MINIO_BROWSER_REDIRECT_URL broken? in helm chart and kustomization #1887

Closed
divramod opened this issue Nov 24, 2023 · 1 comment

divramod commented Nov 24, 2023

Expected Behavior

  • when i set the MINIO_BROWSER_REDIRECT_URL env, it should take effect and change the shareable link in the console

Current Behavior

  • when setting the MINIO_BROWSER_REDIRECT_URL in the helm chart config secret or the kustomization tenant env part or a kustomize config secret it will not take effect in the console
  • i tried it with different image versions and different approaches to set the env
image: quay.io/minio/minio:RELEASE.2023-11-15T20-43-25Z
image: quay.io/minio/minio:RELEASE.2023-05-04T21-44-30Z

Possible Solution

  • downgrade to a running version (i haven't found one, can someone maybe point me to a running version for MINIO_BROWSER_REDIRECT_URL)
  • if the problem lies within the console, can i somehow downgrade the console or set the env in another way?

Steps to Reproduce (for bugs)

  1. apply version 2023-11-15 with helm chart or kustomization
  2. login
  3. upload a file
  4. try to share it
  5. have a look at the sharable link, which looks like this for me https://minio.my-sys.svc.cluster.local/hello/world/Screenshot%202023-11-21%20at%2004.17.06.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=2FAHQ8000OLBM2QU6DO2%2F20231124%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231124T062642Z&X-Amz-Expires=604800&X-Amz-Security-Token=eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiIyRkFIUTgwMDBPTEJNMlFVNkRPMiIsImV4cCI6MTcwMDg1MDA5MSwicGFyZW50IjoiY29uc29sZSJ9.4KzSELvaSRvQXO1mmOXpKzHFgeutK50DVuuisvC2SclnESq5FNkKyFyd9hmBgGQlIOzgBOLf5btWLjYiynmwyA&X-Amz-SignedHeaders=host&versionId=6ff09fa2-d5e2-4b95-b734-30d29c9df764&X-Amz-Signature=8e059c7f6e4109bc235cd9ce2b9e7268f1f4552cd3eaba4f102d1633b7f79acc but should look like this https://minio-console.my-domain.io ...

Context

  • i want to provide a shareable file link to the user so that he can display/download a file from minio
  • i tried some different approaches in the secret cfg to set the env (with quotation marks, without, with single ones), but nothing was taking effect

Regression

  • RELEASE.2023-11-15T20-43-25Z

Your Environment

  • Version used (minio-operator): v5.0.11
  • Environment name and version (e.g. k3s v1.26.4+k3s1):
  • Server type and version: hetzner hcloud cpx51
  • Operating System and version (uname -a): ubuntu 22.04

helm

helm: secret artifact

apiVersion: v1
kind: Secret
metadata:
  name: ven-minio-cfg
  namespace: io-sys
stringData:
  config.env: |-
    export MINIO_ROOT_USER="minio"
    export MINIO_ROOT_PASSWORD="minio123"
    export MINIO_BROWSER_REDIRECT_URL=https://minio-console.my-domain.io

helm: applied cfg secret

apiVersion: v1
data:
  config.env: base64_string with content of the secret
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"ven-minio-cfg","namespace":"io-sys"},"stringData":{"config.env":"export MINIO_ROOT_USER=\"minio\"\nexport MINIO_ROOT_PASSWORD=\"minio123\"\nexport MINIO_BROWSER_REDIRECT_URL=https://minio-console.my-domain.io"}}
  creationTimestamp: "2023-11-24T06:36:34Z"
  name: ven-minio-cfg
  namespace: io-sys
  resourceVersion: "4490854"
  uid: 133b6b96-33ef-4e20-9b2f-1d2d911d4f2e
type: Opaque

helm: chart overwrite.yaml

existingSecret:
  name: ven-minio-cfg
tenant:
  name: ven-minio
  configuration:
    name: ven-minio-cfg
    # name: myminio-env-configuration
  # certificate:
  #   externalCaCertSecret:
  #     - name: minio.my-domain.io
  #       type: kubernetes.io/tls
  #     - name: minio-console.my-domain.io
  #       type: kubernetes.io/tls
  pools:
    - servers: 2
      name: pool-0
      size: 20Gi
      storageClassName: hcloud-volumes
      volumesPerServer: 2
  metrics:
    enabled: true
  features:
    bucketDNS: true
    # domains:
    #   minio:
    #     - "minio.my-domain.io"
    #   console: "minio-console.my-domain.io"
    enableSFTP: true
  buckets:
    - name: test
      objectLock: false
      region: us-east-1
ingress:
  api:
    enabled: true
    ingressClassName: nginx
    labels: { }
    annotations:
      cert-manager.io/cluster-issuer: 'letsencrypt-prod'
      kubernetes.io/tls-acme: 'true'
      nginx.ingress.kubernetes.io/enable-access-log: 'true'
      nginx.ingress.kubernetes.io/enable-rewrite-log: 'true'
      # nginx.ingress.kubernetes.io/proxy-body-size: 4096m
      # nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    tls:
      - hosts:
          - minio.my-domain.io
        secretName: minio.my-domain.io
    host: minio.my-domain.io
    path: /
    pathType: Prefix
  console:
    enabled: true
    ingressClassName: nginx
    labels: { }
    annotations:
      cert-manager.io/cluster-issuer: 'letsencrypt-prod'
      kubernetes.io/tls-acme: 'true'
      nginx.ingress.kubernetes.io/enable-access-log: 'true'
      nginx.ingress.kubernetes.io/enable-rewrite-log: 'true'
      nginx.ingress.kubernetes.io/proxy-body-size: 4096m
      nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    tls:
      - hosts:
          - minio-console.my-domain.io
        secretName: minio-console.my-domain.io
    host: minio-console.my-domain.io
    path: /
    pathType: Prefix

helm: template output

# THIS IS NOT USED, BECAUSE I CHANGED THE CONFIGURATION SECRET NAME?
# Source: tenant/templates/tenant-configuration.yaml
apiVersion: v1
kind: Secret
metadata:
  name: myminio-env-configuration
type: Opaque
stringData:
  config.env: |-
    export MINIO_ROOT_USER="minio"
    export MINIO_ROOT_PASSWORD="minio123"
---
# Source: tenant/templates/api-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ven-minio
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/enable-access-log: "true"
    nginx.ingress.kubernetes.io/enable-rewrite-log: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - "minio.my-domain.io"
      secretName: minio.my-domain.io
  rules:
    - host: minio.my-domain.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: minio
                port:
                  name: https-minio
---
# Source: tenant/templates/console-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ven-minio-console
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/enable-access-log: "true"
    nginx.ingress.kubernetes.io/enable-rewrite-log: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: 4096m
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - "minio-console.my-domain.io"
      secretName: minio-console.my-domain.io
  rules:
    - host: minio-console.my-domain.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: ven-minio-console
                port:
                  name: https-console
---
# Source: tenant/templates/tenant.yaml
apiVersion: minio.min.io/v2
kind: Tenant
metadata:
  name: ven-minio
  ## Optionally pass labels to be applied to the statefulset pods
  labels:
    app: minio
  ## Annotations for MinIO Tenant Pods
  annotations:
    prometheus.io/path: /minio/v2/metrics/cluster
    prometheus.io/port: "9000"
    prometheus.io/scrape: "true"
    prometheus.io/scheme: "http"
spec:
  image: "quay.io/minio/minio:RELEASE.2023-11-15T20-43-25Z"
  imagePullPolicy: IfNotPresent
  ## Secret with default environment variable configurations
  configuration:
    name: ven-minio-cfg
  pools:
    - servers: 2
      name: pool-0
      volumesPerServer: 2
      volumeClaimTemplate:
        metadata:
          name: data
        spec:
          storageClassName: hcloud-volumes
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 20Gi
  mountPath: /export
  subPath: /data
  requestAutoCert: true
  features:
    bucketDNS: true
    enableSFTP: true
  buckets:
    - name: test
      objectLock: false
      region: us-east-1
  podManagementPolicy: Parallel
  prometheusOperator: false

kustomize

kustomize applied tenant 1 pod

spec:
  containers:
  - args:
    - server
    - --certs-dir
    - /tmp/certs
    - --console-address
    - :9443
    env:
    - name: MINIO_BROWSER
      value: "on"
    - name: MINIO_BROWSER_REDIRECT_URL
      value: https://minio-console.my-domain.io
    - name: MINIO_CONFIG_ENV_FILE
      value: /tmp/minio/config.env
    - name: MINIO_DNS_WEBHOOK_ENDPOINT
      value: http://127.0.0.1:4222/webhook/v1/bucketsrv/my-sys/ven-minio
    - name: MINIO_DOMAIN
      value: my-sys.svc.cluster.local
    - name: MINIO_OPERATOR_VERSION
      value: 5.0.11
    - name: MINIO_PROMETHEUS_JOB_ID
      value: minio-job
    - name: MINIO_SERVER_URL
      value: https://minio.my-sys.svc.cluster.local:443
    - name: MINIO_UPDATE
      value: "on"
    - name: MINIO_UPDATE_MINISIGN_PUBKEY
      value: RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav
    image: quay.io/minio/minio:RELEASE.2023-11-15T20-43-25Z

cluster config kustomize

apiVersion: minio.min.io/v2
kind: Tenant
metadata:
  name: ven-minio
  namespace: my-sys
  ## Optionally pass labels to be applied to the statefulset pods
  labels:
    app: minio
  ## Optionally pass annotations to be applied to the statefulset pods
  annotations:
    prometheus.io/path: /minio/v2/metrics/cluster
    prometheus.io/port: "9000"
    prometheus.io/scrape: "true"

## If a scheduler is specified here, Tenant pods will be dispatched by specified scheduler.
## If not specified, the Tenant pods will be dispatched by default scheduler.
# scheduler:
#  name: my-custom-scheduler

spec:
  features:
    ## Enable S3 specific features such as Bucket DNS which would allow `buckets` to be
    ## accessible as DNS entries of form `<bucketname>.minio.namespace.svc.cluster.local`
    ## This feature is turned off by default
    bucketDNS: true
    ## Specify a list of domains used to access MinIO and Console
    domains: { }
    ## Enable access via SFTP
    ## This feature is turned off by default
    # enableSFTP: false
  ## Create users in the Tenant using this field. Make sure to create secrets per user added here.
  ## Secret should follow the format used in `minio-creds-secret`.
  users:
    - name: ven-minio-user-console
  ## Create buckets using the console user
  # buckets:
  #   - name: "test-bucket1"
  #     region: "us-east-1"
  #     objectLock: true
  #   - name: "test-bucket2"
  #     region: "us-east-1"
  #     objectLock: true
  ## This field is used only when "requestAutoCert" is set to true. Use this field to set CommonName
  ## for the auto-generated certificate. Internal DNS name for the pod will be used if CommonName is
  ## not provided. DNS name format is *.minio.default.svc.cluster.local
  certConfig: { }
  ## PodManagement policy for MinIO Tenant Pods. Can be "OrderedReady" or "Parallel"
  ## Refer https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy
  ## for details.
  podManagementPolicy: Parallel
  ## Secret with credentials and configurations to be used by MinIO Tenant.
  configuration:
    name: ven-minio-cfg
  ## Add environment variables to be set in MinIO container (https://github.com/minio/minio/tree/master/docs/config)
  env:
    - name: MINIO_BROWSER_REDIRECT_URL
      value: "https://minio-console.my-domain.io"
    # - name: MINIO_SERVER_URL
    #   value: https://minio.my-domain.io
    - name: MINIO_BROWSER
      value: "on"
    # - name: MINIO_ROOT_USER
    #   value: minio
    # - name: MINIO_ROOT_PASSWORD
    #   value: minio123
  ## serviceMetadata allows passing additional labels and annotations to MinIO and Console specific
  ## services created by the operator.
  serviceMetadata:
    minioServiceLabels: { }
    minioServiceAnnotations: { }
    consoleServiceLabels: { }
    consoleServiceAnnotations: { }
  ## PriorityClassName indicates the Pod priority and hence importance of a Pod relative to other Pods.
  ## This is applied to MinIO pods only.
  ## Refer Kubernetes documentation for details https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass/
  priorityClassName: ""
  ## Use this field to provide one or more external CA certificates. This is used by MinIO
  ## to verify TLS connections with other applications.
  ## Certificate secret files will be mounted under /tmp/certs/CAs folder, supported types:
  ## Opaque | kubernetes.io/tls | cert-manager.io/v1alpha2 | cert-manager.io/v1
  ##
  ## ie:
  ##
  ##  externalCaCertSecret:
  ##    - name: ca-certificate-1
  ##      type: Opaque
  ##    - name: ca-certificate-2
  ##      type: Opaque
  ##    - name: ca-certificate-3
  ##      type: Opaque
  ##
  ## Create secrets as explained here:
  ## https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
  externalCaCertSecret: [ ]
  ## Use this field to provide one or more Secrets with external certificates. This can be used to configure
  ## TLS for MinIO Tenant pods.
  ## Certificate secret files will be mounted under /tmp/certs folder, supported types:
  ## Opaque | kubernetes.io/tls | cert-manager.io/v1alpha2 | cert-manager.io/v1
  ##
  ## ie:
  ##
  ##  externalCertSecret:
  ##    - name: domain-certificate-1
  ##      type: kubernetes.io/tls
  ##    - name: domain-certificate-2
  ##      type: kubernetes.io/tls
  ##    - name: domain-certificate-3
  ##      type: kubernetes.io/tls
  ##
  ## Create secrets as explained here:
  ## https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
  externalCertSecret: [ ]
  ## Use this field to provide client certificates for MinIO & KES. This can be used to configure
  ## mTLS for MinIO and your KES server. Files will be mounted under /tmp/certs folder, supported types:
  ## Opaque | kubernetes.io/tls | cert-manager.io/v1alpha2 | cert-manager.io/v1
  ## ie:
  ##
  ##  externalClientCertSecret:
  ##    name: mtls-certificates-for-tenant
  ##    type: Opaque
  ##
  ## Create secrets as explained here:
  ## https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
  # externalClientCertSecret: {}
  ##
  ## Use this field to provide additional client certificate for the MinIO Tenant
  ## Certificate secret files will be mounted under /tmp/certs folder, supported types:
  ## Opaque | kubernetes.io/tls | cert-manager.io/v1alpha2 | cert-manager.io/v1
  ##
  ## mount path inside container:
  ##
  ##	certs
  ##		|
  ##		+ client-0
  ##		|			+ client.crt
  ##		|			+ client.key
  ##		+ client-1
  ##		|			+ client.crt
  ##		|			+ client.key
  ##		+ client-2
  ##		|			+ client.crt
  ##		|			+ client.key
  ## ie:
  ##
  ##    externalClientCertSecrets:
  ##      - name: client-certificate-1
  ##        type: kubernetes.io/tls
  ##      - name: client-certificate-2
  ##        type: kubernetes.io/tls
  ##      - name: client-certificate-3
  ##        type: kubernetes.io/tls
  ##
  ## Create secrets as explained here:
  ## https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
  externalClientCertSecrets: [ ]
  ## Registry location and Tag to download MinIO Server image
  image: quay.io/minio/minio:RELEASE.2023-11-15T20-43-25Z
  # image: quay.io/minio/minio:RELEASE.2023-05-04T21-44-30Z
  imagePullSecret: { }
  ## Mount path where PV will be mounted inside container(s).
  mountPath: /export
  ## Sub path inside Mount path where MinIO stores data.
  ## WARNING:
  ## We recommend you to keep the same mountPath and the same subPath once the
  ## Tenant has been deployed over your different PVs.
  ## This is because if you change these values once Tenant is deployed, then
  ## you will end up with multiple paths for different buckets. So please, be
  ## very careful to keep same value for the life of the Tenant.
  subPath: ""
  ## Service account to be used for all the MinIO Pods
  serviceAccountName: ""
  ## Specification for MinIO Pool(s) in this Tenant.
  pools:
    ## Servers specifies the number of MinIO Tenant Pods / Servers in this pool.
    ## For standalone mode, supply 1. For distributed mode, supply 4 or more.
    ## Note that the operator does not support upgrading from standalone to distributed mode.
    - servers: 2
      ## custom name for the pool
      name: pool-0
      ## Specify one or more Pod Topology Spread Constraints to apply to pods deployed in the MinIO pool.
      ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints
      topologySpreadConstraints: [ ]
      ## volumesPerServer specifies the number of volumes attached per MinIO Tenant Pod / Server.
      volumesPerServer: 2
      ## nodeSelector parameters for MinIO Pods. It specifies a map of key-value pairs. For the pod to be
      ## eligible to run on a node, the node must have each of the
      ## indicated key-value pairs as labels.
      ## Read more here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
      nodeSelector: { }
      ## Used to specify a toleration for a pod
      tolerations: [ ]
      ## Affinity settings for MinIO pods. Read more about affinity
      ## here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity.
      affinity:
        nodeAffinity: { }
        podAffinity: { }
        podAntiAffinity: { }
      ## Configure resource requests and limits for MinIO containers
      resources: { }
      ## This VolumeClaimTemplate is used across all the volumes provisioned for MinIO Tenant in this
      ## Pool.
      volumeClaimTemplate:
        apiVersion: v1
        kind: persistentvolumeclaims
        metadata: { }
        spec:
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 20Gi
          storageClassName: hcloud-volumes
        status: { }
      ## Configure Pod's security context
      ## We recommend to skip the recursive permission change by using
      ## fsGroupChangePolicy as OnRootMismatch because it can be pretty
      ## expensive for larger volumes with lots of small files.
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        runAsNonRoot: true
        fsGroup: 1000
        fsGroupChangePolicy: "OnRootMismatch"
      ## Configure container security context
      containerSecurityContext:
        runAsUser: 1000
        runAsGroup: 1000
        runAsNonRoot: true
  ## Enable automatic Kubernetes based certificate generation and signing as explained in
  ## https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster
  requestAutoCert: true
  ## Prometheus setup for MinIO Tenant.
  #  prometheus:
  #    image: "" # defaults to quay.io/prometheus/prometheus:latest
  #    env: [ ]
  #    sidecarimage: "" # defaults to alpine
  #    initimage: "" # defaults to busybox:1.33.1
  #    diskCapacityGB: 1
  #    storageClassName: standard
  #    annotations: { }
  #    labels: { }
  #    nodeSelector: { }
  #    affinity:
  #      nodeAffinity: { }
  #      podAffinity: { }
  #      podAntiAffinity: { }
  #    resources: { }
  #    serviceAccountName: ""
  #    securityContext:
  #      runAsUser: 1000
  #      runAsGroup: 1000
  #      runAsNonRoot: true
  #      fsGroup: 1000
  ## Prometheus Operator's Service Monitor for MinIO Tenant Pods.
  # prometheusOperator:
  #   labels:
  #     app: minio-sm
  ## Audit Logs will be deprecated soon, commenting out for now!.
  ## LogSearch API setup for MinIO Tenant.
  # log:
  #   image: "" # defaults to minio/operator:v5.0.11
  #   env: [ ]
  #   resources: { }
  #   nodeSelector: { }
  #   affinity:
  #     nodeAffinity: { }
  #     podAffinity: { }
  #     podAntiAffinity: { }
  #   tolerations: [ ]
  #   annotations: { }
  #   labels: { }
  #   audit:
  #     diskCapacityGB: 1
  #   ## Postgres setup for LogSearch API
  #   db:
  #     image: "" # defaults to library/postgres
  #     env: [ ]
  #     initimage: "" # defaults to busybox:1.33.1
  #     volumeClaimTemplate:
  #       metadata: { }
  #       spec:
  #         storageClassName: standard
  #         accessModes:
  #           - ReadWriteOnce
  #         resources:
  #           requests:
  #             storage: 1Gi
  #     resources: { }
  #     nodeSelector: { }
  #     affinity:
  #       nodeAffinity: { }
  #       podAffinity: { }
  #       podAntiAffinity: { }
  #     tolerations: [ ]
  #     annotations: { }
  #     labels: { }
  #     serviceAccountName: ""
  #     securityContext:
  #       runAsUser: 999
  #       runAsGroup: 999
  #       runAsNonRoot: true
  #       fsGroup: 999
  #   serviceAccountName: ""
  #   securityContext:
  #     runAsUser: 1000
  #     runAsGroup: 1000
  #     runAsNonRoot: true
  #     fsGroup: 1000

divramod commented (Author)

i used the wrong url. it needs to be MINIO_SERVER_URL 🤣
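
A check for the symptom reported in this issue, as an added example that is not part of the original thread or of MinIO's code: the pod env above shows `MINIO_SERVER_URL` set to the cluster-internal name, which is the host that appears in the share link, and the link carries `X-Amz-SignedHeaders=host`. The function names are hypothetical, `minio.my-domain.io` is taken from the API ingress in the issue, and the sample link is constructed from the parameter values quoted in the issue with placeholder signatures.

```python
import base64
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit


def jwt_claims(token):
    """Decode a JWT payload for inspection only (no signature verification)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_share_link(url, public_api_host):
    """Check a presigned share link against the externally reachable S3 host."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    issued = datetime.strptime(query["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(
        tzinfo=timezone.utc)
    expiry = issued + timedelta(seconds=int(query["X-Amz-Expires"]))
    findings = []

    host_ok = parts.hostname == public_api_host
    if not host_ok:
        findings.append(f"link host {parts.hostname} is not {public_api_host}; "
                        "check MINIO_SERVER_URL")
        if "host" in query.get("X-Amz-SignedHeaders", "").split(";"):
            findings.append("host is a signed header: editing the host in the "
                            "link invalidates X-Amz-Signature")

    # A link signed with temporary credentials cannot outlive those credentials.
    token = query.get("X-Amz-Security-Token")
    if token:
        token_exp = datetime.fromtimestamp(jwt_claims(token)["exp"], timezone.utc)
        if token_exp < expiry:
            findings.append("session token expires before X-Amz-Expires elapses")
            expiry = token_exp
    return {"host_ok": host_ok, "effective_expiry": expiry, "findings": findings}


def constructed_link(host):
    """Constructed sample: parameter values mirror the link quoted in the issue;
    the token signature and X-Amz-Signature are placeholders."""
    b64 = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    token = ".".join([b64({"alg": "HS512", "typ": "JWT"}),
                      b64({"exp": 1700850091, "parent": "console"}),
                      "PLACEHOLDER"])
    params = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Date": "20231124T062642Z",
              "X-Amz-Expires": "604800",
              "X-Amz-Security-Token": token,
              "X-Amz-SignedHeaders": "host",
              "X-Amz-Signature": "PLACEHOLDER"}
    return f"https://{host}/hello/world/file.png?{urlencode(params)}"


if __name__ == "__main__":
    for h in ("minio.my-sys.svc.cluster.local", "minio.my-domain.io"):
        report = audit_share_link(constructed_link(h), "minio.my-domain.io")
        print(h, report["host_ok"], report["effective_expiry"].isoformat())
        for finding in report["findings"]:
            print("  -", finding)
```

With the values from the issue, the link requests a 7-day lifetime (`X-Amz-Expires=604800`) but the embedded console session token expires the same day, so the shorter of the two is reported as the effective expiry.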
