Minor fixes for several smaller issues (#1380)
- Adds missing config settings throughout storage class page.
    
  Closes #1349
    
- Adds instructions for adding certificates for connecting by sftp.
    
  Closes #1354
    
- Corrects information about which key to use for self-signed CAs.
    
  Closes #1358
    
- Moves `context` to optional for batch key rotate jobs.
    
  Closes #1356

- clean up missing ref links causing build warnings.
djwfyi authored Dec 4, 2024
1 parent 774f4d5 commit cfaedc8
Showing 6 changed files with 62 additions and 21 deletions.
7 changes: 3 additions & 4 deletions source/administration/batch-framework-job-keyrotate.rst
Expand Up @@ -42,10 +42,6 @@ Required Fields
* - ``key:``
- Only for use with the ``sse-kms`` type.
The key to use to unseal the key vault.
* - ``context:``
- Only for use with the ``sse-kms`` type.
The context within which to perform actions.


Optional Fields
~~~~~~~~~~~~~~~
Expand Down Expand Up @@ -73,6 +69,9 @@ For **flag based filters**
- A date in ``YYYY-MM-DD`` format.

Keys rotate only for objects created prior to the date.
* - ``context:``
- Only for use with the ``sse-kms`` type.
The context within which to perform actions.
* - ``tags:``
- Rotate keys only for objects with tags that match the specified ``key:`` and ``value:``.
* - ``metadata:``
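Review bot: The relocated ``context:`` row lands between the date filter and ``tags:`` in the table the hunk header labels "For **flag based filters**", but by its own description it is an ``sse-kms`` encryption parameter, not an object filter. Consider moving it out of the filter table, and since the field is now optional, state what the job does when ``context:`` is omitted.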
Expand Up @@ -110,8 +110,8 @@ Procedure

This procedure requires repeating steps for each MinIO deployment participating in the multi-site replication configuration. Depending on the number of deployments, this procedure may require significant time and care in implementation. MinIO recommends reading through the procedure *before* attempting to implement the documented steps.

- :ref:`Configure Multi-Site Bucket Replication Using the Command Line <minio-bucket-replication-multi-site-minio-cli-procedure>`
- :ref:`Create Replication Remote Targets <minio-bucket-replication-multi-site-minio-cli-create-remote-targets>`
- Configure Multi-Site Bucket Replication Using the Command Line

- :ref:`Create New Bucket Replication Rules <minio-bucket-replication-multi-site-minio-cli-create-replication-rules>`
- :ref:`Validate the Replication Configuration <minio-bucket-replication-multi-site-minio-cli-verify-replication-config>`
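
Review bot: The replacement first bullet, "Configure Multi-Site Bucket Replication Using the Command Line", is now plain text followed by a blank line, while the two ``:ref:`` bullets after it keep the same indent, so it reads as an unlinked sibling item rather than as the parent of those steps. If it is meant as the parent, indent the two ``:ref:`` items beneath it; if the aim was only to silence the missing-ref warning named in the commit message, defining the ``minio-bucket-replication-multi-site-minio-cli-procedure`` label above the procedure heading would keep the link.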

Expand All @@ -129,8 +129,6 @@ This procedure assumes each alias corresponds to a user with the :ref:`necessary
:mc:`mc replicate add` automatically creates the necessary replication targets, removing the need for using the deprecated ``mc admin remote bucket add`` command.
This procedure only documents the procedure as of that release.

.. _minio-bucket-replication-multi-site-minio-cli-create-remote-targets:

.. _minio-bucket-replication-multi-site-minio-cli-create-replication-rules:

1) Create New Bucket Replication Rules
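Review bot: Dropping the ``.. _minio-bucket-replication-multi-site-minio-cli-create-remote-targets:`` label is only safe if no other page still references it; a leftover ``:ref:`` to it elsewhere would raise the same kind of build warning this commit is cleaning up. A repository-wide search for the label name before merging would confirm that.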
1 change: 0 additions & 1 deletion source/administration/minio-console.rst
Expand Up @@ -151,7 +151,6 @@ Once logged in to the MinIO Console, users can perform many kinds of tasks.
- :ref:`Manage objects <minio-console-managing-objects>` by browsing existing objects, uploading objects, or modifying bucket settings.
- :ref:`Review or modify identity and security <minio-console-security-access>` with access keys, policies, and Identity Provider settings.
- :ref:`Monitor the health and activities <minio-console-managing-deployment>` with metrics and notifications.
- :ref:`Manage your deployment's license <minio-console-subscription>`

.. toctree::
:titlesonly:
46 changes: 46 additions & 0 deletions source/includes/linux/file-transfer-protocol-not-k8s.rst
Expand Up @@ -273,6 +273,52 @@ Once the MinIO Server verifies the client's certificate, the user can connect to
sftp -P <SFTP port> <server IP>
Procedure
+++++++++

The following procedure generates two key-value pairs, signs one with the other, then uses the resulting signed key to log in to the SFTP server.

1. Generate a key-value pair for the MinIO Server

.. code-block:: bash
:class: copyable
ssh-keygen -f ./ca_user_key
2. Generate a key-value pair for the user

.. code-block:: bash
:class: copyable
ssh-keygen -f ./minioadmin
Replace ``minioadmin`` with the user accessing the MinIO Server by SFTP.

3. Sign the user key-value pair key with the MinIO Server key-value pair key

.. code-block:: bash
:class: copyable
ssh-keygen -s ca_user_key -I minioadmin -n minioadmin -V +30d -z 1 minioadmin.pub
Move the ``minioadmin.pub`` key to the same directory as ``minioadmin`` key-value pair, such as ``~/.ssh/meaningful-directory``.

4. Start or restart the MinIO Server passing the generated public keys

.. code-block:: bash
:class: copyable
minio server --sftp="address=:8022" --sftp="ssh-private-key=/path/to/ca_user_key" --sftp="trusted-user-ca-key=/path/to/ca_user_key.pub"
5. Connect to the MinIO Server by sftp

.. code-block:: bash
:class: copyable
sftp -i ./minioadmin -oPort=8022 minioadmin@localhost
Require service account or LDAP for authentication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
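Review bot: Step 4 passes the same ``ca_user_key`` as ``ssh-private-key`` and, through ``ca_user_key.pub``, as ``trusted-user-ca-key``, so the private key that signs user certificates in step 3 also has to live on the MinIO host. Suggest generating a separate key for ``ssh-private-key`` and keeping the signing key off the server. Smaller points: ``ssh-keygen`` produces key pairs, not "key-value pairs"; step 3 should name the certificate file that ``ssh-keygen -s`` writes (``minioadmin-cert.pub``) rather than ``minioadmin.pub``, since that is the file ``sftp -i ./minioadmin`` looks for next to the private key; and the step 4 title says "public keys" although one of the arguments is a private key.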

12 changes: 7 additions & 5 deletions source/operations/network-encryption.rst
Expand Up @@ -585,7 +585,13 @@ Self-signed, Internal, Private Certificates, and Public CAs with Intermediate Ce
mv myCA.crt /opt/minio/certs/CAs/
For a self-signed certificate, the Certificate Authority is typically the private key used to sign the cert.
.. important::

Do not use or share the private key of the self-signed certificate.
Only the public certificate should be shared or distributed for trust purposes.

For certificates signed by an internal, private, or other non-global Certificate Authority, use the same CA that signed the cert.
A non-global CA must include the full chain of trust from the intermediate certificate to the root.

For certificates signed by an internal, private, or other non-global Certificate Authority, use the same CA that signed the cert.
A non-global CA must include the full chain of trust from the intermediate certificate to the root.
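Review bot: In the new ``.. important::`` block, "Do not use or share the private key of the self-signed certificate" is ambiguous, because the server still needs that private key to serve TLS; the point at this step is that only the public certificate goes into ``/opt/minio/certs/CAs/``. Suggest wording along the lines of "Do not copy the private key into the CAs directory or share it." Also, as rendered here, the added "For certificates signed by an internal, private, or other non-global Certificate Authority" paragraph repeats the paragraph that already follows it as unchanged context, so the page would show it twice; one copy should go.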
Expand Down Expand Up @@ -621,7 +627,3 @@ Self-signed, Internal, Private Certificates, and Public CAs with Intermediate Ce
:class: copyable
kubectl rollout restart deployments.apps/minio-operator -n minio-operator
11 changes: 4 additions & 7 deletions source/reference/minio-server/settings/storage-class.rst
Expand Up @@ -44,9 +44,8 @@ Standard Storage Class
.. tab-item:: Configuration Setting
:sync: config

.. include:: /includes/common-mc-admin-config.rst
:start-after: start-minio-settings-no-config-option
:end-before: end-minio-settings-no-config-option
.. mc-conf:: storage_class standard
:delimiter: " "

The :ref:`parity level <minio-ec-parity>` for the deployment.
MinIO shards objects written with the default ``STANDARD`` storage class using this parity value.
Expand Down Expand Up @@ -113,9 +112,8 @@ Reduced Redundancy Storage Class
.. tab-item:: Configuration Setting
:sync: config

.. include:: /includes/common-mc-admin-config.rst
:start-after: start-minio-settings-no-config-option
:end-before: end-minio-settings-no-config-option
.. mc-conf:: storage_class rrs
:delimiter: " "

The :ref:`parity level <minio-ec-parity>` for objects written with the ``REDUCED`` storage class.

Expand All @@ -133,7 +131,6 @@ Defaults to ``EC:0`` for deployments of erasure set size of 1.
Parity Retention Optimization
-----------------------------


.. tab-set::

.. tab-item:: Environment Variable