Console TLS incompatible with cert-manager certificate #1439

Closed
JonMerlevede opened this issue Feb 7, 2023 · 6 comments · Fixed by #1800

JonMerlevede commented Feb 7, 2023

I am setting MINIO_CONSOLE_TLS_ENABLE=on and generating the operator-console-tls secret using cert-manager. The operator pod logs indicate that console TLS is enabled. I can see that the certificates are mounted into the console pod. However, the console pod does not start listening to HTTPS requests.

Expected Behavior

The console pod listens to HTTPS requests

Current Behavior

tls.crt and tls.key are mounted into the Console pod, but the console process does not listen to HTTPS requests.

Possible Solution

Update console process to check for the presence of the tls.crt and tls.key files in addition to the files public.crt and private.key.

Steps to Reproduce (for bugs)

  1. Set MINIO_CONSOLE_TLS_ENABLE=on
  2. Define operator-console-tls with tls.crt and tls.key keys (optionally ca.crt)
  3. Start the operator

Context

I currently have to copy the contents of the secret generated by cert-manager into another secret with keys public.crt and private.key.

Your Environment

  • Version used (minio-operator): v4.5.8
  • Environment name and version: OKD 4.11.0

JonMerlevede changed the title from "Console TLS incompatible with cert-manager certificate secret" to "Console TLS incompatible with cert-manager certificate" on Feb 7, 2023

cniackz (Contributor) commented Oct 6, 2023

Thank you guys, I have read the issue. Will try to understand better and look for a solution to this, starting today!

cniackz (Contributor) commented Oct 6, 2023

You don't have to enable MINIO_CONSOLE_TLS_ENABLE, as this will generate a self-signed certificate on our end and will overwrite your certificate when expired. Please keep it off.

cniackz (Contributor) commented Oct 6, 2023

The name of the secret has to be console-tls and data has to contain private.key and public.crt for console pod to serve in 9443:

Serving operator at http://[::]:9090
Serving operator at https://[::]:9443

cniackz (Contributor) commented Oct 6, 2023

Ok I see it now, this is an issue for:

  • "kubernetes.io/tls"
  • "cert-manager.io/v1alpha2"
  • "cert-manager.io/v1"

Even when the cert is uploaded in the pod:

bash-4.4$ ls
CAs  tls.crt  tls.key

Console Pod is not serving in port 9443 for above scenarios but it is only working for Opaque Secrets...

So yes, it is a bug!

I need more time to fix this and root cause this issue, but as of now, I believe the problem is somewhere in operator/api/server.go where we prepare for TLS communication, will debug this further.

cniackz (Contributor) commented Oct 7, 2023

With changes in 1800 PR, we are including tls.crt and tls.key. Let's wait for the review process to get this merged!

cniackz (Contributor) commented Oct 10, 2023

@JonMerlevede the issue has been fixed, please give it a try and let us know if you still see the problem on your side! 👍
And thank you for opening this issue!!! ❤️
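
The lookup requested under "Possible Solution" (accept tls.crt/tls.key as well as public.crt/private.key), sketched as an added example; this is not the operator's code and not the change made in PR #1800. The names FindKeyPair, LoadServerCert and ErrNoKeyPair and the /tmp/certs path are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// File-name pairs a mounted secret may use, in order of preference.
// Both pairs are the names quoted in the issue.
var keyPairNames = [][2]string{
	{"public.crt", "private.key"}, // Opaque secret layout
	{"tls.crt", "tls.key"},        // kubernetes.io/tls layout (cert-manager)
}

var ErrNoKeyPair = errors.New("no complete certificate/key pair found")

func exists(path string) bool {
	info, err := os.Stat(path) // follows the symlinks used by secret mounts
	return err == nil && !info.IsDir()
}

// FindKeyPair returns the first complete cert/key pair in dir. A certificate
// from one naming scheme is never combined with a key from the other.
func FindKeyPair(dir string) (certPath, keyPath string, err error) {
	for _, names := range keyPairNames {
		c, k := filepath.Join(dir, names[0]), filepath.Join(dir, names[1])
		if exists(c) && exists(k) {
			return c, k, nil
		}
	}
	return "", "", fmt.Errorf("%w in %s", ErrNoKeyPair, dir)
}

// LoadServerCert returns an error when no pair exists or the pair does not parse.
func LoadServerCert(dir string) (tls.Certificate, error) {
	certPath, keyPath, err := FindKeyPair(dir)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.LoadX509KeyPair(certPath, keyPath)
}

func main() {
	_, err := LoadServerCert("/tmp/certs") // hypothetical mount path
	fmt.Println("load result:", err)
}
```

Returning an explicit error when the mount holds files but no usable pair gives the caller something to log, rather than leaving HTTPS off with no indication of why.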
