Currently, the operator trusts certificates from the image, a certificate chain published by Kubernetes in the operator Pod at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt (operator/pkg/apis/minio.min.io/v2/helper.go, line 106 in c3495a7).
Openshift provides a service CA which automates certificate management for services exposed inside Openshift (https://docs.openshift.com/container-platform/4.16/security/certificate_types_descriptions/service-ca-certificates.html). We use it successfully with Minio tenants.
The service CA certificate is published in Openshift in each namespace in a ConfigMap "openshift-service-ca.crt" and also in the pod, on the path /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt, just like the ca.crt of the internal Kubernetes CA.
Problem is, we use this certificate when exposing tenant internal services, and the operator does not trust the certificate authority by default when contacting the metrics endpoint on those tenants (we get "x509: certificate signed by unknown authority" errors).
As a workaround we manually copy the certificate of the CA from the ConfigMap to a Secret operator-ca-tls-openshift-service-ca so that the operator trusts the service endpoint of tenants.
What we propose is to extend the code in GetPodCAFromFile (operator/pkg/apis/minio.min.io/v2/helper.go, line 106 in c3495a7) and, in addition to using ca.crt, also look for the file service-ca.crt and, if present, add this CA to the trusted authorities as well.
(It should be as simple as this: if not running on Openshift, the file will not be present, and in such cases just continue like the current behavior.)
The benefit would be easier management of Openshift installations for those who use the service CA functionality of Openshift.