-
Notifications
You must be signed in to change notification settings - Fork 272
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
minio web console auth issues when port-forwarding a local minikube k8s minio instance #2539
Comments
more context: port-forwarding various kafka, redis and flink ports from the same minikube all work fine w/o issue in our setup. it's just this latest minio console. moreover, forwarding minio's api port (9000) and using mc locally in the host context against the api port *9000) works fine w/o any forward breaks. |
Forwarding won't work as MinIO Console UI requires websockets. Moving this to relevant repo for more guidance.. |
interesting. did the older version not use websockets? |
yes, there have been some changes to the bucket browser that started using WebSockets for more efficient (responsive) UI. So I don't know if port-forwarding handles these scenarios properly, as it's not meant to be used for production. |
it seems there's only issues when loading the login page based on more testing. for my setup, i've refined the workaround to just need one restart:
|
i agree that port-forwarding isn't for production use. the use case minio satisfies for us right now is stubbing s3 for local development which hopefully is a valid minio use case. |
I also have websocket-related issues, on a console deployed via Minio Operator and Tenant I see the following error in my pod: While I understand port-forwarding and websockets together may not be meant for production use, I have done nothing but follow the documentation, which is essentially "pop up an operator, use the krew plugin to proxy your traffic, create a tenant and enjoy". The documentation should probably be updated to reflect the fact that issues should be expected when using port-forwarding |
@clovis-dugue that's a fair ask. I missed this discussion as I typically monitor @harshavardhana am I right in thinking that moving forward, we'll need to use ingress to get this to work? that is, |
I'll note that this might be an issue related mostly to containerized K8s setups - asking internally, we haven't seen it come up yet in fully-deployed upstream Kubernetes. If that's the case, we might need to add a warning in about this behavior and the workaround. Documenting nginx/traefik ingress will take a little longer. |
I've tested it with kubeadm/kubernetes on aws using aws nlb->haproxy-ingress->minio-operator->minio-console and websocket based communication not worked and got the "error upgrade connection.." message in the console log |
@ravindk89 I just encountered this issue on vanilla k8s on vSphere (capi based setup, not containerized). I think an ingress will be needed to work around this issue. |
I verified the issue on K3s as well, unfortunately. We're going to update our docs with some guidance this week, mostly to drop port-forwarding as an option and recommend ingress. Documenting ingress will take longer - we have resources for Nginx, but not Traefik right now. We appreciate everyone's patience while we push forward. |
As a simple workaround, We deploy the Operator Console and Tenant Consoles w/ nodeports. You can use these to access the services directly. For example: kubectl get svc/console -n minio-operator -o json | jq -r '.spec.ports' ✔ default ⎈
[
{
"name": "http",
"nodePort": 31055,
"port": 9090,
"protocol": "TCP",
"targetPort": 9090
},
{
"name": "https",
"nodePort": 31388,
"port": 9443,
"protocol": "TCP",
"targetPort": 9443
}
] kubectl get svc/miniodc-console -n miniodc -o json | jq -r '.spec.ports' PIPE|3 ✘ default ⎈
[
{
"name": "https-console",
"nodePort": 30496,
"port": 9443,
"protocol": "TCP",
"targetPort": 9443
}
] In both cases, you can connect to a worker node via the nodePorts and access the underlying service. I'm not sure what node actually matters. I was able to access it regardless, so this is likely what the docs will reference in the short term. w.r.t. the Operator login, you can retrieve the JWT by reading the kubectl get secret/console-sa-secret -n minio-operator -o json | jq -r '.data.token' | base64 -d |
As per minio/console#2539 , the websocket behavior integrated as part of Console 0.22.1 (minio/console#2419) seems to break port-forwarding behavior. There's no easy fix for this. NodePorts are a workaround, but slightly kludgy. Ingress is the better long-term solution, but requires more work. This is a stopgap: - For Operator, point users towards NodePorts if port-forwarding fails - For Tenant Console, simply drop port-forwarding entirely and point only at Ingress/LB Out of scope but in progress is Ingress guidance for Nginx and Traefik so we can close the loop on this.
the root cause is the |
This seems to have to do with |
Looks like an upstream issue at this point |
@jinyius once you enable port forwarding, can you try this on another terminal?
