STS enabled by default (#1848)

Signed-off-by: pjuarezd <[email protected]>
minio · Nov 14, 2023 · 150885e · 150885e
1 parent 1d55a1a
commit 150885e
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 15 deletions.
diff --git a/docs/STS.md b/docs/STS.md
@@ -33,8 +33,8 @@ using the following steps:
 
 ## Enabling STS functionality
 
-At the moment, the STS feature ships `off` by default. To turn it on, switch `OPERATOR_STS_ENABLED` to `on` in
-the `minio-operator` deployment.
+Operator STS was first introduced on v5.0.0, by default turned off, starting Operator v5.0.11 the STS feature ships `on` by default. 
+On versions > 5.0.0 and < 5.0.11 to turn it on, switch `OPERATOR_STS_ENABLED` to `on` in the `minio-operator` deployment.
 
 ## TLS
 

diff --git a/docs/env-variables.md b/docs/env-variables.md
@@ -2,15 +2,15 @@
 
 Operator behavior can be customized using environment variables in the `minio-operator` deployment. Here is a list of the available environment variables:
 
-| Variable Name | Description                                                                                                                                                                  | Possible values         | default                       |
-| --- |------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|-------------------------------|
-|MINIO_OPERATOR_CERTIFICATES_VERSION| This forces which certificate api version to use.                                                                                                                 | `v1`,`v1beta1`              | whichever api k8s provides     |
-|MINIO_OPERATOR_RUNTIME | This tells us which runtime we have i.e. (EKS, Rancher, OpenShift, etc.). For example, if `EKS` is set, the CSR signerName to be used will be `"beta.eks.amazonaws.com/app-serving"` | EKS, Rancher, OpenShift |                               |
+| Variable Name | Description                                                                                                                                                                  | Possible values         | default                         |
+| --- |------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|---------------------------------|
+|MINIO_OPERATOR_CERTIFICATES_VERSION| This forces which certificate api version to use.                                                                                                                 | `v1`,`v1beta1`              | whichever api k8s provides      |
+|MINIO_OPERATOR_RUNTIME | This tells us which runtime we have i.e. (EKS, Rancher, OpenShift, etc.). For example, if `EKS` is set, the CSR signerName to be used will be `"beta.eks.amazonaws.com/app-serving"` | EKS, Rancher, OpenShift |                                 |
 |MINIO_OPERATOR_CSR_SIGNER_NAME| The name to use for the CSR Signer. It will override the default                                                                                                             |                         | `kubernetes.io/kubelet-serving` |
-|SUBNET_BASE_URL| Subnet base URL                                                                                                                                                              |                         | https://subnet.min.io         |
-|OPERATOR_CERT_PASSWD| This is used to decrypt the private key in the TLS certificate for operator, if needed                                                                               |                         ||
+|SUBNET_BASE_URL| Subnet base URL                                                                                                                                                              |                         | https://subnet.min.io           |
+|OPERATOR_CERT_PASSWD| This is used to decrypt the private key in the TLS certificate for operator, if needed                                                                               |                         |                                 |
 |MINIO_OPERATOR_DEPLOYMENT_NAME| This specifies a custom deployment name for Operator                                                                                                                |                         | `minio-operator`                |
-|OPERATOR_STS_ENABLED| This toggles the STS Service on or off                                                                                                                         | `on`, `off`                 | `off`                           |
+|OPERATOR_STS_ENABLED| This toggles the STS Service on or off                                                                                                                         | `on`, `off`                 | `on`                            |
 |MINIO_CONSOLE_DEPLOYMENT_NAME| This is the default name of the console deployment                                                                                                                                |                  | `console`                       |
 |MINIO_CONSOLE_TLS_ENABLE| This toggles the Console TLS on or off                                                                                                                                   | `on`, `off`                 | `off`                           |
-|WATCHED_NAMESPACE| The namespaces which the operator watches for MinIO tenants. Defaults to `""` for all namespaces.                                                                              |                         |                               |
+|WATCHED_NAMESPACE| The namespaces which the operator watches for MinIO tenants. Defaults to `""` for all namespaces.                                                                              |                         |                                 |
diff --git a/helm/operator/values.yaml b/helm/operator/values.yaml
@@ -24,7 +24,9 @@ operator:
   #      value: "OpenShift" 
   #
   # See `Operator environment variables <https://github.com/minio/operator/blob/master/docs/env-variables.md>`__ for a list of all supported values.
-  env: [ ]
+  env:
+    - name: OPERATOR_STS_ENABLED
+      value: "on"
   ###
   # Specify the Operator container image to use for the deployment.
   # ``image.tag`` 

diff --git a/pkg/controller/sts.go b/pkg/controller/sts.go
@@ -387,11 +387,13 @@ func (c *Controller) ValidateServiceAccountJWT(ctx *context.Context, token strin
 	return tokenReviewResult, nil
 }
 
-// IsSTSEnabled Validates if the STS API is turned on, STS is disabled by default
-// **WARNING** This will change and will be default to "on" in operator v5
+// IsSTSEnabled Validates if the STS API is turned on, STS is enabled by default
 func IsSTSEnabled() bool {
 	value, set := os.LookupEnv(STSEnabled)
-	return set && value == "on"
+	if set {
+		return value == "on"
+	}
+	return true
 }
 
 // generateConsoleTLSCert Issues the Operator Console TLS Certificate

diff --git a/resources/base/deployment.yaml b/resources/base/deployment.yaml
@@ -40,7 +40,7 @@ spec:
             - name: MINIO_CONSOLE_TLS_ENABLE
               value: "off"
             - name: OPERATOR_STS_ENABLED
-              value: "off"
+              value: "on"
       affinity:
         podAntiAffinity:
           requiredDuringSchedulingIgnoredDuringExecution: