quarkiverse / quarkus-minio

Minio (https://min.io) Client Quarkus Extension
Apache License 2.0

QUESTION: Minio operator #305

Closed TartanLeGrand closed 4 months ago

TartanLeGrand commented 8 months ago

Have you managed to use the minio operator and certificates to use https via minio and quarkus native?

Thanks for your help 😄

jtama commented 8 months ago

Hi, I am not sure I fully understand your question. Are you talking about the k8s operator? What exactly do you want to achieve?

TartanLeGrand commented 8 months ago

Hello @jtama,

I set up a minio operator on kubernetes to use it under kub. I have my minio which is created with the certificates etc. but unfortunately when I try to connect to the service with https://my-minio-hl.my-namespace.svc.cluster.local:9000 it gives me an error javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested load.

My minio tenant has the requestAutoCert: true option and I have set "quarkus.ssl.native=true" because I am in native mode.

It seems to me that minio does generate certificates via kubernetes and it seems to me that Quarkus does access the store to validate the certificate.

Reference a comment in the doc:

```
## Enable automatic Kubernetes based certificate generation and signing as explained in
## https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster
```

I just can't understand why I can't connect to the service via the https service url when the certificate is a kubernetes based certificate.

jtama commented 8 months ago

If the certificate is a valid one you don't have anything to do. If not you have to pass it to your native image.

Have you tried running your app in JRE mode?

TartanLeGrand commented 8 months ago

Yes, and I got the same error: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

jtama commented 8 months ago

So your problem isn't with native. I would suggest you validate the certificate before even trying to solve this on the Java side. 1) You can have a valid certificate, and you'll have nothing else to do. 2) You can't, in which case you will have to provide it via keystore or similar to your runtime.

I will close the issue on this repo, but feel free to add a comment when you succeed in your task.
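Added example, not part of the thread or of the quarkus-minio project: the two checks behind "validate the certificate", run with the `openssl` CLI against throwaway certificates that the script constructs itself. It assumes OpenSSL 1.1.1 or later; the function names and the demo CA names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example. The throwaway CAs below are constructed stand-ins: "signer" plays
# the CA that issued the MinIO certificate, "other" plays a trust store without it.
set -eu

HOST="my-minio-hl.my-namespace.svc.cluster.local"   # service name from the thread

make_ca() {   # $1 = directory to create ca.key / ca.crt in, $2 = CA common name
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\n[v3]\nbasicConstraints=critical,CA:TRUE\n' > "$1/ca.cnf"
  openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_leaf() {   # $1 = CA directory, $2 = DNS name to place in subjectAltName
  openssl req -config "$1/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=minio" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.cnf"
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -extfile "$1/san.cnf" -out "$1/leaf.crt" 2>/dev/null
}

# Path check: can a chain be built from the certificate ($2) to a CA in bundle ($1)?
# A failure here is what Java reports as "PKIX path building failed".
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Name check: does the certificate ($1) list the host ($2) the client connects to?
name_ok() {
  local out
  out=$(openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 || true)
  case "$out" in *"does match"*) return 0 ;; *) return 1 ;; esac
}

diagnose() {   # $1 = CA bundle, $2 = certificate, $3 = host; prints one verdict
  if ! chain_ok "$1" "$2"; then echo "untrusted-issuer"
  elif ! name_ok "$2" "$3"; then echo "name-mismatch"
  else echo "ok"; fi
}

demo() {
  local t; t=$(mktemp -d); mkdir "$t/signer" "$t/other"
  make_ca "$t/signer" "demo-signer-ca"; make_ca "$t/other" "demo-other-ca"
  issue_leaf "$t/signer" "$HOST"
  diagnose "$t/other/ca.crt"  "$t/signer/leaf.crt" "$HOST"           # untrusted-issuer
  diagnose "$t/signer/ca.crt" "$t/signer/leaf.crt" "$HOST"           # ok
  diagnose "$t/signer/ca.crt" "$t/signer/leaf.crt" "minio.example"   # name-mismatch
  rm -rf "$t"
}
demo
```

An `untrusted-issuer` verdict means the issuing CA has to be added to the trust store the runtime uses, which is the "keystore or similar" option above.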

TartanLeGrand commented 8 months ago

Ok, it's because I added the :9000 port behind the URL of my headless service. Now I have another issue on the headless service: Quarkus tries to connect to the HTTPS port like https://my-minio-hl.my-namespace.svc.cluster.local/10.1.1.1:443 instead of https://my-minio-hl.my-namespace.svc.cluster.local/10.1.1.1:9000.

Do you have any idea, @jtama? 🤔

TartanLeGrand commented 8 months ago

https://github.com/quarkiverse/quarkus-minio/pull/306

jtama commented 8 months ago

Have you tried specifying the URL with the 9000 port?

TartanLeGrand commented 8 months ago

Yes 👍 But with the 9000 the cert is not recognised ... with the 443 too, but without, yes, but it cannot connect to the ex: 10.2.2.2:443 😄

jtama commented 8 months ago

So let me just sum up to be sure I fully understand: if you do the following setup, `quarkus.minio.url=https://my-svc:9000`, it fails.

TartanLeGrand commented 8 months ago

Assuming that the service is under my-conf.svc and that 3 ips are below with 10.1.1.*:9000.

Here are my tests:

  1. The first test is on https://my-conf.svc:9000 certificate error.

  2. The second test is on https://my-conf.svc:443 certificate error.

  3. https://my-conf.svc good for the certificate but tries to connect on 10.1.1.*:443

jtama commented 4 months ago

Closed by #319