to-object-path": "^0.3.0", - "union-value": "^1.0.0", - "unset-value": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/call-bind": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/call-bind/-/call-bind-1.0.2.tgz", - "integrity": "sha512-7O+FbCihrB5WGbFYesctwmTKae6rOiIzmz1icreWJ+0aA7LJfuqhEso2T9ncpcFtzMQtzXf2QGGueWJGTYsqrA==", - "dev": true, - "dependencies": { - "function-bind": "^1.1.1", - "get-intrinsic": "^1.0.2" - }, - "funding": { - "url": "https://github.com/sponsors/ljharb" - } - }, - "node_modules/camelcase": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/camelcase/-/camelcase-3.0.0.tgz", - "integrity": "sha1-MvxLn82vhF/N9+c7uXysImHwqwo=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/caniuse-lite": { - "version": "1.0.30001304", - "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001304.tgz", - "integrity": "sha512-bdsfZd6K6ap87AGqSHJP/s1V+U6Z5lyrcbBu3ovbCCf8cSYpwTtGrCBObMpJqwxfTbLW6YTIdbb1jEeTelcpYQ==", - "dev": true, - "funding": { - "type": "opencollective", - "url": "https://opencollective.com/browserslist" - 
} - }, - "node_modules/chokidar": { - "version": "2.1.8", - "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-2.1.8.tgz", - "integrity": "sha512-ZmZUazfOzf0Nve7duiCKD23PFSCs4JPoYyccjUFF3aQkQadqBhfzhjkwBH2mNOG9cTBwhamM37EIsIkZw3nRgg==", - "deprecated": "Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies", - "dev": true, - "dependencies": { - "anymatch": "^2.0.0", - "async-each": "^1.0.1", - "braces": "^2.3.2", - "glob-parent": "^3.1.0", - "inherits": "^2.0.3", - "is-binary-path": "^1.0.0", - "is-glob": "^4.0.0", - "normalize-path": "^3.0.0", - "path-is-absolute": "^1.0.0", - "readdirp": "^2.2.1", - "upath": "^1.1.1" - }, - "optionalDependencies": { - "fsevents": "^1.2.7" - } - }, - "node_modules/chokidar/node_modules/braces": { - "version": "2.3.2", - "resolved": "https://registry.npmjs.org/braces/-/braces-2.3.2.tgz", - "integrity": "sha512-aNdbnj9P8PjdXU4ybaWLK2IF3jc/EoDYbC7AazW6to3TRsfXxscC9UXOB5iDiEQrkyIbWp2SLQda4+QAa7nc3w==", - "dev": true, - "dependencies": { - "arr-flatten": "^1.1.0", - "array-unique": "^0.3.2", - "extend-shallow": "^2.0.1", - "fill-range": "^4.0.0", - "isobject": "^3.0.1", - "repeat-element": "^1.1.2", - "snapdragon": "^0.8.1", - "snapdragon-node": "^2.0.1", - "split-string": "^3.0.2", - "to-regex": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/chokidar/node_modules/extend-shallow": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz", - "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=", - "dev": true, - "dependencies": { - "is-extendable": "^0.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/chokidar/node_modules/fill-range": { - "version": "4.0.0", - "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-4.0.0.tgz", - "integrity": "sha1-1USBHUKPmOsGpj3EAtJAPDKMOPc=", - "dev": true, - "dependencies": { - "extend-shallow": "^2.0.1", - "is-number": "^3.0.0", - 
"repeat-string": "^1.6.1", - "to-regex-range": "^2.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/chokidar/node_modules/is-extendable": { - "version": "0.1.1", - "resolved": "https://registry.npmjs.org/is-extendable/-/is-extendable-0.1.1.tgz", - "integrity": "sha1-YrEQ4omkcUGOPsNqYX1HLjAd/Ik=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/chokidar/node_modules/is-number": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/is-number/-/is-number-3.0.0.tgz", - "integrity": "sha1-JP1iAaR4LPUFYcgQJ2r8fRLXEZU=", - "dev": true, - "dependencies": { - "kind-of": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/chokidar/node_modules/kind-of": { - "version": "3.2.2", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz", - "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=", - "dev": true, - "dependencies": { - "is-buffer": "^1.1.5" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/chokidar/node_modules/to-regex-range": { - "version": "2.1.1", - "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-2.1.1.tgz", - "integrity": "sha1-fIDBe53+vlmeJzZ+DU3VWQFB2zg=", - "dev": true, - "dependencies": { - "is-number": "^3.0.0", - "repeat-string": "^1.6.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/class-utils": { - "version": "0.3.6", - "resolved": "https://registry.npmjs.org/class-utils/-/class-utils-0.3.6.tgz", - "integrity": "sha512-qOhPa/Fj7s6TY8H8esGu5QNpMMQxz79h+urzrNYN6mn+9BnxlDGf5QZ+XeCDsxSjPqsSR56XOZOJmpeurnLMeg==", - "dev": true, - "dependencies": { - "arr-union": "^3.1.0", - "define-property": "^0.2.5", - "isobject": "^3.0.0", - "static-extend": "^0.1.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/class-utils/node_modules/define-property": { - "version": "0.2.5", - "resolved": "https://registry.npmjs.org/define-property/-/define-property-0.2.5.tgz", - "integrity": 
"sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=", - "dev": true, - "dependencies": { - "is-descriptor": "^0.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/class-utils/node_modules/is-accessor-descriptor": { - "version": "0.1.6", - "resolved": "https://registry.npmjs.org/is-accessor-descriptor/-/is-accessor-descriptor-0.1.6.tgz", - "integrity": "sha1-qeEss66Nh2cn7u84Q/igiXtcmNY=", - "dev": true, - "dependencies": { - "kind-of": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/class-utils/node_modules/is-accessor-descriptor/node_modules/kind-of": { - "version": "3.2.2", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz", - "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=", - "dev": true, - "dependencies": { - "is-buffer": "^1.1.5" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/class-utils/node_modules/is-data-descriptor": { - "version": "0.1.4", - "resolved": "https://registry.npmjs.org/is-data-descriptor/-/is-data-descriptor-0.1.4.tgz", - "integrity": "sha1-C17mSDiOLIYCgueT8YVv7D8wG1Y=", - "dev": true, - "dependencies": { - "kind-of": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/class-utils/node_modules/is-data-descriptor/node_modules/kind-of": { - "version": "3.2.2", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz", - "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=", - "dev": true, - "dependencies": { - "is-buffer": "^1.1.5" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/class-utils/node_modules/is-descriptor": { - "version": "0.1.6", - "resolved": "https://registry.npmjs.org/is-descriptor/-/is-descriptor-0.1.6.tgz", - "integrity": "sha512-avDYr0SB3DwO9zsMov0gKCESFYqCnE4hq/4z3TdUlukEy5t9C0YRq7HLrsN52NAcqXKaepeCD0n+B0arnVG3Hg==", - "dev": true, - "dependencies": { - "is-accessor-descriptor": "^0.1.6", - "is-data-descriptor": "^0.1.4", - "kind-of": "^5.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - 
"node_modules/clean-css": { - "version": "4.2.3", - "resolved": "https://registry.npmjs.org/clean-css/-/clean-css-4.2.3.tgz", - "integrity": "sha512-VcMWDN54ZN/DS+g58HYL5/n4Zrqe8vHJpGA8KdgUXFU4fuP/aHNw8eld9SyEIyabIMJX/0RaY/fplOo5hYLSFA==", - "dev": true, - "dependencies": { - "source-map": "~0.6.0" - }, - "engines": { - "node": ">= 4.0" - } - }, - "node_modules/clean-css/node_modules/source-map": { - "version": "0.6.1", - "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz", - "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/cliui": { - "version": "3.2.0", - "resolved": "https://registry.npmjs.org/cliui/-/cliui-3.2.0.tgz", - "integrity": "sha1-EgYBU3qRbSmUD5NNo7SNWFo5IT0=", - "dev": true, - "dependencies": { - "string-width": "^1.0.1", - "strip-ansi": "^3.0.1", - "wrap-ansi": "^2.0.0" - } - }, - "node_modules/cliui/node_modules/ansi-regex": { - "version": "2.1.1", - "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-2.1.1.tgz", - "integrity": "sha1-w7M6te42DYbg5ijwRorn7yfWVN8=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/cliui/node_modules/strip-ansi": { - "version": "3.0.1", - "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-3.0.1.tgz", - "integrity": "sha1-ajhfuIU9lS1f8F0Oiq+UJ43GPc8=", - "dev": true, - "dependencies": { - "ansi-regex": "^2.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/clone": { - "version": "2.1.2", - "resolved": "https://registry.npmjs.org/clone/-/clone-2.1.2.tgz", - "integrity": "sha1-G39Ln1kfHo+DZwQBYANFoCiHQ18=", - "dev": true, - "engines": { - "node": ">=0.8" - } - }, - "node_modules/clone-buffer": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/clone-buffer/-/clone-buffer-1.0.0.tgz", - "integrity": "sha1-4+JbIHrE5wGvch4staFnksrD3Fg=", - "dev": true, - "engines": { - "node": ">= 
0.10" - } - }, - "node_modules/clone-stats": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/clone-stats/-/clone-stats-1.0.0.tgz", - "integrity": "sha1-s3gt/4u1R04Yuba/D9/ngvh3doA=", - "dev": true - }, - "node_modules/cloneable-readable": { - "version": "1.1.3", - "resolved": "https://registry.npmjs.org/cloneable-readable/-/cloneable-readable-1.1.3.tgz", - "integrity": "sha512-2EF8zTQOxYq70Y4XKtorQupqF0m49MBz2/yf5Bj+MHjvpG3Hy7sImifnqD6UA+TKYxeSV+u6qqQPawN5UvnpKQ==", - "dev": true, - "dependencies": { - "inherits": "^2.0.1", - "process-nextick-args": "^2.0.0", - "readable-stream": "^2.3.5" - } - }, - "node_modules/cloneable-readable/node_modules/readable-stream": { - "version": "2.3.7", - "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.7.tgz", - "integrity": "sha512-Ebho8K4jIbHAxnuxi7o42OrZgF/ZTNcsZj6nRKyUmkhLFq8CHItp/fy6hQZuZmP/n3yZ9VBUbp4zz/mX8hmYPw==", - "dev": true, - "dependencies": { - "core-util-is": "~1.0.0", - "inherits": "~2.0.3", - "isarray": "~1.0.0", - "process-nextick-args": "~2.0.0", - "safe-buffer": "~5.1.1", - "string_decoder": "~1.1.1", - "util-deprecate": "~1.0.1" - } - }, - "node_modules/cloneable-readable/node_modules/safe-buffer": { - "version": "5.1.2", - "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", - "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==", - "dev": true - }, - "node_modules/cloneable-readable/node_modules/string_decoder": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", - "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", - "dev": true, - "dependencies": { - "safe-buffer": "~5.1.0" - } - }, - "node_modules/code-point-at": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/code-point-at/-/code-point-at-1.1.0.tgz", - "integrity": 
"sha1-DQcLTQQ6W+ozovGkDi7bPZpMz3c=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/collection-map": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/collection-map/-/collection-map-1.0.0.tgz", - "integrity": "sha1-rqDwb40mx4DCt1SUOFVEsiVa8Yw=", - "dev": true, - "dependencies": { - "arr-map": "^2.0.2", - "for-own": "^1.0.0", - "make-iterator": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/collection-visit": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/collection-visit/-/collection-visit-1.0.0.tgz", - "integrity": "sha1-S8A3PBZLwykbTTaMgpzxqApZ3KA=", - "dev": true, - "dependencies": { - "map-visit": "^1.0.0", - "object-visit": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/color-support": { - "version": "1.1.3", - "resolved": "https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz", - "integrity": "sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==", - "dev": true, - "bin": { - "color-support": "bin.js" - } - }, - "node_modules/commander": { - "version": "2.20.3", - "resolved": "https://registry.npmjs.org/commander/-/commander-2.20.3.tgz", - "integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==", - "dev": true - }, - "node_modules/component-emitter": { - "version": "1.3.0", - "resolved": "https://registry.npmjs.org/component-emitter/-/component-emitter-1.3.0.tgz", - "integrity": "sha512-Rd3se6QB+sO1TwqZjscQrurpEPIfO0/yYnSin6Q/rD3mOutHvUrCAhJub3r90uNb+SESBuE0QYoB90YdfatsRg==", - "dev": true - }, - "node_modules/concat-map": { - "version": "0.0.1", - "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", - "integrity": "sha1-2Klr13/Wjfd5OnMDajug1UBdR3s=", - "dev": true - }, - "node_modules/concat-stream": { - "version": "1.6.2", - "resolved": "https://registry.npmjs.org/concat-stream/-/concat-stream-1.6.2.tgz", - 
"integrity": "sha512-27HBghJxjiZtIk3Ycvn/4kbJk/1uZuJFfuPEns6LaEvpvG1f0hTea8lilrouyo9mVc2GWdcEZ8OLoGmSADlrCw==", - "dev": true, - "engines": [ - "node >= 0.8" - ], - "dependencies": { - "buffer-from": "^1.0.0", - "inherits": "^2.0.3", - "readable-stream": "^2.2.2", - "typedarray": "^0.0.6" - } - }, - "node_modules/concat-stream/node_modules/readable-stream": { - "version": "2.3.7", - "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.7.tgz", - "integrity": "sha512-Ebho8K4jIbHAxnuxi7o42OrZgF/ZTNcsZj6nRKyUmkhLFq8CHItp/fy6hQZuZmP/n3yZ9VBUbp4zz/mX8hmYPw==", - "dev": true, - "dependencies": { - "core-util-is": "~1.0.0", - "inherits": "~2.0.3", - "isarray": "~1.0.0", - "process-nextick-args": "~2.0.0", - "safe-buffer": "~5.1.1", - "string_decoder": "~1.1.1", - "util-deprecate": "~1.0.1" - } - }, - "node_modules/concat-stream/node_modules/safe-buffer": { - "version": "5.1.2", - "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", - "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==", - "dev": true - }, - "node_modules/concat-stream/node_modules/string_decoder": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", - "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", - "dev": true, - "dependencies": { - "safe-buffer": "~5.1.0" - } - }, - "node_modules/connect": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/connect/-/connect-3.7.0.tgz", - "integrity": "sha512-ZqRXc+tZukToSNmh5C2iWMSoV3X1YUcPbqEM4DkEG5tNQXrQUZCNVGGv3IuicnkMtPfGf3Xtp8WCXs295iQ1pQ==", - "dev": true, - "dependencies": { - "debug": "2.6.9", - "finalhandler": "1.1.2", - "parseurl": "~1.3.3", - "utils-merge": "1.0.1" - }, - "engines": { - "node": ">= 0.10.0" - } - }, - "node_modules/connect-livereload": { - "version": "0.6.1", - "resolved": 
"https://registry.npmjs.org/connect-livereload/-/connect-livereload-0.6.1.tgz", - "integrity": "sha512-3R0kMOdL7CjJpU66fzAkCe6HNtd3AavCS4m+uW4KtJjrdGPT0SQEZieAYd+cm+lJoBznNQ4lqipYWkhBMgk00g==", - "dev": true, - "engines": { - "node": "*" - } - }, - "node_modules/continuable-cache": { - "version": "0.3.1", - "resolved": "https://registry.npmjs.org/continuable-cache/-/continuable-cache-0.3.1.tgz", - "integrity": "sha1-vXJ6f67XfnH/OYWskzUakSczrQ8=", - "dev": true - }, - "node_modules/convert-source-map": { - "version": "1.8.0", - "resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-1.8.0.tgz", - "integrity": "sha512-+OQdjP49zViI/6i7nIJpA8rAl4sV/JdPfU9nZs3VqOwGIgizICvuN2ru6fMd+4llL0tar18UYJXfZ/TWtmhUjA==", - "dev": true, - "dependencies": { - "safe-buffer": "~5.1.1" - } - }, - "node_modules/convert-source-map/node_modules/safe-buffer": { - "version": "5.1.2", - "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", - "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==", - "dev": true - }, - "node_modules/copy-descriptor": { - "version": "0.1.1", - "resolved": "https://registry.npmjs.org/copy-descriptor/-/copy-descriptor-0.1.1.tgz", - "integrity": "sha1-Z29us8OZl8LuGsOpJP1hJHSPV40=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/copy-props": { - "version": "2.0.5", - "resolved": "https://registry.npmjs.org/copy-props/-/copy-props-2.0.5.tgz", - "integrity": "sha512-XBlx8HSqrT0ObQwmSzM7WE5k8FxTV75h1DX1Z3n6NhQ/UYYAvInWYmG06vFt7hQZArE2fuO62aihiWIVQwh1sw==", - "dev": true, - "dependencies": { - "each-props": "^1.3.2", - "is-plain-object": "^5.0.0" - } - }, - "node_modules/copy-props/node_modules/is-plain-object": { - "version": "5.0.0", - "resolved": "https://registry.npmjs.org/is-plain-object/-/is-plain-object-5.0.0.tgz", - "integrity": "sha512-VRSzKkbMm5jMDoKLbltAkFQ5Qr7VDiTFGXxYFXXowVj387GeGNOCsOH6Msy00SGZ3Fp84b1Naa1psqgcCIEP5Q==", - 
"dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/core-util-is": { - "version": "1.0.3", - "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz", - "integrity": "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==", - "dev": true - }, - "node_modules/d": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/d/-/d-1.0.1.tgz", - "integrity": "sha512-m62ShEObQ39CfralilEQRjH6oAMtNCV1xJyEx5LpRYUVN+EviphDgUc/F3hnYbADmkiNs67Y+3ylmlG7Lnu+FA==", - "dev": true, - "dependencies": { - "es5-ext": "^0.10.50", - "type": "^1.0.1" - } - }, - "node_modules/debug": { - "version": "2.6.9", - "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz", - "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==", - "dev": true, - "dependencies": { - "ms": "2.0.0" - } - }, - "node_modules/decamelize": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/decamelize/-/decamelize-1.2.0.tgz", - "integrity": "sha1-9lNNFRSCabIDUue+4m9QH5oZEpA=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/decode-uri-component": { - "version": "0.2.0", - "resolved": "https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz", - "integrity": "sha1-6zkTMzRYd1y4TNGh+uBiEGu4dUU=", - "dev": true, - "engines": { - "node": ">=0.10" - } - }, - "node_modules/default-compare": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/default-compare/-/default-compare-1.0.0.tgz", - "integrity": "sha512-QWfXlM0EkAbqOCbD/6HjdwT19j7WCkMyiRhWilc4H9/5h/RzTF9gv5LYh1+CmDV5d1rki6KAWLtQale0xt20eQ==", - "dev": true, - "dependencies": { - "kind-of": "^5.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/default-resolution": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/default-resolution/-/default-resolution-2.0.0.tgz", - "integrity": 
"sha1-vLgrqnKtebQmp2cy8aga1t8m1oQ=", - "dev": true, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/define-properties": { - "version": "1.1.3", - "resolved": "https://registry.npmjs.org/define-properties/-/define-properties-1.1.3.tgz", - "integrity": "sha512-3MqfYKj2lLzdMSf8ZIZE/V+Zuy+BgD6f164e8K2w7dgnpKArBDerGYpM46IYYcjnkdPNMjPk9A6VFB8+3SKlXQ==", - "dev": true, - "dependencies": { - "object-keys": "^1.0.12" - }, - "engines": { - "node": ">= 0.4" - } - }, - "node_modules/define-property": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/define-property/-/define-property-2.0.2.tgz", - "integrity": "sha512-jwK2UV4cnPpbcG7+VRARKTZPUWowwXA8bzH5NP6ud0oeAxyYPuGZUAC7hMugpCdz4BeSZl2Dl9k66CHJ/46ZYQ==", - "dev": true, - "dependencies": { - "is-descriptor": "^1.0.2", - "isobject": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/depd": { - "version": "1.1.2", - "resolved": "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz", - "integrity": "sha1-m81S4UwJd2PnSbJ0xDRu0uVgtak=", - "dev": true, - "engines": { - "node": ">= 0.6" - } - }, - "node_modules/destroy": { - "version": "1.0.4", - "resolved": "https://registry.npmjs.org/destroy/-/destroy-1.0.4.tgz", - "integrity": "sha1-l4hXRCxEdJ5CBmE+N5RiBYJqvYA=", - "dev": true - }, - "node_modules/detect-file": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/detect-file/-/detect-file-1.0.0.tgz", - "integrity": "sha1-8NZtA2cqglyxtzvbP+YjEMjlUrc=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/duplexify": { - "version": "3.7.1", - "resolved": "https://registry.npmjs.org/duplexify/-/duplexify-3.7.1.tgz", - "integrity": "sha512-07z8uv2wMyS51kKhD1KsdXJg5WQ6t93RneqRxUHnskXVtlYYkLqM0gqStQZ3pj073g687jPCHrqNfCzawLYh5g==", - "dev": true, - "dependencies": { - "end-of-stream": "^1.0.0", - "inherits": "^2.0.1", - "readable-stream": "^2.0.0", - "stream-shift": "^1.0.0" - } - }, - "node_modules/duplexify/node_modules/readable-stream": { - "version": 
"2.3.7", - "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.7.tgz", - "integrity": "sha512-Ebho8K4jIbHAxnuxi7o42OrZgF/ZTNcsZj6nRKyUmkhLFq8CHItp/fy6hQZuZmP/n3yZ9VBUbp4zz/mX8hmYPw==", - "dev": true, - "dependencies": { - "core-util-is": "~1.0.0", - "inherits": "~2.0.3", - "isarray": "~1.0.0", - "process-nextick-args": "~2.0.0", - "safe-buffer": "~5.1.1", - "string_decoder": "~1.1.1", - "util-deprecate": "~1.0.1" - } - }, - "node_modules/duplexify/node_modules/safe-buffer": { - "version": "5.1.2", - "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", - "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==", - "dev": true - }, - "node_modules/duplexify/node_modules/string_decoder": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", - "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", - "dev": true, - "dependencies": { - "safe-buffer": "~5.1.0" - } - }, - "node_modules/each-props": { - "version": "1.3.2", - "resolved": "https://registry.npmjs.org/each-props/-/each-props-1.3.2.tgz", - "integrity": "sha512-vV0Hem3zAGkJAyU7JSjixeU66rwdynTAa1vofCrSA5fEln+m67Az9CcnkVD776/fsN/UjIWmBDoNRS6t6G9RfA==", - "dev": true, - "dependencies": { - "is-plain-object": "^2.0.1", - "object.defaults": "^1.1.0" - } - }, - "node_modules/ee-first": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz", - "integrity": "sha1-WQxhFWsK4vTwJVcyoViyZrxWsh0=", - "dev": true - }, - "node_modules/electron-to-chromium": { - "version": "1.4.57", - "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.4.57.tgz", - "integrity": "sha512-FNC+P5K1n6pF+M0zIK+gFCoXcJhhzDViL3DRIGy2Fv5PohuSES1JHR7T+GlwxSxlzx4yYbsuzCZvHxcBSRCIOw==", - "dev": true - }, - "node_modules/encodeurl": { - "version": "1.0.2", - "resolved": 
"https://registry.npmjs.org/encodeurl/-/encodeurl-1.0.2.tgz", - "integrity": "sha1-rT/0yG7C0CkyL1oCw6mmBslbP1k=", - "dev": true, - "engines": { - "node": ">= 0.8" - } - }, - "node_modules/end-of-stream": { - "version": "1.4.4", - "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.4.4.tgz", - "integrity": "sha512-+uw1inIHVPQoaVuHzRyXd21icM+cnt4CzD5rW+NC1wjOUSTOs+Te7FOv7AhN7vS9x/oIyhLP5PR1H+phQAHu5Q==", - "dev": true, - "dependencies": { - "once": "^1.4.0" - } - }, - "node_modules/error": { - "version": "7.2.1", - "resolved": "https://registry.npmjs.org/error/-/error-7.2.1.tgz", - "integrity": "sha512-fo9HBvWnx3NGUKMvMwB/CBCMMrfEJgbDTVDEkPygA3Bdd3lM1OyCd+rbQ8BwnpF6GdVeOLDNmyL4N5Bg80ZvdA==", - "dev": true, - "dependencies": { - "string-template": "~0.2.1" - } - }, - "node_modules/error-ex": { - "version": "1.3.2", - "resolved": "https://registry.npmjs.org/error-ex/-/error-ex-1.3.2.tgz", - "integrity": "sha512-7dFHNmqeFSEt2ZBsCriorKnn3Z2pj+fd9kmI6QoWw4//DL+icEBfc0U7qJCisqrTsKTjw4fNFy2pW9OqStD84g==", - "dev": true, - "dependencies": { - "is-arrayish": "^0.2.1" - } - }, - "node_modules/es5-ext": { - "version": "0.10.53", - "resolved": "https://registry.npmjs.org/es5-ext/-/es5-ext-0.10.53.tgz", - "integrity": "sha512-Xs2Stw6NiNHWypzRTY1MtaG/uJlwCk8kH81920ma8mvN8Xq1gsfhZvpkImLQArw8AHnv8MT2I45J3c0R8slE+Q==", - "dev": true, - "dependencies": { - "es6-iterator": "~2.0.3", - "es6-symbol": "~3.1.3", - "next-tick": "~1.0.0" - } - }, - "node_modules/es6-iterator": { - "version": "2.0.3", - "resolved": "https://registry.npmjs.org/es6-iterator/-/es6-iterator-2.0.3.tgz", - "integrity": "sha1-p96IkUGgWpSwhUQDstCg+/qY87c=", - "dev": true, - "dependencies": { - "d": "1", - "es5-ext": "^0.10.35", - "es6-symbol": "^3.1.1" - } - }, - "node_modules/es6-symbol": { - "version": "3.1.3", - "resolved": "https://registry.npmjs.org/es6-symbol/-/es6-symbol-3.1.3.tgz", - "integrity": 
"sha512-NJ6Yn3FuDinBaBRWl/q5X/s4koRHBrgKAu+yGI6JCBeiu3qrcbJhwT2GeR/EXVfylRk8dpQVJoLEFhK+Mu31NA==", - "dev": true, - "dependencies": { - "d": "^1.0.1", - "ext": "^1.1.2" - } - }, - "node_modules/es6-weak-map": { - "version": "2.0.3", - "resolved": "https://registry.npmjs.org/es6-weak-map/-/es6-weak-map-2.0.3.tgz", - "integrity": "sha512-p5um32HOTO1kP+w7PRnB+5lQ43Z6muuMuIMffvDN8ZB4GcnjLBV6zGStpbASIMk4DCAvEaamhe2zhyCb/QXXsA==", - "dev": true, - "dependencies": { - "d": "1", - "es5-ext": "^0.10.46", - "es6-iterator": "^2.0.3", - "es6-symbol": "^3.1.1" - } - }, - "node_modules/escalade": { - "version": "3.1.1", - "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.1.1.tgz", - "integrity": "sha512-k0er2gUkLf8O0zKJiAhmkTnJlTvINGv7ygDNPbeIsX/TJjGJZHuh9B2UxbsaEkmlEo9MfhrSzmhIlhRlI2GXnw==", - "dev": true, - "engines": { - "node": ">=6" - } - }, - "node_modules/escape-html": { - "version": "1.0.3", - "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz", - "integrity": "sha1-Aljq5NPQwJdN4cFpGI7wBR0dGYg=", - "dev": true - }, - "node_modules/etag": { - "version": "1.8.1", - "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz", - "integrity": "sha1-Qa4u62XvpiJorr/qg6x9eSmbCIc=", - "dev": true, - "engines": { - "node": ">= 0.6" - } - }, - "node_modules/expand-brackets": { - "version": "2.1.4", - "resolved": "https://registry.npmjs.org/expand-brackets/-/expand-brackets-2.1.4.tgz", - "integrity": "sha1-t3c14xXOMPa27/D4OwQVGiJEliI=", - "dev": true, - "dependencies": { - "debug": "^2.3.3", - "define-property": "^0.2.5", - "extend-shallow": "^2.0.1", - "posix-character-classes": "^0.1.0", - "regex-not": "^1.0.0", - "snapdragon": "^0.8.1", - "to-regex": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/expand-brackets/node_modules/define-property": { - "version": "0.2.5", - "resolved": "https://registry.npmjs.org/define-property/-/define-property-0.2.5.tgz", - "integrity": "sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=", - "dev": 
true, - "dependencies": { - "is-descriptor": "^0.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/expand-brackets/node_modules/extend-shallow": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz", - "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=", - "dev": true, - "dependencies": { - "is-extendable": "^0.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/expand-brackets/node_modules/is-accessor-descriptor": { - "version": "0.1.6", - "resolved": "https://registry.npmjs.org/is-accessor-descriptor/-/is-accessor-descriptor-0.1.6.tgz", - "integrity": "sha1-qeEss66Nh2cn7u84Q/igiXtcmNY=", - "dev": true, - "dependencies": { - "kind-of": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/expand-brackets/node_modules/is-accessor-descriptor/node_modules/kind-of": { - "version": "3.2.2", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz", - "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=", - "dev": true, - "dependencies": { - "is-buffer": "^1.1.5" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/expand-brackets/node_modules/is-data-descriptor": { - "version": "0.1.4", - "resolved": "https://registry.npmjs.org/is-data-descriptor/-/is-data-descriptor-0.1.4.tgz", - "integrity": "sha1-C17mSDiOLIYCgueT8YVv7D8wG1Y=", - "dev": true, - "dependencies": { - "kind-of": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/expand-brackets/node_modules/is-data-descriptor/node_modules/kind-of": { - "version": "3.2.2", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz", - "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=", - "dev": true, - "dependencies": { - "is-buffer": "^1.1.5" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/expand-brackets/node_modules/is-descriptor": { - "version": "0.1.6", - "resolved": "https://registry.npmjs.org/is-descriptor/-/is-descriptor-0.1.6.tgz", 
- "integrity": "sha512-avDYr0SB3DwO9zsMov0gKCESFYqCnE4hq/4z3TdUlukEy5t9C0YRq7HLrsN52NAcqXKaepeCD0n+B0arnVG3Hg==", - "dev": true, - "dependencies": { - "is-accessor-descriptor": "^0.1.6", - "is-data-descriptor": "^0.1.4", - "kind-of": "^5.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/expand-brackets/node_modules/is-extendable": { - "version": "0.1.1", - "resolved": "https://registry.npmjs.org/is-extendable/-/is-extendable-0.1.1.tgz", - "integrity": "sha1-YrEQ4omkcUGOPsNqYX1HLjAd/Ik=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/expand-tilde": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/expand-tilde/-/expand-tilde-2.0.2.tgz", - "integrity": "sha1-l+gBqgUt8CRU3kawK/YhZCzchQI=", - "dev": true, - "dependencies": { - "homedir-polyfill": "^1.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/ext": { - "version": "1.6.0", - "resolved": "https://registry.npmjs.org/ext/-/ext-1.6.0.tgz", - "integrity": "sha512-sdBImtzkq2HpkdRLtlLWDa6w4DX22ijZLKx8BMPUuKe1c5lbN6xwQDQCxSfxBQnHZ13ls/FH0MQZx/q/gr6FQg==", - "dev": true, - "dependencies": { - "type": "^2.5.0" - } - }, - "node_modules/ext/node_modules/type": { - "version": "2.5.0", - "resolved": "https://registry.npmjs.org/type/-/type-2.5.0.tgz", - "integrity": "sha512-180WMDQaIMm3+7hGXWf12GtdniDEy7nYcyFMKJn/eZz/6tSLXrUN9V0wKSbMjej0I1WHWbpREDEKHtqPQa9NNw==", - "dev": true - }, - "node_modules/extend": { - "version": "3.0.2", - "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz", - "integrity": "sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==", - "dev": true - }, - "node_modules/extend-shallow": { - "version": "3.0.2", - "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-3.0.2.tgz", - "integrity": "sha1-Jqcarwc7OfshJxcnRhMcJwQCjbg=", - "dev": true, - "dependencies": { - "assign-symbols": "^1.0.0", - "is-extendable": "^1.0.1" - }, - "engines": { - "node": 
">=0.10.0" - } - }, - "node_modules/extglob": { - "version": "2.0.4", - "resolved": "https://registry.npmjs.org/extglob/-/extglob-2.0.4.tgz", - "integrity": "sha512-Nmb6QXkELsuBr24CJSkilo6UHHgbekK5UiZgfE6UHD3Eb27YC6oD+bhcT+tJ6cl8dmsgdQxnWlcry8ksBIBLpw==", - "dev": true, - "dependencies": { - "array-unique": "^0.3.2", - "define-property": "^1.0.0", - "expand-brackets": "^2.1.4", - "extend-shallow": "^2.0.1", - "fragment-cache": "^0.2.1", - "regex-not": "^1.0.0", - "snapdragon": "^0.8.1", - "to-regex": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/extglob/node_modules/define-property": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/define-property/-/define-property-1.0.0.tgz", - "integrity": "sha1-dp66rz9KY6rTr56NMEybvnm/sOY=", - "dev": true, - "dependencies": { - "is-descriptor": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/extglob/node_modules/extend-shallow": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz", - "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=", - "dev": true, - "dependencies": { - "is-extendable": "^0.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/extglob/node_modules/is-extendable": { - "version": "0.1.1", - "resolved": "https://registry.npmjs.org/is-extendable/-/is-extendable-0.1.1.tgz", - "integrity": "sha1-YrEQ4omkcUGOPsNqYX1HLjAd/Ik=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/fancy-log": { - "version": "1.3.3", - "resolved": "https://registry.npmjs.org/fancy-log/-/fancy-log-1.3.3.tgz", - "integrity": "sha512-k9oEhlyc0FrVh25qYuSELjr8oxsCoc4/LEZfg2iJJrfEk/tZL9bCoJE47gqAvI2m/AUjluCS4+3I0eTx8n3AEw==", - "dev": true, - "dependencies": { - "ansi-gray": "^0.1.1", - "color-support": "^1.1.3", - "parse-node-version": "^1.0.0", - "time-stamp": "^1.0.0" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/fast-levenshtein": { - "version": "1.1.4", - 
"resolved": "https://registry.npmjs.org/fast-levenshtein/-/fast-levenshtein-1.1.4.tgz", - "integrity": "sha1-5qdUzI8V5YmHqpy9J69m/W9OWvk=", - "dev": true - }, - "node_modules/faye-websocket": { - "version": "0.10.0", - "resolved": "https://registry.npmjs.org/faye-websocket/-/faye-websocket-0.10.0.tgz", - "integrity": "sha1-TkkvjQTftviQA1B/btvy1QHnxvQ=", - "dev": true, - "dependencies": { - "websocket-driver": ">=0.5.1" - }, - "engines": { - "node": ">=0.4.0" - } - }, - "node_modules/file-uri-to-path": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/file-uri-to-path/-/file-uri-to-path-1.0.0.tgz", - "integrity": "sha512-0Zt+s3L7Vf1biwWZ29aARiVYLx7iMGnEUl9x33fbB/j3jR81u/O2LbqK+Bm1CDSNDKVtJ/YjwY7TUd5SkeLQLw==", - "dev": true, - "optional": true - }, - "node_modules/fill-range": { - "version": "7.0.1", - "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz", - "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==", - "dev": true, - "dependencies": { - "to-regex-range": "^5.0.1" - }, - "engines": { - "node": ">=8" - } - }, - "node_modules/finalhandler": { - "version": "1.1.2", - "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.1.2.tgz", - "integrity": "sha512-aAWcW57uxVNrQZqFXjITpW3sIUQmHGG3qSb9mUah9MgMC4NeWhNOlNjXEYq3HjRAvL6arUviZGGJsBg6z0zsWA==", - "dev": true, - "dependencies": { - "debug": "2.6.9", - "encodeurl": "~1.0.2", - "escape-html": "~1.0.3", - "on-finished": "~2.3.0", - "parseurl": "~1.3.3", - "statuses": "~1.5.0", - "unpipe": "~1.0.0" - }, - "engines": { - "node": ">= 0.8" - } - }, - "node_modules/find-up": { - "version": "1.1.2", - "resolved": "https://registry.npmjs.org/find-up/-/find-up-1.1.2.tgz", - "integrity": "sha1-ay6YIrGizgpgq2TWEOzK1TyyTQ8=", - "dev": true, - "dependencies": { - "path-exists": "^2.0.0", - "pinkie-promise": "^2.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/findup-sync": { - "version": "4.0.0", 
- "resolved": "https://registry.npmjs.org/findup-sync/-/findup-sync-4.0.0.tgz", - "integrity": "sha512-6jvvn/12IC4quLBL1KNokxC7wWTvYncaVUYSoxWw7YykPLuRrnv4qdHcSOywOI5RpkOVGeQRtWM8/q+G6W6qfQ==", - "dev": true, - "dependencies": { - "detect-file": "^1.0.0", - "is-glob": "^4.0.0", - "micromatch": "^4.0.2", - "resolve-dir": "^1.0.1" - }, - "engines": { - "node": ">= 8" - } - }, - "node_modules/fined": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/fined/-/fined-1.2.0.tgz", - "integrity": "sha512-ZYDqPLGxDkDhDZBjZBb+oD1+j0rA4E0pXY50eplAAOPg2N/gUBSSk5IM1/QhPfyVo19lJ+CvXpqfvk+b2p/8Ng==", - "dev": true, - "dependencies": { - "expand-tilde": "^2.0.2", - "is-plain-object": "^2.0.3", - "object.defaults": "^1.1.0", - "object.pick": "^1.2.0", - "parse-filepath": "^1.0.1" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/flagged-respawn": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/flagged-respawn/-/flagged-respawn-1.0.1.tgz", - "integrity": "sha512-lNaHNVymajmk0OJMBn8fVUAU1BtDeKIqKoVhk4xAALB57aALg6b4W0MfJ/cUE0g9YBXy5XhSlPIpYIJ7HaY/3Q==", - "dev": true, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/flush-write-stream": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/flush-write-stream/-/flush-write-stream-1.1.1.tgz", - "integrity": "sha512-3Z4XhFZ3992uIq0XOqb9AreonueSYphE6oYbpt5+3u06JWklbsPkNv3ZKkP9Bz/r+1MWCaMoSQ28P85+1Yc77w==", - "dev": true, - "dependencies": { - "inherits": "^2.0.3", - "readable-stream": "^2.3.6" - } - }, - "node_modules/flush-write-stream/node_modules/readable-stream": { - "version": "2.3.7", - "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.7.tgz", - "integrity": "sha512-Ebho8K4jIbHAxnuxi7o42OrZgF/ZTNcsZj6nRKyUmkhLFq8CHItp/fy6hQZuZmP/n3yZ9VBUbp4zz/mX8hmYPw==", - "dev": true, - "dependencies": { - "core-util-is": "~1.0.0", - "inherits": "~2.0.3", - "isarray": "~1.0.0", - "process-nextick-args": "~2.0.0", - "safe-buffer": "~5.1.1", - 
"string_decoder": "~1.1.1", - "util-deprecate": "~1.0.1" - } - }, - "node_modules/flush-write-stream/node_modules/safe-buffer": { - "version": "5.1.2", - "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", - "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==", - "dev": true - }, - "node_modules/flush-write-stream/node_modules/string_decoder": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", - "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", - "dev": true, - "dependencies": { - "safe-buffer": "~5.1.0" - } - }, - "node_modules/for-in": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/for-in/-/for-in-1.0.2.tgz", - "integrity": "sha1-gQaNKVqBQuwKxybG4iAMMPttXoA=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/for-own": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/for-own/-/for-own-1.0.0.tgz", - "integrity": "sha1-xjMy9BXO3EsE2/5wz4NklMU8tEs=", - "dev": true, - "dependencies": { - "for-in": "^1.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/fraction.js": { - "version": "4.1.2", - "resolved": "https://registry.npmjs.org/fraction.js/-/fraction.js-4.1.2.tgz", - "integrity": "sha512-o2RiJQ6DZaR/5+Si0qJUIy637QMRudSi9kU/FFzx9EZazrIdnBgpU+3sEWCxAVhH2RtxW2Oz+T4p2o8uOPVcgA==", - "dev": true, - "engines": { - "node": "*" - }, - "funding": { - "type": "patreon", - "url": "https://www.patreon.com/infusion" - } - }, - "node_modules/fragment-cache": { - "version": "0.2.1", - "resolved": "https://registry.npmjs.org/fragment-cache/-/fragment-cache-0.2.1.tgz", - "integrity": "sha1-QpD60n8T6Jvn8zeZxrxaCr//DRk=", - "dev": true, - "dependencies": { - "map-cache": "^0.2.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/fresh": { - "version": "0.5.2", - "resolved": 
"https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz", - "integrity": "sha1-PYyt2Q2XZWn6g1qx+OSyOhBWBac=", - "dev": true, - "engines": { - "node": ">= 0.6" - } - }, - "node_modules/fs-mkdirp-stream": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/fs-mkdirp-stream/-/fs-mkdirp-stream-1.0.0.tgz", - "integrity": "sha1-C3gV/DIBxqaeFNuYzgmMFpNSWes=", - "dev": true, - "dependencies": { - "graceful-fs": "^4.1.11", - "through2": "^2.0.3" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/fs-mkdirp-stream/node_modules/readable-stream": { - "version": "2.3.7", - "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.7.tgz", - "integrity": "sha512-Ebho8K4jIbHAxnuxi7o42OrZgF/ZTNcsZj6nRKyUmkhLFq8CHItp/fy6hQZuZmP/n3yZ9VBUbp4zz/mX8hmYPw==", - "dev": true, - "dependencies": { - "core-util-is": "~1.0.0", - "inherits": "~2.0.3", - "isarray": "~1.0.0", - "process-nextick-args": "~2.0.0", - "safe-buffer": "~5.1.1", - "string_decoder": "~1.1.1", - "util-deprecate": "~1.0.1" - } - }, - "node_modules/fs-mkdirp-stream/node_modules/safe-buffer": { - "version": "5.1.2", - "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", - "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==", - "dev": true - }, - "node_modules/fs-mkdirp-stream/node_modules/string_decoder": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", - "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", - "dev": true, - "dependencies": { - "safe-buffer": "~5.1.0" - } - }, - "node_modules/fs-mkdirp-stream/node_modules/through2": { - "version": "2.0.5", - "resolved": "https://registry.npmjs.org/through2/-/through2-2.0.5.tgz", - "integrity": "sha512-/mrRod8xqpA+IHSLyGCQ2s8SPHiCDEeQJSep1jqLYeEUClOFG2Qsh+4FU6G9VeqpZnGW/Su8LQGc4YKni5rYSQ==", - "dev": true, - "dependencies": { - 
"readable-stream": "~2.3.6", - "xtend": "~4.0.1" - } - }, - "node_modules/fs.realpath": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", - "integrity": "sha1-FQStJSMVjKpA20onh8sBQRmU6k8=", - "dev": true - }, - "node_modules/fsevents": { - "version": "1.2.13", - "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-1.2.13.tgz", - "integrity": "sha512-oWb1Z6mkHIskLzEJ/XWX0srkpkTQ7vaopMQkyaEIoq0fmtFVxOthb8cCxeT+p3ynTdkk/RZwbgG4brR5BeWECw==", - "deprecated": "fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.", - "dev": true, - "hasInstallScript": true, - "optional": true, - "os": [ - "darwin" - ], - "dependencies": { - "bindings": "^1.5.0", - "nan": "^2.12.1" - }, - "engines": { - "node": ">= 4.0" - } - }, - "node_modules/function-bind": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.1.tgz", - "integrity": "sha512-yIovAzMX49sF8Yl58fSCWJ5svSLuaibPxXQJFLmBObTuCr0Mf1KiPopGM9NiFjiYBCbfaa2Fh6breQ6ANVTI0A==", - "dev": true - }, - "node_modules/get-caller-file": { - "version": "1.0.3", - "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-1.0.3.tgz", - "integrity": "sha512-3t6rVToeoZfYSGd8YoLFR2DJkiQrIiUrGcjvFX2mDw3bn6k2OtwHN0TNCLbBO+w8qTvimhDkv+LSscbJY1vE6w==", - "dev": true - }, - "node_modules/get-intrinsic": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.1.1.tgz", - "integrity": "sha512-kWZrnVM42QCiEA2Ig1bG8zjoIMOgxWwYCEeNdwY6Tv/cOSeGpcoX4pXHfKUxNKVoArnrEr2e9srnAxxGIraS9Q==", - "dev": true, - "dependencies": { - "function-bind": "^1.1.1", - "has": "^1.0.3", - "has-symbols": "^1.0.1" - }, - "funding": { - "url": "https://github.com/sponsors/ljharb" - } - }, - "node_modules/get-value": { - "version": "2.0.6", - "resolved": "https://registry.npmjs.org/get-value/-/get-value-2.0.6.tgz", - "integrity": "sha1-3BXKHGcjh8p2vTesCjlbogQqLCg=", - "dev": 
true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/glob": { - "version": "7.2.0", - "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.0.tgz", - "integrity": "sha512-lmLf6gtyrPq8tTjSmrO94wBeQbFR3HbLHbuyD69wuyQkImp2hWqMGB47OX65FBkPffO641IP9jWa1z4ivqG26Q==", - "dev": true, - "dependencies": { - "fs.realpath": "^1.0.0", - "inflight": "^1.0.4", - "inherits": "2", - "minimatch": "^3.0.4", - "once": "^1.3.0", - "path-is-absolute": "^1.0.0" - }, - "engines": { - "node": "*" - }, - "funding": { - "url": "https://github.com/sponsors/isaacs" - } - }, - "node_modules/glob-parent": { - "version": "3.1.0", - "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz", - "integrity": "sha1-nmr2KZ2NO9K9QEMIMr0RPfkGxa4=", - "dev": true, - "dependencies": { - "is-glob": "^3.1.0", - "path-dirname": "^1.0.0" - } - }, - "node_modules/glob-parent/node_modules/is-glob": { - "version": "3.1.0", - "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-3.1.0.tgz", - "integrity": "sha1-e6WuJCF4BKxwcHuWkiVnSGzD6Eo=", - "dev": true, - "dependencies": { - "is-extglob": "^2.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/glob-stream": { - "version": "6.1.0", - "resolved": "https://registry.npmjs.org/glob-stream/-/glob-stream-6.1.0.tgz", - "integrity": "sha1-cEXJlBOz65SIjYOrRtC0BMx73eQ=", - "dev": true, - "dependencies": { - "extend": "^3.0.0", - "glob": "^7.1.1", - "glob-parent": "^3.1.0", - "is-negated-glob": "^1.0.0", - "ordered-read-streams": "^1.0.0", - "pumpify": "^1.3.5", - "readable-stream": "^2.1.5", - "remove-trailing-separator": "^1.0.1", - "to-absolute-glob": "^2.0.0", - "unique-stream": "^2.0.2" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/glob-stream/node_modules/readable-stream": { - "version": "2.3.7", - "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.7.tgz", - "integrity": 
"sha512-Ebho8K4jIbHAxnuxi7o42OrZgF/ZTNcsZj6nRKyUmkhLFq8CHItp/fy6hQZuZmP/n3yZ9VBUbp4zz/mX8hmYPw==", - "dev": true, - "dependencies": { - "core-util-is": "~1.0.0", - "inherits": "~2.0.3", - "isarray": "~1.0.0", - "process-nextick-args": "~2.0.0", - "safe-buffer": "~5.1.1", - "string_decoder": "~1.1.1", - "util-deprecate": "~1.0.1" - } - }, - "node_modules/glob-stream/node_modules/safe-buffer": { - "version": "5.1.2", - "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", - "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==", - "dev": true - }, - "node_modules/glob-stream/node_modules/string_decoder": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", - "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", - "dev": true, - "dependencies": { - "safe-buffer": "~5.1.0" - } - }, - "node_modules/glob-watcher": { - "version": "5.0.5", - "resolved": "https://registry.npmjs.org/glob-watcher/-/glob-watcher-5.0.5.tgz", - "integrity": "sha512-zOZgGGEHPklZNjZQaZ9f41i7F2YwE+tS5ZHrDhbBCk3stwahn5vQxnFmBJZHoYdusR6R1bLSXeGUy/BhctwKzw==", - "dev": true, - "dependencies": { - "anymatch": "^2.0.0", - "async-done": "^1.2.0", - "chokidar": "^2.0.0", - "is-negated-glob": "^1.0.0", - "just-debounce": "^1.0.0", - "normalize-path": "^3.0.0", - "object.defaults": "^1.1.0" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/global-modules": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/global-modules/-/global-modules-1.0.0.tgz", - "integrity": "sha512-sKzpEkf11GpOFuw0Zzjzmt4B4UZwjOcG757PPvrfhxcLFbq0wpsgpOqxpxtxFiCG4DtG93M6XRVbF2oGdev7bg==", - "dev": true, - "dependencies": { - "global-prefix": "^1.0.1", - "is-windows": "^1.0.1", - "resolve-dir": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/global-prefix": { - "version": "1.0.2", - 
"resolved": "https://registry.npmjs.org/global-prefix/-/global-prefix-1.0.2.tgz", - "integrity": "sha1-2/dDxsFJklk8ZVVoy2btMsASLr4=", - "dev": true, - "dependencies": { - "expand-tilde": "^2.0.2", - "homedir-polyfill": "^1.0.1", - "ini": "^1.3.4", - "is-windows": "^1.0.1", - "which": "^1.2.14" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/glogg": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/glogg/-/glogg-1.0.2.tgz", - "integrity": "sha512-5mwUoSuBk44Y4EshyiqcH95ZntbDdTQqA3QYSrxmzj28Ai0vXBGMH1ApSANH14j2sIRtqCEyg6PfsuP7ElOEDA==", - "dev": true, - "dependencies": { - "sparkles": "^1.0.0" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/graceful-fs": { - "version": "4.2.9", - "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.9.tgz", - "integrity": "sha512-NtNxqUcXgpW2iMrfqSfR73Glt39K+BLwWsPs94yR63v45T0Wbej7eRmL5cWfwEgqXnmjQp3zaJTshdRW/qC2ZQ==", - "dev": true - }, - "node_modules/gulp": { - "version": "4.0.2", - "resolved": "https://registry.npmjs.org/gulp/-/gulp-4.0.2.tgz", - "integrity": "sha512-dvEs27SCZt2ibF29xYgmnwwCYZxdxhQ/+LFWlbAW8y7jt68L/65402Lz3+CKy0Ov4rOs+NERmDq7YlZaDqUIfA==", - "dev": true, - "dependencies": { - "glob-watcher": "^5.0.3", - "gulp-cli": "^2.2.0", - "undertaker": "^1.2.1", - "vinyl-fs": "^3.0.0" - }, - "bin": { - "gulp": "bin/gulp.js" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/gulp-autoprefixer": { - "version": "8.0.0", - "resolved": "https://registry.npmjs.org/gulp-autoprefixer/-/gulp-autoprefixer-8.0.0.tgz", - "integrity": "sha512-sVR++PIaXpa81p52dmmA/jt50bw0egmylK5mjagfgOJ8uLDGaF9tHyzvetkY9Uo0gBZUS5sVqN3kX/GlUKOyog==", - "dev": true, - "dependencies": { - "autoprefixer": "^10.2.6", - "fancy-log": "^1.3.3", - "plugin-error": "^1.0.1", - "postcss": "^8.3.0", - "through2": "^4.0.2", - "vinyl-sourcemaps-apply": "^0.2.1" - }, - "engines": { - "node": ">=12" - }, - "peerDependencies": { - "gulp": ">=4" - }, - "peerDependenciesMeta": { - "gulp": { - 
"optional": true - } - } - }, - "node_modules/gulp-clean-css": { - "version": "4.3.0", - "resolved": "https://registry.npmjs.org/gulp-clean-css/-/gulp-clean-css-4.3.0.tgz", - "integrity": "sha512-mGyeT3qqFXTy61j0zOIciS4MkYziF2U594t2Vs9rUnpkEHqfu6aDITMp8xOvZcvdX61Uz3y1mVERRYmjzQF5fg==", - "dev": true, - "dependencies": { - "clean-css": "4.2.3", - "plugin-error": "1.0.1", - "through2": "3.0.1", - "vinyl-sourcemaps-apply": "0.2.1" - } - }, - "node_modules/gulp-clean-css/node_modules/through2": { - "version": "3.0.1", - "resolved": "https://registry.npmjs.org/through2/-/through2-3.0.1.tgz", - "integrity": "sha512-M96dvTalPT3YbYLaKaCuwu+j06D/8Jfib0o/PxbVt6Amhv3dUAtW6rTV1jPgJSBG83I/e04Y6xkVdVhSRhi0ww==", - "dev": true, - "dependencies": { - "readable-stream": "2 || 3" - } - }, - "node_modules/gulp-cli": { - "version": "2.3.0", - "resolved": "https://registry.npmjs.org/gulp-cli/-/gulp-cli-2.3.0.tgz", - "integrity": "sha512-zzGBl5fHo0EKSXsHzjspp3y5CONegCm8ErO5Qh0UzFzk2y4tMvzLWhoDokADbarfZRL2pGpRp7yt6gfJX4ph7A==", - "dev": true, - "dependencies": { - "ansi-colors": "^1.0.1", - "archy": "^1.0.0", - "array-sort": "^1.0.0", - "color-support": "^1.1.3", - "concat-stream": "^1.6.0", - "copy-props": "^2.0.1", - "fancy-log": "^1.3.2", - "gulplog": "^1.0.0", - "interpret": "^1.4.0", - "isobject": "^3.0.1", - "liftoff": "^3.1.0", - "matchdep": "^2.0.0", - "mute-stdout": "^1.0.0", - "pretty-hrtime": "^1.0.0", - "replace-homedir": "^1.0.0", - "semver-greatest-satisfied-range": "^1.1.0", - "v8flags": "^3.2.0", - "yargs": "^7.1.0" - }, - "bin": { - "gulp": "bin/gulp.js" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/gulp-connect": { - "version": "5.7.0", - "resolved": "https://registry.npmjs.org/gulp-connect/-/gulp-connect-5.7.0.tgz", - "integrity": "sha512-8tRcC6wgXMLakpPw9M7GRJIhxkYdgZsXwn7n56BA2bQYGLR9NOPhMzx7js+qYDy6vhNkbApGKURjAw1FjY4pNA==", - "dev": true, - "dependencies": { - "ansi-colors": "^2.0.5", - "connect": "^3.6.6", - "connect-livereload": "^0.6.0", - 
"fancy-log": "^1.3.2", - "map-stream": "^0.0.7", - "send": "^0.16.2", - "serve-index": "^1.9.1", - "serve-static": "^1.13.2", - "tiny-lr": "^1.1.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/gulp-connect/node_modules/ansi-colors": { - "version": "2.0.5", - "resolved": "https://registry.npmjs.org/ansi-colors/-/ansi-colors-2.0.5.tgz", - "integrity": "sha512-yAdfUZ+c2wetVNIFsNRn44THW+Lty6S5TwMpUfLA/UaGhiXbBv/F8E60/1hMLd0cnF/CDoWH8vzVaI5bAcHCjw==", - "dev": true, - "engines": { - "node": ">=6" - } - }, - "node_modules/gulp-load-plugins": { - "version": "2.0.7", - "resolved": "https://registry.npmjs.org/gulp-load-plugins/-/gulp-load-plugins-2.0.7.tgz", - "integrity": "sha512-/3nl/p7s9O03Yv6SSEqN2dXEbDE0+JpsKfJl6h/GgCLqqnkZT0bF+JWcz87HzcTBeh/MVzMosAJx4kLDTWrTNQ==", - "dev": true, - "dependencies": { - "array-unique": "^0.3.2", - "fancy-log": "^1.2.0", - "findup-sync": "^4.0.0", - "gulplog": "^1.0.0", - "has-gulplog": "^0.1.0", - "micromatch": "^4.0.2", - "resolve": "^1.17.0" - }, - "engines": { - "node": ">=8" - } - }, - "node_modules/gulp-rename": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/gulp-rename/-/gulp-rename-2.0.0.tgz", - "integrity": "sha512-97Vba4KBzbYmR5VBs9mWmK+HwIf5mj+/zioxfZhOKeXtx5ZjBk57KFlePf5nxq9QsTtFl0ejnHE3zTC9MHXqyQ==", - "dev": true, - "engines": { - "node": ">=4" - } - }, - "node_modules/gulp-sass": { - "version": "5.1.0", - "resolved": "https://registry.npmjs.org/gulp-sass/-/gulp-sass-5.1.0.tgz", - "integrity": "sha512-7VT0uaF+VZCmkNBglfe1b34bxn/AfcssquLKVDYnCDJ3xNBaW7cUuI3p3BQmoKcoKFrs9jdzUxyb+u+NGfL4OQ==", - "dev": true, - "dependencies": { - "lodash.clonedeep": "^4.5.0", - "picocolors": "^1.0.0", - "plugin-error": "^1.0.1", - "replace-ext": "^2.0.0", - "strip-ansi": "^6.0.1", - "vinyl-sourcemaps-apply": "^0.2.1" - }, - "engines": { - "node": ">=12" - } - }, - "node_modules/gulp-terser": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/gulp-terser/-/gulp-terser-2.1.0.tgz", - 
"integrity": "sha512-lQ3+JUdHDVISAlUIUSZ/G9Dz/rBQHxOiYDQ70IVWFQeh4b33TC1MCIU+K18w07PS3rq/CVc34aQO4SUbdaNMPQ==", - "dev": true, - "dependencies": { - "plugin-error": "^1.0.1", - "terser": "^5.9.0", - "through2": "^4.0.2", - "vinyl-sourcemaps-apply": "^0.2.1" - }, - "engines": { - "node": ">=10" - } - }, - "node_modules/gulplog": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/gulplog/-/gulplog-1.0.0.tgz", - "integrity": "sha1-4oxNRdBey77YGDY86PnFkmIp/+U=", - "dev": true, - "dependencies": { - "glogg": "^1.0.0" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/has": { - "version": "1.0.3", - "resolved": "https://registry.npmjs.org/has/-/has-1.0.3.tgz", - "integrity": "sha512-f2dvO0VU6Oej7RkWJGrehjbzMAjFp5/VKPp5tTpWIV4JHHZK1/BxbFRtf/siA2SWTe09caDmVtYYzWEIbBS4zw==", - "dev": true, - "dependencies": { - "function-bind": "^1.1.1" - }, - "engines": { - "node": ">= 0.4.0" - } - }, - "node_modules/has-gulplog": { - "version": "0.1.0", - "resolved": "https://registry.npmjs.org/has-gulplog/-/has-gulplog-0.1.0.tgz", - "integrity": "sha1-ZBTIKRNpfaUVkDl9r7EvIpZ4Ec4=", - "dev": true, - "dependencies": { - "sparkles": "^1.0.0" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/has-symbols": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.0.2.tgz", - "integrity": "sha512-chXa79rL/UC2KlX17jo3vRGz0azaWEx5tGqZg5pO3NUyEJVB17dMruQlzCCOfUvElghKcm5194+BCRvi2Rv/Gw==", - "dev": true, - "engines": { - "node": ">= 0.4" - }, - "funding": { - "url": "https://github.com/sponsors/ljharb" - } - }, - "node_modules/has-value": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/has-value/-/has-value-1.0.0.tgz", - "integrity": "sha1-GLKB2lhbHFxR3vJMkw7SmgvmsXc=", - "dev": true, - "dependencies": { - "get-value": "^2.0.6", - "has-values": "^1.0.0", - "isobject": "^3.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/has-values": { - "version": "1.0.0", - "resolved": 
"https://registry.npmjs.org/has-values/-/has-values-1.0.0.tgz", - "integrity": "sha1-lbC2P+whRmGab+V/51Yo1aOe/k8=", - "dev": true, - "dependencies": { - "is-number": "^3.0.0", - "kind-of": "^4.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/has-values/node_modules/is-number": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/is-number/-/is-number-3.0.0.tgz", - "integrity": "sha1-JP1iAaR4LPUFYcgQJ2r8fRLXEZU=", - "dev": true, - "dependencies": { - "kind-of": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/has-values/node_modules/is-number/node_modules/kind-of": { - "version": "3.2.2", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz", - "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=", - "dev": true, - "dependencies": { - "is-buffer": "^1.1.5" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/has-values/node_modules/kind-of": { - "version": "4.0.0", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-4.0.0.tgz", - "integrity": "sha1-IIE989cSkosgc3hpGkUGb65y3Vc=", - "dev": true, - "dependencies": { - "is-buffer": "^1.1.5" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/homedir-polyfill": { - "version": "1.0.3", - "resolved": "https://registry.npmjs.org/homedir-polyfill/-/homedir-polyfill-1.0.3.tgz", - "integrity": "sha512-eSmmWE5bZTK2Nou4g0AI3zZ9rswp7GRKoKXS1BLUkvPviOqs4YTN1djQIqrXy9k5gEtdLPy86JjRwsNM9tnDcA==", - "dev": true, - "dependencies": { - "parse-passwd": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/hosted-git-info": { - "version": "2.8.9", - "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.9.tgz", - "integrity": "sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==", - "dev": true - }, - "node_modules/http-errors": { - "version": "1.6.3", - "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.6.3.tgz", - "integrity": 
"sha1-i1VoC7S+KDoLW/TqLjhYC+HZMg0=", - "dev": true, - "dependencies": { - "depd": "~1.1.2", - "inherits": "2.0.3", - "setprototypeof": "1.1.0", - "statuses": ">= 1.4.0 < 2" - }, - "engines": { - "node": ">= 0.6" - } - }, - "node_modules/http-errors/node_modules/inherits": { - "version": "2.0.3", - "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.3.tgz", - "integrity": "sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4=", - "dev": true - }, - "node_modules/http-parser-js": { - "version": "0.5.5", - "resolved": "https://registry.npmjs.org/http-parser-js/-/http-parser-js-0.5.5.tgz", - "integrity": "sha512-x+JVEkO2PoM8qqpbPbOL3cqHPwerep7OwzK7Ay+sMQjKzaKCqWvjoXm5tqMP9tXWWTnTzAjIhXg+J99XYuPhPA==", - "dev": true - }, - "node_modules/immutable": { - "version": "4.0.0", - "resolved": "https://registry.npmjs.org/immutable/-/immutable-4.0.0.tgz", - "integrity": "sha512-zIE9hX70qew5qTUjSS7wi1iwj/l7+m54KWU247nhM3v806UdGj1yDndXj+IOYxxtW9zyLI+xqFNZjTuDaLUqFw==", - "dev": true - }, - "node_modules/inflight": { - "version": "1.0.6", - "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", - "integrity": "sha1-Sb1jMdfQLQwJvJEKEHW6gWW1bfk=", - "dev": true, - "dependencies": { - "once": "^1.3.0", - "wrappy": "1" - } - }, - "node_modules/inherits": { - "version": "2.0.4", - "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", - "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==", - "dev": true - }, - "node_modules/ini": { - "version": "1.3.8", - "resolved": "https://registry.npmjs.org/ini/-/ini-1.3.8.tgz", - "integrity": "sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==", - "dev": true - }, - "node_modules/interpret": { - "version": "1.4.0", - "resolved": "https://registry.npmjs.org/interpret/-/interpret-1.4.0.tgz", - "integrity": "sha512-agE4QfB2Lkp9uICn7BAqoscw4SZP9kTE2hxiFI3jBPmXJfdqiahTbUuKGsMoN2GtqL9AxhYioAcVvgsb1HvRbA==", - "dev": true, - 
"engines": { - "node": ">= 0.10" - } - }, - "node_modules/invert-kv": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/invert-kv/-/invert-kv-1.0.0.tgz", - "integrity": "sha1-EEqOSqym09jNFXqO+L+rLXo//bY=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/is-absolute": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/is-absolute/-/is-absolute-1.0.0.tgz", - "integrity": "sha512-dOWoqflvcydARa360Gvv18DZ/gRuHKi2NU/wU5X1ZFzdYfH29nkiNZsF3mp4OJ3H4yo9Mx8A/uAGNzpzPN3yBA==", - "dev": true, - "dependencies": { - "is-relative": "^1.0.0", - "is-windows": "^1.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/is-accessor-descriptor": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/is-accessor-descriptor/-/is-accessor-descriptor-1.0.0.tgz", - "integrity": "sha512-m5hnHTkcVsPfqx3AKlyttIPb7J+XykHvJP2B9bZDjlhLIoEq4XoK64Vg7boZlVWYK6LUY94dYPEE7Lh0ZkZKcQ==", - "dev": true, - "dependencies": { - "kind-of": "^6.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/is-accessor-descriptor/node_modules/kind-of": { - "version": "6.0.3", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-6.0.3.tgz", - "integrity": "sha512-dcS1ul+9tmeD95T+x28/ehLgd9mENa3LsvDTtzm3vyBEO7RPptvAD+t44WVXaUjTBRcrpFeFlC8WCruUR456hw==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/is-arrayish": { - "version": "0.2.1", - "resolved": "https://registry.npmjs.org/is-arrayish/-/is-arrayish-0.2.1.tgz", - "integrity": "sha1-d8mYQFJ6qOyxqLppe4BkWnqSap0=", - "dev": true - }, - "node_modules/is-binary-path": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/is-binary-path/-/is-binary-path-1.0.1.tgz", - "integrity": "sha1-dfFmQrSA8YenEcgUFh/TpKdlWJg=", - "dev": true, - "dependencies": { - "binary-extensions": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/is-buffer": { - "version": "1.1.6", - "resolved": 
"https://registry.npmjs.org/is-buffer/-/is-buffer-1.1.6.tgz", - "integrity": "sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==", - "dev": true - }, - "node_modules/is-core-module": { - "version": "2.8.1", - "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.8.1.tgz", - "integrity": "sha512-SdNCUs284hr40hFTFP6l0IfZ/RSrMXF3qgoRHd3/79unUTvrFO/JoXwkGm+5J/Oe3E/b5GsnG330uUNgRpu1PA==", - "dev": true, - "dependencies": { - "has": "^1.0.3" - }, - "funding": { - "url": "https://github.com/sponsors/ljharb" - } - }, - "node_modules/is-data-descriptor": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/is-data-descriptor/-/is-data-descriptor-1.0.0.tgz", - "integrity": "sha512-jbRXy1FmtAoCjQkVmIVYwuuqDFUbaOeDjmed1tOGPrsMhtJA4rD9tkgA0F1qJ3gRFRXcHYVkdeaP50Q5rE/jLQ==", - "dev": true, - "dependencies": { - "kind-of": "^6.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/is-data-descriptor/node_modules/kind-of": { - "version": "6.0.3", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-6.0.3.tgz", - "integrity": "sha512-dcS1ul+9tmeD95T+x28/ehLgd9mENa3LsvDTtzm3vyBEO7RPptvAD+t44WVXaUjTBRcrpFeFlC8WCruUR456hw==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/is-descriptor": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/is-descriptor/-/is-descriptor-1.0.2.tgz", - "integrity": "sha512-2eis5WqQGV7peooDyLmNEPUrps9+SXX5c9pL3xEB+4e9HnGuDa7mB7kHxHw4CbqS9k1T2hOH3miL8n8WtiYVtg==", - "dev": true, - "dependencies": { - "is-accessor-descriptor": "^1.0.0", - "is-data-descriptor": "^1.0.0", - "kind-of": "^6.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/is-descriptor/node_modules/kind-of": { - "version": "6.0.3", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-6.0.3.tgz", - "integrity": "sha512-dcS1ul+9tmeD95T+x28/ehLgd9mENa3LsvDTtzm3vyBEO7RPptvAD+t44WVXaUjTBRcrpFeFlC8WCruUR456hw==", - "dev": true, - 
"engines": { - "node": ">=0.10.0" - } - }, - "node_modules/is-extendable": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/is-extendable/-/is-extendable-1.0.1.tgz", - "integrity": "sha512-arnXMxT1hhoKo9k1LZdmlNyJdDDfy2v0fXjFlmok4+i8ul/6WlbVge9bhM74OpNPQPMGUToDtz+KXa1PneJxOA==", - "dev": true, - "dependencies": { - "is-plain-object": "^2.0.4" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/is-extglob": { - "version": "2.1.1", - "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz", - "integrity": "sha1-qIwCU1eR8C7TfHahueqXc8gz+MI=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/is-fullwidth-code-point": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-1.0.0.tgz", - "integrity": "sha1-754xOG8DGn8NZDr4L95QxFfvAMs=", - "dev": true, - "dependencies": { - "number-is-nan": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/is-glob": { - "version": "4.0.3", - "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.3.tgz", - "integrity": "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==", - "dev": true, - "dependencies": { - "is-extglob": "^2.1.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/is-negated-glob": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/is-negated-glob/-/is-negated-glob-1.0.0.tgz", - "integrity": "sha1-aRC8pdqMleeEtXUbl2z1oQ/uNtI=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/is-number": { - "version": "7.0.0", - "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz", - "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==", - "dev": true, - "engines": { - "node": ">=0.12.0" - } - }, - "node_modules/is-plain-object": { - "version": "2.0.4", - "resolved": 
"https://registry.npmjs.org/is-plain-object/-/is-plain-object-2.0.4.tgz", - "integrity": "sha512-h5PpgXkWitc38BBMYawTYMWJHFZJVnBquFE57xFpjB8pJFiF6gZ+bU+WyI/yqXiFR5mdLsgYNaPe8uao6Uv9Og==", - "dev": true, - "dependencies": { - "isobject": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/is-relative": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/is-relative/-/is-relative-1.0.0.tgz", - "integrity": "sha512-Kw/ReK0iqwKeu0MITLFuj0jbPAmEiOsIwyIXvvbfa6QfmN9pkD1M+8pdk7Rl/dTKbH34/XBFMbgD4iMJhLQbGA==", - "dev": true, - "dependencies": { - "is-unc-path": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/is-unc-path": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/is-unc-path/-/is-unc-path-1.0.0.tgz", - "integrity": "sha512-mrGpVd0fs7WWLfVsStvgF6iEJnbjDFZh9/emhRDcGWTduTfNHd9CHeUwH3gYIjdbwo4On6hunkztwOaAw0yllQ==", - "dev": true, - "dependencies": { - "unc-path-regex": "^0.1.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/is-utf8": { - "version": "0.2.1", - "resolved": "https://registry.npmjs.org/is-utf8/-/is-utf8-0.2.1.tgz", - "integrity": "sha1-Sw2hRCEE0bM2NA6AeX6GXPOffXI=", - "dev": true - }, - "node_modules/is-valid-glob": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/is-valid-glob/-/is-valid-glob-1.0.0.tgz", - "integrity": "sha1-Kb8+/3Ab4tTTFdusw5vDn+j2Aao=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/is-windows": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/is-windows/-/is-windows-1.0.2.tgz", - "integrity": "sha512-eXK1UInq2bPmjyX6e3VHIzMLobc4J94i4AWn+Hpq3OU5KkrRC96OAcR3PRJ/pGu6m8TRnBHP9dkXQVsT/COVIA==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/isarray": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz", - "integrity": "sha1-u5NdSFgsuhaMBoNJV6VKPgcSTxE=", - "dev": true - }, - "node_modules/isexe": { - "version": 
"2.0.0", - "resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz", - "integrity": "sha1-6PvzdNxVb/iUehDcsFctYz8s+hA=", - "dev": true - }, - "node_modules/isobject": { - "version": "3.0.1", - "resolved": "https://registry.npmjs.org/isobject/-/isobject-3.0.1.tgz", - "integrity": "sha1-TkMekrEalzFjaqH5yNHMvP2reN8=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/json-stable-stringify-without-jsonify": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/json-stable-stringify-without-jsonify/-/json-stable-stringify-without-jsonify-1.0.1.tgz", - "integrity": "sha1-nbe1lJatPzz+8wp1FC0tkwrXJlE=", - "dev": true - }, - "node_modules/just-debounce": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/just-debounce/-/just-debounce-1.1.0.tgz", - "integrity": "sha512-qpcRocdkUmf+UTNBYx5w6dexX5J31AKK1OmPwH630a83DdVVUIngk55RSAiIGpQyoH0dlr872VHfPjnQnK1qDQ==", - "dev": true - }, - "node_modules/kind-of": { - "version": "5.1.0", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-5.1.0.tgz", - "integrity": "sha512-NGEErnH6F2vUuXDh+OlbcKW7/wOcfdRHaZ7VWtqCztfHri/++YKmP51OdWeGPuqCOba6kk2OTe5d02VmTB80Pw==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/last-run": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/last-run/-/last-run-1.1.1.tgz", - "integrity": "sha1-RblpQsF7HHnHchmCWbqUO+v4yls=", - "dev": true, - "dependencies": { - "default-resolution": "^2.0.0", - "es6-weak-map": "^2.0.1" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/lazystream": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/lazystream/-/lazystream-1.0.1.tgz", - "integrity": "sha512-b94GiNHQNy6JNTrt5w6zNyffMrNkXZb3KTkCZJb2V1xaEGCk093vkZ2jk3tpaeP33/OiXC+WvK9AxUebnf5nbw==", - "dev": true, - "dependencies": { - "readable-stream": "^2.0.5" - }, - "engines": { - "node": ">= 0.6.3" - } - }, - "node_modules/lazystream/node_modules/readable-stream": { - "version": 
"2.3.7", - "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.7.tgz", - "integrity": "sha512-Ebho8K4jIbHAxnuxi7o42OrZgF/ZTNcsZj6nRKyUmkhLFq8CHItp/fy6hQZuZmP/n3yZ9VBUbp4zz/mX8hmYPw==", - "dev": true, - "dependencies": { - "core-util-is": "~1.0.0", - "inherits": "~2.0.3", - "isarray": "~1.0.0", - "process-nextick-args": "~2.0.0", - "safe-buffer": "~5.1.1", - "string_decoder": "~1.1.1", - "util-deprecate": "~1.0.1" - } - }, - "node_modules/lazystream/node_modules/safe-buffer": { - "version": "5.1.2", - "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", - "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==", - "dev": true - }, - "node_modules/lazystream/node_modules/string_decoder": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", - "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", - "dev": true, - "dependencies": { - "safe-buffer": "~5.1.0" - } - }, - "node_modules/lcid": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/lcid/-/lcid-1.0.0.tgz", - "integrity": "sha1-MIrMr6C8SDo4Z7S28rlQYlHRuDU=", - "dev": true, - "dependencies": { - "invert-kv": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/lead": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/lead/-/lead-1.0.0.tgz", - "integrity": "sha1-bxT5mje+Op3XhPVJVpDlkDRm7kI=", - "dev": true, - "dependencies": { - "flush-write-stream": "^1.0.2" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/liftoff": { - "version": "3.1.0", - "resolved": "https://registry.npmjs.org/liftoff/-/liftoff-3.1.0.tgz", - "integrity": "sha512-DlIPlJUkCV0Ips2zf2pJP0unEoT1kwYhiiPUGF3s/jtxTCjziNLoiVVh+jqWOWeFi6mmwQ5fNxvAUyPad4Dfog==", - "dev": true, - "dependencies": { - "extend": "^3.0.0", - "findup-sync": "^3.0.0", - "fined": "^1.0.1", - 
"flagged-respawn": "^1.0.0", - "is-plain-object": "^2.0.4", - "object.map": "^1.0.0", - "rechoir": "^0.6.2", - "resolve": "^1.1.7" - }, - "engines": { - "node": ">= 0.8" - } - }, - "node_modules/liftoff/node_modules/braces": { - "version": "2.3.2", - "resolved": "https://registry.npmjs.org/braces/-/braces-2.3.2.tgz", - "integrity": "sha512-aNdbnj9P8PjdXU4ybaWLK2IF3jc/EoDYbC7AazW6to3TRsfXxscC9UXOB5iDiEQrkyIbWp2SLQda4+QAa7nc3w==", - "dev": true, - "dependencies": { - "arr-flatten": "^1.1.0", - "array-unique": "^0.3.2", - "extend-shallow": "^2.0.1", - "fill-range": "^4.0.0", - "isobject": "^3.0.1", - "repeat-element": "^1.1.2", - "snapdragon": "^0.8.1", - "snapdragon-node": "^2.0.1", - "split-string": "^3.0.2", - "to-regex": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/liftoff/node_modules/braces/node_modules/extend-shallow": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz", - "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=", - "dev": true, - "dependencies": { - "is-extendable": "^0.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/liftoff/node_modules/fill-range": { - "version": "4.0.0", - "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-4.0.0.tgz", - "integrity": "sha1-1USBHUKPmOsGpj3EAtJAPDKMOPc=", - "dev": true, - "dependencies": { - "extend-shallow": "^2.0.1", - "is-number": "^3.0.0", - "repeat-string": "^1.6.1", - "to-regex-range": "^2.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/liftoff/node_modules/fill-range/node_modules/extend-shallow": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz", - "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=", - "dev": true, - "dependencies": { - "is-extendable": "^0.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/liftoff/node_modules/findup-sync": { - "version": "3.0.0", - "resolved": 
"https://registry.npmjs.org/findup-sync/-/findup-sync-3.0.0.tgz", - "integrity": "sha512-YbffarhcicEhOrm4CtrwdKBdCuz576RLdhJDsIfvNtxUuhdRet1qZcsMjqbePtAseKdAnDyM/IyXbu7PRPRLYg==", - "dev": true, - "dependencies": { - "detect-file": "^1.0.0", - "is-glob": "^4.0.0", - "micromatch": "^3.0.4", - "resolve-dir": "^1.0.1" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/liftoff/node_modules/is-extendable": { - "version": "0.1.1", - "resolved": "https://registry.npmjs.org/is-extendable/-/is-extendable-0.1.1.tgz", - "integrity": "sha1-YrEQ4omkcUGOPsNqYX1HLjAd/Ik=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/liftoff/node_modules/is-number": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/is-number/-/is-number-3.0.0.tgz", - "integrity": "sha1-JP1iAaR4LPUFYcgQJ2r8fRLXEZU=", - "dev": true, - "dependencies": { - "kind-of": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/liftoff/node_modules/is-number/node_modules/kind-of": { - "version": "3.2.2", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz", - "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=", - "dev": true, - "dependencies": { - "is-buffer": "^1.1.5" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/liftoff/node_modules/kind-of": { - "version": "6.0.3", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-6.0.3.tgz", - "integrity": "sha512-dcS1ul+9tmeD95T+x28/ehLgd9mENa3LsvDTtzm3vyBEO7RPptvAD+t44WVXaUjTBRcrpFeFlC8WCruUR456hw==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/liftoff/node_modules/micromatch": { - "version": "3.1.10", - "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-3.1.10.tgz", - "integrity": "sha512-MWikgl9n9M3w+bpsY3He8L+w9eF9338xRl8IAO5viDizwSzziFEyUzo2xrrloB64ADbTf8uA8vRqqttDTOmccg==", - "dev": true, - "dependencies": { - "arr-diff": "^4.0.0", - "array-unique": "^0.3.2", - "braces": "^2.3.1", - "define-property": "^2.0.2", 
- "extend-shallow": "^3.0.2", - "extglob": "^2.0.4", - "fragment-cache": "^0.2.1", - "kind-of": "^6.0.2", - "nanomatch": "^1.2.9", - "object.pick": "^1.3.0", - "regex-not": "^1.0.0", - "snapdragon": "^0.8.1", - "to-regex": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/liftoff/node_modules/to-regex-range": { - "version": "2.1.1", - "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-2.1.1.tgz", - "integrity": "sha1-fIDBe53+vlmeJzZ+DU3VWQFB2zg=", - "dev": true, - "dependencies": { - "is-number": "^3.0.0", - "repeat-string": "^1.6.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/livereload-js": { - "version": "2.4.0", - "resolved": "https://registry.npmjs.org/livereload-js/-/livereload-js-2.4.0.tgz", - "integrity": "sha512-XPQH8Z2GDP/Hwz2PCDrh2mth4yFejwA1OZ/81Ti3LgKyhDcEjsSsqFWZojHG0va/duGd+WyosY7eXLDoOyqcPw==", - "dev": true - }, - "node_modules/load-json-file": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/load-json-file/-/load-json-file-1.1.0.tgz", - "integrity": "sha1-lWkFcI1YtLq0wiYbBPWfMcmTdMA=", - "dev": true, - "dependencies": { - "graceful-fs": "^4.1.2", - "parse-json": "^2.2.0", - "pify": "^2.0.0", - "pinkie-promise": "^2.0.0", - "strip-bom": "^2.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/lodash.clonedeep": { - "version": "4.5.0", - "resolved": "https://registry.npmjs.org/lodash.clonedeep/-/lodash.clonedeep-4.5.0.tgz", - "integrity": "sha1-4j8/nE+Pvd6HJSnBBxhXoIblzO8=", - "dev": true - }, - "node_modules/make-iterator": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/make-iterator/-/make-iterator-1.0.1.tgz", - "integrity": "sha512-pxiuXh0iVEq7VM7KMIhs5gxsfxCux2URptUQaXo4iZZJxBAzTPOLE2BumO5dbfVYq/hBJFBR/a1mFDmOx5AGmw==", - "dev": true, - "dependencies": { - "kind-of": "^6.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/make-iterator/node_modules/kind-of": { - "version": "6.0.3", - "resolved": 
"https://registry.npmjs.org/kind-of/-/kind-of-6.0.3.tgz", - "integrity": "sha512-dcS1ul+9tmeD95T+x28/ehLgd9mENa3LsvDTtzm3vyBEO7RPptvAD+t44WVXaUjTBRcrpFeFlC8WCruUR456hw==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/map-cache": { - "version": "0.2.2", - "resolved": "https://registry.npmjs.org/map-cache/-/map-cache-0.2.2.tgz", - "integrity": "sha1-wyq9C9ZSXZsFFkW7TyasXcmKDb8=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/map-stream": { - "version": "0.0.7", - "resolved": "https://registry.npmjs.org/map-stream/-/map-stream-0.0.7.tgz", - "integrity": "sha1-ih8HiW2CsQkmvTdEokIACfiJdKg=", - "dev": true - }, - "node_modules/map-visit": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/map-visit/-/map-visit-1.0.0.tgz", - "integrity": "sha1-7Nyo8TFE5mDxtb1B8S80edmN+48=", - "dev": true, - "dependencies": { - "object-visit": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/matchdep": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/matchdep/-/matchdep-2.0.0.tgz", - "integrity": "sha1-xvNINKDY28OzfCfui7yyfHd1WC4=", - "dev": true, - "dependencies": { - "findup-sync": "^2.0.0", - "micromatch": "^3.0.4", - "resolve": "^1.4.0", - "stack-trace": "0.0.10" - }, - "engines": { - "node": ">= 0.10.0" - } - }, - "node_modules/matchdep/node_modules/braces": { - "version": "2.3.2", - "resolved": "https://registry.npmjs.org/braces/-/braces-2.3.2.tgz", - "integrity": "sha512-aNdbnj9P8PjdXU4ybaWLK2IF3jc/EoDYbC7AazW6to3TRsfXxscC9UXOB5iDiEQrkyIbWp2SLQda4+QAa7nc3w==", - "dev": true, - "dependencies": { - "arr-flatten": "^1.1.0", - "array-unique": "^0.3.2", - "extend-shallow": "^2.0.1", - "fill-range": "^4.0.0", - "isobject": "^3.0.1", - "repeat-element": "^1.1.2", - "snapdragon": "^0.8.1", - "snapdragon-node": "^2.0.1", - "split-string": "^3.0.2", - "to-regex": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - 
"node_modules/matchdep/node_modules/braces/node_modules/extend-shallow": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz", - "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=", - "dev": true, - "dependencies": { - "is-extendable": "^0.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/matchdep/node_modules/fill-range": { - "version": "4.0.0", - "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-4.0.0.tgz", - "integrity": "sha1-1USBHUKPmOsGpj3EAtJAPDKMOPc=", - "dev": true, - "dependencies": { - "extend-shallow": "^2.0.1", - "is-number": "^3.0.0", - "repeat-string": "^1.6.1", - "to-regex-range": "^2.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/matchdep/node_modules/fill-range/node_modules/extend-shallow": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz", - "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=", - "dev": true, - "dependencies": { - "is-extendable": "^0.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/matchdep/node_modules/findup-sync": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/findup-sync/-/findup-sync-2.0.0.tgz", - "integrity": "sha1-kyaxSIwi0aYIhlCoaQGy2akKLLw=", - "dev": true, - "dependencies": { - "detect-file": "^1.0.0", - "is-glob": "^3.1.0", - "micromatch": "^3.0.4", - "resolve-dir": "^1.0.1" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/matchdep/node_modules/is-extendable": { - "version": "0.1.1", - "resolved": "https://registry.npmjs.org/is-extendable/-/is-extendable-0.1.1.tgz", - "integrity": "sha1-YrEQ4omkcUGOPsNqYX1HLjAd/Ik=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/matchdep/node_modules/is-glob": { - "version": "3.1.0", - "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-3.1.0.tgz", - "integrity": "sha1-e6WuJCF4BKxwcHuWkiVnSGzD6Eo=", - "dev": true, - 
"dependencies": { - "is-extglob": "^2.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/matchdep/node_modules/is-number": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/is-number/-/is-number-3.0.0.tgz", - "integrity": "sha1-JP1iAaR4LPUFYcgQJ2r8fRLXEZU=", - "dev": true, - "dependencies": { - "kind-of": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/matchdep/node_modules/is-number/node_modules/kind-of": { - "version": "3.2.2", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz", - "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=", - "dev": true, - "dependencies": { - "is-buffer": "^1.1.5" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/matchdep/node_modules/kind-of": { - "version": "6.0.3", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-6.0.3.tgz", - "integrity": "sha512-dcS1ul+9tmeD95T+x28/ehLgd9mENa3LsvDTtzm3vyBEO7RPptvAD+t44WVXaUjTBRcrpFeFlC8WCruUR456hw==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/matchdep/node_modules/micromatch": { - "version": "3.1.10", - "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-3.1.10.tgz", - "integrity": "sha512-MWikgl9n9M3w+bpsY3He8L+w9eF9338xRl8IAO5viDizwSzziFEyUzo2xrrloB64ADbTf8uA8vRqqttDTOmccg==", - "dev": true, - "dependencies": { - "arr-diff": "^4.0.0", - "array-unique": "^0.3.2", - "braces": "^2.3.1", - "define-property": "^2.0.2", - "extend-shallow": "^3.0.2", - "extglob": "^2.0.4", - "fragment-cache": "^0.2.1", - "kind-of": "^6.0.2", - "nanomatch": "^1.2.9", - "object.pick": "^1.3.0", - "regex-not": "^1.0.0", - "snapdragon": "^0.8.1", - "to-regex": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/matchdep/node_modules/to-regex-range": { - "version": "2.1.1", - "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-2.1.1.tgz", - "integrity": "sha1-fIDBe53+vlmeJzZ+DU3VWQFB2zg=", - "dev": true, - "dependencies": { - 
"is-number": "^3.0.0", - "repeat-string": "^1.6.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/micromatch": { - "version": "4.0.4", - "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.4.tgz", - "integrity": "sha512-pRmzw/XUcwXGpD9aI9q/0XOwLNygjETJ8y0ao0wdqprrzDa4YnxLcz7fQRZr8voh8V10kGhABbNcHVk5wHgWwg==", - "dev": true, - "dependencies": { - "braces": "^3.0.1", - "picomatch": "^2.2.3" - }, - "engines": { - "node": ">=8.6" - } - }, - "node_modules/mime": { - "version": "1.4.1", - "resolved": "https://registry.npmjs.org/mime/-/mime-1.4.1.tgz", - "integrity": "sha512-KI1+qOZu5DcW6wayYHSzR/tXKCDC5Om4s1z2QJjDULzLcmf3DvzS7oluY4HCTrc+9FiKmWUgeNLg7W3uIQvxtQ==", - "dev": true, - "bin": { - "mime": "cli.js" - } - }, - "node_modules/mime-db": { - "version": "1.51.0", - "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.51.0.tgz", - "integrity": "sha512-5y8A56jg7XVQx2mbv1lu49NR4dokRnhZYTtL+KGfaa27uq4pSTXkwQkFJl4pkRMyNFz/EtYDSkiiEHx3F7UN6g==", - "dev": true, - "engines": { - "node": ">= 0.6" - } - }, - "node_modules/mime-types": { - "version": "2.1.34", - "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.34.tgz", - "integrity": "sha512-6cP692WwGIs9XXdOO4++N+7qjqv0rqxxVvJ3VHPh/Sc9mVZcQP+ZGhkKiTvWMQRr2tbHkJP/Yn7Y0npb3ZBs4A==", - "dev": true, - "dependencies": { - "mime-db": "1.51.0" - }, - "engines": { - "node": ">= 0.6" - } - }, - "node_modules/minimatch": { - "version": "3.0.4", - "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz", - "integrity": "sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==", - "dev": true, - "dependencies": { - "brace-expansion": "^1.1.7" - }, - "engines": { - "node": "*" - } - }, - "node_modules/mixin-deep": { - "version": "1.3.2", - "resolved": "https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.2.tgz", - "integrity": "sha512-WRoDn//mXBiJ1H40rqa3vH0toePwSsGb45iInWlTySa+Uu4k3tYUSxa2v1KqAiLtvlrSzaExqS1gtk96A9zvEA==", - 
"dev": true, - "dependencies": { - "for-in": "^1.0.2", - "is-extendable": "^1.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/ms": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz", - "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=", - "dev": true - }, - "node_modules/mute-stdout": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/mute-stdout/-/mute-stdout-1.0.1.tgz", - "integrity": "sha512-kDcwXR4PS7caBpuRYYBUz9iVixUk3anO3f5OYFiIPwK/20vCzKCHyKoulbiDY1S53zD2bxUpxN/IJ+TnXjfvxg==", - "dev": true, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/nan": { - "version": "2.15.0", - "resolved": "https://registry.npmjs.org/nan/-/nan-2.15.0.tgz", - "integrity": "sha512-8ZtvEnA2c5aYCZYd1cvgdnU6cqwixRoYg70xPLWUws5ORTa/lnw+u4amixRS/Ac5U5mQVgp9pnlSUnbNWFaWZQ==", - "dev": true, - "optional": true - }, - "node_modules/nanoid": { - "version": "3.2.0", - "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.2.0.tgz", - "integrity": "sha512-fmsZYa9lpn69Ad5eDn7FMcnnSR+8R34W9qJEijxYhTbfOWzr22n1QxCMzXLK+ODyW2973V3Fux959iQoUxzUIA==", - "dev": true, - "bin": { - "nanoid": "bin/nanoid.cjs" - }, - "engines": { - "node": "^10 || ^12 || ^13.7 || ^14 || >=15.0.1" - } - }, - "node_modules/nanomatch": { - "version": "1.2.13", - "resolved": "https://registry.npmjs.org/nanomatch/-/nanomatch-1.2.13.tgz", - "integrity": "sha512-fpoe2T0RbHwBTBUOftAfBPaDEi06ufaUai0mE6Yn1kacc3SnTErfb/h+X94VXzI64rKFHYImXSvdwGGCmwOqCA==", - "dev": true, - "dependencies": { - "arr-diff": "^4.0.0", - "array-unique": "^0.3.2", - "define-property": "^2.0.2", - "extend-shallow": "^3.0.2", - "fragment-cache": "^0.2.1", - "is-windows": "^1.0.2", - "kind-of": "^6.0.2", - "object.pick": "^1.3.0", - "regex-not": "^1.0.0", - "snapdragon": "^0.8.1", - "to-regex": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/nanomatch/node_modules/kind-of": { - "version": "6.0.3", - "resolved": 
"https://registry.npmjs.org/kind-of/-/kind-of-6.0.3.tgz", - "integrity": "sha512-dcS1ul+9tmeD95T+x28/ehLgd9mENa3LsvDTtzm3vyBEO7RPptvAD+t44WVXaUjTBRcrpFeFlC8WCruUR456hw==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/negotiator": { - "version": "0.6.2", - "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.2.tgz", - "integrity": "sha512-hZXc7K2e+PgeI1eDBe/10Ard4ekbfrrqG8Ep+8Jmf4JID2bNg7NvCPOZN+kfF574pFQI7mum2AUqDidoKqcTOw==", - "dev": true, - "engines": { - "node": ">= 0.6" - } - }, - "node_modules/next-tick": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/next-tick/-/next-tick-1.0.0.tgz", - "integrity": "sha1-yobR/ogoFpsBICCOPchCS524NCw=", - "dev": true - }, - "node_modules/node-releases": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.1.tgz", - "integrity": "sha512-CqyzN6z7Q6aMeF/ktcMVTzhAHCEpf8SOarwpzpf8pNBY2k5/oM34UHldUwp8VKI7uxct2HxSRdJjBaZeESzcxA==", - "dev": true - }, - "node_modules/normalize-package-data": { - "version": "2.5.0", - "resolved": "https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz", - "integrity": "sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==", - "dev": true, - "dependencies": { - "hosted-git-info": "^2.1.4", - "resolve": "^1.10.0", - "semver": "2 || 3 || 4 || 5", - "validate-npm-package-license": "^3.0.1" - } - }, - "node_modules/normalize-path": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz", - "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/normalize-range": { - "version": "0.1.2", - "resolved": "https://registry.npmjs.org/normalize-range/-/normalize-range-0.1.2.tgz", - "integrity": "sha1-LRDAa9/TEuqXd2laTShDlFa3WUI=", - "dev": true, - 
"engines": { - "node": ">=0.10.0" - } - }, - "node_modules/now-and-later": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/now-and-later/-/now-and-later-2.0.1.tgz", - "integrity": "sha512-KGvQ0cB70AQfg107Xvs/Fbu+dGmZoTRJp2TaPwcwQm3/7PteUyN2BCgk8KBMPGBUXZdVwyWS8fDCGFygBm19UQ==", - "dev": true, - "dependencies": { - "once": "^1.3.2" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/number-is-nan": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/number-is-nan/-/number-is-nan-1.0.1.tgz", - "integrity": "sha1-CXtgK1NCKlIsGvuHkDGDNpQaAR0=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/object-assign": { - "version": "4.1.1", - "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz", - "integrity": "sha1-IQmtx5ZYh8/AXLvUQsrIv7s2CGM=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/object-copy": { - "version": "0.1.0", - "resolved": "https://registry.npmjs.org/object-copy/-/object-copy-0.1.0.tgz", - "integrity": "sha1-fn2Fi3gb18mRpBupde04EnVOmYw=", - "dev": true, - "dependencies": { - "copy-descriptor": "^0.1.0", - "define-property": "^0.2.5", - "kind-of": "^3.0.3" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/object-copy/node_modules/define-property": { - "version": "0.2.5", - "resolved": "https://registry.npmjs.org/define-property/-/define-property-0.2.5.tgz", - "integrity": "sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=", - "dev": true, - "dependencies": { - "is-descriptor": "^0.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/object-copy/node_modules/is-accessor-descriptor": { - "version": "0.1.6", - "resolved": "https://registry.npmjs.org/is-accessor-descriptor/-/is-accessor-descriptor-0.1.6.tgz", - "integrity": "sha1-qeEss66Nh2cn7u84Q/igiXtcmNY=", - "dev": true, - "dependencies": { - "kind-of": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - 
"node_modules/object-copy/node_modules/is-data-descriptor": { - "version": "0.1.4", - "resolved": "https://registry.npmjs.org/is-data-descriptor/-/is-data-descriptor-0.1.4.tgz", - "integrity": "sha1-C17mSDiOLIYCgueT8YVv7D8wG1Y=", - "dev": true, - "dependencies": { - "kind-of": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/object-copy/node_modules/is-descriptor": { - "version": "0.1.6", - "resolved": "https://registry.npmjs.org/is-descriptor/-/is-descriptor-0.1.6.tgz", - "integrity": "sha512-avDYr0SB3DwO9zsMov0gKCESFYqCnE4hq/4z3TdUlukEy5t9C0YRq7HLrsN52NAcqXKaepeCD0n+B0arnVG3Hg==", - "dev": true, - "dependencies": { - "is-accessor-descriptor": "^0.1.6", - "is-data-descriptor": "^0.1.4", - "kind-of": "^5.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/object-copy/node_modules/is-descriptor/node_modules/kind-of": { - "version": "5.1.0", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-5.1.0.tgz", - "integrity": "sha512-NGEErnH6F2vUuXDh+OlbcKW7/wOcfdRHaZ7VWtqCztfHri/++YKmP51OdWeGPuqCOba6kk2OTe5d02VmTB80Pw==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/object-copy/node_modules/kind-of": { - "version": "3.2.2", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz", - "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=", - "dev": true, - "dependencies": { - "is-buffer": "^1.1.5" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/object-inspect": { - "version": "1.12.0", - "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.12.0.tgz", - "integrity": "sha512-Ho2z80bVIvJloH+YzRmpZVQe87+qASmBUKZDWgx9cu+KDrX2ZDH/3tMy+gXbZETVGs2M8YdxObOh7XAtim9Y0g==", - "dev": true, - "funding": { - "url": "https://github.com/sponsors/ljharb" - } - }, - "node_modules/object-keys": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/object-keys/-/object-keys-1.1.1.tgz", - "integrity": 
"sha512-NuAESUOUMrlIXOfHKzD6bpPu3tYt3xvjNdRIQ+FeT0lNb4K8WR70CaDxhuNguS2XG+GjkyMwOzsN5ZktImfhLA==", - "dev": true, - "engines": { - "node": ">= 0.4" - } - }, - "node_modules/object-visit": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/object-visit/-/object-visit-1.0.1.tgz", - "integrity": "sha1-95xEk68MU3e1n+OdOV5BBC3QRbs=", - "dev": true, - "dependencies": { - "isobject": "^3.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/object.assign": { - "version": "4.1.2", - "resolved": "https://registry.npmjs.org/object.assign/-/object.assign-4.1.2.tgz", - "integrity": "sha512-ixT2L5THXsApyiUPYKmW+2EHpXXe5Ii3M+f4e+aJFAHao5amFRW6J0OO6c/LU8Be47utCx2GL89hxGB6XSmKuQ==", - "dev": true, - "dependencies": { - "call-bind": "^1.0.0", - "define-properties": "^1.1.3", - "has-symbols": "^1.0.1", - "object-keys": "^1.1.1" - }, - "engines": { - "node": ">= 0.4" - }, - "funding": { - "url": "https://github.com/sponsors/ljharb" - } - }, - "node_modules/object.defaults": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/object.defaults/-/object.defaults-1.1.0.tgz", - "integrity": "sha1-On+GgzS0B96gbaFtiNXNKeQ1/s8=", - "dev": true, - "dependencies": { - "array-each": "^1.0.1", - "array-slice": "^1.0.0", - "for-own": "^1.0.0", - "isobject": "^3.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/object.map": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/object.map/-/object.map-1.0.1.tgz", - "integrity": "sha1-z4Plncj8wK1fQlDh94s7gb2AHTc=", - "dev": true, - "dependencies": { - "for-own": "^1.0.0", - "make-iterator": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/object.pick": { - "version": "1.3.0", - "resolved": "https://registry.npmjs.org/object.pick/-/object.pick-1.3.0.tgz", - "integrity": "sha1-h6EKxMFpS9Lhy/U1kaZhQftd10c=", - "dev": true, - "dependencies": { - "isobject": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/object.reduce": { - 
"version": "1.0.1", - "resolved": "https://registry.npmjs.org/object.reduce/-/object.reduce-1.0.1.tgz", - "integrity": "sha1-b+NI8qx/oPlcpiEiZZkJaCW7A60=", - "dev": true, - "dependencies": { - "for-own": "^1.0.0", - "make-iterator": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/on-finished": { - "version": "2.3.0", - "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.3.0.tgz", - "integrity": "sha1-IPEzZIGwg811M3mSoWlxqi2QaUc=", - "dev": true, - "dependencies": { - "ee-first": "1.1.1" - }, - "engines": { - "node": ">= 0.8" - } - }, - "node_modules/once": { - "version": "1.4.0", - "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", - "integrity": "sha1-WDsap3WWHUsROsF9nFC6753Xa9E=", - "dev": true, - "dependencies": { - "wrappy": "1" - } - }, - "node_modules/ordered-read-streams": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/ordered-read-streams/-/ordered-read-streams-1.0.1.tgz", - "integrity": "sha1-d8DLN8QVJdZBZtmQ/61+xqDhNj4=", - "dev": true, - "dependencies": { - "readable-stream": "^2.0.1" - } - }, - "node_modules/ordered-read-streams/node_modules/readable-stream": { - "version": "2.3.7", - "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.7.tgz", - "integrity": "sha512-Ebho8K4jIbHAxnuxi7o42OrZgF/ZTNcsZj6nRKyUmkhLFq8CHItp/fy6hQZuZmP/n3yZ9VBUbp4zz/mX8hmYPw==", - "dev": true, - "dependencies": { - "core-util-is": "~1.0.0", - "inherits": "~2.0.3", - "isarray": "~1.0.0", - "process-nextick-args": "~2.0.0", - "safe-buffer": "~5.1.1", - "string_decoder": "~1.1.1", - "util-deprecate": "~1.0.1" - } - }, - "node_modules/ordered-read-streams/node_modules/safe-buffer": { - "version": "5.1.2", - "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", - "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==", - "dev": true - }, - "node_modules/ordered-read-streams/node_modules/string_decoder": { 
- "version": "1.1.1", - "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", - "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", - "dev": true, - "dependencies": { - "safe-buffer": "~5.1.0" - } - }, - "node_modules/os-locale": { - "version": "1.4.0", - "resolved": "https://registry.npmjs.org/os-locale/-/os-locale-1.4.0.tgz", - "integrity": "sha1-IPnxeuKe00XoveWDsT0gCYA8FNk=", - "dev": true, - "dependencies": { - "lcid": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/parse-filepath": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/parse-filepath/-/parse-filepath-1.0.2.tgz", - "integrity": "sha1-pjISf1Oq89FYdvWHLz/6x2PWyJE=", - "dev": true, - "dependencies": { - "is-absolute": "^1.0.0", - "map-cache": "^0.2.0", - "path-root": "^0.1.1" - }, - "engines": { - "node": ">=0.8" - } - }, - "node_modules/parse-json": { - "version": "2.2.0", - "resolved": "https://registry.npmjs.org/parse-json/-/parse-json-2.2.0.tgz", - "integrity": "sha1-9ID0BDTvgHQfhGkJn43qGPVaTck=", - "dev": true, - "dependencies": { - "error-ex": "^1.2.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/parse-node-version": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/parse-node-version/-/parse-node-version-1.0.1.tgz", - "integrity": "sha512-3YHlOa/JgH6Mnpr05jP9eDG254US9ek25LyIxZlDItp2iJtwyaXQb57lBYLdT3MowkUFYEV2XXNAYIPlESvJlA==", - "dev": true, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/parse-passwd": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/parse-passwd/-/parse-passwd-1.0.0.tgz", - "integrity": "sha1-bVuTSkVpk7I9N/QKOC1vFmao5cY=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/parseurl": { - "version": "1.3.3", - "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz", - "integrity": 
"sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==", - "dev": true, - "engines": { - "node": ">= 0.8" - } - }, - "node_modules/pascalcase": { - "version": "0.1.1", - "resolved": "https://registry.npmjs.org/pascalcase/-/pascalcase-0.1.1.tgz", - "integrity": "sha1-s2PlXoAGym/iF4TS2yK9FdeRfxQ=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/path-dirname": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/path-dirname/-/path-dirname-1.0.2.tgz", - "integrity": "sha1-zDPSTVJeCZpTiMAzbG4yuRYGCeA=", - "dev": true - }, - "node_modules/path-exists": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-2.1.0.tgz", - "integrity": "sha1-D+tsZPD8UY2adU3V77YscCJ2H0s=", - "dev": true, - "dependencies": { - "pinkie-promise": "^2.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/path-is-absolute": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", - "integrity": "sha1-F0uSaHNVNP+8es5r9TpanhtcX18=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/path-parse": { - "version": "1.0.7", - "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz", - "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==", - "dev": true - }, - "node_modules/path-root": { - "version": "0.1.1", - "resolved": "https://registry.npmjs.org/path-root/-/path-root-0.1.1.tgz", - "integrity": "sha1-mkpoFMrBwM1zNgqV8yCDyOpHRbc=", - "dev": true, - "dependencies": { - "path-root-regex": "^0.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/path-root-regex": { - "version": "0.1.2", - "resolved": "https://registry.npmjs.org/path-root-regex/-/path-root-regex-0.1.2.tgz", - "integrity": "sha1-v8zcjfWxLcUsi0PsONGNcsBLqW0=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - 
"node_modules/path-type": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/path-type/-/path-type-1.1.0.tgz", - "integrity": "sha1-WcRPfuSR2nBNpBXaWkBwuk+P5EE=", - "dev": true, - "dependencies": { - "graceful-fs": "^4.1.2", - "pify": "^2.0.0", - "pinkie-promise": "^2.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/picocolors": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.0.0.tgz", - "integrity": "sha512-1fygroTLlHu66zi26VoTDv8yRgm0Fccecssto+MhsZ0D/DGW2sm8E8AjW7NU5VVTRt5GxbeZ5qBuJr+HyLYkjQ==", - "dev": true - }, - "node_modules/picomatch": { - "version": "2.3.1", - "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz", - "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==", - "dev": true, - "engines": { - "node": ">=8.6" - }, - "funding": { - "url": "https://github.com/sponsors/jonschlinkert" - } - }, - "node_modules/pify": { - "version": "2.3.0", - "resolved": "https://registry.npmjs.org/pify/-/pify-2.3.0.tgz", - "integrity": "sha1-7RQaasBDqEnqWISY59yosVMw6Qw=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/pinkie": { - "version": "2.0.4", - "resolved": "https://registry.npmjs.org/pinkie/-/pinkie-2.0.4.tgz", - "integrity": "sha1-clVrgM+g1IqXToDnckjoDtT3+HA=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/pinkie-promise": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/pinkie-promise/-/pinkie-promise-2.0.1.tgz", - "integrity": "sha1-ITXW36ejWMBprJsXh3YogihFD/o=", - "dev": true, - "dependencies": { - "pinkie": "^2.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/plugin-error": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/plugin-error/-/plugin-error-1.0.1.tgz", - "integrity": "sha512-L1zP0dk7vGweZME2i+EeakvUNqSrdiI3F91TwEoYiGrAfUXmVv6fJIq4g82PAXxNsWOp0J7ZqQy/3Szz0ajTxA==", - "dev": true, - 
"dependencies": { - "ansi-colors": "^1.0.1", - "arr-diff": "^4.0.0", - "arr-union": "^3.1.0", - "extend-shallow": "^3.0.2" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/posix-character-classes": { - "version": "0.1.1", - "resolved": "https://registry.npmjs.org/posix-character-classes/-/posix-character-classes-0.1.1.tgz", - "integrity": "sha1-AerA/jta9xoqbAL+q7jB/vfgDqs=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/postcss": { - "version": "8.4.5", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.5.tgz", - "integrity": "sha512-jBDboWM8qpaqwkMwItqTQTiFikhs/67OYVvblFFTM7MrZjt6yMKd6r2kgXizEbTTljacm4NldIlZnhbjr84QYg==", - "dev": true, - "dependencies": { - "nanoid": "^3.1.30", - "picocolors": "^1.0.0", - "source-map-js": "^1.0.1" - }, - "engines": { - "node": "^10 || ^12 || >=14" - }, - "funding": { - "type": "opencollective", - "url": "https://opencollective.com/postcss/" - } - }, - "node_modules/postcss-value-parser": { - "version": "4.2.0", - "resolved": "https://registry.npmjs.org/postcss-value-parser/-/postcss-value-parser-4.2.0.tgz", - "integrity": "sha512-1NNCs6uurfkVbeXG4S8JFT9t19m45ICnif8zWLd5oPSZ50QnwMfK+H3jv408d4jw/7Bttv5axS5IiHoLaVNHeQ==", - "dev": true - }, - "node_modules/pretty-hrtime": { - "version": "1.0.3", - "resolved": "https://registry.npmjs.org/pretty-hrtime/-/pretty-hrtime-1.0.3.tgz", - "integrity": "sha1-t+PqQkNaTJsnWdmeDyAesZWALuE=", - "dev": true, - "engines": { - "node": ">= 0.8" - } - }, - "node_modules/process-nextick-args": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz", - "integrity": "sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==", - "dev": true - }, - "node_modules/pump": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/pump/-/pump-2.0.1.tgz", - "integrity": 
"sha512-ruPMNRkN3MHP1cWJc9OWr+T/xDP0jhXYCLfJcBuX54hhfIBnaQmAUMfDcG4DM5UMWByBbJY69QSphm3jtDKIkA==", - "dev": true, - "dependencies": { - "end-of-stream": "^1.1.0", - "once": "^1.3.1" - } - }, - "node_modules/pumpify": { - "version": "1.5.1", - "resolved": "https://registry.npmjs.org/pumpify/-/pumpify-1.5.1.tgz", - "integrity": "sha512-oClZI37HvuUJJxSKKrC17bZ9Cu0ZYhEAGPsPUy9KlMUmv9dKX2o77RUmq7f3XjIxbwyGwYzbzQ1L2Ks8sIradQ==", - "dev": true, - "dependencies": { - "duplexify": "^3.6.0", - "inherits": "^2.0.3", - "pump": "^2.0.0" - } - }, - "node_modules/qs": { - "version": "6.10.3", - "resolved": "https://registry.npmjs.org/qs/-/qs-6.10.3.tgz", - "integrity": "sha512-wr7M2E0OFRfIfJZjKGieI8lBKb7fRCH4Fv5KNPEs7gJ8jadvotdsS08PzOKR7opXhZ/Xkjtt3WF9g38drmyRqQ==", - "dev": true, - "dependencies": { - "side-channel": "^1.0.4" - }, - "engines": { - "node": ">=0.6" - }, - "funding": { - "url": "https://github.com/sponsors/ljharb" - } - }, - "node_modules/range-parser": { - "version": "1.2.1", - "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz", - "integrity": "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==", - "dev": true, - "engines": { - "node": ">= 0.6" - } - }, - "node_modules/raw-body": { - "version": "1.1.7", - "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-1.1.7.tgz", - "integrity": "sha1-HQJ8K/oRasxmI7yo8AAWVyqH1CU=", - "dev": true, - "dependencies": { - "bytes": "1", - "string_decoder": "0.10" - }, - "engines": { - "node": ">= 0.8.0" - } - }, - "node_modules/raw-body/node_modules/string_decoder": { - "version": "0.10.31", - "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-0.10.31.tgz", - "integrity": "sha1-YuIDvEF2bGwoyfyEMB2rHFMQ+pQ=", - "dev": true - }, - "node_modules/read-pkg": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/read-pkg/-/read-pkg-1.1.0.tgz", - "integrity": "sha1-9f+qXs0pyzHAR0vKfXVra7KePyg=", - "dev": true, - 
"dependencies": { - "load-json-file": "^1.0.0", - "normalize-package-data": "^2.3.2", - "path-type": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/read-pkg-up": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/read-pkg-up/-/read-pkg-up-1.0.1.tgz", - "integrity": "sha1-nWPBMnbAZZGNV/ACpX9AobZD+wI=", - "dev": true, - "dependencies": { - "find-up": "^1.0.0", - "read-pkg": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/readable-stream": { - "version": "3.6.0", - "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.0.tgz", - "integrity": "sha512-BViHy7LKeTz4oNnkcLJ+lVSL6vpiFeX6/d3oSH8zCW7UxP2onchk+vTGB143xuFjHS3deTgkKoXXymXqymiIdA==", - "dev": true, - "dependencies": { - "inherits": "^2.0.3", - "string_decoder": "^1.1.1", - "util-deprecate": "^1.0.1" - }, - "engines": { - "node": ">= 6" - } - }, - "node_modules/readdirp": { - "version": "2.2.1", - "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-2.2.1.tgz", - "integrity": "sha512-1JU/8q+VgFZyxwrJ+SVIOsh+KywWGpds3NTqikiKpDMZWScmAYyKIgqkO+ARvNWJfXeXR1zxz7aHF4u4CyH6vQ==", - "dev": true, - "dependencies": { - "graceful-fs": "^4.1.11", - "micromatch": "^3.1.10", - "readable-stream": "^2.0.2" - }, - "engines": { - "node": ">=0.10" - } - }, - "node_modules/readdirp/node_modules/braces": { - "version": "2.3.2", - "resolved": "https://registry.npmjs.org/braces/-/braces-2.3.2.tgz", - "integrity": "sha512-aNdbnj9P8PjdXU4ybaWLK2IF3jc/EoDYbC7AazW6to3TRsfXxscC9UXOB5iDiEQrkyIbWp2SLQda4+QAa7nc3w==", - "dev": true, - "dependencies": { - "arr-flatten": "^1.1.0", - "array-unique": "^0.3.2", - "extend-shallow": "^2.0.1", - "fill-range": "^4.0.0", - "isobject": "^3.0.1", - "repeat-element": "^1.1.2", - "snapdragon": "^0.8.1", - "snapdragon-node": "^2.0.1", - "split-string": "^3.0.2", - "to-regex": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/readdirp/node_modules/braces/node_modules/extend-shallow": { - 
"version": "2.0.1", - "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz", - "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=", - "dev": true, - "dependencies": { - "is-extendable": "^0.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/readdirp/node_modules/fill-range": { - "version": "4.0.0", - "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-4.0.0.tgz", - "integrity": "sha1-1USBHUKPmOsGpj3EAtJAPDKMOPc=", - "dev": true, - "dependencies": { - "extend-shallow": "^2.0.1", - "is-number": "^3.0.0", - "repeat-string": "^1.6.1", - "to-regex-range": "^2.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/readdirp/node_modules/fill-range/node_modules/extend-shallow": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz", - "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=", - "dev": true, - "dependencies": { - "is-extendable": "^0.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/readdirp/node_modules/is-extendable": { - "version": "0.1.1", - "resolved": "https://registry.npmjs.org/is-extendable/-/is-extendable-0.1.1.tgz", - "integrity": "sha1-YrEQ4omkcUGOPsNqYX1HLjAd/Ik=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/readdirp/node_modules/is-number": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/is-number/-/is-number-3.0.0.tgz", - "integrity": "sha1-JP1iAaR4LPUFYcgQJ2r8fRLXEZU=", - "dev": true, - "dependencies": { - "kind-of": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/readdirp/node_modules/is-number/node_modules/kind-of": { - "version": "3.2.2", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz", - "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=", - "dev": true, - "dependencies": { - "is-buffer": "^1.1.5" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/readdirp/node_modules/kind-of": { - 
"version": "6.0.3", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-6.0.3.tgz", - "integrity": "sha512-dcS1ul+9tmeD95T+x28/ehLgd9mENa3LsvDTtzm3vyBEO7RPptvAD+t44WVXaUjTBRcrpFeFlC8WCruUR456hw==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/readdirp/node_modules/micromatch": { - "version": "3.1.10", - "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-3.1.10.tgz", - "integrity": "sha512-MWikgl9n9M3w+bpsY3He8L+w9eF9338xRl8IAO5viDizwSzziFEyUzo2xrrloB64ADbTf8uA8vRqqttDTOmccg==", - "dev": true, - "dependencies": { - "arr-diff": "^4.0.0", - "array-unique": "^0.3.2", - "braces": "^2.3.1", - "define-property": "^2.0.2", - "extend-shallow": "^3.0.2", - "extglob": "^2.0.4", - "fragment-cache": "^0.2.1", - "kind-of": "^6.0.2", - "nanomatch": "^1.2.9", - "object.pick": "^1.3.0", - "regex-not": "^1.0.0", - "snapdragon": "^0.8.1", - "to-regex": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/readdirp/node_modules/readable-stream": { - "version": "2.3.7", - "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.7.tgz", - "integrity": "sha512-Ebho8K4jIbHAxnuxi7o42OrZgF/ZTNcsZj6nRKyUmkhLFq8CHItp/fy6hQZuZmP/n3yZ9VBUbp4zz/mX8hmYPw==", - "dev": true, - "dependencies": { - "core-util-is": "~1.0.0", - "inherits": "~2.0.3", - "isarray": "~1.0.0", - "process-nextick-args": "~2.0.0", - "safe-buffer": "~5.1.1", - "string_decoder": "~1.1.1", - "util-deprecate": "~1.0.1" - } - }, - "node_modules/readdirp/node_modules/safe-buffer": { - "version": "5.1.2", - "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", - "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==", - "dev": true - }, - "node_modules/readdirp/node_modules/string_decoder": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", - "integrity": 
"sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", - "dev": true, - "dependencies": { - "safe-buffer": "~5.1.0" - } - }, - "node_modules/readdirp/node_modules/to-regex-range": { - "version": "2.1.1", - "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-2.1.1.tgz", - "integrity": "sha1-fIDBe53+vlmeJzZ+DU3VWQFB2zg=", - "dev": true, - "dependencies": { - "is-number": "^3.0.0", - "repeat-string": "^1.6.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/rechoir": { - "version": "0.6.2", - "resolved": "https://registry.npmjs.org/rechoir/-/rechoir-0.6.2.tgz", - "integrity": "sha1-hSBLVNuoLVdC4oyWdW70OvUOM4Q=", - "dev": true, - "dependencies": { - "resolve": "^1.1.6" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/regex-not": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/regex-not/-/regex-not-1.0.2.tgz", - "integrity": "sha512-J6SDjUgDxQj5NusnOtdFxDwN/+HWykR8GELwctJ7mdqhcyy1xEc4SRFHUXvxTp661YaVKAjfRLZ9cCqS6tn32A==", - "dev": true, - "dependencies": { - "extend-shallow": "^3.0.2", - "safe-regex": "^1.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/remove-bom-buffer": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/remove-bom-buffer/-/remove-bom-buffer-3.0.0.tgz", - "integrity": "sha512-8v2rWhaakv18qcvNeli2mZ/TMTL2nEyAKRvzo1WtnZBl15SHyEhrCu2/xKlJyUFKHiHgfXIyuY6g2dObJJycXQ==", - "dev": true, - "dependencies": { - "is-buffer": "^1.1.5", - "is-utf8": "^0.2.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/remove-bom-stream": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/remove-bom-stream/-/remove-bom-stream-1.2.0.tgz", - "integrity": "sha1-BfGlk/FuQuH7kOv1nejlaVJflSM=", - "dev": true, - "dependencies": { - "remove-bom-buffer": "^3.0.0", - "safe-buffer": "^5.1.0", - "through2": "^2.0.3" - }, - "engines": { - "node": ">= 0.10" - } - }, - 
"node_modules/remove-bom-stream/node_modules/readable-stream": { - "version": "2.3.7", - "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.7.tgz", - "integrity": "sha512-Ebho8K4jIbHAxnuxi7o42OrZgF/ZTNcsZj6nRKyUmkhLFq8CHItp/fy6hQZuZmP/n3yZ9VBUbp4zz/mX8hmYPw==", - "dev": true, - "dependencies": { - "core-util-is": "~1.0.0", - "inherits": "~2.0.3", - "isarray": "~1.0.0", - "process-nextick-args": "~2.0.0", - "safe-buffer": "~5.1.1", - "string_decoder": "~1.1.1", - "util-deprecate": "~1.0.1" - } - }, - "node_modules/remove-bom-stream/node_modules/safe-buffer": { - "version": "5.1.2", - "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", - "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==", - "dev": true - }, - "node_modules/remove-bom-stream/node_modules/string_decoder": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", - "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", - "dev": true, - "dependencies": { - "safe-buffer": "~5.1.0" - } - }, - "node_modules/remove-bom-stream/node_modules/through2": { - "version": "2.0.5", - "resolved": "https://registry.npmjs.org/through2/-/through2-2.0.5.tgz", - "integrity": "sha512-/mrRod8xqpA+IHSLyGCQ2s8SPHiCDEeQJSep1jqLYeEUClOFG2Qsh+4FU6G9VeqpZnGW/Su8LQGc4YKni5rYSQ==", - "dev": true, - "dependencies": { - "readable-stream": "~2.3.6", - "xtend": "~4.0.1" - } - }, - "node_modules/remove-trailing-separator": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/remove-trailing-separator/-/remove-trailing-separator-1.1.0.tgz", - "integrity": "sha1-wkvOKig62tW8P1jg1IJJuSN52O8=", - "dev": true - }, - "node_modules/repeat-element": { - "version": "1.1.4", - "resolved": "https://registry.npmjs.org/repeat-element/-/repeat-element-1.1.4.tgz", - "integrity": 
"sha512-LFiNfRcSu7KK3evMyYOuCzv3L10TW7yC1G2/+StMjK8Y6Vqd2MG7r/Qjw4ghtuCOjFvlnms/iMmLqpvW/ES/WQ==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/repeat-string": { - "version": "1.6.1", - "resolved": "https://registry.npmjs.org/repeat-string/-/repeat-string-1.6.1.tgz", - "integrity": "sha1-jcrkcOHIirwtYA//Sndihtp15jc=", - "dev": true, - "engines": { - "node": ">=0.10" - } - }, - "node_modules/replace-ext": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/replace-ext/-/replace-ext-2.0.0.tgz", - "integrity": "sha512-UszKE5KVK6JvyD92nzMn9cDapSk6w/CaFZ96CnmDMUqH9oowfxF/ZjRITD25H4DnOQClLA4/j7jLGXXLVKxAug==", - "dev": true, - "engines": { - "node": ">= 10" - } - }, - "node_modules/replace-homedir": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/replace-homedir/-/replace-homedir-1.0.0.tgz", - "integrity": "sha1-6H9tUTuSjd6AgmDBK+f+xv9ueYw=", - "dev": true, - "dependencies": { - "homedir-polyfill": "^1.0.1", - "is-absolute": "^1.0.0", - "remove-trailing-separator": "^1.1.0" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/require-directory": { - "version": "2.1.1", - "resolved": "https://registry.npmjs.org/require-directory/-/require-directory-2.1.1.tgz", - "integrity": "sha1-jGStX9MNqxyXbiNE/+f3kqam30I=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/require-main-filename": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/require-main-filename/-/require-main-filename-1.0.1.tgz", - "integrity": "sha1-l/cXtp1IeE9fUmpsWqj/3aBVpNE=", - "dev": true - }, - "node_modules/resolve": { - "version": "1.22.0", - "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.0.tgz", - "integrity": "sha512-Hhtrw0nLeSrFQ7phPp4OOcVjLPIeMnRlr5mcnVuMe7M/7eBn98A3hmFRLoFo3DLZkivSYwhRUJTyPyWAk56WLw==", - "dev": true, - "dependencies": { - "is-core-module": "^2.8.1", - "path-parse": "^1.0.7", - "supports-preserve-symlinks-flag": "^1.0.0" - }, - "bin": { - "resolve": 
"bin/resolve" - }, - "funding": { - "url": "https://github.com/sponsors/ljharb" - } - }, - "node_modules/resolve-dir": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/resolve-dir/-/resolve-dir-1.0.1.tgz", - "integrity": "sha1-eaQGRMNivoLybv/nOcm7U4IEb0M=", - "dev": true, - "dependencies": { - "expand-tilde": "^2.0.0", - "global-modules": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/resolve-options": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/resolve-options/-/resolve-options-1.1.0.tgz", - "integrity": "sha1-MrueOcBtZzONyTeMDW1gdFZq0TE=", - "dev": true, - "dependencies": { - "value-or-function": "^3.0.0" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/resolve-url": { - "version": "0.2.1", - "resolved": "https://registry.npmjs.org/resolve-url/-/resolve-url-0.2.1.tgz", - "integrity": "sha1-LGN/53yJOv0qZj/iGqkIAGjiBSo=", - "deprecated": "https://github.com/lydell/resolve-url#deprecated", - "dev": true - }, - "node_modules/ret": { - "version": "0.1.15", - "resolved": "https://registry.npmjs.org/ret/-/ret-0.1.15.tgz", - "integrity": "sha512-TTlYpa+OL+vMMNG24xSlQGEJ3B/RzEfUlLct7b5G/ytav+wPrplCpVMFuwzXbkecJrb6IYo1iFb0S9v37754mg==", - "dev": true, - "engines": { - "node": ">=0.12" - } - }, - "node_modules/safe-buffer": { - "version": "5.2.1", - "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz", - "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==", - "dev": true, - "funding": [ - { - "type": "github", - "url": "https://github.com/sponsors/feross" - }, - { - "type": "patreon", - "url": "https://www.patreon.com/feross" - }, - { - "type": "consulting", - "url": "https://feross.org/support" - } - ] - }, - "node_modules/safe-json-parse": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/safe-json-parse/-/safe-json-parse-1.0.1.tgz", - "integrity": "sha1-PnZyPjjf3aE8mx0poeB//uSzC1c=", - "dev": 
true - }, - "node_modules/safe-regex": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/safe-regex/-/safe-regex-1.1.0.tgz", - "integrity": "sha1-QKNmnzsHfR6UPURinhV91IAjvy4=", - "dev": true, - "dependencies": { - "ret": "~0.1.10" - } - }, - "node_modules/sass": { - "version": "1.49.0", - "resolved": "https://registry.npmjs.org/sass/-/sass-1.49.0.tgz", - "integrity": "sha512-TVwVdNDj6p6b4QymJtNtRS2YtLJ/CqZriGg0eIAbAKMlN8Xy6kbv33FsEZSF7FufFFM705SQviHjjThfaQ4VNw==", - "dev": true, - "dependencies": { - "chokidar": ">=3.0.0 <4.0.0", - "immutable": "^4.0.0", - "source-map-js": ">=0.6.2 <2.0.0" - }, - "bin": { - "sass": "sass.js" - }, - "engines": { - "node": ">=8.9.0" - } - }, - "node_modules/sass/node_modules/anymatch": { - "version": "3.1.2", - "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.2.tgz", - "integrity": "sha512-P43ePfOAIupkguHUycrc4qJ9kz8ZiuOUijaETwX7THt0Y/GNK7v0aa8rY816xWjZ7rJdA5XdMcpVFTKMq+RvWg==", - "dev": true, - "dependencies": { - "normalize-path": "^3.0.0", - "picomatch": "^2.0.4" - }, - "engines": { - "node": ">= 8" - } - }, - "node_modules/sass/node_modules/binary-extensions": { - "version": "2.2.0", - "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.2.0.tgz", - "integrity": "sha512-jDctJ/IVQbZoJykoeHbhXpOlNBqGNcwXJKJog42E5HDPUwQTSdjCHdihjj0DlnheQ7blbT6dHOafNAiS8ooQKA==", - "dev": true, - "engines": { - "node": ">=8" - } - }, - "node_modules/sass/node_modules/chokidar": { - "version": "3.5.3", - "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-3.5.3.tgz", - "integrity": "sha512-Dr3sfKRP6oTcjf2JmUmFJfeVMvXBdegxB0iVQ5eb2V10uFJUCAS8OByZdVAyVb8xXNz3GjjTgj9kLWsZTqE6kw==", - "dev": true, - "funding": [ - { - "type": "individual", - "url": "https://paulmillr.com/funding/" - } - ], - "dependencies": { - "anymatch": "~3.1.2", - "braces": "~3.0.2", - "glob-parent": "~5.1.2", - "is-binary-path": "~2.1.0", - "is-glob": "~4.0.1", - "normalize-path": "~3.0.0", - "readdirp": "~3.6.0" - }, 
- "engines": { - "node": ">= 8.10.0" - }, - "optionalDependencies": { - "fsevents": "~2.3.2" - } - }, - "node_modules/sass/node_modules/fsevents": { - "version": "2.3.2", - "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz", - "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==", - "dev": true, - "hasInstallScript": true, - "optional": true, - "os": [ - "darwin" - ], - "engines": { - "node": "^8.16.0 || ^10.6.0 || >=11.0.0" - } - }, - "node_modules/sass/node_modules/glob-parent": { - "version": "5.1.2", - "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz", - "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==", - "dev": true, - "dependencies": { - "is-glob": "^4.0.1" - }, - "engines": { - "node": ">= 6" - } - }, - "node_modules/sass/node_modules/is-binary-path": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/is-binary-path/-/is-binary-path-2.1.0.tgz", - "integrity": "sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw==", - "dev": true, - "dependencies": { - "binary-extensions": "^2.0.0" - }, - "engines": { - "node": ">=8" - } - }, - "node_modules/sass/node_modules/readdirp": { - "version": "3.6.0", - "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-3.6.0.tgz", - "integrity": "sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA==", - "dev": true, - "dependencies": { - "picomatch": "^2.2.1" - }, - "engines": { - "node": ">=8.10.0" - } - }, - "node_modules/semver": { - "version": "5.7.1", - "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.1.tgz", - "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ==", - "dev": true, - "bin": { - "semver": "bin/semver" - } - }, - "node_modules/semver-greatest-satisfied-range": { - "version": 
"1.1.0", - "resolved": "https://registry.npmjs.org/semver-greatest-satisfied-range/-/semver-greatest-satisfied-range-1.1.0.tgz", - "integrity": "sha1-E+jCZYq5aRywzXEJMkAoDTb3els=", - "dev": true, - "dependencies": { - "sver-compat": "^1.5.0" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/send": { - "version": "0.16.2", - "resolved": "https://registry.npmjs.org/send/-/send-0.16.2.tgz", - "integrity": "sha512-E64YFPUssFHEFBvpbbjr44NCLtI1AohxQ8ZSiJjQLskAdKuriYEP6VyGEsRDH8ScozGpkaX1BGvhanqCwkcEZw==", - "dev": true, - "dependencies": { - "debug": "2.6.9", - "depd": "~1.1.2", - "destroy": "~1.0.4", - "encodeurl": "~1.0.2", - "escape-html": "~1.0.3", - "etag": "~1.8.1", - "fresh": "0.5.2", - "http-errors": "~1.6.2", - "mime": "1.4.1", - "ms": "2.0.0", - "on-finished": "~2.3.0", - "range-parser": "~1.2.0", - "statuses": "~1.4.0" - }, - "engines": { - "node": ">= 0.8.0" - } - }, - "node_modules/send/node_modules/statuses": { - "version": "1.4.0", - "resolved": "https://registry.npmjs.org/statuses/-/statuses-1.4.0.tgz", - "integrity": "sha512-zhSCtt8v2NDrRlPQpCNtw/heZLtfUDqxBM1udqikb/Hbk52LK4nQSwr10u77iopCW5LsyHpuXS0GnEc48mLeew==", - "dev": true, - "engines": { - "node": ">= 0.6" - } - }, - "node_modules/serve-index": { - "version": "1.9.1", - "resolved": "https://registry.npmjs.org/serve-index/-/serve-index-1.9.1.tgz", - "integrity": "sha1-03aNabHn2C5c4FD/9bRTvqEqkjk=", - "dev": true, - "dependencies": { - "accepts": "~1.3.4", - "batch": "0.6.1", - "debug": "2.6.9", - "escape-html": "~1.0.3", - "http-errors": "~1.6.2", - "mime-types": "~2.1.17", - "parseurl": "~1.3.2" - }, - "engines": { - "node": ">= 0.8.0" - } - }, - "node_modules/serve-static": { - "version": "1.14.2", - "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.14.2.tgz", - "integrity": "sha512-+TMNA9AFxUEGuC0z2mevogSnn9MXKb4fa7ngeRMJaaGv8vTwnIEkKi+QGvPt33HSnf8pRS+WGM0EbMtCJLKMBQ==", - "dev": true, - "dependencies": { - "encodeurl": "~1.0.2", - "escape-html": "~1.0.3", - 
"parseurl": "~1.3.3", - "send": "0.17.2" - }, - "engines": { - "node": ">= 0.8.0" - } - }, - "node_modules/serve-static/node_modules/http-errors": { - "version": "1.8.1", - "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.8.1.tgz", - "integrity": "sha512-Kpk9Sm7NmI+RHhnj6OIWDI1d6fIoFAtFt9RLaTMRlg/8w49juAStsrBgp0Dp4OdxdVbRIeKhtCUvoi/RuAhO4g==", - "dev": true, - "dependencies": { - "depd": "~1.1.2", - "inherits": "2.0.4", - "setprototypeof": "1.2.0", - "statuses": ">= 1.5.0 < 2", - "toidentifier": "1.0.1" - }, - "engines": { - "node": ">= 0.6" - } - }, - "node_modules/serve-static/node_modules/mime": { - "version": "1.6.0", - "resolved": "https://registry.npmjs.org/mime/-/mime-1.6.0.tgz", - "integrity": "sha512-x0Vn8spI+wuJ1O6S7gnbaQg8Pxh4NNHb7KSINmEWKiPE4RKOplvijn+NkmYmmRgP68mc70j2EbeTFRsrswaQeg==", - "dev": true, - "bin": { - "mime": "cli.js" - }, - "engines": { - "node": ">=4" - } - }, - "node_modules/serve-static/node_modules/ms": { - "version": "2.1.3", - "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", - "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==", - "dev": true - }, - "node_modules/serve-static/node_modules/send": { - "version": "0.17.2", - "resolved": "https://registry.npmjs.org/send/-/send-0.17.2.tgz", - "integrity": "sha512-UJYB6wFSJE3G00nEivR5rgWp8c2xXvJ3OPWPhmuteU0IKj8nKbG3DrjiOmLwpnHGYWAVwA69zmTm++YG0Hmwww==", - "dev": true, - "dependencies": { - "debug": "2.6.9", - "depd": "~1.1.2", - "destroy": "~1.0.4", - "encodeurl": "~1.0.2", - "escape-html": "~1.0.3", - "etag": "~1.8.1", - "fresh": "0.5.2", - "http-errors": "1.8.1", - "mime": "1.6.0", - "ms": "2.1.3", - "on-finished": "~2.3.0", - "range-parser": "~1.2.1", - "statuses": "~1.5.0" - }, - "engines": { - "node": ">= 0.8.0" - } - }, - "node_modules/serve-static/node_modules/setprototypeof": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.2.0.tgz", - 
"integrity": "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==", - "dev": true - }, - "node_modules/set-blocking": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz", - "integrity": "sha1-BF+XgtARrppoA93TgrJDkrPYkPc=", - "dev": true - }, - "node_modules/set-value": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/set-value/-/set-value-2.0.1.tgz", - "integrity": "sha512-JxHc1weCN68wRY0fhCoXpyK55m/XPHafOmK4UWD7m2CI14GMcFypt4w/0+NV5f/ZMby2F6S2wwA7fgynh9gWSw==", - "dev": true, - "dependencies": { - "extend-shallow": "^2.0.1", - "is-extendable": "^0.1.1", - "is-plain-object": "^2.0.3", - "split-string": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/set-value/node_modules/extend-shallow": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz", - "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=", - "dev": true, - "dependencies": { - "is-extendable": "^0.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/set-value/node_modules/is-extendable": { - "version": "0.1.1", - "resolved": "https://registry.npmjs.org/is-extendable/-/is-extendable-0.1.1.tgz", - "integrity": "sha1-YrEQ4omkcUGOPsNqYX1HLjAd/Ik=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/setprototypeof": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.1.0.tgz", - "integrity": "sha512-BvE/TwpZX4FXExxOxZyRGQQv651MSwmWKZGqvmPcRIjDqWub67kTKuIMx43cZZrS/cBBzwBcNDWoFxt2XEFIpQ==", - "dev": true - }, - "node_modules/side-channel": { - "version": "1.0.4", - "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.0.4.tgz", - "integrity": "sha512-q5XPytqFEIKHkGdiMIrY10mvLRvnQh42/+GoBlFW3b2LXLE2xxJpZFdm94we0BaoV3RwJyGqg5wS7epxTv0Zvw==", - "dev": true, - "dependencies": { - "call-bind": "^1.0.0", - "get-intrinsic": 
"^1.0.2", - "object-inspect": "^1.9.0" - }, - "funding": { - "url": "https://github.com/sponsors/ljharb" - } - }, - "node_modules/snapdragon": { - "version": "0.8.2", - "resolved": "https://registry.npmjs.org/snapdragon/-/snapdragon-0.8.2.tgz", - "integrity": "sha512-FtyOnWN/wCHTVXOMwvSv26d+ko5vWlIDD6zoUJ7LW8vh+ZBC8QdljveRP+crNrtBwioEUWy/4dMtbBjA4ioNlg==", - "dev": true, - "dependencies": { - "base": "^0.11.1", - "debug": "^2.2.0", - "define-property": "^0.2.5", - "extend-shallow": "^2.0.1", - "map-cache": "^0.2.2", - "source-map": "^0.5.6", - "source-map-resolve": "^0.5.0", - "use": "^3.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/snapdragon-node": { - "version": "2.1.1", - "resolved": "https://registry.npmjs.org/snapdragon-node/-/snapdragon-node-2.1.1.tgz", - "integrity": "sha512-O27l4xaMYt/RSQ5TR3vpWCAB5Kb/czIcqUFOM/C4fYcLnbZUc1PkjTAMjof2pBWaSTwOUd6qUHcFGVGj7aIwnw==", - "dev": true, - "dependencies": { - "define-property": "^1.0.0", - "isobject": "^3.0.0", - "snapdragon-util": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/snapdragon-node/node_modules/define-property": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/define-property/-/define-property-1.0.0.tgz", - "integrity": "sha1-dp66rz9KY6rTr56NMEybvnm/sOY=", - "dev": true, - "dependencies": { - "is-descriptor": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/snapdragon-util": { - "version": "3.0.1", - "resolved": "https://registry.npmjs.org/snapdragon-util/-/snapdragon-util-3.0.1.tgz", - "integrity": "sha512-mbKkMdQKsjX4BAL4bRYTj21edOf8cN7XHdYUJEe+Zn99hVEYcMvKPct1IqNe7+AZPirn8BCDOQBHQZknqmKlZQ==", - "dev": true, - "dependencies": { - "kind-of": "^3.2.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/snapdragon-util/node_modules/kind-of": { - "version": "3.2.2", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz", - "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=", - "dev": 
true, - "dependencies": { - "is-buffer": "^1.1.5" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/snapdragon/node_modules/define-property": { - "version": "0.2.5", - "resolved": "https://registry.npmjs.org/define-property/-/define-property-0.2.5.tgz", - "integrity": "sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=", - "dev": true, - "dependencies": { - "is-descriptor": "^0.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/snapdragon/node_modules/extend-shallow": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-2.0.1.tgz", - "integrity": "sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=", - "dev": true, - "dependencies": { - "is-extendable": "^0.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/snapdragon/node_modules/is-accessor-descriptor": { - "version": "0.1.6", - "resolved": "https://registry.npmjs.org/is-accessor-descriptor/-/is-accessor-descriptor-0.1.6.tgz", - "integrity": "sha1-qeEss66Nh2cn7u84Q/igiXtcmNY=", - "dev": true, - "dependencies": { - "kind-of": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/snapdragon/node_modules/is-accessor-descriptor/node_modules/kind-of": { - "version": "3.2.2", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz", - "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=", - "dev": true, - "dependencies": { - "is-buffer": "^1.1.5" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/snapdragon/node_modules/is-data-descriptor": { - "version": "0.1.4", - "resolved": "https://registry.npmjs.org/is-data-descriptor/-/is-data-descriptor-0.1.4.tgz", - "integrity": "sha1-C17mSDiOLIYCgueT8YVv7D8wG1Y=", - "dev": true, - "dependencies": { - "kind-of": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/snapdragon/node_modules/is-data-descriptor/node_modules/kind-of": { - "version": "3.2.2", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz", - "integrity": 
"sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=", - "dev": true, - "dependencies": { - "is-buffer": "^1.1.5" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/snapdragon/node_modules/is-descriptor": { - "version": "0.1.6", - "resolved": "https://registry.npmjs.org/is-descriptor/-/is-descriptor-0.1.6.tgz", - "integrity": "sha512-avDYr0SB3DwO9zsMov0gKCESFYqCnE4hq/4z3TdUlukEy5t9C0YRq7HLrsN52NAcqXKaepeCD0n+B0arnVG3Hg==", - "dev": true, - "dependencies": { - "is-accessor-descriptor": "^0.1.6", - "is-data-descriptor": "^0.1.4", - "kind-of": "^5.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/snapdragon/node_modules/is-extendable": { - "version": "0.1.1", - "resolved": "https://registry.npmjs.org/is-extendable/-/is-extendable-0.1.1.tgz", - "integrity": "sha1-YrEQ4omkcUGOPsNqYX1HLjAd/Ik=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/source-map": { - "version": "0.5.7", - "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.5.7.tgz", - "integrity": "sha1-igOdLRAh0i0eoUyA2OpGi6LvP8w=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/source-map-js": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.0.2.tgz", - "integrity": "sha512-R0XvVJ9WusLiqTCEiGCmICCMplcCkIwwR11mOSD9CR5u+IXYdiseeEuXCVAjS54zqwkLcPNnmU4OeJ6tUrWhDw==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/source-map-resolve": { - "version": "0.5.3", - "resolved": "https://registry.npmjs.org/source-map-resolve/-/source-map-resolve-0.5.3.tgz", - "integrity": "sha512-Htz+RnsXWk5+P2slx5Jh3Q66vhQj1Cllm0zvnaY98+NFx+Dv2CF/f5O/t8x+KaNdrdIAsruNzoh/KpialbqAnw==", - "deprecated": "See https://github.com/lydell/source-map-resolve#deprecated", - "dev": true, - "dependencies": { - "atob": "^2.1.2", - "decode-uri-component": "^0.2.0", - "resolve-url": "^0.2.1", - "source-map-url": "^0.4.0", - "urix": "^0.1.0" - } - }, - "node_modules/source-map-support": { 
- "version": "0.5.21", - "resolved": "https://registry.npmjs.org/source-map-support/-/source-map-support-0.5.21.tgz", - "integrity": "sha512-uBHU3L3czsIyYXKX88fdrGovxdSCoTGDRZ6SYXtSRxLZUzHg5P/66Ht6uoUlHu9EZod+inXhKo3qQgwXUT/y1w==", - "dev": true, - "dependencies": { - "buffer-from": "^1.0.0", - "source-map": "^0.6.0" - } - }, - "node_modules/source-map-support/node_modules/source-map": { - "version": "0.6.1", - "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz", - "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/source-map-url": { - "version": "0.4.1", - "resolved": "https://registry.npmjs.org/source-map-url/-/source-map-url-0.4.1.tgz", - "integrity": "sha512-cPiFOTLUKvJFIg4SKVScy4ilPPW6rFgMgfuZJPNoDuMs3nC1HbMUycBoJw77xFIp6z1UJQJOfx6C9GMH80DiTw==", - "deprecated": "See https://github.com/lydell/source-map-url#deprecated", - "dev": true - }, - "node_modules/sparkles": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/sparkles/-/sparkles-1.0.1.tgz", - "integrity": "sha512-dSO0DDYUahUt/0/pD/Is3VIm5TGJjludZ0HVymmhYF6eNA53PVLhnUk0znSYbH8IYBuJdCE+1luR22jNLMaQdw==", - "dev": true, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/spdx-correct": { - "version": "3.1.1", - "resolved": "https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.1.1.tgz", - "integrity": "sha512-cOYcUWwhCuHCXi49RhFRCyJEK3iPj1Ziz9DpViV3tbZOwXD49QzIN3MpOLJNxh2qwq2lJJZaKMVw9qNi4jTC0w==", - "dev": true, - "dependencies": { - "spdx-expression-parse": "^3.0.0", - "spdx-license-ids": "^3.0.0" - } - }, - "node_modules/spdx-exceptions": { - "version": "2.3.0", - "resolved": "https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.3.0.tgz", - "integrity": "sha512-/tTrYOC7PPI1nUAgx34hUpqXuyJG+DTHJTnIULG4rDygi4xu/tfgmq1e1cIRwRzwZgo4NLySi+ricLkZkw4i5A==", - "dev": true - }, - "node_modules/spdx-expression-parse": { - 
"version": "3.0.1", - "resolved": "https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz", - "integrity": "sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==", - "dev": true, - "dependencies": { - "spdx-exceptions": "^2.1.0", - "spdx-license-ids": "^3.0.0" - } - }, - "node_modules/spdx-license-ids": { - "version": "3.0.11", - "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.11.tgz", - "integrity": "sha512-Ctl2BrFiM0X3MANYgj3CkygxhRmr9mi6xhejbdO960nF6EDJApTYpn0BQnDKlnNBULKiCN1n3w9EBkHK8ZWg+g==", - "dev": true - }, - "node_modules/split-string": { - "version": "3.1.0", - "resolved": "https://registry.npmjs.org/split-string/-/split-string-3.1.0.tgz", - "integrity": "sha512-NzNVhJDYpwceVVii8/Hu6DKfD2G+NrQHlS/V/qgv763EYudVwEcMQNxd2lh+0VrUByXN/oJkl5grOhYWvQUYiw==", - "dev": true, - "dependencies": { - "extend-shallow": "^3.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/stack-trace": { - "version": "0.0.10", - "resolved": "https://registry.npmjs.org/stack-trace/-/stack-trace-0.0.10.tgz", - "integrity": "sha1-VHxws0fo0ytOEI6hoqFZ5f3eGcA=", - "dev": true, - "engines": { - "node": "*" - } - }, - "node_modules/static-extend": { - "version": "0.1.2", - "resolved": "https://registry.npmjs.org/static-extend/-/static-extend-0.1.2.tgz", - "integrity": "sha1-YICcOcv/VTNyJv1eC1IPNB8ftcY=", - "dev": true, - "dependencies": { - "define-property": "^0.2.5", - "object-copy": "^0.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/static-extend/node_modules/define-property": { - "version": "0.2.5", - "resolved": "https://registry.npmjs.org/define-property/-/define-property-0.2.5.tgz", - "integrity": "sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=", - "dev": true, - "dependencies": { - "is-descriptor": "^0.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/static-extend/node_modules/is-accessor-descriptor": { - "version": "0.1.6", - 
"resolved": "https://registry.npmjs.org/is-accessor-descriptor/-/is-accessor-descriptor-0.1.6.tgz", - "integrity": "sha1-qeEss66Nh2cn7u84Q/igiXtcmNY=", - "dev": true, - "dependencies": { - "kind-of": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/static-extend/node_modules/is-accessor-descriptor/node_modules/kind-of": { - "version": "3.2.2", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz", - "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=", - "dev": true, - "dependencies": { - "is-buffer": "^1.1.5" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/static-extend/node_modules/is-data-descriptor": { - "version": "0.1.4", - "resolved": "https://registry.npmjs.org/is-data-descriptor/-/is-data-descriptor-0.1.4.tgz", - "integrity": "sha1-C17mSDiOLIYCgueT8YVv7D8wG1Y=", - "dev": true, - "dependencies": { - "kind-of": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/static-extend/node_modules/is-data-descriptor/node_modules/kind-of": { - "version": "3.2.2", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz", - "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=", - "dev": true, - "dependencies": { - "is-buffer": "^1.1.5" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/static-extend/node_modules/is-descriptor": { - "version": "0.1.6", - "resolved": "https://registry.npmjs.org/is-descriptor/-/is-descriptor-0.1.6.tgz", - "integrity": "sha512-avDYr0SB3DwO9zsMov0gKCESFYqCnE4hq/4z3TdUlukEy5t9C0YRq7HLrsN52NAcqXKaepeCD0n+B0arnVG3Hg==", - "dev": true, - "dependencies": { - "is-accessor-descriptor": "^0.1.6", - "is-data-descriptor": "^0.1.4", - "kind-of": "^5.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/statuses": { - "version": "1.5.0", - "resolved": "https://registry.npmjs.org/statuses/-/statuses-1.5.0.tgz", - "integrity": "sha1-Fhx9rBd2Wf2YEfQ3cfqZOBR4Yow=", - "dev": true, - "engines": { - "node": ">= 0.6" - } - }, - 
"node_modules/stream-exhaust": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/stream-exhaust/-/stream-exhaust-1.0.2.tgz", - "integrity": "sha512-b/qaq/GlBK5xaq1yrK9/zFcyRSTNxmcZwFLGSTG0mXgZl/4Z6GgiyYOXOvY7N3eEvFRAG1bkDRz5EPGSvPYQlw==", - "dev": true - }, - "node_modules/stream-shift": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/stream-shift/-/stream-shift-1.0.1.tgz", - "integrity": "sha512-AiisoFqQ0vbGcZgQPY1cdP2I76glaVA/RauYR4G4thNFgkTqr90yXTo4LYX60Jl+sIlPNHHdGSwo01AvbKUSVQ==", - "dev": true - }, - "node_modules/string_decoder": { - "version": "1.3.0", - "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz", - "integrity": "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==", - "dev": true, - "dependencies": { - "safe-buffer": "~5.2.0" - } - }, - "node_modules/string-template": { - "version": "0.2.1", - "resolved": "https://registry.npmjs.org/string-template/-/string-template-0.2.1.tgz", - "integrity": "sha1-QpMuWYo1LQH8IuwzZ9nYTuxsmt0=", - "dev": true - }, - "node_modules/string-width": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/string-width/-/string-width-1.0.2.tgz", - "integrity": "sha1-EYvfW4zcUaKn5w0hHgfisLmxB9M=", - "dev": true, - "dependencies": { - "code-point-at": "^1.0.0", - "is-fullwidth-code-point": "^1.0.0", - "strip-ansi": "^3.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/string-width/node_modules/ansi-regex": { - "version": "2.1.1", - "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-2.1.1.tgz", - "integrity": "sha1-w7M6te42DYbg5ijwRorn7yfWVN8=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/string-width/node_modules/strip-ansi": { - "version": "3.0.1", - "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-3.0.1.tgz", - "integrity": "sha1-ajhfuIU9lS1f8F0Oiq+UJ43GPc8=", - "dev": true, - "dependencies": { - "ansi-regex": "^2.0.0" - }, - 
"engines": { - "node": ">=0.10.0" - } - }, - "node_modules/strip-ansi": { - "version": "6.0.1", - "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", - "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", - "dev": true, - "dependencies": { - "ansi-regex": "^5.0.1" - }, - "engines": { - "node": ">=8" - } - }, - "node_modules/strip-bom": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/strip-bom/-/strip-bom-2.0.0.tgz", - "integrity": "sha1-YhmoVhZSBJHzV4i9vxRHqZx+aw4=", - "dev": true, - "dependencies": { - "is-utf8": "^0.2.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/supports-preserve-symlinks-flag": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz", - "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==", - "dev": true, - "engines": { - "node": ">= 0.4" - }, - "funding": { - "url": "https://github.com/sponsors/ljharb" - } - }, - "node_modules/sver-compat": { - "version": "1.5.0", - "resolved": "https://registry.npmjs.org/sver-compat/-/sver-compat-1.5.0.tgz", - "integrity": "sha1-PPh9/rTQe0o/FIJ7wYaz/QxkXNg=", - "dev": true, - "dependencies": { - "es6-iterator": "^2.0.1", - "es6-symbol": "^3.1.1" - } - }, - "node_modules/terser": { - "version": "5.10.0", - "resolved": "https://registry.npmjs.org/terser/-/terser-5.10.0.tgz", - "integrity": "sha512-AMmF99DMfEDiRJfxfY5jj5wNH/bYO09cniSqhfoyxc8sFoYIgkJy86G04UoZU5VjlpnplVu0K6Tx6E9b5+DlHA==", - "dev": true, - "dependencies": { - "commander": "^2.20.0", - "source-map": "~0.7.2", - "source-map-support": "~0.5.20" - }, - "bin": { - "terser": "bin/terser" - }, - "engines": { - "node": ">=10" - }, - "peerDependencies": { - "acorn": "^8.5.0" - }, - "peerDependenciesMeta": { - "acorn": { - "optional": true - } - } - }, - 
"node_modules/terser/node_modules/source-map": { - "version": "0.7.3", - "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.7.3.tgz", - "integrity": "sha512-CkCj6giN3S+n9qrYiBTX5gystlENnRW5jZeNLHpe6aue+SrHcG5VYwujhW9s4dY31mEGsxBDrHR6oI69fTXsaQ==", - "dev": true, - "engines": { - "node": ">= 8" - } - }, - "node_modules/through2": { - "version": "4.0.2", - "resolved": "https://registry.npmjs.org/through2/-/through2-4.0.2.tgz", - "integrity": "sha512-iOqSav00cVxEEICeD7TjLB1sueEL+81Wpzp2bY17uZjZN0pWZPuo4suZ/61VujxmqSGFfgOcNuTZ85QJwNZQpw==", - "dev": true, - "dependencies": { - "readable-stream": "3" - } - }, - "node_modules/through2-filter": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/through2-filter/-/through2-filter-3.0.0.tgz", - "integrity": "sha512-jaRjI2WxN3W1V8/FMZ9HKIBXixtiqs3SQSX4/YGIiP3gL6djW48VoZq9tDqeCWs3MT8YY5wb/zli8VW8snY1CA==", - "dev": true, - "dependencies": { - "through2": "~2.0.0", - "xtend": "~4.0.0" - } - }, - "node_modules/through2-filter/node_modules/readable-stream": { - "version": "2.3.7", - "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.7.tgz", - "integrity": "sha512-Ebho8K4jIbHAxnuxi7o42OrZgF/ZTNcsZj6nRKyUmkhLFq8CHItp/fy6hQZuZmP/n3yZ9VBUbp4zz/mX8hmYPw==", - "dev": true, - "dependencies": { - "core-util-is": "~1.0.0", - "inherits": "~2.0.3", - "isarray": "~1.0.0", - "process-nextick-args": "~2.0.0", - "safe-buffer": "~5.1.1", - "string_decoder": "~1.1.1", - "util-deprecate": "~1.0.1" - } - }, - "node_modules/through2-filter/node_modules/safe-buffer": { - "version": "5.1.2", - "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", - "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==", - "dev": true - }, - "node_modules/through2-filter/node_modules/string_decoder": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", - "integrity": 
"sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", - "dev": true, - "dependencies": { - "safe-buffer": "~5.1.0" - } - }, - "node_modules/through2-filter/node_modules/through2": { - "version": "2.0.5", - "resolved": "https://registry.npmjs.org/through2/-/through2-2.0.5.tgz", - "integrity": "sha512-/mrRod8xqpA+IHSLyGCQ2s8SPHiCDEeQJSep1jqLYeEUClOFG2Qsh+4FU6G9VeqpZnGW/Su8LQGc4YKni5rYSQ==", - "dev": true, - "dependencies": { - "readable-stream": "~2.3.6", - "xtend": "~4.0.1" - } - }, - "node_modules/time-stamp": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/time-stamp/-/time-stamp-1.1.0.tgz", - "integrity": "sha1-dkpaEa9QVhkhsTPztE5hhofg9cM=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/tiny-lr": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/tiny-lr/-/tiny-lr-1.1.1.tgz", - "integrity": "sha512-44yhA3tsaRoMOjQQ+5v5mVdqef+kH6Qze9jTpqtVufgYjYt08zyZAwNwwVBj3i1rJMnR52IxOW0LK0vBzgAkuA==", - "dev": true, - "dependencies": { - "body": "^5.1.0", - "debug": "^3.1.0", - "faye-websocket": "~0.10.0", - "livereload-js": "^2.3.0", - "object-assign": "^4.1.0", - "qs": "^6.4.0" - } - }, - "node_modules/tiny-lr/node_modules/debug": { - "version": "3.2.7", - "resolved": "https://registry.npmjs.org/debug/-/debug-3.2.7.tgz", - "integrity": "sha512-CFjzYYAi4ThfiQvizrFQevTTXHtnCqWfe7x1AhgEscTz6ZbLbfoLRLPugTQyBth6f8ZERVUSyWHFD/7Wu4t1XQ==", - "dev": true, - "dependencies": { - "ms": "^2.1.1" - } - }, - "node_modules/tiny-lr/node_modules/ms": { - "version": "2.1.3", - "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", - "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==", - "dev": true - }, - "node_modules/to-absolute-glob": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/to-absolute-glob/-/to-absolute-glob-2.0.2.tgz", - "integrity": "sha1-GGX0PZ50sIItufFFt4z/fQ98hJs=", - "dev": true, - 
"dependencies": { - "is-absolute": "^1.0.0", - "is-negated-glob": "^1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/to-object-path": { - "version": "0.3.0", - "resolved": "https://registry.npmjs.org/to-object-path/-/to-object-path-0.3.0.tgz", - "integrity": "sha1-KXWIt7Dn4KwI4E5nL4XB9JmeF68=", - "dev": true, - "dependencies": { - "kind-of": "^3.0.2" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/to-object-path/node_modules/kind-of": { - "version": "3.2.2", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz", - "integrity": "sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=", - "dev": true, - "dependencies": { - "is-buffer": "^1.1.5" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/to-regex": { - "version": "3.0.2", - "resolved": "https://registry.npmjs.org/to-regex/-/to-regex-3.0.2.tgz", - "integrity": "sha512-FWtleNAtZ/Ki2qtqej2CXTOayOH9bHDQF+Q48VpWyDXjbYxA4Yz8iDB31zXOBUlOHHKidDbqGVrTUvQMPmBGBw==", - "dev": true, - "dependencies": { - "define-property": "^2.0.2", - "extend-shallow": "^3.0.2", - "regex-not": "^1.0.2", - "safe-regex": "^1.1.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/to-regex-range": { - "version": "5.0.1", - "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz", - "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==", - "dev": true, - "dependencies": { - "is-number": "^7.0.0" - }, - "engines": { - "node": ">=8.0" - } - }, - "node_modules/to-through": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/to-through/-/to-through-2.0.0.tgz", - "integrity": "sha1-/JKtq6ByZHvAtn1rA2ZKoZUJOvY=", - "dev": true, - "dependencies": { - "through2": "^2.0.3" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/to-through/node_modules/readable-stream": { - "version": "2.3.7", - "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.7.tgz", - 
"integrity": "sha512-Ebho8K4jIbHAxnuxi7o42OrZgF/ZTNcsZj6nRKyUmkhLFq8CHItp/fy6hQZuZmP/n3yZ9VBUbp4zz/mX8hmYPw==", - "dev": true, - "dependencies": { - "core-util-is": "~1.0.0", - "inherits": "~2.0.3", - "isarray": "~1.0.0", - "process-nextick-args": "~2.0.0", - "safe-buffer": "~5.1.1", - "string_decoder": "~1.1.1", - "util-deprecate": "~1.0.1" - } - }, - "node_modules/to-through/node_modules/safe-buffer": { - "version": "5.1.2", - "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", - "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==", - "dev": true - }, - "node_modules/to-through/node_modules/string_decoder": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", - "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", - "dev": true, - "dependencies": { - "safe-buffer": "~5.1.0" - } - }, - "node_modules/to-through/node_modules/through2": { - "version": "2.0.5", - "resolved": "https://registry.npmjs.org/through2/-/through2-2.0.5.tgz", - "integrity": "sha512-/mrRod8xqpA+IHSLyGCQ2s8SPHiCDEeQJSep1jqLYeEUClOFG2Qsh+4FU6G9VeqpZnGW/Su8LQGc4YKni5rYSQ==", - "dev": true, - "dependencies": { - "readable-stream": "~2.3.6", - "xtend": "~4.0.1" - } - }, - "node_modules/toidentifier": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.1.tgz", - "integrity": "sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA==", - "dev": true, - "engines": { - "node": ">=0.6" - } - }, - "node_modules/type": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/type/-/type-1.2.0.tgz", - "integrity": "sha512-+5nt5AAniqsCnu2cEQQdpzCAh33kVx8n0VoFidKpB1dVVLAN/F+bgVOqOJqOnEnrhp222clB5p3vUlD+1QAnfg==", - "dev": true - }, - "node_modules/typedarray": { - "version": "0.0.6", - "resolved": 
"https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz", - "integrity": "sha1-hnrHTjhkGHsdPUfZlqeOxciDB3c=", - "dev": true - }, - "node_modules/unc-path-regex": { - "version": "0.1.2", - "resolved": "https://registry.npmjs.org/unc-path-regex/-/unc-path-regex-0.1.2.tgz", - "integrity": "sha1-5z3T17DXxe2G+6xrCufYxqadUPo=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/undertaker": { - "version": "1.3.0", - "resolved": "https://registry.npmjs.org/undertaker/-/undertaker-1.3.0.tgz", - "integrity": "sha512-/RXwi5m/Mu3H6IHQGww3GNt1PNXlbeCuclF2QYR14L/2CHPz3DFZkvB5hZ0N/QUkiXWCACML2jXViIQEQc2MLg==", - "dev": true, - "dependencies": { - "arr-flatten": "^1.0.1", - "arr-map": "^2.0.0", - "bach": "^1.0.0", - "collection-map": "^1.0.0", - "es6-weak-map": "^2.0.1", - "fast-levenshtein": "^1.0.0", - "last-run": "^1.1.0", - "object.defaults": "^1.0.0", - "object.reduce": "^1.0.0", - "undertaker-registry": "^1.0.0" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/undertaker-registry": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/undertaker-registry/-/undertaker-registry-1.0.1.tgz", - "integrity": "sha1-XkvaMI5KiirlhPm5pDWaSZglzFA=", - "dev": true, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/union-value": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/union-value/-/union-value-1.0.1.tgz", - "integrity": "sha512-tJfXmxMeWYnczCVs7XAEvIV7ieppALdyepWMkHkwciRpZraG/xwT+s2JN8+pr1+8jCRf80FFzvr+MpQeeoF4Xg==", - "dev": true, - "dependencies": { - "arr-union": "^3.1.0", - "get-value": "^2.0.6", - "is-extendable": "^0.1.1", - "set-value": "^2.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/union-value/node_modules/is-extendable": { - "version": "0.1.1", - "resolved": "https://registry.npmjs.org/is-extendable/-/is-extendable-0.1.1.tgz", - "integrity": "sha1-YrEQ4omkcUGOPsNqYX1HLjAd/Ik=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - 
"node_modules/unique-stream": { - "version": "2.3.1", - "resolved": "https://registry.npmjs.org/unique-stream/-/unique-stream-2.3.1.tgz", - "integrity": "sha512-2nY4TnBE70yoxHkDli7DMazpWiP7xMdCYqU2nBRO0UB+ZpEkGsSija7MvmvnZFUeC+mrgiUfcHSr3LmRFIg4+A==", - "dev": true, - "dependencies": { - "json-stable-stringify-without-jsonify": "^1.0.1", - "through2-filter": "^3.0.0" - } - }, - "node_modules/unpipe": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz", - "integrity": "sha1-sr9O6FFKrmFltIF4KdIbLvSZBOw=", - "dev": true, - "engines": { - "node": ">= 0.8" - } - }, - "node_modules/unset-value": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/unset-value/-/unset-value-1.0.0.tgz", - "integrity": "sha1-g3aHP30jNRef+x5vw6jtDfyKtVk=", - "dev": true, - "dependencies": { - "has-value": "^0.3.1", - "isobject": "^3.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/unset-value/node_modules/has-value": { - "version": "0.3.1", - "resolved": "https://registry.npmjs.org/has-value/-/has-value-0.3.1.tgz", - "integrity": "sha1-ex9YutpiyoJ+wKIHgCVlSEWZXh8=", - "dev": true, - "dependencies": { - "get-value": "^2.0.3", - "has-values": "^0.1.4", - "isobject": "^2.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/unset-value/node_modules/has-value/node_modules/isobject": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/isobject/-/isobject-2.1.0.tgz", - "integrity": "sha1-8GVWEJaj8dou9GJy+BXIQNh+DIk=", - "dev": true, - "dependencies": { - "isarray": "1.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/unset-value/node_modules/has-values": { - "version": "0.1.4", - "resolved": "https://registry.npmjs.org/has-values/-/has-values-0.1.4.tgz", - "integrity": "sha1-bWHeldkd/Km5oCCJrThL/49it3E=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/upath": { - "version": "1.2.0", - "resolved": 
"https://registry.npmjs.org/upath/-/upath-1.2.0.tgz", - "integrity": "sha512-aZwGpamFO61g3OlfT7OQCHqhGnW43ieH9WZeP7QxN/G/jS4jfqUkZxoryvJgVPEcrl5NL/ggHsSmLMHuH64Lhg==", - "dev": true, - "engines": { - "node": ">=4", - "yarn": "*" - } - }, - "node_modules/urix": { - "version": "0.1.0", - "resolved": "https://registry.npmjs.org/urix/-/urix-0.1.0.tgz", - "integrity": "sha1-2pN/emLiH+wf0Y1Js1wpNQZ6bHI=", - "deprecated": "Please see https://github.com/lydell/urix#deprecated", - "dev": true - }, - "node_modules/use": { - "version": "3.1.1", - "resolved": "https://registry.npmjs.org/use/-/use-3.1.1.tgz", - "integrity": "sha512-cwESVXlO3url9YWlFW/TA9cshCEhtu7IKJ/p5soJ/gGpj7vbvFrAY/eIioQ6Dw23KjZhYgiIo8HOs1nQ2vr/oQ==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/util-deprecate": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", - "integrity": "sha1-RQ1Nyfpw3nMnYvvS1KKJgUGaDM8=", - "dev": true - }, - "node_modules/utils-merge": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/utils-merge/-/utils-merge-1.0.1.tgz", - "integrity": "sha1-n5VxD1CiZ5R7LMwSR0HBAoQn5xM=", - "dev": true, - "engines": { - "node": ">= 0.4.0" - } - }, - "node_modules/v8flags": { - "version": "3.2.0", - "resolved": "https://registry.npmjs.org/v8flags/-/v8flags-3.2.0.tgz", - "integrity": "sha512-mH8etigqMfiGWdeXpaaqGfs6BndypxusHHcv2qSHyZkGEznCd/qAXCWWRzeowtL54147cktFOC4P5y+kl8d8Jg==", - "dev": true, - "dependencies": { - "homedir-polyfill": "^1.0.1" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/validate-npm-package-license": { - "version": "3.0.4", - "resolved": "https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz", - "integrity": "sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==", - "dev": true, - "dependencies": { - "spdx-correct": "^3.0.0", - "spdx-expression-parse": "^3.0.0" - } - }, - 
"node_modules/value-or-function": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/value-or-function/-/value-or-function-3.0.0.tgz", - "integrity": "sha1-HCQ6ULWVwb5Up1S/7OhWO5/42BM=", - "dev": true, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/vinyl": { - "version": "2.2.1", - "resolved": "https://registry.npmjs.org/vinyl/-/vinyl-2.2.1.tgz", - "integrity": "sha512-LII3bXRFBZLlezoG5FfZVcXflZgWP/4dCwKtxd5ky9+LOtM4CS3bIRQsmR1KMnMW07jpE8fqR2lcxPZ+8sJIcw==", - "dev": true, - "dependencies": { - "clone": "^2.1.1", - "clone-buffer": "^1.0.0", - "clone-stats": "^1.0.0", - "cloneable-readable": "^1.0.0", - "remove-trailing-separator": "^1.0.1", - "replace-ext": "^1.0.0" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/vinyl-fs": { - "version": "3.0.3", - "resolved": "https://registry.npmjs.org/vinyl-fs/-/vinyl-fs-3.0.3.tgz", - "integrity": "sha512-vIu34EkyNyJxmP0jscNzWBSygh7VWhqun6RmqVfXePrOwi9lhvRs//dOaGOTRUQr4tx7/zd26Tk5WeSVZitgng==", - "dev": true, - "dependencies": { - "fs-mkdirp-stream": "^1.0.0", - "glob-stream": "^6.1.0", - "graceful-fs": "^4.0.0", - "is-valid-glob": "^1.0.0", - "lazystream": "^1.0.0", - "lead": "^1.0.0", - "object.assign": "^4.0.4", - "pumpify": "^1.3.5", - "readable-stream": "^2.3.3", - "remove-bom-buffer": "^3.0.0", - "remove-bom-stream": "^1.2.0", - "resolve-options": "^1.1.0", - "through2": "^2.0.0", - "to-through": "^2.0.0", - "value-or-function": "^3.0.0", - "vinyl": "^2.0.0", - "vinyl-sourcemap": "^1.1.0" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/vinyl-fs/node_modules/readable-stream": { - "version": "2.3.7", - "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.7.tgz", - "integrity": "sha512-Ebho8K4jIbHAxnuxi7o42OrZgF/ZTNcsZj6nRKyUmkhLFq8CHItp/fy6hQZuZmP/n3yZ9VBUbp4zz/mX8hmYPw==", - "dev": true, - "dependencies": { - "core-util-is": "~1.0.0", - "inherits": "~2.0.3", - "isarray": "~1.0.0", - "process-nextick-args": "~2.0.0", - "safe-buffer": 
"~5.1.1", - "string_decoder": "~1.1.1", - "util-deprecate": "~1.0.1" - } - }, - "node_modules/vinyl-fs/node_modules/safe-buffer": { - "version": "5.1.2", - "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", - "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==", - "dev": true - }, - "node_modules/vinyl-fs/node_modules/string_decoder": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", - "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", - "dev": true, - "dependencies": { - "safe-buffer": "~5.1.0" - } - }, - "node_modules/vinyl-fs/node_modules/through2": { - "version": "2.0.5", - "resolved": "https://registry.npmjs.org/through2/-/through2-2.0.5.tgz", - "integrity": "sha512-/mrRod8xqpA+IHSLyGCQ2s8SPHiCDEeQJSep1jqLYeEUClOFG2Qsh+4FU6G9VeqpZnGW/Su8LQGc4YKni5rYSQ==", - "dev": true, - "dependencies": { - "readable-stream": "~2.3.6", - "xtend": "~4.0.1" - } - }, - "node_modules/vinyl-sourcemap": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/vinyl-sourcemap/-/vinyl-sourcemap-1.1.0.tgz", - "integrity": "sha1-kqgAWTo4cDqM2xHYswCtS+Y7PhY=", - "dev": true, - "dependencies": { - "append-buffer": "^1.0.2", - "convert-source-map": "^1.5.0", - "graceful-fs": "^4.1.6", - "normalize-path": "^2.1.1", - "now-and-later": "^2.0.0", - "remove-bom-buffer": "^3.0.0", - "vinyl": "^2.0.0" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/vinyl-sourcemap/node_modules/normalize-path": { - "version": "2.1.1", - "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-2.1.1.tgz", - "integrity": "sha1-GrKLVW4Zg2Oowab35vogE3/mrtk=", - "dev": true, - "dependencies": { - "remove-trailing-separator": "^1.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/vinyl-sourcemaps-apply": { - "version": "0.2.1", - "resolved": 
"https://registry.npmjs.org/vinyl-sourcemaps-apply/-/vinyl-sourcemaps-apply-0.2.1.tgz", - "integrity": "sha1-q2VJ1h0XLCsbh75cUI0jnI74dwU=", - "dev": true, - "dependencies": { - "source-map": "^0.5.1" - } - }, - "node_modules/vinyl/node_modules/replace-ext": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/replace-ext/-/replace-ext-1.0.1.tgz", - "integrity": "sha512-yD5BHCe7quCgBph4rMQ+0KkIRKwWCrHDOX1p1Gp6HwjPM5kVoCdKGNhN7ydqqsX6lJEnQDKZ/tFMiEdQ1dvPEw==", - "dev": true, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/websocket-driver": { - "version": "0.7.4", - "resolved": "https://registry.npmjs.org/websocket-driver/-/websocket-driver-0.7.4.tgz", - "integrity": "sha512-b17KeDIQVjvb0ssuSDF2cYXSg2iztliJ4B9WdsuB6J952qCPKmnVq4DyW5motImXHDC1cBT/1UezrJVsKw5zjg==", - "dev": true, - "dependencies": { - "http-parser-js": ">=0.5.1", - "safe-buffer": ">=5.1.0", - "websocket-extensions": ">=0.1.1" - }, - "engines": { - "node": ">=0.8.0" - } - }, - "node_modules/websocket-extensions": { - "version": "0.1.4", - "resolved": "https://registry.npmjs.org/websocket-extensions/-/websocket-extensions-0.1.4.tgz", - "integrity": "sha512-OqedPIGOfsDlo31UNwYbCFMSaO9m9G/0faIHj5/dZFDMFqPTcx6UwqyOy3COEaEOg/9VsGIpdqn62W5KhoKSpg==", - "dev": true, - "engines": { - "node": ">=0.8.0" - } - }, - "node_modules/which": { - "version": "1.3.1", - "resolved": "https://registry.npmjs.org/which/-/which-1.3.1.tgz", - "integrity": "sha512-HxJdYWq1MTIQbJ3nw0cqssHoTNU267KlrDuGZ1WYlxDStUtKUhOaJmh112/TZmHxxUfuJqPXSOm7tDyas0OSIQ==", - "dev": true, - "dependencies": { - "isexe": "^2.0.0" - }, - "bin": { - "which": "bin/which" - } - }, - "node_modules/which-module": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/which-module/-/which-module-1.0.0.tgz", - "integrity": "sha1-u6Y8qGGUiZT/MHc2CJ47lgJsKk8=", - "dev": true - }, - "node_modules/wrap-ansi": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-2.1.0.tgz", - "integrity": 
"sha1-2Pw9KE3QV5T+hJc8rs3Rz4JP3YU=", - "dev": true, - "dependencies": { - "string-width": "^1.0.1", - "strip-ansi": "^3.0.1" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/wrap-ansi/node_modules/ansi-regex": { - "version": "2.1.1", - "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-2.1.1.tgz", - "integrity": "sha1-w7M6te42DYbg5ijwRorn7yfWVN8=", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/wrap-ansi/node_modules/strip-ansi": { - "version": "3.0.1", - "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-3.0.1.tgz", - "integrity": "sha1-ajhfuIU9lS1f8F0Oiq+UJ43GPc8=", - "dev": true, - "dependencies": { - "ansi-regex": "^2.0.0" - }, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/wrappy": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", - "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8=", - "dev": true - }, - "node_modules/xtend": { - "version": "4.0.2", - "resolved": "https://registry.npmjs.org/xtend/-/xtend-4.0.2.tgz", - "integrity": "sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==", - "dev": true, - "engines": { - "node": ">=0.4" - } - }, - "node_modules/y18n": { - "version": "3.2.2", - "resolved": "https://registry.npmjs.org/y18n/-/y18n-3.2.2.tgz", - "integrity": "sha512-uGZHXkHnhF0XeeAPgnKfPv1bgKAYyVvmNL1xlKsPYZPaIHxGti2hHqvOCQv71XMsLxu1QjergkqogUnms5D3YQ==", - "dev": true - }, - "node_modules/yargs": { - "version": "7.1.2", - "resolved": "https://registry.npmjs.org/yargs/-/yargs-7.1.2.tgz", - "integrity": "sha512-ZEjj/dQYQy0Zx0lgLMLR8QuaqTihnxirir7EwUHp1Axq4e3+k8jXU5K0VLbNvedv1f4EWtBonDIZm0NUr+jCcA==", - "dev": true, - "dependencies": { - "camelcase": "^3.0.0", - "cliui": "^3.2.0", - "decamelize": "^1.1.1", - "get-caller-file": "^1.0.1", - "os-locale": "^1.4.0", - "read-pkg-up": "^1.0.1", - "require-directory": "^2.1.1", - "require-main-filename": "^1.0.1", - "set-blocking": "^2.0.0", - 
"string-width": "^1.0.2", - "which-module": "^1.0.0", - "y18n": "^3.2.1", - "yargs-parser": "^5.0.1" - } - }, - "node_modules/yargs-parser": { - "version": "5.0.1", - "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-5.0.1.tgz", - "integrity": "sha512-wpav5XYiddjXxirPoCTUPbqM0PXvJ9hiBMvuJgInvo4/lAOTZzUprArw17q2O1P2+GHhbBr18/iQwjL5Z9BqfA==", - "dev": true, - "dependencies": { - "camelcase": "^3.0.0", - "object.assign": "^4.1.0" - } - } - }, "dependencies": { "accepts": { "version": "1.3.7", @@ -10460,15 +4325,6 @@ "integrity": "sha512-AiisoFqQ0vbGcZgQPY1cdP2I76glaVA/RauYR4G4thNFgkTqr90yXTo4LYX60Jl+sIlPNHHdGSwo01AvbKUSVQ==", "dev": true }, - "string_decoder": { - "version": "1.3.0", - "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz", - "integrity": "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==", - "dev": true, - "requires": { - "safe-buffer": "~5.2.0" - } - }, "string-template": { "version": "0.2.1", "resolved": "https://registry.npmjs.org/string-template/-/string-template-0.2.1.tgz", @@ -10503,6 +4359,15 @@ } } }, + "string_decoder": { + "version": "1.3.0", + "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz", + "integrity": "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==", + "dev": true, + "requires": { + "safe-buffer": "~5.2.0" + } + }, "strip-ansi": { "version": "6.0.1", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", diff --git a/source/_static/js/main.js b/source/_static/js/main.js index ecbf1553b..69fe4a9b3 100644 --- a/source/_static/js/main.js +++ b/source/_static/js/main.js 
@@ -320,7 +320,7 @@ window.addEventListener("DOMContentLoaded", (event) => { else if (page_title === "Software Development Kits (SDK)") { list[i].insertAdjacentElement('beforebegin',developerPersona); } - else if (page_title === "MinIO Client") { + else if (page_title === "Kubernetes Reference") { list[i].insertAdjacentElement('beforebegin',referencePersona); } } diff --git a/source/_templates/platform-navigation.html b/source/_templates/platform-navigation.html index 4a81a0edb..4807c1871 100644 --- a/source/_templates/platform-navigation.html +++ b/source/_templates/platform-navigation.html @@ -1,37 +1,6 @@
{%- if pagename != "search" %} {%- endif %}
- - {%- if doc_platform == 'k8s' or doc_platform == 'openshift' or doc_platform == 'eks' or doc_platform == 'gke' or doc_platform == 'aks' -%} - - {%- endif -%}
diff --git a/source/administration/object-management.rst b/source/administration/object-management.rst index 59f7d9526..13520495b 100644 --- a/source/administration/object-management.rst +++ b/source/administration/object-management.rst @@ -97,11 +97,6 @@ Administrators typically control the creation and configuration of buckets. Client applications can then use :ref:`S3-compatible SDKs ` to create, list, retrieve, and :ref:`delete ` objects on the MinIO deployment. Clients therefore drive the overall hierarchy of data within a given bucket or prefix, where Administrators can exercise control using :ref:`policies ` to grant or deny access to an action or resource. -.. cond:: windows - - MinIO does not support the ``\`` or ``:`` characters in object names, regardless of support for those characters in Windows filesystems. - Use ``/`` as a delimiter in object names to have MinIO automatically create a folder structure using :term:`prefixes `. - MinIO has no hard :ref:`thresholds ` on the number of buckets, objects, or prefixes on a given deployment. The relative performance of the hardware and networking underlying the MinIO deployment may create a practical limit to the number of objects in a given prefix or bucket. Specifically, hardware using slower drives or network infrastructures tend to exhibit poor performance in buckets or prefixes with a flat hierarchy of objects. 
@@ -117,8 +112,13 @@ Consider the following points as general guidance for client applications worklo For a deeper discussion on the benefits of limiting prefix contents, see the article on :s3-docs:`optimizing S3 performance `. +.. note:: + + MinIO does not support the ``\`` or ``:`` characters in object names, regardless of support for those characters in Windows filesystems. + Use ``/`` as a delimiter in object names to have MinIO automatically create a folder structure using :term:`prefixes `. + Object Versioning ------------------ +----------------- .. image:: /images/retention/minio-versioning-multiple-versions.svg :alt: Object with Multiple Versions diff --git a/source/default-conf.py b/source/default-conf.py index a4f530b9a..3979461c9 100644 --- a/source/default-conf.py +++ b/source/default-conf.py @@ -72,6 +72,7 @@ 'eks-docs' : ('https://docs.aws.amazon.com/eks/latest/userguide/%s', None), 'minio-web' : ('https://min.io/%s?ref=docs', None), 'minio-docs' : ('https://min.io/docs/%s?ref=docs-internal', None), + 'minio-blog' : ('https://blog.min.io/%s?ref=docs', None), 'gke-docs' : ('https://cloud.google.com/kubernetes-engine/docs/%s', None), 'gcp-docs' : ('https://cloud.google.com/compute/docs/%s', None), 'gcs-docs' : ('https://cloud.google.com/storage/docs/%s', None), 
@@ -107,78 +108,6 @@ excludes = [] -if tags.has("linux"): - html_baseurl = 'https://min.io/docs/minio/linux/' - with open('url-excludes.yaml','r') as f: - for i in (yaml.safe_load_all(f)): - if i['tag'] == 'linux': - excludes = i['excludes'] - break - -elif tags.has("macos"): - html_baseurl = 'https://min.io/docs/minio/macos/' - with open('url-excludes.yaml','r') as f: - for i in (yaml.safe_load_all(f)): - if i['tag'] == 'macos': - excludes = i['excludes'] - break - -elif tags.has("windows"): - # html_baseurl is used for generating the sitemap.xml for each platform. These are combined in a sitemapindex.xml. - html_baseurl = 'https://min.io/docs/minio/windows/' - with open('url-excludes.yaml','r') as f: - for i in (yaml.safe_load_all(f)): - if i['tag'] == 'windows': - excludes = i['excludes'] - break - -elif tags.has("container"): - html_baseurl = 'https://min.io/docs/minio/container/' - with open('url-excludes.yaml','r') as f: - for i in (yaml.safe_load_all(f)): - if i['tag'] == 'container': - excludes = i['excludes'] - break - -elif tags.has("k8s") and not (tags.has("openshift") or tags.has("eks") or tags.has("gke") or tags.has("aks")): - html_baseurl = 'https://min.io/docs/minio/kubernetes/upstream/' - with open('url-excludes.yaml','r') as f: - for i in (yaml.safe_load_all(f)): - if i['tag'] == 'k8s': - excludes = i['excludes'] - break - -elif tags.has("openshift"): - html_baseurl = 'https://min.io/docs/minio/kubernetes/openshift/' - with open('url-excludes.yaml','r') as f: - for i in (yaml.safe_load_all(f)): - if i['tag'] == 'openshift': - excludes = i['excludes'] - break - -elif tags.has("eks"): - html_baseurl = 'https://min.io/docs/minio/kubernetes/eks/' - with open('url-excludes.yaml','r') as f: - for i in (yaml.safe_load_all(f)): - if i['tag'] == 'eks': - excludes = i['excludes'] - break - -elif tags.has("gke"): - html_baseurl = 'https://min.io/docs/minio/kubernetes/gke/' - with open('url-excludes.yaml','r') as f: - for i in (yaml.safe_load_all(f)): - if 
i['tag'] == 'gke': - excludes = i['excludes'] - break - -elif tags.has("aks"): - html_baseurl = 'https://min.io/docs/minio/kubernetes/aks/' - with open('url-excludes.yaml','r') as f: - for i in (yaml.safe_load_all(f)): - if i['tag'] == 'aks': - excludes = i['excludes'] - break exclude_patterns.extend(excludes) @@ -247,39 +176,21 @@ # Add https://www.min.io/robots.txt to html_extra_path list once available. html_extra_path = [ 'extra'] -# -- Project information ----------------------------------------------------- - -# We assume a single tag, since we control the builder - -platform = list(tags.tags.keys())[0] +html_baseurl = 'https://min.io/docs/minio/' -platform_fmt = "" +# -- Project information ----------------------------------------------------- -if platform == "k8s": - platform_fmt = "Kubernetes" -elif platform == "macos": - platform_fmt = "MacOS" -elif platform == "openshift": - platform_fmt = "OpenShift" -elif platform == "eks": - platform_fmt = "Elastic Kubernetes Service" -elif platform == "gke": - platform_fmt = "Google Kubernetes Engine" -elif platform == "aks": - platform_fmt = "Azure Kubernetes Service" -else: - platform_fmt = platform.capitalize() -project = 'MinIO Documentation for ' + platform_fmt +project = 'Documentation for MinIO Object Storage' copyright = '2020-Present, MinIO, Inc. ' author = 'MinIO Documentation Team' -html_title = 'MinIO Object Storage for ' + platform_fmt -html_short_title = 'MinIO Object Storage for ' + platform_fmt +html_title = 'MinIO Object Storage (AGPLv3)' +html_short_title = 'MinIO Object Storage' html_permalinks_icon = '' html_context = { - 'doc_platform': platform.lower(), + 'doc_platform': 'k8s', 'docs': [ # The first item has to be the current docs site # { 
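Review bot: `'doc_platform': 'k8s'` in `html_context` is now a fixed literal with nothing saying why, even though the build no longer selects a platform; any template that still compares `doc_platform` against other values (none visible in this hunk) would silently take the k8s branch. A one-line comment such as `# fixed to 'k8s' until templates stop branching on doc_platform` would record the intent, or the key could be dropped once no template reads it. The new `html_baseurl = 'https://min.io/docs/minio/'` also lost its explanation, because the only comment describing it sat in the removed windows branch; `# html_baseurl is used for generating sitemap.xml` above the assignment would restore it. The `html_context` dict continues outside the hunk.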
@@ -307,14 +218,9 @@ # k8s is temporary until integrating the references here -intersphinx_mapping = { - 'linux' : ('https://min.io/docs/minio/linux/', None), - 'kubernetes' : ('https://min.io/docs/minio/kubernetes/upstream/',None) -} - rst_prolog = """ -.. |platform| replace:: %s +.. |platform| replace:: 'foo' .. |podman| replace:: `Podman `__ @@ -324,8 +230,16 @@ .. |minio-latest| replace:: MINIOLATEST .. |minio-rpm| replace:: RPMURL .. |minio-deb| replace:: DEBURL -.. |minio-rpmarm64| replace:: RPMARM64URL -.. |minio-debarm64| replace:: DEBARM64URL +.. |minio-binary| replace:: MINIOURL +.. |minio-rpm-arm64| replace:: RPMARM64URL +.. |minio-deb-arm64| replace:: DEBARM64URL +.. |minio-binary-arm64| replace:: MINIOARM64URL +.. |minio-rpm-ppc64le| replace:: RPMPPC64LEURL +.. |minio-deb-ppc64le| replace:: DEBPPC64LEURL +.. |minio-binary-ppc64le| replace:: MINIOPPC64LEURL +.. |minio-rpms-390x| replace:: RPMS390XURL +.. |minio-debs-390x| replace:: DEBS390XURL +.. |minio-binarys-390x| replace:: MINIOS390XURL .. |subnet| replace:: `MinIO SUBNET `__ .. |subnet-short| replace:: `SUBNET `__ .. |SNSD| replace:: :abbr:`SNSD (Single-Node Single-Drive)` @@ -349,4 +263,4 @@ .. |rust-sdk-version| replace:: RUSTVERSION -""" % platform_fmt +""" diff --git a/source/design.rst b/source/design.rst index 9f09e8889..4e472589d 100644 --- a/source/design.rst +++ b/source/design.rst @@ -219,7 +219,7 @@ Grids Header 1 -------- -.. cond:: linux +.. cond:: mindocs .. include:: /includes/common/common-design.rst diff --git a/source/developers/file-transfer-protocol.rst b/source/developers/file-transfer-protocol.rst index 3148cc9d0..ea4a89413 100644 --- a/source/developers/file-transfer-protocol.rst +++ b/source/developers/file-transfer-protocol.rst 
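Review bot: `.. |platform| replace:: 'foo'` in `rst_prolog` is a placeholder, so every page that still uses `|platform|` will render the literal text 'foo', quotes included. Either give it real wording, for example `.. |platform| replace:: MinIO Object Storage` to match the new `html_short_title`, or remove the substitution together with its uses in the .rst sources. The last hunk of this file also drops `% platform_fmt`, so the prolog is no longer a format string; any `%%` escape in the part of `rst_prolog` outside these hunks would now come out doubled and should be checked. Removing `intersphinx_mapping` here would break any cross-project reference that relied on the `linux` or `kubernetes` inventories, if such references remain.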
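Review bot: The three s390x substitutions are named `|minio-rpms-390x|`, `|minio-debs-390x|` and `|minio-binarys-390x|`, which breaks the `minio-<package>-<arch>` pattern of the arm64 and ppc64le entries added beside them and looks like a misplaced hyphen. I would rename them to `.. |minio-rpm-s390x| replace:: RPMS390XURL`, `.. |minio-deb-s390x| replace:: DEBS390XURL` and `.. |minio-binary-s390x| replace:: MINIOS390XURL` before any document starts referring to the misspelt names. This hunk also renames `|minio-rpmarm64|` and `|minio-debarm64|` to hyphenated forms, so a page still using the old names would fail to resolve; those references are outside this hunk and need a check.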
@@ -12,13 +12,215 @@ File Transfer Protocol (FTP/SFTP) .. contents:: Table of Contents :local: - :depth: 1 + :depth: 2 -.. cond:: not k8s +.. tab-set:: + :class: parent - .. include:: /includes/linux/file-transfer-protocol-not-k8s.rst + .. tab-item:: Kubernetes + :sync: k8s -.. cond:: k8s and not (openshift or eks or gke or aks) + Starting with Operator 5.0.7 and :minio-release:`MinIO Server RELEASE.2023-04-20T17-56-55Z `, you can use the SSH File Transfer Protocol (SFTP) to interact with the objects on a MinIO Operator Tenant deployment. - .. include:: /includes/k8s/file-transfer-protocol-k8s.rst + SFTP is defined by the Internet Engineering Task Force (IETF) as an extension of SSH 2.0. + It allows file transfer over SSH for use with :ref:`Transport Layer Security (TLS) ` and virtual private network (VPN) applications. + + Enabling SFTP does not affect other MinIO features. + + .. tab-item:: Baremetal + :sync: baremetal + + Starting with :minio-release:`MinIO Server RELEASE.2023-04-20T17-56-55Z `, you can use the File Transfer Protocol (FTP) to interact with the objects on a MinIO deployment. + + You must specifically enable FTP or SFTP when starting the server. + Enabling either server type does not affect other MinIO features. + + This page uses the abbreviation FTP throughout, but you can use any of the supported FTP protocols described below. + +Supported Protocols +------------------- + +.. tab-set:: + :class: hidden + + .. tab-item:: Kubernetes + :sync: k8s + + The MinIO Operator only supports configuring SSH File Transfer Protocol (SFTP). + + .. tab-item:: Baremetal + :sync: baremetal + + When enabled, MinIO supports FTP access over the following protocols: + + - SSH File Transfer Protocol (SFTP) + + SFTP is defined by the Internet Engineering Task Force (IETF) as an extension of SSH 2.0. + SFTP allows file transfer over SSH for use with :ref:`Transport Layer Security (TLS) ` and virtual private network (VPN) applications. 
+ + Your FTP client must support SFTP. + + - File Transfer Protocol over SSL/TLS (FTPS) + + FTPS allows for encrypted FTP communication with TLS certificates over the standard FTP communication channel. + FTPS should not be confused with SFTP, as FTPS does not communicate over a Secure Shell (SSH). + + Your FTP client must support FTPS. + + - File Transfer Protocol (FTP) + + Unencrypted file transfer. + + MinIO does **not** recommend using unencrypted FTP for file transfer. + +Supported Commands +------------------ + +When enabled, MinIO supports the following SFTP operations: + +- ``get`` +- ``put`` +- ``ls`` +- ``mkdir`` +- ``rmdir`` +- ``delete`` + +MinIO does not support either ``append`` or ``rename`` operations. + +Considerations +-------------- + +Versioning +~~~~~~~~~~ + +SFTP clients can only operate on the :ref:`latest version ` of an object. +Specifically: + +- For read operations, MinIO only returns the latest version of the requested object(s) to the SFTP client. +- For write operations, MinIO applies normal versioning behavior and creates a new object version at the specified namespace. + ``rm`` and ``rmdir`` operations create ``DeleteMarker`` objects. + +Authentication and Access +~~~~~~~~~~~~~~~~~~~~~~~~~ + +SFTP access requires the same authentication as any other S3 client. +MinIO supports the following authentication providers: + +- :ref:`MinIO IDP ` users and their service accounts +- :ref:`Active Directory/LDAP ` users and their service accounts +- :ref:`OpenID/OIDC ` service accounts + +:ref:`STS ` credentials **cannot** access buckets or objects over SFTP. + +Authenticated users can access buckets and objects based on the :ref:`policies ` assigned to the user or parent user account. + +The SFTP protocol does not require any of the ``admin:*`` :ref:`permissions `. +You may not perform other MinIO admin actions with SFTP. + +Prerequisites +------------- + +.. tab-set:: + :class: hidden + + .. 
tab-item:: Kubernetes + :sync: k8s + + - MinIO Operator v5.0.7 or later. + - Enable an SFTP port (8022) for the server. + - A port to use for the SFTP commands and a range of ports to allow the SFTP server to request to use for the data transfer. + + .. tab-item:: Baremetal + :sync: baremetal + + - MinIO RELEASE.2023-04-20T17-56-55Z or later. + - Enable an FTP or SFTP port for the server. + - A port to use for the FTP commands and a range of ports to allow the FTP server to request to use for the data transfer. + +Procedure +--------- + +.. tab-set:: + :class: hidden + + .. tab-item:: Kubernetes + :sync: k8s + + .. include:: /includes/k8s/file-transfer-protocol-k8s.rst + + .. tab-item:: Baremetal + :sync: baremetal + + .. include:: /includes/linux/file-transfer-protocol-not-k8s.rst + +.. _minio-certificate-key-file-sftp-k8s: + +Connect to MinIO Using SFTP with a Certificate Key File +------------------------------------------------------- + +.. versionadded:: RELEASE.2024-05-07T06-41-25Z + + +MinIO supports mutual TLS (mTLS) certificate-based authentication on SFTP, where both the server and the client verify the authenticity of each other. + +This type of authentication requires the following: + +1. Public key file for the trusted certificate authority +2. Public key file for the MinIO Server minted and signed by the trusted certificate authority +3. Public key file for the user minted and signed by the trusted certificate authority for the client connecting by SFTP and located in the user's ``.ssh`` folder (or equivalent for the operating system) + +The keys must include a `principals list `__ of the user(s) that can authenticate with the key: + +.. code-block:: console + :class: copyable + + ssh-keygen -s ~/.ssh/ca_user_key -I miniouser -n miniouser -V +1h -z 1 miniouser1.pub + +- ``-s`` specifies the path to the certificate authority public key to use for generating this key. + The specified public key must have a ``principals`` list that includes this user. 
+- ``-I`` specifies the key identity for the public key. +- ``-n`` creates the ``user principals`` list for which this key is valid. + You must include the user for which this key is valid, and the user must match the username in MinIO. +- ``-V`` limits the duration for which the generated key is valid. + In this example, the key is valid for one hour. + Adjust the duration for your requirements. +- ``-z`` adds a serial number to the key to distinguish this generated public key from other keys signed by the same certificate authority public key. + +MinIO requires specifying the Certificate Authority used to sign the certificates for SFTP access. +Start or restart the MinIO Server and specify the path to the trusted certificate authority's public key using an ``--sftp="trusted-user-ca-key=PATH"`` flag: + + .. code-block:: console + :class: copyable + + minio server {path-to-server} --sftp="trusted-user-ca-key=/path/to/.ssh/ca_user_key.pub" {...other flags} + +When connecting to the MinIO Server with SFTP, the client verifies the MinIO Server's certificate. +The client then passes its own certificate to the MinIO Server. +The MinIO Server verifies the key created above by comparing its value to the the known public key from the certificate authority provided at server startup. + +Once the MinIO Server verifies the client's certificate, the user can connect to the MinIO server over SFTP: + +.. code-block:: bash + :class: copyable: + + sftp -P + +Require service account or LDAP for authentication +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +To force authentication to SFTP using LDAP or service account credentials, append a suffix to the username. +Valid suffixes are either ``=ldap`` or ``=svc``. + +.. code-block:: console + + > sftp -P 8022 my-ldap-user=ldap@[minio@localhost]:/bucket + + +.. code-block:: console + + > sftp -P 8022 my-ldap-user=svc@[minio@localhost]:/bucket + + +- Replace ``my-ldap-user`` with the username to use. 
+- Replace ``[minio@localhost]`` with the address of the MinIO server. diff --git a/source/developers/security-token-service.rst b/source/developers/security-token-service.rst index 17c53d155..dcd5bfb1d 100644 --- a/source/developers/security-token-service.rst +++ b/source/developers/security-token-service.rst @@ -45,4 +45,5 @@ MinIO supports the following STS API endpoints: :hidden: :glob: - /developers/security-token-service/* \ No newline at end of file + /developers/security-token-service/* + /developers/sts-for-operator diff --git a/source/includes/aks/deploy-minio-on-azure-kubernetes-service.rst b/source/includes/aks/deploy-minio-on-azure-kubernetes-service.rst deleted file mode 100644 index 9502f6014..000000000 --- a/source/includes/aks/deploy-minio-on-azure-kubernetes-service.rst +++ /dev/null 
@@ -1,53 +0,0 @@ - -.. _deploy-operator-gke: - -================================================= -Deploy MinIO Operator on Azure Kubernetes Service -================================================= - -.. default-domain:: minio - -.. contents:: Table of Contents - :local: - :depth: 1 - -Overview --------- - -`Azure Kubernetes Engine `__ (AKS) is a highly available, secure, and fully managed Kubernetes service from Microsoft Azure. -The MinIO Kubernetes Operator supports deploying MinIO Tenants onto AKS infrastructure using the MinIO Operator Console or `kustomize `__ for :minio-git:`YAML-defined deployments `. - -:minio-web:`Through the AKS Marketplace ` - MinIO maintains an `AKS Marketplace listing `__ through which you can register your AKS cluster with |subnet|. - Any MinIO tenant you deploy through Marketplace-connected clusters can take advantage of SUBNET registration, including 24/7 access to MinIO engineers. - -This page documents deploying the MinIO Operator through the CLI using Kustomize. -For instructions on deploying the MinIO Operator through the AKS Marketplace, see :minio-web:`Deploy MinIO through AKS ` - -This documentation assumes familiarity with all referenced Kubernetes and Azure Kubernetes Service concepts, utilities, and procedures. -While this documentation *may* provide guidance for configuring or deploying Kubernetes-related or Azure Kubernetes Service-related resources on a best-effort basis, it is not a replacement for the official :kube-docs:`Kubernetes Documentation <>`. - -Prerequisites -------------- - -Existing AKS Cluster -~~~~~~~~~~~~~~~~~~~~ - -This procedure assumes an existing :abbr:`AKS (Azure Kubernetes Service)` cluster onto which you can deploy the MinIO Operator. - -The Operator by default deploys pods and services with two replicas each and pod anti-affinity. -The AKS cluster should therefore have at least two nodes available for scheduling Operator pods and services. 
-While these nodes *may* be the same nodes intended for use by MinIO Tenants, co-locating Operator and Tenant pods may increase the risk of service interruptions due to the loss of any one node. - -``kubectl`` Access to the AKS Cluster -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Ensure your host machine has a ``kubectl`` installation compatible with the target AKS cluster. -For guidance on connecting ``kubectl`` to AKS, see :aks-docs:`Install kubectl and configure cluster access `. - -Procedure ---------- - -The following steps deploy Operator using Kustomize and a ``kustomization.yaml`` file from the MinIO Operator GitHub repository. - -.. include:: /includes/common/common-install-operator-kustomize.rst diff --git a/source/includes/baremetal/steps-configure-ad-ldap-external-identity-management.rst b/source/includes/baremetal/steps-configure-ad-ldap-external-identity-management.rst new file mode 100644 index 000000000..48f5992d7 --- /dev/null +++ b/source/includes/baremetal/steps-configure-ad-ldap-external-identity-management.rst 
@@ -0,0 +1,155 @@ +1. Set the Active Directory / LDAP Configuration Settings + + Configure the AD/LDAP provider using one of the following: + + * MinIO Client + * Environment variables + * MinIO Console + + All methods require starting/restarting the MinIO deployment to apply changes. + + The following tabs provide a quick reference for the available configuration methods: + + .. tab-set:: + + .. tab-item:: MinIO Client + + MinIO supports specifying the AD/LDAP provider settings using :mc:`mc idp ldap` commands. + + For distributed deployments, the :mc:`mc idp ldap` command applies the configuration to all nodes in the deployment. + + The following example code sets *all* configuration settings related to configuring an AD/LDAP provider for external identity management. + The minimum *required* settings are: + + - :mc-conf:`server_addr ` + - :mc-conf:`lookup_bind_dn ` + - :mc-conf:`lookup_bind_password ` + - :mc-conf:`user_dn_search_base_dn ` + - :mc-conf:`user_dn_search_filter ` + + .. code-block:: shell + :class: copyable + + mc idp ldap add ALIAS \ + server_addr="ldaps.example.net:636" \ + lookup_bind_dn="CN=xxxxx,OU=xxxxx,OU=xxxxx,DC=example,DC=net" \ + lookup_bind_password="xxxxxxxx" \ + user_dn_search_base_dn="DC=example,DC=net" \ + user_dn_search_filter="(&(objectCategory=user)(sAMAccountName=%s))" \ + group_search_filter= "(&(objectClass=group)(member=%d))" \ + group_search_base_dn="ou=MinIO Users,dc=example,dc=net" \ + enabled="true" \ + tls_skip_verify="off" \ + server_insecure=off \ + server_starttls="off" \ + srv_record_name="" \ + comment="Test LDAP server" + + For more complete documentation on these settings, see :mc:`mc idp ldap`. + + .. admonition:: :mc:`mc idp ldap` recommended + :class: note + + :mc:`mc idp ldap` offers additional features and improved validation over :mc-cmd:`mc admin config set` runtime configuration settings. 
+ :mc:`mc idp ldap` supports the same settings as :mc:`mc admin config` and the :mc-conf:`identity_ldap` configuration key. + + The :mc-conf:`identity_ldap` configuration key remains available for existing scripts and tools. + + .. tab-item:: Environment Variables + + MinIO supports specifying the AD/LDAP provider settings using :ref:`environment variables `. + The :mc:`minio server` process applies the specified settings on its next startup. + For distributed deployments, specify these settings across all nodes in the deployment using the *same* values. + Any differences in server configurations between nodes will result in startup or configuration failures. + + The following example code sets *all* environment variables related to configuring an AD/LDAP provider for external identity management. The minimum *required* variable are: + + - :envvar:`MINIO_IDENTITY_LDAP_SERVER_ADDR` + - :envvar:`MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN` + - :envvar:`MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD` + - :envvar:`MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN` + - :envvar:`MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER` + + .. 
code-block:: shell + :class: copyable + + export MINIO_IDENTITY_LDAP_SERVER_ADDR="ldaps.example.net:636" + export MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN="CN=xxxxx,OU=xxxxx,OU=xxxxx,DC=example,DC=net" + export MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN="dc=example,dc=net" + export MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER="(&(objectCategory=user)(sAMAccountName=%s))" + export MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD="xxxxxxxxx" + export MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER="(&(objectClass=group)(member=%d))" + export MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN="ou=MinIO Users,dc=example,dc=net" + export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY="off" + export MINIO_IDENTITY_LDAP_SERVER_INSECURE="off" + export MINIO_IDENTITY_LDAP_SERVER_STARTTLS="off" + export MINIO_IDENTITY_LDAP_SRV_RECORD_NAME="" + export MINIO_IDENTITY_LDAP_COMMENT="LDAP test server" + + For complete documentation on these variables, see :ref:`minio-server-envvar-external-identity-management-ad-ldap` + + .. tab-item:: MinIO Console + + MinIO supports specifying the AD/LDAP provider settings using the :ref:`MinIO Console `. + For distributed deployments, configuring AD/LDAP from the Console applies the configuration to all nodes in the deployment. + + .. include:: /includes/common-minio-external-auth.rst + :start-after: start-minio-ad-ldap-console-enable + :end-before: end-minio-ad-ldap-console-enable + +#. Restart the MinIO Deployment + + You must restart the MinIO deployment to apply the configuration changes. + + If you configured AD/LDAP from the MinIO Console, no additional action is required. + The MinIO Console automatically restarts the deployment after saving the new AD/LDAP configuration. + + For MinIO Client and environment variable configuration, use the :mc-cmd:`mc admin service restart` command to restart the deployment: + + .. code-block:: shell + :class: copyable + + mc admin service restart ALIAS + + Replace ``ALIAS`` with the :ref:`alias ` of the deployment to restart. + +#. 
Use the MinIO Console to Log In with AD/LDAP Credentials + + The MinIO Console supports the full workflow of authenticating to the AD/LDAP provider, generating temporary credentials using the MinIO :ref:`minio-sts-assumerolewithldapidentity` Security Token Service (STS) endpoint, and logging the user into the MinIO deployment. + + You can access the Console by opening the root URL for the MinIO cluster. For example, ``https://minio.example.net:9000``. + + Once logged in, you can perform any action for which the authenticated user is :ref:`authorized `. + + You can also create :ref:`access keys ` for supporting applications which must perform operations on MinIO. + Access Keys are long-lived credentials which inherit their privileges from the parent user. + The parent user can further restrict those privileges while creating the service account. + +#. Generate S3-Compatible Temporary Credentials using AD/LDAP Credentials + + MinIO requires clients to authenticate using :s3-api:`AWS Signature Version 4 protocol ` with support for the deprecated Signature Version 2 protocol. + Specifically, clients must present a valid access key and secret key to access any S3 or MinIO administrative API, such as ``PUT``, ``GET``, and ``DELETE`` operations. + + Applications can generate temporary access credentials as-needed using the :ref:`minio-sts-assumerolewithldapidentity` Security Token Service (STS) API endpoint and AD/LDAP user credentials. + MinIO provides an example Go application :minio-git:`ldap.go ` that manages this workflow. + + .. code-block:: shell + + POST https://minio.example.net?Action=AssumeRoleWithLDAPIdentity + &LDAPUsername=USERNAME + &LDAPPassword=PASSWORD + &Version=2011-06-15 + &Policy={} + + - Replace the ``LDAPUsername`` with the username of the AD/LDAP user. + + - Replace the ``LDAPPassword`` with the password of the AD/LDAP user. 
+ + - Replace the ``Policy`` with an inline URL-encoded JSON :ref:`policy ` that further restricts the permissions associated to the temporary credentials. + + Omit to use the :ref:`policy whose name matches ` the Distinguished Name (DN) of the AD/LDAP user. + + The API response consists of an XML document containing the access key, secret key, session token, and expiration date. + Applications can use the access key and secret key to access and perform operations on MinIO. + + See the :ref:`minio-sts-assumerolewithldapidentity` for reference documentation. \ No newline at end of file diff --git a/source/includes/baremetal/steps-configure-keycloak-identity-management.rst b/source/includes/baremetal/steps-configure-keycloak-identity-management.rst new file mode 100644 index 000000000..7c78c69e7 --- /dev/null +++ b/source/includes/baremetal/steps-configure-keycloak-identity-management.rst 
@@ -0,0 +1,85 @@
+.. |KEYCLOAK_URL| replace:: keycloak-url.example.net:8080
+.. |MINIO_S3_URL| replace:: minio-url.example.net:9000
+.. |MINIO_CONSOLE_URL| replace:: minio-url.example.net:9001
+
+#. Configure or Create a Client for Accessing Keycloak
+
+ Authenticate to the Keycloak :guilabel:`Administrative Console` and navigate to :guilabel:`Clients`.
+
+ .. include:: /includes/common/common-configure-keycloak-identity-management.rst
+ :start-after: start-configure-keycloak-client
+ :end-before: end-configure-keycloak-client
+
+#. Create Client Scope for MinIO Client
+
+ Client scopes allow Keycloak to map user attributes as part of the JSON Web Token (JWT) returned in authentication requests.
+ This allows MinIO to reference those attributes when assigning policies to the user.
+ This step creates the necessary client scope to support MinIO authorization after successful Keycloak authentication.
+
+ .. include:: /includes/common/common-configure-keycloak-identity-management.rst
+ :start-after: start-configure-keycloak-client-scope
+ :end-before: end-configure-keycloak-client-scope
+
+#. Apply the Necessary Attribute to Keycloak Users/Groups
+
+ You must assign an attribute named ``policy`` to the Keycloak Users or Groups.
+ Set the value to any :ref:`policy ` on the MinIO deployment.
+
+ .. include:: /includes/common/common-configure-keycloak-identity-management.rst
+ :start-after: start-configure-keycloak-user-group-attributes
+ :end-before: end-configure-keycloak-user-group-attributes
+
+#. Configure MinIO for Keycloak Authentication
+
+ MinIO supports multiple methods for configuring Keycloak authentication:
+
+ - Using the MinIO Console
+ - Using a terminal/shell and the :mc:`mc idp openid` command
+ - Using environment variables set prior to starting MinIO
+
+ .. tab-set::
+
+ .. tab-item:: MinIO Console
+
+ .. include:: /includes/common/common-configure-keycloak-identity-management.rst
+ :start-after: start-configure-keycloak-minio-console
+ :end-before: end-configure-keycloak-minio-console
+
+ .. tab-item:: CLI
+
+ .. include:: /includes/common/common-configure-keycloak-identity-management.rst
+ :start-after: start-configure-keycloak-minio-cli
+ :end-before: end-configure-keycloak-minio-cli
+
+ .. tab-item:: Environment Variables
+
+ .. include:: /includes/common/common-configure-keycloak-identity-management.rst
+ :start-after: start-configure-keycloak-minio-envvar
+ :end-before: end-configure-keycloak-minio-envvar
+
+ Restart the MinIO deployment for the changes to apply.
+
+ Check the MinIO logs and verify that startup succeeded with no errors related to the OIDC configuration.
+
+ If you attempt to log in with the Console, you should now see an (SSO) button using the configured :guilabel:`Display Name`.
+
+ Specify a configured user and attempt to log in.
+ MinIO should automatically redirect you to the Keycloak login entry.
+ Upon successful authentication, Keycloak should redirect you back to the MinIO Console using either the originating Console URL *or* the :guilabel:`Redirect URI` if configured.
+
+#. Generate Application Credentials using the Security Token Service (STS)
+
+ .. include:: /includes/common/common-configure-keycloak-identity-management.rst
+ :start-after: start-configure-keycloak-sts
+ :end-before: end-configure-keycloak-sts
+
+#. Next Steps
+
+ Applications should implement the :ref:`STS AssumeRoleWithWebIdentity ` flow using their :ref:`SDK ` of choice.
+ When STS credentials expire, applications should have logic in place to regenerate the JWT token, STS token, and MinIO credentials before retrying and continuing operations.
+
+ Alternatively, users can generate :ref:`access keys ` through the MinIO Console for the purpose of creating long-lived API-key like access using their Keycloak credentials.
+
+
+
+
diff --git a/source/includes/baremetal/steps-configure-openid-external-identity-management.rst b/source/includes/baremetal/steps-configure-openid-external-identity-management.rst
new file mode 100644
index 000000000..5507ed18b
--- /dev/null
+++ b/source/includes/baremetal/steps-configure-openid-external-identity-management.rst
@@ -0,0 +1,156 @@
+1. Set the OpenID Configuration Settings
+
+ You can configure the :abbr:`OIDC (OpenID Connect)` provider using either
+ environment variables *or* server runtime configuration settings. Both
+ methods require starting/restarting the MinIO deployment to apply changes. The
+ following tabs provide a quick reference of all required and optional
+ environment variables and configuration settings respectively:
+
+ .. tab-set::
+
+ .. tab-item:: Environment Variables
+
+ MinIO supports specifying the :abbr:`OIDC (OpenID Connect)` provider
+ settings using :ref:`environment variables
+ `. The
+ :mc:`minio server` process applies the specified settings on its next
+ startup. For distributed deployments, specify these settings across all
+ nodes in the deployment using the *same* values consistently.
+
+ The following example code sets *all* environment variables related to
+ configuring an :abbr:`OIDC (OpenID Connect)` provider for external
+ identity management. The minimum *required* variable is
+ :envvar:`MINIO_IDENTITY_OPENID_CONFIG_URL`:
+
+ .. code-block:: shell
+ :class: copyable
+
+ export MINIO_IDENTITY_OPENID_CONFIG_URL="https://openid-provider.example.net/.well-known/openid-configuration"
+ export MINIO_IDENTITY_OPENID_CLIENT_ID=""
+ export MINIO_IDENTITY_OPENID_CLIENT_SECRET=""
+ export MINIO_IDENTITY_OPENID_CLAIM_NAME=""
+ export MINIO_IDENTITY_OPENID_CLAIM_PREFIX=""
+ export MINIO_IDENTITY_OPENID_SCOPES=""
+ export MINIO_IDENTITY_OPENID_REDIRECT_URI=""
+ export MINIO_IDENTITY_OPENID_COMMENT=""
+
+ Replace the ``MINIO_IDENTITY_OPENID_CONFIG_URL`` with the URL endpoint of
+ the :abbr:`OIDC (OpenID Connect)` provider discovery document.
+
+ For complete documentation on these variables, see
+ :ref:`minio-server-envvar-external-identity-management-openid`
+
+ .. tab-item:: Configuration Settings
+
+ MinIO supports specifying the :abbr:`OIDC (OpenID Connect)` provider
+ settings using :mc-conf:`configuration settings `. The
+ :mc:`minio server` process applies the specified settings on its next
+ startup. For distributed deployments, the :mc:`mc admin config`
+ command applies the configuration to all nodes in the deployment.
+
+ The following example code sets *all* configuration settings related to
+ configuring an :abbr:`OIDC (OpenID Connect)` provider for external
+ identity management. The minimum *required* setting is
+ :mc-conf:`identity_openid config_url `:
+
+ .. code-block:: shell
+ :class: copyable
+
+ mc admin config set ALIAS/ identity_openid \
+ config_url="https://openid-provider.example.net/.well-known/openid-configuration" \
+ client_id="" \
+ client_secret="" \
+ claim_name="" \
+ claim_prefix="" \
+ scopes="" \
+ redirect_uri="" \
+ comment=""
+
+ Replace the ``config_url`` with the URL endpoint of the
+ :abbr:`OIDC (OpenID Connect)` provider discovery document.
+
+ For more complete documentation on these settings, see
+ :mc-conf:`identity_openid`.
+
+#. Restart the MinIO Deployment
+
+ You must restart the MinIO deployment to apply the configuration changes.
+ Use the :mc-cmd:`mc admin service restart` command to restart the deployment.
+
+ .. code-block:: shell
+ :class: copyable
+
+ mc admin service restart ALIAS
+
+ Replace ``ALIAS`` with the :ref:`alias ` of the deployment to
+ restart.
+
+#. Use the MinIO Console to Log In with OIDC Credentials
+
+ The MinIO Console supports the full workflow of authenticating to the
+ :abbr:`OIDC (OpenID Connect)` provider, generating temporary credentials using
+ the MinIO :ref:`minio-sts-assumerolewithwebidentity` Security Token Service
+ (STS) endpoint, and logging the user into the MinIO deployment.
+
+ Starting in :minio-release:`RELEASE.2021-07-08T01-15-01Z`, the MinIO Console is
+ embedded in the MinIO server. You can access the Console by opening the root URL
+ for the MinIO cluster. For example, ``https://minio.example.net:9000``.
+
+ From the Console, click :guilabel:`BUTTON` to begin the OpenID authentication
+ flow.
+
+ Once logged in, you can perform any action for which the authenticated
+ user is :ref:`authorized
+ `.
+
+ You can also create :ref:`access keys ` for
+ supporting applications which must perform operations on MinIO. Access Keys
+ are long-lived credentials which inherit their privileges from the parent user.
+ The parent user can further restrict those privileges while creating the service
+ account.
+
+#. Generate S3-Compatible Temporary Credentials using OIDC Credentials
+
+ MinIO requires clients authenticate using :s3-api:`AWS Signature Version 4
+ protocol ` with support for the deprecated
+ Signature Version 2 protocol. Specifically, clients must present a valid access
+ key and secret key to access any S3 or MinIO administrative API, such as
+ ``PUT``, ``GET``, and ``DELETE`` operations.
+
+ Applications can generate temporary access credentials as-needed using the
+ :ref:`minio-sts-assumerolewithwebidentity` Security Token Service (STS)
+ API endpoint and the JSON Web Token (JWT) returned by the
+ :abbr:`OIDC (OpenID Connect)` provider.
+
+ The application must provide a workflow for logging into the
+ :abbr:`OIDC (OpenID Connect)` provider and retrieving the
+ JSON Web Token (JWT) associated to the authentication session. Defer to the
+ provider documentation for obtaining and parsing the JWT token after successful
+ authentication. MinIO provides an example Go application
+ :minio-git:`web-identity.go ` with
+ an example of managing this workflow.
+
+ Once the application retrieves the JWT token, use the
+ ``AssumeRoleWithWebIdentity`` endpoint to generate the temporary credentials:
+
+ .. code-block:: shell
+ :class: copyable
+
+ POST https://minio.example.net?Action=AssumeRoleWithWebIdentity
+ &WebIdentityToken=TOKEN
+ &Version=2011-06-15
+ &DurationSeconds=86400
+ &Policy=Policy
+
+ - Replace the ``TOKEN`` with the JWT token returned in the previous step.
+ - Replace the ``DurationSeconds`` with the duration in seconds until the temporary credentials expire. The example above specifies a period of ``86400`` seconds, or 24 hours. + - Replace the ``Policy`` with an inline URL-encoded JSON :ref:`policy ` that further restricts the permissions associated to the temporary credentials. + + Omit to use the policy associated to the OpenID user :ref:`policy claim `. + + The API response consists of an XML document containing the + access key, secret key, session token, and expiration date. Applications + can use the access key and secret key to access and perform operations on + MinIO. + + See the :ref:`minio-sts-assumerolewithwebidentity` for reference documentation. \ No newline at end of file diff --git a/source/includes/common-installation.rst b/source/includes/common-installation.rst index ce51a039c..a0eadf402 100644 --- a/source/includes/common-installation.rst +++ b/source/includes/common-installation.rst @@ -3,7 +3,7 @@ The following tabs provide examples of installing MinIO onto 64-bit Linux operating systems using RPM, DEB, or binary. The RPM and DEB packages automatically install MinIO to the necessary system paths and create a ``minio`` service for ``systemctl``. MinIO strongly recommends using the RPM or DEB installation routes. -To update deployments managed using ``systemctl``, see :ref:`minio-upgrade-systemctl`. +To update deployments managed using ``systemctl``, see :ref:`minio-upgrade`. .. tab-set:: diff --git a/source/includes/common/common-k8s-connect-operator-console-no-plugin.rst b/source/includes/common/common-k8s-connect-operator-console-no-plugin.rst deleted file mode 100644 index 64c2bff9a..000000000 --- a/source/includes/common/common-k8s-connect-operator-console-no-plugin.rst +++ /dev/null 
@@ -1,35 +0,0 @@ -The Operator Console service does not automatically bind or expose itself for external access on the Kubernetes cluster. -Instead, you must configure a network control plane component, such as a load balancer or ingress, to grant external access. - -For testing purposes or short-term access, expose the Operator Console service through a NodePort using the following patch: - -.. code-block:: shell - :class: copyable - - kubectl patch service -n minio-operator console -p ' - { - "spec": { - "ports": [ - { - "name": "http", - "port": 9090, - "protocol": "TCP", - "targetPort": 9090, - "nodePort": 30090 - }, - { - "name": "https", - "port": 9443, - "protocol": "TCP", - "targetPort": 9443, - "nodePort": 30433 - } - ], - "type": "NodePort" - } - }' - -After applying the path, you can access the service through port ``30433`` on any of the Kubernetes worker nodes. - -Append the ``nodePort`` value to the externally-accessible IP address of a worker node in your Kubernetes cluster. -Use the appropriate ``http`` or ``https`` port depending on whether you deployed Operator Console with TLS. diff --git a/source/includes/common/common-k8s-connect-operator-console.rst b/source/includes/common/common-k8s-connect-operator-console.rst deleted file mode 100644 index b8c50dca2..000000000 --- a/source/includes/common/common-k8s-connect-operator-console.rst +++ /dev/null 
@@ -1,60 +0,0 @@ -.. dropdown:: Port Forwarding - :open: - - The :ref:`Operator Console service ` does not automatically bind or expose itself for external access on the Kubernetes cluster. - Instead, configure a network control plane component, such as a load balancer or ingress, to grant external access. - - .. cond:: k8s and not openshift - - For testing purposes or short-term access, expose the Operator Console service through a NodePort using the following patch: - - .. code-block:: shell - :class: copyable - - kubectl patch service -n minio-operator console -p ' - { - "spec": { - "ports": [ - { - "name": "http", - "port": 9090, - "protocol": "TCP", - "targetPort": 9090, - "nodePort": 30090 - }, - { - "name": "https", - "port": 9443, - "protocol": "TCP", - "targetPort": 9443, - "nodePort": 30433 - } - ], - "type": "NodePort" - } - }' - - The patch command should output ``service/console patched``. - You can now access the service through ports ``30433`` (HTTPS) or ``30090`` (HTTP) on any of your Kubernetes worker nodes. - - For example, a Kubernetes cluster with the following Operator nodes might be accessed at ``https://172.18.0.2:30443``: - - .. code-block:: shell - - kubectl get nodes -o custom-columns=IP:.status.addresses[:] - IP - map[address:172.18.0.5 type:InternalIP],map[address:k3d-MINIO-agent-3 type:Hostname] - map[address:172.18.0.6 type:InternalIP],map[address:k3d-MINIO-agent-2 type:Hostname] - map[address:172.18.0.2 type:InternalIP],map[address:k3d-MINIO-server-0 type:Hostname] - map[address:172.18.0.4 type:InternalIP],map[address:k3d-MINIO-agent-1 type:Hostname] - map[address:172.18.0.3 type:InternalIP],map[address:k3d-MINIO-agent-0 type:Hostname] - - Use the following command to retrieve the JWT token necessary for logging into the Operator Console: - - .. 
code-block:: shell - :class: copyable - - kubectl get secret/console-sa-secret -n minio-operator -o json | jq -r '.data.token' | base64 -d - - If your local host does not have the ``jq`` utility installed, you can run the ``kubectl`` part of this command (before ``| jq``) and locate the ``data.token`` section of the output. - diff --git a/source/includes/common/installation.rst b/source/includes/common/installation.rst deleted file mode 100644 index 815448d67..000000000 --- a/source/includes/common/installation.rst +++ /dev/null 
@@ -1,147 +0,0 @@ -.. _minio-installation: - -======================== -Install and Deploy MinIO -======================== - -.. default-domain:: minio - -.. contents:: Table of Contents - :local: - :depth: 1 - -.. meta:: - :description: MinIO Deployment Topologies and Installation Instructions - :keywords: MinIO, Deploy, Architecture, Topology, Distributed, Replication, Install - -.. container:: extlinks-video - - - `Installing and Running MinIO on Linux `__ - - - `Object Storage Essentials `__ - - - `How to Connect to MinIO with JavaScript `__ - -MinIO is a software-defined high performance distributed object storage server. -You can run MinIO on consumer or enterprise-grade hardware and a variety -of operating systems and architectures. - -All MinIO deployments implement :ref:`Erasure Coding ` backends. -You can deploy MinIO using one of the following topologies: - -.. _minio-installation-comparison: - -:ref:`Single-Node Single-Drive ` (SNSD or "Standalone") - Local development and evaluation with no/limited reliability - -:ref:`Single-Node Multi-Drive ` (SNMD or "Standalone Multi-Drive") - Workloads with lower performance, scale, and capacity requirements - - Drive-level reliability with configurable tolerance for loss of up to 1/2 all drives - - Evaluation of multi-drive topologies and failover behavior. - -:ref:`Multi-Node Multi-Drive ` (MNMD or "Distributed") - Enterprise-grade high-performance object storage - - Multi Node/Drive level reliability with configurable tolerance for loss of up to 1/2 all nodes/drives - - Primary storage for AI/ML, Distributed Query, Analytics, and other Data Lake components - - Scalable for Petabyte+ workloads - both storage capacity and performance - -.. cond:: macos or windows - - .. note:: - - Use |platform|-based MinIO deployments for early development and evaluation. - MinIO provides no guarantee of support for :abbr:`SNMD (Single-Node Multi-Drive)` or :abbr:`MNMD (Multi-Node Multi-Drive)` topologies on |platform|. 
- - MinIO strongly recommends :minio-docs:`Linux (RHEL, Ubuntu) ` or :minio-docs:`Kubernetes (Upstream, OpenShift) ` for long-term development and production environments. - -Site Replication ----------------- - -Site replication expands the features of bucket replication to include IAM, security tokens, access keys, and bucket features the same across all sites. - -:ref:`Site replication ` links multiple MinIO deployments together and keeps the buckets, objects, and Identity and Access Management (IAM) settings in sync across all connected sites. - -.. include:: /includes/common-replication.rst - :start-after: start-mc-admin-replicate-what-replicates - :end-before: end-mc-admin-replicate-what-replicates - -.. cond:: macos or windows - - MinIO does not recommend using |platform| hosts for site replication outside of early development, evaluation, or general experimentation. - For production, use :minio-docs:`Linux ` or :minio-docs:`Kubernetes `. - -What Does Not Replicate? -~~~~~~~~~~~~~~~~~~~~~~~~ - -Not everything replicates across sites. - -.. include:: /includes/common-replication.rst - :start-after: start-mc-admin-replicate-what-does-not-replicate - :end-before: end-mc-admin-replicate-what-does-not-replicate - -.. _minio-installation-platform-support: - -Platform Support ----------------- - -.. cond:: linux - - MinIO provides builds of the MinIO server (:mc:`minio`) and the - MinIO :abbr:`CLI (Command Line Interface)` (:mc:`mc`) for the following - platforms. - - - Red Hat Enterprise Linux 8.5+ (including all binary-compatible RHEL alternatives) - - Ubuntu 18.04+ - - MinIO provides builds for the following architectures: - - - AMD64 - - ARM64 - - PowerPC 64 LE - - S390X - -.. cond:: macos - - MinIO recommends non-EOL macOS versions (10.14+). - -For unlisted platforms or architectures, please reach out to MinIO at -hello@min.io for additional support and guidance. 
You can build MinIO from -:minio-git:`source ` and -`cross-compile -`__ -for your platform and architecture combo. MinIO generally does not recommend -source-based installations in production environments. - -.. cond:: linux - - .. toctree:: - :titlesonly: - :hidden: - - /operations/install-deploy-manage/deploy-minio-single-node-single-drive - /operations/install-deploy-manage/deploy-minio-single-node-multi-drive - /operations/install-deploy-manage/deploy-minio-multi-node-multi-drive - /operations/install-deploy-manage/multi-site-replication - -.. cond:: windows - - .. toctree:: - :titlesonly: - :hidden: - - /operations/install-deploy-manage/deploy-minio-single-node-single-drive - -.. cond:: macos - - .. toctree:: - :titlesonly: - :hidden: - - /operations/install-deploy-manage/deploy-minio-single-node-single-drive - /operations/install-deploy-manage/deploy-minio-single-node-multi-drive - /operations/install-deploy-manage/multi-site-replication \ No newline at end of file diff --git a/source/includes/container/common-deploy.rst b/source/includes/container/common-deploy.rst deleted file mode 100644 index 0134ab59c..000000000 --- a/source/includes/container/common-deploy.rst +++ /dev/null 
@@ -1,120 +0,0 @@ -.. start-common-deploy-pull-latest-minio-image - -Select the tab for either Podman or Docker to see instructions for pulling the MinIO container image. -The instructions include examples for both quay.io and DockerHub: - -.. tab-set:: - - .. tab-item:: Podman - - quay.io - .. code-block:: shell - :class: copyable - - podman pull quay.io/minio/minio - - DockerHub - .. code-block:: shell - :class: copyable - - podman pull docker://minio/minio - - .. tab-item:: Docker - - quay.io - .. code-block:: shell - :class: copyable - - docker pull quay.io/minio/minio - - DockerHub - .. code-block:: shell - :class: copyable - - docker pull docker://minio/minio - -.. end-common-deploy-pull-latest-minio-image - -.. start-common-deploy-validate-container-status - -.. tab-set:: - - .. tab-item:: Podman - - Run the following command to retrieve logs from the container. - Replace the container name with the value specified to ``--name`` in the previous step. - - .. code-block:: shell - :class: copyable - - podman logs minio - - The command should return output similar to the following: - - .. tab-item:: Docker - - Run the following command to retrieve logs from the container. - Replace the container name with the value specified to ``--name`` in the previous step. - - .. code-block:: shell - :class: copyable - - docker logs minio - - The command should return output similar to the following: - -.. end-common-deploy-validate-container-status - -.. start-common-deploy-connect-to-minio-service - -.. tab-set:: - - .. tab-item:: MinIO Web Console - - You can access the MinIO Web Console by entering http://localhost:9001 in your preferred browser. - Any traffic to the MinIO Console port on the local host redirects to the container. - - Log in with the :envvar:`MINIO_ROOT_USER` and :envvar:`MINIO_ROOT_PASSWORD` configured in the environment file specified to the container. - - .. 
image:: /images/minio-console/console-bucket-none.png - :width: 600px - :alt: MinIO Console displaying Buckets view in a fresh installation. - :align: center - - You can use the MinIO Console for general administration tasks like Identity and Access Management, Metrics and Log Monitoring, or Server Configuration. Each MinIO server includes its own embedded MinIO Console. - - If your local host firewall permits external access to the Console port, other hosts on the same network can access the Console using the IP or hostname for your local host. - - .. tab-item:: MinIO CLI (mc) - - You can access the MinIO deployment over a Terminal or Shell using the :ref:`MinIO Client ` (:mc:`mc`). - See :ref:`MinIO Client Installation Quickstart ` for instructions on installing :mc:`mc`. - - Create a new :mc:`alias ` corresponding to the MinIO deployment. - Use a hostname or IP address for your local machine along with the S3 API port ``9000`` to access the MinIO deployment. - Any traffic to that port on the local host redirects to the container. - - .. code-block:: shell - :class: copyable - - mc alias set minio-alias http://localhost:9000 myminioadmin minio-secret-key-change-me - - - Replace ``minio-alias`` with the alias name to create for this deployment. - - - Replace ``myminioadmin`` and ``minio-secret-key-change-me`` with the :envvar:`MINIO_ROOT_USER` and :envvar:`MINIO_ROOT_PASSWORD` values in the environment file specified to the container. - - The command should return success if the container is running and accessible at the specified port. - - You can then interact with the container using any :mc:`mc` command. - If your local host firewall permits external access to the MinIO S3 API port, other hosts on the same network can access the MinIO deployment using the IP or hostname for your local host. - -.. end-common-deploy-connect-to-minio-service - -.. 
start-common-prereq-container-management-interface - -This procedure assumes you have a working `Podman `_ installation configured to run in "Rootfull" mode. - -"Rootless" modes may not provide sufficient permissions to run KES with the necessary security settings. -See the relevant :podman-git:`"rootless" documentation ` for more information. - -.. end-common-prereq-container-management-interface \ No newline at end of file diff --git a/source/includes/container/installation.rst b/source/includes/container/installation.rst deleted file mode 100644 index 1af9050ae..000000000 --- a/source/includes/container/installation.rst +++ /dev/null 
@@ -1,96 +0,0 @@ -.. _minio-installation: - -======================== -Install and Deploy MinIO -======================== - -.. default-domain:: minio - -.. contents:: Table of Contents - :local: - :depth: 1 - -.. container:: extlinks-video - - - `Installing and Running MinIO: Overview `__ - - `Installing and Running MinIO: Installation Lab `__ - - `Installing and Running MinIO: Docker Compose Overview `__ - - `Installing and Running MinIO: Docker Compose Lab: `__ - -MinIO is a software-defined high performance distributed object storage server. -You can run MinIO on consumer or enterprise-grade hardware and a variety of operating systems and architectures. - -MinIO supports three deployment topologies: - -Single-Node Single-Drive (SNSD or "Standalone") - A single MinIO server with a single storage volume or folder. - |SNSD| deployment provides failover protections. Drive-level reliability and failover depends on the underlying storage volume. - - |SNSD| deployments are best suited for evaluation and initial development of applications using MinIO for object storage. - - |SNSD| deployments implement a zero-parity erasure coding backend and include support for the following erasure-coding dependent features: - - - :ref:`Versioning ` - - :ref:`Object Locking / Retention ` - -Single-Node Multi-Drive (SNMD or "Standalone Multi-Drive") - A single MinIO server with four or more storage volumes. - |SNMD| deployments provide drive-level reliability and failover only. - -Multi-Node Multi-Drive (MNMD or "Distributed") - Multiple MinIO servers with at least four drives across all servers. - The distributed |MNMD| topology supports production-grade object storage with drive and node-level availability and resiliency. - -.. note:: - - This documentation provides instructions for |SNSD| and |SNMD| for supporting local development and evaluation of MinIO on a single host machine **only**. 
- For |MNMD| deployments, use the MinIO Kubernetes Operator to :minio-docs:`deploy and manage MinIO tenants in a containerized and orchestrated environment `. - -Site Replication ----------------- - -:ref:`Site replication ` links multiple MinIO deployments together and keeps the buckets, objects, and Identity and Access Management (IAM) settings in sync across all connected sites. - -.. include:: /includes/common-replication.rst - :start-after: start-mc-admin-replicate-what-replicates - :end-before: end-mc-admin-replicate-what-replicates - -.. important:: - - MinIO does not recommend using |platform| hosts for site replication outside of early development, evaluation, or general experimentation. - For production, use :minio-docs:`Kubernetes ` for an orchestrated container environment. - -What Does Not Replicate? -~~~~~~~~~~~~~~~~~~~~~~~~ - -Not everything replicates across sites. - -.. include:: /includes/common-replication.rst - :start-after: start-mc-admin-replicate-what-does-not-replicate - :end-before: end-mc-admin-replicate-what-does-not-replicate - -.. _minio-installation-platform-support: - -Platform Support ----------------- - -MinIO provides container images at the following repositories: - -- https://hub.docker.com/r/minio/minio -- https://quay.io/repository/minio/minio?tab=info - -.. versionchanged:: RELEASE.2022-12-02T19-19-22Z - - These images include the :ref:`MinIO Client ` command line tool built in for container-level debugging. - However, to regularly interact with a container MinIO install, :ref:`install the MinIO Client ` on your computer and define an :mc:`alias ` to the container instead. - -Use of MinIO images from any other repository, host, or organization is at your own risk. - -The :ref:`Single-Node Single-Drive ` and :ref:`Single-Node Multi-Drive ` tutorials provide instructions for the `Docker `__ and :podman-docs:`Podman <>` container managers. - -.. 
toctree:: - :titlesonly: - :hidden: - - /operations/install-deploy-manage/deploy-minio-single-node-single-drive - /operations/install-deploy-manage/deploy-minio-single-node-multi-drive diff --git a/source/includes/container/quickstart.rst b/source/includes/container/quickstart.rst deleted file mode 100644 index 64ad306a7..000000000 --- a/source/includes/container/quickstart.rst +++ /dev/null 
@@ -1,383 +0,0 @@ -.. _quickstart-container: - -========================= -Quickstart for Containers -========================= - -.. default-domain:: minio - -.. container:: extlinks-video - - - `Installing and Running MinIO on Docker: Overview `__ - - `Installing and Running MinIO on Docker: Installation Lab `__ - - `Object Storage Essentials `__ - - - `How to Connect to MinIO with JavaScript `__ - -.. |OS| replace:: Docker or Podman - -This procedure deploys a :ref:`Single-Node Single-Drive ` MinIO server onto |OS| for early development and evaluation of MinIO Object Storage and its S3-compatible API layer. - -For instructions on deploying to production environments, see :ref:`deploy-minio-distributed`. - -Prerequisites -------------- - -- `Podman `_ or `Docker `_ installed. -- Read, write, and delete access to the folder or drive used for the persistent volume. - -Procedure ---------- - -#. Start the container - - Select a container type to view instructions to create the container. - Instructions are available for either GNU/Linux and MacOS or for Windows. - - .. dropdown:: Podman (Rootfull or Rootless) - :name: podman-root-rootless - - These steps work for both rootfull and rootless containers. - - .. tab-set:: - - .. tab-item:: GNU/Linux or MacOS - - .. code-block:: shell - :class: copyable - - mkdir -p ~/minio/data - - podman run \ - -p 9000:9000 \ - -p 9001:9001 \ - -v ~/minio/data:/data \ - -e "MINIO_ROOT_USER=ROOTNAME" \ - -e "MINIO_ROOT_PASSWORD=CHANGEME123" \ - quay.io/minio/minio server /data --console-address ":9001" - - The example above works this way: - - - ``podman run`` starts the container. - The process is attached to the terminal session and ends when exiting the terminal. - - ``-p`` binds a local port to a container port. - - ``-v`` sets a file path as a persistent volume location for the container to use. 
- When MinIO writes data to ``/data``, that data mirrors to the local path ``~/minio/data``, allowing it to persist between container restarts. - You can set any file path to which the user has read, write, and delete permissions to use. - - ``-e`` sets the environment variables :envvar:`MINIO_ROOT_USER` and :envvar:`MINIO_ROOT_PASSWORD`, respectively. - These set the :ref:`root user credentials `. - Change the example values to use for your container. - - .. tab-item:: Windows - - .. code-block:: shell - :class: copyable - - podman run \ - -p 9000:9000 \ - -p 9001:9001 \ - -v D:\minio\data:/data \ - -e "MINIO_ROOT_USER=ROOTNAME" \ - -e "MINIO_ROOT_PASSWORD=CHANGEME123" \ - quay.io/minio/minio server /data --console-address ":9001" - - The example above works this way: - - - ``podman run`` starts the container. - - ``-p`` binds a local port to a container port. - - ``-v`` sets a file path as a persistent volume location for the container to use. - When MinIO writes data to ``/data``, that data mirrors to the local path ``D:\minio\data``, allowing it to persist between container restarts. - You can set any file path to which the user has read, write, and delete permissions to use. - - ``-e`` sets the environment variables :envvar:`MINIO_ROOT_USER` and :envvar:`MINIO_ROOT_PASSWORD`, respectively. - These set the :ref:`root user credentials `. - Change the example values to use for your container. - - .. dropdown:: Docker (Rootfull) - :name: docker-rootfull - - .. tab-set:: - - .. tab-item:: GNU/Linux or MacOS - - .. code-block:: shell - :class: copyable - - mkdir -p ~/minio/data - - docker run \ - -p 9000:9000 \ - -p 9001:9001 \ - --name minio \ - -v ~/minio/data:/data \ - -e "MINIO_ROOT_USER=ROOTNAME" \ - -e "MINIO_ROOT_PASSWORD=CHANGEME123" \ - quay.io/minio/minio server /data --console-address ":9001" - - The example above works this way: - - - ``mkdir`` creates a new local directory at ``~/minio/data`` in your home directory. 
- - ``docker run`` starts the MinIO container. - - ``-p`` binds a local port to a container port. - - ``-name`` creates a name for the container. - - ``-v`` sets a file path as a persistent volume location for the container to use. - When MinIO writes data to ``/data``, that data mirrors to the local path ``~/minio/data``, allowing it to persist between container restarts. - You can replace ``~/minio/data`` with another local file location to which the user has read, write, and delete access. - - ``-e`` sets the environment variables :envvar:`MINIO_ROOT_USER` and :envvar:`MINIO_ROOT_PASSWORD`, respectively. - These set the :ref:`root user credentials `. - Change the example values to use for your container. - - .. tab-item:: Windows - - .. code-block:: shell - :class: copyable - - docker run \ - -p 9000:9000 \ - -p 9001:9001 \ - --name minio1 \ - -v D:\minio\data:/data \ - -e "MINIO_ROOT_USER=ROOTUSER" \ - -e "MINIO_ROOT_PASSWORD=CHANGEME123" \ - quay.io/minio/minio server /data --console-address ":9001" - - The example above works this way: - - - ``docker run`` starts the MinIO container. - - ``-p`` binds a local port to a container port. - - ``-v`` sets a file path as a persistent volume location for the container to use. - When MinIO writes data to ``/data``, that data mirrors to the local path ``D:\minio\data``, allowing it to persist between container restarts. - You can replace ``D:\minio\data`` with another local file location to which the user has read, write, and delete access. - - ``-e`` sets the environment variables :envvar:`MINIO_ROOT_USER` and :envvar:`MINIO_ROOT_PASSWORD`, respectively. - These set the :ref:`root user credentials `. - Change the example values to use for your container. - - .. dropdown:: Docker (Rootless) - :name: docker-rootless - - .. tab-set:: - - .. tab-item:: GNU/Linux or MacOS - - .. 
code-block:: shell - :class: copyable - - mkdir -p ${HOME}/minio/data - - docker run \ - -p 9000:9000 \ - -p 9001:9001 \ - --user $(id -u):$(id -g) \ - --name minio1 \ - -e "MINIO_ROOT_USER=ROOTUSER" \ - -e "MINIO_ROOT_PASSWORD=CHANGEME123" \ - -v ${HOME}/minio/data:/data \ - quay.io/minio/minio server /data --console-address ":9001" - - The example above works this way: - - - ``mkdir`` creates a new local directory at ``~/minio/data`` in your home directory. - - ``docker run`` starts the MinIO container. - - ``-p`` binds a local port to a container port. - - ``-user`` sets the username for the container to the policies for the current user and user group. - - ``-name`` creates a name for the container. - - ``-v`` sets a file path as a persistent volume location for the container to use. - When MinIO writes data to ``/data``, that data actually writes to the local path ``~/minio/data`` where it can persist between container restarts. - You can replace ``${HOME}/minio/data`` with another location in the user's home directory to which the user has read, write, and delete access. - - ``-e`` sets the environment variables :envvar:`MINIO_ROOT_USER` and :envvar:`MINIO_ROOT_PASSWORD`, respectively. - These set the :ref:`root user credentials `. - Change the example values to use for your container. - - .. tab-item:: Windows - - Prerequisite: - - - Windows `Group Managed Service Account `_ already defined. - - .. code-block:: shell - :class: copyable - - docker run \ - -p 9000:9000 \ - -p 9001:9001 \ - --name minio1 \ - --security-opt "credentialspec=file://path/to/file.json" - -e "MINIO_ROOT_USER=ROOTUSER" \ - -e "MINIO_ROOT_PASSWORD=CHANGEME123" \ - -v D:\data:/data \ - quay.io/minio/minio server /data --console-address ":9001" - - The example above works this way: - - - ``docker run`` starts the MinIO container. - - ``-p`` binds a local port to a container port. - - ``-name`` creates a name for the container. 
- - ``--security-opt`` grants access to the container via a ``credentialspec`` file for a `Group Managed Service Account (gMSA) `_ - - ``-v`` sets a file path as a persistent volume location for the container to use. - When MinIO writes data to ``/data``, that data actually writes to the local path ``D:\data`` where it can persist between container restarts. - You can replace ``D:\data`` with another local file location to which the user has read, write, and delete access. - - ``-e`` sets the environment variables :envvar:`MINIO_ROOT_USER` and :envvar:`MINIO_ROOT_PASSWORD`, respectively. - These set the :ref:`root user credentials `. - Change the example values to use for your container. - -#. Connect your Browser to the MinIO Server - - Access the :ref:`minio-console` by going to a browser and going to ``http://127.0.0.1:9000`` or one of the Console addresses specified in the :mc:`minio server` command's output. - For example, :guilabel:`Console: http://192.0.2.10:9001 http://127.0.0.1:9001` in the example output indicates two possible addresses to use for connecting to the Console. - - While port ``9000`` is used for connecting to the API, MinIO automatically redirects browser access to the MinIO Console. - - Log in to the Console with the credentials you defined in the :envvar:`MINIO_ROOT_USER` and :envvar:`MINIO_ROOT_PASSWORD` environment variables. - - .. image:: /images/minio-console/console-login.png - :width: 600px - :alt: MinIO Console displaying login screen - :align: center - - You can use the MinIO Console for general administration tasks like Identity and Access Management, Metrics and Log Monitoring, or Server Configuration. - Each MinIO server includes its own embedded MinIO Console. - - .. image:: /images/minio-console/minio-console.png - :width: 600px - :alt: MinIO Console displaying bucket start screen - :align: center - - For more information, see the :ref:`minio-console` documentation. - -#. 
`(Optional)` Install the MinIO Client - - The :ref:`MinIO Client ` allows you to work with your MinIO volume from the commandline. - - Select your operating system for instructions. - - .. dropdown:: GNU/Linux - - The :ref:`MinIO Client ` allows you to work with your MinIO server from the commandline. - - Download the :mc:`mc` client and install it to a location on your system ``PATH`` such as - ``/usr/local/bin``. You can alternatively run the binary from the download location. - - .. code-block:: shell - :class: copyable - - wget https://dl.min.io/client/mc/release/linux-amd64/mc - chmod +x mc - sudo mv mc /usr/local/bin/mc - - Use :mc:`mc alias set` to create a new alias associated to your local deployment. - You can run :mc:`mc` commands against this alias: - - .. code-block:: shell - :class: copyable - - mc alias set local http://127.0.0.1:9000 {MINIO_ROOT_USER} {MINIO_ROOT_PASSWORD} - mc admin info local - - Replace ``{MINIO_ROOT_USER}`` and ``{MINIO_ROOT_PASSWORD}`` with the credentials you defined for the container with the ``-e`` flags. - - The :mc:`mc alias set` takes four arguments: - - - The name of the alias - - The hostname or IP address and port of the MinIO server - - The Access Key for a MinIO :ref:`user ` - - The Secret Key for a MinIO :ref:`user ` - - For additional details about this command, see :ref:`alias`. - - .. dropdown:: MacOS - - The :ref:`MinIO Client ` allows you to work with your MinIO volume from the commandline. - - .. tab-set:: - - .. tab-item:: Homebrew - - Run the following command to install the latest stable MinIO Client package using `Homebrew `_. - - .. code-block:: shell - :class: copyable - - brew install minio/stable/mc - - .. tab-item:: Binary (arm64) - - Run the following commands to install the latest stable MinIO Client package using a binary package for Apple chips. - - .. 
code-block:: shell - :class: copyable - - curl -O https://dl.min.io/client/mc/release/darwin-arm64/mc - chmod +x mc - sudo mv mc /usr/local/bin/mc - - .. tab-item:: Binary (amd64) - - Run the following commands to install the latest stable MinIO Client package using a binary package for Intel chips. - - .. code-block:: shell - :class: copyable - - curl -O https://dl.min.io/client/mc/release/darwin-amd64/mc - chmod +x mc - sudo mv mc /usr/local/bin/mc - - Use :mc:`mc alias set` to quickly authenticate and connect to the MinIO deployment. - - .. code-block:: shell - :class: copyable - - mc alias set local http://127.0.0.1:9000 {MINIO_ROOT_USER} {MINIO_ROOT_PASSWORD} - mc admin info local - - Replace ``{MINIO_ROOT_USER}`` and ``{MINIO_ROOT_PASSWORD}`` with the credentials you defined for the container with the ``-e`` flags. - - The :mc:`mc alias set` takes four arguments: - - - The name of the alias - - The hostname or IP address and port of the MinIO server - - The Access Key for a MinIO :ref:`user ` - - The Secret Key for a MinIO :ref:`user ` - - For additional details about this command, see :ref:`alias`. - - .. dropdown:: Windows - - Download the standalone MinIO server for Windows from the following link: - - https://dl.min.io/client/mc/release/windows-amd64/mc.exe - - Double click on the file to run it. - Or, run the following in the Command Prompt or PowerShell. - - .. code-block:: - :class: copyable - - \path\to\mc.exe --help - - Use :mc:`mc alias set` to quickly authenticate and connect to the MinIO deployment. - - .. code-block:: shell - :class: copyable - - mc.exe alias set local http://127.0.0.1:9000 {MINIO_ROOT_USER} {MINIO_ROOT_PASSWORD} - mc.exe admin info local - - Replace ``{MINIO_ROOT_USER}`` and ``{MINIO_ROOT_PASSWORD}`` with the credentials you defined for the container with the ``-e`` flags. 
- - The :mc:`mc alias set` takes four arguments: - - - The name of the alias - - The hostname or IP address and port of the MinIO server - - The Access Key for a MinIO :ref:`user ` - - The Secret Key for a MinIO :ref:`user ` - - For additional details about this command, see :ref:`alias`. - -.. rst-class:: section-next-steps - -Next Steps ----------- - -- :ref:`Connect your applications to MinIO ` -- :ref:`Configure Object Retention ` -- :ref:`Configure Security ` -- :ref:`Deploy MinIO in a Distributed Environment ` diff --git a/source/includes/container/steps-configure-keycloak-identity-management.rst b/source/includes/container/steps-configure-keycloak-identity-management.rst deleted file mode 100644 index 712d81918..000000000 --- a/source/includes/container/steps-configure-keycloak-identity-management.rst +++ /dev/null 
@@ -1,142 +0,0 @@
-.. |KEYCLOAK_URL| replace:: localhost:8080
-.. |MINIO_S3_URL| replace:: localhost:9000
-.. |MINIO_CONSOLE_URL| replace:: localhost:9001
-
-1) Create the Podman Pod
-~~~~~~~~~~~~~~~~~~~~~~~~
-
-Create a Podman Pod to deploy the Keycloak and MinIO containers in a Pod with shared networking.
-This ensures both containers can communicate normally.
-
-.. code-block:: shell
- :class: copyable
-
- podman pod create \
- -p 9000:9000 -p 9001:9001 -p 8080:8080 \
- -v ~/minio-keycloak/minio:/mnt/minio \
- -n minio-keycloak
-
-Replace ``~/minio-keycloak/minio`` with a path to an empty folder in which the MinIO container stores data.
-
-You can alternatively deploy the Containers as Root to allow access to the host network for the purpose of inter-container networking.
-
-Deploying via Docker Compose is out of scope for this tutorial.
-
-2) Start the Keycloak Container
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Follow the instructions for running `Keycloak in a container `__.
-The `Try Keycloak in development mode `__ steps are sufficient for this procedure.
-
-.. code-block:: shell
- :class: copyable
-
- podman run -dt \
- --name keycloak \
- --pod minio-keycloak \
- -e KEYCLOAK_ADMIN=keycloakadmin \
- -e KEYCLOAK_ADMIN_PASSWORD=keycloakadmin123 \
- quay.io/keycloak/keycloak:latest start-dev
-
-Go to ``localhost:8080`` to access the Keycloak container.
-
-3) Configure or Create a Client for Accessing Keycloak
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Authenticate to the Keycloak :guilabel:`Administrative Console` and navigate to :guilabel:`Clients`.
-
-.. include:: /includes/common/common-configure-keycloak-identity-management.rst
- :start-after: start-configure-keycloak-client
- :end-before: end-configure-keycloak-client
-
-4) Create Client Scope for MinIO Client
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Client scopes allow Keycloak to map user attributes as part of the JSON Web Token (JWT) returned in authentication requests.
-This allows MinIO to reference those attributes when assigning policies to the user.
-This step creates the necessary client scope to support MinIO authorization after successful Keycloak authentication.
-
-.. include:: /includes/common/common-configure-keycloak-identity-management.rst
- :start-after: start-configure-keycloak-client-scope
- :end-before: end-configure-keycloak-client-scope
-
-5) Apply the Necessary Attribute to Keycloak Users/Groups
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-You must assign an attribute named ``policy`` to the Keycloak Users or Groups.
-Set the value to any :ref:`policy ` on the MinIO deployment.
-
-.. include:: /includes/common/common-configure-keycloak-identity-management.rst
- :start-after: start-configure-keycloak-user-group-attributes
- :end-before: end-configure-keycloak-user-group-attributes
-
-6) Start the MinIO Container
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-The following command starts the MinIO Container and attaches it to the ``minio-keycloak`` pod.
-
-.. code-block:: shell
- :class: copyable
-
- podman run -dt \
- --name minio-server \
- --pod minio-keycloak \
- quay.io/minio/minio:RELEASE.2023-02-22T18-23-45Z server /mnt/data --console-address :9001
-
-Go to ``localhost:9001`` to access the MinIO Console.
-Log in using the default credentials ``minioadmin:minioadmin``.
-
-7) Configure MinIO for Keycloak Authentication
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-MinIO supports multiple methods for configuring Keycloak authentication:
-
-- Using the MinIO Console
-- Using a terminal/shell and the :mc:`mc idp openid` command
-- Using environment variables set prior to starting MinIO
-
-.. tab-set::
-
- .. tab-item:: MinIO Console
-
- .. include:: /includes/common/common-configure-keycloak-identity-management.rst
- :start-after: start-configure-keycloak-minio-console
- :end-before: end-configure-keycloak-minio-console
-
- .. tab-item:: CLI
-
- .. include:: /includes/common/common-configure-keycloak-identity-management.rst
- :start-after: start-configure-keycloak-minio-cli
- :end-before: end-configure-keycloak-minio-cli
-
- .. tab-item:: Environment Variables
-
- .. include:: /includes/common/common-configure-keycloak-identity-management.rst
- :start-after: start-configure-keycloak-minio-envvar
- :end-before: end-configure-keycloak-minio-envvar
-
-
-You must restart the MinIO deployment for the changes to apply.
-
-Check the :ref:`MinIO server logs ` and verify that startup succeeded with no errors related to the Keycloak configuration.
-
-If you attempt to log in with the Console, you should now see an (SSO) button using the configured :guilabel:`Display Name`.
-
-Specify a configured user and attempt to log in.
-MinIO should automatically redirect you to the Keycloak login entry.
-Upon successful authentication, Keycloak should redirect you back to the MinIO Console.
-
-8) Generate Application Credentials using the Security Token Service (STS)
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-.. include:: /includes/common/common-configure-keycloak-identity-management.rst
- :start-after: start-configure-keycloak-sts
- :end-before: end-configure-keycloak-sts
-
-Next Steps
-~~~~~~~~~~~~~
-
-Applications should implement the :ref:`STS ` flow using their :ref:`SDK ` of choice.
-When STS credentials expire, applications should have logic in place to regenerate the JWT token, STS token, and MinIO credentials before retrying and continuing operations.
-
-Alternatively, users can generate :ref:`access keys ` through the MinIO Console for the purpose of creating long-lived API-key like access using their Keycloak credentials.
diff --git a/source/includes/container/steps-configure-minio-kes-hashicorp.rst b/source/includes/container/steps-configure-minio-kes-hashicorp.rst
deleted file mode 100644
index 630272db5..000000000
--- a/source/includes/container/steps-configure-minio-kes-hashicorp.rst
+++ /dev/null
@@ -1,121 +0,0 @@
-Deploy MinIO and KES with Server-Side Encryption
-------------------------------------------------
-
-Prior to starting these steps, create the following folders:
-
-.. code-block:: shell
- :class: copyable
- :substitutions:
-
- mkdir -P |kescertpath|
- mkdir -P |kesconfigpath|
- mkdir -P |miniodatapath|
-
-For Windows hosts, substitute the paths with Windows-style paths, e.g. ``C:\minio-kes-vault\``.
-
-
-Prerequisite
-~~~~~~~~~~~~
-
-Depending on your chosen :kes-docs:`supported KMS target <#supported-kms-targets>` configuration, you may need to pass the ``kes-server.cert`` as a trusted Certificate Authority (CA).
-Defer to the client documentation for instructions on trusting a third-party CA.
-
-1) Create the KES and MinIO Configurations
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-a. Create the KES Configuration File
-
- Create the configuration file using your preferred text editor.
- The following example uses ``nano``:
-
- .. code-block:: shell
- :substitutions:
-
- nano |kesconfigpath|/kes-config.yaml
-
- .. include:: /includes/common/common-minio-kes-hashicorp.rst
- :start-after: start-kes-configuration-hashicorp-vault-desc
- :end-before: end-kes-configuration-hashicorp-vault-desc
-
- - Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
-
- The following command computes the necessary hash:
-
- .. code-block:: shell
- :class: copyable
- :substitutions:
-
- podman run --rm \
- -v |kescertpath|/certs:/certs \
- kes:|kes-stable| tool identity of /certs/minio-kes.cert
-
- - Refer to the instructions for setting up KES for your :kes-docs:`supported KMS solution <#kes-supported-targets>` for additional variables to define specific to your chosen KMS target.
-
-b. Create the MinIO Environment File
-
- Create the environment file using your preferred text editor.
- The following example uses ``nano``:
-
- .. code-block:: shell
- :substitutions:
-
- nano |minioconfigpath|/minio
-
- .. include:: /includes/container/common-minio-kes.rst
- :start-after: start-kes-configuration-minio-desc
- :end-before: end-kes-configuration-minio-desc
-
-2) Create Pod and Containers
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-.. include:: /includes/container/common-minio-kes.rst
- :start-after: start-common-deploy-create-pod-and-containers
- :end-before: end-common-deploy-create-pod-and-containers
-
-3) Generate a New Encryption Key
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-.. include:: /includes/container/common-minio-kes.rst
- :start-after: start-kes-generate-key-desc
- :end-before: end-kes-generate-key-desc
-
-4) Enable SSE-KMS for a Bucket
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-You can use either the MinIO Console or the MinIO :mc:`mc` CLI to enable bucket-default SSE-KMS with the generated key:
-
-.. tab-set::
-
- .. tab-item:: MinIO Console
-
- Open the MinIO Console by navigating to http://127.0.0.1:9001 in your preferred browser and logging in with the root credentials specified to the MinIO container.
-
- Once logged in, create a new Bucket and name it to your preference.
- Select the Gear :octicon:`gear` icon to open the management view.
-
- Select the pencil :octicon:`pencil` icon next to the :guilabel:`Encryption` field to open the modal for configuring a bucket default SSE scheme.
-
- Select :guilabel:`SSE-KMS`, then enter the name of the key created in the previous step.
-
- Once you save your changes, try to upload a file to the bucket.
- When viewing that file in the object browser, note that in the sidebar the metadata includes the SSE encryption scheme and information on the key used to encrypt that object.
- This indicates the successful encrypted state of the object.
-
- .. tab-item:: MinIO CLI
-
- The following commands:
-
- - Create a new :ref:`alias ` for the MinIO deployment
- - Create a new bucket for storing encrypted data
- - Enable SSE-KMS encryption on that bucket
-
- .. code-block:: shell
- :class: copyable
-
- mc alias set local http://127.0.0.1:9000 ROOTUSER ROOTPASSWORD
-
- mc mb local/encryptedbucket
- mc encrypt set SSE-KMS encrypted-bucket-key ALIAS/encryptedbucket
-
- Write a file to the bucket using :mc:`mc cp` or any S3-compatible SDK with a ``PutObject`` function.
- You can then run :mc:`mc stat` on the file to confirm the associated encryption metadata.
diff --git a/source/includes/container/steps-deploy-minio-single-node-multi-drive.rst b/source/includes/container/steps-deploy-minio-single-node-multi-drive.rst
deleted file mode 100644
index 7483b690b..000000000
--- a/source/includes/container/steps-deploy-minio-single-node-multi-drive.rst
+++ /dev/null
@@ -1,162 +0,0 @@ -1) Pull the Latest Stable Image of MinIO -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. include:: /includes/container/common-deploy.rst - :start-after: start-common-deploy-pull-latest-minio-image - :end-before: end-common-deploy-pull-latest-minio-image - -2) Create the Environment Variable File -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. include:: /includes/common/common-deploy.rst - :start-after: start-common-deploy-create-environment-file-multi-drive - :end-before: end-common-deploy-create-environment-file-multi-drive - -.. include:: /includes/common/common-deploy.rst - :start-after: start-common-deploy-create-unique-root-credentials - :end-before: end-common-deploy-create-unique-root-credentials - -3) Create and Run the Container -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Select the container management interface of your choice for the relevant command syntax. - -.. tab-set:: - - .. tab-item:: Podman - - Copy the command to a text file for further modification. - - .. code-block:: shell - :class: copyable - - podman run -dt \ - -p 9000:9000 -p 9001:9001 \ - -v PATH1:/data-1 \ - -v PATH2:/data-2 \ - -v PATH3:/data-3 \ - -v PATH4:/data-4 \ - -v /etc/default/minio:/etc/config.env \ - -e "MINIO_CONFIG_ENV_FILE=/etc/config.env" \ - --name "minio_local" \ - minio server --console-address ":9001" - - Specify any other :podman-docs:`options ` to ``podman run`` as necessary for your local environment. - - .. tab-item:: Docker - - Copy the command to a text file for further modification. - - .. code-block:: shell - :class: copyable - - docker run -dt \ - -p 9000:9000 -p 9001:9001 \ - -v PATH1:/data-1 \ - -v PATH2:/data-2 \ - -v PATH3:/data-3 \ - -v PATH4:/data-4 \ - -v /etc/default/minio:/etc/config.env \ - -e "MINIO_CONFIG_ENV_FILE=/etc/config.env" \ - --name "minio_local" \ - minio server --console-address ":9001" - - Specify any other `options `__ to ``docker run`` as necessary for your local environment. 
- - For running Docker in Rootless mode, you may need to set the following additional Docker CLI options: - - Linux - ``--user $(id -u):$(id -g)`` - directs the container to run as the currently logged in user. - - Windows - ``--security-opt "credentialspec=file://path/to/file.json"`` - directs the container to run using a Windows `Group Managed Service Account `_. - -The following table describes each line of the command and provides additional configuration instructions: - -.. list-table:: - :header-rows: 1 - :widths: 40 60 - :width: 100% - - * - Line - - Description - - * - | ``podman run -dt`` - | ``docker run -dt`` - - - Directs Podman/Docker to create and start the container as a detached (``-d``) background process with a pseudo-TTY (``-t``). - This allows the container to run in the background with an open TTY for bash-like access. - - * - ``-p 9000:9000 -p 9001:9001`` - - Binds the ports ``9000`` and ``9090`` on the local machine to the same ports on the container. - This allows access to the container through the local machine. - - * - ``-v PATHx:/mnt/data-x`` - - Binds the storage volume ``PATH`` on the local machine to the ``/mnt/data-x`` path on the container. - Replace this value with the full path to each sequential storage volume or folder on the local machine. - For example: - - Linux or MacOS - ``/mnt/data-1/`` - - Windows - ``D:\data\`` - - Include additional ``-v`` parameters such that one mount exists for each drive specified to the :envvar:`MINIO_VOLUMES` value in the environment file. - - * - ``-v /etc/default/minio:/etc/config.env`` - - Mounts the environment file created in the previous step to the ``/etc/config.env`` path on the Container. - For Windows hosts, specify the Windows-style path ``-v C:\minio\config:/etc/config.env``. - - The MinIO Server uses this environment file for configuration. 
- - * - ``-e "MINIO_CONFIG_ENV_FILE=/etc/config.env"`` - - Sets a MinIO environment variable pointing to the container-mounted path of the environment file. - - * - ``--name "minio_local"`` - - Sets a custom name for the container. - Omit this value to allow Podman/Docker to automatically generate a container name. - You can replace this value to best reflect your requirements. - - * - ``minio server --console-address ":9001"`` - - Starts the MinIO server using the ``minio:minio`` image pulled from an earlier step. - The :mc-cmd:`minio server --console-address ":9001" ` option directs the server to set a static port for the MinIO Console Web Interface. - This option is *required* for containerized environments. - - If you modify this value, ensure you set the proper port mapping using the ``-p`` flag to Podman/Docker to ensure traffic forwarding between the local host and the container. - -4) Validate the Container Status -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. include:: /includes/container/common-deploy.rst - :start-after: start-common-deploy-validate-container-status - :end-before: end-common-deploy-validate-container-status - -.. code-block:: none - - Status: 1 Online, 0 Offline. - API: http://10.0.2.100:9000 http://127.0.0.1:9000 - RootUser: myminioadmin - RootPass: minio-secret-key-change-me - Console: http://10.0.2.100:9001 http://127.0.0.1:9001 - RootUser: myminioadmin - RootPass: minio-secret-key-change-me - - Command-line: https://min.io/docs/minio/linux/reference/minio-mc.html - $ mc alias set myminio http://10.0.2.100:9000 myminioadmin minio-secret-key-change-me - - Documentation: https://min.io/docs/minio/container/index.html - -.. admonition:: Container Networks May Not Be Accessible Outside of the Host - - The ``API`` and ``CONSOLE`` blocks may include the network interfaces for the container. - Clients outside of the container network cannot access the MinIO API or Console using these addresses. 
- - External access requires using a network address for the container host machine and assumes the host firewall allows access to the related ports (``9000`` and ``9090`` in the examples). - -5) Connect to the MinIO Service -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. include:: /includes/container/common-deploy.rst - :start-after: start-common-deploy-connect-to-minio-service - :end-before: end-common-deploy-connect-to-minio-service diff --git a/source/includes/container/steps-deploy-minio-single-node-single-drive.rst b/source/includes/container/steps-deploy-minio-single-node-single-drive.rst deleted file mode 100644 index 21a69ce11..000000000 --- a/source/includes/container/steps-deploy-minio-single-node-single-drive.rst +++ /dev/null 
@@ -1,156 +0,0 @@ -1) Pull the Latest Stable Image of MinIO -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. include:: /includes/container/common-deploy.rst - :start-after: start-common-deploy-pull-latest-minio-image - :end-before: end-common-deploy-pull-latest-minio-image - -2) Create the Environment Variable File -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. include:: /includes/common/common-deploy.rst - :start-after: start-common-deploy-create-environment-file-single-drive - :end-before: end-common-deploy-create-environment-file-single-drive - -.. include:: /includes/common/common-deploy.rst - :start-after: start-common-deploy-create-unique-root-credentials - :end-before: end-common-deploy-create-unique-root-credentials - -3) Create and Run the Container -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Select the container management interface of your choice for the relevant command syntax. - -.. tab-set:: - - .. tab-item:: Podman - - Copy the command to a text file for further modification. - - .. code-block:: shell - :class: copyable - - podman run -dt \ - -p 9000:9000 -p 9001:9001 \ - -v PATH:/mnt/data \ - -v /etc/default/minio:/etc/config.env \ - -e "MINIO_CONFIG_ENV_FILE=/etc/config.env" \ - --name "minio_local" \ - minio server --console-address ":9001" - - Specify any other :podman-docs:`options ` to ``podman run`` as necessary for your local environment. - - .. tab-item:: Docker - - Copy the command to a text file for further modification. - - .. code-block:: shell - :class: copyable - - docker run -dt \ - -p 9000:9000 -p 9001:9001 \ - -v PATH:/mnt/data \ - -v /etc/default/minio:/etc/config.env \ - -e "MINIO_CONFIG_ENV_FILE=/etc/config.env" \ - --name "minio_local" \ - minio server --console-address ":9001" - - Specify any other `options `__ to ``docker run`` as necessary for your local environment. 
- - For running Docker in Rootless mode, you may need to set the following additional Docker CLI options: - - Linux - ``--user $(id -u):$(id -g)`` - directs the container to run as the currently logged in user. - - Windows - ``--security-opt "credentialspec=file://path/to/file.json"`` - directs the container to run using a Windows `Group Managed Service Account `_. - -The following table describes each line of the command and provides additional configuration instructions: - -.. list-table:: - :header-rows: 1 - :widths: 40 60 - :width: 100% - - * - Line - - Description - - * - | ``podman run -dt`` - | ``docker run -dt`` - - Directs Podman/Docker to create and start the container as a detached (``-d``) background process with a pseudo-TTY (``-t``). - This allows the container to run in the background with an open TTY for bash-like access. - - * - ``-p 9000:9000 -p 9001:9001`` - - Binds the ports ``9000`` and ``9090`` on the local machine to the same ports on the container. - This allows access to the container through the local machine. - - * - ``-v PATH:/data/minio`` - - Binds the storage volume ``PATH`` on the local machine to the ``/data`` path on the container. - Replace this value with the full path to a storage volume or folder on the local machine. - For example: - - Linux or macOS - ``~/minio/data/`` - - Windows - ``C:\minio\data`` - - * - ``-v /etc/default/minio:/etc/config.env`` - - Mounts the environment file created in the previous step to the ``/etc/config.env`` path on the Container. - For Windows hosts, specify the Windows-style path ``-v C:\minio\config:/etc/config.env``. - - The MinIO Server uses this environment file for configuration. - - * - ``-e "MINIO_CONFIG_ENV_FILE=/etc/config.env"`` - - Sets a MinIO environment variable pointing to the container-mounted path of the environment file. - - * - ``--name "minio_local"`` - - Sets a custom name for the container. - Omit this value to allow Podman/Docker to automatically generate a container name. 
- You can replace this value to best reflect your requirements. - - * - ``minio server --console-address ":9001"`` - - Starts the MinIO server using the ``minio:minio`` image pulled from an earlier step. - The :mc-cmd:`minio server --console-address ":9001" ` option directs the server to set a static port for the MinIO Console Web Interface. - This option is *required* for containerized environments. - - If you modify this value, ensure you set the proper port mapping using the ``-p`` flag to Podman/Docker to ensure traffic forwarding between the local host and the container. - -Once you have applied any further customizations to the command, run it in your preferred terminal or shell environment. -The command should return a unique ID for the created container. - -4) Validate the Container Status -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. include:: /includes/container/common-deploy.rst - :start-after: start-common-deploy-validate-container-status - :end-before: end-common-deploy-validate-container-status - -.. code-block:: shell - - Status: 1 Online, 0 Offline. - API: http://10.0.2.100:9000 http://127.0.0.1:9000 - RootUser: myminioadmin - RootPass: minio-secret-key-change-me - Console: http://10.0.2.100:9001 http://127.0.0.1:9001 - RootUser: myminioadmin - RootPass: minio-secret-key-change-me - - Command-line: https://min.io/docs/minio/linux/reference/minio-mc.html - $ mc alias set myminio http://10.0.2.100:9000 myminioadmin minio-secret-key-change-me - - Documentation: https://min.io/docs/minio/container/index.html - -.. admonition:: Container Networks May Not Be Accessible Outside of the Host - - The ``API`` and ``CONSOLE`` blocks may include the network interfaces for the container. - Clients outside of the container network cannot access the MinIO API or Console using these addresses. 
- - External access requires using a network address for the container host machine and assumes the host firewall allows access to the related ports (``9000`` and ``9090`` in the examples). - -5) Connect to the MinIO Service -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. include:: /includes/container/common-deploy.rst - :start-after: start-common-deploy-connect-to-minio-service - :end-before: end-common-deploy-connect-to-minio-service diff --git a/source/includes/container/steps-upgrade-minio-deployment.rst b/source/includes/container/steps-upgrade-minio-deployment.rst deleted file mode 100644 index 9d09e4a4a..000000000 --- a/source/includes/container/steps-upgrade-minio-deployment.rst +++ /dev/null 
@@ -1,142 +0,0 @@ -MinIO uses an update-then-restart methodology for upgrading a deployment to a newer release: - -1. Update the container MinIO image with the newer release. -2. Restart the container. - -This procedure does not require taking downtime and is non-disruptive to ongoing operations. - -Considerations --------------- - -Upgrades Are Non-Disruptive -~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -MinIO's upgrade-then-restart procedure does *not* require taking downtime or scheduling a maintenance period. -MinIO restarts are fast, such that restarting all server processes in parallel typically completes in a few seconds. -MinIO operations are atomic and strictly consistent, such that applications using MinIO or S3 SDKs can rely on the built-in :aws-docs:`transparent retry ` without further client-side logic. -This ensures upgrades are non-disruptive to ongoing operations. - -Check Release Notes -~~~~~~~~~~~~~~~~~~~ - -MinIO publishes :minio-git:`Release Notes ` for your reference as part of identifying the changes applied in each release. -Review the associated release notes between your current MinIO version and the newer release so you have a complete view of any changes. - -Pay particular attention to any releases that are *not* backwards compatible. -You cannot trivially downgrade from any such release. - -Procedure ---------- - -You can run the ``podman container inspect`` or ``docker inspect`` command to inspect the container and validate the current container image: - -.. code-block:: shell - :class: copyable - - # For docker, use docker inspect - podman container inspect --format='{{.Config.Image}}' CONTAINER_NAME - -The following output indicates the container was created using the most recent stable image tag: - -.. code-block:: shell - - quay.io/minio/minio:latest - -Use the :ref:`minio-upgrade-latest-tag` steps to upgrade your container. - -The following output indicates the container was created using a specific image tag: - -.. 
code-block:: shell - - quay.io/minio/minio:RELEASE.2023-07-21T21-12-44Z - -Use the :ref:`minio-upgrade-specific-tag` steps to upgrade your container. - -.. _minio-upgrade-latest-tag: - -Upgrade Containers using Latest Image Tag -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -1. Update your image registry - - Pull the latest stable MinIO image for the configured image repository: - - .. code-block:: shell - :class: copyable - - # For docker, use docker pull - podman pull quay.io/minio/minio:latest - -#. Restart the container - - You must restart the container to load the new image binary for use by MinIO: - - .. code-block:: shell - :class: copyable - - # For docker, use docker restart - podman container restart CONTAINER_NAME - -#. Validate the Upgrade - - Use the :mc:`mc admin info` command to check that the MinIO container is online, operational, and reflects the installed MinIO version. - -#. Update MinIO Client - - You should upgrade your :mc:`mc` binary to match or closely follow the MinIO server release. - You can use the :mc:`mc update` command to update the binary to the latest stable release: - - .. code-block:: shell - :class: copyable - - mc update - -.. _minio-upgrade-specific-tag: - -Upgrade Containers using Specific Image Tag -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -1. Update your local image registry - - Pull the desired image you want to use for updating the container. - The following example uses the latest stable version of MinIO: - - .. code-block:: shell - :class: copyable - :substitutions: - - # For docker, use docker pull - podman pull quay.io/minio/minio:|minio-tag| - -#. Modify the container start script or configuration - - Specify the new MinIO tag to the container start script or configuration. - For Docker, this might be the Compose file used to start MinIO. - For Podman, this might be a YAML file used to create the container or pod. - - Ensure the ``image: `` matches the newly pulled image tag. - -#. 
Restart or re-create the container - - If you started the container using CLI commands, you may need to completely stop, remove, and re-create the container. - Use a script to perform this procedure to minimize potential downtime. - - For Docker, this might require running ``docker compose restart``. - -#. Validate the Upgrade - - Use the :mc:`mc admin info` command to check that the MinIO container is online, operational, and reflects the installed MinIO version. - -#. Update MinIO Client - - You should upgrade your :mc:`mc` binary to match or closely follow the MinIO server release. - You can use the :mc:`mc update` command to update the binary to the latest stable release: - - .. code-block:: shell - :class: copyable - - mc update - - - - diff --git a/source/includes/eks/deploy-minio-on-elastic-kubernetes-service.rst b/source/includes/eks/deploy-minio-on-elastic-kubernetes-service.rst deleted file mode 100644 index 0fbefc5d9..000000000 --- a/source/includes/eks/deploy-minio-on-elastic-kubernetes-service.rst +++ /dev/null 
@@ -1,58 +0,0 @@ -.. _deploy-operator-eks: - -========================================================== -Deploy MinIO Operator on Amazon Elastic Kubernetes Service -========================================================== - -.. default-domain:: minio - -.. contents:: Table of Contents - :local: - :depth: 1 - -Overview --------- - -:eks-docs:`Amazon® Elastic Kubernetes Service® ` (EKS) is an enterprise-ready Kubernetes container platform with full-stack automated operations to manage hybrid cloud, multi-cloud, and edge deployments. -The MinIO Kubernetes Operator supports deploying MinIO Tenants onto EKS infrastructure using the MinIO Operator Console or by using `kustomize `__ for :minio-git:`YAML-defined deployments `. - -MinIO supports the following methods for installing the MinIO Operator onto your :abbr:`EKS (Elastic Kubernetes Service)` clusters: - -:minio-web:`Through the AWS Marketplace ` - MinIO maintains an `AWS Marketplace listing `__ through which you can register your EKS cluster with |subnet|. - Any tenant you deploy through Marketplace-connected clusters can take advantage of SUBNET registration, including 24/7 direct access to MinIO engineers. - -This page documents deploying the MinIO Operator through the CLI using Kustomize. -For instructions on deploying the MinIO Operator through the AWS Marketplace, see :minio-web:`Deploy MinIO through EKS ` - -This documentation assumes familiarity with all referenced Kubernetes and Elastic Kubernetes Service concepts, utilities, and procedures. -While this documentation *may* provide guidance for configuring or deploying Kubernetes-related or Elastic Kubernetes Service-related resources on a best-effort basis, it is not a replacement for the official :kube-docs:`Kubernetes Documentation <>`. - -Prerequisites -------------- - -Existing EKS Cluster -~~~~~~~~~~~~~~~~~~~~ - -This procedure assumes an existing :abbr:`EKS (Elastic Kubernetes Service)` cluster onto which you can deploy the MinIO Operator. 
- -The Operator by default deploys pods and services with two replicas each and pod anti-affinity. -The GKE cluster should therefore have at least two nodes available for scheduling Operator pods and services. -While these nodes *may* be the same nodes intended for use by MinIO Tenants, co-locating Operator and Tenant pods may increase the risk of service interruptions due to the loss of any one node. - -``kubectl`` Access to the EKS Cluster -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Ensure your host machine has a ``kubectl`` installation compatible with the target EKS cluster. -For guidance on connecting ``kubectl`` to EKS, see :aws-docs:`Creating or updating a kubeconfig file for an Amazon EKS cluster `. - -Your ``kubectl`` configuration must include authentication as a user with the correct permissions. -MinIO provides an example IAM policy for Marketplace-based installations in the MinIO Operator :minio-git:`github repository `. -You can use this policy as a baseline for manual Operator installations. - -Procedure ---------- - -The following steps deploy Operator using Kustomize and a ``kustomization.yaml`` file from the MinIO Operator GitHub repository. - -.. include:: /includes/common/common-install-operator-kustomize.rst diff --git a/source/includes/gke/deploy-minio-on-google-kubernetes-engine.rst b/source/includes/gke/deploy-minio-on-google-kubernetes-engine.rst deleted file mode 100644 index 2a0ecd2d9..000000000 --- a/source/includes/gke/deploy-minio-on-google-kubernetes-engine.rst +++ /dev/null 
@@ -1,56 +0,0 @@ -.. _deploy-operator-gke: - -================================================= -Deploy MinIO Operator on Google Kubernetes Engine -================================================= - -.. default-domain:: minio - -.. contents:: Table of Contents - :local: - :depth: 1 - -Overview --------- - -`Google Kubernetes Engine `__ (GKE) offers a highly automated secure and fully managed Kubernetes platform. -The MinIO Kubernetes Operator supports deploying MinIO Tenants onto GKE infrastructure using the MinIO Operator Console or `kustomize `__ for :minio-git:`YAML-defined deployments `. - -:minio-web:`Through the GKE Marketplace ` - MinIO maintains an `GKE Marketplace listing `__ through which you can register your GKE cluster with |subnet|. - Any MinIO tenant you deploy through Marketplace-connected clusters can take advantage of SUBNET registration, including 24/7 direct access to MinIO engineers. - -Using the MinIO ``kubectl`` Plugin - MinIO provides a ``kubectl`` plugin for installing and managing the MinIO Operator and Tenants through a terminal or shell (CLI) environment. - You can manually register these tenants with |subnet| at any time. - -This page documents deploying the MinIO Operator through the CLI using Kustomize. -For instructions on deploying the MinIO Operator through the GKE Marketplace, see :minio-web:`Deploy MinIO through GKE ` - -This documentation assumes familiarity with all referenced Kubernetes and Google Kubernetes Engine concepts, utilities, and procedures. -While this documentation *may* provide guidance for configuring or deploying Kubernetes-related or Google Kubernetes Engine-related resources on a best-effort basis, it is not a replacement for the official :kube-docs:`Kubernetes Documentation <>`. - -Prerequisites -------------- - -Existing GKE Cluster -~~~~~~~~~~~~~~~~~~~~ - -This procedure assumes an existing :abbr:`GKE (Google Kubernetes Engine)` cluster onto which you can deploy the MinIO Operator. 
- -The Operator by default deploys pods and services with two replicas each and pod anti-affinity. -The GKE cluster should therefore have at least two nodes available for scheduling Operator pods and services. -While these nodes *may* be the same nodes intended for use by MinIO Tenants, co-locating Operator and Tenant pods may increase the risk of service interruptions due to the loss of any one node. - -``kubectl`` Access to the GKE Cluster -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Ensure your host machine has a ``kubectl`` installation compatible with the target GKE cluster. -For guidance on connecting ``kubectl`` to GKE, see :gke-docs:`Install kubectl and configure cluster access `. - -Procedure ---------- - -The following steps deploy Operator using Kustomize and a ``kustomization.yaml`` file from the MinIO Operator GitHub repository. - -.. include:: /includes/common/common-install-operator-kustomize.rst diff --git a/source/includes/k8s/file-transfer-protocol-k8s.rst b/source/includes/k8s/file-transfer-protocol-k8s.rst index 6096eebc5..f4010cb28 100644 --- a/source/includes/k8s/file-transfer-protocol-k8s.rst +++ b/source/includes/k8s/file-transfer-protocol-k8s.rst 
@@ -1,119 +1,51 @@ -.. versionadded:: Operator v5.0.7 - -Overview --------- - -Starting with Operator 5.0.7 and :minio-release:`MinIO Server RELEASE.2023-04-20T17-56-55Z `, you can use the SSH File Transfer Protocol (SFTP) to interact with the objects on a MinIO Operator Tenant deployment. - -SFTP is defined by the Internet Engineering Task Force (IETF) as an extension of SSH 2.0. -It allows file transfer over SSH for use with :ref:`Transport Layer Security (TLS) ` and virtual private network (VPN) applications. - -Enabling SFTP does not affect other MinIO features. - - -Supported Commands -~~~~~~~~~~~~~~~~~~ - -When enabled, MinIO supports the following SFTP operations: - -- ``get`` -- ``put`` -- ``ls`` -- ``mkdir`` -- ``rmdir`` -- ``delete`` - -MinIO does not support either ``append`` or ``rename`` operations. - -MinIO Operator only supports the SFTP file transfer protocol. -Other protocols, such as FTP, are not supported for accessing Tenants. - - -Considerations --------------- - - -Versioning -~~~~~~~~~~ - -SFTP clients can only operate on the :ref:`latest version ` of an object. -Specifically: - -- For read operations, MinIO only returns the latest version of the requested object(s) to the SFTP client. -- For write operations, MinIO applies normal versioning behavior and creates a new object version at the specified namespace. - ``rm`` and ``rmdir`` operations create ``DeleteMarker`` objects. - - -Authentication and Access -~~~~~~~~~~~~~~~~~~~~~~~~~ - -SFTP access requires the same authentication as any other S3 client. -MinIO supports the following authentication providers: - -- :ref:`MinIO IDP ` users and their service accounts -- :ref:`Active Directory/LDAP ` users and their service accounts -- :ref:`OpenID/OIDC ` service accounts -- :ref:`Certificate Key File ` - -:ref:`STS ` credentials **cannot** access buckets or objects over SFTP. 
- -Authenticated users can access buckets and objects based on the :ref:`policies ` assigned to the user or parent user account. - -The SFTP protocol does not require any of the ``admin:*`` :ref:`permissions `. -You may not perform other MinIO admin actions with SFTP. - +#. Enable SFTP for the desired Tenant: -Prerequisites -------------- + Use the following Kubectl command to edit the Tenant YAML configuration: -- MinIO Operator v5.0.7 or later. -- Enable an SFTP port (8022) for the server. -- A port to use for the SFTP commands and a range of ports to allow the SFTP server to request to use for the data transfer. + .. code-block:: yaml + kubectl edit tenants/my-tenant -n my-tenant-ns -Procedure ---------- + Replace ``my-tenant`` and ``my-tenant-ns`` with the desired Tenant and namespace. -#. Enable SFTP for the desired Tenant: + In the ``features:`` section, set the value of ``enableSFTP`` to ``true``: - .. tab-set:: + .. code-block:: yaml - .. tab-item:: Operator Console + spec: + configuration: + name: my-tenant-env-configuration + credsSecret: + name: my-tenant-secret + exposeServices: + console: true + minio: true + features: + enableSFTP: true - - In the Operator Console, click on the Tenant for which to enable SFTP. - - In the :guilabel:`Configuration` tab, toggle :guilabel:`SFTP` to :guilabel:`Enabled`. - - Click :guilabel:`Save`. - - Click :guilabel:`Restart` to restart MinIO and apply your changes. + Kubectl restarts MinIO to apply the change. - .. tab-item:: Kubectl - - Use the following Kubectl command to edit the Tenant YAML configuration: + You may also set ``enableSFTP`` in your `Helm chart `__ or `Kustomize configuration `__ to enable SFTP for newly created Tenants. + - .. code-block:: yaml +#. If needed, configure ingress for the SFTP port according to your local policies. - kubectl edit tenants/my-tenant -n my-tenant-ns +#. Validate the configuration - Replace ``my-tenant`` and ``my-tenant-ns`` with the desired Tenant and namespace. 
+ The following ``kubectl get`` command uses `yq `__ to display the value of ``enableSFTP``, indicating whether SFTP is enabled: - In the ``features:`` section, set the value of ``enableSFTP`` to ``true``: + .. code-block:: console + :class: copyable - .. code-block:: yaml + kubectl get tenants/my-tenant -n my-tenant-ns -o yaml | yq '.spec.features' - spec: - configuration: - name: my-tenant-env-configuration - exposeServices: - console: true - minio: true - features: - enableSFTP: true + Replace ``my-tenant`` and ``my-tenant-ns`` with the desired Tenant and namespace. - Kubectl restarts MinIO to apply the change. + If SFTP is enabled, the output resembles the following: - You may also set ``enableSFTP`` in your `Helm chart `__ or `Kustomize configuration `__ to enable SFTP for newly created Tenants. - + .. code-block:: console -#. If needed, configure ingress for the SFTP port according to your local policies. + enableSFTP: true #. Use your preferred SFTP client to connect to the MinIO deployment. You must connect as a user whose :ref:`policies ` allow access to the desired buckets and objects. 
@@ -121,33 +53,15 @@ Procedure The specifics of connecting to the MinIO deployment depend on your SFTP client. Refer to the documentation for your client. + The following example connects to the MinIO Tenant SFTP server forwarded to the local host system, and lists the contents of a bucket named ``runner``. -Examples --------- - -The following examples use the `SFTP CLI client `__ on a Linux system. + .. code-block:: console -Connect to MinIO Using SFTP -~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The following example connects to an SFTP server, lists the contents of a bucket named ``test-bucket``, and downloads an object. - -.. code-block:: console - - sftp -P 8022 my-access-key@localhost - my-access-key@localhost's password: - Connected to localhost. - sftp> ls - test-bucket - sftp> ls test-bucket - test-bucket/test-file.txt - sftp> get test-bucket/test-file.txt - Fetching /test-bucket/test-file.txt to test-file.txt - test-file.txt 100% 6 1.3KB/s 00:00 - - -Check if SFTP is Enabled for a Tenant -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + > sftp -P 8022 minio@localhost + minio@localhost's password: + Connected to localhost. + sftp> ls runner/ + chunkdocs testdir The following ``kubectl get`` command uses `yq `__ to display the value of ``enableSFTP``, indicating whether SFTP is enabled: 
@@ -164,73 +78,3 @@ If SFTP is enabled, the output resembles the following: enableSFTP: true -.. _minio-certificate-key-file-sftp-k8s: - -Connect to MinIO Using SFTP with a Certificate Key File -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. versionadded:: RELEASE.2024-05-07T06-41-25Z - - -MinIO supports mutual TLS (mTLS) certificate-based authentication on SFTP, where both the server and the client verify the authenticity of each other. - -This type of authentication requires the following: - -1. Public key file for the trusted certificate authority -2. Public key file for the MinIO Server minted and signed by the trusted certificate authority -3. Public key file for the user minted and signed by the trusted certificate authority for the client connecting by SFTP and located in the user's ``.ssh`` folder (or equivalent for the operating system) - -The keys must include a `principals list `__ of the user(s) that can authenticate with the key: - -.. code-block:: console - :class: copyable - - ssh-keygen -s ~/.ssh/ca_user_key -I miniouser -n miniouser -V +1h -z 1 miniouser1.pub - -- ``-s`` specifies the path to the certificate authority public key to use for generating this key. - The specified public key must have a ``principals`` list that includes this user. -- ``-I`` specifies the key identity for the public key. -- ``-n`` creates the ``user principals`` list for which this key is valid. - You must include the user for which this key is valid, and the user must match the username in MinIO. -- ``-V`` limits the duration for which the generated key is valid. - In this example, the key is valid for one hour. - Adjust the duration for your requirements. -- ``-z`` adds a serial number to the key to distinguish this generated public key from other keys signed by the same certificate authority public key. - -MinIO requires specifying the Certificate Authority used to sign the certificates for SFTP access. 
-Start or restart the MinIO Server and specify the path to the trusted certificate authority's public key using an ``--sftp="trusted-user-ca-key=PATH"`` flag: - - .. code-block:: console - :class: copyable - - minio server {path-to-server} --sftp="trusted-user-ca-key=/path/to/.ssh/ca_user_key.pub" {...other flags} - -When connecting to the MinIO Server with SFTP, the client verifies the MinIO Server's certificate. -The client then passes its own certificate to the MinIO Server. -The MinIO Server verifies the key created above by comparing its value to the the known public key from the certificate authority provided at server startup. - -Once the MinIO Server verifies the client's certificate, the user can connect to the MinIO server over SFTP: - -.. code-block:: bash - :class: copyable: - - sftp -P - -Require service account or LDAP for authentication -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -To force authentication to SFTP using LDAP or service account credentials, append a suffix to the username. -Valid suffixes are either ``=ldap`` or ``=svc``. - -.. code-block:: console - - > sftp -P 8022 my-ldap-user=ldap@[minio@localhost]:/bucket - - -.. code-block:: console - - > sftp -P 8022 my-ldap-user=svc@[minio@localhost]:/bucket - - -- Replace ``my-ldap-user`` with the username to use. -- Replace ``[minio@localhost]`` with the address of the MinIO server. \ No newline at end of file diff --git a/source/includes/k8s/steps-configure-ad-ldap-external-identity-management.rst b/source/includes/k8s/steps-configure-ad-ldap-external-identity-management.rst index 7765f01bf..349c2ed05 100644 --- a/source/includes/k8s/steps-configure-ad-ldap-external-identity-management.rst +++ b/source/includes/k8s/steps-configure-ad-ldap-external-identity-management.rst 
@@ -1,126 +1,118 @@ -Deploy MinIO Tenant with Active Directory / LDAP Identity Management --------------------------------------------------------------------- +#. Access the Operator Console -1) Access the Operator Console -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Temporarily forward traffic between the local host machine and the MinIO Operator Console and retrieve the JWT token for your Operator deployment. + For instructions, see :ref:`Configure access to the Operator Console service `. -Temporarily forward traffic between the local host machine and the MinIO Operator Console and retrieve the JWT token for your Operator deployment. -For instructions, see :ref:`Configure access to the Operator Console service `. + Open your browser to the temporary URL and enter the JWT Token into the login page. + You should see the :guilabel:`Tenants` page: -Open your browser to the temporary URL and enter the JWT Token into the login page. -You should see the :guilabel:`Tenants` page: + .. image:: /images/k8s/operator-dashboard.png + :align: center + :width: 70% + :class: no-scaled-link + :alt: MinIO Operator Console -.. image:: /images/k8s/operator-dashboard.png - :align: center - :width: 70% - :class: no-scaled-link - :alt: MinIO Operator Console + To deploy a new MinIO Tenant with AD/LDAP external identity management, select the :guilabel:`+ Create Tenant` button. -Click the :guilabel:`+ Create Tenant` to start creating a MinIO Tenant. + To configure an existing MinIO Tenant with AD/LDAP external identity management select that Tenant from the displayed list. + The following steps reference the necessary sections and configuration settings for existing Tenants. -If you are modifying an existing Tenant, select that Tenant from the list. -The following steps reference the necessary sections and configuration settings for existing Tenants. +#. 
Complete the :guilabel:`Identity Provider` Section -2) Complete the :guilabel:`Identity Provider` Section -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + To enable external identity management with an Active Directory / LDAP provider, select the :guilabel:`Identity Provider` section. + You can then change the radio button to :guilabel:`Active Directory` to display the configuration settings. -To enable external identity management with an Active Directory / LDAP provider, select the :guilabel:`Identity Provider` section. -You can then change the radio button to :guilabel:`Active Directory` to display the configuration settings. + .. image:: /images/k8s/operator-create-tenant-identity-provider-adldap.png + :align: center + :width: 70% + :class: no-scaled-link + :alt: MinIO Operator Console - Create a Tenant - External Identity Provider Section - Active Directory / LDAP -.. image:: /images/k8s/operator-create-tenant-identity-provider-adldap.png - :align: center - :width: 70% - :class: no-scaled-link - :alt: MinIO Operator Console - Create a Tenant - External Identity Provider Section - Active Directory / LDAP + An asterisk ``*`` marks required fields. + The following table provides general guidance for those fields: -An asterisk ``*`` marks required fields. -The following table provides general guidance for those fields: + .. list-table:: + :header-rows: 1 + :widths: 40 60 + :width: 100% -.. list-table:: - :header-rows: 1 - :widths: 40 60 - :width: 100% + * - Field + - Description - * - Field - - Description + * - LDAP Server Address + - The hostname of the Active Directory or LDAP server. - * - LDAP Server Address - - The hostname of the Active Directory or LDAP server. + * - Lookup Bind DN + - The Distinguished Name MinIO uses to authenticate and query the AD/LDAP server. - * - Lookup Bind DN - - The Distinguished Name MinIO uses to authenticate and query the AD/LDAP server. 
+ See :ref:`minio-external-identity-management-ad-ldap-lookup-bind` for more information. - See :ref:`minio-external-identity-management-ad-ldap-lookup-bind` for more information. + * - List of user DNs (Distinguished Names) to be Tenant Administrators + - Specify a user :abbr:`DNs (Distinguished Names)` which MinIO assigns a :ref:`policy ` with administrative permissions for the Tenant. + You can specify multiple :abbr:`DNs (Distinguished Names)` by selecting the plus :octicon:`plus-circle` icon. + You can delete a DN by selecting the trash can :octicon:`trash` icon for that DN. - * - List of user DNs (Distinguished Names) to be Tenant Administrators - - Specify a user :abbr:`DNs (Distinguished Names)` which MinIO assigns a :ref:`policy ` with administrative permissions for the Tenant. - You can specify multiple :abbr:`DNs (Distinguished Names)` by selecting the plus :octicon:`plus-circle` icon. - You can delete a DN by selecting the trash can :octicon:`trash` icon for that DN. + Once you complete the section, you can finish any other required sections of :ref:`Tenant Deployment `. -Once you complete the section, you can finish any other required sections of :ref:`Tenant Deployment `. +#. Assign Policies to AD/LDAP Users -3) Assign Policies to AD/LDAP Users -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + MinIO by default assigns no :ref:`policies ` to AD/LDAP users or groups. + You must explicitly assign MinIO policies to a given user or group Distinguished Name (DN) to grant that user or group access to the MinIO deployment. -MinIO by default assigns no :ref:`policies ` to AD/LDAP users or groups. -You must explicitly assign MinIO policies to a given user or group Distinguished Name (DN) to grant that user or group access to the MinIO deployment. + The following example assumes an existing :ref:`alias ` configured for the MinIO Tenant. -The following example assumes an existing :ref:`alias ` configured for the MinIO Tenant. 
+ Use the :mc:`mc idp ldap policy attach` command to assign a user or group DN to an existing MinIO Policy: -Use the :mc:`mc idp ldap policy attach` command to assign a user or group DN to an existing MinIO Policy: + .. code-block:: shell + :class: copyable -.. code-block:: shell - :class: copyable + mc idp ldap policy attach minio-tenant POLICY --user='uid=primary,cn=applications,dc=domain,dc=com' + mc idp ldap policy attach minio-tenant POLICY --group='cn=applications,ou=groups,dc=domain,dc=com' - mc idp ldap policy attach minio-tenant POLICY --user='uid=primary,cn=applications,dc=domain,dc=com' - mc idp ldap policy attach minio-tenant POLICY --group='cn=applications,ou=groups,dc=domain,dc=com' + Replace ``POLICY`` with the name of the MinIO policy to assign to the user or group DN. -Replace ``POLICY`` with the name of the MinIO policy to assign to the user or group DN. + See :ref:`minio-external-identity-management-ad-ldap-access-control` for more information on access control with AD/LDAP users and groups. -See :ref:`minio-external-identity-management-ad-ldap-access-control` for more information on access control with AD/LDAP users and groups. +#. Use the MinIO Tenant Console to Log In with AD/LDAP Credential -4) Use the MinIO Tenant Console to Log In with AD/LDAP Credentials -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + The MinIO Console supports the full workflow of authenticating to the AD/LDAP provider, generating temporary credentials using the MinIO :ref:`minio-sts-assumerolewithldapidentity` Security Token Service (STS) endpoint, and logging the user into the MinIO deployment. -The MinIO Console supports the full workflow of authenticating to the AD/LDAP provider, generating temporary credentials using the MinIO :ref:`minio-sts-assumerolewithldapidentity` Security Token Service (STS) endpoint, and logging the user into the MinIO deployment. 
+ See :ref:`Deploy MinIO Tenant: Connect to the Tenant ` for additonal information about accessing the Tenant Console. -See :ref:`Deploy MinIO Tenant: Connect to the Tenant ` for additonal information about accessing the Tenant Console. + If the AD/LDAP configuration succeeded, the Console displays a button to login with AD/LDAP credentials. -If the AD/LDAP configuration succeeded, the Console displays a button to login with AD/LDAP credentials. + Enter the user's AD/LDAP credentials and log in to access the Console. -Enter the user's AD/LDAP credentials and log in to access the Console. + Once logged in, you can perform any action for which the authenticated user is :ref:`authorized `. -Once logged in, you can perform any action for which the authenticated user is :ref:`authorized `. + You can also create :ref:`access keys ` for supporting applications which must perform operations on MinIO. + Access Keys are long-lived credentials which inherit their privileges from the parent user. + The parent user can further restrict those privileges while creating the access keys. -You can also create :ref:`access keys ` for supporting applications which must perform operations on MinIO. -Access Keys are long-lived credentials which inherit their privileges from the parent user. -The parent user can further restrict those privileges while creating the access keys. +#. Generate S3-Compatible Temporary Credentials using AD/LDAP Credentials -5) Generate S3-Compatible Temporary Credentials using AD/LDAP Credentials -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Applications can use an AD/LDAP user credential to generate temporary S3-compatible credentials as-needed using the :ref:`minio-sts-assumerolewithldapidentity` Security Token Service (STS) API endpoint. + MinIO provides an example Go application :minio-git:`ldap.go ` with an example of managing this workflow. 
-Applications can use an AD/LDAP user credential to generate temporary S3-compatible credentials as-needed using the :ref:`minio-sts-assumerolewithldapidentity` Security Token Service (STS) API endpoint. -MinIO provides an example Go application :minio-git:`ldap.go ` with an example of managing this workflow. + .. code-block:: shell -.. code-block:: shell + POST https://minio.example.net?Action=AssumeRoleWithLDAPIdentity + &LDAPUsername=USERNAME + &LDAPPassword=PASSWORD + &Version=2011-06-15 + &Policy={} - POST https://minio.example.net?Action=AssumeRoleWithLDAPIdentity - &LDAPUsername=USERNAME - &LDAPPassword=PASSWORD - &Version=2011-06-15 - &Policy={} + - Replace ``minio.example.net`` with the hostname or URL for the MinIO Tenant service. -- Replace ``minio.example.net`` with the hostname or URL for the MinIO Tenant service. + - Replace the ``LDAPUsername`` with the username of the AD/LDAP user. -- Replace the ``LDAPUsername`` with the username of the AD/LDAP user. + - Replace the ``LDAPPassword`` with the password of the AD/LDAP user. -- Replace the ``LDAPPassword`` with the password of the AD/LDAP user. + - Replace the ``Policy`` with an inline URL-encoded JSON :ref:`policy ` that further restricts the permissions associated to the temporary credentials. -- Replace the ``Policy`` with an inline URL-encoded JSON :ref:`policy ` that further restricts the permissions associated to the temporary credentials. + Omit to use the :ref:`policy whose name matches ` the Distinguished Name (DN) of the AD/LDAP user. - Omit to use the :ref:`policy whose name matches ` the Distinguished Name (DN) of the AD/LDAP user. + The API response consists of an XML document containing the access key, secret key, session token, and expiration date. + Applications can use the access key and secret key to access and perform operations on MinIO. -The API response consists of an XML document containing the access key, secret key, session token, and expiration date. 
-Applications can use the access key and secret key to access and perform operations on MinIO. - -See the :ref:`minio-sts-assumerolewithldapidentity` for reference documentation. + See the :ref:`minio-sts-assumerolewithldapidentity` for reference documentation. diff --git a/source/includes/k8s/steps-configure-keycloak-identity-management.rst b/source/includes/k8s/steps-configure-keycloak-identity-management.rst index bbe349297..41b82f042 100644 --- a/source/includes/k8s/steps-configure-keycloak-identity-management.rst +++ b/source/includes/k8s/steps-configure-keycloak-identity-management.rst 
@@ -2,92 +2,86 @@ .. |MINIO_S3_URL| replace:: minio.minio-tenant.svc.cluster-domain.example .. |MINIO_CONSOLE_URL| replace:: minio-console.minio-tenant.svc.cluster-domain.example -1) Configure or Create a Client for Accessing Keycloak -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +#. Configure or Create a Client for Accessing Keycloak -Authenticate to the Keycloak :guilabel:`Administrative Console` and navigate to :guilabel:`Clients`. + Authenticate to the Keycloak :guilabel:`Administrative Console` and navigate to :guilabel:`Clients`. -.. include:: /includes/common/common-configure-keycloak-identity-management.rst - :start-after: start-configure-keycloak-client - :end-before: end-configure-keycloak-client + .. include:: /includes/common/common-configure-keycloak-identity-management.rst + :start-after: start-configure-keycloak-client + :end-before: end-configure-keycloak-client -2) Create Client Scope for MinIO Client -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +#. Create Client Scope for MinIO Client -Client scopes allow Keycloak to map user attributes as part of the JSON Web Token (JWT) returned in authentication requests. -This allows MinIO to reference those attributes when assigning policies to the user. -This step creates the necessary client scope to support MinIO authorization after successful Keycloak authentication. + Client scopes allow Keycloak to map user attributes as part of the JSON Web Token (JWT) returned in authentication requests. + This allows MinIO to reference those attributes when assigning policies to the user. + This step creates the necessary client scope to support MinIO authorization after successful Keycloak authentication. -.. include:: /includes/common/common-configure-keycloak-identity-management.rst - :start-after: start-configure-keycloak-client-scope - :end-before: end-configure-keycloak-client-scope + .. 
include:: /includes/common/common-configure-keycloak-identity-management.rst + :start-after: start-configure-keycloak-client-scope + :end-before: end-configure-keycloak-client-scope -3) Apply the Necessary Attribute to Keycloak Users/Groups -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +#. Apply the Necessary Attribute to Keycloak Users/Groups -You must assign an attribute named ``policy`` to the Keycloak Users or Groups. -Set the value to any :ref:`policy ` on the MinIO deployment. + You must assign an attribute named ``policy`` to the Keycloak Users or Groups. + Set the value to any :ref:`policy ` on the MinIO deployment. -.. include:: /includes/common/common-configure-keycloak-identity-management.rst - :start-after: start-configure-keycloak-user-group-attributes - :end-before: end-configure-keycloak-user-group-attributes + .. include:: /includes/common/common-configure-keycloak-identity-management.rst + :start-after: start-configure-keycloak-user-group-attributes + :end-before: end-configure-keycloak-user-group-attributes -4) Configure MinIO for Keycloak Authentication -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +#. Configure MinIO for Keycloak Authentication -MinIO supports multiple methods for configuring Keycloak authentication: + MinIO supports multiple methods for configuring Keycloak authentication: -- Using the MinIO Tenant Console -- Using a terminal/shell and the :mc:`mc idp openid` command + - Using the MinIO Tenant Console + - Using a terminal/shell and the :mc:`mc idp openid` command -.. tab-set:: + .. tab-set:: - .. tab-item:: MinIO Tenant Console + .. tab-item:: MinIO Tenant Console - You can use the MinIO Tenant Console to configure Keycloak as the External Identity Provider for the MinIO Tenant. + You can use the MinIO Tenant Console to configure Keycloak as the External Identity Provider for the MinIO Tenant. - Access the Console service using the NodePort, Ingress, or Load Balancer endpoint. 
- You can use the following command to review the Console configuration: + Access the Console service using the NodePort, Ingress, or Load Balancer endpoint. + You can use the following command to review the Console configuration: - .. code-block:: shell - :class: copyable + .. code-block:: shell + :class: copyable - kubectl describe svc/TENANT_NAME-console -n TENANT_NAMESPACE + kubectl describe svc/TENANT_NAME-console -n TENANT_NAMESPACE - Replace ``TENANT_NAME`` and ``TENANT_NAMESPACE`` with the name of the MinIO Tenant and it's Namespace, respectively. + Replace ``TENANT_NAME`` and ``TENANT_NAMESPACE`` with the name of the MinIO Tenant and it's Namespace, respectively. - .. include:: /includes/common/common-configure-keycloak-identity-management.rst - :start-after: start-configure-keycloak-minio-console - :end-before: end-configure-keycloak-minio-console + .. include:: /includes/common/common-configure-keycloak-identity-management.rst + :start-after: start-configure-keycloak-minio-console + :end-before: end-configure-keycloak-minio-console - Select :guilabel:`Save` to apply the configuration. + Select :guilabel:`Save` to apply the configuration. - .. tab-item:: CLI + .. tab-item:: CLI - .. include:: /includes/common/common-configure-keycloak-identity-management.rst - :start-after: start-configure-keycloak-minio-cli - :end-before: end-configure-keycloak-minio-cli + .. include:: /includes/common/common-configure-keycloak-identity-management.rst + :start-after: start-configure-keycloak-minio-cli + :end-before: end-configure-keycloak-minio-cli -Restart the MinIO deployment for the changes to apply. + Restart the MinIO deployment for the changes to apply. -Check the MinIO logs and verify that startup succeeded with no errors related to the OIDC configuration. + Check the MinIO logs and verify that startup succeeded with no errors related to the OIDC configuration. 
-If you attempt to log in with the Console, you should now see an (SSO) button using the configured :guilabel:`Display Name`. + If you attempt to log in with the Console, you should now see an (SSO) button using the configured :guilabel:`Display Name`. -Specify a configured user and attempt to log in. -MinIO should automatically redirect you to the Keycloak login entry. -Upon successful authentication, Keycloak should redirect you back to the MinIO Console using either the originating Console URL *or* the :guilabel:`Redirect URI` if configured. + Specify a configured user and attempt to log in. + MinIO should automatically redirect you to the Keycloak login entry. + Upon successful authentication, Keycloak should redirect you back to the MinIO Console using either the originating Console URL *or* the :guilabel:`Redirect URI` if configured. -5) Generate Application Credentials using the Security Token Service (STS) -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +#. Generate Application Credentials using the Security Token Service (STS) + .. include:: /includes/common/common-configure-keycloak-identity-management.rst + :start-after: start-configure-keycloak-sts + :end-before: end-configure-keycloak-sts -.. include:: /includes/common/common-configure-keycloak-identity-management.rst - :start-after: start-configure-keycloak-sts - :end-before: end-configure-keycloak-sts +#. Next Steps -Next Steps -~~~~~~~~~~ Applications should implement the :ref:`STS AssumeRoleWithWebIdentity ` flow using their :ref:`SDK ` of choice. When STS credentials expire, applications should have logic in place to regenerate the JWT token, STS token, and MinIO credentials before retrying and continuing operations. diff --git a/source/includes/k8s/steps-configure-minio-kes-hashicorp.rst b/source/includes/k8s/steps-configure-minio-kes-hashicorp.rst index e1f94c989..f105fe96f 100644 --- a/source/includes/k8s/steps-configure-minio-kes-hashicorp.rst 
+++ b/source/includes/k8s/steps-configure-minio-kes-hashicorp.rst 
@@ -1,53 +1,41 @@ -Deploy MinIO Tenant with Server-Side Encryption ------------------------------------------------ +#. Review the Tenant CRD -1) Access the Operator Console -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Review the :ref:`Tenant CRD ` ``TenantSpec.kes`` object, the ``TenantSpec.configuration`` object, and the :minio-docs:`KES Configuration reference`. -Temporarily forward traffic between the local host machine and the MinIO Operator Console and retrieve the JWT token for your Operator deployment. -For instructions, see :ref:`Configure access to the Operator Console service `. + You must prepare all necessary configurations associated to your external Key Management Service of choice before proceeding. -Open your browser to the temporary URL and enter the JWT Token into the login page. -You should see the :guilabel:`Tenants` page: +#. Create or Modify your Tenant YAML to set the values of ``KesConfig`` as necessary: -.. image:: /images/k8s/operator-dashboard.png - :align: center - :width: 70% - :class: no-scaled-link - :alt: MinIO Operator Console + You must modify your Tenant YAML or ``Kustomize`` templates to reflect the necessary KES configuration. + The following example is taken from the :minio-git:`MinIO Operator Kustomize examples ` -Click the :guilabel:`+ Create Tenant` to start creating a MinIO Tenant. + .. code-block:: yaml -2) Complete the :guilabel:`Encryption` Section -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + kes: + image: "" # minio/kes:2024-06-17T15-47-05Z + env: [ ] + replicas: 2 + kesSecret: + name: kes-configuration + imagePullPolicy: "IfNotPresent" -Reference the :ref:`Deploy a MinIO Tenant ` procedure for complete documentation of other Tenant settings. + The ``kes-configuration`` secret must reference a Kubernetes Opaque Secret which contains a ``stringData`` object with the full KES configuration as ``server-config.yaml``. 
+ The ``keystore`` field must contain the full configuration associated with your preferred Key Management System. -To enable |SSE| with a :kes-docs:`supported KMS target <#supported-kms-targets>` during Tenant deployment, select the :guilabel:`Encryption` section and toggle the switch to :guilabel:`Enabled`. -You can then select the Radio button for the chosen KMS provider to display configuration settings for that provider. + Reference :minio-git:`the Kustomize example ` for additional guidance. -.. image:: /images/k8s/operator-create-tenant-encryption.png - :align: center - :width: 70% - :class: no-scaled-link - :alt: MinIO Operator Console - Create a Tenant - Encryption Section +#. Create or Modify your Tenant YAML to set the values of ``TenantSpec.configuration`` as necessary. -An asterisk ``*`` marks required fields. + TODO -Refer to the Configuration References section of the tutorial for your chosen :kes-docs:`supported KMS target <#supported-kms-targets>` for more information on the configuration options for your KMS. +#. Generate a New Encryption Key -Once you have completed the configuration, you can finish any remaining sections of :ref:`Tenant Deployment `. + .. include:: /includes/k8s/common-minio-kes.rst + :start-after: start-kes-generate-key-desc + :end-before: end-kes-generate-key-desc -3) Generate a New Encryption Key -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +#. Enable SSE-KMS for a Bucket -.. include:: /includes/k8s/common-minio-kes.rst - :start-after: start-kes-generate-key-desc - :end-before: end-kes-generate-key-desc - -4) Enable SSE-KMS for a Bucket -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. include:: /includes/k8s/common-minio-kes.rst - :start-after: start-kes-enable-sse-kms-desc - :end-before: end-kes-enable-sse-kms-desc + .. include:: /includes/k8s/common-minio-kes.rst + :start-after: start-kes-enable-sse-kms-desc + :end-before: end-kes-enable-sse-kms-desc 
diff --git a/source/includes/k8s/steps-configure-openid-external-identity-management.rst b/source/includes/k8s/steps-configure-openid-external-identity-management.rst
index 6363a05c9..23f33da4b 100644
--- a/source/includes/k8s/steps-configure-openid-external-identity-management.rst
+++ b/source/includes/k8s/steps-configure-openid-external-identity-management.rst
@@ -1,148 +1,140 @@ -Deploy MinIO Tenant with OpenID Connect Identity Management ------------------------------------------------------------ +1. Access the Operator Console -1) Access the Operator Console -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Temporarily forward traffic between the local host machine and the MinIO Operator Console and retrieve the JWT token for your Operator deployment. + For instructions, see :ref:`Configure access to the Operator Console service `. -Temporarily forward traffic between the local host machine and the MinIO Operator Console and retrieve the JWT token for your Operator deployment. -For instructions, see :ref:`Configure access to the Operator Console service `. + Open your browser to the temporary URL and enter the JWT Token into the login page. + You should see the :guilabel:`Tenants` page: -Open your browser to the temporary URL and enter the JWT Token into the login page. -You should see the :guilabel:`Tenants` page: + .. image:: /images/k8s/operator-dashboard.png + :align: center + :width: 70% + :class: no-scaled-link + :alt: MinIO Operator Console -.. image:: /images/k8s/operator-dashboard.png - :align: center - :width: 70% - :class: no-scaled-link - :alt: MinIO Operator Console + To deploy a new MinIO Tenant with OIDC external identity management, select the :guilabel:`+ Create Tenant` button. -Click the :guilabel:`+ Create Tenant` to start creating a MinIO Tenant. + TO configure an existing MinIO Tenant with OIDC external identity management select that Tenant from the displayed list. + The following steps reference the necessary sections and configuration settings for existing Tenants. -If you are modifying an existing Tenant, select that Tenant from the list. -The following steps reference the necessary sections and configuration settings for existing Tenants. +#. 
Complete the :guilabel:`Identity Provider` Section -2) Complete the :guilabel:`Identity Provider` Section -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + To enable external identity management with an OIDC select the :guilabel:`Identity Provider` section. + You can then change the radio button to :guilabel:`OIDC` to display the configuration settings. -To enable external identity management with an OIDC select the :guilabel:`Identity Provider` section. -You can then change the radio button to :guilabel:`OIDC` to display the configuration settings. + .. image:: /images/k8s/operator-create-tenant-identity-provider-openid.png + :align: center + :width: 70% + :class: no-scaled-link + :alt: MinIO Operator Console - Create a Tenant - External Identity Provider Section - OpenID -.. image:: /images/k8s/operator-create-tenant-identity-provider-openid.png - :align: center - :width: 70% - :class: no-scaled-link - :alt: MinIO Operator Console - Create a Tenant - External Identity Provider Section - OpenID + An asterisk ``*`` marks required fields. + The following table provides general guidance for those fields: -An asterisk ``*`` marks required fields. -The following table provides general guidance for those fields: + .. list-table:: + :header-rows: 1 + :widths: 40 60 + :width: 100% -.. list-table:: - :header-rows: 1 - :widths: 40 60 - :width: 100% + * - Field + - Description - * - Field - - Description + * - Configuration URL + - The hostname of the OpenID ``.well-known/openid-configuration`` file. - * - Configuration URL - - The hostname of the OpenID ``.well-known/openid-configuration`` file. + * - | Client ID + | Secret ID + - The Client and Secret ID MinIO uses when authenticating OIDC user credentials against OIDC service. - * - | Client ID - | Secret ID - - The Client and Secret ID MinIO uses when authenticating OIDC user credentials against OIDC service. 
+ * - Claim Name + - The OIDC Claim MinIO uses for identifying the :ref:`policies ` to attach to the authenticated user. - * - Claim Name - - The OIDC Claim MinIO uses for identifying the :ref:`policies ` to attach to the authenticated user. + Once you complete the section, you can finish any other required sections of :ref:`Tenant Deployment `. -Once you complete the section, you can finish any other required sections of :ref:`Tenant Deployment `. +#. Assign Policies to OIDC Users -3) Assign Policies to OIDC Users -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + MinIO by default assigns no :ref:`policies ` to OIDC users. + MinIO uses the specified user Claim to identify one or more policies to attach to the authenticated user. + If the Claim is empty or specifies policies which do not exist on the deployment, the authenticated user has no permissions on the Tenant. -MinIO by default assigns no :ref:`policies ` to OIDC users. -MinIO uses the specified user Claim to identify one or more policies to attach to the authenticated user. -If the Claim is empty or specifies policies which do not exist on the deployment, the authenticated user has no permissions on the Tenant. + The following example assumes an existing :ref:`alias ` configured for the MinIO Tenant. -The following example assumes an existing :ref:`alias ` configured for the MinIO Tenant. + Consider the following example policy that grants general S3 API access on only the ``data`` bucket: -Consider the following example policy that grants general S3 API access on only the ``data`` bucket: + .. code-block:: json + :class: copyable -.. 
code-block:: json - :class: copyable + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:*" + ], + "Resource": [ + "arn:aws:s3:::data", + "arn:aws:s3:::data/*" + ] + } + ] + } - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "s3:*" - ], - "Resource": [ - "arn:aws:s3:::data", - "arn:aws:s3:::data/*" - ] - } - ] - } + Use the :mc:`mc admin policy create` command to create a policy for use by an OIDC user: -Use the :mc:`mc admin policy create` command to create a policy for use by an OIDC user: + .. code-block:: shell + :class: copyable -.. code-block:: shell - :class: copyable + mc admin policy create minio-tenant datareadonly /path/to/datareadonly.json - mc admin policy create minio-tenant datareadonly /path/to/datareadonly.json + MinIO attaches the ``datareadonly`` policy to any authenticated OIDC user with ``datareadonly`` included in the configured claim. -MinIO attaches the ``datareadonly`` policy to any authenticated OIDC user with ``datareadonly`` included in the configured claim. + See :ref:`minio-external-identity-management-openid-access-control` for more information on access control with OIDC users and groups. -See :ref:`minio-external-identity-management-openid-access-control` for more information on access control with OIDC users and groups. +#. Use the MinIO Tenant Console to Log In with OIDC Credentials -4) Use the MinIO Tenant Console to Log In with OIDC Credentials -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + The MinIO Console supports the full workflow of authenticating to the OIDC provider, generating temporary credentials using the MinIO :ref:`minio-sts-assumerolewithldapidentity` Security Token Service (STS) endpoint, and logging the user into the MinIO deployment. 
-The MinIO Console supports the full workflow of authenticating to the OIDC provider, generating temporary credentials using the MinIO :ref:`minio-sts-assumerolewithldapidentity` Security Token Service (STS) endpoint, and logging the user into the MinIO deployment. + See :ref:`Deploy MinIO Tenant: Connect to the Tenant ` for additonal information about accessing the Tenant Console. -See :ref:`Deploy MinIO Tenant: Connect to the Tenant ` for additonal information about accessing the Tenant Console. + If the OIDC configuration succeeded, the Console displays a button to login with OIDC credentials. -If the OIDC configuration succeeded, the Console displays a button to login with OIDC credentials. + Enter the user's OIDC credentials and log in to access the Console. -Enter the user's OIDC credentials and log in to access the Console. + Once logged in, you can perform any action for which the authenticated user is :ref:`authorized `. -Once logged in, you can perform any action for which the authenticated user is :ref:`authorized `. + You can also create :ref:`access keys ` for supporting applications which must perform operations on MinIO. + Access Keys are long-lived credentials which inherit their privileges from the parent user. + The parent user can further restrict those privileges while creating the access keys. -You can also create :ref:`access keys ` for supporting applications which must perform operations on MinIO. -Access Keys are long-lived credentials which inherit their privileges from the parent user. -The parent user can further restrict those privileges while creating the access keys. +#. 
Generate S3-Compatible Temporary Credentials using OIDC Credentials -5) Generate S3-Compatible Temporary Credentials using OIDC Credentials -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Applications can generate temporary access credentials as-needed using the :ref:`minio-sts-assumerolewithwebidentity` Security Token Service (STS) API endpoint and the JSON Web Token (JWT) returned by the :abbr:`OIDC (OpenID Connect)` provider. -Applications can generate temporary access credentials as-needed using the :ref:`minio-sts-assumerolewithwebidentity` Security Token Service (STS) API endpoint and the JSON Web Token (JWT) returned by the :abbr:`OIDC (OpenID Connect)` provider. + The application must provide a workflow for logging into the :abbr:`OIDC (OpenID Connect)` provider and retrieving the JSON Web Token (JWT) associated to the authentication session. + Defer to the provider documentation for obtaining and parsing the JWT token after successful authentication. + MinIO provides an example Go application :minio-git:`web-identity.go ` with an example of managing this workflow. -The application must provide a workflow for logging into the :abbr:`OIDC (OpenID Connect)` provider and retrieving the JSON Web Token (JWT) associated to the authentication session. -Defer to the provider documentation for obtaining and parsing the JWT token after successful authentication. -MinIO provides an example Go application :minio-git:`web-identity.go ` with an example of managing this workflow. + Once the application retrieves the JWT token, use the ``AssumeRoleWithWebIdentity`` endpoint to generate the temporary credentials: -Once the application retrieves the JWT token, use the ``AssumeRoleWithWebIdentity`` endpoint to generate the temporary credentials: + .. code-block:: shell + :class: copyable -.. 
code-block:: shell - :class: copyable + POST https://minio.example.net?Action=AssumeRoleWithWebIdentity + &WebIdentityToken=TOKEN + &Version=2011-06-15 + &DurationSeconds=86400 + &Policy=Policy - POST https://minio.example.net?Action=AssumeRoleWithWebIdentity - &WebIdentityToken=TOKEN - &Version=2011-06-15 - &DurationSeconds=86400 - &Policy=Policy + - Replace ``minio.example.net`` with the hostname or URL of the MinIO Tenant service. + - Replace the ``TOKEN`` with the JWT token returned in the previous step. + - Replace the ``DurationSeconds`` with the duration in seconds until the temporary credentials expire. The example above specifies a period of ``86400`` seconds, or 24 hours. + - Replace the ``Policy`` with an inline URL-encoded JSON :ref:`policy ` that further restricts the permissions associated to the temporary credentials. -- Replace ``minio.example.net`` with the hostname or URL of the MinIO Tenant service. -- Replace the ``TOKEN`` with the JWT token returned in the previous step. -- Replace the ``DurationSeconds`` with the duration in seconds until the temporary credentials expire. The example above specifies a period of ``86400`` seconds, or 24 hours. -- Replace the ``Policy`` with an inline URL-encoded JSON :ref:`policy ` that further restricts the permissions associated to the temporary credentials. + Omit to use the policy associated to the OpenID user :ref:`policy claim `. - Omit to use the policy associated to the OpenID user :ref:`policy claim `. + The API response consists of an XML document containing the access key, secret key, session token, and expiration date. + Applications can use the access key and secret key to access and perform operations on MinIO. -The API response consists of an XML document containing the access key, secret key, session token, and expiration date. -Applications can use the access key and secret key to access and perform operations on MinIO. 
-
-See the :ref:`minio-sts-assumerolewithwebidentity` for reference documentation.
+ See the :ref:`minio-sts-assumerolewithwebidentity` for reference documentation.
diff --git a/source/includes/linux/file-transfer-protocol-not-k8s.rst b/source/includes/linux/file-transfer-protocol-not-k8s.rst
index 99b3bd5c1..ae165aff5 100644
--- a/source/includes/linux/file-transfer-protocol-not-k8s.rst
+++ b/source/includes/linux/file-transfer-protocol-not-k8s.rst
@@ -1,123 +1,49 @@ -.. versionadded:: MinIO RELEASE.2023-04-20T17-56-55Z - -Overview --------- - -Starting with :minio-release:`MinIO Server RELEASE.2023-04-20T17-56-55Z `, you can use the File Transfer Protocol (FTP) or SSH File Transfer Protocol (SFTP) to interact with the objects on a MinIO deployment. - -You must specifically enable FTP or SFTP when starting the server. -Enabling either server type does not affect other MinIO features. - -This page uses the abbreviation FTP throughout, but you can use any of the supported FTP protocols described below. - -Supported Protocols -~~~~~~~~~~~~~~~~~~~ - -When enabled, MinIO supports FTP access over the following protocols: - -- SSH File Transfer Protocol (SFTP) - - SFTP is defined by the Internet Engineering Task Force (IETF) as an extension of SSH 2.0. - SFTP allows file transfer over SSH for use with :ref:`Transport Layer Security (TLS) ` and virtual private network (VPN) applications. - - Your FTP client must support SFTP. - -- File Transfer Protocol over SSL/TLS (FTPS) - - FTPS allows for encrypted FTP communication with TLS certificates over the standard FTP communication channel. - FTPS should not be confused with SFTP, as FTPS does not communicate over a Secure Shell (SSH). - - Your FTP client must support FTPS. - -- File Transfer Protocol (FTP) - - Unencrypted file transfer. - - MinIO does **not** recommend using unencrypted FTP for file transfer. - -.. admonition:: MinIO Operator Tenants only support SFTP - :class: note - - MinIO Tenants deployed with Operator only support SFTP. - For details, see `File Transfer Protocol for Tenants `__. - - -Supported Commands -~~~~~~~~~~~~~~~~~~ - -When enabled, MinIO supports the following FTP operations: - -- ``get`` -- ``put`` -- ``ls`` -- ``mkdir`` -- ``rmdir`` -- ``delete`` - -MinIO does not support either ``append`` or ``rename`` operations. 
- -Considerations --------------- - -Versioning -~~~~~~~~~~ - -SFTP clients can only operate on the :ref:`latest version ` of an object. -Specifically: - -- For read operations, MinIO only returns the latest version of the requested object(s) to the FTP client. -- For write operations, MinIO applies normal versioning behavior and creates a new object version at the specified namespace. - ``delete`` and ``rmdir`` operations create ``DeleteMarker`` objects. - - -Authentication and Access -~~~~~~~~~~~~~~~~~~~~~~~~~ - -FTP access requires the same authentication as any other S3 client. -MinIO supports the following authentication providers: +1. Start MinIO with an FTP and/or SFTP port enabled. -- :ref:`MinIO IDP ` users and their service accounts -- :ref:`Active Directory/LDAP ` users and their service accounts -- :ref:`OpenID/OIDC ` service accounts + .. tab-set:: -:ref:`STS ` credentials **cannot** access buckets or objects over FTP. + .. tab-item:: FTPS + :sync: ftps -Authenticated users can access buckets and objects based on the :ref:`policies ` assigned to the user or parent user account. + The following example starts MinIO with FTPS enabled. -The FTP protocol does not require any of the ``admin:*`` :ref:`permissions `. -The FTP protocols do not support any of the MinIO admin actions. + .. code-block:: shell + :class: copyable -Prerequisites -------------- + minio server http://server{1...4}/disk{1...4} \ + --ftp="address=:8021" \ + --ftp="passive-port-range=30000-40000" \ + --ftp="tls-private-key=path/to/private.key" \ + --ftp="tls-public-cert=path/to/public.crt" \ + ... -- MinIO RELEASE.2023-04-20T17-56-55Z or later. -- Enable an FTP or SFTP port for the server. -- A port to use for the FTP commands and a range of ports to allow the FTP server to request to use for the data transfer. + .. note:: -Procedure ---------- + Omit ``tls-private-key`` and ``tls-public-cert`` to use the MinIO default TLS keys for FTPS. 
+ For more information, see the :ref:`TLS on MinIO documentation `. -1. Start MinIO with an FTP and/or SFTP port enabled. + .. tab-item:: SFTP/FTP + :sync: sftp - .. code-block:: shell - :class: copyable + .. code-block:: shell + :class: copyable - minio server http://server{1...4}/disk{1...4} \ - --ftp="address=:8021" \ - --ftp="passive-port-range=30000-40000" \ - --sftp="address=:8022" \ - --sftp="ssh-private-key=/home/miniouser/.ssh/id_rsa" \ - ... + minio server http://server{1...4}/disk{1...4} \ + --ftp="address=:8021" \ + --ftp="passive-port-range=30000-40000" \ + --sftp="address=:8022" \ + --sftp="ssh-private-key=/home/miniouser/.ssh/id_rsa" \ + ... - See the :mc-cmd:`minio server --ftp` and :mc-cmd:`minio server --sftp` for details on using these flags to start the MinIO service. - To connect to the an FTP port with TLS (FTPS), pass the ``tls-private-key`` and ``tls-public-cert`` keys and values, as well, unless using the MinIO default TLS keys. + See the :mc-cmd:`minio server --ftp` and :mc-cmd:`minio server --sftp` for details on using these flags to start the MinIO service. + To connect to the an FTP port with TLS (FTPS), pass the ``tls-private-key`` and ``tls-public-cert`` keys and values, as well, unless using the MinIO default TLS keys. - The output of the command should return a response that resembles the following: + The output of the command should return a response that resembles the following: - .. code-block:: shell + .. code-block:: shell - MinIO FTP Server listening on :8021 - MinIO SFTP Server listening on :8022 + MinIO FTP Server listening on :8021 + MinIO SFTP Server listening on :8022 2. Use your preferred FTP client to connect to the MinIO deployment. You must connect as a user whose :ref:`policies ` allow access to the desired buckets and objects. 
@@ -127,167 +53,97 @@ Procedure To connect over TLS or through SSH, you must use a client that supports the desired protocol. -Examples --------- - -The following examples use the `FTP CLI client `__ on a Linux system. - - -Connect to MinIO Using FTP -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The following example connects to a server using ``minio`` credentials to list contents in a bucket named ``runner`` - -.. code-block:: shell - - > ftp localhost -P 8021 - Connected to localhost. - 220 Welcome to MinIO FTP Server - Name (localhost:user): minio - 331 User name ok, password required - Password: - 230 Password ok, continue - Remote system type is UNIX. - Using binary mode to transfer files. - ftp> ls runner/ - 229 Entering Extended Passive Mode (|||39155|) - 150 Opening ASCII mode data connection for file list - drwxrwxrwx 1 nobody nobody 0 Jan 1 00:00 chunkdocs/ - drwxrwxrwx 1 nobody nobody 0 Jan 1 00:00 testdir/ - ... - -Start MinIO with FTP over TLS (FTPS) Enabled -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The following example starts MinIO with FTPS enabled. - -.. code-block:: shell - :class: copyable - - minio server http://server{1...4}/disk{1...4} \ - --ftp="address=:8021" \ - --ftp="passive-port-range=30000-40000" \ - --ftp="tls-private-key=path/to/private.key" \ - --ftp="tls-public-cert=path/to/public.crt" \ - ... - -.. note:: - - Omit ``tls-private-key`` and ``tls-public-cert`` to use the MinIO default TLS keys for FTPS. - For more information, see the :ref:`TLS on MinIO documentation `. - -Download an Object over FTP -~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -This example lists items in a bucket, then downloads the contents of the bucket. - -.. code-block:: console - - > ftp localhost -P 8021 - Connected to localhost. - 220 Welcome to MinIO FTP Server - Name (localhost:user): minio - 331 User name ok, password required - Password: - 230 Password ok, continue - Remote system type is UNIX. 
- Using binary mode to transfer files.ftp> ls runner/chunkdocs/metadata - 229 Entering Extended Passive Mode (|||44269|) - 150 Opening ASCII mode data connection for file list - -rwxrwxrwx 1 nobody nobody 45 Apr 1 06:13 chunkdocs/metadata - 226 Closing data connection, sent 75 bytes - ftp> get - (remote-file) runner/chunkdocs/metadata - (local-file) test - local: test remote: runner/chunkdocs/metadata - 229 Entering Extended Passive Mode (|||37785|) - 150 Data transfer starting 45 bytes - 45 3.58 KiB/s - 226 Closing data connection, sent 45 bytes - 45 bytes received in 00:00 (3.55 KiB/s) - ... - -Connect to MinIO Using SFTP -~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The following example connects to an SFTP server, lists the contents of a bucket named ``runner``, and downloads an object. - -.. code-block:: console - - > sftp -P 8022 minio@localhost - minio@localhost's password: - Connected to localhost. - sftp> ls runner/ - chunkdocs testdir - sftp> get runner/chunkdocs/metadata metadata - Fetching /runner/chunkdocs/metadata to metadata - metadata 100% 226 16.6KB/s 00:00 - -Connect to MinIO Using SFTP with a Certificate Key File -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. versionadded:: RELEASE.2024-05-07T06-41-25Z +3. Connect to MinIO + .. tab-set:: -MinIO supports mutual TLS (mTLS) certificate-based authentication on SFTP, where both the server and the client verify the authenticity of each other. + .. tab-item:: SFTP/FTP + :sync: sftp -This type of authentication requires the following: -1. Public key file for the trusted certificate authority -2. Public key file for the MinIO Server minted and signed by the trusted certificate authority -3. 
Public key file for the user minted and signed by the trusted certificate authority for the client connecting by SFTP and located in the user's ``.ssh`` folder (or equivalent for the operating system) - -The keys must include a `principals list `__ of the user(s) that can authenticate with the key: + The following example connects to an SFTP server, and lists the contents of a bucket named ``runner``. -.. code-block:: console - :class: copyable + .. code-block:: console - ssh-keygen -s ~/.ssh/ca_user_key -I miniouser -n miniouser -V +1h -z 1 miniouser1.pub + > sftp -P 8022 minio@localhost + minio@localhost's password: + Connected to localhost. + sftp> ls runner/ + chunkdocs testdir -- ``-s`` specifies the path to the certificate authority public key to use for generating this key. - The specified public key must have a ``principals`` list that includes this user. -- ``-I`` specifies the key identity for the public key. -- ``-n`` creates the ``user principals`` list for which this key is valid. - You must include the user for which this key is valid, and the user must match the username in MinIO. -- ``-V`` limits the duration for which the generated key is valid. - In this example, the key is valid for one hour. - Adjust the duration for your requirements. -- ``-z`` adds a serial number to the key to distinguish this generated public key from other keys signed by the same certificate authority public key. -MinIO requires specifying the Certificate Authority used to sign the certificates for SFTP access. -Start or restart the MinIO Server and specify the path to the trusted certificate authority's public key using an ``--sftp="trusted-user-ca-key=PATH"`` flag: + .. tab-item:: FTPS + :sync: ftps - .. 
code-block:: console - :class: copyable + The following uses the Linux uses the `FTP CLI client `__ to connect to the MinIO server using ``minio`` credentials to list contents in a bucket named ``runner`` - minio server {path-to-server} --sftp="trusted-user-ca-key=/path/to/.ssh/ca_user_key.pub" {...other flags} + .. code-block:: shell -When connecting to the MinIO Server with SFTP, the client verifies the MinIO Server's certificate. -The client then passes its own certificate to the MinIO Server. -The MinIO Server verifies the key created above by comparing its value to the the known public key from the certificate authority provided at server startup. + > ftp localhost -P 8021 + Connected to localhost. + 220 Welcome to MinIO FTP Server + Name (localhost:user): minio + 331 User name ok, password required + Password: + 230 Password ok, continue + Remote system type is UNIX. + Using binary mode to transfer files. + ftp> ls runner/ + 229 Entering Extended Passive Mode (|||39155|) + 150 Opening ASCII mode data connection for file list + drwxrwxrwx 1 nobody nobody 0 Jan 1 00:00 chunkdocs/ + drwxrwxrwx 1 nobody nobody 0 Jan 1 00:00 testdir/ + ... -Once the MinIO Server verifies the client's certificate, the user can connect to the MinIO server over SFTP: -.. code-block:: bash - :class: copyable: - - sftp -P +4. Download an Object -Require service account or LDAP for authentication -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + .. tab-set:: -To force authentication to SFTP using LDAP or service account credentials, append a suffix to the username. -Valid suffixes are either ``=ldap`` or ``=svc``. + .. tab-item:: SFTP/FTP + :sync: sftp -.. code-block:: console + This example lists items in a bucket, then downloads the contents of the bucket. - > sftp -P 8022 my-ldap-user=ldap@[minio@localhost]:/bucket + .. code-block:: console + > sftp -P 8022 minio@localhost + minio@localhost's password: + Connected to localhost. 
+ sftp> ls runner/ + chunkdocs testdir + sftp> get runner/chunkdocs/metadata metadata + Fetching /runner/chunkdocs/metadata to metadata + metadata 100% 226 16.6KB/s 00:00 + sftp> -.. code-block:: console + .. tab-item:: FTPS + :sync: ftps - > sftp -P 8022 my-ldap-user=svc@[minio@localhost]:/bucket + This example lists items in a bucket, then downloads the contents of the bucket. + .. code-block:: console -- Replace ``my-ldap-user`` with the username to use. -- Replace ``[minio@localhost]`` with the address of the MinIO server. + > ftp localhost -P 8021 + Connected to localhost. + 220 Welcome to MinIO FTP Server + Name (localhost:user): minio + 331 User name ok, password required + Password: + 230 Password ok, continue + Remote system type is UNIX. + Using binary mode to transfer files.ftp> ls runner/chunkdocs/metadata + 229 Entering Extended Passive Mode (|||44269|) + 150 Opening ASCII mode data connection for file list + -rwxrwxrwx 1 nobody nobody 45 Apr 1 06:13 chunkdocs/metadata + 226 Closing data connection, sent 75 bytes + ftp> get + (remote-file) runner/chunkdocs/metadata + (local-file) test + local: test remote: runner/chunkdocs/metadata + 229 Entering Extended Passive Mode (|||37785|) + 150 Data transfer starting 45 bytes + 45 3.58 KiB/s + 226 Closing data connection, sent 45 bytes + 45 bytes received in 00:00 (3.55 KiB/s) + ... diff --git a/source/includes/linux/steps-configure-keycloak-identity-management.rst b/source/includes/linux/steps-configure-keycloak-identity-management.rst deleted file mode 100644 index 3fbd07444..000000000 --- a/source/includes/linux/steps-configure-keycloak-identity-management.rst +++ /dev/null 
@@ -1,91 +0,0 @@ -.. |KEYCLOAK_URL| replace:: keycloak-url.example.net:8080 -.. |MINIO_S3_URL| replace:: minio-url.example.net:9000 -.. |MINIO_CONSOLE_URL| replace:: minio-url.example.net:9001 - -1) Configure or Create a Client for Accessing Keycloak -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Authenticate to the Keycloak :guilabel:`Administrative Console` and navigate to :guilabel:`Clients`. - -.. include:: /includes/common/common-configure-keycloak-identity-management.rst - :start-after: start-configure-keycloak-client - :end-before: end-configure-keycloak-client - -2) Create Client Scope for MinIO Client -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Client scopes allow Keycloak to map user attributes as part of the JSON Web Token (JWT) returned in authentication requests. -This allows MinIO to reference those attributes when assigning policies to the user. -This step creates the necessary client scope to support MinIO authorization after successful Keycloak authentication. - -.. include:: /includes/common/common-configure-keycloak-identity-management.rst - :start-after: start-configure-keycloak-client-scope - :end-before: end-configure-keycloak-client-scope - -3) Apply the Necessary Attribute to Keycloak Users/Groups -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -You must assign an attribute named ``policy`` to the Keycloak Users or Groups. -Set the value to any :ref:`policy ` on the MinIO deployment. - -.. include:: /includes/common/common-configure-keycloak-identity-management.rst - :start-after: start-configure-keycloak-user-group-attributes - :end-before: end-configure-keycloak-user-group-attributes - -4) Configure MinIO for Keycloak Authentication -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -MinIO supports multiple methods for configuring Keycloak authentication: - -- Using the MinIO Console -- Using a terminal/shell and the :mc:`mc idp openid` command -- Using environment variables set prior to starting MinIO - -.. 
tab-set:: - - .. tab-item:: MinIO Console - - .. include:: /includes/common/common-configure-keycloak-identity-management.rst - :start-after: start-configure-keycloak-minio-console - :end-before: end-configure-keycloak-minio-console - - .. tab-item:: CLI - - .. include:: /includes/common/common-configure-keycloak-identity-management.rst - :start-after: start-configure-keycloak-minio-cli - :end-before: end-configure-keycloak-minio-cli - - .. tab-item:: Environment Variables - - .. include:: /includes/common/common-configure-keycloak-identity-management.rst - :start-after: start-configure-keycloak-minio-envvar - :end-before: end-configure-keycloak-minio-envvar - -Restart the MinIO deployment for the changes to apply. - -Check the MinIO logs and verify that startup succeeded with no errors related to the OIDC configuration. - -If you attempt to log in with the Console, you should now see an (SSO) button using the configured :guilabel:`Display Name`. - -Specify a configured user and attempt to log in. -MinIO should automatically redirect you to the Keycloak login entry. -Upon successful authentication, Keycloak should redirect you back to the MinIO Console using either the originating Console URL *or* the :guilabel:`Redirect URI` if configured. - -5) Generate Application Credentials using the Security Token Service (STS) -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. include:: /includes/common/common-configure-keycloak-identity-management.rst - :start-after: start-configure-keycloak-sts - :end-before: end-configure-keycloak-sts - -Next Steps -~~~~~~~~~~ - -Applications should implement the :ref:`STS AssumeRoleWithWebIdentity ` flow using their :ref:`SDK ` of choice. -When STS credentials expire, applications should have logic in place to regenerate the JWT token, STS token, and MinIO credentials before retrying and continuing operations. 
-
-Alternatively, users can generate :ref:`access keys ` through the MinIO Console for the purpose of creating long-lived API-key like access using their Keycloak credentials.
-
-
-
-
diff --git a/source/includes/linux/steps-configure-minio-kes-hashicorp.rst b/source/includes/linux/steps-configure-minio-kes-hashicorp.rst
index 32fe355f8..3302f1c9b 100644
--- a/source/includes/linux/steps-configure-minio-kes-hashicorp.rst
+++ b/source/includes/linux/steps-configure-minio-kes-hashicorp.rst
@@ -1,79 +1,53 @@ -Procedure ---------- +#. Generate a KES API Key for use by MinIO -This procedure provides instructions for configuring and enabling Server-Side Encryption using your selected `supported KMS solution `__ in production environments. -Specifically, this procedure assumes the following: + Use the :kes-docs:`kes identity new ` command to generate a new API key for use by the MinIO Server: -- An existing production-grade KMS target -- One or more KES servers connected to the KMS target -- One or more hosts for a new or existing MinIO deployment + .. code-block:: shell + :class: copyable -Prerequisite -~~~~~~~~~~~~ + kes identity new -Depending on your chosen :kes-docs:`supported KMS target <#supported-kms-targets>` configuration, you may need to pass the ``kes-server.cert`` as a trusted Certificate Authority (CA). -Defer to the client documentation for instructions on trusting a third-party CA. + The output includes both the API Key for use with MinIO and the Identity hash for use with the :kes-docs:`KES Policy configuration `. -1) Generate a KES API Key for use by MinIO -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +#. Configure the MinIO Environment File -Starting with KES version :minio-git:`2023-02-15T14-54-37Z `, you can generate an API key to use for authenticating to the KES server. + Create or modify the MinIO Server environment file for all hosts in the target deployment to include the following environment variables: -Use the :kes-docs:`kes identity new ` command to generate a new API key for use by the MinIO Server: + .. include:: /includes/common/common-minio-kes.rst + :start-after: start-kes-configuration-minio-desc + :end-before: end-kes-configuration-minio-desc -.. code-block:: shell - :class: copyable + MinIO defaults to expecting this file at ``/etc/default/minio``. + If you modified your deployment to use a different location for the environment file, modify the file at that location. - kes identity new +#. 
Start MinIO -The output includes both the API Key for use with MinIO and the Identity hash for use with the :kes-docs:`KES Policy configuration `. + .. admonition:: KES Operations Requires Unsealed Vault + :class: important -2) Create the MinIO Configurations -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Depending on your selected KMS solution, you may need to unseal the key instance to allow normal cryptographic operations, including key creation or retrieval. + KES requires an unsealed key target to perform its operations. + + Refer to the :kes-docs:`documentation for your chosen KMS solution <#supported-kms-targets>` for information regarding whether sealing and unsealing the instance is required for operations. -Configure the MinIO Environment File + You must start KES *before* starting MinIO. + The MinIO deployment requires access to KES as part of its startup. -Create or modify the MinIO Server environment file for all hosts in the target deployment to include the following environment variables: + You can use the :mc:`mc admin service restart` command to restart MinIO: -.. include:: /includes/common/common-minio-kes.rst - :start-after: start-kes-configuration-minio-desc - :end-before: end-kes-configuration-minio-desc + .. code-block:: shell + :class: copyable -MinIO defaults to expecting this file at ``/etc/default/minio``. -If you modified your deployment to use a different location for the environment file, modify the file at that location. + mc admin service restart ALIAS -3) Start MinIO -~~~~~~~~~~~~~~ +#. Generate a New Encryption Key -.. admonition:: KES Operations Requires Unsealed Vault - :class: important + .. include:: /includes/common/common-minio-kes.rst + :start-after: start-kes-generate-key-desc + :end-before: end-kes-generate-key-desc - Depending on your selected KMS solution, you may need to unseal the key instance to allow normal cryptographic operations, including key creation or retrieval. 
- KES requires an unsealed key target to perform its operations. - - Refer to the :kes-docs:`documentation for your chosen KMS solution <#supported-kms-targets>` for information regarding whether sealing and unsealing the instance is required for operations. +#. Enable SSE-KMS for a Bucket - You must start KES *before* starting MinIO. - The MinIO deployment requires access to KES as part of its startup. - -This step uses ``systemd`` for starting and managing the MinIO server processes: - -Start the MinIO Server - -.. include:: /includes/linux/common-minio-kes.rst - :start-after: start-kes-minio-start-service-desc - :end-before: end-kes-minio-start-service-desc - -4) Generate a New Encryption Key -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. include:: /includes/common/common-minio-kes.rst - :start-after: start-kes-generate-key-desc - :end-before: end-kes-generate-key-desc - -5) Enable SSE-KMS for a Bucket -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. include:: /includes/common/common-minio-kes.rst - :start-after: start-kes-enable-sse-kms-desc - :end-before: end-kes-enable-sse-kms-desc + .. include:: /includes/common/common-minio-kes.rst + :start-after: start-kes-enable-sse-kms-desc + :end-before: end-kes-enable-sse-kms-desc diff --git a/source/includes/macos/common-installation.rst b/source/includes/macos/common-installation.rst deleted file mode 100644 index 33826c5ca..000000000 --- a/source/includes/macos/common-installation.rst +++ /dev/null 
@@ -1,77 +0,0 @@ -.. start-install-minio-binary-desc - -.. tab-set:: - - .. tab-item:: Homebrew - - Open a Terminal and run the following command to install the latest stable MinIO package using `Homebrew `_. - - .. code-block:: shell - :class: copyable - - brew install minio/stable/minio - - .. important:: - - If you previously installed the MinIO server using ``brew install minio``, then we recommend that you reinstall from ``minio/stable/minio`` instead. - - .. code-block:: shell - :class: copyable - - brew uninstall minio - brew install minio/stable/minio - - .. tab-item:: Binary - arm64 - - Open a Terminal, then use the following commands to download the latest stable MinIO binary, set it to executable, and install it to the system ``$PATH``: - - .. code-block:: shell - :class: copyable - - curl -O https://dl.min.io/server/minio/release/darwin-arm64/minio - chmod +x ./minio - sudo mv ./minio /usr/local/bin/ - - .. tab-item:: Binary - amd64 - - Open a Terminal, then use the following commands to download the latest stable MinIO binary, set it to executable, and install it to the system ``$PATH``: - - .. code-block:: shell - :class: copyable - - curl -O https://dl.min.io/server/minio/release/darwin-amd64/minio - chmod +x ./minio - sudo mv ./minio /usr/local/bin/ - -.. end-install-minio-binary-desc - -.. start-run-minio-binary-desc - -From the Terminal, use the :mc:`minio server` to start a local MinIO instance in the ``~/data`` folder. -If desired, you can replace ``~/data`` with another location to which the user has read, write, and delete access for the MinIO instance. - -.. code-block:: shell - :class: copyable - - export MINIO_CONFIG_ENV_FILE=/etc/default/minio - minio server --console-address :9001 - -.. code-block:: shell - - Status: 1 Online, 0 Offline. 
- API: http://192.168.2.100:9000 http://127.0.0.1:9000 - RootUser: myminioadmin - RootPass: minio-secret-key-change-me - Console: http://192.168.2.100:9001 http://127.0.0.1:9001 - RootUser: myminioadmin - RootPass: minio-secret-key-change-me - - Command-line: https://min.io/docs/minio/linux/reference/minio-mc.html - $ mc alias set myminio http://10.0.2.100:9000 myminioadmin minio-secret-key-change-me - - Documentation: https://min.io/docs/minio/linux/index.html - -The ``API`` block lists the network interfaces and port on which clients can access the MinIO S3 API. -The ``Console`` block lists the network interfaces and port on which clients can access the MinIO Web Console. - -.. end-run-minio-binary-desc \ No newline at end of file diff --git a/source/includes/macos/quickstart.rst b/source/includes/macos/quickstart.rst deleted file mode 100644 index f4be612ee..000000000 --- a/source/includes/macos/quickstart.rst +++ /dev/null 
@@ -1,148 +0,0 @@ -.. _quickstart-macos: - -============================= -Quickstart: MinIO for Mac OSX -============================= - -.. default-domain:: minio - -.. container:: extlinks-video - - - `Object Storage Essentials `__ - - - `How to Connect to MinIO with JavaScript `__ - -.. |OS| replace:: MacOS - -This procedure deploys a :ref:`Single-Node Single-Drive ` MinIO server onto |OS| for early development and evaluation of MinIO Object Storage and its S3-compatible API layer. - -For instructions on deploying to production environments, see :ref:`deploy-minio-distributed`. - -Prerequisites -------------- - -- Read, write, and execute permissions for the user's home directory -- Familiarity with using the Terminal - -Procedure ---------- - -#. **Install the MinIO Server** - - .. include:: /includes/macos/common-installation.rst - :start-after: start-install-minio-binary-desc - :end-before: end-install-minio-binary-desc - - -#. **Launch the MinIO Server** - - .. include:: /includes/macos/common-installation.rst - :start-after: start-run-minio-binary-desc - :end-before: end-run-minio-binary-desc - -#. **Connect your Browser to the MinIO Server** - - Access the :ref:`minio-console` by going to a browser (such as Safari) and going to ``https://127.0.0.1:9000`` or one of the Console addresses specified in the :mc:`minio server` command's output. - For example, :guilabel:`Console: http://192.0.2.10:9001 http://127.0.0.1:9001` in the example output indicates two possible addresses to use for connecting to the Console. - - While port ``9000`` is used for connecting to the API, MinIO automatically redirects browser access to the MinIO Console. - - Log in to the Console with the ``RootUser`` and ``RootPass`` user credentials displayed in the output. - These default to ``minioadmin | minioadmin``. - - .. 
image:: /images/minio-console/console-login.png - :width: 600px - :alt: MinIO Console displaying login screen - :align: center - - You can use the MinIO Console for general administration tasks like Identity and Access Management, Metrics and Log Monitoring, or Server Configuration. - Each MinIO server includes its own embedded MinIO Console. - - .. image:: /images/minio-console/minio-console.png - :width: 600px - :alt: MinIO Console displaying bucket start screen - :align: center - - For more information, see the :ref:`minio-console` documentation. - -#. `(Optional)` Install the MinIO Client - - The :ref:`MinIO Client ` allows you to work with your MinIO volume from the commandline. - - .. tab-set:: - - .. tab-item:: Homebrew - - Run the following commands to install the latest stable MinIO Client package using `Homebrew `_. - - .. code-block:: shell - :class: copyable - - brew install minio/stable/mc - - To use the command, run - - .. code-block:: - - mc {command} {flag} - - .. tab-item:: Binary (arm64) - - Download the standalone MinIO server for MacOS and make it executable. - - .. code-block:: shell - :class: copyable - - curl -O https://dl.min.io/client/mc/release/darwin-arm64/mc - chmod +x mc - sudo mv mc /usr/local/bin/mc - - To use the command, run - - .. code-block:: shell - - mc {command} {flag} - - .. tab-item:: Binary (amd64) - - Download the standalone MinIO server for MacOS and make it executable. - - .. code-block:: shell - :class: copyable - - curl -O https://dl.min.io/client/mc/release/darwin-amd64/mc - chmod +x mc - sudo mv mc /usr/local/bin/mc - - To use the command, run - - .. code-block:: shell - - mc {command} {flag} - - Use :mc:`mc alias set` to quickly authenticate and connect to the MinIO deployment. - - .. 
code-block:: shell - :class: copyable - - mc alias set local http://127.0.0.1:9000 minioadmin minioadmin - mc admin info local - - The :mc:`mc alias set` takes four arguments: - - - The name of the alias - - The hostname or IP address and port of the MinIO server - - The Access Key for a MinIO :ref:`user ` - - The Secret Key for a MinIO :ref:`user ` - - For additional details about this command, see :ref:`alias`. - -.. rst-class:: section-next-steps - -Next Steps ----------- - -- :ref:`Connect your applications to MinIO ` -- :ref:`Configure Object Retention ` -- :ref:`Configure Security ` -- :ref:`Deploy MinIO for Production Environments ` diff --git a/source/includes/macos/steps-configure-minio-kes-hashicorp.rst b/source/includes/macos/steps-configure-minio-kes-hashicorp.rst deleted file mode 100644 index b10039177..000000000 --- a/source/includes/macos/steps-configure-minio-kes-hashicorp.rst +++ /dev/null 
@@ -1,65 +0,0 @@ -Deploy MinIO and KES with Server-Side Encryption ------------------------------------------------- - -Prior to starting these steps, create the following folders: - -.. code-block:: shell - :class: copyable - :substitutions: - - mkdir -P |kescertpath| - mkdir -P |kesconfigpath| - mkdir -P |miniodatapath| - -Prerequisite -~~~~~~~~~~~~ - -Depending on your chosen :kes-docs:`supported KMS target <#supported-kms-targets>` configuration, you may need to pass the ``kes-server.cert`` as a trusted Certificate Authority (CA). -Defer to the client documentation for instructions on trusting a third-party CA. - -1) Create the MinIO Configurations -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Create the MinIO Environment File - -Create the environment file using your preferred text editor. -The following example uses ``nano``: - -.. code-block:: shell - :substitutions: - - nano |minioconfigpath|/minio - -.. include:: /includes/common/common-minio-kes.rst - :start-after: start-kes-configuration-minio-desc - :end-before: end-kes-configuration-minio-desc - -3) Start the MinIO Server -~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. note:: - - You **must** start KES *before* starting MinIO. - The MinIO deployment requires access to KES as part of its startup. - -.. include:: /includes/common/common-minio-kes.rst - :start-after: start-kes-minio-start-server-desc - :end-before: end-kes-minio-start-server-desc - -Foreground processes depend on the shell or terminal in which they run. -Exiting or terminating the shell/terminal instance also kills the attached process. -Defer to your operating system best practices for running processes in the background. - -4) Generate a New Encryption Key -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. include:: /includes/common/common-minio-kes.rst - :start-after: start-kes-generate-key-desc - :end-before: end-kes-generate-key-desc - -5) Enable SSE-KMS for a Bucket -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. 
include:: /includes/common/common-minio-kes.rst - :start-after: start-kes-enable-sse-kms-desc - :end-before: end-kes-enable-sse-kms-desc diff --git a/source/includes/macos/steps-deploy-minio-single-node-multi-drive.rst b/source/includes/macos/steps-deploy-minio-single-node-multi-drive.rst deleted file mode 100644 index f189a219d..000000000 --- a/source/includes/macos/steps-deploy-minio-single-node-multi-drive.rst +++ /dev/null @@ -1,34 +0,0 @@ -1) Download the MinIO Server -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. include:: /includes/macos/common-installation.rst - :start-after: start-install-minio-binary-desc - :end-before: end-install-minio-binary-desc - -2) Create the Environment Variable File -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. include:: /includes/common/common-deploy.rst - :start-after: start-common-deploy-create-environment-file-multi-drive - :end-before: end-common-deploy-create-environment-file-multi-drive - -.. include:: /includes/common/common-deploy.rst - :start-after: start-common-deploy-create-unique-root-credentials - :end-before: end-common-deploy-create-unique-root-credentials - -3) Start the MinIO Deployment -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Issue the following command on the local host to start the MinIO |SNSD| deployment as a foreground process. -You must keep the shell or terminal session open to keep the process running. - -.. include:: /includes/macos/common-installation.rst - :start-after: start-run-minio-binary-desc - :end-before: end-run-minio-binary-desc - -4) Connect to the MinIO Deployment -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. include:: /includes/common/common-deploy.rst - :start-after: start-common-deploy-connect-to-minio-deployment - :end-before: end-common-deploy-connect-to-minio-deployment \ No newline at end of file diff --git a/source/includes/macos/steps-deploy-minio-single-node-single-drive.rst b/source/includes/macos/steps-deploy-minio-single-node-single-drive.rst deleted file mode 100644 index e1ed2f0b5..000000000 
--- a/source/includes/macos/steps-deploy-minio-single-node-single-drive.rst +++ /dev/null @@ -1,34 +0,0 @@ -1) Download the MinIO Server -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. include:: /includes/macos/common-installation.rst - :start-after: start-install-minio-binary-desc - :end-before: end-install-minio-binary-desc - -2) Create the Environment Variable File -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. include:: /includes/common/common-deploy.rst - :start-after: start-common-deploy-create-environment-file-single-drive - :end-before: end-common-deploy-create-environment-file-single-drive - -.. include:: /includes/common/common-deploy.rst - :start-after: start-common-deploy-create-unique-root-credentials - :end-before: end-common-deploy-create-unique-root-credentials - -3) Start the MinIO Deployment -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Issue the following command on the local host to start the MinIO |SNSD| deployment as a foreground process. -You must keep the shell or terminal session open to keep the process running. - -.. include:: /includes/macos/common-installation.rst - :start-after: start-run-minio-binary-desc - :end-before: end-run-minio-binary-desc - -4) Connect to the MinIO Deployment -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. include:: /includes/common/common-deploy.rst - :start-after: start-common-deploy-connect-to-minio-deployment - :end-before: end-common-deploy-connect-to-minio-deployment diff --git a/source/includes/macos/steps-upgrade-minio-deployment.rst b/source/includes/macos/steps-upgrade-minio-deployment.rst deleted file mode 100644 index 8da021960..000000000 --- a/source/includes/macos/steps-upgrade-minio-deployment.rst +++ /dev/null 
@@ -1,78 +0,0 @@ -MinIO uses an update-then-restart methodology for upgrading a deployment to a newer release: - -1. Update the MinIO binary with the newer release. -2. Restart the deployment using :mc-cmd:`mc admin service restart`. - -This procedure does not require taking downtime and is non-disruptive to ongoing operations. - -This page documents methods for upgrading using the update-then-restart method for both ``systemctl`` and user-managed MinIO deployments. -Deployments using Ansible, Terraform, or other management tools can use the procedures here as guidance for implementation within the existing automation framework. - -Considerations --------------- - -Upgrades Are Non-Disruptive -~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -MinIO's upgrade-then-restart procedure does *not* require taking downtime or scheduling a maintenance period. -MinIO restarts are fast, such that restarting all server processes in parallel typically completes in a few seconds. -MinIO operations are atomic and strictly consistent, such that applications using MinIO or S3 SDKs can rely on the built-in :aws-docs:`transparent retry ` without further client-side logic. -This ensures upgrades are non-disruptive to ongoing operations. - -"Rolling" or serial "one-at-a-time" upgrade methods do not provide any advantage over the recommended "parallel" procedure, and can introduce unnecessary complexity to the upgrade procedure. -For virtualized environments which *require* rolling updates, you should modify the recommended procedure as follows: - -1. Update the MinIO Binary in the virtual machine or container one at a time. -2. Restart the MinIO deployment using :mc-cmd:`mc admin service restart`. -3. Update the virtual machine/container configuration to use the matching newer MinIO image. -4. Perform the rolling restart of each machine/container with the updated image. 
- -Check Release Notes -~~~~~~~~~~~~~~~~~~~ - -MinIO publishes :minio-git:`Release Notes ` for your reference as part of identifying the changes applied in each release. -Review the associated release notes between your current MinIO version and the newer release so you have a complete view of any changes. - -Pay particular attention to any releases that are *not* backwards compatible. -You cannot trivially downgrade from any such release. - -Update Using Homebrew ---------------------- - -For Homebrew installations, you can use homebrew to update the cask: - -.. code-block:: shell - :class: copyable - - brew upgrade minio/stable/minio - -Restart the MinIO process to complete the update. - -Update using Binary Replacement -------------------------------- - -.. tab-set:: - - .. tab-item:: Binary - arm64 - - Open a Terminal, then use the following commands to download the latest stable MinIO binary, set it to executable, and install it to the system ``$PATH``: - - .. code-block:: shell - :class: copyable - - curl -O https://dl.min.io/server/minio/release/darwin-arm64/minio - chmod +x ./minio - sudo mv ./minio /usr/local/bin/ - - .. tab-item:: Binary - amd64 - - Open a Terminal, then use the following commands to download the latest stable MinIO binary, set it to executable, and install it to the system ``$PATH``: - - .. code-block:: shell - :class: copyable - - curl -O https://dl.min.io/server/minio/release/darwin-amd64/minio - chmod +x ./minio - sudo mv ./minio /usr/local/bin/ - -Restart the MinIO process to complete the update. \ No newline at end of file diff --git a/source/includes/windows/quickstart.rst b/source/includes/windows/quickstart.rst deleted file mode 100644 index 6cef00106..000000000 --- a/source/includes/windows/quickstart.rst +++ /dev/null 
@@ -1,153 +0,0 @@ -.. _quickstart-windows: - -============================= -Quickstart: MinIO for Windows -============================= - -.. default-domain:: minio - -.. container:: extlinks-video - - - `Object Storage Essentials `__ - - - `How to Connect to MinIO with JavaScript `__ - - -.. |OS| replace:: Windows - -This procedure deploys a :ref:`Single-Node Single-Drive ` MinIO server onto |OS| for early development and evaluation of MinIO Object Storage and its S3-compatible API layer. - -.. note:: - - This documentation only covers Single-Node Single-Drive deployments. - Due to NTFS behaviors and limitations, MinIO does not recommend multi-node multi-drive deployments on Windows hosts. - - Use :minio-docs:`Linux hosts ` or :minio-docs:`Kubernetes ` for deploying production-ready distributed MinIO deployments. - -Use Windows-based MinIO deployments for early development and evaluation. -MinIO strongly recommends Linux (RHEL, Ubuntu) systems for long-term development and production environments. - -MinIO supports non-EOL Windows versions (Windows 10, Windows Server 2016+). - -Prerequisites -------------- - -- Read, write, and execute permissions for the preferred local directory or file path -- Familiarity with using the Command Prompt or PowerShell - -Procedure ---------- - -#. Install the MinIO Server - - Download the MinIO executable from the following URL: - - .. code-block:: shell - :class: copyable - - https://dl.min.io/server/minio/release/windows-amd64/minio.exe - - The next step includes instructions for running the executable. - You cannot run the executable from the Explorer or by double clicking the file. - Instead, you call the executable to launch the server. - -#. Launch the :mc:`minio server` - - In PowerShell or the Command Prompt, navigate to the location of the executable or add the path of the ``minio.exe`` file to the system ``$PATH``. - - Use this command to start a local MinIO instance in the ``C:\minio`` folder. 
- You can replace ``C:\minio`` with another drive or folder path on the local computer. - - .. code-block:: - :class: copyable - - .\minio.exe server C:\minio --console-address :9001 - - The :mc:`minio server` process prints its output to the system console, similar to the following: - - .. code-block:: shell - - API: http://192.0.2.10:9000 http://127.0.0.1:9000 - RootUser: minioadmin - RootPass: minioadmin - - Console: http://192.0.2.10:9001 http://127.0.0.1:9001 - RootUser: minioadmin - RootPass: minioadmin - - Command-line: https://min.io/docs/minio/linux/reference/minio-mc.html - $ mc alias set myminio http://192.0.2.10:9000 minioadmin minioadmin - - Documentation: https://min.io/docs/minio/linux/index.html - - WARNING: Detected default credentials 'minioadmin:minioadmin', we recommend that you change these values with 'MINIO_ROOT_USER' and 'MINIO_ROOT_PASSWORD' environment variables. - - The process is tied to the current PowerShell or Command Prompt window. - Closing the window stops the server and ends the process. - -#. Connect your Browser to the MinIO Server - - Access the :ref:`minio-console` by going to a browser (such as Microsoft Edge) and going to ``http://127.0.0.1:9001`` or one of the Console addresses specified in the :mc:`minio server` command's output. - For example, ``Console: http://192.0.2.10:9001 http://127.0.0.1:9001`` in the example output indicates two possible addresses to use for connecting to the Console. - - While port ``9000`` is used for connecting to the API, MinIO automatically redirects browser access to the MinIO Console. - - Log in to the Console with the ``RootUser`` and ``RootPass`` user credentials displayed in the output. - These default to ``minioadmin | minioadmin``. - - .. 
image:: /images/minio-console/console-login.png - :width: 600px - :alt: MinIO Console displaying login screen - :align: center - - You can use the MinIO Console for general administration tasks like Identity and Access Management, Metrics and Log Monitoring, or Server Configuration. - Each MinIO server includes its own embedded MinIO Console. - - .. image:: /images/minio-console/minio-console.png - :width: 600px - :alt: MinIO Console displaying bucket start screen - :align: center - - For more information, see the :ref:`minio-console` documentation. - -#. `(Optional)` Install the MinIO Client - - The :ref:`MinIO Client ` allows you to work with your MinIO volume from the commandline. - - Download the standalone MinIO server for Windows from the following link: - - https://dl.min.io/client/mc/release/windows-amd64/mc.exe - - Double click on the file to run it. - Or, run the following in the Command Prompt or PowerShell. - - .. code-block:: - :class: copyable - - \path\to\mc.exe --help - - Use :mc:`mc.exe alias set ` to quickly authenticate and connect to the MinIO deployment. - - .. code-block:: shell - :class: copyable - - mc.exe alias set local http://127.0.0.1:9000 minioadmin minioadmin - mc.exe admin info local - - The :mc:`mc.exe alias set ` takes four arguments: - - - The name of the alias - - The hostname or IP address and port of the MinIO server - - The Access Key for a MinIO :ref:`user ` - - The Secret Key for a MinIO :ref:`user ` - - For additional details about this command, see :ref:`alias`. - -.. rst-class:: section-next-steps - -Next Steps ----------- - -- :ref:`Connect your applications to MinIO ` -- :ref:`Configure Object Retention ` -- :ref:`Configure Security ` diff --git a/source/includes/windows/steps-configure-minio-kes-hashicorp.rst b/source/includes/windows/steps-configure-minio-kes-hashicorp.rst deleted file mode 100644 index 6ac6bbcd1..000000000 --- a/source/includes/windows/steps-configure-minio-kes-hashicorp.rst +++ /dev/null 
@@ -1,63 +0,0 @@ -Deploy MinIO and KES with Server-Side Encryption ------------------------------------------------- - -Prior to starting these steps, create the following folders: - -.. code-block:: powershell - :class: copyable - :substitutions: - - New-Item -Path "|kescertpath|" -ItemType "directory" - New-Item -Path "|kesconfigpath|" -ItemType "directory" - New-Item -Path "|miniodatapath|" -ItemType "directory" - -Prerequisite -~~~~~~~~~~~~ - -Depending on your chosen :kes-docs:`supported KMS target <#supported-kms-targets>` configuration, you may need to pass the ``kes-server.cert`` as a trusted Certificate Authority (CA). -Defer to the client documentation for instructions on trusting a third-party CA. - -1) Create the MinIO Configurations -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Create the MinIO Environment File - -Create the environment file using your preferred text editor. -The following example uses the Windows Notepad program: - -.. code-block:: powershell - :substitutions: - - notepad |minioconfigpath|\minio - -.. include:: /includes/windows/common-minio-kes.rst - :start-after: start-kes-configuration-minio-desc - :end-before: end-kes-configuration-minio-desc - -2) Start the MinIO Server -~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. note:: - - You **must** start KES *before* starting MinIO. - The MinIO deployment requires access to KES as part of its startup. - -Start the MinIO Server - -.. include:: /includes/windows/common-minio-kes.rst - :start-after: start-kes-minio-start-server-desc - :end-before: end-kes-minio-start-server-desc - -3) Generate a New Encryption Key -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. include:: /includes/windows/common-minio-kes.rst - :start-after: start-kes-generate-key-desc - :end-before: end-kes-generate-key-desc - -4) Enable SSE-KMS for a Bucket -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. include:: /includes/common/common-minio-kes.rst - :start-after: start-kes-enable-sse-kms-desc - :end-before: end-kes-enable-sse-kms-desc 
diff --git a/source/includes/windows/steps-deploy-minio-single-node-single-drive.rst b/source/includes/windows/steps-deploy-minio-single-node-single-drive.rst
deleted file mode 100644
index eced268c3..000000000
--- a/source/includes/windows/steps-deploy-minio-single-node-single-drive.rst
+++ /dev/null
@@ -1,53 +0,0 @@ -1) Download the MinIO Server -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - Download the MinIO executable from the following URL: - - .. code-block:: shell - :class: copyable - - https://dl.min.io/server/minio/release/windows-amd64/minio.exe - - The next step includes instructions for running the executable. - You cannot run the executable from the Explorer or by double clicking the file. - Instead, you call the executable to launch the server. - -2) Prepare the Data Path for MinIO -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Ensure the data path is empty and contains no existing files, including any hidden or Windows system files. - -If specifying a drive not dedicated for use by MinIO, consider creating a dedicated folder for storing MinIO data such as ``D:/Minio``. - -3) Start the MinIO Server -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Open the Command Prompt or PowerShell and issue the following command to start the MinIO |SNSD| deployment in that session: - -.. code-block:: shell - :class: copyable - - minio.exe server D:/minio --console-address ":9001" - -The output should resemble the following: - -.. code-block:: shell - - Status: 1 Online, 0 Offline. - API: http://192.168.2.100:9000 http://127.0.0.1:9000 - Console: http://192.168.2.100:9001 http://127.0.0.1:9001 - - Command-line: https://min.io/docs/minio/linux/reference/minio-mc.html - $ mc alias set myminio http://10.0.2.100:9000 minioadmin minioadmin - - Documentation: https://min.io/docs/minio/linux/index.html - -The ``API`` block lists the network interfaces and port on which clients can access the MinIO S3 API. -The ``Console`` block lists the network interfaces and port on which clients can access the MinIO Web Console. - -4) Connect to the MinIO Server -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. include:: /includes/common/common-deploy.rst - :start-after: start-common-deploy-connect-to-minio-deployment - :end-before: end-common-deploy-connect-to-minio-deployment 
diff --git a/source/index.rst b/source/index.rst index 4b9706933..01e1b5a85 100644 --- a/source/index.rst +++ b/source/index.rst @@ -1,6 +1,6 @@ -================================================================================ -MinIO Object Storage for |platform| -================================================================================ +===================================== +MinIO High Performance Object Storage +===================================== .. default-domain:: minio 
@@ -8,219 +8,144 @@ MinIO Object Storage for |platform| :local: :depth: 2 -MinIO is an object storage solution that provides an Amazon Web Services S3-compatible API and supports all core S3 features. -MinIO is built to deploy anywhere - public or private cloud, baremetal infrastructure, orchestrated environments, and edge infrastructure. +MinIO is a Kubernetes-native S3-compatible object storage solution designed to deploy wherever your applications are - on premises, in the private cloud, in the public cloud, and edge infrastructure. +MinIO is designed to support modern application workload patterns where high performance distributed computing meets petabyte-scale storage requirements. -.. cond:: linux +MinIO is available under two server editions, each with their own distinct license: - This site documents Operations, Administration, and Development of MinIO deployments on Linux platforms for the latest stable version of MinIO: |minio-tag|. +.. grid:: 2 -.. cond:: windows + .. grid-item-card:: MinIO Object Store (MinIO) - This site documents Operations, Administration, and Development of MinIO deployments on Windows platforms for the latest stable version of MinIO: |minio-tag|. + MinIO Object Store (MinIO) is licensed under `GNU Affero General Public License v3.0 `__. + + MinIO features are available to the community as a stream of active development. -.. cond:: macos + MinIO is community-focused, with best-effort support through the MinIO Community Slack Channel and the MinIO Github repository. - This site documents Operations, Administration, and Development of MinIO deployments on macOS platforms for the latest stable version of MinIO: |minio-tag|. + .. grid-item-card:: MinIO Enterprise Object Store (MinEOS) -.. cond:: container + MinIO Enterprise Object Store (MinEOS) is licensed under the `MinIO Commercial License `__. 
+ + MinEOS is available to |SUBNET| Enterprise-Lite and Enterprise-Plus customers and includes exclusive support for the :minio-blog:`Enterprise Object Store feature suite `. - This site documents Operations, Administration, and Development of MinIO deployments on Containers for the latest stable version of MinIO: |minio-tag|. + MinEOS include |SUBNET| access for 24/7 L1 support from MinIO Engineering, with 4 or 1 hour SLAs available based on deployment size. -.. cond:: k8s and not (openshift or eks or gke or aks) +This site documents Operations, Administration, and Development of MinIO deployments on supported platforms for |minio-tag|. +MinIO Enterprise Object Storage (MinEOS) deployments can use this documentation as a baseline of features available in a current or upcoming release. - This site documents Operations, Administration, and Development of MinIO deployments on Kubernetes platform for the latest stable version of the MinIO Operator: |operator-version-stable|. +.. todo: More marketing/SEO below? -.. cond:: openshift +MinIO officially supports the following platforms: - This site documents Operations, Administration, and Development of MinIO deployments on OpenShift 4.7+ through the :openshift-docs:`Red Hat® OpenShift® Container Platform 4.7+ ` for the latest stable version of the MinIO Operator: |operator-version-stable|. +- :ref:`Kubernetes (Upstream) ` +- :ref:`RedHat Openshift ` +- :ref:`SUSE Rancher ` +- :ref:`Elastic Kubernetes Service ` +- :ref:`Google Kubernetes Engine ` +- :ref:`Azure Kubernetes Service ` +- :ref:`Red Hat Enterprise Linux ` +- :ref:`Ubuntu Linux ` +- :ref:`MacOS ` +- :ref:`Container ` +- :ref:`Windows ` -.. cond:: eks +Quickstart +---------- - This site documents Operations, Administration, and Development of MinIO deployments on `Amazon Elastic Kubernetes Service `__ for the latest stable version of the MinIO Operator: |operator-version-stable|. +.. tab-set:: -.. cond:: gke + .. 
tab-item:: Sandbox - This site documents Operations, Administration, and Development of MinIO deployments on `Google Kubernetes Engine `__ for the latest stable version of the MinIO Operator: |operator-version-stable|. + MinIO maintains a sandbox instance of the community server at https://play.min.io. + You can use this instance for experimenting or evaluating the MinIO product on your local system. -.. cond:: aks + Follow the :mc:`mc` CLI :ref:`installation guide ` to install the utility on your local host. - This site documents Operations, Administration, and Development of MinIO deployments on `Azure Kubernetes Engine `__ for the latest stable version of the MinIO Operator: |operator-version-stable|. + :mc:`mc` includes a pre-configured ``play`` alias for connecting to the sandbox. + For example, you can use the following commands to create a bucket and copy objects to ``play``: -.. cond:: not (eks or aks or gke) + .. code-block:: shell + :class: copyable - MinIO is released under dual license `GNU Affero General Public License v3.0 `__ and `MinIO Commercial License `__. - Deployments registered through |SUBNET| use the commercial license and include access to 24/7 MinIO support. + mc mb play/mynewbucket -.. cond:: eks + mc cp /path/to/file play/mynewbucket/prefix/filename.extension - MinIO is released under dual license `GNU Affero General Public License v3.0 `__ and `MinIO Commercial License `__. - Deploying MinIO through the :minio-web:`AWS Marketplace ` includes the commercial license and access to 24/7 MinIO support through |SUBNET|. + mc stat play/mynewbucket/prefix/filename.extension -.. cond:: gke + .. important:: - MinIO is released under dual license `GNU Affero General Public License v3.0 `__ and `MinIO Commercial License `__. - Deploying MinIO through the :minio-web:`GKE Marketplace ` includes the commercial license and access to 24/7 MinIO support through |SUBNET|. 
+ MinIO's Play sandbox is an ephemeral public-facing deployment with well-known access credentials. + Any private, confidential, internal, secured, or other important data uploaded to Play is effectively made public. + Exercise caution and discretion in any data you upload to Play. -.. cond:: aks + .. tab-item:: Baremetal - MinIO is released under dual license `GNU Affero General Public License v3.0 `__ and `MinIO Commercial License `__. - Deploying MinIO through the :minio-web:`AKS Marketplace ` includes the commercial license and access to 24/7 MinIO support through |SUBNET|. + 1. Download the MinIO Server Process for your Operating System -You can get started exploring MinIO features using the :ref:`minio-console` and our ``play`` server at https://play.min.io. -``play`` is a *public* MinIO cluster running the latest stable MinIO server. -Any file uploaded to ``play`` should be considered public and non-protected. -For more about connecting to ``play``, see :ref:`MinIO Console play Login `. + Follow the instructions on the `MinIO Download Page ` for your operating system to download and install the :mc:`minio server` process. -.. cond:: linux + 2. Create a folder for use with MinIO - .. include:: /includes/linux/quickstart.rst + For example, create a folder ``~/minio`` in Linux/MacOS or ``C:\minio`` in Windows. -.. cond:: macos + 3. Start the MinIO Server - .. include:: /includes/macos/quickstart.rst + Run the :mc:`minio server` specifying the path to the directory and the :mc:`~minio server --console-address` parameter to set a static console listen path: -.. cond:: windows + .. code-block:: shell + :class: copyable - .. include:: /includes/windows/quickstart.rst + minio server ~/minio --console-address :9001 + # For windows, use minio.exe server ~/minio --console-address :9001` -.. cond:: k8s + The output includes connection instructions for both :mc:`mc` and connecting to the Console using your browser. - .. include:: /includes/k8s/quickstart.rst + .. 
tab-item:: Kubernetes -.. cond:: container + Download `minio-dev.yaml `__ to your host machine: - .. include:: /includes/container/quickstart.rst + .. code-block:: shell + :class: copyable -.. cond:: k8s + curl https://raw.githubusercontent.com/minio/docs/master/source/extra/examples/minio-dev.yaml -O - .. toctree:: - :titlesonly: - :hidden: + The file describes two Kubernetes resources: - /operations/installation - /operations/install-deploy-manage/upgrade-minio-operator - /operations/deploy-manage-tenants - /operations/concepts - /operations/monitoring - /operations/external-iam - /operations/server-side-encryption - /operations/network-encryption - /operations/cert-manager - /operations/checklists - /operations/data-recovery - /operations/troubleshooting - /administration/minio-console - /administration/object-management - /administration/monitoring - /administration/identity-access-management - /administration/server-side-encryption - /administration/bucket-replication - /administration/batch-framework - /administration/concepts + - A new namespace ``minio-dev``, and + - A MinIO pod using a drive or volume on the Worker Node for serving data -.. cond:: windows - - .. toctree:: - :titlesonly: - :hidden: - - /operations/installation - /operations/concepts - /operations/monitoring - /operations/external-iam - /operations/server-side-encryption - /operations/network-encryption - /operations/checklists - /operations/data-recovery - /operations/troubleshooting - /administration/minio-console - /administration/object-management - /administration/monitoring - /administration/identity-access-management - /administration/server-side-encryption - /administration/bucket-replication - /administration/batch-framework - /administration/concepts - -.. cond:: linux or macos or container - - .. 
toctree:: - :titlesonly: - :hidden: - - /operations/installation - /operations/manage-existing-deployments - /operations/concepts - /operations/monitoring - /operations/external-iam - /operations/server-side-encryption - /operations/network-encryption - /operations/checklists - /operations/data-recovery - /operations/troubleshooting - /administration/minio-console - /administration/object-management - /administration/monitoring - /administration/identity-access-management - /administration/server-side-encryption - /administration/bucket-replication - /administration/batch-framework - /administration/concepts - -.. cond:: not (linux or k8s) - - .. toctree:: - :titlesonly: - :hidden: - - Software Development Kits (SDK) - Security Token Service (STS) - Object Lambda - File Transfer Protocol - MinIO Client - MinIO Admin Client - S3 API Compatibility - Integrations - -.. cond:: linux - - .. toctree:: - :titlesonly: - :hidden: - - /developers/minio-drivers - /developers/security-token-service - /developers/transforms-with-object-lambda - /developers/file-transfer-protocol - /reference/minio-mc - /reference/minio-mc-admin - /reference/minio-mc-deprecated - /reference/minio-server/minio-server - /reference/s3-api-compatibility - /integrations/integrations - -.. cond:: k8s - - .. toctree:: - :titlesonly: - :hidden: - - Software Development Kits (SDK) - /developers/sts-for-operator - Object Lambda - /developers/file-transfer-protocol - MinIO Client - MinIO Admin Client - S3 API Compatibility - Integrations - /reference/operator-crd - /reference/operator-chart-values - /reference/tenant-chart-values - /reference/operator-environment-variables + Use ``kubectl port-forward`` to access the Pod, or create a service for the pod for which you can configure Ingress, Load Balancing, or similar Kubernetes-level networking. .. 
toctree:: :titlesonly: :hidden: + /operations/deployments/installation + /operations/replication/multi-site-replication + /operations/concepts + /operations/monitoring + /operations/external-iam + /operations/server-side-encryption + /operations/network-encryption + /operations/checklists + /operations/data-recovery + /operations/troubleshooting + /administration/minio-console + /administration/object-management + /administration/monitoring + /administration/identity-access-management + /administration/server-side-encryption + /administration/bucket-replication + /administration/batch-framework + /administration/concepts + /developers/minio-drivers + /developers/security-token-service + /developers/transforms-with-object-lambda + /developers/file-transfer-protocol + /reference/kubernetes + /reference/baremetal + /reference/s3-api-compatibility /glossary + /integrations/integrations \ No newline at end of file diff --git a/source/operations/checklists/hardware.rst b/source/operations/checklists/hardware.rst index 94f4664c7..906d1e78e 100644 --- a/source/operations/checklists/hardware.rst +++ b/source/operations/checklists/hardware.rst 
@@ -43,17 +43,22 @@ Workloads that benefit from storing aged data on lower-cost hardware should inst See our `Reference Hardware `__ page for a curated selection of servers and storage components from our hardware partners. -.. cond:: k8s +.. tab-set:: + :class: parent - .. include:: /includes/common/common-checklist.rst - :start-after: start-k8s-hardware-checklist - :end-before: end-k8s-hardware-checklist + .. tab-item:: Kubernetes + :sync: k8s -.. cond:: not k8s + .. include:: /includes/common/common-checklist.rst + :start-after: start-k8s-hardware-checklist + :end-before: end-k8s-hardware-checklist - .. include:: /includes/common/common-checklist.rst - :start-after: start-linux-hardware-checklist - :end-before: end-linux-hardware-checklist + .. tab-item:: Baremetal + :sync: baremetal + + .. include:: /includes/common/common-checklist.rst + :start-after: start-linux-hardware-checklist + :end-before: end-linux-hardware-checklist .. important:: 
@@ -202,142 +207,193 @@ Storage :start-after: start-exclusive-drive-access :end-before: end-exclusive-drive-access -.. cond:: k8s +Recommended Storage Mediums ++++++++++++++++++++++++++++ - MinIO recommends provisioning a storage class for each MinIO Tenant that meets the performance objectives for that tenant. +.. tab-set:: + :class: hidden - Where possible, configure the Storage Class, CSI, or other provisioner underlying the PV to format volumes as XFS to ensure best performance. + .. tab-item:: Kubernetes + :sync: k8s - Ensure a consistent underlying storage type (NVMe, SSD, HDD) for all PVs provisioned in a Tenant. - - Ensure the same presented capacity of each PV across all nodes in each Tenant :ref:`server pool `. - MinIO limits the maximum usable size per PV to the smallest PV in the pool. - For example, if a pool has 15 10TB PVs and 1 1TB PV, MinIO limits the per-PV capacity to 1TB. + MinIO recommends provisioning a storage class for each MinIO Tenant that meets the performance objectives for that tenant. -.. cond:: not k8s + Where possible, configure the Storage Class, CSI, or other provisioner underlying the PV to format volumes as XFS to ensure best performance. - Recommended Storage Mediums - +++++++++++++++++++++++++++ + Ensure a consistent underlying storage type (NVMe, SSD, HDD) for all PVs provisioned in a Tenant. + + Ensure the same presented capacity of each PV across all nodes in each Tenant :ref:`server pool `. + MinIO limits the maximum usable size per PV to the smallest PV in the pool. + For example, if a pool has 15 10TB PVs and 1 1TB PV, MinIO limits the per-PV capacity to 1TB. - MinIO recommends using flash-based storage (NVMe or SSD) for all workload types and scales. - Workloads that require high performance should prefer NVMe over SSD. + .. tab-item:: Baremetal + :sync: baremetal - MinIO deployments using HDD-based storage are best suited as cold-tier targets for :ref:`Object Transition ("Tiering") ` of aged data. 
- HDD storage typically does not provide the necessary performance to meet the expectations of modern workloads, and any cost efficiencies at scale are offset by the performance constraints of the medium. + MinIO recommends using flash-based storage (NVMe or SSD) for all workload types and scales. + Workloads that require high performance should prefer NVMe over SSD. - Use Direct-Attached "Local" Storage (DAS) - +++++++++++++++++++++++++++++++++++++++++ + MinIO does not recommends HDD storage for production environments. + HDD storage typically does not provide the necessary performance to meet the expectations of modern workloads, and any cost efficiencies at scale are offset by the performance constraints of the medium. - :abbr:`DAS (Direct-Attached Storage)`, such as locally-attached JBOD (Just a Bunch of Disks) arrays, provide significant performance and consistency advantages over networked (NAS, SAN, NFS) storage. +Prefer Direct-Attached "Local" Storage (DAS) +++++++++++++++++++++++++++++++++++++++++++++ - .. dropdown:: Network File System Volumes Break Consistency Guarantees - :class-title: note +:abbr:`DAS (Direct-Attached Storage)`, such as locally-attached JBOD (Just a Bunch of Disks) arrays, provide significant performance and consistency advantages over networked (NAS, SAN, NFS) storage. - MinIO's strict **read-after-write** and **list-after-write** consistency model requires local drive filesystems. - MinIO cannot provide consistency guarantees if the underlying storage volumes are NFS or a similar network-attached storage volume. +.. tab-set:: + :class: hidden - Use XFS-Formatted Drives with Labels - ++++++++++++++++++++++++++++++++++++ + .. tab-item:: Kubernetes + :sync: k8s - Format drives as XFS and present them to MinIO as a :abbr:`JBOD (Just a Bunch of Disks)` array with no RAID or other pooling configurations. 
- Using any other type of backing storage (SAN/NAS, ext4, RAID, LVM) typically results in a reduction in performance, reliability, predictability, and consistency. + While MinIO Tenants can make use of remote Persistent Volume (PV) resources, the cost of performing I/O over the network typically constrains overall performance. - When formatting XFS drives, apply a unique label per drive. - For example, the following command formats four drives as XFS and applies a corresponding drive label. + MinIO strongly recommends using CSIs which can provision storage attached to the worker node on which Kubernetes schedules your MinIO pods, such as :minio-docs:`MinIO DirectPV `. - .. code-block:: shell + For all other cases, make every effort possible to select a CSI which presents the storage to MinIO as if it were a locally-attached filesystem. + CSIs which add layers of software or translations between MinIO and the OS-level storage access APIs necessarily increase the complexity of the syste and can contribute to unexpected or undesired behavior. - mkfs.xfs /dev/sdb -L MINIODRIVE1 - mkfs.xfs /dev/sdc -L MINIODRIVE2 - mkfs.xfs /dev/sdd -L MINIODRIVE3 - mkfs.xfs /dev/sde -L MINIODRIVE4 + .. tab-item:: Baremetal + :sync: baremetal - Mount Drives using ``/etc/fstab`` - +++++++++++++++++++++++++++++++++ + Configure the JBOD arrays without any RAID, pooling, or similar software-level layers, such that the storage is presented directly to MinIO. - MinIO **requires** that drives maintain their ordering at the mounted position across restarts. - MinIO **does not** support arbitrary migration of a drive with existing MinIO data to a new mount position, whether intentional or as the result of OS-level behavior. + For virtual machines or systems that require provising storage as a virtual volume, MinIO recommends using thick LUNs only. - You **must** use ``/etc/fstab`` or a similar mount control system to mount drives at a consistent path. - For example: +.. 
dropdown:: Network File System Volumes Break Consistency Guarantees + :class-title: note - .. code-block:: shell - :class: copyable + MinIO's strict **read-after-write** and **list-after-write** consistency model requires local drive filesystems. + MinIO cannot provide consistency guarantees if the underlying storage volumes are NFS or a similar network-attached storage volume. - $ nano /etc/fstab - # - LABEL=MINIODRIVE1 /mnt/drive-1 xfs defaults,noatime 0 2 - LABEL=MINIODRIVE2 /mnt/drive-2 xfs defaults,noatime 0 2 - LABEL=MINIODRIVE3 /mnt/drive-3 xfs defaults,noatime 0 2 - LABEL=MINIODRIVE4 /mnt/drive-4 xfs defaults,noatime 0 2 +Use XFS-Formatted Drives with Consistent Mounting ++++++++++++++++++++++++++++++++++++++++++++++++++ - You can use ``mount -a`` to mount those drives at those paths during initial setup. - The Operating System should otherwise mount these drives as part of the node startup process. +.. tab-set:: - MinIO **strongly recommends** using label-based mounting rules over UUID-based rules. - Label-based rules allow swapping an unhealthy or non-working drive with a replacement that has matching format and label. - UUID-based rules require editing the ``/etc/fstab`` file to replace mappings with the new drive UUID. + .. tab-item:: Kubernetes + :sync: k8s - .. note:: + MinIO recommends formatting the drives underlying MinIO Persistent Volumes as ``xfs``. - Cloud environment instances which depend on mounted external storage may encounter boot failure if one or more of the remote file mounts return errors or failure. - For example, an AWS ECS instance with mounted persistent EBS volumes may not boot with the standard ``/etc/fstab`` configuration if one or more EBS volumes fail to mount. + If using a CSI, review the documentation for that CSI and ensure it supports specifying the ``xfs`` filesystem. + MinIO strongly recommends avoiding any CSI which formats drives as ``ext4``, ``btrfs`` or other filesystems. 
- You can set the ``nofail`` option to silence error reporting at boot and allow the instance to boot with one or more mount issues. - - You should not use this option on systems with locally attached disks, as silencing drive errors prevents both MinIO and the OS from responding to those errors in a normal fashion. + MinIO expects all provisioned Persistent Volumes (PV) to be intended for its exclusive use, where the underlying storage medium guarantees access to the stored data at the assigned mount path. + Modifications to the underlying storage medium, including but not limited to external or third-party applications or the arbitrary re-mounting of locally-attached storage, may result in unexpected behavior or data loss. - Disable XFS Retry On Error - ++++++++++++++++++++++++++ + .. tab-item:: Baremetal + :sync: baremetal - MinIO **strongly recommends** disabling `retry-on-error `__ behavior using the ``max_retries`` configuration for the following error classes: - - - ``EIO`` Error when reading or writing - - ``ENOSPC`` Error no space left on device - - ``default`` All other errors + Format drives as XFS and present them to MinIO as a :abbr:`JBOD (Just a Bunch of Disks)` array with no RAID or other pooling configurations. + Using any other type of backing storage (SAN/NAS, ext4, RAID, LVM) typically results in a reduction in performance, reliability, predictability, and consistency. - The default ``max_retries`` setting typically directs the filesystem to retry-on-error indefinitely instead of propagating the error. - MinIO can handle XFS errors appropriately, such that the retry-on-error behavior introduces at most unnecessary latency or performance degradation. + When formatting XFS drives, apply a unique label per drive. + For example, the following command formats four drives as XFS and applies a corresponding drive label. 
- The following script iterates through all drives at the specified mount path and sets the XFS ``max_retries`` setting to ``0`` or "fail immediately on error" for the recommended error classes. - The script ignores any drives not mounted, either manually or through ``/etc/fstab``. - Modify the ``/mnt/drive`` line to match the pattern used for your MinIO drives. + .. code-block:: shell - .. code-block:: bash - :class: copyable + mkfs.xfs /dev/sdb -L MINIODRIVE1 + mkfs.xfs /dev/sdc -L MINIODRIVE2 + mkfs.xfs /dev/sdd -L MINIODRIVE3 + mkfs.xfs /dev/sde -L MINIODRIVE4 - #!/bin/bash + MinIO **requires** that drives maintain their ordering at the mounted position across restarts. + MinIO **does not** support arbitrary migration of a drive with existing MinIO data to a new mount position, whether intentional or as the result of OS-level behavior. - for i in $(df -h | grep /mnt/drive | awk '{ print $1 }'); do - mountPath="$(df -h | grep $i | awk '{ print $6 }')" - deviceName="$(basename $i)" - echo "Modifying xfs max_retries and retry_timeout_seconds for drive $i mounted at $mountPath" - echo 0 > /sys/fs/xfs/$deviceName/error/metadata/EIO/max_retries - echo 0 > /sys/fs/xfs/$deviceName/error/metadata/ENOSPC/max_retries - echo 0 > /sys/fs/xfs/$deviceName/error/metadata/default/max_retries - done - exit 0 + You **must** use ``/etc/fstab`` or a similar mount control system to mount drives at a consistent path. + For example: - You must run this script on all MinIO nodes and configure the script to re-run on reboot, as Linux Operating Systems do not typically persist these changes. - You can use a ``cron`` job with the ``@reboot`` timing to run the above script whenever the node restarts and ensure all drives have retry-on-error disabled. - Use ``crontab -e`` to create the following job, modifying the script path to match that on each node: + .. code-block:: shell + :class: copyable - .. 
code-block:: shell - :class: copyable + $ nano /etc/fstab + + # + LABEL=MINIODRIVE1 /mnt/drive-1 xfs defaults,noatime 0 2 + LABEL=MINIODRIVE2 /mnt/drive-2 xfs defaults,noatime 0 2 + LABEL=MINIODRIVE3 /mnt/drive-3 xfs defaults,noatime 0 2 + LABEL=MINIODRIVE4 /mnt/drive-4 xfs defaults,noatime 0 2 + + You can use ``mount -a`` to mount those drives at those paths during initial setup. + The Operating System should otherwise mount these drives as part of the node startup process. + + MinIO **strongly recommends** using label-based mounting rules over UUID-based rules. + Label-based rules allow swapping an unhealthy or non-working drive with a replacement that has matching format and label. + UUID-based rules require editing the ``/etc/fstab`` file to replace mappings with the new drive UUID. + + .. note:: + + Cloud environment instances which depend on mounted external storage may encounter boot failure if one or more of the remote file mounts return errors or failure. + For example, an AWS ECS instance with mounted persistent EBS volumes may not boot with the standard ``/etc/fstab`` configuration if one or more EBS volumes fail to mount. + + You can set the ``nofail`` option to silence error reporting at boot and allow the instance to boot with one or more mount issues. + + You should not use this option on systems with locally attached disks, as silencing drive errors prevents both MinIO and the OS from responding to those errors in a normal fashion. + +Disable XFS Retry On Error +++++++++++++++++++++++++++ + +MinIO **strongly recommends** disabling `retry-on-error `__ behavior using the ``max_retries`` configuration for the following error classes: + +- ``EIO`` Error when reading or writing +- ``ENOSPC`` Error no space left on device +- ``default`` All other errors + +The default ``max_retries`` setting typically directs the filesystem to retry-on-error indefinitely instead of propagating the error. 
+MinIO can handle XFS errors appropriately, such that the retry-on-error behavior introduces at most unnecessary latency or performance degradation. + + +.. tab-set:: + :class: hidden + + .. tab-item:: Kubernetes + :sync: k8s + + Defer to the documentation for your preferred CSI or StorageClass on options for configuring filesystem-level settings. + + .. tab-item:: Baremetal + :sync: baremetal + + The following script iterates through all drives at the specified mount path and sets the XFS ``max_retries`` setting to ``0`` or "fail immediately on error" for the recommended error classes. + The script ignores any drives not mounted, either manually or through ``/etc/fstab``. + Modify the ``/mnt/drive`` line to match the pattern used for your MinIO drives. + + .. code-block:: bash + :class: copyable + + #!/bin/bash + + for i in $(df -h | grep /mnt/drive | awk '{ print $1 }'); do + mountPath="$(df -h | grep $i | awk '{ print $6 }')" + deviceName="$(basename $i)" + echo "Modifying xfs max_retries and retry_timeout_seconds for drive $i mounted at $mountPath" + echo 0 > /sys/fs/xfs/$deviceName/error/metadata/EIO/max_retries + echo 0 > /sys/fs/xfs/$deviceName/error/metadata/ENOSPC/max_retries + echo 0 > /sys/fs/xfs/$deviceName/error/metadata/default/max_retries + done + exit 0 + + You must run this script on all MinIO nodes and configure the script to re-run on reboot, as Linux Operating Systems do not typically persist these changes. + You can use a ``cron`` job with the ``@reboot`` timing to run the above script whenever the node restarts and ensure all drives have retry-on-error disabled. + Use ``crontab -e`` to create the following job, modifying the script path to match that on each node: + + .. 
code-block:: shell + :class: copyable - @reboot /opt/minio/xfs-retry-settings.sh + @reboot /opt/minio/xfs-retry-settings.sh - Use Consistent Drive Type and Capacity - ++++++++++++++++++++++++++++++++++++++ +Use Consistent Drive Type and Capacity +++++++++++++++++++++++++++++++++++++++ - Ensure a consistent drive type (NVMe, SSD, HDD) for the underlying storage in a MinIO deployment. - MinIO does not distinguish between storage types and does not support configuring "hot" or "warm" drives within a single deployment. - Mixing drive types typically results in performance degradation, as the slowest drives in the deployment become a bottleneck regardless of the capabilities of the faster drives. +Ensure a consistent drive type (NVMe, SSD, HDD) for the underlying storage in a MinIO deployment. +MinIO does not distinguish between storage types and does not support configuring "hot" or "warm" drives within a single deployment. +Mixing drive types typically results in performance degradation, as the slowest drives in the deployment become a bottleneck regardless of the capabilities of the faster drives. - Use the same capacity and type of drive across all nodes in each MinIO :ref:`server pool `. - MinIO limits the maximum usable size per drive to the smallest size in the deployment. - For example, if a deployment has 15 10TB drives and 1 1TB drive, MinIO limits the per-drive capacity to 1TB. +Use the same capacity and type of drive across all nodes in each MinIO :ref:`server pool `. +MinIO limits the maximum usable size per drive to the smallest size in the deployment. +For example, if a deployment has 15 10TB drives and 1 1TB drive, MinIO limits the per-drive capacity to 1TB. Recommended Hardware Tests -------------------------- diff --git a/source/operations/checklists/software.rst b/source/operations/checklists/software.rst index 2201329ba..80020f45e 100644 --- a/source/operations/checklists/software.rst +++ b/source/operations/checklists/software.rst 
@@ -68,20 +68,7 @@ MinIO Pre-requisites MinIO Install ------------- -Install the MinIO server binary across all nodes, ensuring that each node uses the same version of that binary. - -.. cond:: linux - - See the :ref:`Multi Node Multi Drive deployment guide ` for more information. - -.. cond:: container or macos or windows - - See the :ref:`Single Node Single Drive deployment guide ` for more information. - -.. cond:: k8s - - See the :ref:`Deploy MinIO Operator ` and :ref:`Minio Tenant deployment guide ` for more information. - +Install a matching version of MinIO across all nodes in the deployment. Post Install Tasks ------------------ diff --git a/source/operations/concepts.rst b/source/operations/concepts.rst index 45f0ce7bc..6c2f1ba31 100644 --- a/source/operations/concepts.rst +++ b/source/operations/concepts.rst @@ -37,13 +37,9 @@ MinIO can deploy to three types of topologies: #. :ref:`Multi Node Multi Drive `, multiple MinIO servers with multiple mounted drives or volumes for data - .. cond:: linux + For Baremetal infrastructure, you can install and manage distributed MinIO deployments using Ansible, Terraform, or manual processes - For example, a production deployment using Ansible, Terraform, or manual processes - - .. cond:: k8s - - For example, a production deployment using Kubernetes to manage and deploy pods and their associated persistent volume claims. + For Kubernetes infrastructure, use the MinIO Operator to manage and deploy distributed MinIO Tenants. How does a distributed MinIO deployment work? --------------------------------------------- 
@@ -109,13 +105,7 @@ Expansion consists of adding one or more :ref:`server pools ` for more information - -.. cond:: k8s - - See :ref:`Expand a MinIO Tenant ` for more information. +See :ref:`Baremetal: Expand a MinIO deployment ` and :ref:`Kubernetes: Expand a MinIO Tenant ` for more information on expansion in Baremetal and Kubernetes infrastructures respectively. For deployments which have multiple server pools, you can :ref:`decommission ` the older pools and migrate that data to the newer pools in the deployment. Once started, decommissioning cannot be stopped. diff --git a/source/operations/data-recovery/recover-after-drive-failure.rst b/source/operations/data-recovery/recover-after-drive-failure.rst index 483b041e4..6578699c5 100644 --- a/source/operations/data-recovery/recover-after-drive-failure.rst +++ b/source/operations/data-recovery/recover-after-drive-failure.rst @@ -39,7 +39,7 @@ command unmounts the drive at ``/dev/sdb``: Remove the failed drive(s) from the node hardware and replace it with known healthy drive(s). Replacement drives *must* meet the following requirements: -- :ref:`XFS formatted ` and empty. +- :ref:`XFS formatted ` and empty. - Same drive type (e.g. HDD, SSD, NVMe). - Equal or greater performance. - Equal or greater capacity. diff --git a/source/operations/deploy-manage-tenants.rst b/source/operations/deploy-manage-tenants.rst deleted file mode 100644 index ed8ec7a7f..000000000 --- a/source/operations/deploy-manage-tenants.rst +++ /dev/null 
@@ -1,50 +0,0 @@
-.. _minio-installation:
-
-===============================
-Deploy and Manage MinIO Tenants
-===============================
-
-.. default-domain:: minio
-
-.. contents:: Table of Contents
- :local:
- :depth: 1
-
-The MinIO Kubernetes Operator supports deploying and managing MinIO Tenants onto your Kubernetes cluster through the Operator Console web interface.
-
-
-The following tutorials provide steps for tenant management via the Operator Console and Kustomize:
-
-.. list-table::
- :stub-columns: 1
- :widths: 40 60
- :width: 100%
-
- * - :ref:`minio-k8s-deploy-minio-tenant`
- - Deploy a new MinIO Tenant onto the Kubernetes cluster.
-
- * - :ref:`minio-k8s-modify-minio-tenant`
- - Modify the configuration or topology settings of a MinIO Tenant.
-
- * - :ref:`minio-k8s-upgrade-minio-tenant`
- - Upgrade the MinIO Server version used by a MinIO Tenant.
-
- * - :ref:`minio-k8s-expand-minio-tenant`
- - Increase the available storage capacity of an existing MinIO Tenant.
-
- * - :ref:`minio-k8s-delete-minio-tenant`
- - Delete an existing MinIO Tenant.
-
- * - :ref:`minio-site-replication-overview`
- - Configure two or more MinIO Tenants as peers for MinIO Site Replication
-
-.. toctree::
- :titlesonly:
- :hidden:
-
- /operations/install-deploy-manage/deploy-minio-tenant
- /operations/install-deploy-manage/modify-minio-tenant
- /operations/install-deploy-manage/upgrade-minio-tenant
- /operations/install-deploy-manage/expand-minio-tenant
- /operations/install-deploy-manage/delete-minio-tenant
- /operations/install-deploy-manage/multi-site-replication
diff --git a/source/operations/install-deploy-manage/decommission-server-pool.rst b/source/operations/deployments/baremetal-decommission-server-pool.rst
similarity index 100%
rename from source/operations/install-deploy-manage/decommission-server-pool.rst
rename to source/operations/deployments/baremetal-decommission-server-pool.rst
diff --git a/source/operations/deployments/baremetal-deploy-minio-as-a-container.rst b/source/operations/deployments/baremetal-deploy-minio-as-a-container.rst
new file mode 100644
index 000000000..9d4855b8d
--- /dev/null
+++ b/source/operations/deployments/baremetal-deploy-minio-as-a-container.rst
@@ -0,0 +1,191 @@
+.. _deploy-minio-container:
+
+===========================
+Deploy MinIO as a Container
+===========================
+
+.. default-domain:: minio
+
+.. contents:: Table of Contents
+ :local:
+ :depth: 1
+
+This page documents deploying MinIO as a Container onto any operating system that supports containerized processes.
+
+This documentation assumes installation of Docker, Podman, or a similar runtime which supports the standard container image format.
+MinIO images use `Red Hat Universal Base Image 9 Micro `__.
+
+Functionality and performance of the MinIO container may be constrained by the base OS.
+
+The procedure includes guidance for deploying Single-Node Multi-Drive (SNMD) and Single-Node Single-Drive (SNSD) topologies in support of early development and evaluation environments.
+
+.. important::
+
+ MinIO officially supports containerized Multi-Node Multi-Drive (MNMD) "Distributed" configurations on Kubernetes infrastructures through the MinIO Kubernetes Operator.
+
+ MinIO does not support nor provide instruction for deploying distributed clusters using Docker Swarm, Docker Compose, or any other orchestrated container environment.
+
+Considerations
+--------------
+
+Review Checklists
+~~~~~~~~~~~~~~~~~
+
+Ensure you have reviewed our published Hardware, Software, and Security checklists before attempting this procedure.
+
+Erasure Coding Parity
+~~~~~~~~~~~~~~~~~~~~~
+
+MinIO automatically determines the default :ref:`erasure coding ` configuration for the cluster based on the total number of nodes and drives in the topology.
+You can configure the per-object :term:`parity` setting when you set up the cluster *or* let MinIO select the default (``EC:4`` for production-grade clusters).
+
+Parity controls the relationship between object availability and storage on disk.
+Use the MinIO `Erasure Code Calculator `__ for guidance in selecting the appropriate erasure code parity level for your cluster.
+
+While you can change erasure parity settings at any time, objects written with a given parity do **not** automatically update to the new parity settings.
+
+Container Storage
+~~~~~~~~~~~~~~~~~
+
+This procedure assumes you mount one or more dedicated storage devices to the container to act as persistent storage for MinIO.
+
+Data stored on ephemeral container paths is lost when the container restarts or is deleted.
+Use any such paths at your own risk.
+
+Procedure
+---------
+
+1. Start the Container
+
+This procedure provides instructions for Podman and Docker in rootfull mode.
+For rootless deployments, defer to documentation by each runtime for configuration and container startup.
+
+For all other container runtimes, follow the documentation for that runtime and specify the equivalent options, parameters, or configurations.
+
+.. tab-set::
+
+ .. tab-item:: Podman
+
+ The following command creates a folder in your home directory, then starts the MinIO container using Podman:
+
+ .. code-block:: shell
+ :class: copyable
+
+ mkdir -p ~/minio/data
+
+ podman run \
+ -p 9000:9000 \
+ -p 9001:9001 \
+ --name minio \
+ -v ~/minio/data:/data \
+ -e "MINIO_ROOT_USER=ROOTNAME" \
+ -e "MINIO_ROOT_PASSWORD=CHANGEME123" \
+ quay.io/minio/minio server /data --console-address ":9001"
+
+ The command binds ports ``9000`` and ``9001`` to the MinIO S3 API and Web Console respectively.
+
+ The local drive ``~/minio/data`` is mounted to the ``/data`` folder on the container.
+ You can modify the :envvar:`MINIO_ROOT_USER` and :envvar:`MINIO_ROOT_PASSWORD` variables to change the root login as needed.
+
+ For multi-drive deployments, bind each local drive or folder it's on sequentially-numbered path on the remote.
+ You can then modify the :mc:`minio server` startup to specify those paths:
+
+ .. code-block:: shell
+ :class: copyable
+
+ mkdir -p ~/minio/data-{1..4}
+
+ podman run \
+ -p 9000:9000 \
+ -p 9001:9001 \
+ --name minio \
+ -v /mnt/drive-1:/mnt/drive-1 \
+ -v /mnt/drive-2:/mnt/drive-2 \
+ -v /mnt/drive-3:/mnt/drive-3 \
+ -v /mnt/drive-4:/mnt/drive-4 \
+ -e "MINIO_ROOT_USER=ROOTNAME" \
+ -e "MINIO_ROOT_PASSWORD=CHANGEME123" \
+ quay.io/minio/minio server http://localhost:9000/mnt/drive-{1...4} --console-address ":9001"
+
+ For Windows hosts, specify the local folder path using Windows filesystem semantics ``C:\minio\:/data``.
+
+ .. tab-item:: Docker
+
+ The following command creates a folder in your home directory, then starts the MinIO container using Docker:
+
+ .. code-block:: shell
+ :class: copyable
+
+ mkdir -p ~/minio/data
+
+ docker run \
+ -p 9000:9000 \
+ -p 9001:9001 \
+ --name minio \
+ -v ~/minio/data:/data \
+ -e "MINIO_ROOT_USER=ROOTNAME" \
+ -e "MINIO_ROOT_PASSWORD=CHANGEME123" \
+ quay.io/minio/minio server /data --console-address ":9001"
+
+ The command binds ports ``9000`` and ``9001`` to the MinIO S3 API and Web Console respectively.
+
+ The local drive ``~/minio/data`` is mounted to the ``/data`` folder on the container.
+ You can modify the :envvar:`MINIO_ROOT_USER` and :envvar:`MINIO_ROOT_PASSWORD` variables to change the root login as needed.
+
+ For multi-drive deployments, bind each local drive or folder it's on sequentially-numbered path on the remote.
+ You can then modify the :mc:`minio server` startup to specify those paths:
+
+ .. code-block:: shell
+ :class: copyable
+
+ mkdir -p ~/minio/data-{1..4}
+
+ docker run \
+ -p 9000:9000 \
+ -p 9001:9001 \
+ --name minio \
+ -v /mnt/drive-1:/mnt/drive-1 \
+ -v /mnt/drive-2:/mnt/drive-2 \
+ -v /mnt/drive-3:/mnt/drive-3 \
+ -v /mnt/drive-4:/mnt/drive-4 \
+ -e "MINIO_ROOT_USER=ROOTNAME" \
+ -e "MINIO_ROOT_PASSWORD=CHANGEME123" \
+ quay.io/minio/minio server http://localhost:9000/mnt/drive-{1...4} --console-address ":9001"
+
+ For Windows hosts, specify the local folder path using Windows filesystem semantics ``C:\minio\:/data``.
+
+2. Connect to the Deployment
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. tab-set::
+
+ .. tab-item:: Console
+
+ Open your browser to http://localhost:9000 to open the :ref:`MinIO Console ` login page.
+
+ Log in with the :guilabel:`MINIO_ROOT_USER` and :guilabel:`MINIO_ROOT_PASSWORD`
+ from the previous step.
+
+ .. image:: /images/minio-console/console-login.png
+ :width: 600px
+ :alt: MinIO Console Login Page
+ :align: center
+
+ You can use the MinIO Console for general administration tasks like Identity and Access Management, Metrics and Log Monitoring, or Server Configuration.
+ Each MinIO server includes its own embedded MinIO Console.
+
+ .. tab-item:: CLI
+
+ Follow the :ref:`installation instructions ` for ``mc`` on your local host.
+ Run ``mc --version`` to verify the installation.
+
+ Once installed, create an alias for the MinIO deployment:
+
+ .. code-block:: shell
+ :class: copyable
+
+ mc alias set myminio http://localhost:9000 USERNAME PASSWORD
+
+ Change the hostname, username, and password to reflect your deployment.
+
+
diff --git a/source/operations/deployments/baremetal-deploy-minio-on-macos.rst b/source/operations/deployments/baremetal-deploy-minio-on-macos.rst
new file mode 100644
index 000000000..41be24e54
--- /dev/null
+++ b/source/operations/deployments/baremetal-deploy-minio-on-macos.rst
@@ -0,0 +1,315 @@
+.. _deploy-minio-macos:
+
+=====================
+Deploy MinIO on MacOS
+=====================
+
+.. default-domain:: minio
+
+.. container:: extlinks-video
+
+ - `Object Storage Essentials `__
+
+ - `How to Connect to MinIO with JavaScript `__
+
+This page documents deploying MinIO onto Apple MacOS hosts.
+
+MinIO officially supports MacOS operating systems in service status, which is typically 3 years from initial release.
+At the time of writing, that includes:
+
+- macOS 14 (Sonoma) (**Recommended**)
+- macOS 13 (Ventura)
+- macOS 12 (Monterey)
+
+MinIO *may* run on older or out-of-support macOS releases, with limited support or troubleshooting from either MinIO or RedHat.
+
+MinIO supports both Intel and ARM-based macOS hardware and provides distinct binaries for each architecture.
+Ensure you download the correct binary as per the documentation for your host system.
+
+The procedure includes guidance for deploying Single-Node Multi-Drive (SNMD) and Single-Node Single-Drive (SNSD) topologies in support of early development and evaluation environments.
+
+MinIO does not officially support Multi-Node Multi-Drive (MNMD) "Distributed" configurations on MacOS hosts.
+
+Considerations
+--------------
+
+Review Checklists
+~~~~~~~~~~~~~~~~~
+
+Ensure you have reviewed our published Hardware, Software, and Security checklists before attempting this procedure.
+
+Erasure Coding Parity
+~~~~~~~~~~~~~~~~~~~~~
+
+MinIO automatically determines the default :ref:`erasure coding ` configuration for the cluster based on the total number of nodes and drives in the topology.
+You can configure the per-object :term:`parity` setting when you set up the cluster *or* let MinIO select the default (``EC:4`` for production-grade clusters).
+
+Parity controls the relationship between object availability and storage on disk.
+Use the MinIO `Erasure Code Calculator `__ for guidance in selecting the appropriate erasure code parity level for your cluster.
+
+While you can change erasure parity settings at any time, objects written with a given parity do **not** automatically update to the new parity settings.
+
+Procedure
+---------
+
+1. Download the MinIO Binary
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. tab-set::
+
+ .. tab-item:: Homebrew
+
+ Open a Terminal and run the following command to install the latest stable MinIO package using `Homebrew `_.
+
+ .. code-block:: shell
+ :class: copyable
+
+ brew install minio/stable/minio
+
+ .. important::
+
+ If you previously installed the MinIO server using ``brew install minio``, then we recommend that you reinstall from ``minio/stable/minio`` instead.
+
+ .. code-block:: shell
+ :class: copyable
+
+ brew uninstall minio
+ brew install minio/stable/minio
+
+ .. tab-item:: Binary - arm64
+
+ Open a Terminal, then use the following commands to download the latest stable MinIO binary, set it to executable, and install it to the system ``$PATH``:
+
+ .. code-block:: shell
+ :class: copyable
+
+ curl -O https://dl.min.io/server/minio/release/darwin-arm64/minio
+ chmod +x ./minio
+ sudo mv ./minio /usr/local/bin/
+
+ .. tab-item:: Binary - amd64
+
+ Open a Terminal, then use the following commands to download the latest stable MinIO binary, set it to executable, and install it to the system ``$PATH``:
+
+ .. code-block:: shell
+ :class: copyable
+
+ curl -O https://dl.min.io/server/minio/release/darwin-amd64/minio
+ chmod +x ./minio
+ sudo mv ./minio /usr/local/bin/
+
+2. Enable TLS Connectivity
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+You can skip this step to deploy without TLS enabled.
+MinIO strongly recommends *against* non-TLS deployments outside of early development.
+
+Create or provide :ref:`Transport Layer Security (TLS) ` certificates to MinIO to automatically enable HTTPS-secured connections between the server and clients.
+
+MinIO expects the default certificate names of ``private.key`` and ``public.crt`` for the private and public keys respectively.
+Place the certificates in a dedicated directory:
+
+.. code-block:: shell
+ :class: copyable
+
+ mkdir -P /opt/minio/certs
+
+ cp private.key /opt/minio/certs
+ cp public.crt /opt/minio/certs
+
+
+MinIO verifies client certificates against the OS/System's default list of trusted Certificate Authorities.
+To enable verification of third-party or internally-signed certificates, place the CA file in the ``/opt/minio/certs/CAs`` folder.
+The CA file should include the full chain of trust from leaf to root to ensure successful verification.
+
+For more specific guidance on configuring MinIO for TLS, including multi-domain support via Server Name Indication (SNI), see :ref:`minio-tls`.
+
+.. dropdown:: Certificates for Early Development
+
+ For local testing or development environments, you can use the MinIO :minio-git:`certgen ` to mint self-signed certificates.
+ For example, the following command generates a self-signed certificate with a set of IP and DNS Subject Alternate Names (SANs) associated to the MinIO Server hosts:
+
+ .. code-block:: shell
+
+ certgen -host "localhost,minio-*.example.net"
+
+ Place the generated ``public.crt`` and ``private.key`` into the ``/path/to/certs`` directory to enable TLS for the MinIO deployment.
+ Applications can use the ``public.crt`` as a trusted Certificate Authority to allow connections to the MinIO deployment without disabling certificate validation.
+
+3. Create the MinIO Environment File
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Create an environment file at ``/etc/default/minio``.
+The MinIO service uses this file as the source of all :ref:`environment variables ` used by MinIO *and* the ``minio.service`` file.
+
+Modify the example to reflect your deployment topology.
+
+.. tab-set::
+
+ .. tab-item:: Single-Node Multi-Drive
+
+ Use Single-Node Multi-Drive deployments in development and evaluation environments.
+ You can also use them for smaller storage workloads which can tolerate data loss or unavailability due to node downtime.
+
+ .. code-block:: shell
+ :class: copyable
+
+ # Set the volumes MinIO uses at startup
+ # The command uses MinIO expansion notation {x...y} to denote a
+ # sequential series.
+ #
+ # The following specifies a single host with 4 drives at the specified location
+ #
+ # The command includes the port that the MinIO server listens on
+ # (default 9000).
+ # If you run without TLS, change https -> http
+
+ MINIO_VOLUMES="https://minio1.example.net:9000/mnt/drive{1...4}/minio"
+
+ # Set all MinIO server command-line options
+ #
+ # The following explicitly sets the MinIO Console listen address to
+ # port 9001 on all network interfaces.
+ # The default behavior is dynamic port selection.
+
+ MINIO_OPTS="--console-address :9001 --certs-dir /opt/minio/certs"
+
+ # Set the root username.
+ # This user has unrestricted permissions to perform S3 and
+ # administrative API operations on any resource in the deployment.
+ #
+ # Defer to your organizations requirements for superadmin user name.
+
+ MINIO_ROOT_USER=minioadmin
+
+ # Set the root password
+ #
+ # Use a long, random, unique string that meets your organizations
+ # requirements for passwords.
+
+ MINIO_ROOT_PASSWORD=minio-secret-key-CHANGE-ME
+
+ .. tab-item:: Single-Node Single-Drive
+
+ Use Single-Node Single-Drive ("Standalone") deployments in early development and evaluation environments.
+ MinIO does not recommend Standalone deployments in production, as the loss of the node or its storage medium results in data loss.
+
+ .. code-block:: shell
+ :class: copyable
+
+ # Set the volume MinIO uses at startup
+ #
+ # The following specifies the drive or folder path
+
+ MINIO_VOLUMES="/mnt/drive1/minio"
+
+ # Set all MinIO server command-line options
+ #
+ # The following explicitly sets the MinIO Console listen address to
+ # port 9001 on all network interfaces.
+ # The default behavior is dynamic port selection.
+
+ MINIO_OPTS="--console-address :9001 --certs-dir /opt/minio/certs"
+
+ # Set the root username.
+ # This user has unrestricted permissions to perform S3 and
+ # administrative API operations on any resource in the deployment.
+ #
+ # Defer to your organizations requirements for superadmin user name.
+
+ MINIO_ROOT_USER=minioadmin
+
+ # Set the root password
+ #
+ # Use a long, random, unique string that meets your organizations
+ # requirements for passwords.
+
+ MINIO_ROOT_PASSWORD=minio-secret-key-CHANGE-ME
+
+Specify any other :ref:`environment variables ` or server command-line options as required by your deployment.
+
+4. Start the MinIO Server
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The following command starts the MinIO Server attached to the current terminal/shell window:
+
+.. code-block:: shell
+ :class: copyable
+
+ export MINIO_CONFIG_ENV_FILE=/etc/default/minio
+ minio server --console-address :9001
+
+The command output resembles the following:
+
+.. code-block:: shell
+
+.. code-block:: shell
+
+ MinIO Object Storage Server
+ Copyright: 2015-2024 MinIO, Inc.
+ License: GNU AGPLv3 - https://www.gnu.org/licenses/agpl-3.0.html
+ Version: RELEASE.2024-06-07T16-42-07Z (go1.22.4 linux/amd64)
+
+ API: https://minio-1.example.net:9000 https://203.0.113.10:9000 https://127.0.0.1:9000
+ RootUser: minioadmin
+ RootPass: minioadmin
+
+ WebUI: https://minio-1.example.net:9001 https://203.0.113.10:9001 https://127.0.0.1:9001
+ RootUser: minioadmin
+ RootPass: minioadmin
+
+ CLI: https://min.io/docs/minio/linux/reference/minio-mc.html#quickstart
+ $ mc alias set 'myminio' 'https://minio-1.example.net:9000' 'minioadmin' 'minioadmin'
+
+ Docs: https://min.io/docs/minio/linux/index.html
+ Status: 1 Online, 0 Offline.
+
+The ``API`` block lists the network interfaces and port on which clients can access the MinIO S3 API.
+The ``Console`` block lists the network interfaces and port on which clients can access the MinIO Web Console.
+
+To run the MinIO server process in the background or as a daemon, defer to your MacOS OS documentation for best practices and procedures.
+
+5. Connect to the Deployment
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. tab-set::
+
+ .. tab-item:: Console
+
+ Open your browser and access any of the MinIO hostnames at port ``:9001`` to open the :ref:`MinIO Console ` login page.
+ For example, ``https://minio1.example.com:9001``.
+
+ Log in with the :guilabel:`MINIO_ROOT_USER` and :guilabel:`MINIO_ROOT_PASSWORD`
+ from the previous step.
+
+ .. image:: /images/minio-console/console-login.png
+ :width: 600px
+ :alt: MinIO Console Login Page
+ :align: center
+
+ You can use the MinIO Console for general administration tasks like Identity and Access Management, Metrics and Log Monitoring, or Server Configuration.
+ Each MinIO server includes its own embedded MinIO Console.
+
+ .. tab-item:: CLI
+
+ Follow the :ref:`installation instructions ` for ``mc`` on your local host.
+ Run ``mc --version`` to verify the installation.
+
+ If your MinIO deployment uses third-party or self-signed TLS certificates, copy the :abbr:`CA (Certificate Authority)` files to ``~/.mc/certs/CAs`` to allow ``mc``
+
+
+ Once installed, create an alias for the MinIO deployment:
+
+ .. code-block:: shell
+ :class: copyable
+
+ mc alias set myminio https://minio-1.example.net:9000 USERNAME PASSWORD
+
+ Change the hostname, username, and password to reflect your deployment.
+ The hostname can be any MinIO node in the deployment.
+ You can also specify the hostname load balancer, reverse proxy, or similar network control plane that handles connections to the deployment.
+
+6. Next Steps
+~~~~~~~~~~~~~
+
+TODO
\ No newline at end of file
diff --git a/source/operations/deployments/baremetal-deploy-minio-on-redhat-linux.rst b/source/operations/deployments/baremetal-deploy-minio-on-redhat-linux.rst
new file mode 100644
index 000000000..51c98ca8d
--- /dev/null
+++ b/source/operations/deployments/baremetal-deploy-minio-on-redhat-linux.rst
@@ -0,0 +1,438 @@
+.. _deploy-minio-rhel:
+
+============================
+Deploy MinIO on RedHat Linux
+============================
+
+.. default-domain:: minio
+
+.. contents:: Table of Contents
+ :local:
+ :depth: 1
+
+This page documents deploying MinIO on RedHat Linux operating systems, including distributions that are binary-compatible with RHEL.
+This page makes no distinction or special remarks between RHEL and those distributions, and guidance given for RHEL can typically be applied to those distributions.
+
+MinIO strongly recommends that production deployments use RHEL versions in the **Full Support** or **Maintenance Support** phases of the Red Hat life cycle.
+At the time of writing, that includes:
+
+- RHEL 9.5+ (**Recommended**)
+- RHEL 8.10+
+
+Your organization should have the necessary service contracts with Red Hat to ensure end-to-end supportability of your deployments.
+
+MinIO *may* run on versions of RHEL no longer supported by Red Hat Linux, with limited support or troubleshooting from either MinIO or RedHat.
+
+The procedure focuses on production-grade Multi-Node Multi-Drive (MNMD) "Distributed" configurations.
+|MNMD| deployments provide enterprise-grade performance, availability, and scalability and are the recommended topology for all production workloads.
+
+The procedure includes guidance for deploying Single-Node Multi-Drive (SNMD) and Single-Node Single-Drive (SNSD) topologies in support of early development and evaluation environments.
+
+Considerations
+--------------
+
+Review Checklists
+~~~~~~~~~~~~~~~~~
+
+Ensure you have reviewed our published Hardware, Software, and Security checklists before attempting this procedure.
+
+
+Erasure Coding Parity
+~~~~~~~~~~~~~~~~~~~~~
+
+MinIO automatically determines the default :ref:`erasure coding ` configuration for the cluster based on the total number of nodes and drives in the topology.
+You can configure the per-object :term:`parity` setting when you set up the cluster *or* let MinIO select the default (``EC:4`` for production-grade clusters).
+
+Parity controls the relationship between object availability and storage on disk.
+Use the MinIO `Erasure Code Calculator `__ for guidance in selecting the appropriate erasure code parity level for your cluster.
+
+While you can change erasure parity settings at any time, objects written with a given parity do **not** automatically update to the new parity settings.
+
+Capacity-Based Planning
+~~~~~~~~~~~~~~~~~~~~~~~
+
+MinIO recommends planning storage capacity sufficient to store **at least** 2 years of data before reaching 70% usage.
+Performing :ref:`server pool expansion ` more frequently or on a "just-in-time" basis generally indicates an architecture or planning issue.
+
+For example, consider an application suite expected to produce at least 100 TiB of data per year and a 3 year target before expansion.
+By ensuring the deployment has ~500TiB of usable storage up front, the cluster can safely meet the 70% threshold with additional buffer for growth in data storage output per year.
+
+Consider using the MinIO `Erasure Code Calculator `__ for guidance in planning capacity around specific erasure code settings.
+
+Procedure
+---------
+
+1. Download the MinIO RPM
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+MinIO provides builds for the following architectures:
+
+- AMD64
+- ARM64
+- PowerPC 64 LE
+- S390X
+
+Use the following commands to download the latest stable MinIO RPM for your host architecture and install it.
+
+.. tab-set::
+
+ .. tab-item:: AMD64
+
+ .. code-block:: shell
+ :class: copyable
+ :substitutions:
+
+ wget |minio-rpm| -O minio.rpm
+ sudo dnf install minio.rpm
+
+ .. tab-item:: ARM64
+
+ .. code-block:: shell
+ :class: copyable
+ :substitutions:
+
+ wget |minio-rpm-arm64| -O minio.rpm
+ sudo dnf install minio.rpm
+
+ .. tab-item:: PPC64LE
+
+ ..
code-block:: shell
+ :class: copyable
+ :substitutions:
+
+ wget |minio-rpm-ppc64le| -O minio.rpm
+ sudo dnf install minio.rpm
+
+
+
+2. Review the ``systemd`` Service File
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``.rpm`` package install the following `systemd `__ service file to ``/usr/lib/systemd/system/minio.service``:
+
+.. code-block:: shell
+ :class: copyable
+
+ [Unit]
+ Description=MinIO
+ Documentation=https://min.io/docs/minio/linux/index.html
+ Wants=network-online.target
+ After=network-online.target
+ AssertFileIsExecutable=/usr/local/bin/minio
+
+ [Service]
+ WorkingDirectory=/usr/local
+
+ User=minio-user
+ Group=minio-user
+ ProtectProc=invisible
+
+ EnvironmentFile=-/etc/default/minio
+ ExecStartPre=/bin/bash -c "if [ -z \"${MINIO_VOLUMES}\" ]; then echo \"Variable MINIO_VOLUMES not set in /etc/default/minio\"; exit 1; fi"
+ ExecStart=/usr/local/bin/minio server $MINIO_OPTS $MINIO_VOLUMES
+
+ # MinIO RELEASE.2023-05-04T21-44-30Z adds support for Type=notify (https://www.freedesktop.org/software/systemd/man/systemd.service.html#Type=)
+ # This may improve systemctl setups where other services use `After=minio.server`
+ # Uncomment the line to enable the functionality
+ # Type=notify
+
+ # Let systemd restart this service always
+ Restart=always
+
+ # Specifies the maximum file descriptor number that can be opened by this process
+ LimitNOFILE=65536
+
+ # Specifies the maximum number of threads this process can create
+ TasksMax=infinity
+
+ # Disable timeout logic and wait until process is stopped
+ TimeoutStopSec=infinity
+ SendSIGKILL=no
+
+ [Install]
+ WantedBy=multi-user.target
+
+ # Built for ${project.name}-${project.version} (${project.name})
+
+3. Create a User and Group for MinIO
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``minio.service`` file runs as the ``minio-user`` User and Group by default.
+You can create the user and group using the ``groupadd`` and ``useradd`` commands.
+The following example creates the user, group, and sets permissions to access the folder paths intended for use by MinIO.
+These commands typically require root (``sudo``) permissions.
+
+.. code-block:: shell
+ :class: copyable
+
+ groupadd -r minio-user
+ useradd -M -r -g minio-user minio-user
+
+The command above creates the user **without** a home directory, as is typical for system service accounts.
+
+You **must** ``chown`` the drive paths you intend to use with MinIO.
+If the ``minio-user`` user or group cannot read, write, or list contents of any drive, the MinIO process returns errors on startup.
+
+For example, the following command sets ``minio-user:minio-user`` as the user-group owner of all drives at ``/mnt/drives-n`` where ``n`` is between 1 and 16 inclusive:
+
+.. code-block:: shell
+ :class: copyable
+
+ chown -R minio-user:minio-user /mnt/drives-{1...16}
+
+4. Enable TLS Connectivity
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Create or provide :ref:`Transport Layer Security (TLS) ` certificates to MinIO to automatically enable HTTPS-secured connections between the server and clients.
+
+Place the certificates in a directory accessible by the ``minio-user`` user/group:
+
+.. code-block:: shell
+ :class: copyable
+
+ mkdir -P /opt/minio/certs
+ chown -R minio-user:minio-user /opt/minio/certs
+
+ cp private.key /opt/minio/certs
+ cp public.crt /opt/minio/certs
+
+For local testing or development environments, you can use the MinIO :minio-git:`certgen ` to mint self-signed certificates.
+For example, the following command generates a self-signed certificate with a set of IP and DNS Subject Alternate Names (SANs) associated to the MinIO Server hosts:
+
+.. code-block:: shell
+
+ certgen -host "localhost,minio-*.example.net"
+
+Place the generated ``public.crt`` and ``private.key`` into the ``/path/to/certs`` directory to enable TLS for the MinIO deployment.
+Applications can use the ``public.crt`` as a trusted Certificate Authority to allow connections to the MinIO deployment without disabling certificate validation.
+
+When MinIO runs with TLS enabled, it also verifies connecting client certificates against the OS list of trusted Certificate Authorities.
+To enable verification of third-party or internally-signed certificates, place the CA file in the ``/opt/minio/certs/CAs`` folder.
+The CA file should include the full chain of trust from leaf to root to ensure successful verification.
+
+For more specific guidance on configuring MinIO for TLS, including multi-domain support via Server Name Indication (SNI), see :ref:`minio-tls`.
+You can optionally skip this step to deploy without TLS enabled. MinIO strongly recommends *against* non-TLS deployments outside of early development.
+
+5. Create the MinIO Environment File
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Create an environment file at ``/etc/default/minio``.
+The MinIO service uses this file as the source of all :ref:`environment variables ` used by MinIO *and* the ``minio.service`` file.
+
+Modify the example to reflect your deployment topology.
+
+.. tab-set::
+
+ .. tab-item:: Multi-Node Multi-Drive
+
+ Use Multi-Node Multi-Drive ("Distributed") deployment topologies in production environments.
+
+ .. code-block:: shell
+ :class: copyable
+
+ # Set the hosts and volumes MinIO uses at startup
+ # The command uses MinIO expansion notation {x...y} to denote a
+ # sequential series.
+ #
+ # The following example covers four MinIO hosts
+ # with 4 drives each at the specified hostname and drive locations.
+ #
+ # The command includes the port that each MinIO server listens on
+ # (default 9000).
+ # If you run without TLS, change https -> http
+
+ MINIO_VOLUMES="https://minio{1...4}.example.net:9000/mnt/disk{1...4}/minio"
+
+ # Set all MinIO server command-line options
+ #
+ # The following explicitly sets the MinIO Console listen address to
+ # port 9001 on all network interfaces.
+ # The default behavior is dynamic port selection.
+
+ MINIO_OPTS="--console-address :9001 --certs-dir /opt/minio/certs"
+
+ # Set the root username.
+ # This user has unrestricted permissions to perform S3 and
+ # administrative API operations on any resource in the deployment.
+ #
+ # Defer to your organizations requirements for superadmin user name.
+
+ MINIO_ROOT_USER=minioadmin
+
+ # Set the root password
+ #
+ # Use a long, random, unique string that meets your organizations
+ # requirements for passwords.
+
+ MINIO_ROOT_PASSWORD=minio-secret-key-CHANGE-ME
+
+ .. tab-item:: Single-Node Multi-Drive
+
+ Use Single-Node Multi-Drive deployments in development and evaluation environments.
+ You can also use them for smaller storage workloads which can tolerate data loss or unavailability due to node downtime.
+
+ .. code-block:: shell
+ :class: copyable
+
+ # Set the volumes MinIO uses at startup
+ # The command uses MinIO expansion notation {x...y} to denote a
+ # sequential series.
+ #
+ # The following specifies a single host with 4 drives at the specified location
+ #
+ # The command includes the port that the MinIO server listens on
+ # (default 9000).
+ # If you run without TLS, change https -> http
+
+ MINIO_VOLUMES="https://minio1.example.net:9000/mnt/drive{1...4}/minio"
+
+ # Set all MinIO server command-line options
+ #
+ # The following explicitly sets the MinIO Console listen address to
+ # port 9001 on all network interfaces.
+ # The default behavior is dynamic port selection.
+
+ MINIO_OPTS="--console-address :9001 --certs-dir /opt/minio/certs"
+
+ # Set the root username.
+ # This user has unrestricted permissions to perform S3 and
+ # administrative API operations on any resource in the deployment.
+ #
+ # Defer to your organizations requirements for superadmin user name.
+
+ MINIO_ROOT_USER=minioadmin
+
+ # Set the root password
+ #
+ # Use a long, random, unique string that meets your organizations
+ # requirements for passwords.
+
+ MINIO_ROOT_PASSWORD=minio-secret-key-CHANGE-ME
+
+ .. tab-item:: Single-Node Single-Drive
+
+ Use Single-Node Single-Drive ("Standalone") deployments in early development and evaluation environments.
+ MinIO does not recommend Standalone deployments in production, as the loss of the node or its storage medium results in data loss.
+
+ .. code-block:: shell
+ :class: copyable
+
+ # Set the volume MinIO uses at startup
+ #
+ # The following specifies the drive or folder path
+
+ MINIO_VOLUMES="/mnt/drive1/minio"
+
+ # Set all MinIO server command-line options
+ #
+ # The following explicitly sets the MinIO Console listen address to
+ # port 9001 on all network interfaces.
+ # The default behavior is dynamic port selection.
+
+ MINIO_OPTS="--console-address :9001 --certs-dir /opt/minio/certs"
+
+ # Set the root username.
+ # This user has unrestricted permissions to perform S3 and
+ # administrative API operations on any resource in the deployment.
+ #
+ # Defer to your organizations requirements for superadmin user name.
+
+ MINIO_ROOT_USER=minioadmin
+
+ # Set the root password
+ #
+ # Use a long, random, unique string that meets your organizations
+ # requirements for passwords.
+
+ MINIO_ROOT_PASSWORD=minio-secret-key-CHANGE-ME
+
+Specify any other :ref:`environment variables ` or server command-line options as required by your deployment.
+
+For distributed deployments, all nodes **must** have matching ``/etc/default/minio`` environment files.
+Use a utility such as ``shasum -a 256 /etc/default/minio`` on each node to verify an exact match across all nodes.
+
+6.
Start the MinIO Deployment
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Use ``systemctl start minio`` to start each node in the deployment.
+
+You can track the status of the startup using ``journalctl -u minio`` on each node.
+
+On successful startup, the MinIO process emits a summary of the deployment that resembles the following output:
+
+.. code-block:: shell
+
+ MinIO Object Storage Server
+ Copyright: 2015-2024 MinIO, Inc.
+ License: GNU AGPLv3 - https://www.gnu.org/licenses/agpl-3.0.html
+ Version: RELEASE.2024-06-07T16-42-07Z (go1.22.4 linux/amd64)
+
+ API: https://minio-1.example.net:9000 https://203.0.113.10:9000 https://127.0.0.1:9000
+ RootUser: minioadmin
+ RootPass: minioadmin
+
+ WebUI: https://minio-1.example.net:9001 https://203.0.113.10:9001 https://127.0.0.1:9001
+ RootUser: minioadmin
+ RootPass: minioadmin
+
+ CLI: https://min.io/docs/minio/linux/reference/minio-mc.html#quickstart
+ $ mc alias set 'myminio' 'https://minio-1.example.net:9000' 'minioadmin' 'minioadmin'
+
+ Docs: https://min.io/docs/minio/linux/index.html
+ Status: 16 Online, 0 Offline.
+
+You may see increased log churn as the cluster starts up and synchronizes.
+
+Common reasons for startup failure include:
+
+- The MinIO process does not have read-write-list access to the specified drives
+- The drives are not empty or contain non-MinIO data
+- The drives are not formatted or mounted properly
+- One or more hosts are not reachable over the network
+
+Following our checklists typically mitigates the risk of encountering those or similar issues.
+
+7. Connect to the Deployment
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. tab-set::
+
+ .. tab-item:: Console
+
+ Open your browser and access any of the MinIO hostnames at port ``:9001`` to open the :ref:`MinIO Console ` login page.
+ For example, ``https://minio1.example.com:9001``.
+
+ Log in with the :guilabel:`MINIO_ROOT_USER` and :guilabel:`MINIO_ROOT_PASSWORD`
+ from the previous step.
+
+ ..
image:: /images/minio-console/console-login.png
+ :width: 600px
+ :alt: MinIO Console Login Page
+ :align: center
+
+ You can use the MinIO Console for general administration tasks like Identity and Access Management, Metrics and Log Monitoring, or Server Configuration.
+ Each MinIO server includes its own embedded MinIO Console.
+
+ .. tab-item:: CLI
+
+ Follow the :ref:`installation instructions ` for ``mc`` on your local host.
+ Run ``mc --version`` to verify the installation.
+
+ If your MinIO deployment uses third-party or self-signed TLS certificates, copy the :abbr:`CA (Certificate Authority)` files to ``~/.mc/certs/CAs`` to allow ``mc``
+
+
+ Once installed, create an alias for the MinIO deployment:
+
+ .. code-block:: shell
+ :class: copyable
+
+ mc alias set myminio https://minio-1.example.net:9000 USERNAME PASSWORD
+
+ Change the hostname, username, and password to reflect your deployment.
+ The hostname can be any MinIO node in the deployment.
+ You can also specify the hostname load balancer, reverse proxy, or similar network control plane that handles connections to the deployment.
+
+8. Next Steps
+~~~~~~~~~~~~~
+
+TODO
\ No newline at end of file
diff --git a/source/operations/deployments/baremetal-deploy-minio-on-ubuntu-linux.rst b/source/operations/deployments/baremetal-deploy-minio-on-ubuntu-linux.rst
new file mode 100644
index 000000000..da65e8fea
--- /dev/null
+++ b/source/operations/deployments/baremetal-deploy-minio-on-ubuntu-linux.rst
@@ -0,0 +1,421 @@
+.. _deploy-minio-ubuntu:
+
+============================
+Deploy MinIO on Ubuntu Linux
+============================
+
+.. default-domain:: minio
+
+.. contents:: Table of Contents
+ :local:
+ :depth: 1
+
+.. container:: extlinks-video
+
+ - `Object Storage Essentials `__
+
+ - `How to Connect to MinIO with JavaScript `__
+
+This page documents deploying MinIO on Ubuntu Linux operating systems.
+
+MinIO officially supports Ubuntu Long Term Support (LTS) releases in the **Standard** or **Ubuntu Pro** support phases of the Ubuntu life cycle.
+MinIO strongly recommends only those releases that include the Linux 5.X kernel and above for best performance.
+At the time of writing, that includes:
+
+- Ubuntu 24.04+ LTS (Noble Numbat) (**Recommended**)
+- Ubuntu 22.04+ LTS (Jammy Jellyfish)
+- Ubuntu 20.04+ LTS (Focal Fossa)
+- Ubuntu 18.04.5 LTS (Bionic Beaver) (**Ubuntu Pro Only**)
+
+The above list assumes your organization has the necessary service contracts with Ubuntu to ensure end-to-end supportability throughout the release's lifespan.
+
+MinIO *may* run on versions of Ubuntu that use older kernels, are out of support, or are in legacy support phases, with limited support or troubleshooting from either MinIO or RedHat.
+
+The procedure focuses on production-grade Multi-Node Multi-Drive (MNMD) "Distributed" configurations.
+|MNMD| deployments provide enterprise-grade performance, availability, and scalability and are the recommended topology for all production workloads.
+
+The procedure includes guidance for deploying Single-Node Multi-Drive (SNMD) and Single-Node Single-Drive (SNSD) topologies in support of early development and evaluation environments.
+
+Considerations
+--------------
+
+Review Checklists
+~~~~~~~~~~~~~~~~~
+
+Ensure you have reviewed our published Hardware, Software, and Security checklists before attempting this procedure.
+
+
+Erasure Coding Parity
+~~~~~~~~~~~~~~~~~~~~~
+
+MinIO automatically determines the default :ref:`erasure coding ` configuration for the cluster based on the total number of nodes and drives in the topology.
+You can configure the per-object :term:`parity` setting when you set up the cluster *or* let MinIO select the default (``EC:4`` for production-grade clusters).
+
+Parity controls the relationship between object availability and storage on disk.
+Use the MinIO `Erasure Code Calculator `__ for guidance in selecting the appropriate erasure code parity level for your cluster.
+
+While you can change erasure parity settings at any time, objects written with a given parity do **not** automatically update to the new parity settings.
+
+Capacity-Based Planning
+~~~~~~~~~~~~~~~~~~~~~~~
+
+MinIO recommends planning storage capacity sufficient to store **at least** 2 years of data before reaching 70% usage.
+Performing :ref:`server pool expansion ` more frequently or on a "just-in-time" basis generally indicates an architecture or planning issue.
+
+For example, consider an application suite expected to produce at least 100 TiB of data per year and a 3 year target before expansion.
+By ensuring the deployment has ~500TiB of usable storage up front, the cluster can safely meet the 70% threshold with additional buffer for growth in data storage output per year.
+
+Consider using the MinIO `Erasure Code Calculator `__ for guidance in planning capacity around specific erasure code settings.
+
+Procedure
+---------
+
+1. Download the MinIO RPM
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Use the following commands to download the latest stable MinIO DEB and install it.
+
+.. code-block:: shell
+ :class: copyable
+ :substitutions:
+
+ wget |minio-deb| -O minio.deb
+ sudo dpkg -i minio.deb
+
+2. Review the ``systemd`` Service File
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``.deb`` package install the following `systemd `__ service file to ``/usr/lib/systemd/system/minio.service``:
+
+.. code-block:: shell
+ :class: copyable
+
+ [Unit]
+ Description=MinIO
+ Documentation=https://min.io/docs/minio/linux/index.html
+ Wants=network-online.target
+ After=network-online.target
+ AssertFileIsExecutable=/usr/local/bin/minio
+
+ [Service]
+ WorkingDirectory=/usr/local
+
+ User=minio-user
+ Group=minio-user
+ ProtectProc=invisible
+
+ EnvironmentFile=-/etc/default/minio
+ ExecStartPre=/bin/bash -c "if [ -z \"${MINIO_VOLUMES}\" ]; then echo \"Variable MINIO_VOLUMES not set in /etc/default/minio\"; exit 1; fi"
+ ExecStart=/usr/local/bin/minio server $MINIO_OPTS $MINIO_VOLUMES
+
+ # MinIO RELEASE.2023-05-04T21-44-30Z adds support for Type=notify (https://www.freedesktop.org/software/systemd/man/systemd.service.html#Type=)
+ # This may improve systemctl setups where other services use `After=minio.server`
+ # Uncomment the line to enable the functionality
+ # Type=notify
+
+ # Let systemd restart this service always
+ Restart=always
+
+ # Specifies the maximum file descriptor number that can be opened by this process
+ LimitNOFILE=65536
+
+ # Specifies the maximum number of threads this process can create
+ TasksMax=infinity
+
+ # Disable timeout logic and wait until process is stopped
+ TimeoutStopSec=infinity
+ SendSIGKILL=no
+
+ [Install]
+ WantedBy=multi-user.target
+
+ # Built for ${project.name}-${project.version} (${project.name})
+
+3. Create a User and Group for MinIO
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``minio.service`` file runs as the ``minio-user`` User and Group by default.
+You can create the user and group using the ``groupadd`` and ``useradd`` commands.
+The following example creates the user, group, and sets permissions to access the folder paths intended for use by MinIO.
+These commands typically require root (``sudo``) permissions.
+
+.. code-block:: shell
+ :class: copyable
+
+ groupadd -r minio-user
+ useradd -M -r -g minio-user minio-user
+
+The command above creates the user **without** a home directory, as is typical for system service accounts.
+
+You **must** ``chown`` the drive paths you intend to use with MinIO.
+If the ``minio-user`` user or group cannot read, write, or list contents of any drive, the MinIO process returns errors on startup.
+
+For example, the following command sets ``minio-user:minio-user`` as the user-group owner of all drives at ``/mnt/drives-n`` where ``n`` is between 1 and 16 inclusive:
+
+.. code-block:: shell
+ :class: copyable
+
+ chown -R minio-user:minio-user /mnt/drives-{1...16}
+
+4. Enable TLS Connectivity
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+You can skip this step to deploy without TLS enabled.
+MinIO strongly recommends *against* non-TLS deployments outside of early development.
+
+Create or provide :ref:`Transport Layer Security (TLS) ` certificates to MinIO to automatically enable HTTPS-secured connections between the server and clients.
+
+MinIO expects the default certificate names of ``private.key`` and ``public.crt`` for the private and public keys respectively.
+Place the certificates in a directory accessible by the ``minio-user`` user/group:
+
+.. code-block:: shell
+ :class: copyable
+
+ mkdir -P /opt/minio/certs
+ chown -R minio-user:minio-user /opt/minio/certs
+
+ cp private.key /opt/minio/certs
+ cp public.crt /opt/minio/certs
+
+
+MinIO verifies client certificates against the OS/System's default list of trusted Certificate Authorities.
+To enable verification of third-party or internally-signed certificates, place the CA file in the ``/opt/minio/certs/CAs`` folder.
+The CA file should include the full chain of trust from leaf to root to ensure successful verification.
+
+For more specific guidance on configuring MinIO for TLS, including multi-domain support via Server Name Indication (SNI), see :ref:`minio-tls`.
+
+.. dropdown:: Certificates for Early Development
+
+ For local testing or development environments, you can use the MinIO :minio-git:`certgen ` to mint self-signed certificates.
+ For example, the following command generates a self-signed certificate with a set of IP and DNS Subject Alternate Names (SANs) associated to the MinIO Server hosts:
+
+ .. code-block:: shell
+
+ certgen -host "localhost,minio-*.example.net"
+
+ Place the generated ``public.crt`` and ``private.key`` into the ``/path/to/certs`` directory to enable TLS for the MinIO deployment.
+ Applications can use the ``public.crt`` as a trusted Certificate Authority to allow connections to the MinIO deployment without disabling certificate validation.
+
+5. Create the MinIO Environment File
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Create an environment file at ``/etc/default/minio``.
+The MinIO service uses this file as the source of all :ref:`environment variables ` used by MinIO *and* the ``minio.service`` file.
+
+Modify the example to reflect your deployment topology.
+
+.. tab-set::
+
+ .. tab-item:: Multi-Node Multi-Drive
+
+ Use Multi-Node Multi-Drive ("Distributed") deployment topologies in production environments.
+
+ .. code-block:: shell
+ :class: copyable
+
+ # Set the hosts and volumes MinIO uses at startup
+ # The command uses MinIO expansion notation {x...y} to denote a
+ # sequential series.
+ #
+ # The following example covers four MinIO hosts
+ # with 4 drives each at the specified hostname and drive locations.
+ #
+ # The command includes the port that each MinIO server listens on
+ # (default 9000).
+ # If you run without TLS, change https -> http
+
+ MINIO_VOLUMES="https://minio{1...4}.example.net:9000/mnt/disk{1...4}/minio"
+
+ # Set all MinIO server command-line options
+ #
+ # The following explicitly sets the MinIO Console listen address to
+ # port 9001 on all network interfaces.
+ # The default behavior is dynamic port selection.
+
+ MINIO_OPTS="--console-address :9001 --certs-dir /opt/minio/certs"
+
+ # Set the root username.
+ # This user has unrestricted permissions to perform S3 and
+ # administrative API operations on any resource in the deployment.
+ #
+ # Defer to your organizations requirements for superadmin user name.
+
+ MINIO_ROOT_USER=minioadmin
+
+ # Set the root password
+ #
+ # Use a long, random, unique string that meets your organizations
+ # requirements for passwords.
+
+ MINIO_ROOT_PASSWORD=minio-secret-key-CHANGE-ME
+
+ .. tab-item:: Single-Node Multi-Drive
+
+ Use Single-Node Multi-Drive deployments in development and evaluation environments.
+ You can also use them for smaller storage workloads which can tolerate data loss or unavailability due to node downtime.
+
+ .. code-block:: shell
+ :class: copyable
+
+ # Set the volumes MinIO uses at startup
+ # The command uses MinIO expansion notation {x...y} to denote a
+ # sequential series.
+ #
+ # The following specifies a single host with 4 drives at the specified location
+ #
+ # The command includes the port that the MinIO server listens on
+ # (default 9000).
+ # If you run without TLS, change https -> http
+
+ MINIO_VOLUMES="https://minio1.example.net:9000/mnt/drive{1...4}/minio"
+
+ # Set all MinIO server command-line options
+ #
+ # The following explicitly sets the MinIO Console listen address to
+ # port 9001 on all network interfaces.
+ # The default behavior is dynamic port selection.
+
+ MINIO_OPTS="--console-address :9001 --certs-dir /opt/minio/certs"
+
+ # Set the root username.
+ # This user has unrestricted permissions to perform S3 and
+ # administrative API operations on any resource in the deployment.
+ #
+ # Defer to your organizations requirements for superadmin user name.
+
+ MINIO_ROOT_USER=minioadmin
+
+ # Set the root password
+ #
+ # Use a long, random, unique string that meets your organizations
+ # requirements for passwords.
+
+ MINIO_ROOT_PASSWORD=minio-secret-key-CHANGE-ME
+
+ .. tab-item:: Single-Node Single-Drive
+
+ Use Single-Node Single-Drive ("Standalone") deployments in early development and evaluation environments.
+ MinIO does not recommend Standalone deployments in production, as the loss of the node or its storage medium results in data loss.
+
+ .. code-block:: shell
+ :class: copyable
+
+ # Set the volume MinIO uses at startup
+ #
+ # The following specifies the drive or folder path
+
+ MINIO_VOLUMES="/mnt/drive1/minio"
+
+ # Set all MinIO server command-line options
+ #
+ # The following explicitly sets the MinIO Console listen address to
+ # port 9001 on all network interfaces.
+ # The default behavior is dynamic port selection.
+
+ MINIO_OPTS="--console-address :9001 --certs-dir /opt/minio/certs"
+
+ # Set the root username.
+ # This user has unrestricted permissions to perform S3 and
+ # administrative API operations on any resource in the deployment.
+ #
+ # Defer to your organizations requirements for superadmin user name.
+
+ MINIO_ROOT_USER=minioadmin
+
+ # Set the root password
+ #
+ # Use a long, random, unique string that meets your organizations
+ # requirements for passwords.
+
+ MINIO_ROOT_PASSWORD=minio-secret-key-CHANGE-ME
+
+Specify any other :ref:`environment variables ` or server command-line options as required by your deployment.
+
+For distributed deployments, all nodes **must** have matching ``/etc/default/minio`` environment files.
+Use a utility such as ``shasum -a 256 /etc/default/minio`` on each node to verify an exact match across all nodes.
+
+6. Start the MinIO Deployment
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Use ``systemctl start minio`` to start each node in the deployment.
+
+You can track the status of the startup using ``journalctl -u minio`` on each node.
+
+On successful startup, the MinIO process emits a summary of the deployment that resembles the following output:
+
+.. code-block:: shell
+
+ MinIO Object Storage Server
+ Copyright: 2015-2024 MinIO, Inc.
+ License: GNU AGPLv3 - https://www.gnu.org/licenses/agpl-3.0.html
+ Version: RELEASE.2024-06-07T16-42-07Z (go1.22.4 linux/amd64)
+
+ API: https://minio-1.example.net:9000 https://203.0.113.10:9000 https://127.0.0.1:9000
+ RootUser: minioadmin
+ RootPass: minioadmin
+
+ WebUI: https://minio-1.example.net:9001 https://203.0.113.10:9001 https://127.0.0.1:9001
+ RootUser: minioadmin
+ RootPass: minioadmin
+
+ CLI: https://min.io/docs/minio/linux/reference/minio-mc.html#quickstart
+ $ mc alias set 'myminio' 'https://minio-1.example.net:9000' 'minioadmin' 'minioadmin'
+
+ Docs: https://min.io/docs/minio/linux/index.html
+ Status: 16 Online, 0 Offline.
+
+You may see increased log churn as the cluster starts up and synchronizes.
+
+Common reasons for startup failure include:
+
+- The MinIO process does not have read-write-list access to the specified drives
+- The drives are not empty or contain non-MinIO data
+- The drives are not formatted or mounted properly
+- One or more hosts are not reachable over the network
+
+Following our checklists typically mitigates the risk of encountering those or similar issues.
+
+7. Connect to the Deployment
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. tab-set::
+
+ .. tab-item:: Console
+
+ Open your browser and access any of the MinIO hostnames at port ``:9001`` to open the :ref:`MinIO Console ` login page.
+ For example, ``https://minio1.example.com:9001``.
+
+ Log in with the :guilabel:`MINIO_ROOT_USER` and :guilabel:`MINIO_ROOT_PASSWORD`
+ from the previous step.
+
+ .. image:: /images/minio-console/console-login.png
+ :width: 600px
+ :alt: MinIO Console Login Page
+ :align: center
+
+ You can use the MinIO Console for general administration tasks like Identity and Access Management, Metrics and Log Monitoring, or Server Configuration.
+ Each MinIO server includes its own embedded MinIO Console.
+
+ .. tab-item:: CLI
+
+ Follow the :ref:`installation instructions ` for ``mc`` on your local host.
+ Run ``mc --version`` to verify the installation.
+
+ If your MinIO deployment uses third-party or self-signed TLS certificates, copy the :abbr:`CA (Certificate Authority)` files to ``~/.mc/certs/CAs`` to allow ``mc``
+
+
+ Once installed, create an alias for the MinIO deployment:
+
+ .. code-block:: shell
+ :class: copyable
+
+ mc alias set myminio https://minio-1.example.net:9000 USERNAME PASSWORD
+
+ Change the hostname, username, and password to reflect your deployment.
+ The hostname can be any MinIO node in the deployment.
+ You can also specify the hostname load balancer, reverse proxy, or similar network control plane that handles connections to the deployment.
+
+8. Next Steps
+~~~~~~~~~~~~~
+
+TODO
\ No newline at end of file
diff --git a/source/operations/deployments/baremetal-deploy-minio-on-windows.rst b/source/operations/deployments/baremetal-deploy-minio-on-windows.rst
new file mode 100644
index 000000000..22b0af9f5
--- /dev/null
+++ b/source/operations/deployments/baremetal-deploy-minio-on-windows.rst
@@ -0,0 +1,210 @@
+.. _deploy-minio-windows:
+
+=======================
+Deploy MinIO on Windows
+=======================
+
+.. default-domain:: minio
+
+.. contents:: Table of Contents
+ :local:
+ :depth: 1
+
+.. container:: extlinks-video
+
+ - `Object Storage Essentials `__
+
+ - `How to Connect to MinIO with JavaScript `__
+
+This page documents deploying MinIO onto Microsoft Windows hosts.
+
+MinIO officially supports Windows operating systems in the Active Support of the Microsoft Modern Lifecycle Policy.
+
+At the time of writing, that includes:
+
+- Windows Server 23H2 (**Recommended**)
+- Windows Server 2022 LTSC
+- Windows 11 Enterprise/Workstation 23H2
+- Windows 11 Enterprise/Workstation 22H2
+- Windows 10 Enterprise 21H2 (LTS)
+- Windows 10 IoT 21H2 (LTS)
+- Windows 10 Enterprise 22H2
+
+MinIO *may* run on older or out-of-support Windows releases, with limited support or troubleshooting from either MinIO or Microsoft.
+
+The procedure includes guidance for deploying Single-Node Multi-Drive (SNMD) and Single-Node Single-Drive (SNSD) topologies in support of early development and evaluation environments.
+
+MinIO does not officially support Multi-Node Multi-Drive (MNMD) "Distributed" configurations on Windows hosts.
+
+Considerations
+--------------
+
+Review Checklists
+~~~~~~~~~~~~~~~~~
+
+Ensure you have reviewed our published Hardware, Software, and Security checklists before attempting this procedure.
+
+Erasure Coding Parity
+~~~~~~~~~~~~~~~~~~~~~
+
+MinIO automatically determines the default :ref:`erasure coding ` configuration for the cluster based on the total number of nodes and drives in the topology.
+You can configure the per-object :term:`parity` setting when you set up the cluster *or* let MinIO select the default (``EC:4`` for production-grade clusters).
+
+Parity controls the relationship between object availability and storage on disk.
+Use the MinIO `Erasure Code Calculator `__ for guidance in selecting the appropriate erasure code parity level for your cluster.
+
+While you can change erasure parity settings at any time, objects written with a given parity do **not** automatically update to the new parity settings.
+
+Procedure
+---------
+
+1. Download the MinIO Binary
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Download the MinIO executable from the following URL:
+
+.. code-block:: shell
+ :class: copyable
+
+ https://dl.min.io/server/minio/release/windows-amd64/minio.exe
+
+The next step includes instructions for running the executable.
+You cannot run the executable from the Explorer or by double clicking the file.
+Instead, you call the executable to launch the server.
+
+2. Launch the MinIO Server
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+
+In PowerShell or the Command Prompt, navigate to the location of the executable or add the path of the ``minio.exe`` file to the system ``$PATH``.
+computer.
+
+.. tab-set::
+
+ .. tab-item:: Multi-Drive
+
+ For Windows hosts with multiple drives, you can specify a sequential set of drives to use for configuring MinIO in the Single-Node Multi-Drive (SNMD) topology:
+
+ .. code-block::
+ :class: copyable
+
+ .\minio.exe server {D...G}:\minio --console-address :9001
+
+ The :mc:`minio server` process prints its output to the system console, similar to the following:
+
+ .. code-block:: shell
+
+ API: http://192.0.2.10:9000 http://127.0.0.1:9000
+ RootUser: minioadmin
+ RootPass: minioadmin
+
+ Console: http://192.0.2.10:9001 http://127.0.0.1:9001
+ RootUser: minioadmin
+ RootPass: minioadmin
+
+ Command-line: https://min.io/docs/minio/linux/reference/minio-mc.html
+ $ mc alias set myminio http://192.0.2.10:9000 minioadmin minioadmin
+
+ Documentation: https://min.io/docs/minio/linux/index.html
+
+ WARNING: Detected default credentials 'minioadmin:minioadmin', we recommend that you change these values with 'MINIO_ROOT_USER' and 'MINIO_ROOT_PASSWORD' environment variables.
+
+ The process is tied to the current PowerShell or Command Prompt window.
+ Closing the window stops the server and ends the process.
+
+ .. tab-item:: Single-Drive
+
+ Use this command to start a local MinIO instance in the ``C:\minio`` folder.
+ You can replace ``C:\minio`` with another drive or folder path on the local
+
+ .. code-block::
+ :class: copyable
+
+ .\minio.exe server C:\minio --console-address :9001
+
+ The :mc:`minio server` process prints its output to the system console, similar to the following:
+
+ .. code-block:: shell
+
+ API: http://192.0.2.10:9000 http://127.0.0.1:9000
+ RootUser: minioadmin
+ RootPass: minioadmin
+
+ Console: http://192.0.2.10:9001 http://127.0.0.1:9001
+ RootUser: minioadmin
+ RootPass: minioadmin
+
+ Command-line: https://min.io/docs/minio/linux/reference/minio-mc.html
+ $ mc alias set myminio http://192.0.2.10:9000 minioadmin minioadmin
+
+ Documentation: https://min.io/docs/minio/linux/index.html
+
+ WARNING: Detected default credentials 'minioadmin:minioadmin', we recommend that you change these values with 'MINIO_ROOT_USER' and 'MINIO_ROOT_PASSWORD' environment variables.
+
+ The process is tied to the current PowerShell or Command Prompt window.
+ Closing the window stops the server and ends the process.
+
+3. Connect your Browser to the MinIO Server
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Access the :ref:`minio-console` by going to a browser (such as Microsoft Edge) and going to ``http://127.0.0.1:9001`` or one of the Console addresses specified in the :mc:`minio server` command's output.
+For example, ``Console: http://192.0.2.10:9001 http://127.0.0.1:9001`` in the example output indicates two possible addresses to use for connecting to the Console.
+
+While port ``9000`` is used for connecting to the API, MinIO automatically redirects browser access to the MinIO Console.
+
+Log in to the Console with the ``RootUser`` and ``RootPass`` user credentials displayed in the output.
+These default to ``minioadmin | minioadmin``.
+
+.. image:: /images/minio-console/console-login.png
+ :width: 600px
+ :alt: MinIO Console displaying login screen
+ :align: center
+
+You can use the MinIO Console for general administration tasks like Identity and Access Management, Metrics and Log Monitoring, or Server Configuration.
+Each MinIO server includes its own embedded MinIO Console.
+
+.. image:: /images/minio-console/minio-console.png
+ :width: 600px
+ :alt: MinIO Console displaying bucket start screen
+ :align: center
+
+For more information, see the :ref:`minio-console` documentation.
+
+4. `(Optional)` Install the MinIO Client
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The :ref:`MinIO Client ` allows you to work with your MinIO deployment from Powershell.
+
+Download the standalone MinIO client for Windows from the following link:
+
+https://dl.min.io/client/mc/release/windows-amd64/mc.exe
+
+Double click on the file to run it.
+Or, run the following in the Command Prompt or PowerShell.
+
+.. code-block::
+ :class: copyable
+
+ \path\to\mc.exe --help
+
+Use :mc:`mc.exe alias set ` to quickly authenticate and connect to the MinIO deployment.
+
+.. code-block:: shell
+ :class: copyable
+
+ mc.exe alias set local http://127.0.0.1:9000 minioadmin minioadmin
+ mc.exe admin info local
+
+The :mc:`mc.exe alias set ` takes four arguments:
+
+- The name of the alias
+- The hostname or IP address and port of the MinIO server
+- The Access Key for a MinIO :ref:`user `
+- The Secret Key for a MinIO :ref:`user `
+
+For additional details about this command, see :ref:`alias`.
+
+5. Next Steps
+~~~~~~~~~~~~~
+
+ToDo
\ No newline at end of file
diff --git a/source/operations/deployments/baremetal-deploy-minio-server.rst b/source/operations/deployments/baremetal-deploy-minio-server.rst
new file mode 100644
index 000000000..bf8e67d21
--- /dev/null
+++ b/source/operations/deployments/baremetal-deploy-minio-server.rst
@@ -0,0 +1,25 @@
+.. _deploy-minio-standalone:
+
+========================
+Install the MinIO Server
+========================
+
+.. default-domain:: minio
+
+.. contents:: Table of Contents
+ :local:
+ :depth: 1
+
+MinIO supports deploying onto baremetal infrastructure - physical machines or virtualized hosts - running Linux, MacOS, and Windows.
+
+TODO conceptual information here
+
+.. toctree::
+ :titlesonly:
+ :hidden:
+
+ /operations/deployments/baremetal-deploy-minio-on-redhat-linux
+ /operations/deployments/baremetal-deploy-minio-on-ubuntu-linux
+ /operations/deployments/baremetal-deploy-minio-as-a-container
+ /operations/deployments/baremetal-deploy-minio-on-macos
+ /operations/deployments/baremetal-deploy-minio-on-windows
\ No newline at end of file
diff --git a/source/operations/install-deploy-manage/expand-minio-deployment.rst b/source/operations/deployments/baremetal-expand-minio-deployment.rst
similarity index 97%
rename from source/operations/install-deploy-manage/expand-minio-deployment.rst
rename to source/operations/deployments/baremetal-expand-minio-deployment.rst
index e00220a19..4bcaf2863 100644
--- a/source/operations/install-deploy-manage/expand-minio-deployment.rst
+++ b/source/operations/deployments/baremetal-expand-minio-deployment.rst
@@ -221,17 +221,9 @@ Complete any planned hardware expansion prior to :ref:`decommissioning older har 1) Install the MinIO Binary on Each Node in the New Server Pool ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.. cond:: linux - - .. include:: /includes/linux/common-installation.rst - :start-after: start-install-minio-binary-desc - :end-before: end-install-minio-binary-desc - -.. cond:: macos - - .. include:: /includes/macos/common-installation.rst - :start-after: start-install-minio-binary-desc - :end-before: end-install-minio-binary-desc +.. include:: /includes/linux/common-installation.rst + :start-after: start-install-minio-binary-desc + :end-before: end-install-minio-binary-desc 2) Add TLS/SSL Certificates ~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/source/operations/install-deploy-manage/migrate-fs-gateway.rst b/source/operations/deployments/baremetal-migrate-fs-gateway.rst similarity index 95% rename from source/operations/install-deploy-manage/migrate-fs-gateway.rst rename to source/operations/deployments/baremetal-migrate-fs-gateway.rst index f0905d87f..04bbdaf54 100644 --- a/source/operations/install-deploy-manage/migrate-fs-gateway.rst +++ b/source/operations/deployments/baremetal-migrate-fs-gateway.rst @@ -20,11 +20,6 @@ Along with the deprecation announcement, MinIO also announced that the feature w As of :minio-release:`RELEASE.2022-10-29T06-21-33Z`, the MinIO Gateway and the related filesystem mode code have been removed. Deployments still using the `standalone` or `filesystem` MinIO modes that upgrade to MinIO Server :minio-release:`RELEASE.2022-10-29T06-21-33Z` or later receive an error when attempting to start MinIO. -.. cond:: linux - - .. note:: - - For deployments running in a container, see the `Container - Migrate from Gateway or Filesystem Mode `__ tutorial instead. Overview -------- 
@@ -68,7 +63,7 @@ Procedure #. Create a new Single-Node Single-Drive MinIO deployment. - Refer to the :ref:`documentation for step-by-step instructions ` for launching a new |SNSD| deployment. + Follow our :ref:`installation instructions ` for your OS of choice and configure the installation as a Single-Node Single-Drive (SNSD) topology. The location of the deployment can be any empty folder on the storage medium of your choice. A new folder on the same drive can work for the new deployment as long as the existing deployment is not on the root of a drive. @@ -259,6 +254,5 @@ Procedure #. Stop the server for both deployments. #. Restart the new MinIO deployment with the ports used for the previous standalone deployment. - For more about starting the MinIO service, refer to step four in the deploy |SNSD| :ref:`documentation `. Ensure you apply all environment variables and runtime configuration settings and validate the behavior of the new deployment. diff --git a/source/operations/install-deploy-manage/upgrade-minio-deployment.rst b/source/operations/deployments/baremetal-upgrade-minio-deployment.rst similarity index 61% rename from source/operations/install-deploy-manage/upgrade-minio-deployment.rst rename to source/operations/deployments/baremetal-upgrade-minio-deployment.rst index 3c50e14ba..f76464423 100644 --- a/source/operations/install-deploy-manage/upgrade-minio-deployment.rst +++ b/source/operations/deployments/baremetal-upgrade-minio-deployment.rst 
@@ -15,18 +15,4 @@ Upgrade a MinIO Deployment For deployments older than :minio-release:`RELEASE.2024-03-30T09-41-56Z` running with :ref:`AD/LDAP ` enabled, you **must** read through the release notes for :minio-release:`RELEASE.2024-04-18T19-09-19Z` before starting this procedure. You must take the extra steps documented in the linked release as part of the upgrade. -.. cond:: linux - - .. include:: /includes/linux/steps-upgrade-minio-deployment.rst - -.. cond:: container - - .. include:: /includes/container/steps-upgrade-minio-deployment.rst - -.. cond:: windows - - .. include:: /includes/windows/steps-upgrade-minio-deployment.rst - -.. cond:: macos - - .. include:: /includes/macos/steps-upgrade-minio-deployment.rst \ No newline at end of file +.. include:: /includes/linux/steps-upgrade-minio-deployment.rst \ No newline at end of file diff --git a/source/operations/deployments/baremetal.rst b/source/operations/deployments/baremetal.rst new file mode 100644 index 000000000..14ec32a2f --- /dev/null +++ b/source/operations/deployments/baremetal.rst 
@@ -0,0 +1,32 @@
+.. _minio-baremetal:
+.. _minio-installation-platform-support:
+.. _deploy-minio-distributed-baremetal:
+
+=========================
+Deploy MinIO on Baremetal
+=========================
+
+.. default-domain:: minio
+
+.. contents:: Table of Contents
+ :local:
+ :depth: 1
+
+MinIO supports deploying onto baremetal infrastructure - physical machines or virtualized hosts - running Linux, MacOS, and Windows.
+You can also deploy MinIO as a container onto supported Operating Systems.
+
+- :ref:`Deploy MinIO onto RedHat Linux `
+- :ref:`Deploy MinIO onto Ubuntu Linux `
+- :ref:`Deploy MinIO onto Apple MacOS `
+- :ref:`Deploy MinIO as a Container `
+- :ref:`Deploy MinIO onto Microsoft Windows `
+
+.. toctree::
+ :titlesonly:
+ :hidden:
+
+ /operations/deployments/baremetal-deploy-minio-server
+ /operations/deployments/baremetal-upgrade-minio-deployment
+ /operations/deployments/baremetal-expand-minio-deployment
+ /operations/deployments/baremetal-decommission-server-pool
+ /operations/deployments/baremetal-migrate-fs-gateway
\ No newline at end of file
diff --git a/source/operations/deployments/installation.rst b/source/operations/deployments/installation.rst
new file mode 100644
index 000000000..2c4c34f99
--- /dev/null
+++ b/source/operations/deployments/installation.rst
@@ -0,0 +1,101 @@
+.. _deploy-minio-distributed:
+.. _minio-mnmd:
+.. _minio-installation:
+.. _minio-snmd:
+.. _minio-snsd:
+
+===========================
+Installation and Management
+===========================
+
+.. default-domain:: minio
+
+.. contents:: Table of Contents
+ :local:
+ :depth: 2
+
+This section documents steps for installing and managing the AGPLv3-licensed Community MinIO Object Storage on :ref:`Kubernetes ` and :ref:`Baremetal ` infrastructures.
+
+.. meta::
+ :description: MinIO Deployment Topologies and Installation Instructions
+ :keywords: MinIO, Deploy, Architecture, Topology, Distributed, Replication, Install
+
+.. container:: extlinks-video
+
+ - `Installing and Running MinIO on Linux `__
+
+ - `Object Storage Essentials `__
+
+ - `How to Connect to MinIO with JavaScript `__
+
+MinIO is a software-defined high performance distributed object storage server.
+You can run MinIO on consumer or enterprise-grade hardware and a variety
+of operating systems and architectures.
+
+All MinIO deployments implement :ref:`Erasure Coding ` backends.
+You can deploy MinIO using one of the following topologies:
+
+.. _minio-installation-comparison:
+
+:ref:`Single-Node Single-Drive ` (SNSD or "Standalone")
+ Local development and evaluation with no/limited reliability
+
+:ref:`Single-Node Multi-Drive ` (SNMD or "Standalone Multi-Drive")
+ Workloads with lower performance, scale, and capacity requirements
+
+ Drive-level reliability with configurable tolerance for loss of up to 1/2 all drives
+
+ Evaluation of multi-drive topologies and failover behavior.
+
+:ref:`Multi-Node Multi-Drive ` (MNMD or "Distributed")
+ Enterprise-grade high-performance object storage
+
+ Multi Node/Drive level reliability with configurable tolerance for loss of up to 1/2 all nodes/drives
+
+ Primary storage for AI/ML, Distributed Query, Analytics, and other Data Lake components
+
+ Scalable for Petabyte+ workloads - both storage capacity and performance
+
+Kubernetes
+----------
+
+MinIO provides a Kubernetes-native Operator framework for managing and deploying Tenants onto your managed infrastructure.
+
+MinIO fully supports upstream Kubernetes and most flavors which inherit from the upstream as a base.
+This includes, but is not limited to, RedHat Openshift, SUSE Rancher, VMWare Tanzu.
+MinIO also fully supports cloud-based Kubernetes engines such as Elastic Kubernetes Engine, Google Kubernetes Service, and Azure Kubernetes Service.
+
+Select the link most appropriate for your Kubernetes infrastructure.
+If your provider is not listed, use the Kubernetes Upstream documentation as a baseline and modify as needed based on your provider's guidance or divergence from upstream semantics and behavior.
+
+- :ref:`Deploy MinIO on Kubernetes (Upstream) `
+- :ref:`Deploy MinIO on Openshift Kubernetes `
+- :ref:`Deploy MinIO on SUSE Rancher Kubernetes `
+- :ref:`Deploy MinIO on Elastic Kubernetes Service `
+- :ref:`Deploy MinIO on Google Kubernetes Engine `
+- :ref:`Deploy MinIO on Azure Kubernetes Service `
+
+Baremetal
+---------
+
+MinIO supports deploying onto baremetal infrastructure - physical machines or virtualized hosts - running Linux, MacOS, and Windows.
+You can also deploy MinIO as a container onto supported Operating Systems.
+
+- :ref:`Deploy MinIO onto RedHat Linux `
+- :ref:`Deploy MinIO onto Ubuntu Linux `
+- :ref:`Deploy MinIO as a Container `
+- :ref:`Deploy MinIO onto MacOS `
+- :ref:`Deploy MinIO onto Windows `
+
+.. important::
+
+ MinIO strongly recommends :minio-docs:`Linux (RHEL, Ubuntu) ` or :minio-docs:`Kubernetes (Upstream, OpenShift) ` for long-term development and production environments.
+
+ MinIO provides no guarantee of support for :abbr:`SNMD (Single-Node Multi-Drive)` or :abbr:`MNMD (Multi-Node Multi-Drive)` topologies on MacOS, Windows, or Containerized deployments.
+
+.. toctree::
+ :titlesonly:
+ :hidden:
+
+ /operations/deployments/kubernetes
+ /operations/deployments/baremetal
\ No newline at end of file
diff --git a/source/operations/install-deploy-manage/delete-minio-tenant.rst b/source/operations/deployments/k8s-delete-minio-tenant-on-kubernetes.rst
similarity index 100%
rename from source/operations/install-deploy-manage/delete-minio-tenant.rst
rename to source/operations/deployments/k8s-delete-minio-tenant-on-kubernetes.rst
diff --git a/source/operations/deployments/k8s-deploy-minio-on-azure-kubernetes-service.rst b/source/operations/deployments/k8s-deploy-minio-on-azure-kubernetes-service.rst
new file mode 100644
index 000000000..ddf663197
--- /dev/null
+++ b/source/operations/deployments/k8s-deploy-minio-on-azure-kubernetes-service.rst
@@ -0,0 +1,262 @@ + +.. _deploy-operator-aks: + +================================================= +Deploy MinIO Operator on Azure Kubernetes Service +================================================= + +.. default-domain:: minio + +.. contents:: Table of Contents + :local: + :depth: 1 + +Overview +-------- + +`Azure Kubernetes Engine `__ (AKS) is a highly available, secure, and fully managed Kubernetes service from Microsoft Azure. +The MinIO Kubernetes Operator supports deploying MinIO Tenants onto AKS infrastructure using the MinIO Operator Console or `kustomize `__ for :minio-git:`YAML-defined deployments `. + +:minio-web:`Through the AKS Marketplace ` + MinIO maintains an `AKS Marketplace listing `__ through which you can register your AKS cluster with |subnet|. + Any MinIO tenant you deploy through Marketplace-connected clusters can take advantage of SUBNET registration, including 24/7 access to MinIO engineers. + +Using Kubernetes Kustomize + MinIO provides Kustomize templates for deploying the MinIO Operator onto Kubernetes infrastructure. + You can use Kustomize to install the Operator onto EKS infrastructure. + + MinIO Operator installations and Tenants deployed through this path require manual subscription with MinIO SUBNET for licensing and support. + +Using Kubernetes Helm + MinIO provides a Helm chart for deploying the MinIO Operator onto Kubernetes infrastructure. + See :ref:`minio-k8s-deploy-operator-helm` for instructions. + + MinIO Operator installations and Tenants deployed through this path require manual subscription with MinIO SUBNET for licensing and support. + +This page documents deploying the MinIO Operator through the CLI using Kustomize. + +This page documents deploying the MinIO Operator through the CLI using Kustomize. 
+For instructions on deploying the MinIO Operator through the AKS Marketplace, see :minio-web:`Deploy MinIO through AKS ` + +This documentation assumes familiarity with all referenced Kubernetes and Azure Kubernetes Service concepts, utilities, and procedures. +While this documentation *may* provide guidance for configuring or deploying Kubernetes-related or Azure Kubernetes Service-related resources on a best-effort basis, it is not a replacement for the official :kube-docs:`Kubernetes Documentation <>`. + +Prerequisites +------------- + +AKS Cluster with Azure Virtual Machines +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This procedure assumes an existing :abbr:`AKS (Azure Kubernetes Service)` cluster with *at least* four Azure virtual machines (VM). +The Azure VMs should have matching machine types and configurations to ensure predictable performance with MinIO. + +MinIO provides :ref:`hardware guidelines ` for selecting the appropriate EC2 instance class and size. +MinIO strongly recommends selecting VM instances with support for Premium SSDs and *at least* 25Gbps Network bandwidth as a baseline for performance. + +For more complete information on Azure Virtual Machine types and Storage resources, see :azure-docs:`Sizes for virtual machines in Azure ` and :azure-docs:`Azure managed disk types ` + +``kubectl`` Access to the AKS Cluster +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Ensure your host machine has a ``kubectl`` installation compatible with the target AKS cluster. +For guidance on connecting ``kubectl`` to AKS, see :aks-docs:`Install kubectl and configure cluster access `. + +Procedure +--------- + +The following steps deploy Operator using Kustomize and a ``kustomization.yaml`` file from the MinIO Operator GitHub repository. +To install Operator using a Helm chart, see :ref:`Deploy Operator with Helm `. + +The following procedure uses ``kubectl -k`` to install the Operator from the MinIO Operator GitHub repository. 
+``kubectl -k`` and ``kubectl --kustomize`` are aliases that perform the same command. + +.. important:: + + If you use Kustomize to install the Operator, you must use Kustomize to manage or upgrade that installation. + Do not use ``kubectl krew``, a Helm chart, or similar methods to manage or upgrade a MinIO Operator installation deployed with Kustomize. + + You can, however, use Kustomize to upgrade a previous version of Operator (5.0.14 or earlier) installed with the MinIO Kubernetes Plugin. + +1. Install the latest version of Operator +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. code-block:: shell + :class: copyable + :substitutions: + + kubectl apply -k "github.com/minio/operator?ref=v|operator-version-stable|" + +The output resembles the following: + +.. code-block:: shell + + namespace/minio-operator created + customresourcedefinition.apiextensions.k8s.io/miniojobs.job.min.io created + customresourcedefinition.apiextensions.k8s.io/policybindings.sts.min.io created + customresourcedefinition.apiextensions.k8s.io/tenants.minio.min.io created + serviceaccount/console-sa created + serviceaccount/minio-operator created + clusterrole.rbac.authorization.k8s.io/console-sa-role created + clusterrole.rbac.authorization.k8s.io/minio-operator-role created + clusterrolebinding.rbac.authorization.k8s.io/console-sa-binding created + clusterrolebinding.rbac.authorization.k8s.io/minio-operator-binding created + configmap/console-env created + secret/console-sa-secret created + service/console created + service/operator created + service/sts created + deployment.apps/console created + deployment.apps/minio-operator created + +2. Verify the Operator pods are running +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. code-block:: shell + :class: copyable + + kubectl get pods -n minio-operator + +The output resembles the following: + +.. 
code-block:: shell + + NAME READY STATUS RESTARTS AGE + console-56c7d8bd89-485qh 1/1 Running 0 2m42s + minio-operator-6c758b8c45-nkhlx 1/1 Running 0 2m42s + minio-operator-6c758b8c45-dgd8n 1/1 Running 0 2m42s + +In this example, the ``minio-operator`` pod is MinIO Operator and the ``console`` pod is the Operator Console. + +You can modify your Operator deployment by applying kubectl patches. +You can find examples for common configurations in the `Operator GitHub repository `__. + +3. *(Optional)* Configure access to the Operator Console service +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Operator Console service does not automatically bind or expose itself for external access on the Kubernetes cluster. +You must instead configure a network control plane component, such as a load balancer or ingress, to grant that external access. + +For testing purposes or short-term access, expose the Operator Console service through a NodePort using the following patch: + +.. code-block:: shell + :class: copyable + + kubectl patch service -n minio-operator console -p ' + { + "spec": { + "ports": [ + { + "name": "http", + "port": 9090, + "protocol": "TCP", + "targetPort": 9090, + "nodePort": 30090 + }, + { + "name": "https", + "port": 9443, + "protocol": "TCP", + "targetPort": 9443, + "nodePort": 30433 + } + ], + "type": "NodePort" + } + }' + +The patch command should output ``service/console patched``. +You can now access the service through ports ``30433`` (HTTPS) or ``30090`` (HTTP) on any of your Kubernetes worker nodes. + +4. Verify the Operator installation +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Check the contents of the specified namespace (``minio-operator``) to ensure all pods and services have started successfully. + +.. code-block:: shell + :class: copyable + + kubectl get all -n minio-operator + +The response should resemble the following: + +.. 
code-block:: shell + + NAME READY STATUS RESTARTS AGE + pod/console-56c7d8bd89-485qh 1/1 Running 0 5m20s + pod/minio-operator-6c758b8c45-nkhlx 1/1 Running 0 5m20s + pod/minio-operator-6c758b8c45-dgd8n 1/1 Running 0 5m20s + + NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE + service/operator ClusterIP 10.43.135.241 4221/TCP 5m20s + service/sts ClusterIP 10.43.117.251 4223/TCP 5m20s + service/console NodePort 10.43.235.38 9090:30090/TCP,9443:30433/TCP 5m20s + + NAME READY UP-TO-DATE AVAILABLE AGE + deployment.apps/console 1/1 1 1 5m20s + deployment.apps/minio-operator 2/2 2 2 5m20s + + NAME DESIRED CURRENT READY AGE + replicaset.apps/console-56c7d8bd89 1 1 1 5m20s + replicaset.apps/minio-operator-6c758b8c45 2 2 2 5m20s + +5. Retrieve the Operator Console JWT for login +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. code-block:: shell + :class: copyable + + kubectl apply -f - <`. diff --git a/source/operations/deployments/k8s-deploy-minio-on-elastic-kubernetes-service.rst b/source/operations/deployments/k8s-deploy-minio-on-elastic-kubernetes-service.rst new file mode 100644 index 000000000..6bd512cb1 --- /dev/null +++ b/source/operations/deployments/k8s-deploy-minio-on-elastic-kubernetes-service.rst 
@@ -0,0 +1,268 @@ +.. _deploy-operator-eks: + +========================================================== +Deploy MinIO Operator on Amazon Elastic Kubernetes Service +========================================================== + +.. default-domain:: minio + +.. contents:: Table of Contents + :local: + :depth: 1 + +Overview +-------- + +:eks-docs:`Amazon® Elastic Kubernetes Service® ` (EKS) is an enterprise-ready Kubernetes container platform with full-stack automated operations to manage hybrid cloud, multi-cloud, and edge deployments. +The MinIO Kubernetes Operator supports deploying MinIO Tenants onto EKS infrastructure using the MinIO Operator Console or by using `kustomize `__ for :minio-git:`YAML-defined deployments `. + +MinIO supports the following methods for installing the MinIO Operator onto your :abbr:`EKS (Elastic Kubernetes Service)` clusters: + +:minio-web:`Through the AWS Marketplace ` + MinIO maintains an `AWS Marketplace listing `__ through which you can register your EKS cluster with |subnet|. + Any tenant you deploy through Marketplace-connected clusters can take advantage of SUBNET registration, including 24/7 direct access to MinIO engineers. + +Using Kubernetes Kustomize + MinIO provides Kustomize templates for deploying the MinIO Operator onto Kubernetes infrastructure. + You can use Kustomize to install the Operator onto EKS infrastructure. + + MinIO Operator installations and Tenants deployed through this path require manual subscription with MinIO SUBNET for licensing and support. + +Using Kubernetes Helm + MinIO provides a Helm chart for deploying the MinIO Operator onto Kubernetes infrastructure. + See :ref:`minio-k8s-deploy-operator-helm` for instructions. + + MinIO Operator installations and Tenants deployed through this path require manual subscription with MinIO SUBNET for licensing and support. + +This page documents deploying the MinIO Operator through the CLI using Kustomize. 
+For instructions on deploying the MinIO Operator through the AWS Marketplace, see :minio-web:`Deploy MinIO through EKS `. + +This documentation assumes familiarity with all referenced Kubernetes and Elastic Kubernetes Service concepts, utilities, and procedures. +While this documentation *may* provide guidance for configuring or deploying Kubernetes-related or Elastic Kubernetes Service-related resources on a best-effort basis, it is not a replacement for the official :kube-docs:`Kubernetes Documentation <>`. + +Prerequisites +------------- + +In addition to the general :ref:`MinIO Operator prerequisites `, your EKS cluster must also meet the following requirements: + +EKS Cluster with EBS-Optimized EC2 Nodes +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This procedure assumes an existing :abbr:`EKS (Elastic Kubernetes Service)` cluster with *at least* four EC2 nodes. +The EC2 nodes should have matching machine types and configurations to ensure predictable performance with MinIO. + +MinIO provides :ref:`hardware guidelines ` for selecting the appropriate EC2 instance class and size. +MinIO strongly recommends selecting EBS-optimized instances with *at least* 25Gbps Network bandwidth as a baseline for performance. + +For more complete information on the available EC2 and EBS resources, see `EC2 Instance Types `__ and `EBS Volume Types `__. +|subnet| customers should reach out to MinIO engineering as part of architecture planning for assistance in selecting the optimal instance and volume types for the target workload and performance goals. + +``kubectl`` Access to the EKS Cluster +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Ensure your host machine has a ``kubectl`` installation compatible with the target EKS cluster. +For guidance on connecting ``kubectl`` to EKS, see :aws-docs:`Creating or updating a kubeconfig file for an Amazon EKS cluster `. + +Your ``kubectl`` configuration must include authentication as a user with the correct permissions. 
+MinIO provides an example IAM policy for Marketplace-based installations in the MinIO Operator :minio-git:`github repository `. +You can use this policy as a baseline for manual Operator installations. + +Procedure +--------- + +The following steps deploy Operator using Kustomize and a ``kustomization.yaml`` file from the MinIO Operator GitHub repository. +To install Operator using a Helm chart, see :ref:`Deploy Operator with Helm `. + +The following procedure uses ``kubectl -k`` to install the Operator from the MinIO Operator GitHub repository. +``kubectl -k`` and ``kubectl --kustomize`` are aliases that perform the same command. + +.. important:: + + If you use Kustomize to install the Operator, you must use Kustomize to manage or upgrade that installation. + Do not use ``kubectl krew``, a Helm chart, or similar methods to manage or upgrade a MinIO Operator installation deployed with Kustomize. + + You can, however, use Kustomize to upgrade a previous version of Operator (5.0.14 or earlier) installed with the MinIO Kubernetes Plugin. + +1. Install the latest version of Operator +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. code-block:: shell + :class: copyable + :substitutions: + + kubectl apply -k "github.com/minio/operator?ref=v|operator-version-stable|" + +The output resembles the following: + +.. 
code-block:: shell + + namespace/minio-operator created + customresourcedefinition.apiextensions.k8s.io/miniojobs.job.min.io created + customresourcedefinition.apiextensions.k8s.io/policybindings.sts.min.io created + customresourcedefinition.apiextensions.k8s.io/tenants.minio.min.io created + serviceaccount/console-sa created + serviceaccount/minio-operator created + clusterrole.rbac.authorization.k8s.io/console-sa-role created + clusterrole.rbac.authorization.k8s.io/minio-operator-role created + clusterrolebinding.rbac.authorization.k8s.io/console-sa-binding created + clusterrolebinding.rbac.authorization.k8s.io/minio-operator-binding created + configmap/console-env created + secret/console-sa-secret created + service/console created + service/operator created + service/sts created + deployment.apps/console created + deployment.apps/minio-operator created + +2. Verify the Operator pods are running +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. code-block:: shell + :class: copyable + + kubectl get pods -n minio-operator + +The output resembles the following: + +.. code-block:: shell + + NAME READY STATUS RESTARTS AGE + console-56c7d8bd89-485qh 1/1 Running 0 2m42s + minio-operator-6c758b8c45-nkhlx 1/1 Running 0 2m42s + minio-operator-6c758b8c45-dgd8n 1/1 Running 0 2m42s + +In this example, the ``minio-operator`` pod is MinIO Operator and the ``console`` pod is the Operator Console. + +You can modify your Operator deployment by applying kubectl patches. +You can find examples for common configurations in the `Operator GitHub repository `__. + +3. *(Optional)* Configure access to the Operator Console service +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Operator Console service does not automatically bind or expose itself for external access on the Kubernetes cluster. +You must instead configure a network control plane component, such as a load balancer or ingress, to grant that external access. 
+ +For testing purposes or short-term access, expose the Operator Console service through a NodePort using the following patch: + +.. code-block:: shell + :class: copyable + + kubectl patch service -n minio-operator console -p ' + { + "spec": { + "ports": [ + { + "name": "http", + "port": 9090, + "protocol": "TCP", + "targetPort": 9090, + "nodePort": 30090 + }, + { + "name": "https", + "port": 9443, + "protocol": "TCP", + "targetPort": 9443, + "nodePort": 30433 + } + ], + "type": "NodePort" + } + }' + +The patch command should output ``service/console patched``. +You can now access the service through ports ``30433`` (HTTPS) or ``30090`` (HTTP) on any of your Kubernetes worker nodes. + +4. Verify the Operator installation +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Check the contents of the specified namespace (``minio-operator``) to ensure all pods and services have started successfully. + +.. code-block:: shell + :class: copyable + + kubectl get all -n minio-operator + +The response should resemble the following: + +.. code-block:: shell + + NAME READY STATUS RESTARTS AGE + pod/console-56c7d8bd89-485qh 1/1 Running 0 5m20s + pod/minio-operator-6c758b8c45-nkhlx 1/1 Running 0 5m20s + pod/minio-operator-6c758b8c45-dgd8n 1/1 Running 0 5m20s + + NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE + service/operator ClusterIP 10.43.135.241 4221/TCP 5m20s + service/sts ClusterIP 10.43.117.251 4223/TCP 5m20s + service/console NodePort 10.43.235.38 9090:30090/TCP,9443:30433/TCP 5m20s + + NAME READY UP-TO-DATE AVAILABLE AGE + deployment.apps/console 1/1 1 1 5m20s + deployment.apps/minio-operator 2/2 2 2 5m20s + + NAME DESIRED CURRENT READY AGE + replicaset.apps/console-56c7d8bd89 1 1 1 5m20s + replicaset.apps/minio-operator-6c758b8c45 2 2 2 5m20s + +5. Retrieve the Operator Console JWT for login +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. code-block:: shell + :class: copyable + + kubectl apply -f - <`. \ No newline at end of file 
diff --git a/source/operations/deployments/k8s-deploy-minio-on-google-kubernetes-engine.rst b/source/operations/deployments/k8s-deploy-minio-on-google-kubernetes-engine.rst
new file mode 100644
index 000000000..b5b87bd8b
--- /dev/null
+++ b/source/operations/deployments/k8s-deploy-minio-on-google-kubernetes-engine.rst
@@ -0,0 +1,261 @@ +.. _deploy-operator-gke: + +================================================= +Deploy MinIO Operator on Google Kubernetes Engine +================================================= + +.. default-domain:: minio + +.. contents:: Table of Contents + :local: + :depth: 1 + +Overview +-------- + +`Google Kubernetes Engine `__ (GKE) offers a highly automated secure and fully managed Kubernetes platform. +The MinIO Kubernetes Operator supports deploying MinIO Tenants onto GKE infrastructure using the MinIO Operator Console or `kustomize `__ for :minio-git:`YAML-defined deployments `. + +:minio-web:`Through the GKE Marketplace ` + MinIO maintains an `GKE Marketplace listing `__ through which you can register your GKE cluster with |subnet|. + Any MinIO tenant you deploy through Marketplace-connected clusters can take advantage of SUBNET registration, including 24/7 direct access to MinIO engineers. + +Using Kubernetes Kustomize + MinIO provides Kustomize templates for deploying the MinIO Operator onto Kubernetes infrastructure. + You can use Kustomize to install the Operator onto EKS infrastructure. + + MinIO Operator installations and Tenants deployed through this path require manual subscription with MinIO SUBNET for licensing and support. + +Using Kubernetes Helm + MinIO provides a Helm chart for deploying the MinIO Operator onto Kubernetes infrastructure. + See :ref:`minio-k8s-deploy-operator-helm` for instructions. + + MinIO Operator installations and Tenants deployed through this path require manual subscription with MinIO SUBNET for licensing and support. + +This page documents deploying the MinIO Operator through the CLI using Kustomize. + +This page documents deploying the MinIO Operator through the CLI using Kustomize. 
+For instructions on deploying the MinIO Operator through the GKE Marketplace, see :minio-web:`Deploy MinIO through GKE ` + +This documentation assumes familiarity with all referenced Kubernetes and Google Kubernetes Engine concepts, utilities, and procedures. +While this documentation *may* provide guidance for configuring or deploying Kubernetes-related or Google Kubernetes Engine-related resources on a best-effort basis, it is not a replacement for the official :kube-docs:`Kubernetes Documentation <>`. + +Prerequisites +------------- + +GKE Cluster with Compute Engine Nodes +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This procedure assumes an existing :abbr:`GKE (Google Kubernetes Engine)` cluster with a MinIO Operator installation and *at least* four Compute Engine nodes. +The Compute Engine nodes should have matching machine types and configurations to ensure predictable performance with MinIO. + +MinIO provides :ref:`hardware guidelines ` for selecting the appropriate Compute Engine instance class and size. +MinIO strongly recommends selecting instances with support for local SSDs and *at least* 25Gbps egress bandwidth as a baseline for performance. + +For more complete information on the available Compute Engine and Persistent Storage resources, see :gcp-docs:`Machine families resources and comparison guide ` and :gcp-docs:`Persistent disks `. + +``kubectl`` Access to the GKE Cluster +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Ensure your host machine has a ``kubectl`` installation compatible with the target GKE cluster. +For guidance on connecting ``kubectl`` to GKE, see :gke-docs:`Install kubectl and configure cluster access `. + +Procedure +--------- + +The following steps deploy Operator using Kustomize and a ``kustomization.yaml`` file from the MinIO Operator GitHub repository. +To install Operator using a Helm chart, see :ref:`Deploy Operator with Helm `. 
+ +The following procedure uses ``kubectl -k`` to install the Operator from the MinIO Operator GitHub repository. +``kubectl -k`` and ``kubectl --kustomize`` are aliases that perform the same command. + +.. important:: + + If you use Kustomize to install the Operator, you must use Kustomize to manage or upgrade that installation. + Do not use ``kubectl krew``, a Helm chart, or similar methods to manage or upgrade a MinIO Operator installation deployed with Kustomize. + + You can, however, use Kustomize to upgrade a previous version of Operator (5.0.14 or earlier) installed with the MinIO Kubernetes Plugin. + +1. Install the latest version of Operator +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. code-block:: shell + :class: copyable + :substitutions: + + kubectl apply -k "github.com/minio/operator?ref=v|operator-version-stable|" + +The output resembles the following: + +.. code-block:: shell + + namespace/minio-operator created + customresourcedefinition.apiextensions.k8s.io/miniojobs.job.min.io created + customresourcedefinition.apiextensions.k8s.io/policybindings.sts.min.io created + customresourcedefinition.apiextensions.k8s.io/tenants.minio.min.io created + serviceaccount/console-sa created + serviceaccount/minio-operator created + clusterrole.rbac.authorization.k8s.io/console-sa-role created + clusterrole.rbac.authorization.k8s.io/minio-operator-role created + clusterrolebinding.rbac.authorization.k8s.io/console-sa-binding created + clusterrolebinding.rbac.authorization.k8s.io/minio-operator-binding created + configmap/console-env created + secret/console-sa-secret created + service/console created + service/operator created + service/sts created + deployment.apps/console created + deployment.apps/minio-operator created + +2. Verify the Operator pods are running +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. code-block:: shell + :class: copyable + + kubectl get pods -n minio-operator + +The output resembles the following: + +.. 
code-block:: shell + + NAME READY STATUS RESTARTS AGE + console-56c7d8bd89-485qh 1/1 Running 0 2m42s + minio-operator-6c758b8c45-nkhlx 1/1 Running 0 2m42s + minio-operator-6c758b8c45-dgd8n 1/1 Running 0 2m42s + +In this example, the ``minio-operator`` pod is MinIO Operator and the ``console`` pod is the Operator Console. + +You can modify your Operator deployment by applying kubectl patches. +You can find examples for common configurations in the `Operator GitHub repository `__. + +3. *(Optional)* Configure access to the Operator Console service +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Operator Console service does not automatically bind or expose itself for external access on the Kubernetes cluster. +You must instead configure a network control plane component, such as a load balancer or ingress, to grant that external access. + +For testing purposes or short-term access, expose the Operator Console service through a NodePort using the following patch: + +.. code-block:: shell + :class: copyable + + kubectl patch service -n minio-operator console -p ' + { + "spec": { + "ports": [ + { + "name": "http", + "port": 9090, + "protocol": "TCP", + "targetPort": 9090, + "nodePort": 30090 + }, + { + "name": "https", + "port": 9443, + "protocol": "TCP", + "targetPort": 9443, + "nodePort": 30433 + } + ], + "type": "NodePort" + } + }' + +The patch command should output ``service/console patched``. +You can now access the service through ports ``30433`` (HTTPS) or ``30090`` (HTTP) on any of your Kubernetes worker nodes. + +4. Verify the Operator installation +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Check the contents of the specified namespace (``minio-operator``) to ensure all pods and services have started successfully. + +.. code-block:: shell + :class: copyable + + kubectl get all -n minio-operator + +The response should resemble the following: + +.. 
code-block:: shell + + NAME READY STATUS RESTARTS AGE + pod/console-56c7d8bd89-485qh 1/1 Running 0 5m20s + pod/minio-operator-6c758b8c45-nkhlx 1/1 Running 0 5m20s + pod/minio-operator-6c758b8c45-dgd8n 1/1 Running 0 5m20s + + NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE + service/operator ClusterIP 10.43.135.241 4221/TCP 5m20s + service/sts ClusterIP 10.43.117.251 4223/TCP 5m20s + service/console NodePort 10.43.235.38 9090:30090/TCP,9443:30433/TCP 5m20s + + NAME READY UP-TO-DATE AVAILABLE AGE + deployment.apps/console 1/1 1 1 5m20s + deployment.apps/minio-operator 2/2 2 2 5m20s + + NAME DESIRED CURRENT READY AGE + replicaset.apps/console-56c7d8bd89 1 1 1 5m20s + replicaset.apps/minio-operator-6c758b8c45 2 2 2 5m20s + +5. Retrieve the Operator Console JWT for login +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. code-block:: shell + :class: copyable + + kubectl apply -f - <`. diff --git a/source/operations/deployments/k8s-deploy-minio-on-kubernetes-upstream.rst b/source/operations/deployments/k8s-deploy-minio-on-kubernetes-upstream.rst new file mode 100644 index 000000000..8c455ed66 --- /dev/null +++ b/source/operations/deployments/k8s-deploy-minio-on-kubernetes-upstream.rst 
@@ -0,0 +1,244 @@ +.. _deploy-minio-kubernetes: +.. _minio-operator-installation: +.. _minio-operator-installation-kustomize: +.. _deploy-operator-kubernetes: +.. _deploy-operator-kubernetes-kustomize: + +=================================== +Deploy MinIO Operator on Kubernetes +=================================== + +.. default-domain:: minio + +.. contents:: Table of Contents + :local: + :depth: 1 + +.. container:: extlinks-video + + - `Object Storage Essentials `__ + + - `How to Connect to MinIO with JavaScript `__ + +This page documents installing the MinIO Kubernetes Operator onto Kubernetes infrastructure. +This procedure assumes an installation of Kubernetes Upstream, though the instructions may work for other flavors of Kubernetes. + +The MinIO Operator installs a :kube-docs:`Custom Resource Definition (CRD) ` to support describing MinIO tenants as a Kubernetes :kube-docs:`object `. +See the MinIO Operator :minio-git:`CRD Reference ` for complete documentation on the MinIO CRD. + +Once you have installed the Kubernetes Operator, you can then deploy MinIO Tenants onto your Kubernetes worker nodes. + +This documentation assumes familiarity with referenced Kubernetes concepts, utilities, and procedures. +While this documentation *may* provide guidance for configuring or deploying Kubernetes-related resources on a best-effort basis, it is not a replacement for the official :kube-docs:`Kubernetes Documentation <>`. + + +Considerations +-------------- + +Procedure +--------- + +The following steps deploy Operator using Kustomize and a ``kustomization.yaml`` file from the MinIO Operator GitHub repository. +To install Operator using a Helm chart, see :ref:`Deploy Operator with Helm `. + +The following procedure uses ``kubectl -k`` to install the Operator from the MinIO Operator GitHub repository. +``kubectl -k`` and ``kubectl --kustomize`` are aliases that perform the same command. + +.. 
important:: + + If you use Kustomize to install the Operator, you must use Kustomize to manage or upgrade that installation. + Do not use ``kubectl krew``, a Helm chart, or similar methods to manage or upgrade a MinIO Operator installation deployed with Kustomize. + + You can, however, use Kustomize to upgrade a previous version of Operator (5.0.14 or earlier) installed with the MinIO Kubernetes Plugin. + +1. Install the latest version of Operator +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. code-block:: shell + :class: copyable + :substitutions: + + kubectl apply -k "github.com/minio/operator?ref=v|operator-version-stable|" + +The output resembles the following: + +.. code-block:: shell + + namespace/minio-operator created + customresourcedefinition.apiextensions.k8s.io/miniojobs.job.min.io created + customresourcedefinition.apiextensions.k8s.io/policybindings.sts.min.io created + customresourcedefinition.apiextensions.k8s.io/tenants.minio.min.io created + serviceaccount/console-sa created + serviceaccount/minio-operator created + clusterrole.rbac.authorization.k8s.io/console-sa-role created + clusterrole.rbac.authorization.k8s.io/minio-operator-role created + clusterrolebinding.rbac.authorization.k8s.io/console-sa-binding created + clusterrolebinding.rbac.authorization.k8s.io/minio-operator-binding created + configmap/console-env created + secret/console-sa-secret created + service/console created + service/operator created + service/sts created + deployment.apps/console created + deployment.apps/minio-operator created + +2. Verify the Operator pods are running +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. code-block:: shell + :class: copyable + + kubectl get pods -n minio-operator + +The output resembles the following: + +.. 
code-block:: shell + + NAME READY STATUS RESTARTS AGE + console-56c7d8bd89-485qh 1/1 Running 0 2m42s + minio-operator-6c758b8c45-nkhlx 1/1 Running 0 2m42s + minio-operator-6c758b8c45-dgd8n 1/1 Running 0 2m42s + +In this example, the ``minio-operator`` pod is MinIO Operator and the ``console`` pod is the Operator Console. + +You can modify your Operator deployment by applying kubectl patches. +You can find examples for common configurations in the `Operator GitHub repository `__. + +.. _minio-k8s-deploy-operator-access-console: + +3. *(Optional)* Configure access to the Operator Console service +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Operator Console service does not automatically bind or expose itself for external access on the Kubernetes cluster. +You must instead configure a network control plane component, such as a load balancer or ingress, to grant that external access. + +For testing purposes or short-term access, expose the Operator Console service through a NodePort using the following patch: + +.. code-block:: shell + :class: copyable + + kubectl patch service -n minio-operator console -p ' + { + "spec": { + "ports": [ + { + "name": "http", + "port": 9090, + "protocol": "TCP", + "targetPort": 9090, + "nodePort": 30090 + }, + { + "name": "https", + "port": 9443, + "protocol": "TCP", + "targetPort": 9443, + "nodePort": 30433 + } + ], + "type": "NodePort" + } + }' + +The patch command should output ``service/console patched``. +You can now access the service through ports ``30433`` (HTTPS) or ``30090`` (HTTP) on any of your Kubernetes worker nodes. + +4. Verify the Operator installation +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Check the contents of the specified namespace (``minio-operator``) to ensure all pods and services have started successfully. + +.. code-block:: shell + :class: copyable + + kubectl get all -n minio-operator + +The response should resemble the following: + +.. 
code-block:: shell + + NAME READY STATUS RESTARTS AGE + pod/console-56c7d8bd89-485qh 1/1 Running 0 5m20s + pod/minio-operator-6c758b8c45-nkhlx 1/1 Running 0 5m20s + pod/minio-operator-6c758b8c45-dgd8n 1/1 Running 0 5m20s + + NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE + service/operator ClusterIP 10.43.135.241 4221/TCP 5m20s + service/sts ClusterIP 10.43.117.251 4223/TCP 5m20s + service/console NodePort 10.43.235.38 9090:30090/TCP,9443:30433/TCP 5m20s + + NAME READY UP-TO-DATE AVAILABLE AGE + deployment.apps/console 1/1 1 1 5m20s + deployment.apps/minio-operator 2/2 2 2 5m20s + + NAME DESIRED CURRENT READY AGE + replicaset.apps/console-56c7d8bd89 1 1 1 5m20s + replicaset.apps/minio-operator-6c758b8c45 2 2 2 5m20s + +5. Retrieve the Operator Console JWT for login +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. code-block:: shell + :class: copyable + + kubectl apply -f - <`. + +.. toctree:: + :titlesonly: + :hidden: + + /operations/deployments/k8s-deploy-operator-helm-on-kubernetes \ No newline at end of file diff --git a/source/operations/deployments/k8s-deploy-minio-on-red-hat-open-shift-kubernetes.rst b/source/operations/deployments/k8s-deploy-minio-on-red-hat-open-shift-kubernetes.rst new file mode 100644 index 000000000..131dcc0a8 --- /dev/null +++ b/source/operations/deployments/k8s-deploy-minio-on-red-hat-open-shift-kubernetes.rst 
@@ -0,0 +1,326 @@
+
+.. _deploy-operator-openshift:
+
+=========================================
+Deploy MinIO Operator on RedHat OpenShift
+=========================================
+
+.. default-domain:: minio
+
+.. contents:: Table of Contents
+ :local:
+ :depth: 1
+
+Red Hat® OpenShift® is an enterprise-ready Kubernetes container platform with full-stack automated operations to manage hybrid cloud, multi-cloud, and edge deployments.
+OpenShift includes an enterprise-grade Linux operating system, container runtime, networking, monitoring, registry, and authentication and authorization solutions.
+
+You can deploy the MinIO Kubernetes Operator through the :openshift-docs:`Red Hat® OpenShift® Container Platform 4.8+ `.
+You can deploy and manage MinIO Tenants through OpenShift after deploying the MinIO Operator.
+This procedure includes instructions for the following deployment paths:
+
+- Purchase and Deploy MinIO through the `RedHat Marketplace `__.
+- Deploy MinIO through the OpenShift `OperatorHub `__
+
+After deploying the MinIO Operator into your OpenShift cluster, you can create and manage MinIO Tenants through the :openshift-docs:`OperatorHub ` user interface.
+
+This documentation assumes familiarity with all referenced Kubernetes and OpenShift concepts, utilities, and procedures.
+While this documentation *may* provide guidance for configuring or deploying Kubernetes-related or OpenShift-related resources on a best-effort basis, it is not a replacement for the official :kube-docs:`Kubernetes Documentation <>` and :openshift-docs:`OpenShift Container Platform 4.8+ Documentation `.
+
+Prerequisites
+-------------
+
+In addition to the general :ref:`MinIO Operator prerequisites `, your OpenShift cluster must also meet the following requirements:
+
+RedHat OpenShift 4.8+
+~~~~~~~~~~~~~~~~~~~~~
+
+The MinIO Kubernetes Operator is available starting with `OpenShift 4.8+ `__.
+
+Red Hat Marketplace installation requires registration of the OpenShift cluster with the Marketplace for the necessary namespaces.
+See `Register OpenShift cluster with Red Hat Marketplace `__ for complete instructions.
+
+For older versions of OpenShift, use the generic :ref:`deploy-operator-kubernetes` procedure.
+
+Administrator Access
+~~~~~~~~~~~~~~~~~~~~
+
+Installation of operators through the Red Hat Marketplace and the Operator Hub is restricted to OpenShift cluster administrators (``cluster-admin`` privileges).
+This procedure requires logging into the Marketplace and/or OpenShift with an account that has those privileges.
+
+OpenShift ``oc`` CLI
+~~~~~~~~~~~~~~~~~~~~
+
+:openshift-docs:`Download and Install ` the OpenShift :abbr:`CLI (command-line interface)` ``oc`` for use in this procedure.
+
+Pod Security Context Constraints
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The MinIO Operator deploys pods using the following default :kube-docs:`Security Context ` per pod:
+
+.. code-block:: yaml
+ :class: copyable
+
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ fsGroup: 1000
+
+Certain OpenShift :openshift-docs:`Security Context Constraints ` limit the allowed UID or GID for a pod such that MinIO cannot deploy the Tenant successfully.
+Ensure that the Project in which the Operator deploys the Tenant has sufficient SCC settings that allow the default pod security context.
+You can alternatively modify the tenant security context settings during deployment.
+
+The following command returns the optimal value for the securityContext:
+
+.. code-block:: shell
+ :class: copyable
+
+ oc get namespace \
+ -o=jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.supplemental-groups}{"\n"}'
+
+The command returns output similar to the following:
+
+.. code-block:: shell
+
+ 1056560000/10000
+
+Take note of this value before the slash for use in this procedure.
+ +Procedure +--------- + +1) Access the MinIO Operator Installation +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Select the tab that corresponds to your preferred installation method: + +.. tab-set:: + + .. tab-item:: Red Hat OperatorHub + + Log into the OpenShift Web Console as a user with ``cluster-admin`` privileges. + + From the :guilabel:`Administrator` panel, select :guilabel:`Operators`, then :guilabel:`OperatorHub`. + + From the :guilabel:`OperatorHub` page, type "MinIO" into the :guilabel:`Filter` text entry. Select the :guilabel:`MinIO Operator` tile from the search list. + + .. image:: /images/openshift/minio-openshift-select-minio.png + :align: center + :width: 90% + :class: no-scaled-link + :alt: From the OperatorHub, search for MinIO, then select the MinIO Tile. + + Select the :guilabel:`MinIO Operator` tile, then click :guilabel:`Install` to begin the installation. + + .. tab-item:: Red Hat Marketplace + + Open the `MinIO Red Hat Marketplace listing `__ in your browser. + Click :guilabel:`Login` to log in with your Red Hat Marketplace account. + + After logging in, click :guilabel:`Purchase` to purchase the MinIO Operator for your account. + + After completing the purchase, click :guilabel:`Workplace` from the top navigation and select :guilabel:`My Software`. + + .. image:: /images/openshift/minio-openshift-marketplace-my-software.png + :align: center + :width: 90% + :class: no-scaled-link + :alt: From the Red Hat Marketplace, select Workplace, then My Software + + Click :guilabel:`MinIO Hybrid Cloud Object Storage` and select :guilabel:`Install Operator` to start the Operator Installation procedure in OpenShift. + +2) Configure and Deploy the Operator +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The :guilabel:`Install Operator` page provides a walkthrough for configuring the MinIO Operator installation. + +.. 
image:: /images/openshift/minio-openshift-operator-installation.png + :align: center + :width: 90% + :class: no-scaled-link + :alt: Complete the Operator Installation Walkthrough + +- For :guilabel:`Update channel`, select any of the available options. + +- For :guilabel:`Installation Mode`, select :guilabel:`All namespaces on the cluster` + +- For :guilabel:`Installed Namespace`, select :guilabel:`openshift-operators` + +- For :guilabel:`Approval Strategy`, select the approval strategy of your choice. + +See the :openshift-docs:`Operator Installation Documentation ` :guilabel:`Step 5` for complete descriptions of each displayed option. + +Click :guilabel:`Install` to start the installation procedure. +The web console displays a widget for tracking the installation progress. + +.. image:: /images/openshift/minio-openshift-operator-installation-progress.png + :align: center + :width: 70% + :class: no-scaled-link + :alt: Wait for Installation to Complete. + +Once installation completes, click :guilabel:`View Operator` to view the MinIO Operator page. + +3) Configure TLS Certificates +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +If you have installed the MinIO Operator from Red Hat OperatorHub, the installation process also configures the :openshift-docs:`OpenShift Service CA Operator `. +This Operator manages the TLS certificates required to access the MinIO Operator Console and Tenants. +It automatically renews and rotates the certificates 13 months before expiration. +No additional action is required. + +For Operator installations deployed by other methods, configure the :openshift-docs:`Service CA certificates ` manually. +See the dropdowns below for details. + +.. dropdown:: OpenShift Service CA Certificate configuration + + To manually enable the ``service-ca`` Operator to manage TLS certificates: + + #. Use the following :openshift-docs:`oc ` command to edit the deployment: + + .. 
code-block:: shell + :class: copyable + + oc edit deployment minio-operator -n minio-operator + + If needed, replace ``minio-operator`` with the name and namespace of your deployment. + ``oc edit`` opens the deployment configuration file in an editor. + + #. In the ``spec`` section, add the highlighted MinIO Operator :ref:`environment variables `: + + .. code-block:: shell + :class: copyable + :emphasize-lines: 5-8 + + containers: + - args: + - controller + env: + - name: MINIO_CONSOLE_TLS_ENABLE + value: 'on' + - name: MINIO_OPERATOR_RUNTIME + value: OpenShift + + #. In the ``volumes`` section, add the following volumes and volume mounts: + + - ``sts-tls`` + - ``openshift-service-ca`` + - ``openshift-csr-signer-ca`` + + The added volume configuration resembles the following: + + .. code-block:: shell + :class: copyable + + volumes: + - name: sts-tls + projected: + sources: + - secret: + name: sts-tls + items: + - key: tls.crt + path: public.crt + - key: tls.key + path: private.key + optional: true + defaultMode: 420 + - name: openshift-service-ca + configMap: + name: openshift-service-ca.crt + items: + - key: service-ca.crt + path: service-ca.crt + defaultMode: 420 + optional: true + - name: openshift-csr-signer-ca + projected: + sources: + - secret: + name: openshift-csr-signer-ca + items: + - key: tls.crt + path: tls.crt + optional: true + defaultMode: 420 + volumeMounts: + - name: openshift-service-ca + mountPath: /tmp/service-ca + - name: openshift-csr-signer-ca + mountPath: /tmp/csr-signer-ca + - name: sts-tls + mountPath: /tmp/sts + +.. dropdown:: OpenShift Service CA Certificate for Helm deployments + + For Helm deployments on OpenShift, add the following :ref:`environment variables ` and volumes to the ``values.yaml`` in the Operator Helm chart before deploying. + + The added YAML configuration for the ``operator`` pod resembles the following: + + .. 
code-block:: + :class: copyable + + operator: + env: + - name: MINIO_OPERATOR_RUNTIME + value: "OpenShift" + - name: MINIO_CONSOLE_TLS_ENABLE + value: "on" + + volumes: + - name: sts-tls + projected: + sources: + - secret: + name: sts-tls + items: + - key: tls.crt + path: public.crt + - key: tls.key + path: private.key + optional: true + defaultMode: 420 + - name: openshift-service-ca + configMap: + name: openshift-service-ca.crt + items: + - key: service-ca.crt + path: service-ca.crt + defaultMode: 420 + optional: true + - name: openshift-csr-signer-ca + projected: + sources: + - secret: + name: openshift-csr-signer-ca + items: + - key: tls.crt + path: tls.crt + optional: true + defaultMode: 420 + volumeMounts: + - name: openshift-service-ca + mountPath: /tmp/service-ca + - name: openshift-csr-signer-ca + mountPath: /tmp/csr-signer-ca + - name: sts-tls + mountPath: /tmp/sts + + +4) Open the MinIO Operator Interface +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +You can find the MinIO Operator Interface from the :guilabel:`Operators` left-hand navigation header + +1. Go to :guilabel:`Operators`, then :guilabel:`Installed Operators`. + +2. For the :guilabel:`Project` dropdown, select :guilabel:`openshift-operators`. + +3. Select :guilabel:`MinIO Operators` from the list of installed operators. + The :guilabel:`Status` column must read :guilabel:`Success` to access the Operator interface. + +5) Next Steps +~~~~~~~~~~~~~ + +After deploying the MinIO Operator, you can create a new MinIO Tenant. +To deploy a MinIO Tenant using OpenShift, see :ref:`deploy-minio-tenant-redhat-openshift`. diff --git a/source/operations/deployments/k8s-deploy-minio-on-suse-rancher-kubernetes.rst b/source/operations/deployments/k8s-deploy-minio-on-suse-rancher-kubernetes.rst new file mode 100644 index 000000000..491b3127b --- /dev/null +++ b/source/operations/deployments/k8s-deploy-minio-on-suse-rancher-kubernetes.rst 
@@ -0,0 +1,265 @@
+.. _deploy-operator-rancher:
+
+=====================================
+Deploy MinIO Operator on SUSE Rancher
+=====================================
+
+.. default-domain:: minio
+
+.. contents:: Table of Contents
+ :local:
+ :depth: 1
+
+SUSE® Rancher® is a multi-cluster container management platform for organizations that deploy containerized workloads, orchestrated by Kubernetes.
+Rancher can manage access, usage, infrastructure and applications across clusters, that are Cloud Native Computing Foundation (CNCF) conformant and certified, anywhere across edge, on-premise data centers, or cloud service providers.
+
+Rancher supports MinIO as part of the `SUSE One Partner Solution Stack `__.
+
+MinIO supports the following methods for installing the MinIO Operator onto SUSE Rancher-managed clusters:
+
+SUSE Rancher Apps & Marketplace
+
+ You can deploy and manage the MinIO Operator through the SUSE Rancher Apps & Marketplace.
+ See `MinIO Object Storage for SUSE Rancher `__ for a procedure on that installation path.
+
+Using Kubernetes Kustomize
+ MinIO provides Kustomize templates for deploying the MinIO Operator onto Kubernetes infrastructure.
+ You can use Kustomize to install the Operator onto Rancher clusters.
+
+ MinIO Operator installations and Tenants deployed through this path require manual subscription with MinIO SUBNET for licensing and support.
+
+Using Kubernetes Helm
+ MinIO provides a Helm chart for deploying the MinIO Operator onto Kubernetes infrastructure.
+ See :ref:`minio-k8s-deploy-operator-helm` for instructions.
+
+ MinIO Operator installations and Tenants deployed through this path require manual subscription with MinIO SUBNET for licensing and support.
+
+This page documents deploying the MinIO Operator through the CLI using Kustomize.
+
+This documentation assumes familiarity with all referenced Kubernetes and Rancher Kubernetes concepts, utilities, and procedures.
+While this documentation *may* provide guidance for configuring or deploying Kubernetes-related or Rancher-related resources on a best-effort basis, it is not a replacement for the official :kube-docs:`Kubernetes Documentation <>`.
+
+Prerequisites
+-------------
+
+In addition to the general :ref:`MinIO Operator prerequisites `, your EKS cluster must also meet the following requirements:
+
+Existing Rancher Cluster
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+This procedure assumes an existing Rancher cluster onto which you can deploy the MinIO Operator.
+
+The Operator by default deploys pods and services with two replicas each and pod anti-affinity.
+The Rancher cluster should therefore have at least two nodes available for scheduling Operator pods and services.
+While these nodes *may* be the same nodes intended for use by MinIO Tenants, co-locating Operator and Tenant pods may increase the risk of service interruptions due to the loss of any one node.
+
+``kubectl`` Access to the Rancher Cluster
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Ensure your host machine has a ``kubectl`` installation compatible with the target Rancher cluster.
+For guidance on connecting ``kubectl`` to Rancher, see `Creating or updating a kubeconfig file for an Amazon EKS cluster `__.
+
+Your ``kubectl`` configuration must include authentication as a user with sufficient permissions to deploy Kubernetes resources.
+You can reference the MinIO Operator default :minio-git:`cluster role ` for guidance on the Kubernetes APIs, resources, and verbs which the Operator uses.
+
+Procedure
+---------
+
+The following steps deploy Operator using Kustomize and a ``kustomization.yaml`` file from the MinIO Operator GitHub repository.
+To install Operator using a Helm chart, see :ref:`Deploy Operator with Helm `.
+
+The following procedure uses ``kubectl -k`` to install the Operator from the MinIO Operator GitHub repository.
+``kubectl -k`` and ``kubectl --kustomize`` are aliases that perform the same command.
+ +.. important:: + + If you use Kustomize to install the Operator, you must use Kustomize to manage or upgrade that installation. + Do not use ``kubectl krew``, a Helm chart, or similar methods to manage or upgrade a MinIO Operator installation deployed with Kustomize. + + You can, however, use Kustomize to upgrade a previous version of Operator (5.0.14 or earlier) installed with the MinIO Kubernetes Plugin. + +1. Install the latest version of Operator +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. code-block:: shell + :class: copyable + :substitutions: + + kubectl apply -k "github.com/minio/operator?ref=v|operator-version-stable|" + +The output resembles the following: + +.. code-block:: shell + + namespace/minio-operator created + customresourcedefinition.apiextensions.k8s.io/miniojobs.job.min.io created + customresourcedefinition.apiextensions.k8s.io/policybindings.sts.min.io created + customresourcedefinition.apiextensions.k8s.io/tenants.minio.min.io created + serviceaccount/console-sa created + serviceaccount/minio-operator created + clusterrole.rbac.authorization.k8s.io/console-sa-role created + clusterrole.rbac.authorization.k8s.io/minio-operator-role created + clusterrolebinding.rbac.authorization.k8s.io/console-sa-binding created + clusterrolebinding.rbac.authorization.k8s.io/minio-operator-binding created + configmap/console-env created + secret/console-sa-secret created + service/console created + service/operator created + service/sts created + deployment.apps/console created + deployment.apps/minio-operator created + +2. Verify the Operator pods are running +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. code-block:: shell + :class: copyable + + kubectl get pods -n minio-operator + +The output resembles the following: + +.. 
code-block:: shell + + NAME READY STATUS RESTARTS AGE + console-56c7d8bd89-485qh 1/1 Running 0 2m42s + minio-operator-6c758b8c45-nkhlx 1/1 Running 0 2m42s + minio-operator-6c758b8c45-dgd8n 1/1 Running 0 2m42s + +In this example, the ``minio-operator`` pod is MinIO Operator and the ``console`` pod is the Operator Console. + +You can modify your Operator deployment by applying kubectl patches. +You can find examples for common configurations in the `Operator GitHub repository `__. + +3. *(Optional)* Configure access to the Operator Console service +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Operator Console service does not automatically bind or expose itself for external access on the Kubernetes cluster. +You must instead configure a network control plane component, such as a load balancer or ingress, to grant that external access. + +For testing purposes or short-term access, expose the Operator Console service through a NodePort using the following patch: + +.. code-block:: shell + :class: copyable + + kubectl patch service -n minio-operator console -p ' + { + "spec": { + "ports": [ + { + "name": "http", + "port": 9090, + "protocol": "TCP", + "targetPort": 9090, + "nodePort": 30090 + }, + { + "name": "https", + "port": 9443, + "protocol": "TCP", + "targetPort": 9443, + "nodePort": 30433 + } + ], + "type": "NodePort" + } + }' + +The patch command should output ``service/console patched``. +You can now access the service through ports ``30433`` (HTTPS) or ``30090`` (HTTP) on any of your Kubernetes worker nodes. + +For Rancher clusters configured with + +4. Verify the Operator installation +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Check the contents of the specified namespace (``minio-operator``) to ensure all pods and services have started successfully. + +.. code-block:: shell + :class: copyable + + kubectl get all -n minio-operator + +The response should resemble the following: + +.. 
code-block:: shell + + NAME READY STATUS RESTARTS AGE + pod/console-56c7d8bd89-485qh 1/1 Running 0 5m20s + pod/minio-operator-6c758b8c45-nkhlx 1/1 Running 0 5m20s + pod/minio-operator-6c758b8c45-dgd8n 1/1 Running 0 5m20s + + NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE + service/operator ClusterIP 10.43.135.241 4221/TCP 5m20s + service/sts ClusterIP 10.43.117.251 4223/TCP 5m20s + service/console NodePort 10.43.235.38 9090:30090/TCP,9443:30433/TCP 5m20s + + NAME READY UP-TO-DATE AVAILABLE AGE + deployment.apps/console 1/1 1 1 5m20s + deployment.apps/minio-operator 2/2 2 2 5m20s + + NAME DESIRED CURRENT READY AGE + replicaset.apps/console-56c7d8bd89 1 1 1 5m20s + replicaset.apps/minio-operator-6c758b8c45 2 2 2 5m20s + +5. Retrieve the Operator Console JWT for login +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. code-block:: shell + :class: copyable + + kubectl apply -f - <`. \ No newline at end of file diff --git a/source/operations/install-deploy-manage/deploy-minio-tenant-helm.rst b/source/operations/deployments/k8s-deploy-minio-tenant-helm-on-kubernetes.rst similarity index 99% rename from source/operations/install-deploy-manage/deploy-minio-tenant-helm.rst rename to source/operations/deployments/k8s-deploy-minio-tenant-helm-on-kubernetes.rst index b9e527bc2..8b239bd89 100644 --- a/source/operations/install-deploy-manage/deploy-minio-tenant-helm.rst +++ b/source/operations/deployments/k8s-deploy-minio-tenant-helm-on-kubernetes.rst 
@@ -43,7 +43,7 @@ You must meet the following requirements to install a MinIO Tenant with Helm: This procedure assumes your Kubernetes cluster access grants you broad administrative permissions. -For more about Tenant installation requirements, including supported Kubernetes versions and TLS certificates, see the :ref:`Tenant deployment prerequisites `. +For more about Tenant installation requirements, including supported Kubernetes versions and TLS certificates, see the :ref:`Tenant deployment prerequisites `. This procedure assumes familiarity the with referenced Kubernetes concepts and utilities. While this documentation may provide guidance for configuring or deploying Kubernetes-related resources on a best-effort basis, it is not a replacement for the official :kube-docs:`Kubernetes Documentation <>`. @@ -367,7 +367,7 @@ This method may support easier pre-configuration of the Tenant compared to the : mc alias set myminio https://localhost:9000 minio minio123 --insecure - This example uses the non-TLS ``myminio-hl`` service, which requires :std:option:`--insecure `. + This example uses the non-TLS ``myminio-hl`` service, which requires the ``--insecure`` option.. If you have a TLS cert configured, omit ``--insecure`` and use ``svc/minio`` instead. diff --git a/source/operations/deployments/k8s-deploy-minio-tenant-on-kubernetes.rst b/source/operations/deployments/k8s-deploy-minio-tenant-on-kubernetes.rst new file mode 100644 index 000000000..220134863 --- /dev/null +++ b/source/operations/deployments/k8s-deploy-minio-tenant-on-kubernetes.rst 
@@ -0,0 +1,259 @@
+.. _minio-k8s-deploy-minio-tenant:
+.. _deploy-minio-tenant-redhat-openshift:
+
+=====================
+Deploy a MinIO Tenant
+=====================
+
+.. default-domain:: minio
+
+.. contents:: Table of Contents
+ :local:
+ :depth: 1
+
+This procedure documents deploying a MinIO Tenant using the MinIO Operator.
+
+.. screenshot temporarily removed
+
+ .. image:: /images/k8s/operator-dashboard.png
+ :align: center
+ :width: 70%
+ :class: no-scaled-link
+ :alt: MinIO Operator Console
+
+
+Deploying Single-Node topologies requires additional configurations not covered in this documentation.
+You can alternatively use a simple Kubernetes YAML object to describe a Single-Node topology for local testing and evaluation as necessary.
+MinIO does not recommend nor support single-node deployment topologies for production environments.
+
+This documentation assumes familiarity with all referenced Kubernetes concepts, utilities, and procedures.
+While this documentation *may* provide guidance for configuring or deploying Kubernetes-related resources on a best-effort basis, it is not a replacement for the official :kube-docs:`Kubernetes Documentation <>`.
+
+.. _minio-k8s-deploy-minio-tenant-security:
+
+Deploy a MinIO Tenant using Kustomize
+-------------------------------------
+
+The following procedure uses ``kubectl -k`` to deploy a MinIO Tenant using the ``base`` Kustomization template in the :minio-git:`MinIO Operator Github repository `.
+
+You can select a different base or pre-built template from the :minio-git:`repository ` as your starting point, or build your own Kustomization resources using the :ref:`MinIO Custom Resource Documentation `.
+
+.. important::
+
+ If you use Kustomize to deploy a MinIO Tenant, you must use Kustomize to manage or upgrade that deployment.
+ Do not use ``kubectl krew``, a Helm Chart, or similar methods to manage or upgrade the MinIO Tenant.
+
+This procedure is not exhaustive of all possible configuration options available in the :ref:`Tenant CRD `.
+It provides a baseline from which you can modify and tailor the Tenant to your requirements.
+
+.. container:: procedure
+
+ #. Create a YAML object for the Tenant
+
+ Use the ``kubectl kustomize`` command to produce a YAML file containing all Kubernetes resources necessary to deploy the ``base`` Tenant:
+
+ .. code-block:: shell
+ :class: copyable
+
+ kubectl kustomize https://github.com/minio/operator/examples/kustomization/base/ > tenant-base.yaml
+
+ The command creates a single YAML file with multiple objects separated by the ``---`` line.
+ Open the file in your preferred editor.
+
+ The following steps reference each object based on it's ``kind`` and ``metadata.name`` fields:
+
+ #. Configure the Tenant topology
+
+ The ``kind: Tenant`` object describes the MinIO Tenant.
+
+ The following fields share the ``spec.pools[0]`` prefix and control the number of servers, volumes per server, and storage class of all pods deployed in the Tenant:
+
+ .. list-table::
+ :header-rows: 1
+ :widths: 30 70
+
+ * - Field
+ - Description
+
+ * - ``servers``
+ - The number of MinIO pods to deploy in the Server Pool.
+
+ * - ``volumesPerServer``
+ - The number of persistent volumes to attach to each MinIO pod (``servers``).
+ The Operator generates ``volumesPerServer x servers`` Persistant Volume Claims for the Tenant.
+
+ * - ``volumeClaimTemplate.spec.storageClassName``
+ - The Kubernetes storage class to associate with the generated Persistent Volume Claims.
+
+ If no storage class exists matching the specified value *or* if the specified storage class cannot meet the requested number of PVCs or storage capacity, the Tenant may fail to start.
+
+ * - ``volumeClaimTemplate.spec.resources.requests.storage``
+ - The amount of storage to request for each generated PVC.
+
+ #. 
Configure Tenant Affinity or Anti-Affinity
+
+ The MinIO Operator supports the following Kubernetes Affinity and Anti-Affinity configurations:
+
+ - Node Affinity (``spec.pools[n].nodeAffinity``)
+ - Pod Affinity (``spec.pools[n].podAffinity``)
+ - Pod Anti-Affinity (``spec.pools[n].podAntiAffinity``)
+
+ MinIO recommends configuring Tenants with Pod Anti-Affinity to ensure that the Kubernetes schedule does not schedule multiple pods on the same worker node.
+
+ If you have specific worker nodes on which you want to deploy the tenant, pass those node labels or filters to the ``nodeAffinity`` field to constrain the scheduler to place pods on those nodes.
+
+ #. Configure Network Encryption
+
+ The MinIO Tenant CRD provides the following fields from which you can configure tenant TLS network encryption:
+
+ .. list-table::
+ :header-rows: 1
+ :widths: 30 70
+
+ * - Field
+ - Description
+
+ * - ``tenant.certificate.requestAutoCert``
+ - Enable or disable MinIO :ref:`automatic TLS certificate generation `
+
+ Defaults to ``true`` or enabled if omitted.
+
+ * - ``tenant.certificate.certConfig``
+ - Customize the behavior of :ref:`automatic TLS `, if enabled.
+
+ * - ``tenant.certificate.externalCertSecret``
+ - Enable TLS for multiple hostnames via Server Name Indication (SNI)
+
+ Specify one or more Kubernetes secrets of type ``kubernetes.io/tls`` or ``cert-manager``.
+
+ * - ``tenant.certificate.externalCACertSecret``
+ - Enable validation of client TLS certificates signed by unknown, third-party, or internal Certificate Authorities (CA).
+
+ Specify one or more Kubernetes secrets of type ``kubernetes.io/tls`` containing the full chain of CA certificates for a given authority.
+
+ #. Configure MinIO Environment Variables
+
+ You can set MinIO Server environment variables using the ``tenant.configuration`` field.
+
+ .. 
list-table::
+ :header-rows: 1
+ :widths: 30 70
+
+ * - Field
+ - Description
+
+ * - ``tenant.configuration``
+ - Specify a Kubernetes opaque secret whose data payload ``config.env`` contains each MinIO environment variable you want to set.
+
+ The ``config.env`` data payload **must** be a base64-encoded string.
+ You can create a local file, set your environment variables, and then use ``cat LOCALFILE | base64`` to create the payload.
+
+ The YAML includes an object ``kind: Secret`` with ``metadata.name: storage-configuration`` that sets the root username, password, erasure parity settings, and enables Tenant Console.
+
+ Modify this as needed to reflect your Tenant requirements.
+
+ #. Review the Namespace
+
+ The YAML object ``kind: Namespace`` sets the default namespace for the Tenant to ``minio-tenant``.
+
+ You can change this value to create a different namespace for the Tenant.
+ You must change **all** ``metadata.namespace`` values in the YAML file to match the Namespace.
+
+ #. Deploy the Tenant
+
+ Use the ``kubectl apply -f`` command to deploy the Tenant.
+
+ .. code-block:: shell
+ :class: copyable
+
+ kubectl apply -f tenant-base.yaml
+
+ The command creates each of the resources specified in the YAML object at the configured namespace.
+
+ You can monitor the progress using the following command:
+
+ .. code-block:: shell
+ :class: copyable
+
+ watch kubectl get all -n minio-tenant
+
+ #. Expose the Tenant MinIO S3 API port
+
+ To test the MinIO Client :mc:`mc` from your local machine, forward the MinIO port and create an alias.
+
+ * Forward the Tenant's MinIO port:
+
+ .. code-block:: shell
+ :class: copyable
+
+ kubectl port-forward svc/MINIO_TENANT_NAME-hl 9000 -n MINIO_TENANT_NAMESPACE
+
+ * Create an alias for the Tenant service:
+
+ .. code-block:: shell
+ :class: copyable
+
+ mc alias set myminio https://localhost:9000 minio minio123 --insecure
+
+ You can use :mc:`mc mb` to create a bucket on the Tenant:
+
+ .. 
code-block:: shell
+ :class: copyable
+
+ mc mb myminio/mybucket --insecure
+
+ If you deployed your MinIO Tenant using TLS certificates minted by a trusted Certificate Authority (CA) you can omit the ``--insecure`` flag.
+
+ See :ref:`create-tenant-connect-tenant` for specific instructions.
+
+.. _create-tenant-connect-tenant:
+
+Connect to the Tenant
+---------------------
+
+The MinIO Operator creates services for the MinIO Tenant.
+
+
+Use the ``kubectl get svc -n NAMESPACE`` command to review the deployed services.
+For Kubernetes services which use a custom ``kubectl`` analog, you can substitute the name of that program.
+
+.. code-block:: shell
+ :class: copyable
+
+ kubectl get svc -n minio-tenant-1
+
+.. code-block:: shell
+
+ NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
+ minio LoadBalancer 10.97.114.60 443:30979/TCP 2d3h
+ TENANT-NAMESPACE-console LoadBalancer 10.106.103.247 9443:32095/TCP 2d3h
+ TENANT-NAMESPACE-hl ClusterIP None 9000/TCP 2d3h
+
+- The ``minio`` service corresponds to the MinIO Tenant service.
+ Applications should use this service for performing operations against the MinIO Tenant.
+
+- The ``*-console`` service corresponds to the :minio-git:`MinIO Console `.
+ Administrators should use this service for accessing the MinIO Console and performing administrative operations on the MinIO Tenant.
+
+The remaining services support Tenant operations and are not intended for consumption by users or administrators.
+
+By default each service is visible only within the Kubernetes cluster.
+Applications deployed inside the cluster can access the services using the ``CLUSTER-IP``.
+
+Applications external to the Kubernetes cluster can access the services using the ``EXTERNAL-IP``.
+This value is only populated for Kubernetes clusters configured for Ingress or a similar network access service.
+Kubernetes provides multiple options for configuring external access to services.
+
+See the Kubernetes documentation on :kube-docs:`Publishing Services (ServiceTypes) ` and :kube-docs:`Ingress ` for more complete information on configuring external access to services.
+
+For specific flavors of Kubernetes, such as OpenShift or Rancher, defer to the service documentation on the preferred or available methods of exposing Services to internal or external access.
+
+.. toctree::
+ :titlesonly:
+ :hidden:
+
+ /operations/deployments/k8s-deploy-minio-tenant-helm-on-kubernetes
+ /operations/deployments/k8s-upgrade-minio-tenant-on-kubernetes
+ /operations/deployments/k8s-expand-minio-tenant-on-kubernetes
+ /operations/deployments/k8s-modify-minio-tenant-on-kubernetes
+ /operations/deployments/k8s-delete-minio-tenant-on-kubernetes
diff --git a/source/operations/install-deploy-manage/deploy-operator-helm.rst b/source/operations/deployments/k8s-deploy-operator-helm-on-kubernetes.rst
similarity index 100%
rename from source/operations/install-deploy-manage/deploy-operator-helm.rst
rename to source/operations/deployments/k8s-deploy-operator-helm-on-kubernetes.rst
diff --git a/source/operations/install-deploy-manage/expand-minio-tenant.rst b/source/operations/deployments/k8s-expand-minio-tenant-on-kubernetes.rst
similarity index 73%
rename from source/operations/install-deploy-manage/expand-minio-tenant.rst
rename to source/operations/deployments/k8s-expand-minio-tenant-on-kubernetes.rst
index c56fecafc..6e1008aa7 100644
--- a/source/operations/install-deploy-manage/expand-minio-tenant.rst
+++ b/source/operations/deployments/k8s-expand-minio-tenant-on-kubernetes.rst
@@ -46,16 +46,14 @@ Persistent Volumes :start-after: start-exclusive-drive-access :end-before: end-exclusive-drive-access -.. cond:: not eks +MinIO can use any Kubernetes :kube-docs:`Persistent Volume (PV) ` that supports the :kube-docs:`ReadWriteOnce ` access mode. +MinIO's consistency guarantees require the exclusive storage access that ``ReadWriteOnce`` provides. - MinIO can use any Kubernetes :kube-docs:`Persistent Volume (PV) ` that supports the :kube-docs:`ReadWriteOnce ` access mode. - MinIO's consistency guarantees require the exclusive storage access that ``ReadWriteOnce`` provides. +For Kubernetes clusters where nodes have Direct Attached Storage, MinIO strongly recommends using the `DirectPV CSI driver `__. +DirectPV provides a distributed persistent volume manager that can discover, format, mount, schedule, and monitor drives across Kubernetes nodes. +DirectPV addresses the limitations of manually provisioning and monitoring :kube-docs:`local persistent volumes `. - For Kubernetes clusters where nodes have Direct Attached Storage, MinIO strongly recommends using the `DirectPV CSI driver `__. - DirectPV provides a distributed persistent volume manager that can discover, format, mount, schedule, and monitor drives across Kubernetes nodes. - DirectPV addresses the limitations of manually provisioning and monitoring :kube-docs:`local persistent volumes `. - -.. cond:: eks +.. note:: MinIO Tenants on EKS must use the :github:`EBS CSI Driver ` to provision the necessary underlying persistent volumes. MinIO strongly recommends using SSD-backed EBS volumes for best performance. 
@@ -117,27 +115,3 @@ The MinIO Operator supports expanding a MinIO Tenant by adding additional pools. You can use the ``kubectl get events -n TENANT-NAMESPACE --watch`` to monitor the progress of expansion. The MinIO Operator updates services to route connections appropriately across the new nodes. If you use customized services, routes, ingress, or similar Kubernetes network components, you may need to update those components for the new pod hostname ranges. - -.. Following link is intended for K8s only -.. _minio-decommissioning: - -Decommission a Tenant Server Pool ----------------------------------- - -Decommissioning a server pool involves three steps: - -1) Run the :mc-cmd:`mc admin decommission start` command against the Tenant - -2) Wait until decommissioning completes - -3) Modify the Tenant YAML to remove the decommissioned pool - -When removing the Tenant pool, ensure the ``spec.pools.[n].name`` fields have values for all remaining pools. - -.. include:: /includes/common-installation.rst - :start-after: start-pool-order-must-not-change - :end-before: end-pool-order-must-not-change - -.. important:: - - You cannot reuse the same pool name or hostname sequence for a decommissioned pool. \ No newline at end of file diff --git a/source/operations/deployments/k8s-minio-operator.rst b/source/operations/deployments/k8s-minio-operator.rst new file mode 100644 index 000000000..85231bca3 --- /dev/null +++ b/source/operations/deployments/k8s-minio-operator.rst 
@@ -0,0 +1,171 @@
+
+.. _deploy-minio-operator:
+
+=========================
+MinIO Kubernetes Operator
+=========================
+
+.. default-domain:: minio
+
+.. contents:: Table of Contents
+ :local:
+ :depth: 1
+
+MinIO is a Kubernetes-native high performance object store with an S3-compatible API.
+The MinIO Kubernetes Operator supports deploying MinIO Tenants onto private and public cloud infrastructures ("Hybrid" Cloud).
+
+The MinIO Operator installs a :kube-docs:`Custom Resource Definition (CRD) ` to support describing MinIO tenants as a Kubernetes :kube-docs:`object `.
+
+The MinIO Operator exists in its own namespace.
+Within the Operator's namespace, the MinIO Operator utilizes two pods:
+
+- The Operator pod for the base Operator functions to deploy, manage, modify, and maintain tenants.
+- Console pod for the Operator's Graphical User Interface, the Operator Console.
+
+See the MinIO Operator :minio-git:`CRD Reference ` for complete documentation on the MinIO CRD.
+
+.. _minio-operator-prerequisites:
+
+Operator Prerequisites
+----------------------
+
+Kubernetes Version 1.21.0
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. important::
+
+ MinIO **strongly recommends** upgrading Production clusters running `End-Of-Life `__ Kubernetes APIs.
+
+Starting with v5.0.0, MinIO **requires** Kubernetes 1.21.0 or later for both the infrastructure and the ``kubectl`` CLI tool.
+
+.. versionadded:: Operator 5.0.6
+
+For Kubernetes 1.25.0 and later, MinIO supports deploying in environments with the :kube-docs:`Pod Security admission (PSA) ` ``restricted`` policy enabled.
+
+
+Kustomize and ``kubectl``
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+`Kustomize `__ is a YAML-based templating tool that allows you to define Kubernetes resources in a declarative and repeatable fashion.
+Kustomize is included with the :kube-docs:`kubectl ` command line tool.
+
+This procedure assumes that your local host machine has both the matching version of ``kubectl`` for your Kubernetes cluster *and* the necessary access to that cluster to create new resources.
+
+The `default MinIO Operator Kustomize template `__ provides a starting point for customizing configurations for your local environment.
+You can modify the default Kustomization file or apply your own `patches `__ to customize the Operator deployment for your Kubernetes cluster.
+
+.. _minio-k8s-deploy-operator-tls:
+
+Kubernetes TLS Certificate API
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. versionchanged:: Operator v.5.0.0
+
+ The MinIO Operator manages TLS Certificate Signing Requests (CSR) using the Kubernetes ``certificates.k8s.io`` :kube-docs:`TLS certificate management API ` to create signed TLS certificates in the following circumstances:
+
+ - When ``autoCert`` is enabled.
+ - For the MinIO Console when the :envvar:`MINIO_CONSOLE_TLS_ENABLE` environment variable is set to ``on``.
+ - For :ref:`STS service ` when :envvar:`OPERATOR_STS_ENABLED` environment variable is set to ``on``.
+ - For retrieving the health of the cluster.
+
+ The MinIO Operator reads certificates inside the ``operator-ca-tls`` secret and syncs this secret within the tenant namespace to trust private certificate authorities, such as when using cert-manager.
+
+For any of these circumstances, the MinIO Operator *requires* that the Kubernetes ``kube-controller-manager`` configuration include the following :kube-docs:`configuration settings `:
+
+- ``--cluster-signing-key-file`` - Specify the PEM-encoded RSA or ECDSA private key used to sign cluster-scoped certificates.
+
+- ``--cluster-signing-cert-file`` - Specify the PEM-encoded x.509 Certificate Authority certificate used to issue cluster-scoped certificates.
+
+The Kubernetes TLS API uses the CA signature algorithm for generating new TLS certificate.
+MinIO recommends ECDSA (e.g. `NIST P-256 curve `__) or EdDSA (e.g. 
:rfc:`Curve25519 <7748>`) TLS private keys/certificates due to their lower computation requirements compared to RSA.
+See :ref:`minio-TLS-supported-cipher-suites` for a complete list of supported TLS Cipher Suites.
+
+If the Kubernetes cluster is not configured to respond to a generated :abbr:`CSR (Certificate Signing Request)`, the Operator cannot complete initialization.
+Some Kubernetes providers do not specify these configuration values by default.
+
+To check whether the ``kube-controller-manager`` specifies the cluster signing key and certificate files, use the following command:
+
+.. code-block:: shell
+ :class: copyable
+
+ kubectl get pod kube-controller-manager-$CLUSTERNAME-control-plane \
+ -n kube-system -o yaml
+
+- Replace ``$CLUSTERNAME`` with the name of the Kubernetes cluster.
+
+Confirm that the output contains the highlighted lines.
+The output of the example command above may differ from the output in your terminal:
+
+.. code-block:: shell
+ :emphasize-lines: 12,13
+
+ spec:
+ containers:
+ - command:
+ - kube-controller-manager
+ - --allocate-node-cidrs=true
+ - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf
+ - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf
+ - --bind-address=127.0.0.1
+ - --client-ca-file=/etc/kubernetes/pki/ca.crt
+ - --cluster-cidr=10.244.0.0/16
+ - --cluster-name=my-cluster-name
+ - --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt
+ - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
+ ...
+
+.. important::
+
+ The MinIO Operator automatically generates TLS certificates for all MinIO Tenant pods using the specified Certificate Authority (CA).
+ Clients external to the Kubernetes cluster must trust the Kubernetes cluster CA to connect to the MinIO Operator or MinIO Tenants.
+
+ Clients which cannot trust the Kubernetes cluster CA can disable TLS validation for connections to the MinIO Operator or a MinIO Tenant.
+
+ Alternatively, you can generate x.509 TLS certificates signed by a known and trusted CA and pass those certificates to MinIO Tenants.
+ See :ref:`minio-tls` for more complete documentation.
+
+Operator Internals
+------------------
+
+Operator Namespace
+~~~~~~~~~~~~~~~~~~
+
+ToDO
+
+Tenant Namespace
+~~~~~~~~~~~~~~~~
+
+When you use the Operator to create a tenant, the tenant *must* have its own namespace.
+Within that namespace, the Operator generates the pods required by the tenant configuration.
+
+Each Tenant pod runs three containers:
+
+- MinIO Container that runs all of the standard MinIO functions, equivalent to basic MinIO installation on baremetal.
+ This container stores and retrieves objects in the provided mount points (persistent volumes).
+
+- InitContainer that only exists during the launch of the pod to manage configuration secrets during startup.
+ Once startup completes, this container terminates.
+
+- SideCar container that monitors configuration secrets for the tenant and updates them as they change.
+ This container also monitors for root credentials and creates an error if it does not find root credentials.
+
+Starting with v5.0.6, the MinIO Operator supports custom :kube-docs:`init containers ` for additional pod initialization that may be required for your environment.
+
+The tenant utilizes Persistent Volume Claims to talk to the Persistent Volumes that store the objects.
+
+.. image:: /images/k8s/OperatorsComponent-Diagram.png
+ :width: 600px
+ :alt: A diagram of the namespaces and pods used by or maintained by the MinIO Operator.
+ :align: center
+
+.. 
toctree::
+ :titlesonly:
+ :hidden:
+
+ /operations/deployments/k8s-deploy-minio-on-kubernetes-upstream
+ /operations/deployments/k8s-deploy-minio-on-red-hat-open-shift-kubernetes
+ /operations/deployments/k8s-deploy-minio-on-suse-rancher-kubernetes
+ /operations/deployments/k8s-deploy-minio-on-elastic-kubernetes-service
+ /operations/deployments/k8s-deploy-minio-on-google-kubernetes-engine
+ /operations/deployments/k8s-deploy-minio-on-azure-kubernetes-service
+ /operations/deployments/k8s-upgrade-minio-operator-kubernetes
\ No newline at end of file
diff --git a/source/operations/deployments/k8s-minio-tenants.rst b/source/operations/deployments/k8s-minio-tenants.rst
new file mode 100644
index 000000000..eaef6d2d8
--- /dev/null
+++ b/source/operations/deployments/k8s-minio-tenants.rst
@@ -0,0 +1,108 @@
+===========================
+MinIO Tenants on Kubernetes
+===========================
+
+.. default-domain:: minio
+
+.. contents:: Table of Contents
+ :local:
+ :depth: 1
+
+A MinIO Tenant consists of a complete set of Kubernetes resources deployed within a namespace that support the MinIO Object Storage service.
+
+This documentation assumes a :ref:`MinIO Operator installation ` on the target Kubernetes infrastructure.
+
+Prerequisites
+-------------
+
+Your Kubernetes infrastructure must meet the following pre-requisites for deploying MinIO Tenants.
+
+MinIO Kubernetes Operator
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The procedures on this page *requires* a valid installation of the MinIO Kubernetes Operator and assumes the local host has a matching installation of the MinIO Kubernetes Operator.
+This procedure assumes the latest stable Operator, version |operator-version-stable|.
+
+See :ref:`deploy-operator-kubernetes` for complete documentation on deploying the MinIO Operator.
+
+Worker Nodes with Local Storage
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+MinIO **strongly recommends** deploying Tenants onto Kubernetes worker nodes with locally attached storage.
+
+The Worker Nodes should meet MinIO's :ref:`hardware checklist ` for production environments.
+
+Avoid colocating MinIO tenants onto worker nodes hosting other high-performance softwares, and where necessary to do so ensure you configure the appropriate limits and constraints to guarantee MinIO access to the necessary compute and storage resources.
+
+.. _deploy-minio-tenant-pv:
+
+Persistent Volumes
+~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/common-admonitions.rst
+ :start-after: start-exclusive-drive-access
+ :end-before: end-exclusive-drive-access
+
+MinIO can typically use any Kubernetes :kube-docs:`Persistent Volume (PV) ` that supports the :kube-docs:`ReadWriteOnce ` access mode.
+MinIO's consistency guarantees require the exclusive storage access that ``ReadWriteOnce`` provides.
+Additionally, MinIO recommends setting a reclaim policy of ``Retain`` for the PVC :kube-docs:`StorageClass `.
+Where possible, configure the Storage Class, CSI, or other provisioner underlying the PV to format volumes as XFS to ensure best performance.
+
+For Kubernetes clusters where nodes have Direct Attached Storage, MinIO strongly recommends using the `DirectPV CSI driver `__.
+DirectPV provides a distributed persistent volume manager that can discover, format, mount, schedule, and monitor drives across Kubernetes nodes.
+DirectPV addresses the limitations of manually provisioning and monitoring :kube-docs:`local persistent volumes `.
+
+For Tenants deploying onto Amazon Elastic, Azure, or Google Kubernetes, select the tabs below for specific guidance on PV configuration:
+
+.. tab-set::
+
+ .. tab-item:: Amazon EKS
+
+ MinIO Tenants on EKS must use the :github:`EBS CSI Driver ` to provision the necessary underlying persistent volumes.
+ MinIO strongly recommends using SSD-backed EBS volumes for best performance.
+ MinIO strongly recommends deploying EBS-based PVs with the XFS filesystem.
+ Create a StorageClass for the MinIO EBS PVs and set the ``csi.storage.k8s.io/fstype`` `parameter `__ to ``xfs`` .
+
+ MinIO recommends the following :github:`EBS volume types `:
+
+ - ``io2`` (Provisioned IOPS SSD) **Preferred**
+ - ``io1`` (Provisioned IOPS SSD)
+ - ``gp3`` (General Purpose SSD)
+ - ``gp2`` (General Purpose SSD)
+
+ For more information on EBS resources, see `EBS Volume Types `__.
+ For more information on StorageClass Parameters, see `StorageClass Parameters `__.
+
+ .. tab-item:: Google GKS
+
+ MinIO Tenants on GKE should use the :gke-docs:`Compute Engine Persistent Disk CSI Driver ` to provision the necessary underlying persistent volumes.
+
+ MinIO recommends the following :gke-docs:`GKE CSI Driver ` storage classes:
+
+ - ``standard-rwo`` (Balanced Persistent SSD)
+ - ``premium-rwo`` (Performance Persistent SSD)
+
+ MinIO strongly recommends SSD-backed disk types for best performance.
+ For more information on GKE disk types, see :gcp-docs:`Persistent Disks `.
+
+ .. tab-item:: Azure AKS
+
+ MinIO Tenants on AKS should use the :azure-docs:`Azure Disks CSI driver ` to provision the necessary underlying persistent volumes.
+
+ MinIO recommends the following :aks-docs:`AKS CSI Driver ` storage classes:
+
+ - ``managed-csi`` (Standard SSD)
+ - ``managed-csi-premium`` (Premium SSD)
+
+ MinIO strongly recommends SSD-backed disk types for best performance.
+ For more information on AKS disk types, see :azure-docs:`Azure disk types `.
+
+.. toctree::
+ :titlesonly:
+ :hidden:
+
+ /operations/deployments/k8s-deploy-minio-tenant-on-kubernetes
+ /operations/deployments/k8s-modify-minio-tenant-on-kubernetes
+ /operations/deployments/k8s-upgrade-minio-tenant-on-kubernetes
+ /operations/deployments/k8s-expand-minio-tenant-on-kubernetes
+ /operations/deployments/k8s-delete-minio-tenant-on-kubernetes
\ No newline at end of file
diff --git a/source/operations/deployments/k8s-modify-minio-tenant-on-kubernetes.rst b/source/operations/deployments/k8s-modify-minio-tenant-on-kubernetes.rst
new file mode 100644
index 000000000..42ca5227d
--- /dev/null
+++ b/source/operations/deployments/k8s-modify-minio-tenant-on-kubernetes.rst
@@ -0,0 +1,78 @@
+.. _minio-k8s-modify-minio-tenant:
+.. _minio-k8s-modify-minio-tenant-security:
+
+=====================
+Modify a MinIO Tenant
+=====================
+
+.. default-domain:: minio
+
+.. contents:: Table of Contents
+ :local:
+ :depth: 1
+
+You can modify tenants after deployment to change mutable configuration settings.
+See :ref:`minio-operator-crd` for a complete description of available settings in the MinIO Custom Resource Definition.
+
+The method for modifying the Tenant depends on how you deployed the tenant:
+
+.. tab-set::
+
+ .. tab-item:: Kustomize
+ :sync: kustomize
+
+ For Kustomize-deployed Tenants, you can modify the base Kustomization resources and apply them using ``kubectl apply -k`` against the directory containing the ``kustomization.yaml`` object.
+
+ .. code-block:: shell
+
+ kubectl apply -k ~/kustomization/TENANT-NAME/
+
+ Modify the path to the Kustomization directory to match your local configuration.
+
+ .. tab-item:: Helm
+ :sync: helm
+
+ For Helm-deployed Tenants, you can modify the base ``values.yaml`` and upgrade the Tenant using the chart:
+
+ .. code-block:: shell
+
+ helm upgrade TENANT-NAME minio-operator/tenant -f values.yaml -n TENANT-NAMESPACE
+
+ The command above assumes use of the MinIO Operator Chart repository.
+ If you installed the Chart manually or by using a different repository name, specify that chart or name in the command.
+
+ Replace ``TENANT-NAME`` and ``TENANT-NAMESPACE`` with the name and namespace of the Tenant, respectively.
+ You can use ``helm list -n TENANT-NAMESPACE`` to validate the Tenant name.
+
+Add Trusted Certificate Authorities
+ The MinIO Tenant validates the TLS certificate presented by each connecting client against the host system's trusted root certificate store.
+ The MinIO Operator can attach additional third-party Certificate Authorities (CA) to the Tenant to allow validation of client TLS certificates signed by those CAs.
+
+ To customize the trusted CAs mounted to each Tenant MinIO pod, enable the :guilabel:`Custom Certificates` switch.
+ Select the :guilabel:`Add CA Certificate +` button to add third party CA certificates.
+
+ If the MinIO Tenant cannot match an incoming client's TLS certificate issuer against either the container OS's trust store *or* an explicitly attached CA, MinIO rejects the connection as invalid.
+
+
+Manage Tenant Pools
+-------------------
+
+Specify Runtime Class
+~~~~~~~~~~~~~~~~~~~~~
+
+.. versionadded:: Console 0.23.1
+
+When adding a new pool or modifying an existing pool for a tenant, you can specify the :kube-docs:`Runtime Class Name ` for pools to use.
+
+.. Following link is intended for K8s only
+
+Decommission a Tenant Server Pool
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+MinIO Operator 4.4.13 and later support decommissioning a server pool in a Tenant.
+Specifically, you can follow the :minio-docs:`Decommission a Server pool ` procedure to remove the pool from the tenant, then edit the tenant YAML to drop the pool from the StatefulSet.
+When removing the Tenant pool, ensure the ``spec.pools.[n].name`` fields have values for all remaining pools.
+
+.. include:: /includes/common-installation.rst
+ :start-after: start-pool-order-must-not-change
+ :end-before: end-pool-order-must-not-change
diff --git a/source/operations/install-deploy-manage/upgrade-minio-operator-4.5.7-earlier.rst b/source/operations/deployments/k8s-upgrade-minio-operator-4.5.7-earlier.rst
similarity index 94%
rename from source/operations/install-deploy-manage/upgrade-minio-operator-4.5.7-earlier.rst
rename to source/operations/deployments/k8s-upgrade-minio-operator-4.5.7-earlier.rst
index e9ceedcc2..58e9827d6 100644
--- a/source/operations/install-deploy-manage/upgrade-minio-operator-4.5.7-earlier.rst
+++ b/source/operations/deployments/k8s-upgrade-minio-operator-4.5.7-earlier.rst
@@ -179,7 +179,7 @@ Procedure "value": "cluster.local" } ], - "image": "minio/operator:v|operator-version-stable|", + "image": "minio/operator:v5.0.x", "imagePullPolicy": "IfNotPresent", "name": "minio-operator" } @@ -227,15 +227,6 @@ Procedure kubectl get pod -l 'name=minio-operator' -n minio-operator -o json | jq '.items[0].spec.containers' - #. *(Optional)* Connect to the Operator Console - - .. include:: /includes/common/common-k8s-connect-operator-console-no-plugin.rst - - #. Retrieve the Operator Console JWT for login - - To continue upgrading to |operator-version-stable|, see :ref:`minio-k8s-upgrade-minio-operator`. - - .. include:: /includes/common/common-k8s-operator-console-jwt.rst .. tab-item:: Upgrade using Helm @@ -271,6 +262,34 @@ Procedure NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION operator minio-operator 1 2023-11-01 15:49:54.539724775 -0400 EDT deployed operator-5.0.x v5.0.x + You can also introspect the operator pods directly to determine the installed version. + The following example uses the ``jq`` tool to filter the necessary information from ``kubectl``: + + .. code-block:: shell + :class: copyable + + kubectl get pod -l 'name=minio-operator' -n minio-operator -o json | jq '.items[0].spec.containers' + + The output resembles the following: + + .. code-block:: json + :emphasize-lines: 8-10 + :substitutions: + + { + "env": [ + { + "name": "CLUSTER_DOMAIN", + "value": "cluster.local" + } + ], + "image": "minio/operator:v5.0.x", + "imagePullPolicy": "IfNotPresent", + "name": "minio-operator" + } + + If your local host does not have the ``jq`` utility installed, you can run the first part of the command and locate the ``spec.containers`` section of the output. + #. Update the Operator Repository Use ``helm repo update minio-operator`` to update the MinIO Operator repo. 
@@ -315,11 +334,13 @@ Procedure #. Validate the Operator upgrade - .. include:: /includes/common/common-k8s-connect-operator-console-no-plugin.rst + You can check the new Operator version with the same ``kubectl`` command used previously: - #. Retrieve the Operator Console JWT for login + .. code-block:: shell + :class: copyable + + kubectl get pod -l 'name=minio-operator' -n minio-operator -o json | jq '.items[0].spec.containers' - .. include:: /includes/common/common-k8s-operator-console-jwt.rst .. _minio-k8s-upgrade-minio-operator-to-4.5.8: @@ -397,8 +418,6 @@ You can then upgrade from release 4.5.8 to 5.0.15. You can check the Operator version by reviewing the object specification for an Operator Pod using a previous step. - .. include:: /includes/common/common-k8s-connect-operator-console.rst - .. _minio-k8s-upgrade-minio-operator-4.2.2-procedure: Upgrade MinIO Operator 4.0.0 through 4.2.2 to 4.2.3 diff --git a/source/operations/install-deploy-manage/upgrade-minio-operator.rst b/source/operations/deployments/k8s-upgrade-minio-operator-kubernetes.rst similarity index 100% rename from source/operations/install-deploy-manage/upgrade-minio-operator.rst rename to source/operations/deployments/k8s-upgrade-minio-operator-kubernetes.rst diff --git a/source/operations/install-deploy-manage/upgrade-minio-tenant.rst b/source/operations/deployments/k8s-upgrade-minio-tenant-on-kubernetes.rst similarity index 100% rename from source/operations/install-deploy-manage/upgrade-minio-tenant.rst rename to source/operations/deployments/k8s-upgrade-minio-tenant-on-kubernetes.rst diff --git a/source/operations/deployments/kubernetes.rst b/source/operations/deployments/kubernetes.rst new file mode 100644 index 000000000..12edb7f7b --- /dev/null +++ b/source/operations/deployments/kubernetes.rst 
@@ -0,0 +1,48 @@
+.. _minio-kubernetes:
+
+==========================
+Deploy MinIO on Kubernetes
+==========================
+
+.. default-domain:: minio
+
+.. contents:: Table of Contents
+ :local:
+ :depth: 1
+
+MinIO is a Kubernetes-native high performance object store with an S3-compatible API.
+The MinIO Kubernetes Operator supports deploying MinIO Tenants onto private and public cloud infrastructures ("Hybrid" Cloud).
+
+All documentation assumes familiarity with referenced Kubernetes concepts, utilities, and procedures.
+While MinIO documentation *may* provide guidance for configuring or deploying Kubernetes-related resources on a best-effort basis, it is not a replacement for the official :kube-docs:`Kubernetes Documentation <>`.
+
+MinIO Operator Architecture
+---------------------------
+
+.. todo: image of architecture
+
+MinIO Operator
+--------------
+
+The MinIO Operator is a first-party Kubernetes-native operator that manages the deployment of MinIO Tenants onto Kubernetes infrastructure.
+
+The Operator provides MinIO-centric functionality around Tenant management, including support for configuring all core MinIO features.
+
+You can interact with the Operator through the MinIO :kube-docs:`Custom Resource Definition (CRD) `, or through the Operator Console UI.
+
+The CRD provides a highly customizable entry point for using tools like Kustomize for deploying Tenants.
+You can also use the MinIO Operator Console, a rich web-based UI that has complete support for deploying and configuring MinIO Tenants.
+
+.. important::
+
+ The MinIO Operator Console UI is deprecated and removed in MinIO Operator 6.0.0.
+
+ You can continue to use standard Kubernetes approaches for MinIO Tenant management, such as Kustomize templates, Helm Charts, and ``kubectl`` commands for introspecting Tenant namespaces and resources.
+
+
+.. 
toctree:: + :titlesonly: + :hidden: + + /operations/deployments/k8s-minio-operator + /operations/deployments/k8s-minio-tenants \ No newline at end of file diff --git a/source/operations/external-iam.rst b/source/operations/external-iam.rst index 3548c2141..f9fb1c3fd 100644 --- a/source/operations/external-iam.rst +++ b/source/operations/external-iam.rst @@ -46,12 +46,11 @@ For example, consider a claim with the following key-value assignment: The specified policy claim directs MinIO to attach the policies with names matching ``readwrite_data``, ``read_analytics``, and ``read_logs`` to the authenticated user. -.. cond:: linux or container or macos or windows - You can set a custom policy claim using the - :envvar:`MINIO_IDENTITY_OPENID_CLAIM_NAME` environment variable - *or* by using :mc-cmd:`mc admin config set` to set the - :mc-conf:`identity_openid claim_name ` setting. +You can set a custom policy claim using the +:envvar:`MINIO_IDENTITY_OPENID_CLAIM_NAME` environment variable +*or* by using :mc-cmd:`mc admin config set` to set the +:mc-conf:`identity_openid claim_name ` setting. See :ref:`minio-external-identity-management-openid-access-control` for more information on mapping MinIO policies to an OIDC-managed identity. 
@@ -77,36 +76,35 @@ Querying the Active Directory / LDAP Service MinIO queries the configured Active Directory / LDAP server to verify the credentials specified by the application and optionally return a list of groups in which the user has membership. This process, called Lookup-Bind mode, uses an AD/LDAP user with minimal permissions, only sufficient to authenticate with the AD/LDAP server for user and group lookups. -.. cond:: linux or container or macos or windows - The following tabs provide a reference of the environment variables and - configuration settings required for enabling Lookup-Bind mode. +The following tabs provide a reference of the environment variables and +configuration settings required for enabling Lookup-Bind mode. - .. tab-set:: +.. tab-set:: - .. tab-item:: Environment Variable + .. tab-item:: Environment Variable - - :envvar:`MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN` - - :envvar:`MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD` - - :envvar:`MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN` - - :envvar:`MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER` + - :envvar:`MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN` + - :envvar:`MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD` + - :envvar:`MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN` + - :envvar:`MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER` - See the :ref:`minio-server-envvar-external-identity-management-ad-ldap` - reference documentation for more information on these variables. The - :ref:`minio-authenticate-using-ad-ldap-generic` tutorial includes complete - instructions on setting these values. + See the :ref:`minio-server-envvar-external-identity-management-ad-ldap` + reference documentation for more information on these variables. The + :ref:`minio-authenticate-using-ad-ldap-generic` tutorial includes complete + instructions on setting these values. - .. tab-item:: Configuration Setting + .. 
tab-item:: Configuration Setting - - :mc-conf:`identity_ldap lookup_bind_dn ` - - :mc-conf:`identity_ldap lookup_bind_password ` - - :mc-conf:`identity_ldap user_dn_search_base_dn ` - - :mc-conf:`identity_ldap user_dn_search_filter ` + - :mc-conf:`identity_ldap lookup_bind_dn ` + - :mc-conf:`identity_ldap lookup_bind_password ` + - :mc-conf:`identity_ldap user_dn_search_base_dn ` + - :mc-conf:`identity_ldap user_dn_search_filter ` - See the :mc-conf:`identity_ldap` reference documentation for more - information on these settings. The - :ref:`minio-authenticate-using-ad-ldap-generic` tutorial includes complete - instructions on setting these variables. + See the :mc-conf:`identity_ldap` reference documentation for more + information on these settings. The + :ref:`minio-authenticate-using-ad-ldap-generic` tutorial includes complete + instructions on setting these variables. .. _minio-external-identity-management-ad-ldap-access-control: 
@@ -137,36 +135,30 @@ Group Lookup MinIO supports querying the Active Directory / LDAP server for a list of groups in which the authenticated user has membership. MinIO attempts to match existing :ref:`policies ` to each group DN and assigns each matching policy to the authenticated user. -.. cond:: k8s +The following tabs provide a reference of the environment variables and configuration settings required for enabling group lookups: - The MinIO Operator Console provides the necessary fields for configuring Group Lookup as part of configuring AD/LDAP identity management for new or existing MinIO Tenants. +.. tab-set:: -.. cond:: linux or container or macos or windows + .. tab-item:: Environment Variable - The following tabs provide a reference of the environment variables and configuration settings required for enabling group lookups: + - :envvar:`MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN` + - :envvar:`MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER` - .. tab-set:: + See the :ref:`minio-server-envvar-external-identity-management-ad-ldap` + reference documentation for more information on these variables. The + :ref:`minio-authenticate-using-ad-ldap-generic` tutorial includes complete + instructions on setting these values. - .. tab-item:: Environment Variable + .. tab-item:: Configuration Setting - - :envvar:`MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN` - - :envvar:`MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER` - See the :ref:`minio-server-envvar-external-identity-management-ad-ldap` - reference documentation for more information on these variables. The - :ref:`minio-authenticate-using-ad-ldap-generic` tutorial includes complete - instructions on setting these values. + - :mc-conf:`identity_ldap group_search_base_dn ` + - :mc-conf:`identity_ldap group_search_filter ` - .. 
tab-item:: Configuration Setting - - - - :mc-conf:`identity_ldap group_search_base_dn ` - - :mc-conf:`identity_ldap group_search_filter ` - - See the :mc-conf:`identity_ldap` reference documentation for more - information on these settings. The - :ref:`minio-authenticate-using-ad-ldap-generic` tutorial includes complete - instructions on setting these variables. + See the :mc-conf:`identity_ldap` reference documentation for more + information on these settings. The + :ref:`minio-authenticate-using-ad-ldap-generic` tutorial includes complete + instructions on setting these variables. .. toctree:: :glob: diff --git a/source/operations/external-iam/configure-ad-ldap-external-identity-management.rst b/source/operations/external-iam/configure-ad-ldap-external-identity-management.rst index 636f8d927..d92c27e12 100644 --- a/source/operations/external-iam/configure-ad-ldap-external-identity-management.rst +++ b/source/operations/external-iam/configure-ad-ldap-external-identity-management.rst 
@@ -18,258 +18,99 @@ MinIO supports configuring a single Active Directory / LDAP Connect for external The procedure on this page provides instructions for: -.. cond:: k8s +.. tab-set:: + :class: parent-tab - - Configuring a MinIO Tenant to use an external AD/LDAP provider - - Accessing the Tenant Console using AD/LDAP Credentials. - - Using the MinIO ``AssumeRoleWithLDAPIdentity`` Security Token Service (STS) API to generate temporary credentials for use by applications. + .. tab-item:: Kubernetes + :sync: k8s -.. cond:: linux or macos or container or windows + For MinIO Tenants deployed using the :ref:`MinIO Kubernetes Operator `, this procedure covers: - - Configuring a MinIO cluster for an external AD/LDAP provider. - - Accessing the MinIO Console using AD/LDAP credentials. - - Using the MinIO ``AssumeRoleWithLDAPIdentity`` Security Token Service (STS) API to generate temporary credentials for use by applications. + - Configuring a MinIO Tenant to use an external AD/LDAP provider + - Accessing the Tenant Console using AD/LDAP Credentials. + - Using the MinIO ``AssumeRoleWithLDAPIdentity`` Security Token Service (STS) API to generate temporary credentials for use by applications. + + .. tab-item:: Baremetal + :sync: baremetal + + For MinIO deployments on baremetal infrastructure, this procedure covers: + + - Configuring a MinIO cluster for an external AD/LDAP provider. + - Accessing the MinIO Console using AD/LDAP credentials. + - Using the MinIO ``AssumeRoleWithLDAPIdentity`` Security Token Service (STS) API to generate temporary credentials for use by applications. This procedure is generic for AD/LDAP services. See the documentation for the AD/LDAP provider of your choice for specific instructions or procedures on configuration of user identities. - Prerequisites ------------- -.. cond:: k8s - - MinIO Kubernetes Operator - ~~~~~~~~~~~~~~~~~~~~~~~~~ - - .. 
include:: /includes/k8s/common-operator.rst - :start-after: start-requires-operator-plugin - :end-before: end-requires-operator-plugin - -Active Directory / LDAP Compatible IDentity Provider -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -This procedure assumes an existing Active Directory or LDAP service. -Instructions on configuring AD/LDAP are out of scope for this procedure. - -.. cond:: k8s - - - For AD/LDAP deployments within the same Kubernetes cluster as the MinIO Tenant, you can use Kubernetes service names to allow the MinIO Tenant to establish connectivity to the AD/LDAP service. - - - For AD/LDAP deployments external to the Kubernetes cluster, you must ensure the cluster supports routing communications between Kubernetes services and pods and the external network. - This may require configuration or deployment of additional Kubernetes network components and/or enabling access to the public internet. - -MinIO requires a read-only access keys with which it :ref:`binds ` to perform authenticated user and group queries. -Ensure each AD/LDAP user and group intended for use with MinIO has a corresponding :ref:`policy ` on the MinIO deployment. -An AD/LDAP user with no assigned policy *and* with membership in groups with no assigned policy has no permission to access any action or resource on the MinIO cluster. - -.. cond:: k8s - - MinIO Tenant - ~~~~~~~~~~~~ - - This procedure assumes your Kubernetes cluster has sufficient resources to :ref:`deploy a new MinIO Tenant `. - - You can also use this procedure as guidance for modifying an existing MinIO Tenant to enable AD/LDAP Identity Management. - -.. cond:: linux or container or macos or windows - - MinIO Deployment - ~~~~~~~~~~~~~~~~ - - This procedure assumes an existing MinIO cluster running the :minio-git:`latest stable MinIO version `. - Defer to the :ref:`minio-installation` for more complete documentation on new MinIO deployments. 
- - This procedure *may* work as expected for older versions of MinIO. - -.. cond:: linux or container or macos or windows - - Install and Configure ``mc`` with Access to the MinIO Cluster - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - This procedure uses :mc:`mc` for performing operations on the MinIO cluster. - Install ``mc`` on a machine with network access to the cluster. - See the ``mc`` :ref:`Installation Quickstart ` for instructions on downloading and installing ``mc``. - - This procedure assumes a configured :mc:`alias ` for the MinIO cluster. - -.. Lightly modeled after the SSE tutorials - -.. cond:: k8s - - .. _minio-external-identity-management-ad-ldap-configure: - - .. include:: /includes/k8s/steps-configure-ad-ldap-external-identity-management.rst - -.. Doing this the quick and dirty way. Need to revise later to be proper full includes via stepfiles - -.. cond:: linux or container or macos or windows +Access to MinIO Cluster +~~~~~~~~~~~~~~~~~~~~~~~ - .. _minio-external-identity-management-ad-ldap-configure: +.. tab-set:: + :class: hidden + .. tab-item:: Kubernetes + :sync: k8s - Procedure - --------- + You must have access to the MinIO Operator Console web UI. + You can either expose the MinIO Operator Console service using your preferred Kubernetes routing component, or use temporary port forwarding to expose the Console service port on your local machine. - 1) Set the Active Directory / LDAP Configuration Settings - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + .. tab-item:: Baremetal + :sync: baremetal - Configure the AD/LDAP provider using one of the following: + This procedure uses :mc:`mc` for performing operations on the MinIO cluster. + Install ``mc`` on a machine with network access to the cluster. + See the ``mc`` :ref:`Installation Quickstart ` for instructions on downloading and installing ``mc``. 
- * MinIO Client - * Environment variables - * MinIO Console + This procedure assumes a configured :mc:`alias ` for the MinIO cluster. - All methods require starting/restarting the MinIO deployment to apply changes. - - The following tabs provide a quick reference for the available configuration methods: - - .. tab-set:: - - .. tab-item:: MinIO Client - - MinIO supports specifying the AD/LDAP provider settings using :mc:`mc idp ldap` commands. - - For distributed deployments, the :mc:`mc idp ldap` command applies the configuration to all nodes in the deployment. - - The following example code sets *all* configuration settings related to configuring an AD/LDAP provider for external identity management. - The minimum *required* settings are: - - - :mc-conf:`server_addr ` - - :mc-conf:`lookup_bind_dn ` - - :mc-conf:`lookup_bind_password ` - - :mc-conf:`user_dn_search_base_dn ` - - :mc-conf:`user_dn_search_filter ` - - .. code-block:: shell - :class: copyable - - mc idp ldap add ALIAS \ - server_addr="ldaps.example.net:636" \ - lookup_bind_dn="CN=xxxxx,OU=xxxxx,OU=xxxxx,DC=example,DC=net" \ - lookup_bind_password="xxxxxxxx" \ - user_dn_search_base_dn="DC=example,DC=net" \ - user_dn_search_filter="(&(objectCategory=user)(sAMAccountName=%s))" \ - group_search_filter= "(&(objectClass=group)(member=%d))" \ - group_search_base_dn="ou=MinIO Users,dc=example,dc=net" \ - enabled="true" \ - tls_skip_verify="off" \ - server_insecure=off \ - server_starttls="off" \ - srv_record_name="" \ - comment="Test LDAP server" - - For more complete documentation on these settings, see :mc:`mc idp ldap`. - - .. admonition:: :mc:`mc idp ldap` recommended - :class: note - - :mc:`mc idp ldap` offers additional features and improved validation over :mc-cmd:`mc admin config set` runtime configuration settings. - :mc:`mc idp ldap` supports the same settings as :mc:`mc admin config` and the :mc-conf:`identity_ldap` configuration key. 
- - The :mc-conf:`identity_ldap` configuration key remains available for existing scripts and tools. - - .. tab-item:: Environment Variables - - MinIO supports specifying the AD/LDAP provider settings using :ref:`environment variables `. - The :mc:`minio server` process applies the specified settings on its next startup. - For distributed deployments, specify these settings across all nodes in the deployment using the *same* values. - Any differences in server configurations between nodes will result in startup or configuration failures. - - The following example code sets *all* environment variables related to configuring an AD/LDAP provider for external identity management. The minimum *required* variable are: - - - :envvar:`MINIO_IDENTITY_LDAP_SERVER_ADDR` - - :envvar:`MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN` - - :envvar:`MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD` - - :envvar:`MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN` - - :envvar:`MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER` - - .. code-block:: shell - :class: copyable - - export MINIO_IDENTITY_LDAP_SERVER_ADDR="ldaps.example.net:636" - export MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN="CN=xxxxx,OU=xxxxx,OU=xxxxx,DC=example,DC=net" - export MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN="dc=example,dc=net" - export MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER="(&(objectCategory=user)(sAMAccountName=%s))" - export MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD="xxxxxxxxx" - export MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER="(&(objectClass=group)(member=%d))" - export MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN="ou=MinIO Users,dc=example,dc=net" - export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY="off" - export MINIO_IDENTITY_LDAP_SERVER_INSECURE="off" - export MINIO_IDENTITY_LDAP_SERVER_STARTTLS="off" - export MINIO_IDENTITY_LDAP_SRV_RECORD_NAME="" - export MINIO_IDENTITY_LDAP_COMMENT="LDAP test server" - - For complete documentation on these variables, see :ref:`minio-server-envvar-external-identity-management-ad-ldap` - - .. 
tab-item:: MinIO Console - - MinIO supports specifying the AD/LDAP provider settings using the :ref:`MinIO Console `. - For distributed deployments, configuring AD/LDAP from the Console applies the configuration to all nodes in the deployment. - - .. include:: /includes/common-minio-external-auth.rst - :start-after: start-minio-ad-ldap-console-enable - :end-before: end-minio-ad-ldap-console-enable - - 2) Restart the MinIO Deployment - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - You must restart the MinIO deployment to apply the configuration changes. - - If you configured AD/LDAP from the MinIO Console, no additional action is required. - The MinIO Console automatically restarts the deployment after saving the new AD/LDAP configuration. - - For MinIO Client and environment variable configuration, use the :mc-cmd:`mc admin service restart` command to restart the deployment: - - .. code-block:: shell - :class: copyable - - mc admin service restart ALIAS +Active Directory / LDAP Compatible IDentity Provider +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Replace ``ALIAS`` with the :ref:`alias ` of the deployment to restart. +This procedure assumes an existing Active Directory or LDAP service. +Instructions on configuring AD/LDAP are out of scope for this procedure. - 3) Use the MinIO Console to Log In with AD/LDAP Credentials - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.. tab-set:: + :class: hidden - The MinIO Console supports the full workflow of authenticating to the AD/LDAP provider, generating temporary credentials using the MinIO :ref:`minio-sts-assumerolewithldapidentity` Security Token Service (STS) endpoint, and logging the user into the MinIO deployment. + .. tab-item:: Kubernetes + :sync: k8s - You can access the Console by opening the root URL for the MinIO cluster. For example, ``https://minio.example.net:9000``. 
+ - For AD/LDAP deployments within the same Kubernetes cluster as the MinIO Tenant, you can use Kubernetes service names to allow the MinIO Tenant to establish connectivity to the AD/LDAP service. - Once logged in, you can perform any action for which the authenticated user is :ref:`authorized `. + - For AD/LDAP deployments external to the Kubernetes cluster, you must ensure the cluster supports routing communications between Kubernetes services and pods and the external network. + This may require configuration or deployment of additional Kubernetes network components and/or enabling access to the public internet. - You can also create :ref:`access keys ` for supporting applications which must perform operations on MinIO. - Access Keys are long-lived credentials which inherit their privileges from the parent user. - The parent user can further restrict those privileges while creating the service account. + .. tab-item:: Baremetal + :sync: baremetal - 4) Generate S3-Compatible Temporary Credentials using AD/LDAP Credentials - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + The MinIO deployment must have bidirectional network connectivity to the target AD / LDAP service. - MinIO requires clients to authenticate using :s3-api:`AWS Signature Version 4 protocol ` with support for the deprecated Signature Version 2 protocol. - Specifically, clients must present a valid access key and secret key to access any S3 or MinIO administrative API, such as ``PUT``, ``GET``, and ``DELETE`` operations. +MinIO requires a read-only access keys with which it :ref:`binds ` to perform authenticated user and group queries. +Ensure each AD/LDAP user and group intended for use with MinIO has a corresponding :ref:`policy ` on the MinIO deployment. +An AD/LDAP user with no assigned policy *and* with membership in groups with no assigned policy has no permission to access any action or resource on the MinIO cluster. 
- Applications can generate temporary access credentials as-needed using the :ref:`minio-sts-assumerolewithldapidentity` Security Token Service (STS) API endpoint and AD/LDAP user credentials. - MinIO provides an example Go application :minio-git:`ldap.go ` that manages this workflow. +.. _minio-external-identity-management-ad-ldap-configure: - .. code-block:: shell +Configure MinIO with Active Directory or LDAP External Identity Management +-------------------------------------------------------------------------- - POST https://minio.example.net?Action=AssumeRoleWithLDAPIdentity - &LDAPUsername=USERNAME - &LDAPPassword=PASSWORD - &Version=2011-06-15 - &Policy={} +.. tab-set:: + :class: hidden - - Replace the ``LDAPUsername`` with the username of the AD/LDAP user. + .. tab-item:: Kubernetes + :sync: k8s - - Replace the ``LDAPPassword`` with the password of the AD/LDAP user. + .. include:: /includes/k8s/steps-configure-ad-ldap-external-identity-management.rst - - Replace the ``Policy`` with an inline URL-encoded JSON :ref:`policy ` that further restricts the permissions associated to the temporary credentials. + .. tab-item:: Baremetal + :sync: baremetal - Omit to use the :ref:`policy whose name matches ` the Distinguished Name (DN) of the AD/LDAP user. + .. include:: /includes/baremetal/steps-configure-ad-ldap-external-identity-management.rst - The API response consists of an XML document containing the access key, secret key, session token, and expiration date. - Applications can use the access key and secret key to access and perform operations on MinIO. - See the :ref:`minio-sts-assumerolewithldapidentity` for reference documentation. Disable a Configured Active Directory / LDAP Connection diff --git a/source/operations/external-iam/configure-keycloak-identity-management.rst b/source/operations/external-iam/configure-keycloak-identity-management.rst index cde64d158..2b4c97a86 100644 --- a/source/operations/external-iam/configure-keycloak-identity-management.rst 
+++ b/source/operations/external-iam/configure-keycloak-identity-management.rst 
@@ -16,32 +16,34 @@ Overview This procedure configures MinIO to use `Keycloak `__ as an external IDentity Provider (IDP) for authentication of users via the OpenID Connect (OIDC) protocol. -This procedure specifically covers the following steps: +This page has procedures for configuring OIDC for MinIO deployments in Kubernetes and Baremetal infrastructures. -.. cond:: k8s +Select the tab corresponding to your infrastructure to switch between instruction sets. - - Configure Keycloak for use with MinIO authentication and authorization - - Configure a new or existing MinIO Tenant to use Keycloak as the OIDC provider - - Create policies to control access of Keycloak-authenticated users - - Log into the MinIO Tenant Console using SSO and a Keycloak-managed identity - - Generate temporary S3 access credentials using the ``AssumeRoleWithWebIdentity`` Security Token Service (STS) API +.. tab-set:: + :class: parent-tab + + .. tab-item:: Kubernetes + :sync: k8s + + For MinIO Tenants deployed using the :ref:`MinIO Kubernetes Operator `, this procedure covers: -.. cond:: linux or macos or windows + - Configure Keycloak for use with MinIO authentication and authorization + - Configure a new or existing MinIO Tenant to use Keycloak as the OIDC provider + - Create policies to control access of Keycloak-authenticated users + - Log into the MinIO Tenant Console using SSO and a Keycloak-managed identity + - Generate temporary S3 access credentials using the ``AssumeRoleWithWebIdentity`` Security Token Service (STS) API - - Configure Keycloak for use with MinIO authentication and authorization - - Configure a new or existing MinIO cluster to use Keycloak as the OIDC provider - - Create policies to control access of Keycloak-authenticated users - - Log into the MinIO Console using SSO and a Keycloak-managed identity - - Generate temporary S3 access credentials using the ``AssumeRoleWithWebIdentity`` Security Token Service (STS) API + .. tab-item:: Baremetal + :sync: baremetal -.. 
cond:: container + For MinIO deployments on baremetal infrastructure, this procedure covers: - - Deploy a Keycloak and MinIO Container - - Configure Keycloak for use with MinIO authentication and authorization - - Configure MinIO to use Keycloak as the OIDC provider - - Create policies to control access of Keycloak-authenticated users - - Log into the MinIO Console using SSO and a Keycloak-managed identity - - Generate temporary S3 access credentials using the ``AssumeRoleWithWebIdentity`` Security Token Service (STS) API + - Configure Keycloak for use with MinIO authentication and authorization + - Configure a new or existing MinIO cluster to use Keycloak as the OIDC provider + - Create policies to control access of Keycloak-authenticated users + - Log into the MinIO Console using SSO and a Keycloak-managed identity + - Generate temporary S3 access credentials using the ``AssumeRoleWithWebIdentity`` Security Token Service (STS) API This procedure was written and tested against Keycloak ``21.0.0``. The provided instructions may work against other Keycloak versions. 
@@ -50,80 +52,68 @@ This procedure assumes you have prior experience with Keycloak and have reviewed Prerequisites ------------- -.. cond:: k8s - - MinIO Kubernetes Operator - ~~~~~~~~~~~~~~~~~~~~~~~~~ - - .. include:: /includes/k8s/common-operator.rst - :start-after: start-requires-operator-plugin - :end-before: end-requires-operator-plugin - - MinIO Tenant - ~~~~~~~~~~~~ - - This procedure assumes your Kubernetes cluster has sufficient resources to :ref:`deploy a new MinIO Tenant `. - - You can also use this procedure as guidance for modifying an existing MinIO Tenant to enable Keycloak Identity Management. - -.. cond:: linux or container or macos or windows +Keycloak Deployment and Realm Configuration +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - MinIO Deployment - ~~~~~~~~~~~~~~~~ +This procedure assumes an existing Keycloak deployment to which you have administrative access. +Specifically, you must have permission to create and configure Realms, Clients, Client Scopes, Realm Roles, Users, and Groups on the Keycloak deployment. - This procedure assumes an existing MinIO cluster running the :minio-git:`latest stable MinIO version `. - Refer to the :ref:`minio-installation` for more complete documentation on new MinIO deployments. +.. tab-set:: + :class: hidden - This procedure *may* work as expected for older versions of MinIO. + .. tab-item:: Kubernetes + :sync: k8s -.. cond:: not container + For Keycloak deployments within the same Kubernetes cluster as the MinIO Tenant, this procedure assumes bidirectional access between the Keycloak and MinIO pods/services. + For Keycloak deployments external to the Kubernetes cluster, this procedure assumes an existing Ingress, Load Balancer, or similar Kubernetes network control component that manages network access to and from the MinIO Tenant. 
- Keycloak Deployment and Realm Configuration - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - This procedure assumes an existing Keycloak deployment to which you have administrative access. - Specifically, you must have permission to create and configure Realms, Clients, Client Scopes, Realm Roles, Users, and Groups on the Keycloak deployment. + .. tab-item:: Baremetal + :sync: baremetal - .. cond:: k8s + The MinIO deployment must have bidirectional access to the target OIDC service. - For Keycloak deployments within the same Kubernetes cluster as the MinIO Tenant, this procedure assumes bidirectional access between the Keycloak and MinIO pods/services. +Ensure each user identity intended for use with MinIO has the appropriate :ref:`claim ` configured such that MinIO can associate a :ref:`policy ` to the authenticated user. +An OpenID user with no assigned policy has no permission to access any action or resource on the MinIO cluster. - For Keycloak deployments external to the Kubernetes cluster, this procedure assumes an existing Ingress, Load Balancer, or similar Kubernetes network control component that manages network access to and from the MinIO Tenant. - .. cond:: not k8s +Access to MinIO Cluster +~~~~~~~~~~~~~~~~~~~~~~~ - This procedure assumes bidirectional access between the Keycloak and MinIO deployments. - -Install and Configure ``mc`` with Access to the MinIO Cluster -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.. tab-set:: + :class: hidden -This procedure uses :mc:`mc` for performing operations on the MinIO cluster. -Install ``mc`` on a machine with network access to the cluster. + .. tab-item:: Kubernetes + :sync: k8s -.. cond:: k8s + You must have access to the MinIO Operator Console web UI. + You can either expose the MinIO Operator Console service using your preferred Kubernetes routing component, or use temporary port forwarding to expose the Console service port on your local machine. 
- Your local host must have access to the MinIO Tenant, such as through Ingress, a Load Balancer, or a similar Kubernetes network control component. + .. tab-item:: Baremetal + :sync: baremetal -See the ``mc`` :ref:`Installation Quickstart ` for instructions on downloading and installing ``mc``. + This procedure uses :mc:`mc` for performing operations on the MinIO cluster. + Install ``mc`` on a machine with network access to the cluster. + See the ``mc`` :ref:`Installation Quickstart ` for instructions on downloading and installing ``mc``. -This procedure assumes a configured :mc:`alias ` for the MinIO cluster. + This procedure assumes a configured :mc:`alias ` for the MinIO cluster. .. _minio-external-identity-management-keycloak-configure: Configure MinIO for Keycloak Identity Management ------------------------------------------------ -.. cond:: linux or macos or windows - - .. include:: /includes/linux/steps-configure-keycloak-identity-management.rst +.. tab-set:: -.. cond:: k8s + .. tab-item:: Kubernetes + :sync: k8s - .. include:: /includes/k8s/steps-configure-keycloak-identity-management.rst + .. include:: /includes/k8s/steps-configure-keycloak-identity-management.rst -.. cond:: container + .. tab-item:: Baremetal + :sync: baremetal - .. include:: /includes/container/steps-configure-keycloak-identity-management.rst + .. include:: /includes/baremetal/steps-configure-keycloak-identity-management.rst Enable the Keycloak Admin REST API ---------------------------------- diff --git a/source/operations/external-iam/configure-openid-external-identity-management.rst b/source/operations/external-iam/configure-openid-external-identity-management.rst index 9b1dc52e4..299e99d86 100644 --- a/source/operations/external-iam/configure-openid-external-identity-management.rst +++ b/source/operations/external-iam/configure-openid-external-identity-management.rst 
@@ -8,25 +8,37 @@ Configure MinIO for Authentication using OpenID .. contents:: Table of Contents :local: - :depth: 2 + :depth: 1 Overview -------- MinIO supports using an OpenID Connect (OIDC) compatible IDentity Provider (IDP) such as Okta, KeyCloak, Dex, Google, or Facebook for external management of user identities. -The procedure on this page provides instructions for: -.. cond:: k8s +This page has procedures for configuring OIDC for MinIO deployments in Kubernetes and Baremetal infrastructures. - - Configuring a MinIO Tenant to use an external OIDC provider. - - Accessing the Tenant Console using OIDC Credentials. - - Using the MinIO ``AssumeRoleWithWebIdentity`` Security Token Service (STS) API to generate temporary credentials for use by applications. +Select the tab corresponding to your infrastructure to switch between instruction sets. -.. cond:: linux or container or macos or windows +.. tab-set:: + :class: parent-tab - - Configuring a MinIO cluster for an external OIDC provider. - - Logging into the cluster using the MinIO Console and OIDC credentials. - - Using the MinIO ``AssumeRoleWithWebIdentity`` Security Token Service (STS) API to generate temporary credentials for use by applications. + .. tab-item:: Kubernetes + :sync: k8s + + For MinIO Tenants deployed using the :ref:`MinIO Kubernetes Operator `, this procedure covers: + + - Configuring a MinIO Tenant to use an external OIDC provider. + - Accessing the Tenant Console using OIDC Credentials. + - Using the MinIO ``AssumeRoleWithWebIdentity`` Security Token Service (STS) API to generate temporary credentials for use by applications. + + .. tab-item:: Baremetal + :sync: baremetal + + For MinIO deployments on baremetal infrastructure, this procedure covers: + + - Configuring a MinIO cluster for an external OIDC provider. + - Logging into the cluster using the MinIO Console and OIDC credentials. 
+ - Using the MinIO ``AssumeRoleWithWebIdentity`` Security Token Service (STS) API to generate temporary credentials for use by applications. This procedure is generic for OIDC compatible providers. Defer to the documentation for the OIDC provider of your choice for specific instructions or procedures on authentication and JWT retrieval. 
@@ -34,236 +46,68 @@ Defer to the documentation for the OIDC provider of your choice for specific ins Prerequisites ------------- -.. cond:: k8s - - MinIO Kubernetes Operator - ~~~~~~~~~~~~~~~~~~~~~~~~~ - - .. include:: /includes/k8s/common-operator.rst - :start-after: start-requires-operator-plugin - :end-before: end-requires-operator-plugin - OpenID-Connect (OIDC) Compatible IDentity Provider ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This procedure assumes an existing OIDC provider such as Okta, KeyCloak, Dex, Google, or Facebook. Instructions on configuring these services are out of scope for this procedure. -.. cond:: k8s - - - For OIDC services within the same Kubernetes cluster as the MinIO Tenant, you can use Kubernetes service names to allow the MinIO Tenant to establish connectivity to the OIDC service. - - - For OIDC services external to the Kubernetes cluster, you must ensure the cluster supports routing communications between Kubernetes services and pods and the external network. - This may require configuration or deployment of additional Kubernetes network components and/or enabling access to the public internet. - -Ensure each user identity intended for use with MinIO has the appropriate :ref:`claim ` configured such that MinIO can associate a :ref:`policy ` to the authenticated user. -An OpenID user with no assigned policy has no permission to access any action or resource on the MinIO cluster. - -.. cond:: k8s - - MinIO Tenant - ~~~~~~~~~~~~ - - This procedure assumes your Kubernetes cluster has sufficient resources to :ref:`deploy a new MinIO Tenant `. - - You can also use this procedure as guidance for modifying an existing MinIO Tenant to enable OIDC Identity Management. - -.. cond:: linux or container or macos or windows - - MinIO Deployment - ~~~~~~~~~~~~~~~~ - - This procedure assumes an existing MinIO cluster running the :minio-git:`latest stable MinIO version `. 
- Defer to the :ref:`minio-installation` for more complete documentation on new MinIO deployments. - - This procedure *may* work as expected for older versions of MinIO. +.. tab-set:: + :class: hidden -.. cond:: linux or container or macos or windows + .. tab-item:: Kubernetes + :sync: k8s - Install and Configure ``mc`` with Access to the MinIO Cluster - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + - For OIDC services within the same Kubernetes cluster as the MinIO Tenant, you can use Kubernetes service names to allow the MinIO Tenant to establish connectivity to the OIDC service. - This procedure uses :mc:`mc` for performing operations on the MinIO cluster. - Install ``mc`` on a machine with network access to the cluster. - See the ``mc`` :ref:`Installation Quickstart ` for instructions on downloading and installing ``mc``. + - For OIDC services external to the Kubernetes cluster, you must ensure the cluster supports routing communications between Kubernetes services and pods and the external network. + This may require configuration or deployment of additional Kubernetes network components and/or enabling access to the public internet. - This procedure assumes a configured :mc:`alias ` for the MinIO cluster. + .. tab-item:: Baremetal + :sync: baremetal -.. Lightly modeled after the SSE tutorials + The MinIO deployment must have bidirectional network connectivity to the target OIDC service. -.. cond:: k8s - - .. _minio-external-identity-management-openid-configure: - - .. include:: /includes/k8s/steps-configure-openid-external-identity-management.rst - - -.. Doing this the quick and dirty way. Need to revise later to be proper full includes via stepfiles - -.. cond:: linux or container or macos or windows - - .. 
_minio-external-identity-management-openid-configure: - - Procedure - --------- - - 1) Set the OpenID Configuration Settings - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - You can configure the :abbr:`OIDC (OpenID Connect)` provider using either - environment variables *or* server runtime configuration settings. Both - methods require starting/restarting the MinIO deployment to apply changes. The - following tabs provide a quick reference of all required and optional - environment variables and configuration settings respectively: - - .. tab-set:: - - .. tab-item:: Environment Variables - - MinIO supports specifying the :abbr:`OIDC (OpenID Connect)` provider - settings using :ref:`environment variables - `. The - :mc:`minio server` process applies the specified settings on its next - startup. For distributed deployments, specify these settings across all - nodes in the deployment using the *same* values consistently. - - The following example code sets *all* environment variables related to - configuring an :abbr:`OIDC (OpenID Connect)` provider for external - identity management. The minimum *required* variable is - :envvar:`MINIO_IDENTITY_OPENID_CONFIG_URL`: - - .. code-block:: shell - :class: copyable - - export MINIO_IDENTITY_OPENID_CONFIG_URL="https://openid-provider.example.net/.well-known/openid-configuration" - export MINIO_IDENTITY_OPENID_CLIENT_ID="" - export MINIO_IDENTITY_OPENID_CLIENT_SECRET="" - export MINIO_IDENTITY_OPENID_CLAIM_NAME="" - export MINIO_IDENTITY_OPENID_CLAIM_PREFIX="" - export MINIO_IDENTITY_OPENID_SCOPES="" - export MINIO_IDENTITY_OPENID_REDIRECT_URI="" - export MINIO_IDENTITY_OPENID_COMMENT="" - - Replace the ``MINIO_IDENTITY_OPENID_CONFIG_URL`` with the URL endpoint of - the :abbr:`OIDC (OpenID Connect)` provider discovery document. 
- - For complete documentation on these variables, see - :ref:`minio-server-envvar-external-identity-management-openid` +Ensure each user identity intended for use with MinIO has the appropriate :ref:`claim ` configured such that MinIO can associate a :ref:`policy ` to the authenticated user. +An OpenID user with no assigned policy has no permission to access any action or resource on the MinIO cluster. - .. tab-item:: Configuration Settings - MinIO supports specifying the :abbr:`OIDC (OpenID Connect)` provider - settings using :mc-conf:`configuration settings `. The - :mc:`minio server` process applies the specified settings on its next - startup. For distributed deployments, the :mc:`mc admin config` - command applies the configuration to all nodes in the deployment. +Access to MinIO Cluster +~~~~~~~~~~~~~~~~~~~~~~~ - The following example code sets *all* configuration settings related to - configuring an :abbr:`OIDC (OpenID Connect)` provider for external - identity management. The minimum *required* setting is - :mc-conf:`identity_openid config_url `: +.. tab-set:: + :class: hidden - .. code-block:: shell - :class: copyable + .. tab-item:: Kubernetes + :sync: k8s - mc admin config set ALIAS/ identity_openid \ - config_url="https://openid-provider.example.net/.well-known/openid-configuration" \ - client_id="" \ - client_secret="" \ - claim_name="" \ - claim_prefix="" \ - scopes="" \ - redirect_uri="" \ - comment="" + You must have access to the MinIO Operator Console web UI. + You can either expose the MinIO Operator Console service using your preferred Kubernetes routing component, or use temporary port forwarding to expose the Console service port on your local machine. - Replace the ``config_url`` with the URL endpoint of the - :abbr:`OIDC (OpenID Connect)` provider discovery document. + .. tab-item:: Baremetal + :sync: baremetal - For more complete documentation on these settings, see - :mc-conf:`identity_openid`. 
+ This procedure uses :mc:`mc` for performing operations on the MinIO cluster. + Install ``mc`` on a machine with network access to the cluster. + See the ``mc`` :ref:`Installation Quickstart ` for instructions on downloading and installing ``mc``. - 2) Restart the MinIO Deployment - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + This procedure assumes a configured :mc:`alias ` for the MinIO cluster. - You must restart the MinIO deployment to apply the configuration changes. - Use the :mc-cmd:`mc admin service restart` command to restart the deployment. +.. _minio-external-identity-management-openid-configure: - .. code-block:: shell - :class: copyable +Configure MinIO with OpenID External Identity Management +-------------------------------------------------------- - mc admin service restart ALIAS +.. tab-set:: + :class: hidden - Replace ``ALIAS`` with the :ref:`alias ` of the deployment to - restart. + .. tab-item:: Kubernetes + :sync: k8s - 3) Use the MinIO Console to Log In with OIDC Credentials - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - The MinIO Console supports the full workflow of authenticating to the - :abbr:`OIDC (OpenID Connect)` provider, generating temporary credentials using - the MinIO :ref:`minio-sts-assumerolewithwebidentity` Security Token Service - (STS) endpoint, and logging the user into the MinIO deployment. - - Starting in :minio-release:`RELEASE.2021-07-08T01-15-01Z`, the MinIO Console is - embedded in the MinIO server. You can access the Console by opening the root URL - for the MinIO cluster. For example, ``https://minio.example.net:9000``. - - From the Console, click :guilabel:`BUTTON` to begin the OpenID authentication - flow. - - Once logged in, you can perform any action for which the authenticated - user is :ref:`authorized - `. - - You can also create :ref:`access keys ` for - supporting applications which must perform operations on MinIO. 
Access Keys - are long-lived credentials which inherit their privileges from the parent user. - The parent user can further restrict those privileges while creating the service - account. - - 4) Generate S3-Compatible Temporary Credentials using OIDC Credentials - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - MinIO requires clients authenticate using :s3-api:`AWS Signature Version 4 - protocol ` with support for the deprecated - Signature Version 2 protocol. Specifically, clients must present a valid access - key and secret key to access any S3 or MinIO administrative API, such as - ``PUT``, ``GET``, and ``DELETE`` operations. - - Applications can generate temporary access credentials as-needed using the - :ref:`minio-sts-assumerolewithwebidentity` Security Token Service (STS) - API endpoint and the JSON Web Token (JWT) returned by the - :abbr:`OIDC (OpenID Connect)` provider. - - The application must provide a workflow for logging into the - :abbr:`OIDC (OpenID Connect)` provider and retrieving the - JSON Web Token (JWT) associated to the authentication session. Defer to the - provider documentation for obtaining and parsing the JWT token after successful - authentication. MinIO provides an example Go application - :minio-git:`web-identity.go ` with - an example of managing this workflow. - - Once the application retrieves the JWT token, use the - ``AssumeRoleWithWebIdentity`` endpoint to generate the temporary credentials: - - .. code-block:: shell - :class: copyable - - POST https://minio.example.net?Action=AssumeRoleWithWebIdentity - &WebIdentityToken=TOKEN - &Version=2011-06-15 - &DurationSeconds=86400 - &Policy=Policy - - - Replace the ``TOKEN`` with the JWT token returned in the previous step. - - Replace the ``DurationSeconds`` with the duration in seconds until the temporary credentials expire. The example above specifies a period of ``86400`` seconds, or 24 hours. 
- - Replace the ``Policy`` with an inline URL-encoded JSON :ref:`policy ` that further restricts the permissions associated to the temporary credentials. + .. include:: /includes/k8s/steps-configure-openid-external-identity-management.rst - Omit to use the policy associated to the OpenID user :ref:`policy claim `. + .. tab-item:: Baremetal + :sync: baremetal - The API response consists of an XML document containing the - access key, secret key, session token, and expiration date. Applications - can use the access key and secret key to access and perform operations on - MinIO. - - See the :ref:`minio-sts-assumerolewithwebidentity` for reference documentation. + .. include:: /includes/baremetal/steps-configure-openid-external-identity-management.rst + diff --git a/source/operations/install-deploy-manage/deploy-minio-multi-node-multi-drive.rst b/source/operations/install-deploy-manage/deploy-minio-multi-node-multi-drive.rst deleted file mode 100644 index ac1466730..000000000 --- a/source/operations/install-deploy-manage/deploy-minio-multi-node-multi-drive.rst +++ /dev/null 
@@ -1,328 +0,0 @@ -.. _deploy-minio-distributed: -.. _minio-mnmd: - -==================================== -Deploy MinIO: Multi-Node Multi-Drive -==================================== - -.. default-domain:: minio - -.. contents:: Table of Contents - :local: - :depth: 1 - -The procedures on this page cover deploying MinIO in a Multi-Node Multi-Drive (MNMD) or "Distributed" configuration. -|MNMD| deployments provide enterprise-grade performance, availability, and scalability and are the recommended topology for all production workloads. - -|MNMD| deployments support :ref:`erasure coding ` configurations which tolerate the loss of up to half the nodes or drives in the deployment while continuing to serve read operations. -Use the MinIO `Erasure Code Calculator `__ when planning and designing your MinIO deployment to explore the effect of erasure code settings on your intended topology. - -.. _deploy-minio-distributed-prereqs: - -Prerequisites -------------- - -Networking and Firewalls -~~~~~~~~~~~~~~~~~~~~~~~~ - -Each node should have full bidirectional network access to every other node in -the deployment. For containerized or orchestrated infrastructures, this may -require specific configuration of networking and routing components such as -ingress or load balancers. Certain operating systems may also require setting -firewall rules. For example, the following command explicitly opens the default -MinIO server API port ``9000`` for servers running firewalld : - -.. code-block:: shell - :class: copyable - - firewall-cmd --permanent --zone=public --add-port=9000/tcp - firewall-cmd --reload - -All MinIO servers in the deployment *must* use the same listen port. - -If you set a static :ref:`MinIO Console ` port (e.g. ``:9001``) -you must *also* grant access to that port to ensure connectivity from external -clients. - -MinIO **strongly recomends** using a load balancer to manage connectivity to the -cluster. 
The Load Balancer should use a "Least Connections" algorithm for -routing requests to the MinIO deployment, since any MinIO node in the deployment -can receive, route, or process client requests. - -The following load balancers are known to work well with MinIO: - -- `NGINX `__ -- `HAProxy `__ - -Configuring firewalls or load balancers to support MinIO is out of scope for -this procedure. -The :ref:`integrations-nginx-proxy` reference provides a baseline configuration for using NGINX as a reverse proxy with basic load balancing configured. - -Sequential Hostnames -~~~~~~~~~~~~~~~~~~~~ - -MinIO *requires* using expansion notation ``{x...y}`` to denote a sequential series of MinIO hosts when creating a server pool. -MinIO supports using either a sequential series of hostnames *or* IP addresses to represent each :mc:`minio server` process in the deployment. - -This procedure assumes use of sequential hostnames due to the lower overhead of management, especially in larger distributed clusters. - -Create the necessary DNS hostname mappings *prior* to starting this procedure. -For example, the following hostnames would support a 4-node distributed deployment: - -- ``minio-01.example.com`` -- ``minio-02.example.com`` -- ``minio-03.example.com`` -- ``minio-04.example.com`` - -You can specify the entire range of hostnames using the expansion notation ``minio-0{1...4}.example.com``. - -.. dropdown:: Non-Sequential Hostnames or IP Addresses - - MinIO does not support non-sequential hostnames or IP addresses for distributed deployments. - You can instead use ``/etc/hosts`` on each node to set a simple DNS scheme that supports expansion notation. - For example: - - .. 
code-block:: shell - - # /etc/hosts - - 198.0.2.10 minio-01.example.net - 198.51.100.3 minio-02.example.net - 198.0.2.43 minio-03.example.net - 198.51.100.12 minio-04.example.net - - The above hosts configuration supports expansion notation of ``minio-0{1...4}.example.net``, mapping the sequential hostnames to the desired IP addresses. - -.. _deploy-minio-distributed-prereqs-storage: - -Storage Requirements -~~~~~~~~~~~~~~~~~~~~ - -.. |deployment| replace:: deployment - -.. include:: /includes/common-installation.rst - :start-after: start-storage-requirements-desc - :end-before: end-storage-requirements-desc - -.. include:: /includes/common-admonitions.rst - :start-after: start-exclusive-drive-access - :end-before: end-exclusive-drive-access - -Memory Requirements -~~~~~~~~~~~~~~~~~~~ - -.. versionchanged:: RELEASE.2024-01-28T22-35-53Z - - MinIO pre-allocates 2GiB of system memory at startup. - -MinIO recommends a *minimum* of 32GiB of memory per host. -See :ref:`minio-hardware-checklist-memory` for more guidance on memory allocation in MinIO. - -Time Synchronization -~~~~~~~~~~~~~~~~~~~~ - -Multi-node systems must maintain synchronized time and date to maintain stable internode operations and interactions. -Make sure all nodes sync to the same time server regularly. -Operating systems vary for methods used to synchronize time and date, such as with ``ntp``, ``timedatectl``, or ``timesyncd``. - -Check the documentation for your operating system for how to set up and maintain accurate and identical system clock times across nodes. - -Considerations --------------- - -Erasure Coding Parity -~~~~~~~~~~~~~~~~~~~~~ - -MinIO :ref:`erasure coding ` is a data redundancy and availability feature that allows MinIO deployments to automatically reconstruct objects on-the-fly despite the loss of multiple drives or nodes in the cluster. - -MinIO defaults to ``EC:4``, or 4 parity blocks per :ref:`erasure set `. 
-You can set a custom parity level by setting the appropriate :ref:`MinIO Storage Class environment variable `. -Consider using the MinIO `Erasure Code Calculator `__ for guidance in selecting the appropriate erasure code parity level for your cluster. - -.. important:: - - While you can change erasure parity settings at any time, objects written with a given parity do **not** automatically update to the new parity settings. - -Capacity-Based Planning -~~~~~~~~~~~~~~~~~~~~~~~ - -MinIO recommends planning storage capacity sufficient to store **at least** 2 years of data before reaching 70% usage. -Performing :ref:`server pool expansion ` more frequently or on a "just-in-time" basis generally indicates an architecture or planning issue. - -For example, consider an application suite expected to produce at least 100 TiB of data per year and a 3 year target before expansion. -By ensuring the deployment has ~500TiB of usable storage up front, the cluster can safely meet the 70% threshold with additional buffer for growth in data storage output per year. - -Since MinIO :ref:`erasure coding ` requires some storage for parity, the total **raw** storage must exceed the planned **usable** capacity. -Consider using the MinIO `Erasure Code Calculator `__ for guidance in planning capacity around specific erasure code settings. - -Recommended Operating Systems -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. cond:: linux - - This tutorial assumes all hosts running MinIO use a - :ref:`recommended Linux operating system ` - such as RHEL8+ or Ubuntu 18.04+. - -.. cond:: macos - - This tutorial assumes all hosts running MinIO use a non-EOL macOS version (10.14+). - -.. cond:: Windows - - This tutorial assumes all hosts running MinIO use a non-EOL Windows distribution. - - Support for running distributed MinIO deployments on Windows is *experimental*. 
- -Pre-Existing Data -~~~~~~~~~~~~~~~~~ - -When starting a new MinIO server in a distributed environment, the storage devices must not have existing data. - -Once you start the MinIO server, all interactions with the data must be done through the S3 API. -Use the :ref:`MinIO Client `, the :ref:`MinIO Console `, or one of the MinIO :ref:`Software Development Kits ` to work with the buckets and objects. - -.. warning:: - - Modifying files on the backend drives can result in data corruption or data loss. - -.. _deploy-minio-distributed-baremetal: - -Deploy Distributed MinIO ------------------------- - -The following procedure creates a new distributed MinIO deployment consisting -of a single :ref:`Server Pool `. - -All commands provided below use example values. Replace these values with -those appropriate for your deployment. - -Review the :ref:`deploy-minio-distributed-prereqs` before starting this -procedure. - -1) Install the MinIO Binary on Each Node -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. cond:: linux - - .. include:: /includes/linux/common-installation.rst - :start-after: start-install-minio-binary-desc - :end-before: end-install-minio-binary-desc - -.. cond:: macos - - .. include:: /includes/macos/common-installation.rst - :start-after: start-install-minio-binary-desc - :end-before: end-install-minio-binary-desc - -2) Create the ``systemd`` Service File -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. include:: /includes/linux/common-installation.rst - :start-after: start-install-minio-systemd-desc - :end-before: end-install-minio-systemd-desc - -3) Create the Service Environment File -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Create an environment file at ``/etc/default/minio``. The MinIO -service uses this file as the source of all -:ref:`environment variables ` used by -MinIO *and* the ``minio.service`` file. 
- -The following examples assumes that: - -- The deployment has a single server pool consisting of four MinIO server hosts - with sequential hostnames. - - .. code-block:: shell - - minio1.example.com minio3.example.com - minio2.example.com minio4.example.com - -- All hosts have four locally-attached drives with sequential mount-points: - - .. code-block:: shell - - /mnt/disk1/minio /mnt/disk3/minio - /mnt/disk2/minio /mnt/disk4/minio - -- The deployment has a load balancer running at ``https://minio.example.net`` - that manages connections across all four MinIO hosts. - -Modify the example to reflect your deployment topology: - -.. code-block:: shell - :class: copyable - - # Set the hosts and volumes MinIO uses at startup - # The command uses MinIO expansion notation {x...y} to denote a - # sequential series. - # - # The following example covers four MinIO hosts - # with 4 drives each at the specified hostname and drive locations. - # The command includes the port that each MinIO server listens on - # (default 9000) - - MINIO_VOLUMES="https://minio{1...4}.example.net:9000/mnt/disk{1...4}/minio" - - # Set all MinIO server options - # - # The following explicitly sets the MinIO Console listen address to - # port 9001 on all network interfaces. The default behavior is dynamic - # port selection. - - MINIO_OPTS="--console-address :9001" - - # Set the root username. This user has unrestricted permissions to - # perform S3 and administrative API operations on any resource in the - # deployment. - # - # Defer to your organizations requirements for superadmin user name. - - MINIO_ROOT_USER=minioadmin - - # Set the root password - # - # Use a long, random, unique string that meets your organizations - # requirements for passwords. - - MINIO_ROOT_PASSWORD=minio-secret-key-CHANGE-ME - -You may specify other :ref:`environment variables -` or server commandline options as required -by your deployment. 
All MinIO nodes in the deployment should include the same -environment variables with the same values for each variable. - -4) Add TLS/SSL Certificates -~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. include:: /includes/common-installation.rst - :start-after: start-install-minio-tls-desc - :end-before: end-install-minio-tls-desc - -5) Run the MinIO Server Process -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Issue the following commands on each node in the deployment to start the -MinIO service: - -.. include:: /includes/linux/common-installation.rst - :start-after: start-install-minio-start-service-desc - :end-before: end-install-minio-start-service-desc - -6) Open the MinIO Console -~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. include:: /includes/common-installation.rst - :start-after: start-install-minio-console-desc - :end-before: end-install-minio-console-desc - -7) Next Steps -~~~~~~~~~~~~~ - -- Create an :ref:`alias ` for accessing the deployment using - :mc:`mc`. - -- :ref:`Create users and policies to control access to the deployment - `. diff --git a/source/operations/install-deploy-manage/deploy-minio-single-node-multi-drive.rst b/source/operations/install-deploy-manage/deploy-minio-single-node-multi-drive.rst deleted file mode 100644 index b39fcbb0a..000000000 --- a/source/operations/install-deploy-manage/deploy-minio-single-node-multi-drive.rst +++ /dev/null 
@@ -1,67 +0,0 @@ -.. _minio-snmd: - -===================================== -Deploy MinIO: Single-Node Multi-Drive -===================================== - -.. default-domain:: minio - -.. contents:: Table of Contents - :local: - :depth: 2 - -The procedures on this page cover deploying MinIO in a Single-Node Multi-Drive (SNMD) configuration. -|SNMD| deployments provide drive-level reliability and failover/recovery with performance and scaling limitations imposed by the single node. - -.. cond:: linux or macos or windows - - For production environments, MinIO strongly recommends deploying with the :ref:`Multi-Node Multi-Drive (Distributed) ` topology for enterprise-grade performance, availability, and scalability. - -.. cond:: container - - For production environments, MinIO strongly recommends using the MinIO Kubernetes Operator to deploy Multi-Node Multi-Drive (MNMD) or "Distributed" Tenants. - -Prerequisites -------------- - -Storage Requirements -~~~~~~~~~~~~~~~~~~~~ - -.. |deployment| replace:: deployment - -.. include:: /includes/common-installation.rst - :start-after: start-storage-requirements-desc - :end-before: end-storage-requirements-desc - -.. include:: /includes/common-admonitions.rst - :start-after: start-exclusive-drive-access - :end-before: end-exclusive-drive-access - -Memory Requirements -~~~~~~~~~~~~~~~~~~~ - -.. versionchanged:: RELEASE.2024-01-28T22-35-53Z - - MinIO pre-allocates 2GiB of system memory at startup. - -MinIO recommends a *minimum* of 32GiB of memory per host. -See :ref:`minio-hardware-checklist-memory` for more guidance on memory allocation in MinIO. - -.. _deploy-minio-standalone-multidrive: - -Deploy Single-Node Multi-Drive MinIO ------------------------------------- - -The following procedure deploys MinIO consisting of a single MinIO server and a multiple drives or storage volumes. - -.. cond:: linux - - .. include:: /includes/linux/steps-deploy-minio-single-node-multi-drive.rst - -.. cond:: macos - - .. 
include:: /includes/macos/steps-deploy-minio-single-node-multi-drive.rst - -.. cond:: container - - .. include:: /includes/container/steps-deploy-minio-single-node-multi-drive.rst \ No newline at end of file diff --git a/source/operations/install-deploy-manage/deploy-minio-single-node-single-drive.rst b/source/operations/install-deploy-manage/deploy-minio-single-node-single-drive.rst deleted file mode 100644 index 6810e21c4..000000000 --- a/source/operations/install-deploy-manage/deploy-minio-single-node-single-drive.rst +++ /dev/null 
@@ -1,129 +0,0 @@ -.. _minio-snsd: - -====================================== -Deploy MinIO: Single-Node Single-Drive -====================================== - -.. default-domain:: minio - -.. contents:: Table of Contents - :local: - :depth: 2 - -The procedures on this page cover deploying MinIO in a Single-Node Single-Drive (SNSD) configuration for early development and evaluation. -|SNSD| deployments use a zero-parity erasure coded backend that provides no added reliability or availability beyond what the underlying storage volume implements. -These deployments are best suited for local testing and evaluation, or for small-scale data workloads that do not have availability or performance requirements. - -.. cond:: container - - For extended development or production environments in orchestrated environments, use the MinIO Kubernetes Operator to deploy a Tenant on multiple worker nodes. - -.. cond:: linux - - For extended development or production environments, deploy MinIO in a :ref:`Multi-Node Multi-Drive (Distributed) ` topology - -.. important:: - - :minio-release:`RELEASE.2022-10-29T06-21-33Z` fully removes the `deprecated Gateway/Filesystem `__ backends. - MinIO returns an error if it starts up and detects existing Filesystem backend files. - - To migrate from an FS-backend deployment, use :mc:`mc mirror` or :mc:`mc cp` to copy your data over to a new MinIO |SNSD| deployment. - You should also recreate any necessary users, groups, policies, and bucket configurations on the |SNSD| deployment. - -.. _minio-snsd-pre-existing-data: - -Pre-Existing Data ------------------ - -MinIO startup behavior depends on the the contents of the specified storage volume or path. -The server checks for both MinIO-internal backend data and the structure of existing folders and files. -The following table lists the possible storage volume states and MinIO behavior: - -.. 
list-table:: - :header-rows: 1 - :widths: 40 60 - - * - Storage Volume State - - Behavior - - * - Empty with **no** files, folders, or MinIO backend data - - - MinIO starts in |SNSD| mode and creates the zero-parity backend - - * - Existing |SNSD| zero-parity objects and MinIO backend data - - MinIO resumes in |SNSD| mode - - * - Existing filesystem folders, files, but **no** MinIO backend data - - MinIO returns an error and does not start - - * - Existing filesystem folders, files, and legacy "FS-mode" backend data - - MinIO returns an error and does not start - - .. versionchanged:: RELEASE.2022-10-29T06-21-33Z - -Prerequisites -------------- - -Storage Requirements -~~~~~~~~~~~~~~~~~~~~ - -The following requirements summarize the :ref:`minio-hardware-checklist-storage` section of MinIO's hardware recommendations: - -Use Local Storage - Direct-Attached Storage (DAS) has significant performance and consistency advantages over networked storage (:abbr:`NAS (Network Attached Storage)`, :abbr:`SAN (Storage Area Network)`, :abbr:`NFS (Network File Storage)`). - MinIO strongly recommends flash storage (NVMe, SSD) for primary or "hot" data. - -Use XFS-Formatting for Drives - MinIO strongly recommends provisioning XFS formatted drives for storage. - MinIO uses XFS as part of internal testing and validation suites, providing additional confidence in performance and behavior at all scales. - -Persist Drive Mounting and Mapping Across Reboots - Use ``/etc/fstab`` to ensure consistent drive-to-mount mapping across node reboots. - - Non-Linux Operating Systems should use the equivalent drive mount management tool. - -.. include:: /includes/common-admonitions.rst - :start-after: start-exclusive-drive-access - :end-before: end-exclusive-drive-access - -Memory Requirements -~~~~~~~~~~~~~~~~~~~ - -.. versionchanged:: RELEASE.2024-01-28T22-35-53Z - - MinIO pre-allocates 2GiB of system memory at startup. - -MinIO recommends a *minimum* of 32GiB of memory per host. 
-See :ref:`minio-hardware-checklist-memory` for more guidance on memory allocation in MinIO. - -.. _deploy-minio-standalone: - -Deploy Single-Node Single-Drive MinIO -------------------------------------- - -The following procedure deploys MinIO consisting of a single MinIO server and a single drive or storage volume. - -.. admonition:: Network File System Volumes Break Consistency Guarantees - :class: note - - MinIO's strict **read-after-write** and **list-after-write** consistency - model requires local drive filesystems. - - MinIO cannot provide consistency guarantees if the underlying storage - volumes are NFS or a similar network-attached storage volume. - -.. cond:: linux - - .. include:: /includes/linux/steps-deploy-minio-single-node-single-drive.rst - -.. cond:: macos - - .. include:: /includes/macos/steps-deploy-minio-single-node-single-drive.rst - -.. cond:: container - - .. include:: /includes/container/steps-deploy-minio-single-node-single-drive.rst - -.. cond:: windows - - .. include:: /includes/windows/steps-deploy-minio-single-node-single-drive.rst diff --git a/source/operations/install-deploy-manage/deploy-minio-tenant.rst b/source/operations/install-deploy-manage/deploy-minio-tenant.rst deleted file mode 100644 index b6ca8a04e..000000000 --- a/source/operations/install-deploy-manage/deploy-minio-tenant.rst +++ /dev/null 
@@ -1,443 +0,0 @@ -.. The following label handles links from content to distributed MinIO in K8s context -.. _deploy-minio-distributed: - -.. Redirect all references to tenant topologies here - -.. _minio-snsd: -.. _minio-snmd: -.. _minio-mnmd: - -.. _minio-k8s-deploy-minio-tenant: - -===================== -Deploy a MinIO Tenant -===================== - -.. default-domain:: minio - -.. contents:: Table of Contents - :local: - :depth: 1 - -.. cond:: openshift - - This procedure documents deploying a MinIO Tenant through OpenShift 4.7+ using the OpenShift Web Console and the MinIO Kubernetes Operator. - -.. cond:: k8s and not openshift - - This procedure documents deploying a MinIO Tenant onto a stock Kubernetes cluster using either Kustomize or MinIO's Helm Charts. - -.. screenshot temporarily removed - - .. image:: /images/k8s/operator-dashboard.png - :align: center - :width: 70% - :class: no-scaled-link - :alt: MinIO Operator Console - - -Deploying Single-Node topologies requires additional configurations not covered in this documentation. -You can alternatively use a simple Kubernetes YAML object to describe a Single-Node topology for local testing and evaluation as necessary. -MinIO does not recommend nor support single-node deployment topologies for production environments. - -This documentation assumes familiarity with all referenced Kubernetes concepts, utilities, and procedures. -While this documentation *may* provide guidance for configuring or deploying Kubernetes-related resources on a best-effort basis, it is not a replacement for the official :kube-docs:`Kubernetes Documentation <>`. - - -Prerequisites -------------- - -MinIO Kubernetes Operator -~~~~~~~~~~~~~~~~~~~~~~~~~ - -The procedures on this page *requires* a valid installation of the MinIO -Kubernetes Operator and assumes the local host has a matching installation of -the MinIO Kubernetes Operator. This procedure assumes the latest stable Operator, version |operator-version-stable|. 
- -See :ref:`deploy-operator-kubernetes` for complete documentation on deploying the MinIO Operator. - -.. cond:: k8s and not (openshift or eks or gke or aks) - - Kubernetes Version |k8s-floor| - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - MinIO tests |operator-version-stable| against a floor of Kubernetes API of |k8s-floor|. - MinIO **strongly recommends** maintaining Kubernetes infrastructure using `actively maintained Kubernetes API versions `__. - - - MinIO **strongly recommends** upgrading Kubernetes clusters running with `End-Of-Life API versions `__. - - -.. cond:: openshift - - OpenShift 4.7+ and ``oc`` CLI Tool - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - This procedure assumes installation of the MinIO Operator using the OpenShift 4.7+ and the OpenShift OperatorHub. - - This procedure assumes your local machine has the OpenShift ``oc`` CLI tool installed and configured for access to the OpenShift Cluster. - :openshift-docs:`Download and Install ` the OpenShift :abbr:`CLI (command-line interface)` ``oc`` for use in this procedure. - - See :ref:`deploy-operator-openshift` for more complete instructions. - -.. cond:: openshift - - Check Security Context Constraints - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - The MinIO Operator deploys pods using the following default :kube-docs:`Security Context ` per pod: - - .. code-block:: yaml - :class: copyable - - securityContext: - runAsUser: 1000 - runAsGroup: 1000 - runAsNonRoot: true - fsGroup: 1000 - - Certain OpenShift :openshift-docs:`Security Context Constraints ` limit the allowed UID or GID for a pod such that MinIO cannot deploy the Tenant successfully. - Ensure that the Project in which the Operator deploys the Tenant has sufficient SCC settings that allow the default pod security context. - You can alternatively modify the tenant security context settings during deployment. - - The following command returns the optimal value for the securityContext: - - .. 
code-block:: shell - :class: copyable - - oc get namespace \ - -o=jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.supplemental-groups}{"\n"}' - - The command returns output similar to the following: - - .. code-block:: shell - - 1056560000/10000 - - Take note of this value before the slash for use in this procedure. - -.. cond:: gke - - GKE Cluster with Compute Engine Nodes - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - This procedure assumes an existing :abbr:`GKE (Google Kubernetes Engine)` cluster with a MinIO Operator installation and *at least* four Compute Engine nodes. - The Compute Engine nodes should have matching machine types and configurations to ensure predictable performance with MinIO. - - MinIO provides :ref:`hardware guidelines ` for selecting the appropriate Compute Engine instance class and size. - MinIO strongly recommends selecting instances with support for local SSDs and *at least* 25Gbps egress bandwidth as a baseline for performance. - - For more complete information on the available Compute Engine and Persistent Storage resources, see :gcp-docs:`Machine families resources and comparison guide ` and :gcp-docs:`Persistent disks `. - -.. cond:: eks - - EKS Cluster with EBS-Optimized EC2 Nodes - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - This procedure assumes an existing :abbr:`EKS (Elastic Kubernetes Service)` cluster with *at least* four EC2 nodes. - The EC2 nodes should have matching machine types and configurations to ensure predictable performance with MinIO. - - MinIO provides :ref:`hardware guidelines ` for selecting the appropriate EC2 instance class and size. - MinIO strongly recommends selecting EBS-optimized instances with *at least* 25Gbps Network bandwidth as a baseline for performance. - - For more complete information on the available EC2 and EBS resources, see `EC2 Instance Types `__ and `EBS Volume Types `__. 
- |subnet| customers should reach out to MinIO engineering as part of architecture planning for assistance in selecting the optimal instance and volume types for the target workload and performance goals. - -.. cond:: aks - - AKS Cluster with Azure Virtual Machines - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - This procedure assumes an existing :abbr:`AKS (Azure Kubernetes Service)` cluster with *at least* four Azure virtual machines (VM). - The Azure VMs should have matching machine types and configurations to ensure predictable performance with MinIO. - - MinIO provides :ref:`hardware guidelines ` for selecting the appropriate EC2 instance class and size. - MinIO strongly recommends selecting VM instances with support for Premium SSDs and *at least* 25Gbps Network bandwidth as a baseline for performance. - - For more complete information on Azure Virtual Machine types and Storage resources, see :azure-docs:`Sizes for virtual machines in Azure ` and :azure-docs:`Azure managed disk types ` - -.. _deploy-minio-tenant-pv: - -Persistent Volumes -~~~~~~~~~~~~~~~~~~ - -.. include:: /includes/common-admonitions.rst - :start-after: start-exclusive-drive-access - :end-before: end-exclusive-drive-access - -.. cond:: not eks - - MinIO can use any Kubernetes :kube-docs:`Persistent Volume (PV) ` that supports the :kube-docs:`ReadWriteOnce ` access mode. - MinIO's consistency guarantees require the exclusive storage access that ``ReadWriteOnce`` provides. - The Persistent Volume **must** exist prior to deploying the Tenant. - - - Additionally, MinIO recommends setting a reclaim policy of ``Retain`` for the PVC :kube-docs:`StorageClass `. - Where possible, configure the Storage Class, CSI, or other provisioner underlying the PV to format volumes as XFS to ensure best performance. - - For Kubernetes clusters where nodes have Direct Attached Storage, MinIO strongly recommends using the `DirectPV CSI driver `__. 
- DirectPV provides a distributed persistent volume manager that can discover, format, mount, schedule, and monitor drives across Kubernetes nodes. - DirectPV addresses the limitations of manually provisioning and monitoring :kube-docs:`local persistent volumes `. - -.. cond:: eks - - MinIO Tenants on EKS must use the :github:`EBS CSI Driver ` to provision the necessary underlying persistent volumes. - MinIO strongly recommends using SSD-backed EBS volumes for best performance. - MinIO strongly recommends deploying EBS-based PVs with the XFS filesystem. - Create a StorageClass for the MinIO EBS PVs and set the ``csi.storage.k8s.io/fstype`` `parameter `__ to ``xfs`` . - For more information on EBS resources, see `EBS Volume Types `__. - For more information on StorageClass Parameters, see `StorageClass Parameters `__. - -.. cond:: gke - - MinIO Tenants on GKE should use the :gke-docs:`Compute Engine Persistent Disk CSI Driver ` to provision the necessary underlying persistent volumes. - MinIO strongly recommends SSD-backed disk types for best performance. - For more information on GKE disk types, see :gcp-docs:`Persistent Disks `. - -.. cond:: aks - - MinIO Tenants on AKS should use the :azure-docs:`Azure Disks CSI driver ` to provision the necessary underlying persistent volumes. - MinIO strongly recommends SSD-backed disk types for best performance. - For more information on AKS disk types, see :azure-docs:`Azure disk types `. - -.. _minio-k8s-deploy-minio-tenant-security: - -Deploy a MinIO Tenant using Kustomize -------------------------------------- - -The following procedure uses ``kubectl -k`` to deploy a MinIO Tenant using the ``base`` Kustomization template in the :minio-git:`MinIO Operator Github repository `. - -You can select a different base or pre-built template from the :minio-git:`repository ` as your starting point, or build your own Kustomization resources using the :ref:`MinIO Custom Resource Documentation `. - -.. 
important:: - - If you use Kustomize to deploy a MinIO Tenant, you must use Kustomize to manage or upgrade that deployment. - Do not use ``kubectl krew``, a Helm Chart, or similar methods to manage or upgrade the MinIO Tenant. - -This procedure is not exhaustive of all possible configuration options available in the :ref:`Tenant CRD `. -It provides a baseline from which you can modify and tailor the Tenant to your requirements. - -.. container:: procedure - - #. Create a YAML object for the Tenant - - Use the ``kubectl kustomize`` command to produce a YAML file containing all Kubernetes resources necessary to deploy the ``base`` Tenant: - - .. code-block:: shell - :class: copyable - - kubectl kustomize https://github.com/minio/operator/examples/kustomization/base/ > tenant-base.yaml - - The command creates a single YAML file with multiple objects separated by the ``---`` line. - Open the file in your preferred editor. - - The following steps reference each object based on it's ``kind`` and ``metadata.name`` fields: - - #. Configure the Tenant topology - - The ``kind: Tenant`` object describes the MinIO Tenant. - - The following fields share the ``spec.pools[0]`` prefix and control the number of servers, volumes per server, and storage class of all pods deployed in the Tenant: - - .. list-table:: - :header-rows: 1 - :widths: 30 70 - - * - Field - - Description - - * - ``servers`` - - The number of MinIO pods to deploy in the Server Pool. - - * - ``volumesPerServer`` - - The number of persistent volumes to attach to each MinIO pod (``servers``). - The Operator generates ``volumesPerServer x servers`` Persistant Volume Claims for the Tenant. - - * - ``volumeClaimTemplate.spec.storageClassName`` - - The Kubernetes storage class to associate with the generated Persistent Volume Claims. - - If no storage class exists matching the specified value *or* if the specified storage class cannot meet the requested number of PVCs or storage capacity, the Tenant may fail to start. 
- - * - ``volumeClaimTemplate.spec.resources.requests.storage`` - - The amount of storage to request for each generated PVC. - - #. Configure Tenant Affinity or Anti-Affinity - - The MinIO Operator supports the following Kubernetes Affinity and Anti-Affinity configurations: - - - Node Affinity (``spec.pools[n].nodeAffinity``) - - Pod Affinity (``spec.pools[n].podAffinity``) - - Pod Anti-Affinity (``spec.pools[n].podAntiAffinity``) - - MinIO recommends configuring Tenants with Pod Anti-Affinity to ensure that the Kubernetes schedule does not schedule multiple pods on the same worker node. - - If you have specific worker nodes on which you want to deploy the tenant, pass those node labels or filters to the ``nodeAffinity`` field to constrain the scheduler to place pods on those nodes. - - #. Configure Network Encryption - - The MinIO Tenant CRD provides the following fields from which you can configure tenant TLS network encryption: - - .. list-table:: - :header-rows: 1 - :widths: 30 70 - - * - Field - - Description - - * - ``tenant.certificate.requestAutoCert`` - - Enable or disable MinIO :ref:`automatic TLS certificate generation ` - - Defaults to ``true`` or enabled if omitted. - - * - ``tenant.certificate.certConfig`` - - Customize the behavior of :ref:`automatic TLS `, if enabled. - - * - ``tenant.certificate.externalCertSecret`` - - Enable TLS for multiple hostnames via Server Name Indication (SNI) - - Specify one or more Kubernetes secrets of type ``kubernetes.io/tls`` or ``cert-manager``. - - * - ``tenant.certificate.externalCACertSecret`` - - Enable validation of client TLS certificates signed by unknown, third-party, or internal Certificate Authorities (CA). - - Specify one or more Kubernetes secrets of type ``kubernetes.io/tls`` containing the full chain of CA certificates for a given authority. - - #. Configure MinIO Environment Variables - - You can set MinIO Server environment variables using the ``tenant.configuration`` field. - - .. 
list-table:: - :header-rows: 1 - :widths: 30 70 - - * - Field - - Description - - * - ``tenant.configuration`` - - Specify a Kubernetes opaque secret whose data payload ``config.env`` contains each MinIO environment variable you want to set. - - The ``config.env`` data payload **must** be a base64-encoded string. - You can create a local file, set your environment variables, and then use ``cat LOCALFILE | base64`` to create the payload. - - The YAML includes an object ``kind: Secret`` with ``metadata.name: storage-configuration`` that sets the root username, password, erasure parity settings, and enables Tenant Console. - - Modify this as needed to reflect your Tenant requirements. - - #. Review the Namespace - - The YAML object ``kind: Namespace`` sets the default namespace for the Tenant to ``minio-tenant``. - - You can change this value to create a different namespace for the Tenant. - You must change **all** ``metadata.namespace`` values in the YAML file to match the Namespace. - - #. Deploy the Tenant - - Use the ``kubectl apply -f`` command to deploy the Tenant. - - .. code-block:: shell - :class: copyable - - kubectl apply -f tenant-base.yaml - - The command creates each of the resources specified in the YAML object at the configured namespace. - - You can monitor the progress using the following command: - - .. code-block:: shell - :class: copyable - - watch kubectl get all -n minio-tenant - - #. Expose the Tenant MinIO S3 API port - - To test the MinIO Client :mc:`mc` from your local machine, forward the MinIO port and create an alias. - - * Forward the Tenant's MinIO port: - - .. code-block:: shell - :class: copyable - - kubectl port-forward svc/MINIO_TENANT_NAME-hl 9000 -n MINIO_TENANT_NAMESPACE - - * Create an alias for the Tenant service: - - .. code-block:: shell - :class: copyable - - mc alias set myminio https://localhost:9000 minio minio123 --insecure - - You can use :mc:`mc mb` to create a bucket on the Tenant: - - .. 
code-block:: shell - :class: copyable - - mc mb myminio/mybucket --insecure - - If you deployed your MinIO Tenant using TLS certificates minted by a trusted Certificate Authority (CA) you can omit the ``--insecure`` flag. - - See :ref:`create-tenant-connect-tenant` for specific instructions. - -.. _create-tenant-connect-tenant: - -Connect to the Tenant ---------------------- - -The MinIO Operator creates services for the MinIO Tenant. - -.. cond:: openshift - - Use the ``oc get svc -n TENANT-PROJECT`` command to review the deployed services: - - .. code-block:: shell - :class: copyable - - oc get svc -n TENANT-NAMESPACE - -.. cond:: k8s and not openshift - - Use the ``kubectl get svc -n NAMESPACE`` command to review the deployed services: - - .. code-block:: shell - :class: copyable - - kubectl get svc -n TENANT-NAMESPACE - -.. code-block:: shell - - NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE - minio LoadBalancer 10.97.114.60 443:30979/TCP 2d3h - TENANT-NAMESPACE-console LoadBalancer 10.106.103.247 9443:32095/TCP 2d3h - TENANT-NAMESPACE-hl ClusterIP None 9000/TCP 2d3h - -- The ``minio`` service corresponds to the MinIO Tenant service. - Applications should use this service for performing operations against the MinIO Tenant. - -- The ``*-console`` service corresponds to the :minio-git:`MinIO Console `. - Administrators should use this service for accessing the MinIO Console and performing administrative operations on the MinIO Tenant. - -The remaining services support Tenant operations and are not intended for consumption by users or administrators. - -By default each service is visible only within the Kubernetes cluster. -Applications deployed inside the cluster can access the services using the ``CLUSTER-IP``. - -Applications external to the Kubernetes cluster can access the services using the ``EXTERNAL-IP``. -This value is only populated for Kubernetes clusters configured for Ingress or a similar network access service. 
-Kubernetes provides multiple options for configuring external access to services. - -.. cond:: k8s and not openshift - - See the Kubernetes documentation on :kube-docs:`Publishing Services (ServiceTypes) ` and :kube-docs:`Ingress ` for more complete information on configuring external access to services. - -.. cond:: openshift - - See the OpenShift documentation on :openshift-docs:`Route or Ingress ` for more complete information on configuring external access to services. - -.. cond:: openshift - - .. include:: /includes/openshift/steps-deploy-minio-tenant.rst - -.. toctree:: - :titlesonly: - :hidden: - - /operations/install-deploy-manage/deploy-minio-tenant-helm diff --git a/source/operations/install-deploy-manage/minio-operator-console.rst b/source/operations/install-deploy-manage/minio-operator-console.rst deleted file mode 100644 index 31886568d..000000000 --- a/source/operations/install-deploy-manage/minio-operator-console.rst +++ /dev/null 
@@ -1,127 +0,0 @@
-:orphan:
-
-.. _minio-operator-console:
-
-======================
-MinIO Operator Console
-======================
-
-.. default-domain:: minio
-
-.. contents:: Table of Contents
- :local:
- :depth: 2
-
-.. warning::
-
- MinIO Operator 6.0.0 deprecates and removes the Operator Console.
-
- You can use either Kustomization or Helm to manage and deploy MinIO Tenants.
-
- This page provides a historical view at the Operator Console, and will recieve no further updates or corrections.
-
-The Operator Console provides a rich user interface for deploying and
-managing MinIO Tenants on Kubernetes infrastructure. Installing the
-MinIO :ref:`Kubernetes Operator ` automatically
-installs and configures the Operator Console.
-
-.. screenshot temporarily removed
- .. image:: /images/k8s/operator-dashboard.png
- :align: center
- :width: 70%
- :class: no-scaled-link
- :alt: MinIO Operator Console
-
-This page summarizes the functions available with the MinIO Operator Console.
-
-.. _minio-operator-console-connect:
-
-Connect to the Operator Console
--------------------------------
-
-.. include:: /includes/common/common-k8s-connect-operator-console.rst
-
-Tenant Management
------------------
-
-The MinIO Operator Console supports deploying, managing, and monitoring MinIO Tenants on the Kubernetes cluster.
-
-.. screenshot temporarily removed
- .. image:: /images/k8s/operator-dashboard.png
- :align: center
- :width: 70%
- :class: no-scaled-link
- :alt: MinIO Operator Console
-
-You can :ref:`deploy a MinIO Tenant ` through the Operator Console.
-
-The Operator Console automatically detects MinIO Tenants deployed on the cluster when provisioned through:
-
-- Operator Console
-- Helm
-- Kustomize
-
-Select a listed tenant to open an in-browser view of that tenant's MinIO Console.
-You can use this view to directly manage, modify, expand, upgrade, and delete the tenant through the Operator UI.
-
-.. versionadded:: Operator 5.0.0
-
- You can download a Log Report for a tenant from the Pods summary screen.
-
- The report downloads as ``-report.zip``.
- The ZIP archive contains status, events, and log information for each pool on the deployment.
- The archive also includes a summary yaml file describing the deployment.
-
- |subnet| users relying on the commercial license should register the MinIO tenants to their SUBNET account, which can be done through the Operator Console.
-
-Tenant Registration
--------------------
-
-|subnet| users relying on the commercial license should register the MinIO tenants to their SUBNET account, which can be done through the Operator Console.
-
-.. screenshot temporarily removed
- .. image:: /images/k8s/operator-console-register.png
- :align: center
- :width: 70%
- :class: no-scaled-link
- :alt: MinIO Operator Console Register Screen
-
-#. Select the :guilabel:`Register` tab
-#. Enter the :guilabel:`API Key`
-
- You can obtain the key from |SUBNET| through the Console by selecting :guilabel:`Get from SUBNET`.
-
-TLS Certificate Renewal
------------------------
-
-Operator 4.5.4 or later
-~~~~~~~~~~~~~~~~~~~~~~~
-
-Operator versions 4.5.4 and later automatically renew a tenant's certificates when the duration of the certificate has reached 80% of its life.
-
-For example, a tenant certificate was issued on January 1, 2023, and set to expire on December 31, 2023.
-80% of the 1 year life of the certificate comes on day 292, or October 19, 2023.
-On that date, Operator automatically renews the tenant's certificate.
-
-Operator 4.3.3 to 4.5.3
-~~~~~~~~~~~~~~~~~~~~~~~
-
-Operator versions 4.3.3 through 4.5.3 automatically renew tenant certificates after they reach 48 hours before expiration.
-
-For a certificate that expires on December 31, 2023, Operator renews the certificate on December 29 or December 30, within 48 of the expiration.
-
-Operator 4.3.2 or earlier
-~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Operator versions 4.3.2 and earlier do not automatically renew certificates.
-You must renew the tenant certificates on these releases separately.
-
-Review Your MinIO License
--------------------------
-
-To review which license you are using and the features available through different license options, select the :guilabel:`License` tab.
-
-MinIO supports two licenses: `AGPLv3 Open Source `__ or a `MinIO Commercial License `__.
-Subscribers to |SUBNET| use MinIO under a commercial license.
-
-You can also :guilabel:`Subscribe` from the License screen.
diff --git a/source/operations/install-deploy-manage/modify-minio-tenant.rst b/source/operations/install-deploy-manage/modify-minio-tenant.rst
deleted file mode 100644
index fcd525c14..000000000
--- a/source/operations/install-deploy-manage/modify-minio-tenant.rst
+++ /dev/null
@@ -1,47 +0,0 @@
-.. _minio-k8s-modify-minio-tenant:
-.. _minio-k8s-modify-minio-tenant-security:
-
-=====================
-Modify a MinIO Tenant
-=====================
-
-.. default-domain:: minio
-
-.. contents:: Table of Contents
- :local:
- :depth: 1
-
-You can modify tenants after deployment to change mutable configuration settings.
-See :ref:`minio-operator-crd` for a complete description of available settings in the MinIO Custom Resource Definition.
-
-The method for modifying the Tenant depends on how you deployed the tenant:
-
-.. tab-set::
-
- .. tab-item:: Kustomize
- :sync: kustomize
-
- For Kustomize-deployed Tenants, you can modify the base Kustomization resources and apply them using ``kubectl apply -k`` against the directory containing the ``kustomization.yaml`` object.
-
- .. code-block:: shell
-
- kubectl apply -k ~/kustomization/TENANT-NAME/
-
- Modify the path to the Kustomization directory to match your local configuration.
-
- .. tab-item:: Helm
- :sync: helm
-
- For Helm-deployed Tenants, you can modify the base ``values.yaml`` and upgrade the Tenant using the chart:
-
- .. code-block:: shell
-
- helm upgrade TENANT-NAME minio-operator/tenant -f values.yaml -n TENANT-NAMESPACE
-
- The command above assumes use of the MinIO Operator Chart repository.
- If you installed the Chart manually or by using a different repository name, specify that chart or name in the command.
-
- Replace ``TENANT-NAME`` and ``TENANT-NAMESPACE`` with the name and namespace of the Tenant, respectively.
- You can use ``helm list -n TENANT-NAMESPACE`` to validate the Tenant name.
-
- See :ref:`minio-tenant-chart-values` for more complete documentation on the available Chart fields.
\ No newline at end of file
diff --git a/source/operations/installation.rst b/source/operations/installation.rst
deleted file mode 100644
index 1f768d3ad..000000000
--- a/source/operations/installation.rst
+++ /dev/null
@@ -1,27 +0,0 @@
-.. cond:: linux or windows or macos
-
- .. include:: /includes/common/installation.rst
-
-.. cond:: container
-
- .. include:: /includes/container/installation.rst
-
-.. cond:: openshift
-
- .. include:: /includes/openshift/deploy-minio-on-openshift.rst
-
-.. cond:: eks
-
- .. include:: /includes/eks/deploy-minio-on-elastic-kubernetes-service.rst
-
-.. cond:: gke
-
- .. include:: /includes/gke/deploy-minio-on-google-kubernetes-engine.rst
-
-.. cond:: aks
-
- .. include:: /includes/aks/deploy-minio-on-azure-kubernetes-service.rst
-
-.. cond:: k8s and not (openshift or eks or gke or aks)
-
- .. include:: /includes/k8s/deploy-operator.rst
diff --git a/source/operations/manage-existing-deployments.rst b/source/operations/manage-existing-deployments.rst
deleted file mode 100644
index 9ea50dbb9..000000000
--- a/source/operations/manage-existing-deployments.rst
+++ /dev/null
@@ -1,42 +0,0 @@
-.. _minio-manage:
-
-=================================
-Manage Existing MinIO Deployments
-=================================
-
-.. default-domain:: minio
-
-.. contents:: Table of Contents
- :local:
- :depth: 1
-
-Management of an existing MinIO deployment typically falls into the following categories:
-
-Expansion
- Increase the total storage capacity of the MinIO Deployment by adding a Server Pool
-
-Upgrade
- Test and deploy the latest stable version of MinIO to take advantage of new features, fixes, and performance improvements.
-
-Decommission
- Drain data from an older storage pool in preparation for removing it from the deployment
-
-.. cond:: not (linux or k8s)
-
- .. toctree::
- :titlesonly:
- :hidden:
-
- /operations/install-deploy-manage/upgrade-minio-deployment
- /operations/install-deploy-manage/migrate-fs-gateway
-
-.. cond:: linux or k8s
-
- .. toctree::
- :titlesonly:
- :hidden:
-
- /operations/install-deploy-manage/expand-minio-deployment
- /operations/install-deploy-manage/upgrade-minio-deployment
- /operations/install-deploy-manage/decommission-server-pool
- /operations/install-deploy-manage/migrate-fs-gateway
diff --git a/source/operations/monitoring/collect-minio-metrics-using-prometheus.rst b/source/operations/monitoring/collect-minio-metrics-using-prometheus.rst
index 12259f651..1fc4b9ebc 100644
--- a/source/operations/monitoring/collect-minio-metrics-using-prometheus.rst
+++ b/source/operations/monitoring/collect-minio-metrics-using-prometheus.rst
@@ -164,11 +164,8 @@ Use the :mc:`mc admin prometheus generate` command to generate the scrape config This can be any single node, or a load balancer/proxy which handles connections to the MinIO nodes. - .. cond:: k8s - - For Prometheus deployments in the same cluster as the MinIO Tenant, you can specify the service DNS name for the ``minio`` service. - - For Prometheus deployments external to the cluster, you must specify an ingress or load balancer endpoint configured to route connections to and from the MinIO Tenant. + For MinIO Tenants on Kubernetes infrastructure, when using a Prometheus cluster in that same cluster you can specify the service DNS name for the ``minio`` service. + You can otherwise specify the ingress or load balancer endpoint configured to route connections to and from the MinIO Tenant. 2) Restart Prometheus with the Updated Configuration ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/source/operations/monitoring/metrics-and-alerts.rst b/source/operations/monitoring/metrics-and-alerts.rst index 118180d4a..e715d1713 100644 --- a/source/operations/monitoring/metrics-and-alerts.rst +++ b/source/operations/monitoring/metrics-and-alerts.rst 
@@ -100,16 +100,8 @@ MinIO provides the following scraping endpoints, relative to the base URL: For a complete list of metrics for each endpoint, see :ref:`Available Metrics `. -.. cond:: k8s - - The MinIO Operator supports deploying a per-tenant Prometheus instance configured to support metrics and visualization. - - If you deploy the Tenant with this feature disabled *but* still want the historical metric views, you can instead configure an external Prometheus service to scrape the Tenant metrics. - Once configured, you can update the Tenant to query that Prometheus service to retrieve metric data: - -.. cond:: linux or container or macos or windows - To enable historical data visualization in MinIO Console, set the following environment variables on each node in the MinIO deployment: +To enable historical data visualization in MinIO Console, set the following environment variables on each node in the MinIO deployment: - Set :envvar:`MINIO_PROMETHEUS_URL` to the URL of the Prometheus service - Set :envvar:`MINIO_PROMETHEUS_JOB_ID` to the unique job ID assigned to the collected metrics diff --git a/source/operations/monitoring/monitor-and-alert-using-influxdb.rst b/source/operations/monitoring/monitor-and-alert-using-influxdb.rst index ae0c2262d..ea50b3a7d 100644 --- a/source/operations/monitoring/monitor-and-alert-using-influxdb.rst +++ b/source/operations/monitoring/monitor-and-alert-using-influxdb.rst 
@@ -27,9 +27,7 @@ The procedure on this page documents the following: - An existing MinIO deployment with network access to the InfluxDB deployment - An :mc:`mc` installation on your local host configured to :ref:`access ` the MinIO deployment -.. cond:: k8s - - This procedure assumes all necessary network control components, such as Ingress or Load Balancers, to facilitate access between the MinIO Tenant and the InfluxDB service. +For MinIO Deployments on Kubernetes, this procedure assumes all necessary network control components, such as Ingress or Load Balancers, to facilitate access between the MinIO Tenant and the InfluxDB service. Configure InfluxDB to Collect and Alert using MinIO Metrics ----------------------------------------------------------- @@ -44,9 +42,7 @@ Configure InfluxDB to Collect and Alert using MinIO Metrics - You cannot enable authenticated access to the MinIO metrics endpoint via the InfluxDB UI - You cannot set a tag for collected metrics (e.g. ``url_tag``) for uniquely identifying the metrics for a given MinIO deployment - .. cond:: k8s - - The Telegraf Prometheus plugin also supports Kubernetes-specific features, such as scraping the ``minio`` service for a given MinIO Tenant. + The Telegraf Prometheus plugin also supports Kubernetes-specific features, such as scraping the ``minio`` service for a given MinIO Tenant. Configuring Telegraf is out of scope for this procedure. You can use this procedure as general guidance for configuring Telegraf to scrape MinIO metrics. diff --git a/source/operations/network-encryption.rst b/source/operations/network-encryption.rst index 101c5fee4..718d21b7f 100644 --- a/source/operations/network-encryption.rst +++ b/source/operations/network-encryption.rst @@ -1,4 +1,6 @@ .. _minio-tls: +.. _minio-TLS-third-party-ca: +.. _minio-tls-user-generated: ======================== Network Encryption (TLS) 
@@ -8,9 +10,7 @@ Network Encryption (TLS) .. contents:: Table of Contents :local: - :depth: 1 - -MinIO supports Transport Layer Security (TLS) 1.2+ encryption of incoming and outgoing traffic. + :depth: 2 .. admonition:: SSL is Deprecated :class: note 
@@ -18,38 +18,36 @@ MinIO supports Transport Layer Security (TLS) 1.2+ encryption of incoming and ou TLS is the successor to Secure Socket Layer (SSL) encryption. SSL is fully `deprecated `__ as of June 30th, 2018. -.. _minio-tls-user-generated: - -Enabling TLS ------------- +Overview +-------- -.. cond:: not k8s +MinIO supports Transport Layer Security (TLS) 1.2+ encryption of incoming and outgoing traffic. +MinIO can automatically detect certificates specified to either a default or custom search path and enable TLS for all connections. +MinIO supports Server Name Indication (SNI) requests from clients, where MinIO attempts to locate the appropriate TLS certificate for the hostname specified by the client. - The sections below describe how to enable TLS for MinIO. - You may use TLS certificates from a well-known Certificate Authority, an internal or private CA, or self-signed certs. +.. todo: add an image - Before beginning, note these important points: +MinIO requires *at minimum* a single default TLS certificate and can support multiple TLS certificates in support of SNI connectivity. +MinIO uses the TLS Subject Alternate Name (SAN) list to determine which certificate to return to the client. +If MinIO cannot find a TLS certificate whose SAN covers the client-requested hostname, MinIO uses the default certificate and attempts to establish the handshake. - - Configure TLS on each node. - - Ensure certs are readable by the user who runs the MinIO Server process. - - Update :envvar:`MINIO_VOLUMES` and any needed services or apps to use an ``HTTPS`` URL. +You can specify a single TLS certificate which covers all possible SANs for which the MinIO deployment accepts connections. -.. cond:: k8s +This configuration requires the least configuration, but necessarily exposes all hostnames configured in the TLS SAN to connecting clients. +Depending on your TLS configuration, this may include internal or private SAN domains. 
- For Kubernetes clusters with a valid :ref:`TLS Cluster Signing Certificate `, - the MinIO Kubernetes Operator can automatically generate TLS certificates while :ref:`deploying ` or :ref:`modifying ` a MinIO Tenant. - The TLS certificate generation process is as follows: +You can instead specify multiple TLS certificates separated by domain(s) with a single default certificate for any non-matching hostname requests. +This configuration requires more configuration, but only exposes those hostnames configured in the returned TLS SAN array. - - The Operator generates a Certificate Signing Request (CSR) associated to the Tenant. - The :abbr:`CSR (Certificate Signing Request)` includes the appropriate DNS Subject Alternate Names (SANs) for the Tenant services and pods. +.. _minio-tls-kubernetes: - The Operator then waits for :abbr:`CSR (Certificate Signing Request)` approval +MinIO TLS on Kubernetes +----------------------- - - The :abbr:`CSR (Certificate Signing Request)` waits pending approval. - The Kubernetes TLS API can automatically approve the :abbr:`CSR (Certificate Signing Request)` if properly configured. - Otherwise, a cluster administrator must manually approve the :abbr:`CSR (Certificate Signing Request)` before Kubernetes can generate the necessary certificates. +The MinIO Kubernetes Operator provides three approaches for configuring TLS on MinIO Tenants: - - The Operator applies the generated TLS Certificates to each MinIO Pod in the Tenant. +Automatic TLS using Cluster Signing API + For Kubernetes clusters with a valid :ref:`TLS Cluster Signing Certificate `,the MinIO Kubernetes Operator can automatically generate TLS certificates while :ref:`deploying ` or :ref:`modifying ` a MinIO Tenant. The Kubernetes TLS API uses the Kubernetes cluster Certificate Authority (CA) signature algorithm when generating new TLS certificates. 
See :ref:`minio-TLS-supported-cipher-suites` for a complete list of MinIO's supported TLS Cipher Suites and recommended signature algorithms. 
@@ -64,373 +62,159 @@ Enabling TLS If you have a custom Subject Alternative Name (SAN) certificate that is *not* also a wildcard cert, the TLS certificate SAN **must** apply to the hostname for its parent node. Without a wildcard, the SAN must match exactly to be able to connect to the tenant. - Certificate Management with cert-manager - ---------------------------------------- - +cert-manager Certificate Management The MinIO Operator supports using `cert-manager `__ as a full replacement for its built-in automatic certificate management *or* user-driven manual certificate management. For instructions for deploying the MinIO Operator and tenants using cert-manager, refer to the :ref:`cert-manager page `. +Manual Certificate Management + The Tenant CRD spec ``spec.externalCertsSecret`` supports specifying either ``opaque`` or ``kubernetes.io/tls`` type :kube-docs:`secrets ` containing the ``private.key`` and ``public.crt`` to use for TLS. -.. cond:: linux - - The MinIO Server searches for TLS keys and certificates for each node and uses those credentials for enabling TLS. - The search location depends on your MinIO configuration: - - .. tab-set:: - - .. tab-item:: Default Path - - By default, the MinIO server looks for the TLS keys and certificates for each node in the following directory: - - .. code-block:: shell - - ${HOME}/.minio/certs - - Where ``${HOME}`` is the home directory of the user running the MinIO Server process. - You may need to create the ``${HOME}/.minio/certs`` directory if it does not exist. - - For ``systemd`` managed deployments this must correspond to the ``USER`` running the MinIO process. - If that user has no home directory, use the :guilabel:`Custom Path` option instead. - - .. tab-item:: Custom Path - - You can specify a path for the MinIO server to search for certificates using the :mc-cmd:`minio server --certs-dir` or ``-S`` parameter. 
- - For example, the following command fragment directs the MinIO process to use the ``/opt/minio/certs`` directory for TLS certificates. - - .. code-block:: shell - - minio server --certs-dir /opt/minio/certs ... - - The user running the MinIO service *must* have read and write permissions to this directory. - - Place the TLS certificates for the default domain (e.g. ``minio.example.net``) in the ``/certs`` directory, with the private key as ``private.key`` and public certificate as ``public.crt``. - - For example: - - .. code-block:: shell - - /path/to/certs - private.key - public.crt - - You can use the MinIO :minio-git:`certgen ` to mint self-signed certificates for evaluating MinIO with TLS enabled. - For example, the following command generates a self-signed certificate with a set of IP and DNS Subject Alternate Names (SANs) associated to the MinIO Server hosts: - - .. code-block:: shell - - certgen -host "localhost,minio-*.example.net" - - Place the generated ``public.crt`` and ``private.key`` into the ``/path/to/certs`` directory to enable TLS for the MinIO deployment. - Applications can use the ``public.crt`` as a trusted Certificate Authority to allow connections to the MinIO deployment without disabling certificate validation. - - If you are reconfiguring an existing deployment that did not previously have TLS enabled, update :envvar:`MINIO_VOLUMES` to specify ``https`` instead of ``http``. - You may also need to update URLs used by applications or clients. - -.. cond:: container - - Start the MinIO container with the :mc-cmd:`minio/minio:latest server --certs-dir ` parameter and specify the path to a directory in which MinIO searches for certificates. - You must mount a local host volume to that path when starting the container to ensure the MinIO Server can access the necessary certificates. - - Place the TLS certificates for the default domain (e.g. 
``minio.example.net``) in the specified directory, with the private key as ``private.key`` and public certificate as ``public.crt``. - For example: - - .. code-block:: shell - - /opts/certs - private.key - public.crt - - You can use the MinIO :minio-git:`certgen ` to mint self-signed certificates for evaluating MinIO with TLS enabled. - For example, the following command generates a self-signed certificate with a set of IP and DNS SANs associated to the MinIO Server hosts: - - .. code-block:: shell - - certgen -host "localhost,minio-*.example.net" - - You may need to start the container and set a ``--hostname`` that matches the TLS certificate DNS SAN. + You can specify multiple certificates to support Tenants which have multiple assigned hostnames. - Move the certificates to the local host machine path that the container mounts to its ``--certs-dir`` path. - When the MinIO container starts, the server searches the specified location for certificates and uses them to enable TLS. - Applications can use the ``public.crt`` as a trusted Certificate Authority to allow connections to the MinIO deployment without disabling certificate validation. - If you are reconfiguring an existing deployment that did not previously have TLS enabled, update :envvar:`MINIO_VOLUMES` to specify ``https`` instead of ``http``. - You may also need to update URLs used by applications or clients. - - -.. cond:: macos - - The MinIO server searches the following directory for TLS keys and certificates: - - .. code-block:: shell - - ${HOME}/.minio/certs - - For deployments started with a custom TLS directory :mc-cmd:`minio server --certs-dir`, use that directory instead of the defaults. - - Place the TLS certificates for the default domain (e.g. ``minio.example.net``) in the ``/certs`` directory, with the private key as ``private.key`` and public certificate as ``public.crt``. - - For example: - - .. 
code-block:: shell - - ${HOME}/.minio/certs - private.key - public.crt - - Where ``${HOME}`` is the home directory of the user running the MinIO Server process. - You may need to create the ``${HOME}/.minio/certs`` directory if it does not exist. - - You can use the MinIO :minio-git:`certgen ` to mint self-signed certificates for evaluating MinIO with TLS enabled. - For example, the following command generates a self-signed certificate with a set of IP and DNS SANs associated to the MinIO Server hosts: - - .. code-block:: shell - - certgen -host "localhost,minio-*.example.net" +Self-signed, Internal, Private Certificates, and Public CAs with Intermediate Certificates +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Place the generated ``public.crt`` and ``private.key`` into the ``/.minio/certs`` directory to enable TLS for the MinIO deployment. - Applications can use the ``public.crt`` as a trusted Certificate Authority to allow connections to the MinIO deployment without disabling certificate validation. +If deploying MinIO Tenants with certificates minted by a non-global or non-public Certificate Authority, *or* if using a global CA that requires the use of intermediate certificates, you must provide those CAs to the Operator to ensure it can trust those certificates. - If you are reconfiguring an existing deployment that did not previously have TLS enabled, update :envvar:`MINIO_VOLUMES` to specify ``https`` instead of ``http``. - You may also need to update URLs used by applications or clients. +The Operator may log warnings related to TLS cert validation for Tenants deployed with untrusted certificates. +The following procedure attaches a secret containing the ``public.crt`` of the Certificate Authority to the MinIO Operator. +You can specify multiple CAs in a single certificate, as long as you maintain the ``BEGIN`` and ``END`` delimiters as-is. -.. cond:: windows +1. 
Create the ``operator-ca-tls`` secret - The MinIO server searches the following directory for TLS keys and certificates: + The following creates a Kubernetes secret in the MinIO Operator namespace (``minio-operator``). .. code-block:: shell + :class: copyable - %%USERPROFILE%%\.minio\certs + kubectl create secret generic operator-ca-tls \ + --from-file=public.crt -n minio-operator - For deployments started with a custom TLS directory :mc-cmd:`minio server --certs-dir`, use that directory instead of the defaults. + The ``public.crt`` file must correspond to a valid TLS certificate containing one or more CA definitions. - Place the TLS certificates for the default domain (e.g. ``minio.example.net``) in the ``/certs`` directory, with the private key as ``private.key`` and public certificate as ``public.crt``. +2. Restart the Operator - For example: + Once created, you must restart the Operator to load the new CAs: .. code-block:: shell + :class: copyable - %%USERPROFILE%%\.minio\certs - private.key - public.crt - - Where ``%%USERPROFILE%%`` is the location of the `User Profile folder `__ of the user running the MinIO Server process. - - You can use the MinIO :minio-git:`certgen ` to mint self-signed certificates for evaluating MinIO with TLS enabled. - For example, the following command generates a self-signed certificate with a set of IP and DNS SANs associated to the MinIO Server hosts: - - .. code-block:: shell + kubectl rollout restart deployments.apps/minio-operator -n minio-operator - certgen.exe -host "localhost,minio-*.example.net" - - Place the generated ``public.crt`` and ``private.key`` into the ``\.minio\certs`` directory to enable TLS for the MinIO deployment. - Applications can use the ``public.crt`` as a trusted Certificate Authority to allow connections to the MinIO deployment without disabling certificate validation. 
- - If you are reconfiguring an existing deployment that did not previously have TLS enabled, update :envvar:`MINIO_VOLUMES` to specify ``https`` instead of ``http``. - You may also need to update URLs used by applications or clients. - - -.. cond:: k8s - - Supported Secret Types - ~~~~~~~~~~~~~~~~~~~~~~ - - MinIO supports three types of :kube-docs:`secrets in Kubernetes `. - - #. ``opaque`` - - Using ``private.key`` and ``public.crt`` files. - #. ``tls`` - - Using ``tls.key`` and ``tls.crt`` files. - #. `cert-manager `__ 1.7.x or later - - Running on Kubernetes 1.21 or later. - - .. note:: - - For the best support of *tls* or *cert-manager* secrets, upgrade to Operator version 5.0.10 or later. - -Multiple Domain-Based TLS Certificates -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. cond:: k8s - - The MinIO Operator supports attaching user-specified TLS certificates when :ref:`deploying ` or :ref:`modifying ` the MinIO Tenant. - - These custom certificates support `Server Name Indication (SNI) `__, where the MinIO server identifies which certificate to use based on the hostname specified by the connecting client. - For example, you can generate certificates signed by your organization's preferred Certificate Authority (CA) and attach those to the MinIO Tenant. - Applications which trust that :abbr:`CA (Certificate Authority)` can connect to the MinIO Tenant and fully validate the Tenant TLS certificates. - -.. cond:: linux +Third-Party Certificate Authorities +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - The MinIO server supports multiple TLS certificates, where the server uses `Server Name Indication (SNI) `__ to identify which certificate to use when responding to a client request. - When a client connects using a specific hostname, MinIO uses :abbr:`SNI (Server Name Indication)` to select the appropriate TLS certificate for that hostname. 
+The MinIO Kubernetes Operator can automatically attach third-party Certificate Authorities when :ref:`deploying ` or :ref:`modifying ` a MinIO Tenant. - For example, consider a MinIO deployment reachable through the following hostnames: +You can add, update, or remove CAs from the tenant at any time. +You must restart the MinIO Tenant for the changes to the configured CAs to apply. - - ``https://minio.example.net`` (default TLS certificates) - - ``https://s3.example.net`` - - ``https://minio.internal-example.net`` +The Operator places the specified CAs on each MinIO Server pod such that all pods have a consistent set of trusted CAs. +If the MinIO Server cannot match an incoming client's TLS certificate issuer against any of the available CAs, the server rejects the connection as invalid. - Place the certificates in the ``/certs`` folder, creating a subfolder in ``/certs`` for each additional domain for which MinIO should present TLS certificates. - While MinIO has no requirements for folder names, consider creating subfolders whose name matches the domain to improve human readability. - Place the TLS private and public key for that domain in the subfolder. - - The root path for this folder depends on whether you use the default certificate path *or* a custom certificate path (:mc-cmd:`minio server --certs-dir` or ``-S``). +.. _minio-tls-baremetal: - .. tab-set:: +MinIO TLS on Baremetal +---------------------- - .. tab-item:: Default Certificate Path +The MinIO Server searches for TLS keys and certificates for each node and uses those credentials for enabling TLS. +MinIO automatically enables TLS upon discovery and validation of certificates. +The search location depends on your MinIO configuration: - .. code-block:: shell +.. tab-set:: - ${HOME}/.minio/certs - private.key - public.crt - s3-example.net/ - private.key - public.crt - internal-example.net/ - private.key - public.crt + .. tab-item:: Default Path - .. 
tab-item:: Custom Certificate Path + By default, the MinIO server looks for the TLS keys and certificates for each node in the following directory: - The following example assumes the MinIO Server was started with ``--certs dir | -S /opt/minio/certs``: + .. code-block:: shell - .. code-block:: shell + ${HOME}/.minio/certs - /opt/minio/certs - private.key - public.crt - s3-example.net/ - private.key - public.crt - internal-example.net/ - private.key - public.crt + Where ``${HOME}`` is the home directory of the user running the MinIO Server process. + You may need to create the ``${HOME}/.minio/certs`` directory if it does not exist. - While you can have a single TLS certificate that covers all hostnames with multiple Subject Alternative Names (SANs), this would reveal the ``internal-example.net`` and ``s3-example.net`` hostnames to any client which inspects the server certificate. - Using a TLS certificate per hostname better protects each individual hostname from discovery. - The individual TLS certificate SANs **must** apply to the hostname for their respective parent node. + For ``systemd`` managed deployments this must correspond to the ``USER`` running the MinIO process. + If that user has no home directory, use the :guilabel:`Custom Path` option instead. - If the client-specified hostname or IP address does not match any of the configured TLS certificates, the connection typically fails with a certificate validation error. + .. tab-item:: Custom Path + You can specify a path for the MinIO server to search for certificates using the :mc-cmd:`minio server --certs-dir` or ``-S`` parameter. -.. cond:: container + For example, the following command fragment directs the MinIO process to use the ``/opt/minio/certs`` directory for TLS certificates. - The MinIO server supports multiple TLS certificates, where the server uses `Server Name Indication (SNI) `__ to identify which certificate to use when responding to a client request. 
- When a client connects using a specific hostname, MinIO uses :abbr:`SNI (Server Name Indication)` to select the appropriate TLS certificate for that hostname. + .. code-block:: shell - For example, consider a MinIO deployment reachable through the following hostnames: + minio server --certs-dir /opt/minio/certs ... - - ``https://minio.example.net`` (default TLS certificates) - - ``https://s3.example.net`` - - ``https://minio.internal-example.net`` + The user running the MinIO service *must* have read and write permissions to this directory. - Start the MinIO container with the :mc-cmd:`minio/minio:latest server --certs-dir ` parameter and specify the path to a directory in which MinIO searches for certificates. - You must mount a local host volume to that path when starting the container to ensure the MinIO Server can access the necessary certificates. +Place the TLS certificates for the default domain (e.g. ``minio.example.net``) in the ``/certs`` directory, with the private key as ``private.key`` and public certificate as ``public.crt``. - Place the TLS certificates for the default domain (e.g. ``minio.example.net``) in the specified directory, with the private key as ``private.key`` and public certificate as ``public.crt``. - For other hostnames, create a subfolder whose name matches the domain to improve human readability. - Place the TLS private and public key for that domain in the subfolder. +For distributed MinIO deployments, each node in the deployment must have matching TLS certificate configurations. - For example: +Self-signed, Internal, Private Certificates, and Public CAs with Intermediate Certificates +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - .. code-block:: shell +If using Certificates signed by a non-global or non-public Certificate Authority, *or* if using a global CA that requires the use of intermediate certificates, you must provide those CAs to the MinIO Server. 
+If the MinIO server does not have the necessary CAs, it may return warnings or errors related to TLS validation when connecting to other services. - /opts/certs - private.key - public.crt - s3-example.net/ - private.key - public.crt - internal-example.net/ - private.key - public.crt +Place the CA certificates in the ``/certs/CAs`` folder. +The root path for this folder depends on whether you use the default certificate path *or* a custom certificate path (:mc-cmd:`minio server --certs-dir` or ``-S``) - When the MinIO container starts, the server searches the mounted location ``/opts/certs`` for certificates and uses them enable TLS. - MinIO serves clients connecting to the container using a supported hostname with the associated certificates. - Applications can use the ``public.crt`` as a trusted Certificate Authority to allow connections to the MinIO deployment without disabling certificate validation. +.. tab-set:: - While you can have a single TLS certificate that covers all hostnames with multiple Subject Alternative Names (SANs), this would reveal the ``internal-example.net`` and ``s3-example.net`` hostnames to any client which inspects the server certificate. - Using one TLS certificate per hostname better protects each individual hostname from discovery. - The individual TLS certificate SANs **must** apply to the hostname for their respective parent node. + .. tab-item:: Default Certificate Path - If the client-specified hostname or IP address does not match any of the configured TLS certificates, the connection typically fails with a certificate validation error. + .. code-block:: shell -.. cond:: macos + mv myCA.crt ${HOME}/.minio/certs/CAs - The MinIO server supports multiple TLS certificates, where the server uses `Server Name Indication (SNI) `__ to identify which certificate to use when responding to a client request. - When a client connects using a specific hostname, MinIO uses SNI to select the appropriate TLS certificate for that hostname. + .. 
tab-item:: Custom Certificate Path - For example, consider a MinIO deployment reachable through the following hostnames: + The following example assumes the MinIO Server was started with ``--certs dir /opt/minio/certs``: - - ``https://minio.example.net`` (default TLS certificates) - - ``https://s3.example.net`` - - ``https://minio.internal-example.net`` + .. code-block:: shell - Create a subfolder in ``/certs`` for each additional domain for which MinIO should present TLS certificates. - While MinIO has no requirements for folder names, consider creating subfolders whose name matches the domain to improve human readability. - Place the TLS private and public key for that domain in the subfolder. + mv myCA.crt /opt/minio/certs/CAs/ - For example: +For a self-signed certificate, the Certificate Authority is typically the private key used to sign the cert. - .. code-block:: shell +For certificates signed by an internal, private, or other non-global Certificate Authority, use the same CA that signed the cert. +A non-global CA must include the full chain of trust from the intermediate certificate to the root. - ${HOME}/.minio/certs - private.key - public.crt - s3-example.net/ - private.key - public.crt - internal-example.net/ - private.key - public.crt +If the provided file is not an X.509 certificate, MinIO ignores it and may return errors for validating certificates signed by that CA. - While you can have a single TLS certificate that covers all hostnames with multiple Subject Alternative Names (SANs), this would reveal the ``internal-example.net`` and ``s3-example.net`` hostnames to any client which inspects the server certificate. - Using a TLS certificate per hostname better protects each individual hostname from discovery. - The individual TLS certificate SANs **must** apply to the hostname for their respective parent node. 
+Third-Party Certificate Authorities +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - If the client-specified hostname or IP address does not match any of the configured TLS certificates, the connection typically fails with a certificate validation error. +The MinIO Server validates the TLS certificate presented by each connecting client against the host system's trusted root certificate store. -.. cond:: windows +Place the CA certificates in the ``/certs/CAs`` folder. +The root path for this folder depends on whether you use the default certificate path *or* a custom certificate path (:mc-cmd:`minio server --certs-dir` or ``-S``) - The MinIO server supports multiple TLS certificates, where the server uses `Server Name Indication (SNI) `__ to identify which certificate to use when responding to a client request. - When a client connects using a specific hostname, MinIO uses SNI to select the appropriate TLS certificate for that hostname. +.. tab-set:: - For example, consider a MinIO deployment reachable through the following hostnames: + .. tab-item:: Default Certificate Path - - ``https://minio.example.net`` (default TLS certificates) - - ``https://s3.example.net`` - - ``https://minio.internal-example.net`` + .. code-block:: shell - Create a subfolder in ``/certs`` for each additional domain for which MinIO should present TLS certificates. - While MinIO has no requirements for folder names, consider creating subfolders whose name matches the domain to improve human readability. - Place the TLS private and public key for that domain in the subfolder. + mv myCA.crt ${HOME}/certs/CAs - For example: + .. tab-item:: Custom Certificate Path - .. code-block:: shell + The following example assumes the MinIO Server was started with ``--certs dir /opt/minio/certs``: - %%USERPROFILE%%\.minio\certs - private.key - public.crt - s3-example.net\ - private.key - public.crt - internal-example.net\ - private.key - public.crt + .. 
code-block:: shell - While you can have a single TLS certificate that covers all hostnames with multiple Subject Alternative Names (SANs), this would reveal the ``internal-example.net`` and ``s3-example.net`` hostnames to any client which inspects the server certificate. - Using a TLS certificate per hostname better protects each individual hostname from discovery. - The individual TLS certificate SANs **must** apply to the hostname for their respective parent node. + mv myCA.crt /opt/minio/certs/CAs/ - If the client-specified hostname or IP address does not match any of the configured TLS certificates, the connection typically fails with a certificate validation error. +Place the certificate file for each CA into the ``/CAs`` subdirectory. +Ensure all hosts in the MinIO deployment have a consistent set of trusted CAs in that directory. +If the MinIO Server cannot match an incoming client's TLS certificate issuer against any of the available CAs, the server rejects the connection as invalid. .. _minio-TLS-supported-cipher-suites: 
@@ -458,170 +242,9 @@ MinIO supports the following TLS 1.2 and 1.3 cipher suites as supported by `Go < - ``TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`` - ``TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`` -.. _minio-TLS-third-party-ca: - -Third-Party Certificate Authorities ------------------------------------ - -.. cond:: k8s - - The MinIO Kubernetes Operator can automatically attach third-party Certificate Authorities when :ref:`deploying ` or :ref:`modifying ` a MinIO Tenant. - - You can add, update, or remove CAs from the tenant at any time. - You must restart the MinIO Tenant for the changes to the configured CAs to apply. - - The Operator places the specified CAs on each MinIO Server pod such that all pods have a consistent set of trusted CAs. - - If the MinIO Server cannot match an incoming client's TLS certificate issuer against any of the available CAs, the server rejects the connection as invalid. - -.. cond:: linux - - The MinIO Server validates the TLS certificate presented by each connecting client against the host system's trusted root certificate store. - - Place the CA certificates in the ``/certs/CAs`` folder. - The root path for this folder depends on whether you use the default certificate path *or* a custom certificate path (:mc-cmd:`minio server --certs-dir` or ``-S``) - - .. tab-set:: - - .. tab-item:: Default Certificate Path - - .. code-block:: shell - - mv myCA.crt ${HOME}/certs/CAs - - .. tab-item:: Custom Certificate Path - - The following example assumes the MinIO Server was started with ``--certs dir /opt/minio/certs``: - - .. code-block:: shell - - mv myCA.crt /opt/minio/certs/CAs/ - - Place the certificate file for each CA into the ``/CAs`` subdirectory. - Ensure all hosts in the MinIO deployment have a consistent set of trusted CAs in that directory. - If the MinIO Server cannot match an incoming client's TLS certificate issuer against any of the available CAs, the server rejects the connection as invalid. - -.. 
cond:: container - - Start the MinIO container with the :mc-cmd:`minio/minio:latest server --certs-dir ` parameter and specify the path to a directory in which MinIO searches for certificates. - You must mount a local host volume to that path when starting the container to ensure the MinIO Server can access the necessary certificates. - - For deployments started with a custom TLS directory :mc-cmd:`minio server --certs-dir`, the server searches in the ``/CAs`` path at that specified directory. - For example: - - .. code-block:: shell - - /opts/certs - private.key - public.crt - /CAs - my-ca.crt - - Place the certificate file for each CA into the ``/CAs`` subdirectory. - Ensure all hosts in the MinIO deployment have a consistent set of trusted CAs in that directory. - If the MinIO Server cannot match an incoming client's TLS certificate issuer against any of the available CAs, the server rejects the connection as invalid. - -.. cond:: macos - - The MinIO Server validates the TLS certificate presented by each connecting client against the host system's trusted root certificate store. - - You can place additional trusted Certificate Authority files in the following directory: - - .. code-block:: shell - - ${HOME}/.minio/certs/CAs - - Where ``${HOME}`` is the home directory of the user running the MinIO Server process. - You may need to create the ``${HOME}/.minio/certs`` directory if it does not exist. - - For deployments started with a custom TLS directory :mc-cmd:`minio server --certs-dir`, the server searches in the ``/certs/CAs`` path at that specified directory. - - Place the certificate file for each CA into the ``/CAs`` subdirectory. - Ensure all hosts in the MinIO deployment have a consistent set of trusted CAs in that directory. - If the MinIO Server cannot match an incoming client's TLS certificate issuer against any of the available CAs, the server rejects the connection as invalid. - -.. 
cond:: windows - - The MinIO Server validates the TLS certificate presented by each connecting client against the host system's trusted root certificate store. - - You can place additional trusted Certificate Authority files in the following directory: - - .. code-block:: shell - - %%USERPROFILE%%\.minio\certs\CAs - - Where ``%%USERPROFILE%%`` is the location of the `User Profile folder `__ of the user running the MinIO Server process. - - For deployments started with a custom TLS directory :mc-cmd:`minio server --certs-dir`, the server searches in the ``\CAs`` path at that specified directory. - - Place the certificate file for each CA into the ``/CAs`` subdirectory. - Ensure all hosts in the MinIO deployment have a consistent set of trusted CAs in that directory. - If the MinIO Server cannot match an incoming client's TLS certificate issuer against any of the available CAs, the server rejects the connection as invalid. - -Self-signed, Internal, Private Certificates, and Public CAs with Intermediate Certificates ------------------------------------------------------------------------------------------- - -.. cond:: not k8s - - If using Certificates signed by a non-global or non-public Certificate Authority, *or* if using a global CA that requires the use of intermediate certificates, you must provide those CAs to the MinIO Server. - If the MinIO server does not have the necessary CAs, it may return warnings or errors related to TLS validation when connecting to other services. - - Place the CA certificates in the ``/certs/CAs`` folder. - The root path for this folder depends on whether you use the default certificate path *or* a custom certificate path (:mc-cmd:`minio server --certs-dir` or ``-S``) - - .. tab-set:: - - .. tab-item:: Default Certificate Path - - .. code-block:: shell - - mv myCA.crt ${HOME}/.minio/certs/CAs - - .. 
tab-item:: Custom Certificate Path - - The following example assumes the MinIO Server was started with ``--certs dir /opt/minio/certs``: - - .. code-block:: shell - - mv myCA.crt /opt/minio/certs/CAs/ - - For a self-signed certificate, the Certificate Authority is typically the private key used to sign the cert. - - For certificates signed by an internal, private, or other non-global Certificate Authority, use the same CA that signed the cert. - A non-global CA must include the full chain of trust from the intermediate certificate to the root. - - If the provided file is not an X.509 certificate, MinIO ignores it and may return errors for validating certificates signed by that CA. - -.. cond:: k8s - - If deploying MinIO Tenants with certificates minted by a non-global or non-public Certificate Authority, *or* if using a global CA that requires the use of intermediate certificates, you must provide those CAs to the Operator to ensure it can trust those certificates. - - The Operator may log warnings related to TLS cert validation for Tenants deployed with untrusted certificates. - - The following procedure attaches a secret containing the ``public.crt`` of the Certificate Authority to the MinIO Operator. - You can specify multiple CAs in a single certificate, as long as you maintain the ``BEGIN`` and ``END`` delimiters as-is. - - 1. Create the ``operator-ca-tls`` secret - - The following creates a Kubernetes secret in the MinIO Operator namespace (``minio-operator``). - - .. code-block:: shell - :class: copyable - - kubectl create secret generic operator-ca-tls \ - --from-file=public.crt -n minio-operator - - The ``public.crt`` file must correspond to a valid TLS certificate containing one or more CA definitions. - - 2. Restart the Operator - - Once created, you must restart the Operator to load the new CAs: - - .. code-block:: shell - :class: copyable - - kubectl rollout restart deployments.apps/minio-operator -n minio-operator - - +.. 
toctree:: + :hidden: - + /operations/network-encryption/enable-minio-tls + /operations/network-encryption/enable-multiple-domain-minio-tls + /operations/cert-manager \ No newline at end of file diff --git a/source/operations/network-encryption/enable-minio-tls.rst b/source/operations/network-encryption/enable-minio-tls.rst new file mode 100644 index 000000000..607e40142 --- /dev/null +++ b/source/operations/network-encryption/enable-minio-tls.rst 
@@ -0,0 +1,256 @@
+====================
+Enable TLS for MinIO
+====================
+
+.. default-domain:: minio
+
+.. contents:: Table of Contents
+ :local:
+ :depth: 1
+
+MinIO supports Transport Layer Security (TLS) 1.2+ encryption of incoming and outgoing traffic.
+
+.. tab-set::
+ :class: parent
+
+ .. tab-item:: Kubernetes
+ :sync: k8s
+
+ The MinIO Operator supports the following approaches to enabling TLS on a MinIO Tenant:
+
+ - Automatic TLS provisioning using Kubernetes Cluster Signing Certificates
+ - User-specified TLS using Kubernetes secrets
+ - Certmanager-managed TLS certificates
+
+ .. tab-item:: Baremetal
+ :sync: baremetal
+
+ MinIO automatically detects TLS certificates in the configured or default directory and starts with TLS enabled.
+
+This procedure documents enabling TLS for a single domain in MinIO.
+For instructions on TLS for multiple domains, see TODO
+
+Prerequisites
+-------------
+
+Access to MinIO Cluster
+~~~~~~~~~~~~~~~~~~~~~~~
+
+.. tab-set::
+ :class: hidden
+
+ .. tab-item:: Kubernetes
+ :sync: k8s
+
+ You must have access to the Kubernetes cluster, with administrative permissions associated to your ``kubectl`` configuration.
+
+ This procedure assumes your permission sets extends sufficiently to support deployment or modification of MinIO-associated resources on the Kubernetes cluster, including but not limited to pods, statefulsets, replicasets, deployments, and secrets.
+
+ .. tab-item:: Baremetal
+ :sync: baremetal
+
+ This procedure uses :mc:`mc` for performing operations on the MinIO cluster.
+ Install ``mc`` on a machine with network access to the cluster.
+ See the ``mc`` :ref:`Installation Quickstart ` for instructions on downloading and installing ``mc``.
+
+ This procedure assumes a configured :mc:`alias ` for the MinIO cluster.
+
+ This procedure also assumes SSH or similar shell-level access with administrative permissions to each MinIO host server.
+
+TLS Certificates
+~~~~~~~~~~~~~~~~
+
+Provision the necessary TLS certificates with a :ref:`supported cipher suite ` for use by MinIO.
+
+.. tab-set::
+ :class: hidden
+
+ .. tab-item:: Kubernetes
+ :sync: k8s
+
+ See :ref:`minio-tls-kubernetes` for more complete guidance on the supported Tenant TLS configurations.
+
+ .. tab-item:: Baremetal
+ :sync: k8s
+
+ Provision certificate susing your preferred path, such as through your organizations internal Certificate Authority or by using a well-known global provider such as Digicert or Verisign.
+
+ You can create self-signed certificates using ``openssl`` or the MinIO :minio-git:`certgen ` tool.
+
+ For example, the following command generates a self-signed certificate with a set of IP and DNS Subject Alternate Names (SANs) associated to the MinIO Server hosts:
+
+ .. code-block:: shell
+
+ certgen -host "localhost,minio-*.example.net"
+
+ See :ref:`minio-tls-baremetal` for more complete guidance on certificate generation and placement.
+
+
+Procedure
+---------
+
+.. tab-set::
+ :class: hidden
+
+ .. tab-item:: Kubernetes
+ :sync: k8s
+
+ The MinIO Operator supports three methods of TLS certificate management on MinIO Tenants:
+
+ - MinIO automatic TLS certificate generation
+ - ``cert-manager`` managed TLS certificates
+ - User managed TLS certificates
+
+ You can use any combination of the above methods to enable and configure TLS.
+ MinIO strongly recommends using ``cert-manager`` for user-specified certificates for a streamlined management and renewal proces.
+
+ You can also deploy MinIO Tenants without TLS enabled.
+
+ .. tab-set::
+
+ .. tab-item:: MinIO Auto-TLS
+
+ The following steps apply to both new and existing MinIO Deployments using ``Kustomize``:
+
+ 1. Review the :ref:`Tenant CRD ` ``TenantSpec.requestAutoCert`` and ``TenantSpec.certConfig`` fields.
+
+ For existing MinIO Tenants, review the Kustomize resources used to create the Tenant and introspect those fields and their current configuration, if any.
+
+ 2. Create or Modify your Tenant YAML to set the values of ``requestAutoCert`` and ``certConfig`` as necessary.
+ For example:
+
+ .. code-block:: yaml
+
+ spec:
+ requestAutoCert: true
+ certConfig:
+ commonName: "CN=MinioTenantCommonName"
+ organizationName: "O=MyOrganizationName"
+ dnsNames:
+ - '*.minio-tenant.domain.tld'
+
+ See the :minio-git:`Kustomize Tenant base YAML ` for a baseline template for guidance in creating or modifying your Tenant resource.
+
+ 3. Apply the new Kustomization template
+
+ Once you apply the changes, the MinIO Operator automatically redeploys the Tenant with the updated configuration.
+
+ .. tab-item:: CertManager
+
+ The following steps apply to both new and existing MinIO Deployments using ``Kustomize``:
+
+ 1. Review the :ref:`Tenant CRD ` ``TenantSpec.externalCertsCecret`` fields
+
+ For existing MinIO Tenants, review the Kustomize resources used to create the Tenant and introspect that field's current configuration, if any.
+
+ 2. Create or Modify your Tenant YAML to reference the appropriate ``cert-manager`` resource.
+
+ For example, the following Tenant YAML fragment references a cert-manager resource ``myminio-tls``:
+
+ .. code-block:: yaml
+
+ apiVersion: minio.min.io/v2
+ kind: Tenant
+ metadata:
+ name: myminio
+ namespace: minio-tenant
+ spec:
+ ## Disable default tls certificates.
+ requestAutoCert: false
+ ## Use certificates generated by cert-manager.
+ externalCertSecret:
+ - name: myminio-tls
+ type: cert-manager.io/v1
+
+ 3. Apply the new Kustomization Template
+
+ Once you apply the changes, the MinIO Operator automatically redeploys the Tenant with the updated configuration.
+
+ .. tab-item:: User-Managed
+
+ The following steps apply to both new and existing MinIO deployments using ``Kustomize``:
+
+ 1. Review the :ref:`Tenant CRD ` ``TenantSpec.externalCertSecret`` field.
+
+ For existing MinIO Tenants, review the Kustomize resources used to create the Tenant and introspect that field's current configuration, if any.
+
+ 2. Create or modify your Tenant YAML to reference a secret of type ``kubernetes.io/tls``:
+
+ For example, the following Tenant YAML fragment references a TLS secret which covers the domain on which the MinIO Tenant accepts connections.
+
+ .. code-block:: yaml
+
+ apiVersion: minio.min.io/v2
+ kind: Tenant
+ metadata:
+ name: myminio
+ namespace: minio-tenant
+ spec:
+ ## Disable default tls certificates.
+ requestAutoCert: false
+ ## Use certificates generated by cert-manager.
+ externalCertSecret:
+ - name: domain-certificate
+ type: kubernetes.io/tls
+
+ 3. Apply the new Kustomization Template
+
+ Once you apply the changes, the MinIO Operator automatically redeploys the Tenant with the updated configuration.
+
+ .. tab-item:: Baremetal
+ :sync: baremetal
+
+ The MinIO Server searches for TLS keys and certificates for each node and uses those credentials for enabling TLS.
+ MinIO automatically enables TLS upon discovery and validation of certificates.
+ The search location depends on your MinIO configuration:
+
+ .. tab-set::
+
+ .. tab-item:: Default Path
+
+ By default, the MinIO server looks for the TLS keys and certificates for each node in the following directory:
+
+ .. code-block:: shell
+
+ ${HOME}/.minio/certs
+
+ Where ``${HOME}`` is the home directory of the user running the MinIO Server process.
+ You may need to create the ``${HOME}/.minio/certs`` directory if it does not exist.
+
+ For ``systemd`` managed deployments this must correspond to the ``USER`` running the MinIO process.
+ If that user has no home directory, use the :guilabel:`Custom Path` option instead.
+
+ .. tab-item:: Custom Path
+
+ You can specify a path for the MinIO server to search for certificates using the :mc-cmd:`minio server --certs-dir` or ``-S`` parameter.
+
+ For example, the following command fragment directs the MinIO process to use the ``/opt/minio/certs`` directory for TLS certificates.
+
+ .. code-block:: shell
+
+ minio server --certs-dir /opt/minio/certs ...
+
+ The user running the MinIO service *must* have read and write permissions to this directory.
+
+ Place the TLS certificates for the default domain (e.g. ``minio.example.net``) in the ``/certs`` directory, with the private key as ``private.key`` and public certificate as ``public.crt``.
+
+ For example:
+
+ .. code-block:: shell
+
+ /path/to/certs
+ private.key
+ public.crt
+
+ You can use the MinIO :minio-git:`certgen ` to mint self-signed certificates for evaluating MinIO with TLS enabled.
+ For example, the following command generates a self-signed certificate with a set of IP and DNS Subject Alternate Names (SANs) associated to the MinIO Server hosts:
+
+ .. code-block:: shell
+
+ certgen -host "localhost,minio-*.example.net"
+
+ Place the generated ``public.crt`` and ``private.key`` into the ``/path/to/certs`` directory to enable TLS for the MinIO deployment.
+ Applications can use the ``public.crt`` as a trusted Certificate Authority to allow connections to the MinIO deployment without disabling certificate validation.
+
+ If you are reconfiguring an existing deployment that did not previously have TLS enabled, update :envvar:`MINIO_VOLUMES` to specify ``https`` instead of ``http``.
+ You may also need to update URLs used by applications or clients.
\ No newline at end of file
diff --git a/source/operations/network-encryption/enable-multiple-domain-minio-tls.rst b/source/operations/network-encryption/enable-multiple-domain-minio-tls.rst
new file mode 100644
index 000000000..2f4e51242
--- /dev/null
+++ b/source/operations/network-encryption/enable-multiple-domain-minio-tls.rst
@@ -0,0 +1,266 @@
+====================================
+Enable Multiple Domain TLS for MinIO
+====================================
+
+.. default-domain:: minio
+
+.. contents:: Table of Contents
+ :local:
+ :depth: 1
+
+MinIO supports Transport Layer Security (TLS) 1.2+ encryption of incoming and outgoing traffic.
+
+.. tab-set::
+ :class: parent
+
+ .. tab-item:: Kubernetes
+ :sync: k8s
+
+ The MinIO Operator supports the following approaches to enabling TLS on a MinIO Tenant:
+
+ - Automatic TLS provisioning using Kubernetes Cluster Signing Certificates
+ - User-specified TLS using Kubernetes secrets
+ - Certmanager-managed TLS certificates
+
+ The MinIO Operator supports attaching user-specified TLS certificates when :ref:`deploying ` or :ref:`modifying ` the MinIO Tenant.
+
+ These custom certificates support `Server Name Indication (SNI) `__, where the MinIO server identifies which certificate to use based on the hostname specified by the connecting client.
+ For example, you can generate certificates signed by your organization's preferred Certificate Authority (CA) and attach those to the MinIO Tenant.
+ Applications which trust that :abbr:`CA (Certificate Authority)` can connect to the MinIO Tenant and fully validate the Tenant TLS certificates.
+
+ .. tab-item:: Baremetal
+ :sync: baremetal
+
+ MinIO automatically detects TLS certificates in the configured or default directory and starts with TLS enabled.
+
+ The MinIO server supports multiple TLS certificates, where the server uses `Server Name Indication (SNI) `__ to identify which certificate to use when responding to a client request.
+ When a client connects using a specific hostname, MinIO uses :abbr:`SNI (Server Name Indication)` to select the appropriate TLS certificate for that hostname.
+
+This procedure documents enabling TLS for multiple domains in MinIO.
+For instructions on TLS for single domains, see TODO
+
+Prerequisites
+-------------
+
+Access to MinIO Cluster
+~~~~~~~~~~~~~~~~~~~~~~~
+
+.. tab-set::
+ :class: hidden
+
+ .. tab-item:: Kubernetes
+ :sync: k8s
+
+ You must have access to the Kubernetes cluster, with administrative permissions associated to your ``kubectl`` configuration.
+
+ This procedure assumes your permission sets extends sufficiently to support deployment or modification of MinIO-associated resources on the Kubernetes cluster, including but not limited to pods, statefulsets, replicasets, deployments, and secrets.
+
+ .. tab-item:: Baremetal
+ :sync: baremetal
+
+ This procedure uses :mc:`mc` for performing operations on the MinIO cluster.
+ Install ``mc`` on a machine with network access to the cluster.
+ See the ``mc`` :ref:`Installation Quickstart ` for instructions on downloading and installing ``mc``.
+
+ This procedure assumes a configured :mc:`alias ` for the MinIO cluster.
+
+ This procedure also assumes SSH or similar shell-level access with administrative permissions to each MinIO host server.
+
+TLS Certificates
+~~~~~~~~~~~~~~~~
+
+Provision the necessary TLS certificates with a :ref:`supported cipher suite ` for use by MinIO.
+
+.. tab-set::
+ :class: hidden
+
+ .. tab-item:: Kubernetes
+ :sync: k8s
+
+ See :ref:`minio-tls-kubernetes` for more complete guidance on the supported Tenant TLS configurations.
+
+ .. tab-item:: Baremetal
+ :sync: baremetal
+
+ Provision certificate susing your preferred path, such as through your organizations internal Certificate Authority or by using a well-known global provider such as Digicert or Verisign.
+
+ You can create self-signed certificates using ``openssl`` or the MinIO :minio-git:`certgen ` tool.
+
+ For example, the following command generates a self-signed certificate with a set of IP and DNS Subject Alternate Names (SANs) associated to the MinIO Server hosts:
+
+ .. code-block:: shell
+
+ certgen -host "localhost,minio-*.example.net"
+
+ See :ref:`minio-tls-baremetal` for more complete guidance on certificate generation and placement.
+
+Procedure
+---------
+
+.. tab-set::
+ :class: hidden
+
+ .. tab-item:: Kubernetes
+ :sync: k8s
+
+ The MinIO Operator supports three methods of TLS certificate management on MinIO Tenants:
+
+ - MinIO automatic TLS certificate generation
+ - User-specified TLS certificates
+ - ``cert-manager`` managed TLS certificates
+
+ You can also deploy MinIO Tenants without TLS enabled.
+
+ .. tab-set::
+
+ .. tab-item:: MinIO Auto-TLS
+
+ The following steps apply to both new and existing MinIO Deployments using ``Kustomize``:
+
+ 1. Review the :ref:`Tenant CRD ` ``TenantSpec.requestAutoCert`` and ``TenantSpec.certConfig`` fields.
+
+ For existing MinIO Tenants, review the Kustomize resources used to create the Tenant and introspect those fields and their current configuration, if any.
+
+ 2. Create or Modify your Tenant YAML to set the values of ``requestAutoCert`` and ``certConfig`` as necessary.
+ For example:
+
+ .. code-block:: yaml
+
+ spec:
+ requestAutoCert: true
+ certConfig:
+ commonName: "CN=MinioTenantCommonName"
+ organizationName: "O=MyOrganizationName"
+ dnsNames:
+ - 'minio-tenant.domain.tld'
+ - '*.kubernete.cluster.dns.path.tld'
+
+ The ``spec.certConfig.dnsNames`` should contain a list of :abbr:`SAN (Subject Alternate Names)` the TLS certificate covers.
+
+ See the :minio-git:`Kustomize Tenant base YAML ` for a baseline template for guidance in creating or modifying your Tenant resource.
+
+ 3. Apply the new Kustomization template
+
+ Once you apply the changes, the MinIO Operator automatically redeploys the Tenant with the updated configuration.
+
+ .. tab-item:: CertManager
+
+ The following steps apply to both new and existing MinIO Deployments using ``Kustomize``:
+
+ 1. Review the :ref:`Tenant CRD ` ``TenantSpec.externalCertsCecret`` fields
+
+ For existing MinIO Tenants, review the Kustomize resources used to create the Tenant and introspect that field's current configuration, if any.
+
+ 2. Create or Modify your Tenant YAML to reference the appropriate ``cert-manager`` resources.
+
+ For example, the following Tenant YAML fragment references a cert-manager resource ``myminio-tls``:
+
+ .. code-block:: yaml
+
+ apiVersion: minio.min.io/v2
+ kind: Tenant
+ metadata:
+ name: myminio
+ namespace: minio-tenant
+ spec:
+ ## Disable default tls certificates.
+ requestAutoCert: false
+ ## Use certificates generated by cert-manager.
+ externalCertSecret:
+ - name: default-domain
+ type: cert-manager.io/v1
+ - name: internal-domain
+ type: cert-manager.io/v1
+ - name: external-domain
+ type: cert-manager.io/v1
+
+ 3. Apply the new Kustomization Template
+
+ Once you apply the changes, the MinIO Operator automatically redeploys the Tenant with the updated configuration.
+
+
+ .. tab-item:: User-Specified
+
+ The following steps apply to both new and existing MinIO deployments using ``Kustomize``:
+
+ 1. Review the :ref:`Tenant CRD ` ``TenantSpec.externalCertSecret`` field.
+
+ For existing MinIO Tenants, review the Kustomize resources used to create the Tenant and introspect that field's current configuration, if any.
+
+ 2. Create or modify your Tenant YAML to reference a secret of type ``kubernetes.io/tls``:
+
+ For example, the following Tenant YAML fragment references two TLS secrets for each domain for which the MinIO Tenant accepts connections:
+
+ .. code-block:: yaml
+
+ apiVersion: minio.min.io/v2
+ kind: Tenant
+ metadata:
+ name: myminio
+ namespace: minio-tenant
+ spec:
+ ## Disable default tls certificates.
+ requestAutoCert: false
+ ## Use certificates generated by cert-manager.
+ externalCertSecret:
+ - name: domain-certificate-1
+ type: kubernetes.io/tls
+ - name: domain-certificate-2
+ type: kubernetes.io/tls
+
+ 3. Apply the new Kustomization Template
+
+ Once you apply the changes, the MinIO Operator automatically redeploys the Tenant with the updated configuration.
+
+ .. tab-item:: Baremetal
+ :sync: baremetal
+
+ The MinIO Server searches for TLS keys and certificates for each node and uses those credentials for enabling TLS.
+ MinIO automatically enables TLS upon discovery and validation of certificates.
+ The search location depends on your MinIO configuration:
+
+ .. tab-set::
+
+ .. tab-item:: Default Path
+ :sync: baremetal-default
+
+ By default, the MinIO server looks for the TLS keys and certificates for each node in the following directory:
+
+ .. code-block:: shell
+
+ ${HOME}/.minio/certs
+
+ Where ``${HOME}`` is the home directory of the user running the MinIO Server process.
+ You may need to create the ``${HOME}/.minio/certs`` directory if it does not exist.
+
+ For ``systemd`` managed deployments this must correspond to the ``USER`` running the MinIO process.
+ If that user has no home directory, use the :guilabel:`Custom Path` option instead.
+
+ .. tab-item:: Custom Path
+ :sync: baremetal-custom
+
+ You can specify a path for the MinIO server to search for certificates using the :mc-cmd:`minio server --certs-dir` or ``-S`` parameter.
+
+ For example, the following command fragment directs the MinIO process to use the ``/opt/minio/certs`` directory for TLS certificates.
+
+ .. code-block:: shell
+
+ minio server --certs-dir /opt/minio/certs ...
+
+ The user running the MinIO service *must* have read and write permissions to this directory.
+
+ Place the certificates in the ``/certs`` folder, creating a subfolder in ``/certs`` for each additional domain for which MinIO should present TLS certificates.
+ While MinIO has no requirements for folder names, consider creating subfolders whose name matches the domain to improve human readability.
+ Place the TLS private and public key for that domain in the subfolder.
+
+ .. 
code-block:: shell + + /path/to/certs + private.key + public.crt + s3-example.net/ + private.key + public.crt + internal-example.net/ + private.key + public.crt diff --git a/source/operations/install-deploy-manage/multi-site-replication.rst b/source/operations/replication/multi-site-replication.rst similarity index 98% rename from source/operations/install-deploy-manage/multi-site-replication.rst rename to source/operations/replication/multi-site-replication.rst index eb5b3a2e3..6bf5b0eb8 100644 --- a/source/operations/install-deploy-manage/multi-site-replication.rst +++ b/source/operations/replication/multi-site-replication.rst @@ -26,10 +26,8 @@ Deployments using an external IDP must use the same configuration across sites. For more information on site replication architecture and deployment concepts, see :ref:`Deployment Architecture: Replicated MinIO Deployments `. -.. cond:: macos or windows or container - - MinIO does not recommend using |platform| hosts for site replication outside of early development, evaluation, or general experimentation. - For production, use :minio-docs:`Linux ` or :minio-docs:`Kubernetes ` +MinIO does not recommend using MacOS, Windows, or non-orchestrated Containerized deployments for site replication outside of early development, evaluation, or general experimentation. +For production, use :minio-docs:`Linux ` or :minio-docs:`Kubernetes ` Overview -------- diff --git a/source/operations/server-side-encryption/configure-minio-kes.rst b/source/operations/server-side-encryption/configure-minio-kes.rst index 45cce14ab..406a48913 100644 --- a/source/operations/server-side-encryption/configure-minio-kes.rst +++ b/source/operations/server-side-encryption/configure-minio-kes.rst 
@@ -27,70 +27,39 @@ Server-Side Object Encryption with KES .. Conditionals to handle the slight divergences in procedures between platforms. -.. cond:: linux +.. tab-set:: + :class: parent - This procedure provides guidance for deploying MinIO configured to use KES and enable :ref:`Server Side Encryption `. - For instructions on running KES, see the :kes-docs:`KES docs `. + .. tab-item:: Kubernetes + :sync: k8s - As part of this procedure, you will: + This procedure assumes you have access to a Kubernetes cluster with an active MinIO Operator installation. + For instructions on running KES, see the :kes-docs:`KES docs `. - #. Create a new |EK| for use with |SSE|. + As part of this procedure, you will: - #. Create or modify a MinIO deployment with support for |SSE| using |KES|. - Defer to the :ref:`Deploy Distributed MinIO ` tutorial for guidance on production-ready MinIO deployments. + #. Create or modify a MinIO deployment with support for |SSE| using |KES|. + Defer to the :ref:`Deploy Distributed MinIO ` tutorial for guidance on production-ready MinIO deployments. - #. Configure automatic bucket-default :ref:`SSE-KMS ` + #. Use the MinIO Operator Console to create or manage a MinIO Tenant. + #. Access the :guilabel:`Encryption` settings for that tenant and configure |SSE| using a :kes-docs:`supported Key Management System <#supported-kms-targets>`. + #. Create a new |EK| for use with |SSE|. + #. Configure automatic bucket-default :ref:`SSE-KMS `. -.. cond:: macos or windows + .. tab-item:: Baremetal + :sync: baremetal - This procedure assumes a single local host machine running the MinIO and KES processes. - For instructions on running KES, see the :kes-docs:`KES docs `. - - .. note:: - - For production orchestrated environments, use the MinIO Kubernetes Operator to deploy a tenant with |SSE| enabled and configured for use with your |KMS|. 
- - For production baremetal environments, see the `MinIO on Linux documentation `__ for tutorials on configuring MinIO with KES and your |KMS|. - - As part of this procedure, you will: - - #. Create a new |EK| for use with |SSE|. - - #. Deploy a MinIO server in :ref:`Single-Node Single-Drive mode ` configured to use the |KES| container for supporting |SSE|. - - #. Configure automatic bucket-default :ref:`SSE-KMS `. - - -.. cond:: container - - This procedure assumes that you use a single host machine to run both the MinIO and KES containers. - For instructions on running KES, see the :kes-docs:`KES docs `. - - As part of this procedure, you will: - - #. Create a new |EK| for use with |SSE|. + This procedure provides guidance for deploying MinIO configured to use KES and enable :ref:`Server Side Encryption `. + For instructions on running KES, see the :kes-docs:`KES docs `. - #. Deploy a MinIO Server container in :ref:`Single-Node Single-Drive mode ` configured to use the |KES| container for supporting |SSE|. + As part of this procedure, you will: - #. Configure automatic bucket-default :ref:`SSE-KMS `. + #. Create a new |EK| for use with |SSE|. - For production orchestrated environments, use the MinIO Kubernetes Operator to deploy a tenant with |SSE| enabled and configured for use with your |KMS|. + #. Create or modify a MinIO deployment with support for |SSE| using |KES|. + Defer to the :ref:`Deploy Distributed MinIO ` tutorial for guidance on production-ready MinIO deployments. - For production baremetal environments, see the `MinIO on Linux documentation `__ for tutorials on configuring MinIO with KES and your |KMS|. - -.. cond:: k8s - - This procedure assumes you have access to a Kubernetes cluster with an active MinIO Operator installation. - For instructions on running KES, see the :kes-docs:`KES docs `. - - As part of this procedure, you will: - - #. Use the MinIO Operator Console to create or manage a MinIO Tenant. - #. 
Access the :guilabel:`Encryption` settings for that tenant and configure |SSE| using a :kes-docs:`supported Key Management System <#supported-kms-targets>`. - #. Create a new |EK| for use with |SSE|. - #. Configure automatic bucket-default :ref:`SSE-KMS `. - - For production baremetal environments, see the `MinIO on Linux documentation `__ for tutorials on configuring MinIO with KES and your |KMS|. + #. Configure automatic bucket-default :ref:`SSE-KMS ` .. important:: 
@@ -101,43 +70,64 @@ Server-Side Object Encryption with KES Prerequisites ------------- -.. cond:: k8s +Access to MinIO Cluster +~~~~~~~~~~~~~~~~~~~~~~~ + +.. tab-set:: + :class: hidden - MinIO Kubernetes Operator - ~~~~~~~~~~~~~~~~~~~~~~~~~ + .. tab-item:: Kubernetes + :sync: k8s - .. include:: /includes/k8s/common-operator.rst - :start-after: start-requires-operator-plugin - :end-before: end-requires-operator-plugin + You must have access to the Kubernetes cluster, with administrative permissions associated to your ``kubectl`` configuration. + + This procedure assumes your permission sets extends sufficiently to support deployment or modification of MinIO-associated resources on the Kubernetes cluster, including but not limited to pods, statefulsets, replicasets, deployments, and secrets. - See :ref:`deploy-operator-kubernetes` for complete documentation on deploying the MinIO Operator. + .. tab-item:: Baremetal + :sync: baremetal + + This procedure uses :mc:`mc` for performing operations on the MinIO cluster. + Install ``mc`` on a machine with network access to the cluster. + See the ``mc`` :ref:`Installation Quickstart ` for instructions on downloading and installing ``mc``. + + This procedure assumes a configured :mc:`alias ` for the MinIO cluster. .. _minio-sse-vault-prereq-vault: Ensure KES Access to a Supported KMS Target ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.. cond:: linux or macos or windows or container +.. tab-set:: + :class: hidden - This procedure assumes an existing KES installation connected to a supported |KMS| installation accessible, both accessible from the local host. - Refer to the installation instructions for your :kes-docs:`supported KMS target <#supported-kms-targets>` to deploy KES and connect it to a KMS solution. - - .. admonition:: KES Operations Require Unsealed Target - :class: important - - Some supported |KMS| targets allow you to seal or unseal the vault instance. 
- KES returns an error if the configured |KMS| service is sealed. - - If you restart or otherwise seal your vault instance, KES cannot perform any cryptographic operations against the vault. - You must unseal the Vault to ensure normal operations. + .. tab-item:: Kubernetes + :sync: k8s + + This procedure assumes an existing :kes-docs:`supported KMS installation <#supported-kms-targets>` accessible from the Kubernetes cluster. + + - For deployments within the same Kubernetes cluster as the MinIO Tenant, you can use Kubernetes service names to allow the MinIO Tenant to establish connectivity to the target KMS service. + + - For deployments external to the Kubernetes cluster, you must ensure the cluster supports routing communications between Kubernetes services and pods and the external network. + This may require configuration or deployment of additional Kubernetes network components and/or enabling access to the public internet. + + Defer to the documentation for your chosen KMS solution for guidance on deployment and configuration. + + .. tab-item:: Baremetal + :sync: baremetal + + This procedure assumes an existing KES installation connected to a supported |KMS| installation accessible, both accessible from the local host. + Refer to the installation instructions for your :kes-docs:`supported KMS target <#supported-kms-targets>` to deploy KES and connect it to a KMS solution. - See the documentation for your chosen |KMS| solution for more information on whether unsealing may be required. +.. admonition:: KES Operations Require Unsealed Target + :class: important + + Some supported |KMS| targets allow you to seal or unseal the vault instance. + KES returns an error if the configured |KMS| service is sealed. -.. cond:: k8s + If you restart or otherwise seal your vault instance, KES cannot perform any cryptographic operations against the vault. + You must unseal the Vault to ensure normal operations. - .. 
include:: /includes/k8s/common-minio-kes.rst - :start-after: start-kes-prereq-hashicorp-vault-desc - :end-before: end-kes-prereq-hashicorp-vault-desc + See the documentation for your chosen |KMS| solution for more information on whether unsealing may be required. Refer to the configuration instruction in the :kes-docs:`KES documentation <>` for your chosen supported |KMS|: 
@@ -149,76 +139,25 @@ Refer to the configuration instruction in the :kes-docs:`KES documentation <>` f - :kes-docs:`HashiCorp Vault ` - :kes-docs:`Thales CipherTrust Manager (formerly Gemalto KeySecure) ` +Procedure +--------- -.. cond:: linux or macos or windows - - Deploy or Ensure Access to a MinIO Deployment - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - .. include:: /includes/common/common-minio-kes.rst - :start-after: start-kes-new-existing-minio-deployment-desc - :end-before: end-kes-new-existing-minio-deployment-desc - -.. cond:: container - - Install Podman or a Similar Container Management Interface - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - .. include:: /includes/container/common-deploy.rst - :start-after: start-common-prereq-container-management-interface - :end-before: end-common-prereq-container-management-interface - -.. The included file has the correct header structure. - There are slight divergences between platforms so this ends up being easier compared to cascading conditionals to handle little nitty-gritty differences. - -.. |namespace| replace:: minio-kes-vault - -.. cond:: container - - .. |kescertpath| replace:: ~/minio-kes-vault/certs - .. |kesconfigpath| replace:: ~/minio-kes-vault/config - .. |kesconfigcertpath| replace:: /certs/ - .. |miniocertpath| replace:: ~/minio-kes-vault/certs - .. |minioconfigpath| replace:: ~/minio-kes-vault/config - .. |miniodatapath| replace:: ~/minio-kes-vault/minio - - .. include:: /includes/container/steps-configure-minio-kes-hashicorp.rst - -.. cond:: linux - - .. |kescertpath| replace:: /opt/kes/certs - .. |kesconfigpath| replace:: /opt/kes/config - .. |kesconfigcertpath| replace:: /opt/kes/certs/ - .. |miniocertpath| replace:: /opt/minio/certs - .. |minioconfigpath| replace:: /opt/minio/config - .. |miniodatapath| replace:: ~/minio - - .. include:: /includes/linux/steps-configure-minio-kes-hashicorp.rst - -.. cond:: macos - - .. 
|kescertpath| replace:: ~/minio-kes-vault/certs - .. |kesconfigpath| replace:: ~/minio-kes-vault/config - .. |kesconfigcertpath| replace:: ~/minio-kes-vault/certs - .. |miniocertpath| replace:: ~/minio-kes-vault/certs - .. |minioconfigpath| replace:: ~/minio-kes-vault/config - .. |miniodatapath| replace:: ~/minio-kes-vault/minio - - .. include:: /includes/macos/steps-configure-minio-kes-hashicorp.rst +This procedure provides instructions for configuring and enabling Server-Side Encryption using your selected `supported KMS solution `__ in production environments. +Specifically, this procedure assumes the following: -.. cond:: k8s +- An existing production-grade KMS target +- One or more KES servers connected to the KMS target +- One or more hosts for a new or existing MinIO deployment - .. include:: /includes/k8s/steps-configure-minio-kes-hashicorp.rst +.. tab-set:: + :class: hidden -.. cond:: windows + .. tab-item:: Kubernetes + :sync: k8s - .. |kescertpath| replace:: C:\\minio-kes-vault\\certs - .. |kesconfigpath| replace:: C:\\minio-kes-vault\\config - .. |kesconfigcertpath| replace:: C:\\minio-kes-vault\\certs\\ - .. |miniocertpath| replace:: C:\\minio-kes-vault\\certs - .. |minioconfigpath| replace:: C:\\minio-kes-vault\\config - .. |miniodatapath| replace:: C:\\minio-kes-vault\\minio + .. include:: /includes/k8s/steps-configure-minio-kes-hashicorp.rst - .. include:: /includes/windows/steps-configure-minio-kes-hashicorp.rst + .. tab-item:: Baremetal + :sync: baremetal -.. Procedure for K8s only, for adding KES to an existing Tenant + .. include:: /includes/linux/steps-configure-minio-kes-hashicorp.rst diff --git a/source/reference/baremetal.rst b/source/reference/baremetal.rst new file mode 100644 index 000000000..295fc31f9 --- /dev/null +++ b/source/reference/baremetal.rst 
@@ -0,0 +1,15 @@ +=================== +Baremetal Reference +=================== + +.. default-domain:: minio + +This page acts as an index for MinIO Baremetal references. + +.. toctree:: + :titlesonly: + + /reference/minio-mc + /reference/minio-mc-admin + /reference/minio-server/minio-server + /reference/minio-mc-deprecated \ No newline at end of file diff --git a/source/reference/kubernetes.rst b/source/reference/kubernetes.rst new file mode 100644 index 000000000..4a51d105b --- /dev/null +++ b/source/reference/kubernetes.rst @@ -0,0 +1,15 @@ +==================== +Kubernetes Reference +==================== + +.. default-domain:: minio + +This page acts as an index for MinIO-specific Kubernetes references. + +.. toctree:: + :titlesonly: + + /reference/operator-crd + /reference/operator-environment-variables + /reference/operator-chart-values + /reference/tenant-chart-values \ No newline at end of file diff --git a/source/reference/minio-mc-admin/mc-admin-update.rst b/source/reference/minio-mc-admin/mc-admin-update.rst index afe946428..be4d8c9b2 100644 --- a/source/reference/minio-mc-admin/mc-admin-update.rst +++ b/source/reference/minio-mc-admin/mc-admin-update.rst @@ -105,4 +105,4 @@ Binary Compression :mc-cmd:`mc admin update` compresses the binary before sending to all nodes in the deployment. -This feature does not apply to :ref:`systemctl managed deployments `. \ No newline at end of file +This feature does not apply to :ref:`systemctl managed deployments `. \ No newline at end of file diff --git a/source/reference/minio-mc-admin/mc-admin-user-info.rst b/source/reference/minio-mc-admin/mc-admin-user-info.rst index 260ae3821..40e2c6545 100644 --- a/source/reference/minio-mc-admin/mc-admin-user-info.rst +++ b/source/reference/minio-mc-admin/mc-admin-user-info.rst 
@@ -114,7 +114,7 @@ For a :ref:`third-party ` identity service s View Policies from Group Membership ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Use :mc-cmd:`mc admin user info` with :std:option:`--json ` to view the policies inherited from a user's :ref:`group memberships `: +Use :mc-cmd:`mc admin user info` with :option::`--json ` to view the policies inherited from a user's :ref:`group memberships `: .. code-block:: shell :class: copyable diff --git a/source/reference/minio-mc/mc-ilm-rule-ls.rst b/source/reference/minio-mc/mc-ilm-rule-ls.rst index bd408b74f..69c3c62fb 100644 --- a/source/reference/minio-mc/mc-ilm-rule-ls.rst +++ b/source/reference/minio-mc/mc-ilm-rule-ls.rst @@ -148,7 +148,7 @@ Use :mc:`mc ilm rule ls` to list a bucket's lifecycle management rules: Show Policy Modification Time ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Use :mc:`mc ilm rule ls` with :std:option:`--json ` to show the time the policy for a bucket was last updated. +Use :mc:`mc ilm rule ls` with :option::`--json ` to show the time the policy for a bucket was last updated. .. code-block:: shell :class: copyable diff --git a/source/reference/minio-mc/mc-stat.rst b/source/reference/minio-mc/mc-stat.rst index ee35a723f..472fae455 100644 --- a/source/reference/minio-mc/mc-stat.rst +++ b/source/reference/minio-mc/mc-stat.rst @@ -137,6 +137,13 @@ Parameters - :mc-cmd:`~mc stat --rewind` - :mc-cmd:`~mc stat --recursive` +Global Flags +~~~~~~~~~~~~ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-globals + :end-before: end-minio-mc-globals + Examples -------- diff --git a/source/url-excludes.yaml b/source/url-excludes.yaml deleted file mode 100644 index 17605168a..000000000 --- a/source/url-excludes.yaml +++ /dev/null 
@@ -1,235 +0,0 @@ -tag: linux -excludes: -- 'operations/install-deploy-manage/deploy-minio-tenant.rst' -- 'operations/install-deploy-manage/modify-minio-tenant.rst' -- 'operations/install-deploy-manage/deploy-operator-helm.rst' -- 'operations/install-deploy-manage/deploy-operator-kustomize.rst' -- 'operations/install-deploy-manage/expand-minio-tenant.rst' -- 'operations/install-deploy-manage/upgrade-minio-tenant.rst' -- 'operations/install-deploy-manage/upgrade-minio-operator.rst' -- 'operations/install-deploy-manage/delete-minio-tenant.rst' -- 'operations/install-deploy-manage/minio-operator-console.rst' -- 'operations/install-deploy-manage/deploy-minio-tenant-helm.rst' -- 'operations/install-deploy-manage/deploy-operator-kustomize.rst' -- 'operations/deploy-manage-tenants.rst' -- 'operations/cert-manager.rst' -- 'operations/cert-manager/cert-manager-operator.rst' -- 'operations/cert-manager/cert-manager-tenants.rst' -- 'developers/sts-for-operator.rst' -- 'reference/kubectl-minio-plugin.rst' -- 'reference/kubectl-minio-plugin/kubectl-minio-delete.rst' -- 'reference/kubectl-minio-plugin/kubectl-minio-init.rst' -- 'reference/kubectl-minio-plugin/kubectl-minio-proxy.rst' -- 'reference/kubectl-minio-plugin/kubectl-minio-tenant-create.rst' -- 'reference/kubectl-minio-plugin/kubectl-minio-tenant-delete.rst' -- 'reference/kubectl-minio-plugin/kubectl-minio-tenant-expand.rst' -- 'reference/kubectl-minio-plugin/kubectl-minio-tenant-info.rst' -- 'reference/kubectl-minio-plugin/kubectl-minio-tenant-list.rst' -- 'reference/kubectl-minio-plugin/kubectl-minio-tenant-report.rst' -- 'reference/kubectl-minio-plugin/kubectl-minio-tenant-upgrade.rst' -- 'reference/kubectl-minio-plugin/kubectl-minio-tenant.rst' -- 'reference/kubectl-minio-plugin/kubectl-minio-version.rst' -- 'reference/operator-crd.rst' -- 'reference/operator-chart-values.rst' -- 'reference/operator-environment-variables.rst' -- 'reference/tenant-chart-values.rst' ---- -tag: macos -excludes: -- 
'operations/install-deploy-manage/deploy-minio-multi-node-multi-drive.rst' -- 'operations/install-deploy-manage/expand-minio-deployment.rst' -- 'operations/install-deploy-manage/decommission-server-pool.rst' -- 'operations/install-deploy-manage/deploy-minio-tenant.rst' -- 'operations/install-deploy-manage/deploy-operator-helm.rst' -- 'operations/install-deploy-manage/deploy-operator-kustomize.rst' -- 'operations/install-deploy-manage/modify-minio-tenant.rst' -- 'operations/install-deploy-manage/expand-minio-tenant.rst' -- 'operations/install-deploy-manage/upgrade-minio-tenant.rst' -- 'operations/install-deploy-manage/upgrade-minio-operator.rst' -- 'operations/install-deploy-manage/delete-minio-tenant.rst' -- 'operations/install-deploy-manage/minio-operator-console.rst' -- 'operations/install-deploy-manage/deploy-minio-tenant-helm.rst' -- 'operations/install-deploy-manage/deploy-operator-kustomize.rst' -- 'operations/deploy-manage-tenants.rst' -- 'operations/cert-manager.rst' -- 'operations/cert-manager/cert-manager-operator.rst' -- 'operations/cert-manager/cert-manager-tenants.rst' -- 'reference/kubectl-minio-plugin*' -- 'reference/minio-server*' -- 'reference/minio-mc*' -- 'reference/deprecated/*' -- 'reference/operator-crd.rst' -- 'reference/operator-chart-values.rst' -- 'reference/operator-environment-variables.rst' -- 'reference/tenant-chart-values.rst' -- 'reference/s3-api-compatibility.rst' -- 'developers/*' -- 'integrations/*' ---- -tag: windows -excludes: -- 'operations/install-deploy-manage/expand-minio-deployment.rst' -- 'operations/install-deploy-manage/upgrade-minio-deployment.rst' -- 'operations/install-deploy-manage/decommission-server-pool.rst' -- 'operations/install-deploy-manage/migrate-fs-gateway.rst' -- 'operations/manage-existing-deployments.rst' -- 'operations/install-deploy-manage/deploy-minio-single-node-multi-drive.rst' -- 'operations/install-deploy-manage/deploy-minio-multi-node-multi-drive.rst' -- 
'operations/install-deploy-manage/deploy-operator-helm.rst' -- 'operations/install-deploy-manage/deploy-operator-kustomize.rst' -- 'operations/install-deploy-manage/multi-site-replication.rst' -- 'operations/install-deploy-manage/deploy-minio-tenant.rst' -- 'operations/install-deploy-manage/modify-minio-tenant.rst' -- 'operations/install-deploy-manage/expand-minio-tenant.rst' -- 'operations/install-deploy-manage/upgrade-minio-tenant.rst' -- 'operations/install-deploy-manage/upgrade-minio-operator.rst' -- 'operations/install-deploy-manage/delete-minio-tenant.rst' -- 'operations/install-deploy-manage/minio-operator-console.rst' -- 'operations/install-deploy-manage/deploy-minio-tenant-helm.rst' -- 'operations/install-deploy-manage/deploy-operator-kustomize.rst' -- 'operations/deploy-manage-tenants.rst' -- 'operations/cert-manager.rst' -- 'operations/cert-manager/cert-manager-operator.rst' -- 'operations/cert-manager/cert-manager-tenants.rst' -- 'reference/kubectl-minio-plugin*' -- 'reference/minio-server*' -- 'reference/minio-mc*' -- 'reference/deprecated/*' -- 'reference/operator-crd.rst' -- 'reference/operator-chart-values.rst' -- 'reference/operator-environment-variables.rst' -- 'reference/tenant-chart-values.rst' -- 'reference/s3-api-compatibility.rst' -- 'developers/*' -- 'integrations/*' ---- -tag: container -excludes: -- 'operations/install-deploy-manage/deploy-minio-tenant.rst' -- 'operations/install-deploy-manage/deploy-operator-helm.rst' -- 'operations/install-deploy-manage/deploy-operator-kustomize.rst' -- 'operations/install-deploy-manage/modify-minio-tenant.rst' -- 'operations/install-deploy-manage/expand-minio-tenant.rst' -- 'operations/install-deploy-manage/upgrade-minio-tenant.rst' -- 'operations/install-deploy-manage/upgrade-minio-operator.rst' -- 'operations/install-deploy-manage/delete-minio-tenant.rst' -- 'operations/install-deploy-manage/minio-operator-console.rst' -- 'operations/install-deploy-manage/deploy-minio-multi-node-multi-drive.rst' -- 
'operations/install-deploy-manage/multi-site-replication.rst' -- 'operations/install-deploy-manage/decommission-server-pool.rst' -- 'operations/install-deploy-manage/expand-minio-deployment.rst' -- 'operations/deploy-manage-tenants.rst' -- 'operations/cert-manager.rst' -- 'operations/cert-manager/cert-manager-operator.rst' -- 'operations/cert-manager/cert-manager-tenants.rst' -- 'operations/install-deploy-manage/deploy-minio-tenant-helm.rst' -- 'operations/install-deploy-manage/deploy-operator-kustomize.rst' -- 'reference/kubectl-minio-plugin*' -- 'reference/minio-server*' -- 'reference/minio-mc*' -- 'reference/deprecated/*' -- 'reference/s3-api-compatibility.rst' -- 'reference/operator-crd.rst' -- 'reference/operator-chart-values.rst' -- 'reference/operator-environment-variables.rst' -- 'reference/tenant-chart-values.rst' -- 'developers/*' -- 'integrations/*' ---- -tag: k8s -excludes: -- 'operations/install-deploy-manage/deploy-minio-single-node-single-drive.rst' -- 'operations/install-deploy-manage/deploy-minio-single-node-multi-drive.rst' -- 'operations/install-deploy-manage/deploy-minio-multi-node-multi-drive.rst' -- 'operations/install-deploy-manage/upgrade-minio-deployment.rst' -- 'operations/install-deploy-manage/expand-minio-deployment.rst' -- 'operations/install-deploy-manage/decommission-server-pool.rst' -- 'operations/install-deploy-manage/migrate-fs-gateway.rst' -- 'operations/manage-existing-deployments.rst' -- 'reference/minio-server*' -- 'reference/minio-mc*' -- 'reference/deprecated/*' -- 'reference/s3-api-compatibility.rst' -- 'developers/dotnet/*' -- 'developers/go/*' -- 'developers/haskell/*' -- 'developers/java/*' -- 'developers/javascript/*' -- 'developers/python/*' -- 'developers/security-token-service/*' -- 'developers/minio-drivers.rst' -- 'developers/security-token-service.rst' -- 'developers/transforms-with-object-lambda.rst' -- 'integrations/*' ---- -tag: openshift -excludes: -- 
'operations/install-deploy-manage/deploy-minio-single-node-single-drive.rst' -- 'operations/install-deploy-manage/deploy-minio-single-node-multi-drive.rst' -- 'operations/install-deploy-manage/deploy-minio-multi-node-multi-drive.rst' -- 'operations/install-deploy-manage/deploy-operator-helm.rst' -- 'operations/install-deploy-manage/upgrade-minio-deployment.rst' -- 'operations/install-deploy-manage/expand-minio-deployment.rst' -- 'operations/install-deploy-manage/decommission-server-pool.rst' -- 'operations/install-deploy-manage/migrate-fs-gateway.rst' -- 'operations/manage-existing-deployments.rst' -- 'reference/minio-server*' -- 'reference/minio-mc*' -- 'reference/deprecated/*' -- 'reference/s3-api-compatibility.rst' -- 'developers/*' -- 'integrations/*' ---- -tag: eks -excludes: -- 'operations/install-deploy-manage/deploy-minio-single-node-single-drive.rst' -- 'operations/install-deploy-manage/deploy-minio-single-node-multi-drive.rst' -- 'operations/install-deploy-manage/deploy-minio-multi-node-multi-drive.rst' -- 'operations/install-deploy-manage/deploy-operator-helm.rst' -- 'operations/install-deploy-manage/upgrade-minio-deployment.rst' -- 'operations/install-deploy-manage/expand-minio-deployment.rst' -- 'operations/install-deploy-manage/decommission-server-pool.rst' -- 'operations/install-deploy-manage/migrate-fs-gateway.rst' -- 'operations/manage-existing-deployments.rst' -- 'reference/minio-server*' -- 'reference/minio-mc*' -- 'reference/deprecated/*' -- 'reference/s3-api-compatibility.rst' -- 'developers/*' -- 'integrations/*' ---- -tag: gke -excludes: -- 'operations/install-deploy-manage/deploy-minio-single-node-single-drive.rst' -- 'operations/install-deploy-manage/deploy-minio-single-node-multi-drive.rst' -- 'operations/install-deploy-manage/deploy-minio-multi-node-multi-drive.rst' -- 'operations/install-deploy-manage/deploy-operator-helm.rst' -- 'operations/install-deploy-manage/upgrade-minio-deployment.rst' -- 
'operations/install-deploy-manage/expand-minio-deployment.rst'
-- 'operations/install-deploy-manage/decommission-server-pool.rst'
-- 'operations/install-deploy-manage/migrate-fs-gateway.rst'
-- 'operations/manage-existing-deployments.rst'
-- 'reference/minio-server*'
-- 'reference/minio-mc*'
-- 'reference/deprecated/*'
-- 'reference/s3-api-compatibility.rst'
-- 'developers/*'
-- 'integrations/*'
----
-tag: aks
-excludes:
-- 'operations/install-deploy-manage/deploy-minio-single-node-single-drive.rst'
-- 'operations/install-deploy-manage/deploy-minio-single-node-multi-drive.rst'
-- 'operations/install-deploy-manage/deploy-minio-multi-node-multi-drive.rst'
-- 'operations/install-deploy-manage/deploy-operator-helm.rst'
-- 'operations/install-deploy-manage/upgrade-minio-deployment.rst'
-- 'operations/install-deploy-manage/expand-minio-deployment.rst'
-- 'operations/install-deploy-manage/decommission-server-pool.rst'
-- 'operations/install-deploy-manage/migrate-fs-gateway.rst'
-- 'operations/manage-existing-deployments.rst'
-- 'reference/minio-server*'
-- 'reference/minio-mc*'
-- 'reference/deprecated/*'
-- 'reference/s3-api-compatibility.rst'
-- 'developers/*'
-- 'integrations/*'
\ No newline at end of file
diff --git a/stage.sh b/stage.sh
new file mode 100755
index 000000000..b0628cf8f
--- /dev/null
+++ b/stage.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+source staging.env
+BRANCH=$(git rev-parse --symbolic-full-name --abbrev-ref HEAD)
+
+function main() {
+
+ echo "Staging to $STAGEHOST:"
+ rsync --mkpath -rv --delete -e "ssh -i $SSHKEY -p $SSHPORT" build/$BRANCH/mindocs/* $STAGEUSER@$STAGEHOST:/var/www/html/$STAGEPROJECT/$BRANCH
+ echo "Staging complete"
+ echo "Staged to http://$STAGEHOST:$STAGEPORT/$STAGEPROJECT/$BRANCH/html/index.html"
+
+}
+
+ main "$@"
diff --git a/staging.env b/staging.env
new file mode 100644
index 000000000..592eb4a2d
--- /dev/null
+++ b/staging.env
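Review bot: The `rsync --delete` line in `main` expands `$BRANCH`, `$STAGEPROJECT`, `$STAGEUSER` and `$STAGEHOST` unquoted while the script only sets `set -e`, so an empty or unset value coming from `staging.env` silently changes the destination path and `--delete` then prunes whatever it finds there. I would use `set -euo pipefail`, quote the expansions, and fail early with `: "${STAGEPROJECT:?}" "${STAGEHOST:?}" "${SSHKEY:?}"` before the transfer. A branch name containing `/` becomes a nested path on both the local `build/` side and the remote side, which deserves a comment or a sanitising step. The printed URL is plain `http://`, so the staged preview is served unencrypted; a one-line comment stating that this is intended for public docs only would help.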
@@ -0,0 +1,6 @@
+SSHPORT=22
+STAGEUSER=docs
+STAGEHOST=35.224.151.164
+STAGEPORT=80
+STAGEPROJECT=community-docs #use your repo name here
+SSHKEY=~/.ssh/minio_docs_ed25519
diff --git a/sync-minio-version.sh b/sync-minio-version.sh
new file mode 100755
index 000000000..fbbdb150e
--- /dev/null
+++ b/sync-minio-version.sh
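Review bot: This file commits a concrete staging host address, login user and private-key path to the repository, and `stage.sh` loads it with `source`, so every line is executed as shell rather than parsed as data. I would commit a `staging.env.example` with placeholder values, add `staging.env` to `.gitignore`, and have `stage.sh` refuse to run when the real file is missing. `STAGEPORT=80` also means the preview URL is plain HTTP. The trailing `#use your repo name here` on the `STAGEPROJECT` line is only a comment because bash sources the file; moving it to its own line above the assignment keeps the value clean if another tool ever reads the file.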
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+set -e
+
+function main() {
+
+ if test -f /tmp/downloads-minio.json; then
+ rm /tmp/downloads-minio.json
+ fi
+
+ curl --retry 10 -Ls https://min.io/assets/downloads-minio.json -o /tmp/downloads-minio.json
+
+ if test -f /tmp/downloads-minio.json; then
+ echo "Populated downloads-minio.json from latest, proceeding"
+ fi
+
+# AMD64 arch
+
+ MINIOAMD64=$(cat /tmp/downloads-minio.json | jq '.Linux."MinIO Server".amd64.Binary.download')
+ DEB=$(cat /tmp/downloads-minio.json | jq '.Linux."MinIO Server".amd64.DEB.download')
+ RPM=$(cat /tmp/downloads-minio.json | jq '.Linux."MinIO Server".amd64.RPM.download')
+
+# ARM64 arch
+
+ MINIOARM64=$(cat /tmp/downloads-minio.json | jq '.Linux."MinIO Server".arm64.Binary.download')
+ DEBARM64=$(cat /tmp/downloads-minio.json | jq '.Linux."MinIO Server".arm64.DEB.download')
+ RPMARM64=$(cat /tmp/downloads-minio.json | jq '.Linux."MinIO Server".arm64.RPM.download')
+
+# ppc64le arch
+
+ MINIOPPC64LE=$(cat /tmp/downloads-minio.json | jq '.Linux."MinIO Server".ppc64le.Binary.download')
+ DEBPPC64LE=$(cat /tmp/downloads-minio.json | jq '.Linux."MinIO Server".ppc64le.DEB.download')
+ RPMPPC64LE=$(cat /tmp/downloads-minio.json | jq '.Linux."MinIO Server".ppc64le.RPM.download')
+
+
+ MINIO=$(curl --retry 10 -Ls -o /dev/null -w "%{url_effective}" https://github.com/minio/minio/releases/latest | sed "s/https:\/\/github.com\/minio\/minio\/releases\/tag\///")
+
+ kname=$(uname -s)
+
+ case "${kname}" in \
+ "Darwin") \
+ sed -i "" "s|MINIOLATEST|${MINIO}|g" source/conf.py; \
+ sed -i "" "s|DEBURL|${DEB}|g" source/conf.py; \
+ sed -i "" "s|RPMURL|${RPM}|g" source/conf.py; \
+ sed -i "" "s|MINIOURL|${MINIOAMD64}|g" source/conf.py; \
+ sed -i "" "s|DEBARM64URL|${DEBARM64}|g" source/conf.py; \
+ sed -i "" "s|RPMARM64URL|${RPMARM64}|g" source/conf.py; \
+ sed -i "" "s|MINIOARM64URL|${MINIOARM64}|g" source/conf.py; \
+ sed -i "" "s|DEBPPC64LEURL|${DEBPPC64LE}|g" source/conf.py; \
+ sed -i "" "s|RPMPPC64LEURL|${RPMPPC64LE}|g" source/conf.py; \
+ sed -i "" "s|MINIOPPC64LEURL|${MINIOPPC64LE}|g" source/conf.py; \
+ ;; \
+ *) \
+ sed -i "s|MINIOLATEST|${MINIO}|g" source/conf.py; \
+ sed -i "s|DEBURL|${DEB}|g" source/conf.py; \
+ sed -i "s|RPMURL|${RPM}|g" source/conf.py; \
+ sed -i "s|MINIOURL|${MINIOAMD64}|g" source/conf.py; \
+ sed -i "s|DEBARM64URL|${DEBARM64}|g" source/conf.py; \
+ sed -i "s|RPMARM64URL|${RPMARM64}|g" source/conf.py; \
+ sed -i "s|MINIOARM64URL|${MINIOARM64}|g" source/conf.py; \
+ sed -i "s|DEBPPC64LEURL|${DEBPPC64LE}|g" source/conf.py; \
+ sed -i "s|RPMPPC64LEURL|${RPMPPC64LE}|g" source/conf.py; \
+ sed -i "s|MINIOPPC64LEURL|${MINIOPPC64LE}|g" source/conf.py; \
+ ;; \
+ esac
+
+}
+
+main
From 7be895e89d0e494a240a9fed07bbfff03cf136a5 Mon Sep 17 00:00:00 2001
From: Ravind Kumar
Date: Fri, 8 Nov 2024 22:20:33 -0500
Subject: [PATCH 2/2] more work
---
source/operations/network-encryption.rst | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/source/operations/network-encryption.rst b/source/operations/network-encryption.rst
index 718d21b7f..a8acd1ebd 100644
--- a/source/operations/network-encryption.rst
+++ b/source/operations/network-encryption.rst
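Review bot: The release index is written to the fixed path `/tmp/downloads-minio.json` and `curl` runs without `--fail`, so on a shared machine another user can pre-create or symlink that path, and an HTTP error body is saved and parsed as if it were the index. The second `test -f` only prints a message and never aborts the run. I would use `tmp=$(mktemp)` with `trap 'rm -f "$tmp"' EXIT`, call `curl --fail --retry 10 -Ls https://min.io/assets/downloads-minio.json -o "$tmp"`, and point the `jq` calls at `"$tmp"`. The values taken from the remote JSON and from the GitHub redirect are pasted straight into the `sed` replacement text, where a `|` or `&` would change the substitution, so checking them against an expected URL or tag pattern before editing `source/conf.py` is worth adding.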
@@ -67,7 +67,9 @@ cert-manager Certificate Management For instructions for deploying the MinIO Operator and tenants using cert-manager, refer to the :ref:`cert-manager page `. Manual Certificate Management - The Tenant CRD spec ``spec.externalCertsSecret`` supports specifying either ``opaque`` or ``kubernetes.io/tls`` type :kube-docs:`secrets ` containing the ``private.key`` and ``public.crt`` to use for TLS. + The Tenant CRD spec ``spec.externalCertsSecret`` supp .. include:: /includes/common/common-configure-keycloak-identity-management.rst + :start-after: start-configure-keycloak-minio-cli + orts specifying either ``opaque`` or ``kubernetes.io/tls`` type :kube-docs:`secrets ` containing the ``private.key`` and ``public.crt`` to use for TLS. You can specify multiple certificates to support Tenants which have multiple assigned hostnames.