MinIO Ingress on Kind for testing and learning - cniackz/public GitHub Wiki
Ingress
- Please read these documents:
  - https://arunsworld.medium.com/ssl-passthrough-via-kubernetes-ingress-b3eaf3c7c9da
  - https://kind.sigs.k8s.io/docs/user/ingress/
- Then deploy this cluster (9443 for console, 443 for minio):
  ```yaml
  kind: Cluster
  apiVersion: kind.x-k8s.io/v1alpha4
  nodes:
    - role: control-plane
      kubeadmConfigPatches:
        - |
          kind: InitConfiguration
          nodeRegistration:
            kubeletExtraArgs:
              node-labels: "ingress-ready=true"
      # No listenAddress on these two mappings: kind then binds them on
      # 0.0.0.0 (its default), unlike the loopback-only worker ports below.
      extraPortMappings:
        - containerPort: 9443
          hostPort: 9443
          protocol: TCP
        - containerPort: 443
          hostPort: 443
          protocol: TCP
    - role: worker
      extraPortMappings:
        - containerPort: 30081
          hostPort: 30081
          listenAddress: "127.0.0.1"
          protocol: TCP
    - role: worker
      extraPortMappings:
        - containerPort: 30082
          hostPort: 30082
          listenAddress: "127.0.0.1"
          protocol: TCP
    - role: worker
      extraPortMappings:
        - containerPort: 30083
          hostPort: 30083
          listenAddress: "127.0.0.1"
          protocol: TCP
    - role: worker
      extraPortMappings:
        - containerPort: 30084
          hostPort: 30084
          listenAddress: "127.0.0.1"
          protocol: TCP
  ```
- Install Ingress NGINX:
  ```sh
  kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
  ```
- Now the Ingress is all set up. Wait until it is ready to process requests by running:
  ```sh
  kubectl wait --namespace ingress-nginx \
    --for=condition=ready pod \
    --selector=app.kubernetes.io/component=controller \
    --timeout=90s
  ```
- Add `--enable-ssl-passthrough` to enable passthrough in the ingress-nginx deployment:
  ```yaml
  apiVersion: apps/v1
  kind: Deployment
  ...
  spec:
    template:
      spec:
        containers:
          - args:
              ...
              - --enable-ssl-passthrough
  ```
- Install Operator
installoperator kustomize
- Install Tenant
installtenant kustomize
- Create Ingress:
  ```yaml
  apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    name: example-ingress
    namespace: tenant-lite
    annotations:
      # ssl-passthrough routes at the TCP layer by SNI; per the ingress-nginx
      # docs it invalidates the other annotations set on this Ingress.
      nginx.ingress.kubernetes.io/rewrite-target: /$2
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
  spec:
    tls:
      - hosts:
          - minio.tenant-lite.svc.cluster.local
          - minio.tenant-lite
        secretName: myminio-tls
    rules:
      - host: minio.tenant-lite.svc.cluster.local
        http:
          paths:
            - path: /
              pathType: Prefix
              backend:
                service:
                  name: minio
                  port:
                    number: 443
      - host: minio.tenant-lite
        http:
          paths:
            - path: /
              pathType: Prefix
              backend:
                service:
                  name: myminio-console
                  port:
                    number: 9443
  ```
- Explanation: It forwards a trusted URL to a k8s Service, in this case to minio and console.
- Buy a domain with TLS or modify your /etc/hosts:
  ```
  127.0.0.1 minio.tenant-lite.svc.cluster.local
  127.0.0.1 minio.tenant-lite
  ```
- Create a file with this content to trust the certificate if you did not buy one:
namespace | secret | key
---------------+--------------------+------------------------
minio-operator | console-sa-secret | ca.crt <--- First put this content
default | cesar-tls | public.crt <------ Then put this content
- If you are on a Mac and did not buy the domain/cert, add the above file to the Keychain Access app so the certs are trusted.
- Now you can create the alias as if you were inside the cluster:
  ```
  Cesars-MacBook-Pro:~ cniackz$ mc alias set myminio https://minio.tenant-lite.svc.cluster.local minio minio123
  Added `myminio` successfully.
  ```
- And you can access the console UI with a trusted certificate:
- https://minio.tenant-lite/login
- User: minio
- Password: minio123
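
An added example, not part of the original wiki: a POSIX shell sketch that assembles the trust file from the two secrets in the table above and then checks, for both hostnames, whether the certificate served through the ingress verifies against that file and whether it is the ingress-nginx default certificate (which would mean TLS is being terminated at the ingress instead of passed through). The secret names and hostnames are the ones on this page; the `BUNDLE` path and the `RUN_CHECK` switch are assumptions of the sketch.

```shell
#!/bin/sh
# Added example, not from the wiki. Secret names and hostnames are the page's;
# BUNDLE and the RUN_CHECK switch are assumptions of this sketch.
BUNDLE="${BUNDLE:-./minio-kind-ca.pem}"

# jsonpath for one key of a Secret; dots in the key name must be escaped.
secret_jsonpath() {
  printf '{.data.%s}' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# fetch_pem <namespace> <secret> <key>: print the decoded PEM value.
fetch_pem() {
  kubectl get secret "$2" -n "$1" -o "jsonpath=$(secret_jsonpath "$3")" | base64 --decode
}

# Heuristic on the served certificate's subject line: ingress-nginx answers
# with its self-signed default certificate when it terminates TLS itself.
classify_subject() {
  case "$1" in
    "") echo "no-certificate" ;;
    *"Kubernetes Ingress Controller Fake Certificate"*) echo "ingress-default" ;;
    *) echo "not-ingress-default" ;;
  esac
}

# Succeeds when s_client output on stdin reports a chain that verified.
verify_ok() {
  grep -q 'Verify return code: 0 (ok)'
}

# check_host <sni-name>: handshake with the kind host port 443 using that SNI.
check_host() {
  out=$(openssl s_client -connect 127.0.0.1:443 -servername "$1" \
        -CAfile "$BUNDLE" </dev/null 2>/dev/null)
  subject=$(printf '%s\n' "$out" | openssl x509 -noout -subject 2>/dev/null)
  if printf '%s\n' "$out" | verify_ok; then trust=trusted; else trust=untrusted; fi
  echo "$1: $(classify_subject "$subject"), $trust"
}

# Only touch the cluster when asked to: RUN_CHECK=1 sh check.sh
if [ "${RUN_CHECK:-0}" = 1 ]; then
  { fetch_pem minio-operator console-sa-secret ca.crt   # first, per the table
    fetch_pem default cesar-tls public.crt; } > "$BUNDLE"   # then this one
  check_host minio.tenant-lite.svc.cluster.local
  check_host minio.tenant-lite
fi
```

A result of `ingress-default` or `untrusted` for either hostname points at the `--enable-ssl-passthrough` flag or at the trust file, respectively.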