same JWT not work for login operator console, get 401 unauthenticated for invalid credentials #1422

Closed
qwegas opened this issue Jan 29, 2023 · 17 comments
Labels: community, question (Further information is requested), triage

Comments

@qwegas

qwegas commented Jan 29, 2023

Just install and create a NodePort svc to log in to it.

helm install minio-operator  operator-4.5.8.tgz -n minio-operator --create-namespace

Apply:

apiVersion: v1
kind: Service
metadata:
  name: console-nodeport
  namespace: minio-operator
spec:
  ports:
  - name: http
    port: 9090
    protocol: TCP
    targetPort: 9090
  selector:
    app.kubernetes.io/instance: minio-operator-console
    app.kubernetes.io/name: operator
  type: NodePort

---

apiVersion: v1
kind: Secret
metadata:
  name: console-sa-secret
  namespace: minio-operator
  annotations:
    kubernetes.io/service-account.name: console-sa
type: kubernetes.io/service-account-token

Get the JWT:

kubectl -n minio-operator  get secret console-sa-secret -o jsonpath="{.data.token}" | base64 --decode


and then it failed.

Console log:

Serving operator at http://[::]:9090
ErrorWithContext:Get "https://dl.min.io/server/minio/release/linux-amd64/": dial tcp: lookup dl.min.io on 10.43.0.10:53: server misbehaving
ErrorWithContext:Get "https://dl.min.io/server/minio/release/linux-amd64/": dial tcp: lookup dl.min.io on 10.43.0.10:53: server misbehaving
ErrorWithContext:Get "https://dl.min.io/server/minio/release/linux-amd64/": dial tcp: lookup dl.min.io on 10.43.0.10:53: server misbehaving
ErrorWithContext:Get "https://dl.min.io/server/minio/release/linux-amd64/": dial tcp: lookup dl.min.io on 10.43.0.10:53: server misbehaving

Your Environment

  • Version used (minio-operator): 4.5.8
  • Environment name and version (e.g. kubernetes v1.17.2): 1.23.6
  • Server type and version:
  • Operating System and version (uname -a):
  • Link to your deployment file:
@qwegas
Author

qwegas commented Jan 29, 2023

Using 4.5.7 saved my life.

@qwegas qwegas closed this as completed Jan 29, 2023
@qwegas qwegas reopened this Jan 29, 2023
@qwegas
Author

qwegas commented Jan 29, 2023

Same problem in 4.5.7.
The first time, I could log in to the operator console.

  • and then installed a tenant via helm
  • maybe the login timed out and refreshed to the login page.
  • used the same JWT to log in
  • got the same error
  • even reinstalling the helm chart can't fix the problem


@qwegas qwegas changed the title login operator console get 401 unauthenticated for invalid credentials same JWT not work for login operator console, get 401 unauthenticated for invalid credentials Jan 29, 2023
@z666k

z666k commented Mar 17, 2023

I also get this problem; my versions:
k8s: 1.23.17
minio: 4.5.8
install style: kubectl minio init --console-tls


@stale

stale bot commented Jun 17, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Jun 17, 2023
@yaohwu

yaohwu commented Jul 4, 2023

Got the same 401 error after following the https://min.io/docs/minio/kubernetes/upstream/operations/installation.html doc and creating a MinIO tenant.

The token may become invalid after some time, or after creating a tenant or other actions that I don't know about.


kubectl minio version
v5.0.6


Even using
kubectl get secret/console-sa-secret -n minio-operator -o json | jq -r '.data.token' | base64 -d
to get the token, the 401 happened again.

@stale stale bot removed the stale label Jul 4, 2023
@yaohwu

yaohwu commented Jul 4, 2023

Got the same error even after kubectl minio delete and kubectl minio init.

@yaohwu

yaohwu commented Jul 4, 2023

Here are the logs:

E: 2023/07/04 09:08:40 Unable to load certs: unable to create certs CA directory at /tmp/certs/CAs: failed with mkdir /tmp/certs/CAs: read-only file system
Serving operator at http://[::]:9090
Unable to validate the session token Anonymous: invalid character 'A' looking for beginning of value
Unable to validate the session token Anonymous: invalid character 'A' looking for beginning of value
Unable to validate the session token Anonymous: invalid character 'A' looking for beginning of value
Unable to validate the session token Anonymous: invalid character 'A' looking for beginning of value
Unable to validate the session token Anonymous: invalid character 'A' looking for beginning of value
Unable to validate the session token Anonymous: invalid character 'A' looking for beginning of value
Unable to validate the session token Anonymous: invalid character 'A' looking for beginning of value
Unable to validate the session token Anonymous: invalid character 'A' looking for beginning of value
Unable to validate the session token Anonymous: invalid character 'A' looking for beginning of value
Unable to validate the session token Anonymous: invalid character 'A' looking for beginning of value

From the keyword, it may be the same as #1534.

@yaohwu

yaohwu commented Jul 4, 2023

Unable to load certs: unable to create certs CA directory at /tmp/certs/CAs: failed with mkdir

apiVersion: v1
kind: Service
metadata:
  name: operator-minio-external
spec:
  type: NodePort
  ports:
  - nodePort: 31909
    port: 9090
    protocol: TCP
    targetPort: 9090
  selector:
    app.kubernetes.io/name: operator

Using this to create a NodePort, I get the same 401 error.

@asura-10

Here are the logs:

E: 2023/07/04 09:08:40 Unable to load certs: unable to create certs CA directory at /tmp/certs/CAs: failed with mkdir /tmp/certs/CAs: read-only file system
Serving operator at http://[::]:9090
Unable to validate the session token Anonymous: invalid character 'A' looking for beginning of value
Unable to validate the session token Anonymous: invalid character 'A' looking for beginning of value
Unable to validate the session token Anonymous: invalid character 'A' looking for beginning of value
Unable to validate the session token Anonymous: invalid character 'A' looking for beginning of value
Unable to validate the session token Anonymous: invalid character 'A' looking for beginning of value
Unable to validate the session token Anonymous: invalid character 'A' looking for beginning of value
Unable to validate the session token Anonymous: invalid character 'A' looking for beginning of value
Unable to validate the session token Anonymous: invalid character 'A' looking for beginning of value
Unable to validate the session token Anonymous: invalid character 'A' looking for beginning of value
Unable to validate the session token Anonymous: invalid character 'A' looking for beginning of value

From the keyword, it may be the same as #1534.

Give Chrome's incognito mode a shot.

@allanrogerr
Contributor

4.5.8 @qwegas This is not how a NodePort is defined. You are missing .spec.ports[].nodePort. Please observe the following sample:

apiVersion: v1
kind: Service
metadata:
  annotations:
    meta.helm.sh/release-name: minio-operator
    meta.helm.sh/release-namespace: minio-operator
  creationTimestamp: "0001-01-01T01:01:01Z"
  labels:
    app.kubernetes.io/instance: minio-operator
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: operator
    app.kubernetes.io/version: v4.5.8
    helm.sh/chart: operator-4.5.8
  name: console
  namespace: minio-operator
  resourceVersion: "1333"
  uid: 1-2-3-4-5
spec:
  clusterIP: x.x.x.x
  clusterIPs:
  - x.x.x.x
  externalTrafficPolicy: Cluster
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: http
    nodePort: 31000
    port: 9090
    protocol: TCP
    targetPort: 9090
  selector:
    app.kubernetes.io/instance: minio-operator-console
    app.kubernetes.io/name: operator
  sessionAffinity: None
  type: NodePort
status:
  loadBalancer: {}

@allanrogerr
Contributor

The secret should also be autogenerated by the minio-operator. Please do not modify it.

@allanrogerr
Contributor

Here is a complete example:

Install k3s. Print versions.

curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" sh -s - --snapshotter=fuse-overlayfs
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
k3s --version

Output

k3s version v1.27.6+k3s1 (bd04941a)
go version go1.20.8

sudo systemctl status k3s.service

Output

● k3s.service - Lightweight Kubernetes
     Loaded: loaded (/etc/systemd/system/k3s.service; enabled; preset: enabled)
     Active: active (running) since Thu 2023-10-12 19:00:40 UTC; 26min ago

Install helm

wget https://get.helm.sh/helm-v3.6.3-linux-amd64.tar.gz
tar -zxvf helm-v3.6.3-linux-amd64.tar.gz
sudo mv linux-amd64/helm /usr/local/bin/helm
helm version

Output

version.BuildInfo{Version:"v3.6.3", GitCommit:"d506314abfb5d21419df8c7e7e68012379db2354", GitTreeState:"clean", GoVersion:"go1.16.5"}

Install minio-operator. Print version.

curl -O https://raw.githubusercontent.com/minio/operator/master/helm-releases/operator-4.5.8.tgz
tar -xvf operator-4.5.8.tgz
helm install --namespace minio-operator --create-namespace minio-operator operator-4.5.8.tgz -f operator/values.yaml
helm inspect chart operator

Output

apiVersion: v2
appVersion: v4.5.8
description: A Helm chart for MinIO Operator
home: https://min.io
icon: https://min.io/resources/img/logo/MINIO_wordmark.png
keywords:
- storage
- object-storage
- S3
maintainers:
- email: dev@minio.io
  name: MinIO, Inc
name: operator
sources:
- https://github.com/minio/operator
type: application
version: 4.5.8

Validate minio-operator running

kubectl get pods -n minio-operator

Output

NAME                              READY   STATUS    RESTARTS   AGE
minio-operator-7d988dd6b6-lckt4   1/1     Running   0          24m
console-5756b69c9f-8s8d8          1/1     Running   0          24m
minio-operator-7d988dd6b6-swvnj   1/1     Running   0          24m

Add NodePort to service

kubectl patch service -n minio-operator console --type='merge' -p '{"spec":{"type": "NodePort", "ports":[{"name": "http", "port": 9090, "nodePort": 31000}]}}'
kubectl -n minio-operator get svc/console -o yaml

Output (redacted)

apiVersion: v1
kind: Service
...
spec:
  clusterIP: x.x.x.x
  clusterIPs:
  - x.x.x.x
  externalTrafficPolicy: Cluster
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: http
    nodePort: 31000
    port: 9090
    protocol: TCP
    targetPort: 9090
  selector:
    app.kubernetes.io/instance: minio-operator-console
    app.kubernetes.io/name: operator
  sessionAffinity: None
  type: NodePort
status:
  loadBalancer: {}

Get JWT and log in

kubectl -n minio-operator get secret console-sa-secret -o jsonpath="{.data.token}" | base64 --decode
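A local check on the token from the step above, added here as an example and not part of the issue or the operator project: decode the JWT's header and payload from base64url (no network, nothing sent anywhere), confirm the sub claim names console-sa in minio-operator, and see whether an exp claim is present. The sample token is constructed inline with a placeholder header and signature; pass a real token as the first argument instead.

```shell
#!/bin/sh
# Added example, not code from the issue: inspect a service-account JWT locally to
# confirm it is the console-sa token the operator console expects before blaming
# the console for a 401.

# Decode segment N (1 = header, 2 = payload) of a JWT from base64url to JSON.
jwt_segment() {
  seg=$(printf '%s' "$1" | cut -d. -f"$2" | tr '_-' '/+')
  pad=$(( (4 - ${#seg} % 4) % 4 ))   # base64url drops '=' padding; restore it
  while [ "$pad" -gt 0 ]; do seg="${seg}="; pad=$((pad - 1)); done
  printf '%s' "$seg" | base64 -d
}

# The 'sub' claim of a service-account token reads
# system:serviceaccount:<namespace>:<serviceaccount>.
jwt_subject() {
  jwt_segment "$1" 2 | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# Succeeds when the payload carries an 'exp' claim. A token stored in a
# kubernetes.io/service-account-token Secret (as in this issue) has none and does
# not expire; a bound token (kubectl create token, projected volume) does.
jwt_has_exp() {
  jwt_segment "$1" 2 | grep -q '"exp"'
}

# Constructed sample token (unsigned, placeholder signature) carrying the claims a
# console-sa Secret token would have. Replace it with the output of:
#   kubectl -n minio-operator get secret console-sa-secret -o jsonpath="{.data.token}" | base64 --decode
b64url() { base64 | tr -d '=\n' | tr '+/' '-_'; }
SAMPLE_HEADER=$(printf '%s' '{"alg":"RS256","kid":"constructed"}' | b64url)
SAMPLE_PAYLOAD=$(printf '%s' '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"minio-operator","kubernetes.io/serviceaccount/secret.name":"console-sa-secret","kubernetes.io/serviceaccount/service-account.name":"console-sa","sub":"system:serviceaccount:minio-operator:console-sa"}' | b64url)
SAMPLE_TOKEN="${SAMPLE_HEADER}.${SAMPLE_PAYLOAD}.placeholder-signature"

TOKEN="${1:-$SAMPLE_TOKEN}"
echo "subject: $(jwt_subject "$TOKEN")"
if jwt_has_exp "$TOKEN"; then
  echo "exp claim present: bound token, will expire"
else
  echo "no exp claim: secret-based token, does not expire"
fi
```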

@allanrogerr
Contributor

@yaohwu Your NodePort is not correctly defined as well. Please see above examples.

@allanrogerr allanrogerr self-assigned this Oct 12, 2023
@yaohwu

yaohwu commented Oct 25, 2023

@yaohwu Your NodePort is not correctly defined as well. Please see above examples.

Thanks, I will try it in the next few days.

@allanrogerr
Contributor

@yaohwu Any luck?

@yaohwu

yaohwu commented Nov 30, 2023

Well, I tried the above examples and it works as of now. But as I said before, I am worried that it will be 401 after some time. I will give feedback if any issues happen.

The token may become invalid after some time, or after creating a tenant or other actions that I don't know about.

@allanrogerr
Contributor

@yaohwu Does this work?

The minio-operator console's JWT will not change unless you recreate console-sa-secret for some reason. However, its purpose is only to provision the tenants. Once the tenants are created, you use the username and password combination (or openid/ldap) previously configured.

You should therefore directly access the MinIO tenant console using the following means:

  1. Validate the tenant console service is up
     kubectl --namespace <TENANT_NAMESPACE> get svc/<TENANT_NAME>-console
  2. Add a NodePort (or Port Forward)
     kubectl patch service -n <TENANT_NAMESPACE> <TENANT_NAME>-console --type='merge' -p '{"spec":{"type": "NodePort", "ports":[{"name": "https", "port": 9443, "nodePort": 30000}]}}'

     or

     kubectl -n <TENANT_NAMESPACE> port-forward svc/<TENANT_NAME>-console 9043:9443 --address 0.0.0.0
  3. Access the tenant console directly

@allanrogerr allanrogerr added the question Further information is requested label Nov 30, 2023