How to install MinIO Tenant using cert manager in OpenShift - cniackz/public GitHub Wiki

Objective:

Install MinIO Tenant using cert-manager in OpenShift

Steps:

  1. Create cluster:

```sh
crc stop
crc delete
crc setup
crc start
```
  2. Install Operator:

```sh
oc login -u kubeadmin https://api.crc.testing:6443
oc apply -k github.com/minio/operator/
# Grant the privileged SCC to the service accounts in the minio-operator namespace.
# privileged is the least restrictive SCC; this suits a disposable CRC cluster.
oc adm policy add-scc-to-user privileged -n minio-operator -z minio-operator
oc adm policy add-scc-to-user privileged -n minio-operator -z console-sa
oc adm policy add-scc-to-user privileged -n minio-operator -z default
oc adm policy add-scc-to-user privileged -n minio-operator -z builder
oc adm policy add-scc-to-user privileged -n minio-operator -z deployer
oc login -u kubeadmin https://api.crc.testing:6443
# Expose the Operator console on localhost:9090 (blocks until interrupted).
oc port-forward svc/console 9090 -n minio-operator
```
Save the following as `~/permissions.yaml`:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-cesar-5
rules:
  - apiGroups: [""]
    resources:
      - namespaces
      - resourcequotas
      - persistentvolumeclaims
    # deletecollection is an API verb, not a resource, so it is not listed under resources.
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  # ClusterRoleBinding is cluster-scoped, so metadata.namespace is omitted.
  name: role-binding-cesar-5
subjects:
# The subject namespace must be the one that holds the minio-operator service account.
- kind: ServiceAccount
  name: minio-operator
  namespace: openshift-operators
roleRef:
  kind: ClusterRole
  name: cluster-role-cesar-5
  apiGroup: rbac.authorization.k8s.io
```
```sh
oc login -u kubeadmin https://api.crc.testing:6443
oc apply -f ~/permissions.yaml
```
  3. Install cert-manager:

```sh
oc apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.yaml
```
  4. Install Tenant:
  • File: /home/ccelis/operator/examples/kustomization/tenant-certmanager/tenant.yaml

```yaml
apiVersion: minio.min.io/v2
kind: Tenant
metadata:
  name: storage
  namespace: minio-tenant
spec:
  ## Disable default TLS certificates.
  requestAutoCert: false
  ## Use certificates generated by cert-manager.
  externalCertSecret:
    - name: tenant-certmanager-tls
      type: cert-manager.io/v1
  pools:
  - name: pool-0
    servers: 1
    volumeClaimTemplate:
      apiVersion: v1
      kind: persistentvolumeclaims
      metadata:
        creationTimestamp: null
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 5Gi
        storageClassName: crc-csi-hostpath-provisioner
    volumesPerServer: 1
```

```sh
sleep 120 # wait 2 minutes
rm -rf ~/operator
cd ~/
git clone https://github.com/minio/operator.git
oc apply -k ~/operator/examples/kustomization/tenant-certmanager
oc create serviceaccount minio-operator -n tenant-certmanager
oc adm policy add-scc-to-user privileged -n tenant-certmanager -z minio-operator
oc adm policy add-scc-to-user privileged -n tenant-certmanager -z builder
oc adm policy add-scc-to-user privileged -n tenant-certmanager -z deployer
oc adm policy add-scc-to-user privileged -n tenant-certmanager -z default
```
  5. Tenant is running with TLS provided by cert-manager:

```
MinIO Object Storage Server
Copyright: 2015-2023 MinIO, Inc.
License: GNU AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
Version: RELEASE.2023-01-12T02-06-16Z (go1.19.4 linux/amd64)
Status: 1 Online, 0 Offline.
API: https://minio.tenant-certmanager.svc.cluster.local
Console: https://10.217.0.85:9443 https://127.0.0.1:9443
Documentation: https://min.io/docs/minio/linux/index.html
Warning: The standard parity is set to 0. This can lead to data loss.
You are running an older version of MinIO released 1 week ago
Update: Run `mc admin update`
```
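
The Tenant manifest above sets `requestAutoCert: false` and reads its TLS key pair from the secret `tenant-certmanager-tls`, which cert-manager fills in from a Certificate resource. As an added example (not taken from this page or from the MinIO Operator repository), an Issuer and Certificate of that shape, assuming a self-signed issuer, the hypothetical resource names `tenant-certmanager-issuer` and `tenant-certmanager-cert`, and the `tenant-certmanager` namespace and `storage` tenant name seen above:

```yaml
# Added example with assumed names; not the upstream example's own manifests.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: tenant-certmanager-issuer        # hypothetical name
  namespace: tenant-certmanager
spec:
  # Self-signed issuer: assumption for a local CRC cluster.
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tenant-certmanager-cert          # hypothetical name
  namespace: tenant-certmanager
spec:
  # Must equal spec.externalCertSecret[].name in the Tenant, and the secret
  # must live in the same namespace as the Tenant pods.
  secretName: tenant-certmanager-tls
  dnsNames:
    # Service name the server banner reports as its API endpoint.
    - minio.tenant-certmanager.svc.cluster.local
    - minio.tenant-certmanager.svc
    - minio.tenant-certmanager
    # Per-pod names behind the headless service (<tenant name>-hl),
    # assumed here for the tenant named "storage".
    - "*.storage-hl.tenant-certmanager.svc.cluster.local"
  issuerRef:
    kind: Issuer
    name: tenant-certmanager-issuer
```

Once cert-manager marks the Certificate as Ready, `oc get secret tenant-certmanager-tls -n tenant-certmanager` should show a secret of type `kubernetes.io/tls`.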