The App Store of OpenShift: MinIO in OperatorHub
Running AI data storage infrastructure in the cloud is very expensive. Not only is it expensive to store the data, but every time your applications consume the data from your AI data storage infrastructure you get charged ingress and egress fees. At one point, when cloud was new and the scale of the data was small, the costs were negligible. But with cloud costs rising, industries have been looking to repatriate their data from the cloud without losing out on the cloud native benefits. That is the key here: repatriating out of the cloud without losing the ability to manage your infrastructure cloud natively.
That is where OpenShift OperatorHub comes in. One of the driving proponents of the cloud repatriation movement is OpenShift. OpenShift brings world-class cloud native ability to manage Kubernetes right on your own infrastructure from your own data center. Simply put, OperatorHub to OpenShift is what App Store is to Apple. With a web console interface, an Operator can be pulled from its off-cluster source, installed and subscribed on the cluster, and made ready for engineering teams to self-service manage the product across deployment environments.
Today we’ll show you how to install the MinIO operator using OperatorHub. In the process we’ll show you how to set up and test your local testing environment while using OpenShift with MinIO operator.
MinIO Operator via OperatorHub
Be sure to install crc on your Ubuntu machine. To learn more about CRC please refresh with this blog post.
MinIO Operator Console
Expose the operator, open the web page http://localhost:9090/login and get the token from the secret:
oc login -u kubeadmin https://api.crc.testing:6443
oc port-forward svc/console 9090 -n openshift-operators
Apply these permissions so that the operator can create the namespace and get its quotas; this somehow also grants the access needed to display the storage class in OpenShift.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-cesar-5
rules:
- apiGroups: [""]
  resources:
  - namespaces
  - resourcequotas
  - deletecollection
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: role-binding-cesar-5
  namespace: openshift-operators
subjects:
- kind: ServiceAccount
  name: minio-operator
  namespace: openshift-operators
roleRef:
  kind: ClusterRole
  name: cluster-role-cesar-5
  apiGroup: rbac.authorization.k8s.io
oc login -u kubeadmin https://api.crc.testing:6443
oc apply -f ~/permissions.yaml
oc adm policy add-scc-to-user privileged -n openshift-operators -z minio-operator
oc adm policy add-scc-to-user privileged -n openshift-operators -z console-sa
oc adm policy add-scc-to-user privileged -n openshift-operators -z default
oc adm policy add-scc-to-user privileged -n openshift-operators -z builder
oc adm policy add-scc-to-user privileged -n openshift-operators -z deployer

oc create namespace rafta
oc create serviceaccount minio-operator -n rafta
oc adm policy add-scc-to-user privileged -n rafta -z minio-operator
oc adm policy add-scc-to-user privileged -n rafta -z builder
oc adm policy add-scc-to-user privileged -n rafta -z deployer
oc adm policy add-scc-to-user privileged -n rafta -z default
Create MinIO Tenant
Via the operator console create a tenant
Access Key: STSKAzp1TAsd9TGV
Secret Key: XzMOmH6erHeXzBM8dWAsf5LlOfSRKw7k
After the pod is created, you will see the following issue:
ERROR Unable to initialize backend: parity validation returned an error: parity 4 should be less than or equal to 0 <- (4, 1), for pool(1st)
To correct this, go to the tenant configuration at http://localhost:9090/namespaces/rafta/tenants/rafta/configuration and change EC:4 to EC:0.
Updating Cert
In order for TLS to work we have to update the certs used by the MinIO operator, let’s go ahead and do that.
First, extract the certificate of the signer:
oc get secret csr-signer -n openshift-kube-controller-manager-operator -o template='{{ index .data "tls.crt"}}' | base64 -d > route-ca.crt
Then, put together the above cert along with its signer in a file called ingress.pem.
cat public.crt route-ca.crt > ingress.pem
Create a secret using the ingress.pem file above and the private.key from the previous step:
oc create secret tls secretocuatro --cert=ingress.pem --key=private.key -n openshift-ingress
Patch it using kubectl, and wait a couple of minutes for the cert to be located at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt.
oc patch ingresscontroller.operator default --type=merge -p '{"spec":{"defaultCertificate": {"name": "secretocuatro"}}}' -n openshift-ingress-operator
Wait a few moments while things get ready after the change; the Operator will then work and be able to communicate.
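A mismatched key or a bundle in the wrong order only shows up after the ingress controller has been patched, so it is worth checking ingress.pem and private.key before creating the secret. The script below is an added example, not part of the original post: check_ingress_bundle and make_constructed_pki are hypothetical helper names, and the throwaway signer and certificate are constructed sample data that stand in for the cluster's csr-signer so the check runs without a cluster.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical;
# file names (public.crt, route-ca.crt, private.key, ingress.pem) follow the page.

# check_ingress_bundle LEAF SIGNER KEY BUNDLE -> returns 0 when all checks pass
check_ingress_bundle() {
  cib_leaf=$1 cib_ca=$2 cib_key=$3 cib_bundle=$4
  # 1. private.key must be the key certified by public.crt
  cib_pub=$(openssl x509 -in "$cib_leaf" -noout -pubkey 2>/dev/null)
  [ -n "$cib_pub" ] &&
    [ "$cib_pub" = "$(openssl pkey -in "$cib_key" -pubout 2>/dev/null)" ] ||
    { echo "private key does not match $cib_leaf" >&2; return 1; }
  # 2. public.crt must verify against the signer certificate
  openssl verify -CAfile "$cib_ca" "$cib_leaf" >/dev/null 2>&1 ||
    { echo "$cib_leaf is not signed by $cib_ca" >&2; return 2; }
  # 3. the serving certificate must be the first certificate in the bundle
  [ "$(openssl x509 -in "$cib_bundle" -noout -fingerprint -sha256 2>/dev/null)" = \
    "$(openssl x509 -in "$cib_leaf" -noout -fingerprint -sha256)" ] ||
    { echo "$cib_bundle does not start with $cib_leaf" >&2; return 3; }
  # 4. the serving certificate must not have expired
  openssl x509 -in "$cib_leaf" -noout -checkend 0 >/dev/null ||
    { echo "$cib_leaf has expired" >&2; return 4; }
}

# Build a throwaway signer and serving certificate (constructed sample data)
# in directory $1, using the page's file names.
make_constructed_pki() {
  ( cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=constructed-signer" -keyout signer.key -out route-ca.crt &&
    openssl req -newkey rsa:2048 -nodes \
      -subj "/CN=constructed.example.test" -keyout private.key -out public.csr &&
    openssl x509 -req -in public.csr -days 1 -CA route-ca.crt \
      -CAkey signer.key -CAcreateserial -out public.crt &&
    cat public.crt route-ca.crt > ingress.pem ) >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_constructed_pki "$demo_dir"
check_ingress_bundle "$demo_dir/public.crt" "$demo_dir/route-ca.crt" \
  "$demo_dir/private.key" "$demo_dir/ingress.pem" && echo "bundle OK"
rm -rf "$demo_dir"
```

With the real files, call check_ingress_bundle public.crt route-ca.crt private.key ingress.pem; a non-zero return code identifies which of the four checks failed.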
Operator App Store
OperatorHub is the de facto App Store of Operators for the OpenShift ecosystem. The operators that get listed on OperatorHub are thoroughly tested, vetted and supported by their respective authors. The authors can range from community operators to certified operators (such as MinIO) and also Red Hat themselves. This gives your organization peace of mind knowing that the operators your developers install can be trusted with security and compliance. Operators have access to very critical pieces of infrastructure, and you don’t want to just install some random operator from a GitHub repo which might degrade the performance of your system or, in the worst case, compromise it. So it’s paramount that your developers are given access to such Operator Marketplaces so they can build the infrastructure needed to power your application.
If you have any questions on the MinIO Operator or how to install it on an OpenShift cluster, be sure to reach out to us on Slack!