fix(api): MinIO health check use dynamic scheme and verify (Closes #13159 and #13158) (#13197)

## Summary Fixes MinIO SSL/TLS support in two places: the MinIO **client** connection and the **health check** used by the Admin/Service Health dashboard. Both now respect the `secure` and `verify` settings from the MinIO configuration. Closes #13158 Closes #13159 --- ## Problem **#13158 – MinIO client:** The client in `rag/utils/minio_conn.py` was hardcoded with `secure=False`, so RAGFlow could not connect to MinIO over HTTPS even when `secure: true` was set in config. There was also no way to disable certificate verification for self-signed certs. **#13159 – MinIO health check:** In `api/utils/health_utils.py`, the MinIO liveness check always used `http://` for the health URL. When MinIO was configured with SSL, the health check failed and the dashboard showed "timeout" even though MinIO was reachable over HTTPS. --- ## Solution ### MinIO client (`rag/utils/minio_conn.py`) - Read `MINIO.secure` (default `false`) and pass it into the `Minio()` constructor so HTTPS is used when configured. - Add `_build_minio_http_client()` that reads `MINIO.verify` (default `true`). When `verify` is false, return an `urllib3.PoolManager` with `cert_reqs=ssl.CERT_NONE` and pass it as `http_client` to `Minio()` so self-signed certificates are accepted. - Support string values for `secure` and `verify` (e.g. `"true"`, `"false"`). ### MinIO health check (`api/utils/health_utils.py`) - Add `_minio_scheme_and_verify()` to derive URL scheme (http/https) and the `verify` flag from `MINIO.secure` and `MINIO.verify`. - Update `check_minio_alive()` to use the correct scheme, pass `verify` into `requests.get(..., verify=verify)`, and use `timeout=10`. ### Config template (`docker/service_conf.yaml.template`) - Add commented optional MinIO keys `secure` and `verify` (and env vars `MINIO_SECURE`, `MINIO_VERIFY`) so deployers know they can enable HTTPS and optional cert verification. ### Tests - **`test/unit_test/utils/test_health_utils_minio.py`** – Tests for `_minio_scheme_and_verify()` and `check_minio_alive()` (scheme, verify, status codes, timeout, errors). - **`test/unit_test/utils/test_minio_conn_ssl.py`** – Tests for `_build_minio_http_client()` (verify true/false/missing, string values, `CERT_NONE` when verify is false). --- ## Testing - Unit tests added/updated as above; run with the project's test runner. - Manually: configure MinIO with HTTPS and `secure: true` (and optionally `verify: false` for self-signed); confirm client operations work and the Service Health dashboard shows MinIO as alive instead of timeout.
2026-05-05 17:57:47 +08:00 · 2026-02-25 09:47:12 +08:00
parent c292d617ca
commit f4cbdc3a3b
5 changed files with 267 additions and 8 deletions
--- a/rag/utils/minio_conn.py
+++ b/rag/utils/minio_conn.py
@ -15,15 +15,29 @@
 #

 import logging
+import ssl
 import time
 from minio import Minio
 from minio.commonconfig import CopySource
 from minio.error import S3Error, ServerError, InvalidResponseError
 from io import BytesIO
+import urllib3
 from common.decorator import singleton
 from common import settings


+def _build_minio_http_client():
+    """
+    Build an optional urllib3 HTTP client for MinIO when using SSL/TLS.
+    Respects MINIO.verify (default True) to allow self-signed certificates
+    when set to False.
+    """
+    verify = settings.MINIO.get("verify", True)
+    if verify is True or verify == "true" or verify == "1":
+        return None
+    return urllib3.PoolManager(cert_reqs=ssl.CERT_NONE)
+
+
@singleton
 class RAGFlowMinio:
    def __init__(self):
@ -83,11 +97,17 @@ class RAGFlowMinio:
            pass

        try:
-            self.conn = Minio(settings.MINIO["host"],
-                              access_key=settings.MINIO["user"],
-                              secret_key=settings.MINIO["password"],
-                              secure=False
-                              )
+            secure = settings.MINIO.get("secure", False)
+            if isinstance(secure, str):
+                secure = secure.lower() in ("true", "1", "yes")
+            http_client = _build_minio_http_client()
+            self.conn = Minio(
+                settings.MINIO["host"],
+                access_key=settings.MINIO["user"],
+                secret_key=settings.MINIO["password"],
+                secure=secure,
+                http_client=http_client,
+            )
        except Exception:
            logging.exception(
                "Fail to connect %s " % settings.MINIO["host"])