-
Notifications
You must be signed in to change notification settings - Fork 458
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tenant pods fail after certificate renewal: certificate signed by unknown authority #2058
Comments
AR @cniackz please test this in openshift and see if you can reproduce; then talk to our expert @pjuarezd and get some advice/help. Also maybe this can be of help: because https://github.com/minio/operator/blob/master/docs/cert-manager.md#create-operator-ca-tls-secret is as per design a manual thing we need to do on every renewal... |
Hey guys, I have an idea. Why are you using Check this out: spec:
## Disable default TLS certificates.
requestAutoCert: false Could you please try disabling it and use our example, or something similar? This will still require manual steps while performing this process, but at least you won't rely on Operator certificates anymore, only on cert-manager. Once we have a working solution for the rotation, this shouldn't cause any further problems. Also, if you get a chance, please try the ideas from the following PRs and let us know if they work for you in OpenShift: |
Hi @cniackz, the reason we are merging the
So in order to get valid certificates for inter-pod communication (meaning between multiple MinIO cluster member pods) we need |
Our minio tenant pods fail regularly whenever the internal certificate was renewed by the operator:
It appears that minio doesn't process any changes made to the CA files while the certs were renewed.
In our specific deployment we've combined the
requestAutoCert: true
setting with anexternalCertSecret
which is an external cert-manager issued LetsEncrypt certificate that we use to achieve E2E encryption via a passthrough Ingress object. I'm not sure if this contributes to the issue.When
curl
ing the endpoint manually, you can see that it's already serving the renewed certificate (valid from Mar 28 16:51:34 2024 GMT):which matches the renewed CA within the container:
I suspect, this is the CA that should be used by minio, however it seems like minio is still using an outdated one from memory to verify requests to its cluster members, as the error message
tls: failed to verify certificate: x509: certificate signed by unknown authority
suggests. It looks like the renewed certificate file itself was read from disk, but the CA file wasn't.Of course, the
/tmp/certs/CAs/
directory also contains the Root CA of the Letsencrypt authority R3 (externalCertSecret
), but that'll only become an issue when that specific certificate is renewed in a couple of weeks. So we'll ignore it for now.Expected Behavior
Minio should automatically process certificate renewals and all tenant pods must process changes made to the CA files as well.
Current Behavior
This issue can be resolved temporarily (until next certificate renewal) by restarting the minio service with the
mc
CLI:This proves that this isn't an issue with the certificates themselves, but with minio not processing the renewed certs correctly, as this command doesn't alter the certificate files at all. They are probably just re-read from disk when the service is restarted.
Possible Solution
n.a.
Steps to Reproduce (for bugs)
/status/healthMessage
isService Unavailable
Context
Regression
Your Environment
minio-operator
): minio-operator v5.0.13uname -a
): n.a.The text was updated successfully, but these errors were encountered: