Console under subpath (traefik) #3420

Open
ahuarte47 opened this issue Aug 8, 2024 · 8 comments
@ahuarte47

I'm trying to use TRAEFIK as a reverse proxy for Minio console (Tenant) adding the subpath "miniodef".

This is my manifest to define the ingress resource:

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: minio-tenant-miniodef-server-ingressroute
  namespace: minio-tenant-miniodef
  annotations:
    ingress.kubernetes.io/rewrite-target: /
    ingress.kubernetes.io/protocol: https # Traefik
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: PathPrefix(`/miniodef/`)
      priority: 10
      services:
        - name: miniodef-console
          port: 9443
  tls: {}

Expected Behavior

https://localhost:9121/miniodef/ should show the console UI

Current Behavior

https://localhost:9121/miniodef/ shows a blank page because the URLs of the console files do not have the subpath:

for example:
https://localhost:9121/styles/root-styles.css
should be:
https://localhost:9121/miniodef/styles/root-styles.css

Possible Solution

Should I set the MINIO_SERVER_URL, MINIO_BROWSER_REDIRECT_URL or OPERATOR_SUBPATH environment variables in the custom tenant values.yaml?

Your Environment

  • MinIO version used (minio --version): 6.0.1 Operator + Tenant
  • Server setup and configuration: MinIO Operator + Tenant using Helm 6.0.1 in minikube
  • Operating System and version (uname -a): Ubuntu Linux 20.04
@cesnietor
Collaborator

cesnietor commented Aug 8, 2024

@ahuarte47 You need to specify MINIO_BROWSER_REDIRECT_URL as defined in the docs?

@ahuarte47
Author

ahuarte47 commented Aug 8, 2024

Hi, this is my custom values.yml for deploying the MinIO tenant:

# -- Set the credentials,
# WARNING: '.secrets' is deprecated since v6.0.1 and will be removed in next minor release (i.e. v5.1.0).
# WARNING: Please use '.tenant.configSecret' instead.
#
secrets:
  name: miniodev-env-configuration
  accessKey: minio
  secretKey: minio123

# Root key for MinIO Tenant Chart
tenant:
  # -- The Tenant name,
  # Change this to match your preferred MinIO Tenant name.
  name: miniodef

  # -- The Kubernetes secret name that contains MinIO environment variable configurations.
  # The secret is expected to have a key named config.env containing environment variables exports.
  configuration:
    name: miniodev-env-configuration

  pools:
    # -- The number of MinIO Tenant Pods / Servers in this pool.
    # For standalone mode, supply 1. For distributed mode, supply 4 or more.
    # Note that the operator does not support upgrading from standalone to distributed mode.
    - servers: 1
      # Custom name for the pool.
      name: pool-0
      # The number of volumes attached per MinIO Tenant Pod / Server.
      volumesPerServer: 1
      # The capacity per volume requested per MinIO Tenant Pod.
      size: 5Gi
      # The storageClass to associate with volumes generated for this pool.
      # If using...
      # + DirectPV CSI driver
      #   Docs: https://github.com/minio/directpv
      # + Amazon Elastic Block Store (EBS) CSI driver
      #   Docs: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/parameters.md
      #   Please make sure to set xfs for "csi.storage.k8s.io/fstype" parameter under StorageClass.parameters.
      #
      storageClassName: standard

  # Add environment variables to be set in MinIO container (https://github.com/minio/minio/tree/master/docs/config)
  env:
    - name: MINIO_BROWSER_REDIRECT_URL
      value: https://localhost:9121/miniodef

No changes in my issue.

cesnietor self-assigned this Aug 26, 2024
@frippe75

frippe75 commented Sep 1, 2024

I tried placing minio-console behind an NGINX-ingress-controller and trying to grasp the
https://min.io/docs/minio/linux/administration/minio-console.html#id5

> Deployments behind network routing components which require static ports for routing rules may require setting a static MinIO Console port. For example, load balancers, reverse proxies, or Kubernetes ingress may by default block or exhibit unexpected behavior with the dynamic redirection behavior.

And

MINIO_BROWSER_REDIRECT_URL

The externally resolvable hostname for the MinIO Console used by the configured external identity manager for returning the authentication response.

@frippe75

frippe75 commented Sep 1, 2024

So I guess setting this to my DNS name

env:
    - name: MINIO_BROWSER_REDIRECT_URL
      value: https://minio-console.example.com

@ahuarte47
Author

I am configuring this variable in values.yaml (I am deploying minio using the official Helm Chart), but with no success:

env:
    - name: MINIO_BROWSER_REDIRECT_URL
      value: https://localhost:9121/miniodef

@frippe75

frippe75 commented Sep 2, 2024

Wonder if passing the "ingress" property/key during helm install would resolve this.. will have a go.

ingress:
  api:
    enabled: true
    ingressClassName: "nginx"
    labels: 
      app: minio-api
    annotations:
      nginx.ingress.kubernetes.io/rewrite-target: /
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
    tls:
      - secretName: minio-api-cert-tls
        hosts:
          - minio.home.xxx.com
    host: minio.home.xxx.com
    path: /
    pathType: Prefix
  console:
    enabled: true
    ingressClassName: "nginx"
    labels: 
      app: minio-console
    annotations:
      nginx.ingress.kubernetes.io/rewrite-target: /
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
    tls:
      - secretName: minio-console-cert-tls
        hosts:
          - minio-console.home.xxx.com
    host: minio-console.home.xxx.com
    path: /
    pathType: Prefix

@frippe75

frippe75 commented Sep 3, 2024

Actually adding the following annotation solved it for me...
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" # Ensure HTTPS is used to communicate with the service

@ahuarte47
Author

ahuarte47 commented Sep 3, 2024

Thanks @frippe75 for your ideas, the key is to figure out how to translate that NGINX configuration to TRAEFIK. I tried several options with no success.

I got ArgoCD & ArgoWorkflows working behind traefik. I changed their baseHref value to a subpath. For example, for ArgoCD:

configs:
  params:
    # -- New base href, service is running behind reverse proxy under subpath different from default ("/")
    server.basehref: "/argocd/"

But I do not know if minio-console needs something similar.
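
Added example (not posted by any participant in this thread, and not the MinIO project's own configuration): a Traefik CRD counterpart to the two NGINX annotations discussed above, rewrite-target and backend-protocol "HTTPS", with the backend certificate validated instead of skipped. Resource names marked hypothetical, the CA Secret and the serverName value are assumptions; the namespace, service, port and path come from the first post.

```yaml
# Added example: names marked "hypothetical" do not appear in the thread.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: miniodef-strip-prefix          # hypothetical name
  namespace: minio-tenant-miniodef
spec:
  stripPrefix:
    prefixes:
      - /miniodef                      # counterpart of NGINX rewrite-target: /
---
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
  name: miniodef-console-tls           # hypothetical name
  namespace: minio-tenant-miniodef
spec:
  # Assumed to match a SAN on the console's serving certificate.
  serverName: miniodef-console.minio-tenant-miniodef.svc
  rootCAsSecrets:
    - miniodef-console-ca              # hypothetical Secret holding the CA that signed that certificate
  # insecureSkipVerify: true would also connect, but turns off backend
  # certificate validation between Traefik and the console.
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: minio-tenant-miniodef-server-ingressroute
  namespace: minio-tenant-miniodef
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: PathPrefix(`/miniodef/`)
      priority: 10
      middlewares:
        - name: miniodef-strip-prefix
      services:
        - name: miniodef-console
          port: 9443
          scheme: https                # counterpart of NGINX backend-protocol: "HTTPS"
          serversTransport: miniodef-console-tls
  tls: {}
```

Stripping the prefix only changes what the console receives from the proxy. The blank page reported in the first post comes from asset URLs emitted without the subpath, which depends on the console side and is not resolved in this thread.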
