HTTPS not working for operator console when deployed with Helm chart #1984

Closed
MichaelGehling opened this issue Feb 15, 2024 · 3 comments · Fixed by #2059
Labels: bug (Something isn't working), community


@MichaelGehling

Expected Behavior

When I install minio via helm chart from https://operator.min.io/, I would expect an easy way to make HTTPS working for the operator console.

Current Behavior

  1. Currently, the template for the ingress controller (console-ingress.yaml) contains hardcoded http as the target port of the console.
  2. Additionally, the values.yaml does not give any hint how the tls-certificates volume must be configured and mounted, so that the console works properly via https.

Possible Solution

  1. Provide a configuration value to switch between "http" and "https" in the ingress controller template (console-ingress.yaml)
  2. Extend in the values.yaml the volumes and volumeMounts sections with the proper configuration (commented if not wanted as default). Here is the configuration that worked for me:

volumes:
  - name: tmp
    emptyDir: {}
  # This is crucial for HTTPS
  - name: tls-certificates
    projected:
      defaultMode: 420
      sources:
        - secret:
            items:
              - key: public.crt
                path: public.crt
              - key: public.crt
                path: CAs/public.crt
              - key: private.key
                path: private.key
              - key: tls.crt
                path: tls.crt
              - key: tls.crt
                path: CAs/tls.crt
              - key: tls.key
                path: tls.key
            name: console-tls
            optional: true

volumeMounts:
  - name: tmp
    readOnly: false
    mountPath: /tmp/certs/CAs
  # This is crucial for HTTPS
  - name: tls-certificates
    readOnly: true
    mountPath: /tmp/certs

Context

I must use HTTPS for cluster internal communication.
It was pretty hard to figure out how to do it for the minio operator console!

To mount the volumes, it can be done via a custom-values.yaml, but finding the correct configuration was a hassle.

For changing the ingress controller to target the https port instead of the http port, I had to add a patch command after the deployment in my deployment script.
Here it is for anybody with the same problem:
kubectl patch ingress minio-operator-console --type=json -p='[{"op": "replace", "path": "/spec/rules/0/http/paths/0/backend/service/port/name", "value": "https"}]' -n minio-operator

Your Environment

  • Version used (minio-operator): v5.0.12
  • Environment name and version: Kubernetes v1.26.7
@cniackz
Contributor

cniackz commented Mar 10, 2024

There is a PR coming that may fix this issue

#2026

@dvaldivia
Collaborator

Could you elaborate further? I believe by setting .Values.tenant.certificate.requestAutoCert or Values.tenant.certificate.externalCertSecret the right port name is selected on the chart

@cniackz
Contributor

cniackz commented Apr 5, 2024

I think I see the issue now:

  rules:
    - host: {{ .Values.console.ingress.host }}
      http:
        paths:
          - path: {{ .Values.console.ingress.path }}
            pathType: {{ .Values.console.ingress.pathType }}
            backend:
              service:
                name: "console"
                port:
                  name: http  # <------- here

We are indeed hardcoding service.port.name to http. I would rather use service.port.number, as that will allow and give flexibility to pick between HTTPS or HTTP with a single field. For example, in my testing, operator can use HTTP by using the port number:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minio-operator
  namespace: minio-operator
spec:
  rules:
    - host: "minio.operator"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: console
                port:
                  number: 9090

While at the same time, tenant can use HTTPS by using port number as well:

spec:
  tls:
    - hosts:
        - minio.tenant-lite.svc.cluster.local
        - minio.tenant-lite
      secretName: myminio-tls
  rules:
    - host: minio.tenant-lite.svc.cluster.local
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: minio
                port:
                  number: 443
    - host: minio.tenant-lite
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: myminio-console
                port:
                  number: 9443

So in conclusion, I will look for a way to change from service.port.name to service.port.number to fix this issue. Documentation regarding the port type can be found at: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules

@cniackz cniackz added bug Something isn't working and removed triage labels Apr 5, 2024
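
An added example (not part of the issue thread or the MinIO chart): an offline check that resolves each Ingress backend port, by name or by number, against the Service and flags backends that land on the plaintext port, then applies the `replace` operation from the `kubectl patch` command in the issue. The sample objects are constructed, and the `https` port number 9443 on the console Service, the host name and the function names are assumptions.

```python
import copy

# Constructed samples, trimmed to the fields read below (shape of `kubectl get -o json`).
# The https port number on the console Service is an assumption.
SERVICE = {"metadata": {"name": "console"}, "spec": {"ports": [
    {"name": "http", "port": 9090}, {"name": "https", "port": 9443}]}}
INGRESS = {"metadata": {"name": "minio-operator-console"}, "spec": {"rules": [
    {"host": "console.example.internal", "http": {"paths": [
        {"path": "/", "pathType": "Prefix", "backend": {
            "service": {"name": "console", "port": {"name": "http"}}}}]}}]}}

def resolve_port(backend_port, service):
    """Map an Ingress backend port (name or number) to the Service port entry."""
    for entry in service["spec"]["ports"]:
        if backend_port.get("name") == entry["name"] or backend_port.get("number") == entry["port"]:
            return entry
    return None

def audit(ingress, service, tls_names=("https",)):
    """Return (json_pointer, reason) for every backend not on a TLS port."""
    findings = []
    for r, rule in enumerate(ingress["spec"].get("rules", [])):
        for p, path in enumerate(rule.get("http", {}).get("paths", [])):
            backend = path["backend"]["service"]
            if backend["name"] != service["metadata"]["name"]:
                continue  # backend belongs to a different Service
            pointer = f"/spec/rules/{r}/http/paths/{p}/backend/service/port"
            entry = resolve_port(backend["port"], service)
            if entry is None:
                findings.append((pointer, "port not exposed by service"))
            elif entry["name"] not in tls_names:
                findings.append((pointer, f"plaintext port {entry['name']}/{entry['port']}"))
    return findings

def json_patch_replace(doc, pointer, value):
    """Apply one RFC 6902 'replace' op to a copy (no ~0/~1 escape handling)."""
    patched = copy.deepcopy(doc)
    *parents, leaf = pointer.strip("/").split("/")
    node = patched
    for key in parents:
        node = node[int(key)] if isinstance(node, list) else node[key]
    if leaf not in node:
        raise KeyError(f"replace target does not exist: {pointer}")
    node[leaf] = value
    return patched

if __name__ == "__main__":
    fixed = json_patch_replace(INGRESS, "/spec/rules/0/http/paths/0/backend/service/port/name", "https")
    print(audit(INGRESS, SERVICE), audit(fixed, SERVICE))
```

The same check applies if the template moves to `service.port.number`: a number that maps to the `http` port is still reported, and a number the Service does not expose is reported separately.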