master/v4.0.0/c40ab9c operator does not appear to create a functional console #479
Comments
logs make it look like an rbac setup issue:
|
Hi @jhoblitt, for number 3. right now you need to have a Resource quota so that an available storage class can be selected.
then applying it like
The number EDIT: With current operator, there is no need to create a resourcequota by yourself. |
@cesnietor I think we removed that requirement recently, does the |
@cesnietor Sure. I killed the operator pod to reset the logging:
$ kubectl delete ns minio-tenant-1
namespace "minio-tenant-1" deleted
$ kubectl create ns minio-tenant-1
namespace/minio-tenant-1 created
$ cat rquota.yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: default-storagequota
  namespace: minio-tenant-1
spec:
  hard:
    standard.storageclass.storage.k8s.io/requests.storage: "9223372036854775807"
$ kubectl apply -f rquota.yaml
resourcequota/default-storagequota created
$ kubectl -n minio-operator delete pod minio-operator-79fb7887b4-tt4xm
pod "minio-operator-79fb7887b4-tt4xm" deleted
$ kubectl minio tenant create \
> minio-tenant-1 \
> --servers 3 \
> --volumes 12 \
> --capacity 1Ti \
> --namespace minio-tenant-1 \
> --storage-class local-storage
W0219 12:59:32.673903 1098279 warnings.go:70] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
Tenant 'minio-tenant-1' created in 'minio-tenant-1' Namespace
Username: admin
Password: 3673b98d-0477-4d04-b8a5-a6c44c0b8df9
Note: Copy the credentials to a secure location. MinIO will not display these again.
+-------------+------------------------+----------------+--------------+--------------+
| APPLICATION | SERVICE NAME | NAMESPACE | SERVICE TYPE | SERVICE PORT |
+-------------+------------------------+----------------+--------------+--------------+
| MinIO | minio | minio-tenant-1 | ClusterIP | 443 |
| Console | minio-tenant-1-console | minio-tenant-1 | ClusterIP | 9443 |
+-------------+------------------------+----------------+--------------+--------------+
# wait a bit
$ kubectl -n minio-tenant-1 get pod
No resources found in minio-tenant-1 namespace.
$ kubectl -n minio-operator logs minio-operator-79fb7887b4-7ddbx | grep -v deprecated
I0219 19:58:01.120593 1 main.go:72] Starting MinIO Operator
I0219 19:58:01.354854 1 main.go:139] caBundle on CRD updated
I0219 19:58:01.355839 1 main-controller.go:250] Setting up event handlers
I0219 19:58:01.355897 1 main-controller.go:634] Starting Tenant controller
I0219 19:58:01.355903 1 main-controller.go:637] Waiting for informer caches to sync
I0219 19:58:01.365780 1 main-controller.go:598] operator TLS secret not found%!(EXTRA string=secrets "operator-tls" not found)
I0219 19:58:01.379457 1 csr.go:217] Start polling for certificate of csr/operator-minio-operator-csr, every 5s, timeout after 20m0s
I0219 19:58:01.456000 1 main-controller.go:642] Starting workers
E0219 19:59:38.269921 1 main-controller.go:720] error syncing 'minio-tenant-1/minio-tenant-1': secrets "operator-tls" not found
E0219 19:59:48.250049 1 main-controller.go:720] error syncing 'minio-tenant-1/minio-tenant-1': secrets "operator-tls" not found
E0219 20:00:48.254844 1 main-controller.go:720] error syncing 'minio-tenant-1/minio-tenant-1': secrets "operator-tls" not found
|
@cesnietor @dvaldivia sorry, I got confused as to which issue this was. I'll try the console and report back. |
Looks like no change:
$ kubectl -n minio-tenant-1 get resourcequota
NAME AGE REQUEST LIMIT
default-storagequota 4m40s standard.storageclass.storage.k8s.io/requests.storage: 0/9223372036854775807
$ kubectl -n minio-operator get pods
NAME READY STATUS RESTARTS AGE
console-7494c75898-6b7ft 1/1 Running 0 122m
minio-operator-79fb7887b4-7ddbx 1/1 Running 0 7m15s
$ kubectl -n minio-operator delete pod console-7494c75898-6b7ft
pod "console-7494c75898-6b7ft" deleted
$ kubectl -n minio-operator get pod
NAME READY STATUS RESTARTS AGE
console-7494c75898-krpx4 1/1 Running 0 11s
minio-operator-79fb7887b4-7ddbx 1/1 Running 0 7m39s
[chonchon] ~/github/k8s-cookbook/chonchon/minio $ kubectl minio proxy
Starting port forward of the Console UI.
To connect open a browser and go to http://localhost:9090
Current JWT to login: eyJhbGciOiJSUzI1NiIsImtpZCI6IndXcVZrTnJoTGhDQjN0ZWQ1a1A0d3RrZjM5aGYxTDRHSXBpZ3F5SDZ4VDgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJtaW5pby1vcGVyYXRvciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJjb25zb2xlLXNhLXRva2VuLWMycDlzIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImNvbnNvbGUtc2EiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI2ZDExOWIyYS1kMDA0LTQzMGUtYjA3My05ZWI4NjQxOWZmODYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6bWluaW8tb3BlcmF0b3I6Y29uc29sZS1zYSJ9.LD_TQWTTSwRClsxJNXlUk7pMnP1lO_lTJ7Po8ZEMtTnPTdzV_O4bGj8J7WyTYQoIJlw1_fAoo8FV_Bc8cFMK-uah4BazF3cRcLu73q9JEUMKnKK7OnvMMc1qiLLK0g9d0Kn5-vxV7obEftiAQ2Hn1OUIJN0RH1yE05oFjULiLvkAEfHK7t2M2bNbmHVGnn-4hkRjRTumJIu66OdCEuFJ1Hoi1iw83uNJ7yigZ0q8tD9n-HlF9WZsQdItuNU_2u-r_CfVKO-f3h8o5NclnkC9YbPHvDHTKXwjurDMex7VObrhdFz9KBqRACSjqZ-lWiMkK_wPtx07bAk6SqiWGN94VQ
Forwarding from 127.0.0.1:9090 -> 9090
Forwarding from [::1]:9090 -> 9090
Handling connection for 9090
Handling connection for 9090
Handling connection for 9090
^C
$ kubectl -n minio-operator logs console-7494c75898-krpx4
2021-02-19 20:05:31.263648 I | 2021/02/19 20:05:31 server.go:129: Serving console at http://[::]:9090
2021-02-19 20:05:58.903145 I | 2021/02/19 20:05:58 token.go:145: cipher: message authentication failed
2021-02-19 20:05:58.903164 I | 2021/02/19 20:05:58 token.go:93: encrypted session token claims not in the right format
2021-02-19 20:05:58.903171 I | 2021/02/19 20:05:58 configure_console.go:78: session token internal data is malformed
2021-02-19 20:06:04.542710 I | 2021/02/19 20:06:04 error.go:44: original error: tenants.minio.min.io is forbidden: User "system:serviceaccount:minio-operator:console-sa" cannot list resource "tenants" in API group "minio.min.io" at the cluster scope
2021-02-19 20:06:07.200584 I | 2021/02/19 20:06:07 error.go:44: original error: nodes is forbidden: User "system:serviceaccount:minio-operator:console-sa" cannot list resource "nodes" in API group "" at the cluster scope
2021-02-19 20:06:11.125867 I | 2021/02/19 20:06:11 error.go:44: original error: resourcequotas "t-storagequota" is forbidden: User "system:serviceaccount:minio-operator:console-sa" cannot get resource "resourcequotas" in API group "" in the namespace "t"
2021-02-19 20:06:14.783173 I | 2021/02/19 20:06:14 error.go:44: original error: resourcequotas "minio-tenan-storagequota" is forbidden: User "system:serviceaccount:minio-operator:console-sa" cannot get resource "resourcequotas" in API group "" in the namespace "minio-tenan"
2021-02-19 20:06:15.910201 I | 2021/02/19 20:06:15 error.go:44: original error: resourcequotas "minio-tenant-storagequota" is forbidden: User "system:serviceaccount:minio-operator:console-sa" cannot get resource "resourcequotas" in API group "" in the namespace "minio-tenant"
2021-02-19 20:06:18.434332 I | 2021/02/19 20:06:18 error.go:44: original error: resourcequotas "minio-tenant1-storagequota" is forbidden: User "system:serviceaccount:minio-operator:console-sa" cannot get resource "resourcequotas" in API group "" in the namespace "minio-tenant1"
2021-02-19 20:06:26.678440 I | 2021/02/19 20:06:26 error.go:44: original error: resourcequotas "minio-tenant-1-storagequota" is forbidden: User "system:serviceaccount:minio-operator:console-sa" cannot get resource "resourcequotas" in API group "" in the namespace "minio-tenant-1" |
@jhoblitt the main error is the following
How did you install the operator? It sounds like the service account |
@dvaldivia I replaced the krew symlink for kubectl minio delete -n minio-operator
kubectl delete ns minio-operator
kubectl create ns minio-operator
kubectl minio init -n minio-operator --image=jhoblitt/minio-operator:v3.0.29-70-gc40ab9c-2 Do you think this might be caused by #473 leaving resources behind? |
it's possible @jhoblitt, do you wanna try installing via
|
@jhoblitt So I've tried the commands with kubectl plugin and indeed some resources like service accounts are not created correctly.
In the meantime you can run it as @dvaldivia said or try with kustomize by modifying the kustomization.yaml for your image.
And then run
We'll track the issue with the kubectl plugin but you can try to use that in the meantime, hope it helps. |
what @cesnietor proposes is a good solution |
the main reason might be because the plugin is attached to version
And building with master which is ahead of 3.0.29 @dvaldivia we need to update plugin only and test. (once new release is ready). |
@dvaldivia Sure, I can try to install with @cesnietor note that I am not installing the plugin with krew. I am just copying in my build of the plugin from master into the krew bin dir.
Maybe it would be a good idea to add a version sub-command to the plugin?
|
if you want to deploy the latest, you could build your own container
and then clone this repo, modify
|
@dvaldivia I am aware and that's what I did this morning. From the initial ticket I'm using |
@jhoblitt the issue for the serviceaccount is a clusterrolebinding which was not being set to the defined namespace. this is being addressed in the pr above ^. |
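The check behind this diagnosis, as an added example that is not part of the thread or the operator's code: it extracts the denied service account from `forbidden` lines like the console log above and tests whether a binding, in the JSON form `kubectl get clusterrolebinding -o json` returns, names that account in the right namespace. The binding name, role name and the `default` subject namespace are constructed for illustration.

```python
import json
import re

# Matches the API server's RBAC denial text as it appears in the console log.
FORBIDDEN = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" cannot (?P<verb>\S+) '
    r'resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<target_ns>[^"]+)")'
)

def denials(log_text):
    """Distinct (sa_namespace, sa_name, verb, api_group, resource, scope) denials."""
    seen = []
    for m in FORBIDDEN.finditer(log_text):
        scope = "namespace" if m.group("target_ns") else "cluster"
        item = (m["ns"], m["sa"], m["verb"], m["group"], m["resource"], scope)
        if item not in seen:
            seen.append(item)
    return seen

def binding_matches(binding, sa_namespace, sa_name):
    """True if the binding lists this exact service account (name AND namespace)."""
    return any(
        s.get("kind") == "ServiceAccount"
        and s.get("name") == sa_name
        and s.get("namespace") == sa_namespace
        for s in binding.get("subjects") or []
    )

# Constructed sample: two denial lines in the format shown in the thread.
SAMPLE_LOG = '''
error.go:44: original error: tenants.minio.min.io is forbidden: User "system:serviceaccount:minio-operator:console-sa" cannot list resource "tenants" in API group "minio.min.io" at the cluster scope
error.go:44: original error: resourcequotas "minio-tenant-1-storagequota" is forbidden: User "system:serviceaccount:minio-operator:console-sa" cannot get resource "resourcequotas" in API group "" in the namespace "minio-tenant-1"
'''

# Constructed binding (hypothetical names): the subject namespace does not
# match the namespace the operator was installed into.
SAMPLE_BINDING = json.loads('''{
  "kind": "ClusterRoleBinding",
  "metadata": {"name": "console-sa-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "console-sa-role"},
  "subjects": [{"kind": "ServiceAccount", "name": "console-sa", "namespace": "default"}]
}''')

if __name__ == "__main__":
    for ns, sa, verb, group, resource, scope in denials(SAMPLE_LOG):
        bound = binding_matches(SAMPLE_BINDING, ns, sa)
        print(f"{ns}/{sa}: {verb} {group or 'core'}/{resource} ({scope}); subject bound: {bound}")
```

A binding whose subject has the right name but the wrong namespace grants nothing to the running pod, so every request falls through to the denials seen in the log.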
@jhoblitt hi, for issue #1 if UI is loading on screen that means requests are correctly routed to the service via the ingress controller (at least the client was able to download the js), can you show here the output of:
also that initial screen that shows the 503, does it keep loading forever? Were you able to authenticate using the k8s service account token? how did you get to the second screen? |
@cesnietor I've built your PR and pushed it to docker hub as @Alevsk Re #1. I just checked and it is still showing the same page with the "503" message on it and a spinning circle symbol. And I see where you're going... the service name is wrong.
$ kubectl get svc --all-namespaces
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
cert-manager cert-manager ClusterIP 10.43.169.25 <none> 9402/TCP 10d
cert-manager cert-manager-webhook ClusterIP 10.43.249.198 <none> 443/TCP 10d
default kubernetes ClusterIP 10.43.0.1 <none> 443/TCP 10d
ingress-nginx ingress-nginx-controller LoadBalancer 10.43.211.179 139.229.160.56 80:32662/TCP,443:30699/TCP 10d
ingress-nginx ingress-nginx-controller-admission ClusterIP 10.43.29.220 <none> 443/TCP 10d
kube-system kube-dns ClusterIP 10.43.0.10 <none> 53/UDP,53/TCP,9153/TCP 10d
kube-system metrics-server ClusterIP 10.43.138.226 <none> 443/TCP 10d
minio-operator console ClusterIP 10.43.215.65 <none> 9090/TCP,9443/TCP 6h10m
minio-operator operator ClusterIP 10.43.28.102 <none> 4222/TCP,4233/TCP 6h10m
This is extremely strange... what is the ingress has to be pointed at nothing now. If I do an f5 reload in FF I get a gateway error... so this must be some sort of browser caching. |
@Alevsk Good call. #1 was an id10t error (and some crazy browser caching of a tenant console). Fixing the ingress resource got it working.
|
Closing this issue since all issues are being resolved in PR #485, please reopen or file new issue if the bug persists. |
@dvaldivia / @cesnietor / @Alevsk I have tried installing the operator using kustomize from 9ab6c08 with the operator image tag as the only modification. Doing it this way means the JWT token isn't fished out for you but it looks like is However, using kustomize directly means that the fix from #485 isn't picked up at all:
I will try again with |
@cesnietor It appears #485 caused a new problem. I am unable to re-open this ticket. Would you like to open a new issue? I rebuilt
The good news is that issue 2) is resolved: However, issue 3 is still present but with a different log messages:
|
@jhoblitt does the namespace |
@cesnietor Aww, creating a namespace with kubectl does get the console past that error. That's something I would normally expect a gui wizard to take care of. I'm not sure why kustomize failed to generate working resources. I'm guessing that the clusterrolebinding having |
This is about as far as I can go with the console for the moment as I've got 3 physical nodes to test with. minio/console#610 I may have to spin up VMs. |
@jhoblitt did you also specify the namespace on the kustomization yaml? not only the image?
Please let me know if setting the namespace on kustomization yaml works, else could you please paste your kustomization.yaml (hiding any specific things) in case there is something different I'm missing. |
Expected Behavior
A working console.
Current Behavior
kubectl minio proxy
command (this is somewhat inconvenient for me as I normally run administrative commands from a remote host but I resorted to installing the kubectl plugin on a local desktop). However, after logging in with the supplied jwt token this error message is displayed:
Steps to Reproduce (for bugs)
Your Environment
minio-operator
): c40ab9c