Deploy MinIO Operator on RedHat OpenShift
Overview
Red Hat® OpenShift® is an enterprise-ready Kubernetes container platform with full-stack automated operations to manage hybrid cloud, multi-cloud, and edge deployments. OpenShift includes an enterprise-grade Linux operating system, container runtime, networking, monitoring, registry, and authentication and authorization solutions.
You can deploy the MinIO Kubernetes Operator through the Red Hat® OpenShift® Container Platform 4.8+. You can deploy and manage MinIO Tenants through OpenShift after deploying the MinIO Operator. This procedure includes instructions for the following deployment paths:
Purchase and Deploy MinIO through the RedHat Marketplace.
Deploy MinIO through the OpenShift OperatorHub
After deploying the MinIO Operator into your OpenShift cluster, you can create and manage MinIO Tenants through the OperatorHub user interface.
This documentation assumes familiarity with all referenced Kubernetes and OpenShift concepts, utilities, and procedures. While this documentation may provide guidance for configuring or deploying Kubernetes-related or OpenShift-related resources on a best-effort basis, it is not a replacement for the official Kubernetes Documentation and OpenShift Container Platform 4.8+ Documentation.
Prerequisites
RedHat OpenShift 4.8+
The MinIO Kubernetes Operator is available starting with OpenShift 4.8+.
Red Hat Marketplace installation requires registration of the OpenShift cluster with the Marketplace for the necessary namespaces. See Register OpenShift cluster with Red Hat Marketplace for complete instructions.
For older versions of OpenShift, use the generic Deploy the MinIO Operator procedure.
Administrator Access
Installation of operators through the Red Hat Marketplace and the Operator Hub is restricted to OpenShift cluster administrators (cluster-admin
privileges).
This procedure requires logging into the Marketplace and/or OpenShift with an account that has those privileges.
OpenShift oc
CLI
Download and Install the OpenShift CLI oc
for use in this procedure.
Procedure
1) Access the MinIO Operator Installation
Select the tab that corresponds to your preferred installation method:
Log into the OpenShift Web Console as a user with cluster-admin
privileges.
From the Administrator panel, select Operators, then OperatorHub.
From the OperatorHub page, type “MinIO” into the Filter text entry. Select the MinIO Operator tile from the search list.
![From the OperatorHub, search for MinIO, then select the MinIO Tile.](../_images/minio-openshift-select-minio1.png)
Select the MinIO Operator tile, then click Install to begin the installation.
Open the MinIO Red Hat Marketplace listing in your browser. Click Login to log in with your Red Hat Marketplace account.
After logging in, click Purchase to purchase the MinIO Operator for your account.
After completing the purchase, click Workplace from the top navigation and select My Software.
![From the Red Hat Marketplace, select Workplace, then My Software](../_images/minio-openshift-marketplace-my-software1.png)
Click MinIO Hybrid Cloud Object Storage and select Install Operator to start the Operator Installation procedure in OpenShift.
2) Configure and Deploy the Operator
The Install Operator page provides a walkthrough for configuring the MinIO Operator installation.
![Complete the Operator Installation Walkthrough](../_images/minio-openshift-operator-installation1.png)
For Update channel, select any of the available options.
For Installation Mode, select All namespaces on the cluster
For Installed Namespace, select openshift-operators
For Approval Strategy, select the approval strategy of your choice.
See the Operator Installation Documentation Step 5 for complete descriptions of each displayed option.
Click Install to start the installation procedure. The web console displays a widget for tracking the installation progress.
![Wait for Installation to Complete.](../_images/minio-openshift-operator-installation-progress1.png)
Once installation completes, click View Operator to view the MinIO Operator page.
3) Configure TLS Certificates
If you have installed the MinIO Operator from Red Hat OperatorHub, the installation process also configures the OpenShift Service CA Operator. This Operator manages the TLS certificates required to access the MinIO Operator Console and Tenants. It automatically renews and rotates the certificates 13 months before expiration. No additional action is required.
For Operator installations deployed by other methods, configure the Service CA certificates manually. See the dropdowns below for details.
OpenShift Service CA Certificate configuration
To manually enable the service-ca
Operator to manage TLS certificates:
Use the following oc command to edit the deployment:
oc edit deployment minio-operator -n minio-operator
If needed, replace
minio-operator
with the name and namespace of your deployment.oc edit
opens the deployment configuration file in an editor.In the
spec
section, add the highlighted MinIO Operator environment variables:containers: - args: - controller env: - name: MINIO_CONSOLE_TLS_ENABLE value: 'on' - name: MINIO_OPERATOR_RUNTIME value: OpenShift
In the
volumes
section, add the following volumes and volume mounts:sts-tls
openshift-service-ca
openshift-csr-signer-ca
The added volume configuration resembles the following:
volumes: - name: sts-tls projected: sources: - secret: name: sts-tls items: - key: tls.crt path: public.crt - key: tls.key path: private.key optional: true defaultMode: 420 - name: openshift-service-ca configMap: name: openshift-service-ca.crt items: - key: service-ca.crt path: service-ca.crt defaultMode: 420 optional: true - name: openshift-csr-signer-ca projected: sources: - secret: name: openshift-csr-signer-ca items: - key: tls.crt path: tls.crt optional: true defaultMode: 420 volumeMounts: - name: openshift-service-ca mountPath: /tmp/service-ca - name: openshift-csr-signer-ca mountPath: /tmp/csr-signer-ca - name: sts-tls mountPath: /tmp/sts
OpenShift Service CA Certificate for Helm deployments
For Helm deployments on OpenShift, add the following environment variables and volumes to the values.yaml
in the Operator Helm chart before deploying.
