diff --git a/cmd/config-current.go b/cmd/config-current.go
index dac6f1d89..12a58ad57 100644
--- a/cmd/config-current.go
+++ b/cmd/config-current.go
@@ -94,7 +94,7 @@ func initHelp() {
 },
 config.HelpKV{
 Key: config.KmsVaultSubSys,
- Description: "enable external HashiCorp Vault for KMS",
+ Description: "enable external HashiCorp Vault key management service",
 },
 config.HelpKV{
 Key: config.LoggerWebhookSubSys,
@@ -138,22 +138,22 @@ func initHelp() {
 },
 config.HelpKV{
 Key: config.NotifyMySQLSubSys,
- Description: "publish bucket notifications to MySQL endpoints",
+ Description: "publish bucket notifications to MySQL databases",
 MultipleTargets: true,
 },
 config.HelpKV{
 Key: config.NotifyPostgresSubSys,
- Description: "publish bucket notifications to Postgres endpoints",
+ Description: "publish bucket notifications to Postgres databases",
 MultipleTargets: true,
 },
 config.HelpKV{
- Key: config.NotifyRedisSubSys,
- Description: "publish bucket notifications to Redis endpoints",
+ Key: config.NotifyESSubSys,
+ Description: "publish bucket notifications to Elasticsearch endpoints",
 MultipleTargets: true,
 },
 config.HelpKV{
- Key: config.NotifyESSubSys,
- Description: "publish bucket notifications to Elasticsearch endpoints",
+ Key: config.NotifyRedisSubSys,
+ Description: "publish bucket notifications to Redis datastores",
 MultipleTargets: true,
 },
 }
diff --git a/cmd/config/config.go b/cmd/config/config.go
index 5fb87d28a..165855714 100644
--- a/cmd/config/config.go
+++ b/cmd/config/config.go
@@ -491,8 +491,14 @@ func (c Config) GetKVS(s string, defaultKVS map[string]KVS) (Targets, error) {
 if !strings.HasPrefix(hkv.Key, subSysPrefix) {
 continue
 }
+ if c[hkv.Key][Default].Empty() {
+ targets = append(targets, Target{
+ SubSystem: hkv.Key,
+ KVS: defaultKVS[hkv.Key],
+ })
+ }
 for k, kvs := range c[hkv.Key] {
- for _, dkv := range defaultKVS[subSysPrefix] {
+ for _, dkv := range defaultKVS[hkv.Key] {
 _, ok := kvs.Lookup(dkv.Key)
 if !ok {
 kvs.Set(dkv.Key, dkv.Value)
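Review bot: The added `if c[hkv.Key][Default].Empty()` block in GetKVS can produce two targets for one sub-system: when `c[hkv.Key]` already holds a `Default` entry whose KVS is empty, the default target is appended here and the `for k, kvs := range c[hkv.Key]` loop still visits that same `Default` key, so whatever the loop appends (its tail, like the rest of GetKVS, is outside the hunk) may duplicate it. Testing presence instead of emptiness, `if _, ok := c[hkv.Key][Default]; !ok {`, or skipping `k == Default` in the loop once the pre-append fired, keeps the result unique; please confirm which behaviour the callers expect. Separately, `KVS: defaultKVS[hkv.Key]` hands the caller the defaults' own backing storage if KVS is a slice type, so a later `Set` on the returned target could silently modify `defaultKVS`; copying the default entries into the new Target avoids that aliasing.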
diff --git a/cmd/config/etcd/help.go b/cmd/config/etcd/help.go index 9584411f3..8009709d1 100644 --- a/cmd/config/etcd/help.go +++ b/cmd/config/etcd/help.go @@ -28,13 +28,13 @@ var ( }, config.HelpKV{ Key: PathPrefix, - Description: `default etcd path prefix to populate all IAM assets eg: "customer/"`, + Description: `namespace prefix to isolate tenants e.g. "customer1/"`, Optional: true, Type: "path", }, config.HelpKV{ Key: CoreDNSPath, - Description: `default etcd path location to populate bucket DNS srv records eg: "/skydns"`, + Description: `shared bucket DNS records, default is "/skydns"`, Optional: true, Type: "path", }, diff --git a/cmd/config/identity/ldap/help.go b/cmd/config/identity/ldap/help.go index e0882c01e..1129c9eb6 100644 --- a/cmd/config/identity/ldap/help.go +++ b/cmd/config/identity/ldap/help.go 
@@ -28,36 +28,36 @@ var (
 },
 config.HelpKV{
 Key: UsernameFormat,
- Description: `AD/LDAP format of full username DN e.g. "uid={username},cn=accounts,dc=myldapserver,dc=com"`,
+ Description: `username bind DNs e.g. "uid=%s,cn=accounts,dc=myldapserver,dc=com"`,
 Type: "string",
 },
 config.HelpKV{
 Key: GroupSearchFilter,
- Description: `search filter to find groups of a user (optional) e.g. "(&(objectclass=groupOfNames)(member={usernamedn}))"`,
+ Description: `search filter for groups e.g. "(&(objectclass=groupOfNames)(memberUid=%s))"`,
 Optional: true,
 Type: "string",
 },
 config.HelpKV{
 Key: GroupNameAttribute,
- Description: `attribute of search results to use as group name (optional) e.g. "cn"`,
+ Description: `search attribute for group name e.g. "cn"`,
 Optional: true,
 Type: "string",
 },
 config.HelpKV{
 Key: GroupSearchBaseDN,
- Description: `base DN in AD/LDAP hierarchy to use in search requests (optional) e.g. "dc=myldapserver,dc=com"`,
+ Description: `group search base DNs e.g. "dc=myldapserver,dc=com"`,
 Optional: true,
 Type: "string",
 },
 config.HelpKV{
 Key: STSExpiry,
- Description: `AD/LDAP STS credentials validity duration e.g. "1h"`,
+ Description: `temporary credentials validity duration in s,m,h,d. Default is "1h"`,
 Optional: true,
 Type: "duration",
 },
 config.HelpKV{
 Key: TLSSkipVerify,
- Description: "enable this to disable client verification of server certificates",
+ Description: `trust server TLS without verification, defaults to "on" (verify)`,
 Optional: true,
 Type: "on|off",
 },
diff --git a/cmd/config/identity/openid/help.go b/cmd/config/identity/openid/help.go
index 6f687b4df..280135823 100644
--- a/cmd/config/identity/openid/help.go
+++ b/cmd/config/identity/openid/help.go
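Review bot: The new TLSSkipVerify text `trust server TLS without verification, defaults to "on" (verify)` reads as though `on` means "verify", but for a skip-verify key `on` is what disables verification — the parse.go hunks later in this diff set `TLSSkipVerify: ... == config.EnableOn` and default the NATS key to `config.EnableOff` — so "defaults to on" contradicts the shipped default and could leave an operator believing certificate checks are enabled when they turned them off. Suggest `set to "on" to skip verification of the server certificate (insecure), defaults to "off"`, and apply the same text to the identical strings added for Kafka, NATS and NSQ in cmd/config/notify/help.go. The LDAP default itself is not part of this diff, so confirm it is "off" before settling the wording. The rewritten UsernameFormat and GroupSearchFilter examples also switch the placeholder from `{username}`/`{usernamedn}` to `%s`; if the LDAP code still substitutes the brace form, the help now documents a format that will not work, which is worth checking against the parser.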
@@ -28,13 +28,13 @@ var ( }, config.HelpKV{ Key: ClientID, - Description: `client identifier of the authenticating party at the identity provider`, + Description: `unique public identifier for apps e.g. "292085223830.apps.googleusercontent.com"`, Type: "string", Optional: true, }, config.HelpKV{ Key: ClaimPrefix, - Description: `openid JWT claim namespace prefix e.g. "customer"`, + Description: `JWT claim namespace prefix e.g. "customer1"`, Optional: true, Type: "string", }, diff --git a/cmd/config/notify/help.go b/cmd/config/notify/help.go index 25db5bc95..92a088943 100644 --- a/cmd/config/notify/help.go +++ b/cmd/config/notify/help.go @@ -21,8 +21,46 @@ import ( "github.com/minio/minio/pkg/event/target" ) +const ( + formatComment = `'namespace' reflects current bucket/object list and 'access' reflects a journal of object operations, defaults to 'namespace'` + queueDirComment = `staging dir for undelivered messages e.g. '/home/events'` + queueLimitComment = `maximum limit for undelivered messages, defaults to '10000'` +) + // Help template inputs for all notification targets var ( + HelpWebhook = config.HelpKVS{ + config.HelpKV{ + Key: target.WebhookEndpoint, + Description: "webhook server endpoint e.g. http://localhost:8080/minio/events", + Type: "url", + }, + config.HelpKV{ + Key: target.WebhookAuthToken, + Description: "opaque string or JWT authorization token", + Optional: true, + Type: "string", + }, + config.HelpKV{ + Key: target.WebhookQueueDir, + Description: queueDirComment, + Optional: true, + Type: "path", + }, + config.HelpKV{ + Key: target.WebhookQueueLimit, + Description: queueLimitComment, + Optional: true, + Type: "number", + }, + config.HelpKV{ + Key: config.Comment, + Description: config.DefaultComment, + Optional: true, + Type: "sentence", + }, + } + HelpAMQP = config.HelpKVS{ config.HelpKV{ Key: target.AmqpURL, 
@@ -37,7 +75,7 @@ var ( }, config.HelpKV{ Key: target.AmqpExchangeType, - Description: "kind of AMQP exchange type", + Description: "AMQP exchange type", Optional: true, Type: "string", }, 
@@ -49,49 +87,49 @@ var ( }, config.HelpKV{ Key: target.AmqpMandatory, - Description: "set this to 'on' for server to return an unroutable message with a Return method. If this flag is 'off', the server silently drops the message", + Description: "quietly ignore undelivered messages when set to 'off', default is 'on'", Optional: true, Type: "on|off", }, config.HelpKV{ Key: target.AmqpDurable, - Description: "set this to 'on' for queue to survive broker restarts", + Description: "persist queue across broker restarts when set to 'on', default is 'off'", Optional: true, Type: "on|off", }, config.HelpKV{ Key: target.AmqpNoWait, - Description: "when no_wait is 'on', declare without waiting for a confirmation from the server", + Description: "non-blocking message delivery when set to 'on', default is 'off'", Optional: true, Type: "on|off", }, config.HelpKV{ Key: target.AmqpInternal, - Description: "set this to 'on' for exchange to be not used directly by publishers, but only when bound to other exchanges", + Description: "set to 'on' for exchange to be not used directly by publishers, but only when bound to other exchanges", Optional: true, Type: "on|off", }, config.HelpKV{ Key: target.AmqpAutoDeleted, - Description: "set this to 'on' for queue that has had at least one consumer is deleted when last consumer unsubscribes", + Description: "auto delete queue when set to 'on', when there are no consumers", Optional: true, Type: "on|off", }, config.HelpKV{ Key: target.AmqpDeliveryMode, - Description: "delivery queue implementation use non-persistent (1) or persistent (2)", + Description: "set to '1' for non-persistent or '2' for persistent queue", Optional: true, Type: "number", }, config.HelpKV{ Key: target.AmqpQueueDir, - Description: "local directory where events are stored e.g. 
'/home/events'", + Description: queueDirComment, Optional: true, Type: "path", }, config.HelpKV{ Key: target.AmqpQueueLimit, - Description: "enable persistent event store queue limit, defaults to '10000'", + Description: queueLimitComment, Optional: true, Type: "number", }, @@ -135,45 +173,45 @@ var ( }, config.HelpKV{ Key: target.KafkaSASL, - Description: "set this to 'on' to enable SASL authentication", + Description: "set to 'on' to enable SASL authentication", Optional: true, Type: "on|off", }, config.HelpKV{ Key: target.KafkaTLS, - Description: "set this to 'on' to enable TLS", + Description: "set to 'on' to enable TLS", Optional: true, Type: "on|off", }, config.HelpKV{ Key: target.KafkaTLSSkipVerify, - Description: "set this to 'on' to disable client verification of server certificate chain", + Description: `trust server TLS without verification, defaults to "on" (verify)`, Optional: true, Type: "on|off", }, config.HelpKV{ - Key: target.KafkaQueueDir, - Description: "local directory where events are stored e.g. '/home/events'", + Key: target.KafkaClientTLSCert, + Description: "path to client certificate for mTLS auth", Optional: true, Type: "path", }, config.HelpKV{ - Key: target.KafkaQueueLimit, - Description: "enable persistent event store queue limit, defaults to '10000'", + Key: target.KafkaClientTLSKey, + Description: "path to client key for mTLS auth", Optional: true, - Type: "number", + Type: "path", }, config.HelpKV{ - Key: target.KafkaClientTLSCert, - Description: "Set path to client certificate", + Key: target.KafkaQueueDir, + Description: queueDirComment, Optional: true, Type: "path", }, config.HelpKV{ - Key: target.KafkaClientTLSKey, - Description: "Set path to client key", + Key: target.KafkaQueueLimit, + Description: queueLimitComment, Optional: true, - Type: "path", + Type: "number", }, config.HelpKV{ Key: config.Comment, 
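Review bot: The rewritten AmqpNoWait description `non-blocking message delivery when set to 'on', default is 'off'` documents something different from what the removed text said: per the old wording, `no_wait` governs declaring the exchange/queue without waiting for the broker's confirmation, not message delivery. Unless the AMQP target changed alongside the help (it is not in this diff), keep the original semantics, e.g. `declare exchange/queue without waiting for broker confirmation when set to 'on', default is 'off'`. The "default is ..." claims added across this hunk (mandatory 'on', durable 'off', no_wait 'off', auto_deleted) are not verifiable from the hunk either; please check each against the AMQP default KVS so the help does not drift from the parsed defaults.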
@@ -191,48 +229,48 @@ var ( }, config.HelpKV{ Key: target.MqttTopic, - Description: "name of the MQTT topic to publish on, e.g. `minio`", + Description: "name of the MQTT topic to publish", Type: "string", }, config.HelpKV{ Key: target.MqttUsername, - Description: "username to connect to the MQTT server", + Description: "MQTT username", Optional: true, Type: "string", }, config.HelpKV{ Key: target.MqttPassword, - Description: "password to connect to the MQTT server", + Description: "MQTT password", Optional: true, Type: "string", }, config.HelpKV{ Key: target.MqttQoS, - Description: "set the Quality of Service Level for MQTT endpoint", + Description: "set the quality of service priority, defaults to '0'", Optional: true, Type: "number", }, config.HelpKV{ Key: target.MqttKeepAliveInterval, - Description: "keep alive interval for MQTT connections", + Description: "keep-alive interval for MQTT connections in s,m,h,d", Optional: true, Type: "duration", }, config.HelpKV{ Key: target.MqttReconnectInterval, - Description: "reconnect interval for MQTT connections", + Description: "reconnect interval for MQTT connections in s,m,h,d", Optional: true, Type: "duration", }, config.HelpKV{ Key: target.MqttQueueDir, - Description: "local directory where events are stored e.g. '/home/events'", + Description: queueDirComment, Optional: true, Type: "path", }, config.HelpKV{ Key: target.MqttQueueLimit, - Description: "enable persistent event store queue limit, defaults to '10000'", + Description: queueLimitComment, Optional: true, Type: "number", }, 
@@ -244,171 +282,61 @@ var ( }, } - HelpES = config.HelpKVS{ - config.HelpKV{ - Key: target.ElasticURL, - Description: "Elasticsearch server's address, with optional authentication info", - Type: "url", - }, - config.HelpKV{ - Key: target.ElasticFormat, - Description: "set this to `namespace` or `access`, defaults to 'namespace'", - Type: "namespace*|access", - }, - config.HelpKV{ - Key: target.ElasticIndex, - Description: "the name of an Elasticsearch index in which MinIO will store document", - Type: "string", - }, - config.HelpKV{ - Key: target.ElasticQueueDir, - Description: "local directory where events are stored e.g. '/home/events'", - Optional: true, - Type: "path", - }, - config.HelpKV{ - Key: target.ElasticQueueLimit, - Description: "enable persistent event store queue limit, defaults to '10000'", - Optional: true, - Type: "number", - }, - config.HelpKV{ - Key: config.Comment, - Description: config.DefaultComment, - Optional: true, - Type: "sentence", - }, - } - - HelpWebhook = config.HelpKVS{ - config.HelpKV{ - Key: target.WebhookEndpoint, - Description: "webhook server endpoint e.g. http://localhost:8080/minio/events", - Type: "url", - }, - config.HelpKV{ - Key: target.WebhookAuthToken, - Description: "authorization token used for webhook server endpoint", - Optional: true, - Type: "string", - }, - config.HelpKV{ - Key: target.WebhookQueueDir, - Description: "local directory where events are stored e.g. '/home/events'", - Optional: true, - Type: "path", - }, - config.HelpKV{ - Key: target.WebhookQueueLimit, - Description: "enable persistent event store queue limit, defaults to '10000'", - Optional: true, - Type: "number", - }, - config.HelpKV{ - Key: config.Comment, - Description: config.DefaultComment, - Optional: true, - Type: "sentence", - }, - } - - HelpRedis = config.HelpKVS{ - config.HelpKV{ - Key: target.RedisAddress, - Description: "Redis server's address. 
For example: `localhost:6379`", - Type: "address", - }, - config.HelpKV{ - Key: target.RedisFormat, - Description: "specifies how data is populated, a hash is used in case of `namespace` format and a list in case of `access` format, defaults to 'namespace'", - Type: "namespace*|access", - }, - config.HelpKV{ - Key: target.RedisKey, - Description: "name of the Redis key under which events are stored", - Type: "string", - }, + HelpPostgres = config.HelpKVS{ config.HelpKV{ - Key: target.RedisPassword, - Description: "Redis server's password", - Optional: true, + Key: target.PostgresConnectionString, + Description: "Postgres server connection-string", Type: "string", }, config.HelpKV{ - Key: target.RedisQueueDir, - Description: "local directory where events are stored e.g. '/home/events'", - Optional: true, - Type: "path", - }, - config.HelpKV{ - Key: target.RedisQueueLimit, - Description: "enable persistent event store queue limit, defaults to '10000'", - Optional: true, - Type: "number", - }, - config.HelpKV{ - Key: config.Comment, - Description: config.DefaultComment, - Optional: true, - Type: "sentence", - }, - } - - HelpPostgres = config.HelpKVS{ - config.HelpKV{ - Key: target.PostgresConnectionString, - Description: "connection string parameters for the PostgreSQL server", + Key: target.PostgresTable, + Description: "DB table name to store/update events, table is auto-created", Type: "string", }, config.HelpKV{ Key: target.PostgresFormat, - Description: "specifies how data is populated, `namespace` format and `access` format, defaults to 'namespace'", + Description: formatComment, Type: "namespace*|access", }, - config.HelpKV{ - Key: target.PostgresTable, - Description: "table name in which events will be stored/updated. If the table does not exist, the MinIO server creates it at start-up", - Type: "string", - }, config.HelpKV{ Key: target.PostgresHost, - Description: "host name of the PostgreSQL server. Defaults to `localhost`. 
IPv6 host should be enclosed with `[` and `]`", + Description: "Postgres server hostname (used only if `connection_string` is empty)", Optional: true, Type: "hostname", }, config.HelpKV{ Key: target.PostgresPort, - Description: "port on which to connect to PostgreSQL server, defaults to `5432`", + Description: "Postgres server port, defaults to `5432` (used only if `connection_string` is empty)", Optional: true, Type: "port", }, config.HelpKV{ Key: target.PostgresUsername, - Description: "database username, defaults to user running the MinIO process if not specified", + Description: "database username (used only if `connection_string` is empty)", Optional: true, Type: "string", }, config.HelpKV{ Key: target.PostgresPassword, - Description: "database password", + Description: "database password (used only if `connection_string` is empty)", Optional: true, Type: "string", }, config.HelpKV{ Key: target.PostgresDatabase, - Description: "postgres Database name", + Description: "database name (used only if `connection_string` is empty)", Optional: true, Type: "string", }, config.HelpKV{ Key: target.PostgresQueueDir, - Description: "local directory where events are stored e.g. '/home/events'", + Description: queueDirComment, Optional: true, Type: "path", }, config.HelpKV{ Key: target.PostgresQueueLimit, - Description: "enable persistent event store queue limit, defaults to '10000'", + Description: queueLimitComment, Optional: true, Type: "number", }, 
@@ -423,58 +351,58 @@ var ( HelpMySQL = config.HelpKVS{ config.HelpKV{ Key: target.MySQLDSNString, - Description: "data source name connection string for the MySQL server", + Description: "MySQL data-source-name connection string", Type: "string", }, config.HelpKV{ Key: target.MySQLTable, - Description: "table name in which events will be stored/updated. If the table does not exist, the MinIO server creates it at start-up", + Description: "DB table name to store/update events, table is auto-created", Type: "string", }, config.HelpKV{ Key: target.MySQLFormat, - Description: "specifies how data is populated, `namespace` format and `access` format, defaults to 'namespace'", + Description: formatComment, Type: "namespace*|access", }, config.HelpKV{ Key: target.MySQLHost, - Description: "host name of the MySQL server (used only if `dsnString` is empty)", + Description: "MySQL server hostname (used only if `dsn_string` is empty)", Optional: true, Type: "hostname", }, config.HelpKV{ Key: target.MySQLPort, - Description: "port on which to connect to the MySQL server (used only if `dsn_string` is empty)", + Description: "MySQL server port (used only if `dsn_string` is empty)", Optional: true, Type: "port", }, config.HelpKV{ Key: target.MySQLUsername, - Description: "database user-name (used only if `dsnString` is empty)", + Description: "database username (used only if `dsn_string` is empty)", Optional: true, Type: "string", }, config.HelpKV{ Key: target.MySQLPassword, - Description: "database password (used only if `dsnString` is empty)", + Description: "database password (used only if `dsn_string` is empty)", Optional: true, Type: "string", }, config.HelpKV{ Key: target.MySQLDatabase, - Description: "database name (used only if `dsnString` is empty)", + Description: "database name (used only if `dsn_string` is empty)", Optional: true, Type: "string", }, config.HelpKV{ Key: target.MySQLQueueDir, - Description: "local directory where events are stored e.g. 
'/home/events'", + Description: queueDirComment, Optional: true, Type: "path", }, config.HelpKV{ Key: target.MySQLQueueLimit, - Description: "enable persistent event store queue limit, defaults to '10000'", + Description: queueLimitComment, Optional: true, Type: "number", }, 
@@ -494,92 +422,98 @@ var ( }, config.HelpKV{ Key: target.NATSSubject, - Description: "NATS subject that represents this subscription", + Description: "NATS subscription subject", Type: "string", }, config.HelpKV{ Key: target.NATSUsername, - Description: "username to be used when connecting to the server", + Description: "NATS username", Optional: true, Type: "string", }, config.HelpKV{ Key: target.NATSPassword, - Description: "password to be used when connecting to a server", + Description: "NATS password", Optional: true, Type: "string", }, config.HelpKV{ Key: target.NATSToken, - Description: "token to be used when connecting to a server", + Description: "NATS token", Optional: true, Type: "string", }, config.HelpKV{ - Key: target.NATSSecure, - Description: "set this to 'on', enables TLS secure connections that skip server verification (not recommended)", + Key: target.NATSTLS, + Description: "set to 'on' to enable TLS", + Optional: true, + Type: "on|off", + }, + config.HelpKV{ + Key: target.NATSTLSSkipVerify, + Description: `trust server TLS without verification, defaults to "on" (verify)`, Optional: true, Type: "on|off", }, config.HelpKV{ Key: target.NATSPingInterval, - Description: "client ping commands interval to the server, disabled by default", + Description: "client ping commands interval in s,m,h,d. 
Disabled by default", Optional: true, Type: "duration", }, config.HelpKV{ Key: target.NATSStreaming, - Description: "set this to 'on', to use streaming NATS server", + Description: "set to 'on', to use streaming NATS server", Optional: true, Type: "on|off", }, config.HelpKV{ Key: target.NATSStreamingAsync, - Description: "set this to 'on', to enable asynchronous publish, process the ACK or error state", + Description: "set to 'on', to enable asynchronous publish", Optional: true, Type: "on|off", }, config.HelpKV{ Key: target.NATSStreamingMaxPubAcksInFlight, - Description: "specifies how many messages can be published without getting ACKs back from NATS streaming server", + Description: "number of messages to publish without waiting for ACKs", Optional: true, Type: "number", }, config.HelpKV{ Key: target.NATSStreamingClusterID, - Description: "unique ID for the NATS streaming cluster", + Description: "unique ID for NATS streaming cluster", Optional: true, Type: "string", }, config.HelpKV{ - Key: target.NATSQueueLimit, - Description: "enable persistent event store queue limit, defaults to '10000'", + Key: target.NATSCertAuthority, + Description: "path to certificate chain of the target NATS server", Optional: true, - Type: "number", + Type: "string", }, config.HelpKV{ - Key: target.NATSQueueDir, - Description: "local directory where events are stored e.g. 
'/home/events'", + Key: target.NATSClientCert, + Description: "client cert for NATS mTLS auth", Optional: true, - Type: "path", + Type: "string", }, config.HelpKV{ - Key: target.NATSCertAuthority, - Description: "certificate chain of the target NATS server if self signed certs were used", + Key: target.NATSClientKey, + Description: "client cert key for NATS mTLS auth", Optional: true, Type: "string", }, config.HelpKV{ - Key: target.NATSClientCert, - Description: "TLS Cert used for NATS configured to require client certificates", + Key: target.NATSQueueDir, + Description: queueDirComment, Optional: true, - Type: "string", + Type: "path", }, config.HelpKV{ - Key: target.NATSClientKey, - Description: "TLS Key used for NATS configured to require client certificates", + Key: target.NATSQueueLimit, + Description: queueLimitComment, Optional: true, - Type: "string", + Type: "number", }, config.HelpKV{ Key: config.Comment, 
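Review bot: The reordered NATS entries describe NATSCertAuthority, NATSClientCert and NATSClientKey as file paths (`path to certificate chain of the target NATS server`, `client cert for NATS mTLS auth`) yet keep `Type: "string"`, while the Kafka hunk above uses `Type: "path"` for its equivalent client_tls_cert/client_tls_key keys. Using `Type: "path"` for the three NATS keys keeps the help output consistent across targets and lets any path-typed handling apply uniformly; `client cert key for NATS mTLS auth` would also read better as `path to client key for NATS mTLS auth`, matching the Kafka wording.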
@@ -597,30 +531,108 @@ var ( }, config.HelpKV{ Key: target.NSQTopic, - Description: "NSQ topic unique per target", + Description: "NSQ topic", Type: "string", }, config.HelpKV{ Key: target.NSQTLS, - Description: "set this to 'on', to enable TLS negotiation", + Description: "set to 'on' to enable TLS", Optional: true, Type: "on|off", }, config.HelpKV{ Key: target.NSQTLSSkipVerify, - Description: "set this to 'on', to disable client verification of server certificates", + Description: `trust server TLS without verification, defaults to "on" (verify)`, Optional: true, Type: "on|off", }, config.HelpKV{ Key: target.NSQQueueDir, - Description: "local directory where events are stored e.g. '/home/events'", + Description: queueDirComment, Optional: true, Type: "path", }, config.HelpKV{ Key: target.NSQQueueLimit, - Description: "enable persistent event store queue limit, defaults to '10000'", + Description: queueLimitComment, + Optional: true, + Type: "number", + }, + config.HelpKV{ + Key: config.Comment, + Description: config.DefaultComment, + Optional: true, + Type: "sentence", + }, + } + + HelpES = config.HelpKVS{ + config.HelpKV{ + Key: target.ElasticURL, + Description: "Elasticsearch server's address, with optional authentication info", + Type: "url", + }, + config.HelpKV{ + Key: target.ElasticIndex, + Description: `Elasticsearch index to store/update events, index is auto-created`, + Type: "string", + }, + config.HelpKV{ + Key: target.ElasticFormat, + Description: formatComment, + Type: "namespace*|access", + }, + config.HelpKV{ + Key: target.ElasticQueueDir, + Description: queueDirComment, + Optional: true, + Type: "path", + }, + config.HelpKV{ + Key: target.ElasticQueueLimit, + Description: queueLimitComment, + Optional: true, + Type: "number", + }, + config.HelpKV{ + Key: config.Comment, + Description: config.DefaultComment, + Optional: true, + Type: "sentence", + }, + } + + HelpRedis = config.HelpKVS{ + config.HelpKV{ + Key: target.RedisAddress, + Description: 
"Redis server's address. For example: `localhost:6379`", + Type: "address", + }, + config.HelpKV{ + Key: target.RedisKey, + Description: "Redis key to store/update events, key is auto-created", + Type: "string", + }, + config.HelpKV{ + Key: target.RedisFormat, + Description: formatComment, + Type: "namespace*|access", + }, + config.HelpKV{ + Key: target.RedisPassword, + Description: "Redis server password", + Optional: true, + Type: "string", + }, + config.HelpKV{ + Key: target.RedisQueueDir, + Description: queueDirComment, + Optional: true, + Type: "path", + }, + config.HelpKV{ + Key: target.RedisQueueLimit, + Description: queueLimitComment, Optional: true, Type: "number", }, diff --git a/cmd/config/notify/legacy.go b/cmd/config/notify/legacy.go index a99cb10c0..bd39a9fff 100644 --- a/cmd/config/notify/legacy.go +++ b/cmd/config/notify/legacy.go @@ -422,7 +422,11 @@ func SetNotifyNATS(s config.Config, natsName string, cfg target.NATSArgs) error Value: cfg.ClientKey, }, config.KV{ - Key: target.NATSSecure, + Key: target.NATSTLS, + Value: config.FormatBool(cfg.Secure), + }, + config.KV{ + Key: target.NATSTLSSkipVerify, Value: config.FormatBool(cfg.Secure), }, config.KV{ diff --git a/cmd/config/notify/parse.go b/cmd/config/notify/parse.go index cc5f181a0..906e76abf 100644 --- a/cmd/config/notify/parse.go +++ b/cmd/config/notify/parse.go @@ -85,7 +85,7 @@ func RegisterNotificationTargets(cfg config.Config, doneCh <-chan struct{}, root return nil, err } - natsTargets, err := GetNotifyNATS(cfg[config.NotifyNATSSubSys]) + natsTargets, err := GetNotifyNATS(cfg[config.NotifyNATSSubSys], rootCAs) if err != nil { return nil, err } @@ -840,6 +840,14 @@ var ( Key: target.NATSToken, Value: "", }, + config.KV{ + Key: target.NATSTLS, + Value: config.EnableOff, + }, + config.KV{ + Key: target.NATSTLSSkipVerify, + Value: config.EnableOff, + }, config.KV{ Key: target.NATSCertAuthority, Value: "", 
@@ -852,10 +860,6 @@ var ( Key: target.NATSClientKey, Value: "", }, - config.KV{ - Key: target.NATSSecure, - Value: config.EnableOff, - }, config.KV{ Key: target.NATSPingInterval, Value: "0", @@ -888,7 +892,7 @@ var ( ) // GetNotifyNATS - returns a map of registered notification 'nats' targets -func GetNotifyNATS(natsKVS map[string]config.KVS) (map[string]target.NATSArgs, error) { +func GetNotifyNATS(natsKVS map[string]config.KVS, rootCAs *x509.CertPool) (map[string]target.NATSArgs, error) { natsTargets := make(map[string]target.NATSArgs) for k, kv := range mergeTargets(natsKVS, target.EnvNATSEnable, DefaultNATSKVS) { enableEnv := target.EnvNATSEnable @@ -934,9 +938,14 @@ func GetNotifyNATS(natsKVS map[string]config.KVS) (map[string]target.NATSArgs, e return nil, err } - secureEnv := target.EnvNATSSecure + tlsEnv := target.EnvNATSTLS + if k != config.Default { + tlsEnv = tlsEnv + config.Default + k + } + + tlsSkipVerifyEnv := target.EnvNATSTLSSkipVerify if k != config.Default { - secureEnv = secureEnv + config.Default + k + tlsSkipVerifyEnv = tlsSkipVerifyEnv + config.Default + k } subjectEnv := target.EnvNATSSubject @@ -989,10 +998,12 @@ func GetNotifyNATS(natsKVS map[string]config.KVS) (map[string]target.NATSArgs, e ClientCert: env.Get(clientCertEnv, kv.Get(target.NATSClientCert)), ClientKey: env.Get(clientKeyEnv, kv.Get(target.NATSClientKey)), Token: env.Get(tokenEnv, kv.Get(target.NATSToken)), - Secure: env.Get(secureEnv, kv.Get(target.NATSSecure)) == config.EnableOn, + TLS: env.Get(tlsEnv, kv.Get(target.NATSTLS)) == config.EnableOn, + TLSSkipVerify: env.Get(tlsSkipVerifyEnv, kv.Get(target.NATSTLSSkipVerify)) == config.EnableOn, PingInterval: pingInterval, QueueDir: env.Get(queueDirEnv, kv.Get(target.NATSQueueDir)), QueueLimit: queueLimit, + RootCAs: rootCAs, } streamingEnableEnv := target.EnvNATSStreaming diff --git a/cmd/config/policy/opa/help.go b/cmd/config/policy/opa/help.go index 71a479bae..7090b09b6 100644 --- a/cmd/config/policy/opa/help.go 
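Review bot: GetNotifyNATS gains a `rootCAs *x509.CertPool` parameter in the `@@ -888` hunk but its doc comment is unchanged; extend it along the lines of `// GetNotifyNATS - returns a map of registered notification 'nats' targets. rootCAs, when non-nil, is used to verify the NATS server certificate when tls is on.` and check the nil case against pkg/event/target/nats.go, which is outside this diff. In the `@@ -934` hunk the new `tlsEnv` and `tlsSkipVerifyEnv` blocks repeat the `if k != config.Default { ... + config.Default + k }` pattern every other env name in this function already uses; a small closure such as `envFor := func(base string) string { if k == config.Default { return base }; return base + config.Default + k }` declared once per loop iteration would collapse the duplication. In the `@@ -989` hunk `TLSSkipVerify` is populated even when `TLS` resolves to off, and whether the target ignores it in that case is decided outside this diff; since an `on` value turns off server authentication, a short comment on the precedence plus a one-time warning log when it resolves to on would keep the weakened setup visible to operators. The function body spans several hunks and continues beyond them.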
+++ b/cmd/config/policy/opa/help.go @@ -23,12 +23,12 @@ var ( Help = config.HelpKVS{ config.HelpKV{ Key: URL, - Description: `OPA HTTP API endpoint e.g. "http://localhost:8181/v1/data/httpapi/authz/allow"`, + Description: `OPA HTTP(s) endpoint e.g. "http://localhost:8181/v1/data/httpapi/authz/allow"`, Type: "url", }, config.HelpKV{ Key: AuthToken, - Description: "authorization token for OPA HTTP API endpoint", + Description: "authorization token for OPA endpoint", Optional: true, Type: "string", }, diff --git a/cmd/crypto/help.go b/cmd/crypto/help.go index 371437e2b..cec771241 100644 --- a/cmd/crypto/help.go +++ b/cmd/crypto/help.go 
@@ -23,44 +23,44 @@ var ( Help = config.HelpKVS{ config.HelpKV{ Key: KMSVaultEndpoint, - Description: `HashiCorp Vault API endpoint e.g. "http://vault-endpoint-ip:8200"`, + Description: `API endpoint e.g. "http://vault-endpoint-ip:8200"`, Type: "url", }, config.HelpKV{ Key: KMSVaultKeyName, - Description: `transit key name used in vault policy, must be unique name e.g. "my-minio-key"`, + Description: `unique transit key name e.g. "my-minio-key"`, Type: "string", }, config.HelpKV{ Key: KMSVaultAuthType, - Description: `authentication type to Vault API endpoint e.g. "approle"`, + Description: `supported auth type(s) ["approle"], defaults to "approle"`, Type: "string", }, config.HelpKV{ Key: KMSVaultAppRoleID, - Description: `unique role ID created for AppRole`, + Description: `unique role ID for approle`, Type: "string", }, config.HelpKV{ Key: KMSVaultAppRoleSecret, - Description: `unique secret ID created for AppRole`, + Description: `unique secret ID for approle`, Type: "string", }, config.HelpKV{ Key: KMSVaultNamespace, - Description: `only needed if AppRole engine is scoped to Vault Namespace e.g. "ns1"`, + Description: `optional KMS namespace e.g. "customer1"`, Optional: true, Type: "string", }, config.HelpKV{ Key: KMSVaultKeyVersion, - Description: `KMS Vault key version`, + Description: `optional key version number`, Optional: true, Type: "number", }, config.HelpKV{ Key: KMSVaultCAPath, - Description: `path to PEM-encoded CA cert files to use mTLS authentication (optional) e.g. "/home/user/custom-certs"`, + Description: `optional path to PEM-encoded CA certs e.g. "/home/user/custom-certs"`, Optional: true, Type: "path", }, diff --git a/cmd/logger/help.go b/cmd/logger/help.go index bd6310c21..e625c4cca 100644 --- a/cmd/logger/help.go +++ b/cmd/logger/help.go 
@@ -23,12 +23,12 @@ var ( Help = config.HelpKVS{ config.HelpKV{ Key: Endpoint, - Description: `HTTP logger endpoint e.g. "http://localhost:8080/minio/logs/server"`, + Description: `HTTP(s) endpoint e.g. "http://localhost:8080/minio/logs/server"`, Type: "url", }, config.HelpKV{ Key: AuthToken, - Description: "authorization token for logger endpoint", + Description: `opaque string or JWT authorization token`, Optional: true, Type: "string", }, @@ -43,12 +43,12 @@ var ( HelpAudit = config.HelpKVS{ config.HelpKV{ Key: Endpoint, - Description: `HTTP Audit logger endpoint e.g. "http://localhost:8080/minio/logs/audit"`, + Description: `HTTP(s) endpoint e.g. "http://localhost:8080/minio/logs/audit"`, Type: "url", }, config.HelpKV{ Key: AuthToken, - Description: "authorization token for audit logger endpoint", + Description: `opaque string or JWT authorization token`, Optional: true, Type: "string", }, diff --git a/docs/bucket/notifications/README.md b/docs/bucket/notifications/README.md index 6f2aec1bc..1aa0498f4 100644 --- a/docs/bucket/notifications/README.md +++ b/docs/bucket/notifications/README.md 
@@ -486,13 +486,13 @@ To update the configuration, use `mc admin config get` command to get the curren
 
 ```sh
 $ mc admin config get myminio/ notify_nats
-notify_nats:1 password="yoursecret" streaming_max_pub_acks_in_flight="10" subject="" address="0.0.0.0:4222" token="" username="yourusername" ping_interval="0" queue_limit="0" secure="off" streaming_async="on" queue_dir="" streaming_cluster_id="test-cluster" streaming_enable="on"
+notify_nats:1 password="yoursecret" streaming_max_pub_acks_in_flight="10" subject="" address="0.0.0.0:4222" token="" username="yourusername" ping_interval="0" queue_limit="0" tls="off" tls_skip_verify="off" streaming_async="on" queue_dir="" streaming_cluster_id="test-cluster" streaming_enable="on"
 ```
 
 Use `mc admin config set` command to update the configuration for the deployment.Restart MinIO server to reflect config changes. `bucketevents` is the subject used by NATS in this example.
 
 ```sh
-$ mc admin config set myminio notify_nats:1 password="yoursecret" streaming_max_pub_acks_in_flight="10" subject="" address="0.0.0.0:4222" token="" username="yourusername" ping_interval="0" queue_limit="0" secure="off" streaming_async="on" queue_dir="" streaming_cluster_id="test-cluster" streaming_enable="on"
+$ mc admin config set myminio notify_nats:1 password="yoursecret" streaming_max_pub_acks_in_flight="10" subject="" address="0.0.0.0:4222" token="" username="yourusername" ping_interval="0" queue_limit="0" tls="off" streaming_async="on" queue_dir="" streaming_cluster_id="test-cluster" streaming_enable="on"
 ```
 
 MinIO server also supports [NATS Streaming mode](http://nats.io/documentation/streaming/nats-streaming-intro/) that offers additional functionality like `At-least-once-delivery`, and `Publisher rate limiting`. To configure MinIO server to send notifications to NATS Streaming server, update the MinIO server configuration file as follows:
diff --git a/docs/logging/README.md b/docs/logging/README.md
index 3313f2725..6e97140ec 100644
--- a/docs/logging/README.md
+++ b/docs/logging/README.md
@@ -16,11 +16,11 @@ HTTP target logs to a generic HTTP endpoint in JSON format and is not enabled by
 Assuming `mc` is already [configured](https://docs.min.io/docs/minio-client-quickstart-guide.html)
 ```
 mc admin config get myminio/ logger_webhook
-logger_webhook:target1 auth_token="" endpoint=""
+logger_webhook:name1 auth_token="" endpoint=""
 ```
 
 ```
-mc admin config set myminio logger_webhook:target1 auth_token="" endpoint="http://endpoint:port/path"
+mc admin config set myminio logger_webhook:name1 auth_token="" endpoint="http://endpoint:port/path"
 mc admin service restart myminio
 ```
 
@@ -38,11 +38,11 @@ minio server /mnt/data
 Assuming `mc` is already [configured](https://docs.min.io/docs/minio-client-quickstart-guide.html)
 ```
 mc admin config get myminio/ audit_webhook
-audit_webhook:target1 auth_token="" endpoint=""
+audit_webhook:name1 auth_token="" endpoint=""
 ```
 
 ```
-mc admin config set myminio audit_webhook:target1 auth_token="" endpoint="http://endpoint:port/path"
+mc admin config set myminio audit_webhook:name1 auth_token="" endpoint="http://endpoint:port/path"
 mc admin service restart myminio
 ```
 
diff --git a/pkg/event/target/nats.go b/pkg/event/target/nats.go
index 2b0308379..c840b49af 100644
--- a/pkg/event/target/nats.go
+++ b/pkg/event/target/nats.go
@@ -18,6 +18,8 @@ package target
 
 import (
 "context"
+ "crypto/tls"
+ "crypto/x509"
 "encoding/json"
 "errors"
 "net/url"
@@ -37,7 +39,8 @@ const (
 NATSUsername = "username"
 NATSPassword = "password"
 NATSToken = "token"
- NATSSecure = "secure"
+ NATSTLS = "tls"
+ NATSTLSSkipVerify = "tls_skip_verify"
 NATSPingInterval = "ping_interval"
 NATSQueueDir = "queue_dir"
 NATSQueueLimit = "queue_limit"
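Review bot: Dropping `NATSSecure = "secure"` here (and `EnvNATSSecure` in the next hunk) while `connectNats` still honors the `Secure` field means a deployment that currently sets `secure="on"` or `MINIO_NOTIFY_NATS_SECURE` keeps TLS only if something outside this diff maps the old key onto `tls`; if nothing does, the setting is silently ignored and the target reconnects in plaintext, a quiet downgrade rather than a visible failure. If no such migration exists, keep the old key as a deprecated alias, e.g. `NATSSecure = "secure" // Deprecated: alias of NATSTLS, kept so existing configs stay on TLS`, and have the parser treat it as `tls` or reject it at validation so the operator notices. The retained `Secure bool` field suggests compatibility was intended, so this may already be handled elsewhere; the constant block continues outside the hunk.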
@@ -57,7 +60,8 @@ const (
 EnvNATSUsername = "MINIO_NOTIFY_NATS_USERNAME"
 EnvNATSPassword = "MINIO_NOTIFY_NATS_PASSWORD"
 EnvNATSToken = "MINIO_NOTIFY_NATS_TOKEN"
- EnvNATSSecure = "MINIO_NOTIFY_NATS_SECURE"
+ EnvNATSTLS = "MINIO_NOTIFY_NATS_TLS"
+ EnvNATSTLSSkipVerify = "MINIO_NOTIFY_NATS_TLS_SKIP_VERIFY"
 EnvNATSPingInterval = "MINIO_NOTIFY_NATS_PING_INTERVAL"
 EnvNATSQueueDir = "MINIO_NOTIFY_NATS_QUEUE_DIR"
 EnvNATSQueueLimit = "MINIO_NOTIFY_NATS_QUEUE_LIMIT"
@@ -80,6 +84,8 @@ type NATSArgs struct {
 Username string `json:"username"`
 Password string `json:"password"`
 Token string `json:"token"`
+ TLS bool `json:"tls"`
+ TLSSkipVerify bool `json:"tlsSkipVerify"`
 Secure bool `json:"secure"`
 CertAuthority string `json:"certAuthority"`
 ClientCert string `json:"clientCert"`
@@ -93,6 +99,8 @@ type NATSArgs struct {
 Async bool `json:"async"`
 MaxPubAcksInflight int `json:"maxPubAcksInflight"`
 } `json:"streaming"`
+
+ RootCAs *x509.CertPool `json:"-"`
 }
 
 // Validate NATSArgs fields
@@ -140,8 +148,10 @@ func (n NATSArgs) connectNats() (*nats.Conn, error) {
 if n.Token != "" {
 connOpts = append(connOpts, nats.Token(n.Token))
 }
- if n.Secure {
+ if n.Secure || n.TLS && n.TLSSkipVerify {
 connOpts = append(connOpts, nats.Secure(nil))
+ } else if n.TLS {
+ connOpts = append(connOpts, nats.Secure(&tls.Config{RootCAs: n.RootCAs}))
 }
 if n.CertAuthority != "" {
 connOpts = append(connOpts, nats.RootCAs(n.CertAuthority))
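Review bot: The new `TLS`, `TLSSkipVerify` and `RootCAs` fields in NATSArgs carry no comments, and the `RootCAs *x509.CertPool` field tagged `json:"-"` in the -93 hunk gives a reader no way to tell where it comes from or how it relates to the existing `Secure` and `CertAuthority` settings. Three booleans that all steer TLS (`Secure`, `TLS`, `TLSSkipVerify`) deserve a line each stating precedence, since the struct is the only place a maintainer can look it up. Suggested comments: `// TLS enables TLS to the NATS server; RootCAs, when set, supplies the trust anchors and is not read from JSON.`, `// TLSSkipVerify requests that server-certificate verification be skipped when TLS is on (see connectNats).`, and on the untouched field `// Secure is the older switch; see connectNats for how it combines with TLS.` The relationship to the former "secure" key is inferred from the renamed constant rather than visible here, so confirm before writing it; the struct definition starts outside both hunks.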
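Review bot: `TLSSkipVerify` never reaches the TLS configuration: the new condition `n.Secure || n.TLS && n.TLSSkipVerify` sends the skip-verify case to `nats.Secure(nil)`, and nothing in the hunk sets `InsecureSkipVerify`, so unless the nats client treats a nil config as skip-verify (to my reading it substitutes a default config and verifies against the system roots) `tls_skip_verify="on"` is a no-op that additionally discards `n.RootCAs`. Either the flag should be wired into the `tls.Config` handed to `nats.Secure`, or the key and `MINIO_NOTIFY_NATS_TLS_SKIP_VERIFY` should be dropped rather than shipped as a knob whose name does not match its effect. The mixed `||`/`&&` without parentheses also hides that `Secure` alone still picks the nil-config path. A single branch that builds one config for both the legacy `Secure` switch and `TLS` is clearer; connectNats begins and ends outside this hunk.
```go
	// … unchanged: user/password/token options …
	if n.Secure || n.TLS {
		// One config serves the legacy "secure" switch and the new "tls" key.
		// InsecureSkipVerify turns off server-certificate checking; it is an
		// explicit opt-in through tls_skip_verify and stays false otherwise.
		connOpts = append(connOpts, nats.Secure(&tls.Config{
			RootCAs:            n.RootCAs,
			InsecureSkipVerify: n.TLSSkipVerify,
		}))
	}
	// … unchanged: CertAuthority and client certificate options …
```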