Updating cert-manager instructions #1842
Conversation
cniackz
requested review from
kanagarajkm,
cesnietor,
pjuarezd,
Praveenrajmani,
feorlen and
dvaldivia
|
@pjuarezd please review this and merge if you think this is the right solution 🙏 and thank you my friend!. |
|
Based on my testing, this does 'fix' the issue with the tenant being unable to start, but this breaks the ability for the operator to verify the tenant's TLS certificate. I suspect the issue is in the original PRs that changed this months ago. As I stated in the comments on my original issue: none of this really makes sense to me. Why does the tenant need the CA? It's the operator that needs the CA, so why is it even being mounted into the tenant pod? I suspect the operator still needs the |
|
Also, instead of relying on 🤞 could we instead have a CI workflow that tests minio with TLS & cert-manager? |
cniackz
force-pushed
the
correct-cert-manager-instructions
branch
from
9d24702 to
fa504f6
Compare
|
@chancez, I believe you're correct on this. Could you please give it another try? I've updated the PR to use 'tls.crt' instead and tested it with our 'cert-manager' example, and it worked in that manner as well. Notice I am getting the |
|
|
@cniackz that isn't it, I wasn't having any problems extracting the CA. In my case I don't even need to do the first step, I already have the CA because I'm managing my own CA, so the first step isn't the issue and the latest changes don't fix the problem. As I also mentioned earlier, there seems to be a potentially misunderstanding of how this is supposed to work, because there's no reason for the tenant to be mounting the CA from the operator-tls-ca file anyways, which is the reason things aren't working. The docs do not need updating at all, the docs are correct, it's the code that needs fixing. To be clear, you shouldn't even need to do this dance of extracting anything from the tenant, I already have the CA. I precreate the operator-tls-ca before I even install my minio-operator and the tenant since I already have the CA ahead of time. With your latest update, when you're extracting the Try configuring some buckets like I provided in the original issue I filed. You should see the operator is unable to make the bucket because of TLS errors. |
|
I finally see your point, yeah. This will require code change to fix that. Ok, I am going to close this PR for now. And find the peace of code that need to be fixed so we don't replicate the CA to the Tenant. Thank you for your time and feedback @chancez |
|
The fix should address this: Operator does need the CA and that is ok, is still needed and docs are fine with it. Now, our current operator is propagating the CA to the Tenant which is what we don't actually need for this particular case. We need to find what part of the code is doing that and perform the change without breaking anything else. <--- TODO!. |
To fix: #1839
Explanation:
Our pods are expecting
operator-ca-tlssecret to containpublic.crtbut in our instructions we are passing downca.crtinstead and hence we see this error:Solution:
Remove the secret from both namespaces and re-generate with proper and expected name
public.crtand then all is back to normal with our cert-manager example we offer in our repo.Additional Information:
cert-managerexample got broken in Operator's version5.0.8under PR #1716About 2 months ago, since then
cert-managerexample isn't working.back then the issue was:
Then that issue got fixed but new one introduced:
And solution is this PR