search

minio / operator

Simple Kubernetes Operator for MinIO clusters :computer:
https://min.io/docs/minio/kubernetes/upstream/index.html
GNU Affero General Public License v3.0
1.21k stars 452 forks source link

Operator v5.0.10 behind Nginx - http #1933

Open aceeric opened 9 months ago

aceeric commented 9 months ago

There are several issues/PRs in the repo talking about accessing the console behind Nginx:

They all use TLS. In my case I just wanted to drop the Operator into my basic cluster and quickly look at the Operator Console. I'm running RKE2 v1.28.2+rke2r1 with the built-in RKE2 Nginx add-on disabled and community ingress-nginx helm chart version 4.6.1, app version 1.7.1 installed instead with no special configs. I'm deploying the Minio operator helm chart with values:

console:
  env:
  - name: MINIO_CONSOLE_SUBPATH
    value: "/minio/"
  - name: MINIO_BROWSER_REDIRECT_URL
    value: "http://ip-10-104-22-233.myco.org/minio/"
  ingress:
    enabled: true
    host: ip-10-104-22-233.myco.org
    path: /minio/(.*)
    pathType: ImplementationSpecific
    annotations:
      nginx.ingress.kubernetes.io/use-regex: "true"
      nginx.ingress.kubernetes.io/rewrite-target: /$1

... based on the various tickets and other guidance I've been able to find.

Trying to access http://ip-10-104-22-233.myco.org/minio results in the redirects all looking for "root" urls. E.g.: http://ip-10-104-22-233.mycorp.org/styles/root-styles.css which the Ingress ignores. If I hand-modify that as a test for example to http://ip-10-104-22-233.mycorp.org/minio/styles/root-styles.css then:

body {
  margin: 0;
  background-color: #fff;
  font-family: "Inter", sans-serif;
  -webkit-font-smoothing: antialiased;
  -moz-osx-font-smoothing: grayscale;
}

#preload {
  display: none;
}

#loader-block {
  display: flex;
  flex-direction: column;
  width: 100%;
  height: 100vh;
  justify-content: center;
  align-items: center;
}

P.S.: If kubectl -n minio-operator port-forward svc/console 9090 then in the browser http://localhost:9090 redirects to http://localhost:9090/login and the page properly displays.

Is it possible that the Nginx behavior referenced by all the tickets is only supported for HTTPS?

P.S. I've also tried omitting the nginx.ingress.kubernetes.io/use-regex: "true" annotation and setting pathType: Prefix and other things but - no luck.

Thanks.

UPDATED I just re-tried this workflow with cert-manager and a self-cigned cert on the ingress and experienced the same thing:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    meta.helm.sh/release-name: minio-operator
    meta.helm.sh/release-namespace: minio-operator
    nginx.ingress.kubernetes.io/backend-protocol: HTTP
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "off"
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    nginx.ingress.kubernetes.io/use-regex: "true"
  creationTimestamp: "2024-01-05T18:15:52Z"
  generation: 7
  labels:
    app.kubernetes.io/managed-by: Helm
  name: minio-operator-console
  namespace: minio-operator
  resourceVersion: "20338"
  uid: a62d5c10-b53b-4407-8da8-5fb54f4d05bc
spec:
  rules:
  - host: ip-10-104-22-233.myco.org
    http:
      paths:
      - backend:
          service:
            name: console
            port:
              name: http
        path: /minio/(.*)
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - ip-10-104-22-233.myco.org
    secretName: minio-operator-console
status:
  loadBalancer:
    ingress:
    - ip: 10.43.107.149
bexsoft commented 9 months ago

Moving this issue to an appropriate repository