Tenant Helm Chart: Bucket DNS support incomplete #1796

Closed
stephan2012 opened this issue Oct 3, 2023 · 9 comments · Fixed by #1930

stephan2012 commented Oct 3, 2023

Is your feature request related to a problem? Please describe.
The Tenant Helm chart supports enabling the bucketDNS feature but only provides the Ingress configuration for the canonical domain. Kubernetes Ingresses support wildcards in hostnames nowadays, so a wildcard endpoint should be configured besides the canonical one.

Describe the solution you'd like
Add the wildcard hostname as the second path in the API Ingress.

Describe alternatives you've considered
There are no alternatives since the current implementation is semantically incomplete.

Additional context
Combined without automatic DNS configuration (e.g., external-dns), the Helm chart heads towards a plug-and-play solution.

Kindly let me know if you're interested in a PR.

@jiuker
Contributor

jiuker commented Oct 7, 2023

`helm install minio --set ingress.api.host=*.minio.local` should be fine for you. @stephan2012 Or do you want it set by default?

@stephan2012
Author

Using just the wildcard expression may work depending on the Ingress Controller implementation. However, the Ingress specs explicitly state that *.foo.com does not match foo.com.

@stephan2012
Author

By the way, it makes sense to automatically enable a wildcard host if bucket DNS is enabled.

@jiuker
Contributor

jiuker commented Oct 9, 2023

> By the way, it makes sense to automatically enable a wildcard host if bucket DNS is enabled.

I didn't get your point. Ingress config with hosts that is the user's DNS. How to do that with Helm charts automatically? @stephan2012

@stephan2012
Author

@jiuker
Contributor

jiuker commented Oct 9, 2023

@stephan2012 I can see it will config with that "external-dns.alpha.kubernetes.io/hostname=nginx.example.org", which needs a hostname anyway. So what did I miss?

@stephan2012
Author

For Ingresses, external-dns does not require an annotation.

> I can see it will config with that "external-dns.alpha.kubernetes.io/hostname=nginx.example.org", which needs a hostname anyway. So what did I miss?

There are two different topics here: Usually, a service like external-dns or an administrator needs to create DNS records so that external systems know where to route traffic. While this usually is a requirement, it is not the scope of this issue.

This issue addresses the other part: Configuring the Ingress Controller. To fully support Bucket DNS besides paths, we need two different host records in the Ingress: One is the canonical service name (e.g., minio.my.domain), the other is a wildcard name (*.minio.my.domain). As referenced above, the Kubernetes Ingress specs explicitly state that the wildcard hostname does not match the canonical hostname, so we must list both in the Ingress.
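The host-matching rule this thread turns on, as an added example (not part of the issue or of the operator's code): it implements the Kubernetes Ingress rule that a wildcard host covers exactly one leading DNS label, then reports which request hosts a given host list leaves unrouted. The function names and the bucket name `photos` are constructed for illustration; the domain is the one used in the comment above.

```python
# Added example: Kubernetes Ingress host matching (a wildcard host covers
# exactly one leading DNS label and never the bare parent domain).

def host_matches(rule_host: str, request_host: str) -> bool:
    """Return True if an Ingress rule host matches an HTTP Host header value."""
    rule = rule_host.lower().rstrip(".")
    req = request_host.lower().rstrip(".")
    if not rule.startswith("*."):
        return rule == req                  # precise host: exact match only
    suffix = rule[1:]                       # "*.minio.my.domain" -> ".minio.my.domain"
    if not req.endswith(suffix):
        return False                        # the canonical name fails here
    first_label = req[: -len(suffix)]
    return bool(first_label) and "." not in first_label   # exactly one label


def uncovered(rule_hosts, request_hosts):
    """Request hosts that no rule host would route."""
    return [r for r in request_hosts
            if not any(host_matches(h, r) for h in rule_hosts)]


# Constructed sample: path-style access uses the canonical name,
# bucket DNS access uses <bucket>.<canonical name>.
CANONICAL = "minio.my.domain"
WILDCARD = "*.minio.my.domain"
REQUESTS = [CANONICAL, "photos." + CANONICAL]

if __name__ == "__main__":
    for label, hosts in [("canonical only", [CANONICAL]),
                         ("wildcard only", [WILDCARD]),
                         ("both", [CANONICAL, WILDCARD])]:
        print(f"{label:15} unrouted: {uncovered(hosts, REQUESTS)}")
```

The same single-label behaviour applies to wildcard names in TLS certificates, so the `tls.hosts` list and the certificate behind it need both names as well.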

alistarle added a commit to alistarle/operator that referenced this issue Jan 4, 2024
Create an extra ingress rule for wildcard api host if dns
feature is enabled. Need to configure the TLS block accordingly
in values.yaml

Fixes minio#1796

@alistarle
Contributor

@stephan2012 I agree with the issue. I managed to mitigate it using the extraResources feature, but here is the PR, which seems to fix the issue in a more elegant way.

Here is my workaround, with an example for the nginx ingress controller:

    extraResources:
    - |
      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        annotations:
          kubernetes.io/tls-acme: "true"
        name: myminio-wildcard
        namespace: minio
      spec:
        ingressClassName: nginx
        rules:
        - host: "*.myminio.mydomain.com"
          http:
            paths:
            - backend:
                service:
                  name: minio
                  port:
                    name: http-minio
              path: /
              pathType: Prefix
        tls:
        - hosts:
          - "*.myminio.mydomain.com"
          secretName: myminio-wildcard-tls

harshavardhana pushed a commit that referenced this issue Jan 5, 2024
Create an extra ingress rule for wildcard api host if dns
feature is enabled. Need to configure the TLS block accordingly
in values.yaml

Fixes #1796

@stephan2012
Author

Thank you, @alistarle! 😃
