console
console copied to clipboard
minio
Minio console cannot be exposed trough k8s ingress and NGINX gateway
I am using the latest minio release (RELEASE.2022-04-26T01-20-24Z) that introduces MINIO_BROWSER_REDIRECT_URL env variable (https://github.com/minio/minio/pull/14761).
Since we deploy the minio console on the k8s cluster behind the ingress and NGINX reverse proxy I have to rewrite the NGINX config in the following way:
location ~* ^/console {
proxy_pass http://localhost:9001;
}
When I try to get minio console I see the following:
How to reproduce:
Run MinIO Like
MINIO_BROWSER_REDIRECT_URL="http://localhost:8000/console" CI=true ./minio server /tmp/dskx{1...4} --address :9000 --console-address :9001
start nginx with the following config:
events { worker_connections 1024; }
http {
server {
listen 8000;
location ~* ^/console {
proxy_pass http://localhost:9001;
}
}
}
Visit http://localhost:8000/console
I am experiencing the same problem via docker-compose and putting minio behind nginx. The only solution so far is to expose minio at / location.
Does rolling back to previous versions fix this issue? If so, can anyone point out which version (or docker image) I should use?
Issue reproduced with the Helm chart and an Ingress using path: /minio(/|$)(.*) and the nginx.ingress.kubernetes.io/rewrite-target: /$2 annotation.
Works as expected when using path: /
I was able to successfully serve the UI on a subpath (k8s ingress) using:
extraEnvVars:
- name: MINIO_CONSOLE_SUBPATH
value: "/minio/"
- name: MINIO_BROWSER_REDIRECT_URL
value: "https://your-minio-dns.com/minio/"
(note the second MINIO_CONSOLE_SUBPATH environment variable, in addition to the MINIO_BROWSER_REDIRECT_URL, see https://github.com/minio/console/pull/1854)
and setting the ingress with:
path: /minio/(.*)
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$1
You should only need one environment variable here @dvaldivia why do we need two?
Update:
With image RELEASE.2022-04-29T01-27-09Z, only MINIO_BROWSER_REDIRECT_URL seems necessary.
However, to access the UI, the full login path (http://minio-dns.com/subpath/login) has to be explicitely entered (only entering http://minio-dns.com/subpath/ redirects to http://minio-dns.something/subpath/subpath/login. The same doubling of the subpath occurs after clicking on the logout button in the UI which redirects to the login url.
I removed MINIO_CONSOLE_SUBPATH in favor of MINIO_BROWSER_REDIRECT_URL @harshavardhana
The redirect you are seeing @gcalmettes sounds to me like a bug on our end, I'll investigate
@dvaldivia If that helps, below is a local docker-compose setup with which you can easily reproduce the redirection issue:
-
docker-compose.yml
version: '3.9'
services:
nginx:
image: nginx
networks:
- minio-local
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf
ports:
- 80:80
depends_on:
- minio
minio:
image: minio/minio:RELEASE.2022-05-04T07-45-27Z
networks:
- minio-local
command: server /data --console-address ":9001"
ports:
- 9000:9000
- 9001:9001
environment:
MINIO_ROOT_USER: minio
MINIO_ROOT_PASSWORD: minio123
MINIO_BROWSER_REDIRECT_URL: "http://localhost/console"
healthcheck:
test: [ "CMD", "curl", "-f", "http://localhost:9000/minio/health/live" ]
interval: 30s
timeout: 10s
retries: 5
networks:
minio-local:
driver: bridge
-
nginx.conf(to be placed in the same folder than thedocker-compose.yml)
events {}
http {
server {
listen 80;
listen [::]:80;
location / {
rewrite /console(/|$)(.*) /$2 break;
proxy_pass http://minio:9001/;
proxy_redirect off;
}
}
}
- If you go to
http://localhost/console/login:point_right: everything works fine - If you click on
logoutafter having logged-in :point_right: you're redirected tohttp://localhost/console/console/login - If you go to
http://localhost/console(without the login full path) :point_right: you're redirected tohttp://localhost/console/console/login
https://github.com/minio/console/issues/1908#issuecomment-1113943129 ""gcalmettes commented [on 30 Apr] However, to access the UI, the full login path (http://minio-dns.com/subpath/login) has to be explicitely entered (only entering http://minio-dns.com/subpath/ redirects to http://minio-dns.something/subpath/subpath/login. The same doubling of the subpath occurs after clicking on the logout button in the UI which redirects to the login url""
I also confirm the above using K8s ingress, NGINX gateway, and a subpath (/minio/). In addition, files cannot be downloaded using the UI. This occurs, because the request does not have the subpath appended. Capturing the download request URL, adding the subpath, and then pasting it into the address bar works to download the file.