The added YAML configuration for the operator
pod resembles the following:
operator:
env:
- name: MINIO_OPERATOR_RUNTIME
value: "OpenShift"
- name: MINIO_CONSOLE_TLS_ENABLE
value: "on"
volumes:
- name: sts-tls
projected:
sources:
- secret:
name: sts-tls
items:
- key: tls.crt
path: public.crt
- key: tls.key
path: private.key
optional: true
defaultMode: 420
- name: openshift-service-ca
configMap:
name: openshift-service-ca.crt
items:
- key: service-ca.crt
path: service-ca.crt
defaultMode: 420
optional: true
- name: openshift-csr-signer-ca
projected:
sources:
- secret:
name: openshift-csr-signer-ca
items:
- key: tls.crt
path: tls.crt
optional: true
defaultMode: 420
volumeMounts:
- name: openshift-service-ca
mountPath: /tmp/service-ca
- name: openshift-csr-signer-ca
mountPath: /tmp/csr-signer-ca
- name: sts-tls
mountPath: /tmp/sts
4) Open the MinIO Operator Interface
You can find the MinIO Operator Interface from the Operators left-hand navigation header
Go to Operators, then Installed Operators.
For the Project dropdown, select openshift-operators.
Select MinIO Operators from the list of installed operators. The Status column must read Success to access the Operator interface.
5) Access the Operator Console
The MinIO Operator includes the Operator Console, a browser-based management interface for managed MinIO tenants.
Port Forwarding
The Operator Console service does not automatically bind or expose itself for external access on the Kubernetes cluster. Instead, configure a network control plane component, such as a load balancer or ingress, to grant external access.
For testing purposes or short-term access, expose the Operator Console service through a NodePort using the following patch:
kubectl patch service -n minio-operator console -p '
{
"spec": {
"ports": [
{
"name": "http",
"port": 9090,
"protocol": "TCP",
"targetPort": 9090,
"nodePort": 30090
},
{
"name": "https",
"port": 9443,
"protocol": "TCP",
"targetPort": 9443,
"nodePort": 30433
}
],
"type": "NodePort"
}
}'
The patch command should output service/console patched
.
You can now access the service through ports 30433
(HTTPS) or 30090
(HTTP) on any of your Kubernetes worker nodes.
For example, a Kubernetes cluster with the following Operator nodes might be accessed at https://172.18.0.2:30443
:
kubectl get nodes -o custom-columns=IP:.status.addresses[:] IP map[address:172.18.0.5 type:InternalIP],map[address:k3d-MINIO-agent-3 type:Hostname] map[address:172.18.0.6 type:InternalIP],map[address:k3d-MINIO-agent-2 type:Hostname] map[address:172.18.0.2 type:InternalIP],map[address:k3d-MINIO-server-0 type:Hostname] map[address:172.18.0.4 type:InternalIP],map[address:k3d-MINIO-agent-1 type:Hostname] map[address:172.18.0.3 type:InternalIP],map[address:k3d-MINIO-agent-0 type:Hostname]
Use the following command to retrieve the JWT token necessary for logging into the Operator Console:
kubectl get secret/console-sa-secret -n minio-operator -o json | jq -r '.data.token' | base64 -d
If your local host does not have the jq
utility installed, you can run the kubectl
part of this command (before | jq
) and locate the data.token
section of the output.
You can create a permanent routing rule by creating a Route or Ingress to allow access from external clients, such as your local computer browser.
The following steps provides a summary of actions necessary to create a Route.
From Networking, go to Routes
Create a new Route in the MinIO Operator project. Select a recognizable route name, such as
operator-console-route
.Set the Hostname as per your organizations networking and hostname topology. Omit the hostname to allow OpenShift to generate it automatically
Set the Service to console
Set the Target Port to
9090
You can then access the Operator Console using the configured Route.
The Operator Console still requires using the generated JWT token for access, which you can generate at any time using oc minio port-forward
.
6) Next Steps
After deploying the MinIO Operator, you can create a new MinIO Tenant. To deploy a MinIO Tenant using OpenShift, see Deploy a Tenant using the OpenShift Web Console.