KES certificate auto rotate with cert‐manager - allanrogerr/public GitHub Wiki
Create a TLS-enabled MinIO Operator and tenant with KES, e.g. with https://github.com/allanrogerr/public/blob/main/minio/supporting-scripts/kes-k8s-operator-tenant.sh. Then log in to the cluster host:
ssh -p 20412 [email protected] -o "ServerAliveInterval=5" -o "ServerAliveCountMax=100000" -o "StrictHostKeyChecking=off"
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.4/cert-manager.yaml
kubectl wait -n cert-manager --for=condition=ready pod -l app=cert-manager --timeout=120s
kubectl wait -n cert-manager --for=condition=ready pod -l app=cainjector --timeout=120s
kubectl wait -n cert-manager --for=condition=ready pod -l app=webhook --timeout=120s
cat << EOF > tenant-cert-manager-issuer.yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: tenant-certmanager-issuer
  namespace: tenant-kms-encrypted
spec:
  selfSigned: {}
EOF
kubectl apply -f tenant-cert-manager-issuer.yaml
cat << EOF > tenant-certmanager-cert.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tenant-certmanager-cert
  namespace: tenant-kms-encrypted
spec:
  dnsNames:
    - '*.tenant-kms-encrypted.svc.cluster.local'
    - '*.minio.tenant-kms-encrypted.svc.cluster.local'
    - '*.myminio-kes-hl-svc.tenant-kms-encrypted.svc.cluster.local'
  issuerRef:
    name: tenant-certmanager-issuer
  secretName: tenant-cert-manager-tls
EOF
kubectl apply -f tenant-certmanager-cert.yaml
kubectl patch tenant -n tenant-kms-encrypted myminio --type='merge' -p '{"spec":{"kes":{"externalCertSecret":{"name": "tenant-cert-manager-tls", "type": "cert-manager.io/v1"}}}}'
See https://github.com/minio/operator/blob/master/docs/cert-manager.md#create-operator-ca-tls-secret
Note: in the tenant spec, set requestAutoCert to false so the operator does not issue its own certificates alongside the cert-manager ones.
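Before relying on the rotated certificate, it is worth checking that the dnsNames in the Certificate above actually cover every in-cluster hostname KES and MinIO are dialed at, since a wildcard SAN only matches a single leftmost label. The following added check (not part of the wiki page or the MinIO Operator) takes the dnsNames from the manifest above and a constructed list of hostnames assumed from the operator's naming pattern for tenant myminio in namespace tenant-kms-encrypted; verify the hostnames against your own cluster.

```python
"""Check that a cert-manager Certificate's dnsNames cover the hostnames
MinIO and the operator use to reach KES (RFC 6125 wildcard rules).
Added example; the hostname list below is constructed, not read from a cluster."""

# dnsNames copied from the Certificate manifest on this page
CERT_DNS_NAMES = [
    "*.tenant-kms-encrypted.svc.cluster.local",
    "*.minio.tenant-kms-encrypted.svc.cluster.local",
    "*.myminio-kes-hl-svc.tenant-kms-encrypted.svc.cluster.local",
]

# Assumed in-cluster names for tenant 'myminio' (constructed from the operator's
# <tenant>-kes-hl-svc / <tenant>-kes-N naming; confirm with `kubectl get svc,pod`).
KES_HOSTS = [
    "myminio-kes-hl-svc.tenant-kms-encrypted.svc.cluster.local",
    "myminio-kes-0.myminio-kes-hl-svc.tenant-kms-encrypted.svc.cluster.local",
    "minio.tenant-kms-encrypted.svc.cluster.local",
]


def san_matches(pattern: str, hostname: str) -> bool:
    """True if a SAN entry matches hostname; '*' may only replace the whole
    leftmost label, so '*.ns.svc.cluster.local' does not cover 'a.b.ns.svc.cluster.local'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject partial wildcards ('foo*') and label-count mismatches.
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def uncovered_hosts(dns_names, hostnames):
    """Return the hostnames not matched by any SAN entry in dns_names."""
    return [h for h in hostnames if not any(san_matches(p, h) for p in dns_names)]


if __name__ == "__main__":
    missing = uncovered_hosts(CERT_DNS_NAMES, KES_HOSTS)
    print("all KES/MinIO hostnames covered" if not missing else f"uncovered: {missing}")
    # Show why the third dnsName matters: without it the KES pod name is uncovered.
    print("without the kes-hl-svc wildcard:", uncovered_hosts(CERT_DNS_NAMES[:2], KES_HOSTS))
```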