I tried this on kind. Not sure if this will work in minikube |
Not directly addressing the issue, but a good alternative workaround to the port forwarding loop it is to simply expose the |
do you know which version is safe to use? I observed the same at the weekend in k3s @jinyius |
Have the same issue on k3s cluster with ingress. In case of ingress: Error is misleading.
If using proxy either kubectl minio proxy or usual kubectl proxy -> page just hangs and timeouts - no red banner. In console logs errors are the same. |
I downgraded to Helm Chart version I struggled to connect with version Helm values with chart version
|
@jarlefosen I couldn't find helm chart 4.1.0 because latest seem to be 4.0.15 https://github.com/minio/minio/blob/RELEASE.2022-10-24T18-35-07Z/helm/minio/Chart.yaml however, changing image to image:
repository: quay.io/minio/minio
tag: RELEASE.2022-09-17T00-09-45Z
pullPolicy: IfNotPresent solved my issues with port forwarding so thank you very much, clearly something is wrong after this date, this websockets issue is gonna bite more people due to software supply chain issue of |
The issue has been resolved (see #2799 and minio/minio#17123) and released in RELEASE.2023-05-04T21-44-30Z. environment:
MINIO_BROWSER_LOGIN_ANIMATION: off |
I'm really glad I'm already subscribed to this issue, because I would never make a connection between a broken login page due to network errors and disabling an animation. 😂 Thanks for looking into it! |
Even adding that environment variable to my deployment, I still encounter connection issues. Are we sure that was the culprit? |
Closing since this would be solved on kubernetes/kubectl#1368. Waiting for resolution of it. We provided a workaround which is disabling the animation via an environment variable. |
For some reason environment:
MINIO_BROWSER_LOGIN_ANIMATION: 'off' |
Fixes #98 Disable the MinIO web UI login animation to avoid a web socket port forwarding bug: minio/console#2539.
Fixes #998 Disable the MinIO web UI login animation to avoid a web socket port forwarding bug: minio/console#2539.
Fixes #998 Disable the MinIO web UI login animation to avoid a web socket port forwarding bug: minio/console#2539.
@callingmedic911 Holy 👍 |
Steps to Reproduce (for bugs)
kubectl port-forward pod/myminio-blah-blah 9001
Expected Behavior
web console loads fine and is usable
Current Behavior
web console loads, but acts oddly due to port-forwarding issues
Possible Solution
my coworker and i believe there's something going on w/ the minio web ui's around the login screen and authentication that causes the port-forwarding to break. we've gotten around this by brute-forcing the port forward to restart explicitly and manually during authentication. eventually, with enough port-forward restarts, it succeeds. once the browser session is authenticated, there are no port-forwarding issues.
workaround
while true; do kubectl port-forward pod/myminio-blah-blah 9001; done
Context
we use minio locally as a fake s3 for local flink development. we use eks in prod for flink, so we use minikube for a local k8s env and so we try to keep all flink development parts in the local minikube setup
Regression
yes. port-forwarding worked fine using the super-old helm chart: https://github.com/minio/charts
we noticed that this version doesn't have a split console and api port. it just has port 9000 that suffices for both endpoints. we had to version bump b/c this old version of minio has bugs that prevents proper s3 expectations.
Your Environment
minio --version
):Server setup and configuration:
we tried using replicated and standalone setups for our minio install
Operating System and version (
uname -a
):NOTE: we replicated this using both an m1 and intel mac. the m1 mac uses minikube over docker and the intel mac uses minikube over hyperkit.
The text was updated successfully, but these errors were encountered: