Can't log in to console using RELEASE.2024-04-06T05-26-02Z

[dbason]

Expected Behavior

Able to log in to the console with the root user or a user with consoleAdmin policy

Current Behavior

Console returns a 401 when trying to log in

Steps to Reproduce (for bugs)

1. Deploy a minio tenant using the minio operator on kubernetes
2. Expose the minio tenant using a LB service and create a DNS entry with the appropriate host
3. Navigate to the console page. Enter the root user details. Server returns a 401
4. Use mc tool to create a new user in the tenant and attach consoleAdmin policy to user
5. Enter the new user credentials in the console login page. Server returns a 401
6. mc admin trace shows no logs when trying to log in.

Context

Tenant can be managed using the CLI however we are unable to use the gui to manage the tenant

Regression

Possibly? This is occurring on version RELEASE.2024-04-06T05-26-02Z

Your Environment

Using minio operator 5.0.0.14 running on GKE.
The features config in the tenant is as follows:

features:
    domains:
      minio:
      - https://minio.example.com
      console: https://minio-tenant.example.com:9443

[harshavardhana]

@dbason can you share your tenant yaml ?

[dbason]

spec:
  buckets:
  - name: bucket1
    region: us-east-1
  - name: bucket2
    region: us-east-1
  configuration:
    name: minio-config-secret
  exposeServices:
    console: true
    minio: true
  externalCertSecret:
  - name: api-cert-secret
    type: kubernetes.io/tls
  - name: console-cert-secret
    type: kubernetes.io/tls
  features:
    domains:
      console: https://minio-console.example.com:9443
      minio:
      - https://minio-api.example.com
      - https://minio.test.svc.cluster.local
  image: quay.io/minio/minio:RELEASE.2024-04-06T05-26-02Z
  imagePullPolicy: IfNotPresent
  pools:
  - labels:
      app: minio-tenant
    name: default
    servers: 4
    volumeClaimTemplate:
      metadata:
        name: minio-data
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 10Gi
    volumesPerServer: 1
  requestAutoCert: true

[harshavardhana]

I just logged into play.min.io:9443, which is running the latest release.

MINIO_VOLUMES="/disk{1...4}/data"
# Use if you want to run MinIO on a custom port.
MINIO_OPTS="--address play.min.io:9000 --console-address :9001"
# Root user for the server.
MINIO_ROOT_USER=Q3AM3UQ867SPQQA43P2F
# Root secret for the server.
MINIO_ROOT_PASSWORD=zuf+tfteSlswRu7BJ86wekitnifILbZam1KYY3TG
MINIO_SITE_REGION=us-east-1
MINII_REGION_NAME=us-east-1
MINIO_PROMETHEUS_AUTH_TYPE="public"
MINIO_PROMETHEUS_URL=http://services.min.io:9090
#MINIO_PROMETHEUS_JOB_ID="play-minio-dashboard"
MINIO_BROWSER_REDIRECT_URL=https://play.min.io:9443

  features:
    domains:
      console: https://minio-console.example.com:9443
      minio:
      - https://minio-api.example.com
      - https://minio.test.svc.cluster.local

Can you remove these these are meant to be added here not sure what help does this bring.

[dbason]

I'm not sure if they're meant to be there, the documentation is pretty light on this. I'll try removing them.

[dbason]

That resolved the issue, however I think this is still a bug. The domains are part of the tenant helm chart:
https://github.com/minio/operator/blob/master/helm/tenant/templates/tenant.yaml#L98-L103

They seem to be not working as intended unless I'm missing the intention of them somehow.

[harshavardhana]

Yeah please report the issue at minio/operator closing it here.