E.g. https://(domain)/api/v1/buckets/default/objects/download?prefix=EJFIOWEFHFH2914RHFFADSODJA should be generated by the MinIO console UI as: https://(domain)/(subpath)/api/v1/buckets/default/objects/download?prefix=EJFIOWEFHFH2914RHFFADSODJA
Hello, i confirm we got same problems with latest versions:
-subpath/login is not working if not "explicitely entered" to access the web ui console (it redirects to /subpath/subpath/login). -files cannot be downloaded using the UI, because the request ignores the subpath. This is the only api actually doing this we found, for example uploading files is working and the correct subpath is used. Adding the correct subpath on the download request will make it working, granted you do it before the token expires.
Any updates on the issues and this thread?
Thanks
Not a best practice if you want fix download API Error when I setting up of one domain mapping to minio (s3 api | console) in istio virtual service CRD I add the specify URL "/api/v1/buckets/" redirect to "/api/v1/buckets/" and the console download Object can work!
Another confirmation here, running into this issue. I have also not been able to work around the issue with some of the latest versions using nginx reverse proxy in front when attempting to expose minio console on a subpath. Any known workarounds with the latest version?
I have the same issue.
I run MinIO on a on premise Kubernetes cluster with Traefik as reverse proxy.
I have followed this documentation to install MinIO and try to set up Traefik as reverse proxy for the Operator Console and the Object Storage Console. I was unable to set up the Operator Console in a sub path like https://acme.org/minio.
Even though the env variables MINIO_BROWSER_REDIRECT_URL and CONSOLE_SUBPATH were set in the main console pod, the apis did not use either of these two env variables.
I give here the traefik configuration that “work” for me.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: minio-console-https
namespace: default
spec:
entryPoints:
- https
routes:
## For Minio Operator Console
- kind: Rule
match: Host(`minio.acme.org`)
middlewares:
- name: minio-secure-mid
namespace: default
services:
- kind: Service
name: console
port: 9090
namespace: minio-operator
## For Minio Object Store Console
- kind: Rule
match: Host(`object-storage.acme.org`) && PathPrefix(`/tenant`)
middlewares:
- name: minio-object-storage-tenant-mid
namespace: default
services:
- kind: Service
name: tenant-console
port: 9090
namespace: default
tls:
certResolver: default
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: minio-object-storage-tenant-mid
namespace: default
spec:
stripPrefix:
prefixes:
- /tenant
Dont forget to enabled the allowCrossNamespace = true in the Traefik configuration.
I was able to successfully serve the UI on a subpath (k8s ingress) using:
extraEnvVars: - name: MINIO_CONSOLE_SUBPATH value: "/minio/" - name: MINIO_BROWSER_REDIRECT_URL value: "https://your-minio-dns.com/minio/"(note the second
MINIO_CONSOLE_SUBPATHenvironment variable, in addition to theMINIO_BROWSER_REDIRECT_URL, see #1854)and setting the ingress with:
path: /minio/(.*) annotations: nginx.ingress.kubernetes.io/rewrite-target: /$1
Thank you so much for this, I spent half a day trying to solve this
