Described installation process not working #2100

Open
fliegera opened this issue May 2, 2024 · 3 comments

fliegera commented May 2, 2024

I am following the installation procedure for the operator as described here on my local CRC version 4.15.3 as well as on a productive system running on 4.13.37

https://min.io/docs/minio/kubernetes/openshift/operations/installation.html

First issue is that the Operator is installed without any Nodeport

This is the spec of the Route that I created according to your documentation. All I get is "Application not available", even if all pods are running.

```yaml
spec:
  host: operator-console-route-minio-operator.apps-crc.testing
  to:
    kind: Service
    name: console
    weight: 100
  port:
    targetPort: http
  wildcardPolicy: None
status:
  ingress:
    - host: operator-console-route-minio-operator.apps-crc.testing
      routerName: default
      conditions:
        - type: Admitted
          status: 'True'
          lastTransitionTime: '2024-05-02T19:00:35Z'
      wildcardPolicy: None
      routerCanonicalHostname: router-default.apps-crc.testing
```

@ramondeklein
Contributor

Although the documentation implies that node ports are automatically created, they are not. Node ports are probably also not how you want to expose your service. You typically expose services in OpenShift via routes, but it looks like the http port always redirects to an HTTPS connection and this fails, because there is no matching route.

You can create the following route instead (it creates a route on HTTPS):

```yaml
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: minio
  namespace: minio-operator
  labels:
    app.kubernetes.io/instance: minio-operator
    app.kubernetes.io/name: operator
    name: console
    olm.managed: 'true'
    operators.coreos.com/minio-operator.minio-operator: ''
spec:
  host: operator-console-route-minio-operator.apps-crc.testing
  port:
    targetPort: https
  to:
    kind: Service
    name: console
  tls:
    termination: passthrough
    insecureEdgeTerminationPolicy: Redirect
```

You can then go to https://operator-console-route-minio-operator.apps-crc.testing and the console should open. You may get errors about invalid certificates, because the certificate won't be valid for your hostname.

We'll revise the documentation for OpenShift deployment. We made some changes and they aren't reflected here yet. I'll also look into the issue why the http port redirects back to https.

ramondeklein self-assigned this May 8, 2024

@ramondeklein
Contributor

ramondeklein commented May 13, 2024

The operator service is directing HTTP traffic to HTTPS, because the --cert-dir is specified and certificates are present. The certificate is valid for console.minio-operator.svc and console.minio-operator.svc.cluster.local (deployed in namespace minio-operator) and issued by openshift-service-serving-signer. When TLS is enabled, then non-HTTP traffic is automatically redirected to use HTTPS.

The TLS redirection forwards to the same hostname/port, but with the https scheme. When using port-forwarding, this will result in a port-forward to port 9090 again which is still the HTTP port, so it won't work. I guess, this redirection only works correctly when there is a route on the default ports (HTTP port 80 and HTTPS port 443). If a user goes to http://console.minio-operator.svc.cluster.local/, then it will redirect to https://console.minio-operator.svc.cluster.local/ and it will work fine.

When deploying via the standard Helm script, the --cert-dir is specified, but no certificates are present in the directory. This works fine both on OpenShift and "regular" Kubernetes clusters.

@pjuarezd Is there a reason why the OpenShift deployment deploys with cluster certificates when deploying via the OpenShift console?

@dvaldivia The TLS redirection functionality doesn't make much sense if the host header contains an explicit port. We may want to remove that redirect in those cases and return an error instead.
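
The redirect behaviour suggested in the comment above, as an added example that is not part of the thread and not taken from the MinIO Operator code: a plain-HTTP handler that redirects to HTTPS only when the Host header has no explicit port and returns an error otherwise. The function names, the 308/400 status codes and the sample hosts are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// redirectTarget returns the HTTPS URL for a plain-HTTP request, or ok=false
// when the Host header carries an explicit port (for example a port-forward),
// where swapping only the scheme would send the client back to the HTTP port.
func redirectTarget(host, requestURI string) (target string, ok bool) {
	if host == "" {
		return "", false
	}
	if _, _, err := net.SplitHostPort(host); err == nil {
		return "", false // explicit port: the HTTPS listener's port is unknown
	}
	return "https://" + host + requestURI, true
}

// httpsRedirect is a hypothetical handler for the plain-HTTP listener.
func httpsRedirect(w http.ResponseWriter, r *http.Request) {
	target, ok := redirectTarget(r.Host, r.URL.RequestURI())
	if !ok {
		http.Error(w, "TLS is enabled; connect to the HTTPS port", http.StatusBadRequest)
		return
	}
	http.Redirect(w, r, target, http.StatusPermanentRedirect)
}

// statusFor runs the handler against a constructed request for the given Host
// value and returns the response status code and Location header.
func statusFor(host string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "http://"+host+"/login", nil)
	rec := httptest.NewRecorder()
	httpsRedirect(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	for _, h := range []string{"console.minio-operator.svc.cluster.local", "localhost:9090"} {
		code, loc := statusFor(h)
		fmt.Println(h, code, loc)
	}
}
```
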

@pjuarezd
Member

@ravindk89 we need to do some updates in the docs for OpenShift installs

feorlen self-assigned this May 14, 2024