Document TLS Certificates flow with Cert Manager

Open pjuarezd opened this issue 1 year ago • 8 comments
pjuarezd avatar Apr 18 '24 22:04 pjuarezd

@pjuarezd, @shtripat and I already approved. However, I noticed the title is marked as 'WIP.' Should we wait for further changes, or should we proceed with merging now? Please let us know and update the title accordingly. By the way, thank you for documenting this for us; it is very helpful already!

cniackz avatar Apr 20 '24 03:04 cniackz

> @pjuarezd, @shtripat and I already approved. However, I noticed the title is marked as 'WIP.' Should we wait for further changes, or should we proceed with merging now? Please let us know and update the title accordingly. By the way, thank you for documenting this for us; it is very helpful already!

I am missing the KES certificates, but I think it is better to merge this one, and I will open another for KES.

pjuarezd avatar Apr 20 '24 03:04 pjuarezd

@pjuarezd I edited the instructions, although there are some parts I don't fully understand. Please feel free to correct anything. 😄

feorlen avatar Apr 22 '24 20:04 feorlen

Not sure if it's ready for review again. Please mention if we need to review again...

ramondeklein avatar Apr 23 '24 14:04 ramondeklein

@pjuarezd I made some additional edits for spelling, etc. in all the markdown files.

feorlen avatar Apr 23 '24 18:04 feorlen

> Not sure if it's ready for review again. Please mention if we need to review again...

Sorry for the delay, some tests were failing and I had to fix them. Yes, it is ready for review now.

pjuarezd avatar Apr 24 '24 03:04 pjuarezd

I'm unable to log in for some reason after following the steps. Let me know if this is unique to my local setup, please?

allanrogerr avatar Apr 26 '24 18:04 allanrogerr

> I'm unable to log in for some reason after following the steps. Let me know if this is unique to my local setup, please?

This is a bug my friend, MinIO Operator is not trusting CA certificates when stored in secrets with the prefix `operator-ca-tls-`, like the one in this guide, `operator-ca-tls-tenant-1`; the Operator only trusts CAs in the secret `operator-ca-tls`.

If you look in the Operator logs you will notice the Operator could not create the user:

```
I0426 20:09:29.809181       1 event.go:364] Event(v1.ObjectReference{Kind:"Tenant", Namespace:"tenant-1", Name:"myminio", UID:"c9b76b22-93fb-43db-9513-6d9c78192d26", APIVersion:"minio.min.io/v2", ResourceVersion:"13640", FieldPath:""}): type: 'Warning' reason: 'UsersCreatedFailed' Users creation failed: context deadline exceeded
```

Look at your tenant; its STATE should be `Provisioning initial users`:

```
kubectl get Tenant -n tenant-1
NAME      STATE                        AGE
myminio   Provisioning initial users   20m
```

I need to work on this bug in another PR.

pjuarezd avatar Apr 26 '24 20:04 pjuarezd

> I'm unable to log in for some reason after following the steps. Let me know if this is unique to my local setup, please?
>
> This is a bug my friend, MinIO Operator is not trusting CA certificates when stored in secrets with the prefix `operator-ca-tls-`, like the one in this guide, `operator-ca-tls-tenant-1`; the Operator only trusts CAs in the secret `operator-ca-tls`.
>
> If you look in the Operator logs you will notice the Operator could not create the user:
>
> ```
> I0426 20:09:29.809181       1 event.go:364] Event(v1.ObjectReference{Kind:"Tenant", Namespace:"tenant-1", Name:"myminio", UID:"c9b76b22-93fb-43db-9513-6d9c78192d26", APIVersion:"minio.min.io/v2", ResourceVersion:"13640", FieldPath:""}): type: 'Warning' reason: 'UsersCreatedFailed' Users creation failed: context deadline exceeded
> ```
>
> Look at your tenant; its STATE should be `Provisioning initial users`:
>
> ```
> kubectl get Tenant -n tenant-1
> NAME      STATE                        AGE
> myminio   Provisioning initial users   20m
> ```
>
> I need to work on this bug in another PR.

This other PR https://github.com/minio/operator/pull/2133 trusts certificates in all secrets with the prefix `operator-ca-tls` and fixes the last problem that needs to be solved to merge this PR.

pjuarezd avatar May 23 '24 23:05 pjuarezd
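An added check (my own code, not from this PR or the Operator code base) that captures the two points of the thread: the old exact-name trust rule versus the prefix rule that PR 2133 introduces, and spotting the `UsersCreatedFailed` event in the Operator logs. The secret names are constructed for the example; the log line is the one quoted above.

```python
import re
from typing import Callable, Iterable, List, Optional, Tuple

# Secret name the Operator matched exactly before the fix; after the fix
# (per the thread) every secret whose name starts with it is trusted.
CA_SECRET_PREFIX = "operator-ca-tls"

def trusted_by_exact_name(secret_name: str) -> bool:
    """Behaviour described in the thread: only 'operator-ca-tls' is loaded."""
    return secret_name == CA_SECRET_PREFIX

def trusted_by_prefix(secret_name: str) -> bool:
    """Behaviour after the fix: any 'operator-ca-tls*' secret is loaded."""
    return secret_name.startswith(CA_SECRET_PREFIX)

# klog event line as printed by the Operator (format taken from the thread).
EVENT_RE = re.compile(
    r"Event\(v1\.ObjectReference\{Kind:\"(?P<kind>[^\"]*)\", "
    r"Namespace:\"(?P<namespace>[^\"]*)\", Name:\"(?P<name>[^\"]*)\".*?\}\): "
    r"type: '(?P<type>[^']*)' reason: '(?P<reason>[^']*)' (?P<message>.*)$"
)

def parse_event(line: str) -> Optional[dict]:
    """Return the event fields of one log line, or None if it is not an event."""
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None

def untrusted_ca_secrets(secret_names: Iterable[str],
                         trusts: Callable[[str], bool]) -> List[str]:
    """Tenant CA secrets that carry the prefix but the given rule ignores."""
    return [n for n in secret_names
            if n.startswith(CA_SECRET_PREFIX) and not trusts(n)]

def failed_user_provisioning(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(namespace, tenant) pairs whose initial-user creation failed."""
    out = []
    for ev in map(parse_event, log_lines):
        if ev and ev["kind"] == "Tenant" and ev["reason"] == "UsersCreatedFailed":
            out.append((ev["namespace"], ev["name"]))
    return out

# Constructed sample: what `kubectl get secrets` in the Operator namespace might list.
SECRETS = ["operator-tls", "operator-ca-tls", "operator-ca-tls-tenant-1"]
# Log line quoted in the thread.
LOG_LINES = [
    'I0426 20:09:29.809181       1 event.go:364] Event(v1.ObjectReference{Kind:"Tenant", '
    'Namespace:"tenant-1", Name:"myminio", UID:"c9b76b22-93fb-43db-9513-6d9c78192d26", '
    'APIVersion:"minio.min.io/v2", ResourceVersion:"13640", FieldPath:""}): '
    "type: 'Warning' reason: 'UsersCreatedFailed' Users creation failed: context deadline exceeded",
]
```

With the exact-name rule the tenant CA secret is silently ignored and the tenant sticks at `Provisioning initial users`; with the prefix rule nothing is left untrusted.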

> Still facing this @pjuarezd ...

Fixed here https://github.com/minio/operator/pull/2079/commits/1316212ef3062d879f939ddf71d0481c70864e1b; it was a wrong DNS name.

pjuarezd avatar May 29 '24 01:05 pjuarezd

> Still facing this @pjuarezd ...
>
> Fixed here 1316212; it was a wrong DNS name.

@allanrogerr, have you had a chance to test this? Do you have any other insight?

pjuarezd avatar Jun 04 '24 18:06 pjuarezd

> I still deploy tenants using Helm...

@ramondeklein If you are interested in trying Kustomize, I have some almost finished docs in this PR: https://github.com/minio/docs/pull/1219 Always helpful to find another person to test procedures 😁

feorlen avatar Jun 06 '24 21:06 feorlen

@feorlen Please let me review when you're done. I'll be OOO until Monday, but would be glad to test it...

ramondeklein avatar Jun 06 '24 21:06 ramondeklein