Described installation process not working
I am following the installation procedure for the operator as described here on my local CRC version 4.15.3 as well as on a productive system running on 4.13.37
https://min.io/docs/minio/kubernetes/openshift/operations/installation.html
First issue is that the Operator is installed without any Nodeport
This is the spec of the Route that I created according to your documentation. All I get is "Application not available" even if all pods are running
```yaml
spec:
  host: operator-console-route-minio-operator.apps-crc.testing
  to:
    kind: Service
    name: console
    weight: 100
  port:
    targetPort: http
  wildcardPolicy: None
status:
  ingress:
    - host: operator-console-route-minio-operator.apps-crc.testing
      routerName: default
      conditions:
        - type: Admitted
          status: 'True'
          lastTransitionTime: '2024-05-02T19:00:35Z'
      wildcardPolicy: None
      routerCanonicalHostname: router-default.apps-crc.testing
```
Although the documentation implies that node ports are automatically created, they are not. Node ports are probably also not how you want to expose your service. You typically expose services in OpenShift via routes, but it looks like the http port always redirects to an HTTPS connection and this fails, because there is no matching route.
You can create the following route instead (it creates a route on HTTPS):
```yaml
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: minio
  namespace: minio-operator
  labels:
    app.kubernetes.io/instance: minio-operator
    app.kubernetes.io/name: operator
    name: console
    olm.managed: 'true'
    operators.coreos.com/minio-operator.minio-operator: ''
spec:
  host: operator-console-route-minio-operator.apps-crc.testing
  port:
    targetPort: https
  to:
    kind: Service
    name: console
  tls:
    termination: passthrough
    insecureEdgeTerminationPolicy: Redirect
```
You can then go to https://operator-console-route-minio-operator.apps-crc.testing and the console should open. You may get errors about invalid certificates, because the certificate won't be valid for your hostname.
We'll revise the documentation for OpenShift deployment. We made some changes and they aren't reflected here yet. I'll also look into the issue why the http port redirects back to https.
The operator service is directing HTTP traffic to HTTPS, because the --cert-dir is specified and certificates are present. The certificate is valid for console.minio-operator.svc and console.minio-operator.svc.cluster.local (deployed in namespace minio-operator) and issued by openshift-service-serving-signer. When TLS is enabled, then non-HTTP traffic is automatically redirected to use HTTPS.
The TLS redirection forwards to the same hostname/port, but with the https scheme. When using port-forwarding, this will result in a port-forward to port 9090 again which is still the HTTP port, so it won't work. I guess this redirection only works correctly when there is a route on the default ports (HTTP port 80 and HTTPS port 443). If a user goes to http://console.minio-operator.svc.cluster.local/, then it will redirect to https://console.minio-operator.svc.cluster.local/ and it will work fine.
When deploying via the standard Helm script, the --cert-dir is specified, but no certificates are present in the directory. This works fine both on OpenShift and "regular" Kubernetes clusters.
@pjuarezd Is there a reason why the OpenShift deployment deploys with cluster certificates when deploying via the OpenShift console?
@dvaldivia The TLS redirection functionality doesn't make much sense if the host header contains an explicit port. We may want to remove that redirect in those cases and return an error instead.
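The redirect behaviour described in the comment above, next to the alternative it proposes, as an added example that is not the operator's own code. The handler names, the `/login` path, the 307/400 status codes and the error text are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// redirectToHTTPS models the behaviour described in the thread: keep the host
// and port from the Host header and only switch the scheme to https.
// Hypothetical handler, not taken from the operator.
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusTemporaryRedirect)
}

// strictRedirect is the alternative suggested in the thread: when the Host
// header carries an explicit port, return an error instead of a redirect that
// would point at the plain-HTTP listener again.
func strictRedirect(w http.ResponseWriter, r *http.Request) {
	if _, port, err := net.SplitHostPort(r.Host); err == nil && port != "" {
		http.Error(w, "TLS is enabled; use the HTTPS endpoint", http.StatusBadRequest)
		return
	}
	redirectToHTTPS(w, r)
}

// probe sends a constructed plain-HTTP request with the given Host header and
// returns the status code and Location header the handler produced.
func probe(h http.HandlerFunc, host string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "http://"+host+"/login", nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	// Constructed Host values: a port-forward and the in-cluster service name.
	for _, host := range []string{"localhost:9090", "console.minio-operator.svc.cluster.local"} {
		c1, l1 := probe(redirectToHTTPS, host)
		c2, l2 := probe(strictRedirect, host)
		fmt.Printf("%-42s plain=%d %q strict=%d %q\n", host, c1, l1, c2, l2)
	}
}
```

With the port-forward host, the plain handler sends the client to `https://localhost:9090/login`, which is still the HTTP listener; the strict handler answers with an error there and redirects only when no port is present.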
@ravindk89 we need to do some updates in the docs for OpenShift installs
Recent docs restructuring changed several things on the OpenShift Operator deploy docs page, such as clarifying that the port forwarding isn't done automatically. Should address that particular confusion.
@ramondeklein @pjuarezd What else should be updated in the OpenShift docs? With the move to Kustomize for deploying and managing, most things should work the same across all the different Kubernetes flavors. Perhaps there are additional details still needed for OpenShift?
Also I assume we still need to distinguish between OpenShift Marketplace, OpenShift OperatorHub, and installing via Kustomize/Helm (AKA using the "upstream" methodology)
The UI procedures with OperatorHub/Marketplace are still the same in the docs. Presumably a bunch of that is going away with the forthcoming platform simplification effort. Although I can't really test those anyway.
@feorlen If we don't do automatic port forwarding, then we don't have any issues. We may want to suggest using routes when using OpenShift instead of other methods. Routes seem to be the standard way to do this when using OpenShift (but I'm not an OpenShift expert).
@cniackz thoughts on what else is needed in the revised OpenShift Operator docs? Several parts were reworked to be common across all platforms. Specifically, there might be a better way to do port forwarding (routes?)