sekthor

Reputation: 514

Minio does not recognize credentials when loaded from Kubernetes secrets

I am running a minio deployment in a Kubernetes Cluster. I used to have the access- and secret key in clear text in the yaml files as follows:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: minio
spec:
...
      containers:
        - name: minio
          volumeMounts:
            - name: data
              mountPath: "/data"
          image: minio/minio:RELEASE.2021-04-06T23-11-00Z
          args:
            - gateway
            - nas
            - /data
          env:
            - name: MINIO_ACCESS_KEY
              value: "minio"
            - name: MINIO_SECRET_KEY
              value: "mysupersecretkey"
...

This works fine. However, when I move the credentials into a Kubernetes secret, minio no longer recognizes these credentials, even though they are loaded into the same environment variables:

apiVersion: apps/v1
kind: Deployment
...
      containers:
        - name: minio
          ...
          env:
            - name: MINIO_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: minio-secret
                  key: minioAccessKey
            - name: MINIO_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: minio-secret
                  key: minioSecretKey
...

I can confirm that these credentials get mounted properly into the container as environment variables:

$ echo $MINIO_ACCESS_KEY
minio
$ echo $MINIO_SECRET_KEY
mysupersecretkey

But minio does not recognize these credentials:

minio error

Is there any difference in how these variables are used when they originate from a Kubernetes secret?

EDIT

I have also tried with the MINIO_ROOT_USER and MINIO_ROOT_PASSWORD variables, as the docs suggest. However, this results in the same error using Kubernetes secrets and no error with clear text.

Upvotes: 0

Views: 1394

Answers (1)

sekthor

Reputation: 514

I have solved the problem, which was caused by the way the credentials were written into the Kubernetes secrets. It turned out that the tools I was using appended a \n (0x0a) newline character to the base64 encoded secret.

This is why the credentials never matched what I entered into the login UI.

Upvotes: 1
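A check for the cause described in this answer, as an added example that is not part of the original post: it decodes every value of a Secret in the JSON form printed by `kubectl get secret minio-secret -o json` and reports stray whitespace, which the output of `echo $MINIO_ACCESS_KEY` does not make visible. The sample Secret is constructed, the names `audit_secret` and `encode` are hypothetical, and the example assumes the newline ended up inside the decoded value.

```python
import base64
import json


def audit_secret(secret_json):
    """Map each key under .data to the whitespace problems in its decoded value."""
    findings = {}
    for key, b64 in json.loads(secret_json).get("data", {}).items():
        raw = base64.b64decode(b64, validate=True)
        problems = []
        if raw.endswith(b"\n"):
            problems.append("trailing newline (0x0a)")
        elif raw != raw.rstrip():
            problems.append("trailing whitespace")
        if raw != raw.lstrip():
            problems.append("leading whitespace")
        # Control bytes inside the value are just as invisible in a terminal.
        if any(b < 0x20 or b == 0x7F for b in raw.strip()):
            problems.append("embedded control character")
        if problems:
            findings[key] = problems
    return findings


def encode(value):
    """Base64-encode bytes the way they appear under .data in a Secret."""
    return base64.b64encode(value).decode("ascii")


# Constructed sample: the access key was encoded with a trailing newline
# (what `echo value | base64` produces), the secret key was encoded cleanly.
SAMPLE_SECRET = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "minio-secret"},
    "data": {
        "minioAccessKey": encode(b"minio\n"),
        "minioSecretKey": encode(b"mysupersecretkey"),
    },
})

if __name__ == "__main__":
    for key, problems in audit_secret(SAMPLE_SECRET).items():
        print(f"{key}: {', '.join(problems)}")
```
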
