-
Notifications
You must be signed in to change notification settings - Fork 460
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
6.0.1 sidecar fails readiness probe with TLS enabled. #2239
Comments
I'd also like to note this is at least the 2nd time the operator had a regression related to usage of TLS. I previously hit a regression with how the operator configure minio with TLS in #1839. Perhaps there should be a e2e test that installs minio configured with TLS via minio-operator with cert-manager to help catch these regressions. |
we'll check, we might have already identified the issue. |
When TLS is enabled on the MinIO endpoint, then the sidecar runs a health check on When there is only a single certificate, then MinIO will always respond with that certificate (even if the SNI server name doesn't match). When there are multiple certificates, then MinIO will try to match the SNI server name to any over the registered certificates and returns the first certificate that matches the SNI server name. If none of the certificates match, then it doesn't return any certificate and the TLS handshake is aborted. That is exactly what is happening here. There is an auto generated certificate (signed by the cluster's CA) for |
I have issued minio/pkg#126 to return the default certificate in case none of the certificates match. That would solve this issue. I also submitted a #2257 for the operator, so it will provide the proper server-name in the request and prevent failure. Either an update of MinIO or MinIO operator should fix the problem. |
I just installed operator 6.0.2 and RELEASE.2024-08-17T01-24-54Z - which both should have the fix, but I'm still getting the error "HTTP request failed: Get "https://localhost:9000": remote error: tls: internal error" |
@harshavardhana Can I tag a v3.0.12 release for |
yep, running without auto-cert. Adding localhost to the cert worked. |
|
its not the only issue with TLS I had with minio, also UI did not work on non 9000 port/with tls at least 2 happy path e2e tests with TLS would be perfect (one for API and one for UI) |
It's fairly similar to #2198 but in 6.0.1. Basically I'm seeing the sidecar fail it's readiness probes in a fresh install of 6.0.1 in our CI.
I'm hitting this issue where the sidecar starts but never becomes ready on a fresh install of 6.0.1 in our CI as well.
If I describe the pod I can see the readiness check is failing with HTTP 500:
So I can confirm it's at least starting it's probeServer here: https://github.com/minio/operator/blob/master/sidecar/pkg/sidecar/sidecar_utils.go#L86-L116
Based on this, it must be erroring on one of these calls: https://github.com/minio/operator/blob/master/sidecar/pkg/sidecar/probes_handlers.go#L64-L76 but there's no logging so it's hard to tell since k8s doesn't log the response body for probe failures.
However, I think I figured it out: It's probably because we're using TLS:
https://github.com/minio/operator/blob/master/sidecar/pkg/sidecar/probes_handlers.go#L64 hardcodes the port to 9000 but the minio server listens on port 9443 when TLS is enabled. The sidecar needs to be configured to use the correct port when TLS is configured.
Expected Behavior
minio sidecar should be ready with TLS enabled.
Current Behavior
minio sidecar fails readiness probes with TLS enabled.
Possible Solution
Update the readiness probe logic of the sidecar to use the correct minio port when TLS is enabled.
Steps to Reproduce (for bugs)
Install minio-operator and tenant 6.0.1 with the following helm values:
Context
Cannot install minio via operator 6.0.1
Regression
yes
Worked: v5.0.16
Broken: v6.0.1
Your Environment
minio-operator
): v6.0.1uname -a
): KIND 0.23.0values.yaml
provided aboveThe text was updated successfully, but these errors were encountered: