-
Notifications
You must be signed in to change notification settings - Fork 460
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tenant install failed - references non-existent secret key: public.crt #1839
Comments
Sorry guys, yes this is broken. I can reproduce it locally with our kustomize example published by Lenin:
Tomorrow I will continue with it and fix it |
For now testing notes at my repo: https://github.com/cniackz/public/wiki/cert%E2%80%90manager, will fix and move the notes to minio wiki once this is working again. |
Thank you @chancez for reporting this issue 👍 |
@chancez the page I am updating is: https://github.com/minio/operator/blob/master/docs/cert-manager.md#create-operator-ca-tls-secret where the secret has now to contain |
@cniackz I don't really understand how the operator secret is relevant here. The issue is the TLS secret the tenant pod is mounting. I understand that the operator should have the CA so it can communicate securely with the tenant, that makes sense, but seems orthogonal to the issue of the tenant's volume mount issue. |
Also why |
Okay, after looking at the tenant pod, I see why you're suggesting that. The tenant pod is mounting the Why though? Does the tenant talk to the operator? Why does it need a CA? The docs say
This would mean the operator needs the CA, not the tenant, so again: why is the tenant mounting the operator-ca-tls secret? Additionally, my operator pod doesn't even mount the Here's the tenant secret volume mount for reference:
|
I can confirm the suggested change in the docs fixes it, but I still have the questions about why the why the tenant is mounting the CA instead of the operator. |
Okay, so while this fixes the tenant starting, after making these adjustments, the operator no longer can validate the certificate of the minio tenant. So your suggested fix, fixes the tenant being able to start, but breaks the operator's ability to verify the tenant's certificate.
|
So I tried creating the secret with both
But that wasn't sufficient, the operator is still unable to verify the tenant's certificate. |
In version |
This problem still exists in 5.0.15 |
Yeah still happens in v6.0.3 as well. |
That's because the minio image in v6.0.3 is not recent enough. It should work if you override it with tag |
@rolinh thank you. Thought that the needed fix was there long time ago now that it was declared fixed mid May this year. Thank you very much for the info. |
Expected Behavior
We were using minio-operator 5.0.6 in CI using the operator and tenant helm charts. We configure minio with TLS using cert-manager based on the following the docs. This works correctly.
Current Behavior
After upgrading to 5.0.10 CI started failing while waiting for the minio tenant statefulset to become ready. In the k8s events for the minio tenant statefulset, we see the following warnings:
Possible Solution
Make
public.crt
optional in the volume mount, or remove it entirely.Steps to Reproduce (for bugs)
values.yaml
for minio-tenant that are provided at the bottom of the issueContext
We use minio for testing our product with s3 compatible object storage, and in our Quickstart docs. This issue prevents us from upgrading minio.
Regression
Is this issue a regression? Yes
If Yes, optionally please include minio-operator version caused the regression: It regressed somewhere between 5.0.6 and 5.0.10.
Your Environment
minio-operator
):5.0.10
uname -a
): ubuntu 22.04 via GitHub hosted runnersThe text was updated successfully, but these errors were encountered: