Provisioned Tenant from Operator Istio sidecar issues #1995
Comments
|
Since you are running operator and tenant on Istio, do you still have pre-packaged minio tls enabled? Did you turn it off? Also do you have authorization policy set to allow operator namespace to link to tenant namespace? |
|
I do still have it enabled but per all these old issues that fixed service labels I assumed that was OK: #749 The issue really is the way the init containers work with the service mesh due to the the proxy not being up to deal with the traffic. I can't tell from the tenant if the init container is required or of it could optionally be disabled. Maybe I just have to deal with this until SidecarContainers feature gate is GA in K8s |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
If I have istio sidecars on for both Minio Operator and Tenant objects, whent he Tenant pods get created the validate-arguments init container fails because the mTLS tunnel isn't up yet. This maybe more of a feature request then a bug (or just documentation) can the validate-arguments init container be disabled or re-configured when istio sidecars are injected?
Expected Behavior
Tenant pods should come up with Istio enabled
Current Behavior
validate-arguments crash loop because they can't connect to the pod
Possible Solution
Disable init containers on Tenant deployments when istio sidecars are injected (manually via Tenant or Operator config)
Steps to Reproduce (for bugs)
Context
Trying to run Minio with Istio mTLS
Regression
No
Your Environment
minio-operator): 5.0.12uname -a): Linux 6.5.0-18-generic Ability to set custom MINIO_STORAGE_CLASS_STANDARD environment variable in the container #18~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Feb 7 11:40:03 UTC 2 x86_64 x86_64 x86_64 GNU/LinuxThe text was updated successfully, but these errors were encountered: