Relevant information:

Steps:

Create the private key:

openssl genrsa -out private.key 2048

cert.cnf with data from my tenant:

File: cert.cnf

[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
O = "system:nodes"
C = US
CN  = "system:node:*.pepe-hl.pepe.svc.cluster.local"

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = pepe-pool-0-0.pepe-hl.pepe.svc.cluster.local
DNS.2 = minio.pepe.svc.cluster.local
DNS.3 = minio.pepe
DNS.4 = .pepe.svc
DNS.5 = *.
DNS.6 = *.pepe.svc.cluster.local

Get the tenant.csr

openssl req -new -config cert.cnf -key private.key -out tenant.csr
                             |            |_ first openssl command (private key)
                             |__ file above

Encode:

cat tenant.csr | base64 | tr -d "\n"

Expected:

LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJRFJEQ0NBaXdDQVFBd1d6RVZNQk1HQTFVRUNnd01jM2x6ZEdWdE9tNXZaR1Z6TVFzd0NRWURWUVFHRXdKVgpVekUxTURNR0ExVUVBd3dzYzNsemRHVnRPbTV2WkdVNktpNXdaWEJsTFdoc0xuQmxjR1V1YzNaakxtTnNkWE4wClpYSXViRzlqWVd3d2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUR3dExua1dnRWoKcHZubWxSSm5SQmJUakZ5OTY2RG5JVEd6UW5abDAxejYxTldaQ2h6VFdwOE94bE9ybXI1TXBGeks3VUZGdm5KcgpiU1JwWlo2M0VVQUlJQndHbkk3Qm9vT0xEekRnNjk5SkRvV1pLZ0NHVjE3bEtNQ1hNZ3ZTN3ZSOTNuUTRRS3dKCkNYMEE3VVpjL0owa1ZzM1Bwa1lJM2VZK2RWeThhRnY5RnhZemUzc0UzcXJQZURJeEx4UkRRQ3MrT1lFQ3A4RW4KYUQyaFl6NUZTWmpXQTZOT0NaWDJBazdZUThzcVcwT3l2bDhGTnFhamxpQ25BWkUrNTlVREdja1Z4VU1LVDlmNgpoUUNwRm1QVy81d09haVYrZFdMZ2RKZnc4Ly9zbjZqN09PSi8vcjNsVW5BV2dQMmNkZDlTbWMxOG5QKzErNlJ0CksxeEFqNVhMU1d0REFnTUJBQUdnZ2FNd2dhQUdDU3FHU0liM0RRRUpEakdCa2pDQmp6Q0JqQVlEVlIwUkJJR0UKTUlHQmdpeHdaWEJsTFhCdmIyd3RNQzB3TG5CbGNHVXRhR3d1Y0dWd1pTNXpkbU11WTJ4MWMzUmxjaTVzYjJOaApiSUljYldsdWFXOHVjR1Z3WlM1emRtTXVZMngxYzNSbGNpNXNiMk5oYklJS2JXbHVhVzh1Y0dWd1pZSUpMbkJsCmNHVXVjM1pqZ2dJcUxvSVlLaTV3WlhCbExuTjJZeTVqYkhWemRHVnlMbXh2WTJGc01BMEdDU3FHU0liM0RRRUIKQ3dVQUE0SUJBUURzNXNvY1VscVpKUGZ0akdERnBsMkdVVTRlMlMyaTRNWU9xUzg0dzYzY3gvLzNMbjVsanA4RgpCK0Q0cGZ0NVZwb2dBQlVTSGFvTkpxSmJNZU5xTHZNdUNGNnREandnNFBZTlhDaVVSZlFiY0xWK2I4Y3JMUm1SClkzaUp1Zk9SR1laQTVWUkZ1SlpaZkhmcUNaaFAyVzFSeEtsRTJtbmdtYWtKOVZQNXozZkk4bll6UU9kMmNrR3oKZjNRVlBKZHMyaWFycUsyVEFkUVFvQWZvTlZOY1V6M0plaC9WRHJkbnNqOC9ibVBkOHpMc2R2T1ZHeFFjUWF2Swo4M2NEWnoyN1c5U2NDNkdtYzR2NHFUYU8xT3Y2TWNqU0tQWWxkZFNJdlF3T0crVU5CamRKU2dnZTNocFFCb2NnCmlvVTJYQStpME9XV2swTHB3K3h2UHo5R0VSR2VkS2NSCi0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=

Create CSR with above encoded message:

subl /Users/cniackz/minio/tenant.yaml

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: tenant-csr 
spec:
  groups:
  - system:serviceaccounts
  - system:serviceaccounts:minio-operator
  - system:authenticated
  - system:nodes
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJRFJEQ0NBaXdDQVFBd1d6RVZNQk1HQTFVRUNnd01jM2x6ZEdWdE9tNXZaR1Z6TVFzd0NRWURWUVFHRXdKVgpVekUxTURNR0ExVUVBd3dzYzNsemRHVnRPbTV2WkdVNktpNXdaWEJsTFdoc0xuQmxjR1V1YzNaakxtTnNkWE4wClpYSXViRzlqWVd3d2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUURuT2RmWHYvUDUKMFBUTnFPOXZkWDRvSWRDWFJNOHpvS0pSSVN0WVJsKzU0L3NzNlIxYzFnZCt5SkF1MmJaNzlobkE2aTdJOE84ZQprVUgrcmY4Tk11czdPMkF5QitPQjZaaDFqQlFJK2JTdk4wZndQaDFwekhkUE4rZHlReXdTV3E0Yld2WVJiQmJCCnRIWnBwUFFBWjMyaXZ0WVVsc3BOOHBuV2VETDI4SjNUZ2dhRFlzcnE0VW1Qb2lBUVZSN2pNUmJGV0E2SXZHM1kKYmh5VVI4dHVLU0NRNnYzdnI0WEt3ZnZ6bGRzZUJvZDlza3F3RVdXUjhjWGFkRlNXd1FjUm9OenpMTkc1aWpZYQpaQUNrd3ZXSGd5THBYQTNhZEl0MW9hblM4dXR2OHFNVTdoTWQrcmwreC92eHAwZ1gyYTdaaHdNTFFKcll4R2tmCm90eXc5MU1UejVGckFnTUJBQUdnZ2FNd2dhQUdDU3FHU0liM0RRRUpEakdCa2pDQmp6Q0JqQVlEVlIwUkJJR0UKTUlHQmdpeHdaWEJsTFhCdmIyd3RNQzB3TG5CbGNHVXRhR3d1Y0dWd1pTNXpkbU11WTJ4MWMzUmxjaTVzYjJOaApiSUljYldsdWFXOHVjR1Z3WlM1emRtTXVZMngxYzNSbGNpNXNiMk5oYklJS2JXbHVhVzh1Y0dWd1pZSUpMbkJsCmNHVXVjM1pqZ2dJcUxvSVlLaTV3WlhCbExuTjJZeTVqYkhWemRHVnlMbXh2WTJGc01BMEdDU3FHU0liM0RRRUIKQ3dVQUE0SUJBUUJEZUhRdktyOVE3NUdyOUN1OG9RSUFmelhvMXZreCtnZjhONGJTdWlGUnFLWEdMUDA3Mk54WAo2MXY4bW41V0krd0lMazdtMTA2MWQvaWtFc1F3R3pJL0lTbGIvcGdDeXQrNlg5MWFsQkMyd3NaVXBwKzJaeVZqClhDQlpESy84MDgzOHJseUU1dlR5TTVNQ1Q0ZlJkU1BDT3ZQQ0dtclFxNXpuZnRtbFdrYUM2VE1nbEhWc01MUXcKUVlFWjN2MmhualMxYVpIc1d4SEFuLys0YXF0cnl0UDZVWndxQStqUnFsS3ZUVURUSDJ0YnhJRkl2dVBocGtNdApwYW9IRTdiMGVRMm9rcm5FQk9UUUJPZm5aaC90MzFDOG5sdStVNFNJUkZ1S2JKVGlWZ3JrSGpMQWljS3p4YlEwCk4wTXV1d0JJT0xkdzllRmdGckRYd1ZjSXJsRnFwY0JVCi0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
  signerName: kubernetes.io/kubelet-serving
  usages:
  - digital signature
  - key encipherment
  - server auth
  username: system:serviceaccount:minio-operator:minio-operator

Apply it:

oc apply -f /Users/cniackz/minio/tenant.yaml

Expected:

$ oc apply -f /Users/cniackz/minio/tenant.yaml
certificatesigningrequest.certificates.k8s.io/tenant-csr created

Approve it:

k8s:

kubectl certificate approve tenant-csr

oc adm certificate approve tenant-csr

Expected:

$ kubectl certificate approve tenant-csr
certificatesigningrequest.certificates.k8s.io/tenant-csr approved

$ oc get csr
NAME         AGE   SIGNERNAME                      REQUESTOR   REQUESTEDDURATION   CONDITION
tenant-csr   56s   kubernetes.io/kubelet-serving   kubeadmin   <none>              Approved,Issued

Get the public cert:

oc get csr tenant-csr -o jsonpath='{.status.certificate}'| base64 -d > public.crt

================================

================================ PAY CLOSE ATTENTION TO THIS PART: For OpenShift, we need the Wildcard Certificate and the Signer in /var/run/secrets/kubernetes.io/serviceaccount/ca.crt. In Other words, above generated cert is not enough and has to be concatenated to the Signer then a WorkAround is needed to actually patch the proxy and put the cert in ca.crt.

# Steps obtained from: https://access.redhat.com/solutions/6013471
# How to add a custom CA/CA-chain to "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
# To add the CA/CA-chain to the pod level mounted CA file, which is /var/run/secrets/kubernetes.io/serviceaccount/ca.crt , the [custom ingress certificate configuration steps](https://docs.openshift.com/container-platform/4.7/security/certificates/replacing-default-ingress-certificate.html) can be used.

# First generate the certificate of the signer:
oc get secret csr-signer -n openshift-kube-controller-manager-operator -o template='{{ index .data "tls.crt"}}' | base64 -d > route-ca.crt

# Then, put together the above cert along with its signer in a file called ingress.pem
cat public.crt route-ca.crt > ingress.pem

# Create a secret using the ingress.pem file above and the private.key from step 1
oc create secret tls secretocuatro --cert=ingress.pem --key=private.key -n openshift-ingress

# Patch it, and wait for couple of minutes for the cert to be located at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
oc patch ingresscontroller.operator default --type=merge -p '{"spec":{"defaultCertificate": {"name": "secretocuatro"}}}' -n openshift-ingress-operator

================================

Verify it:

openssl verify -verbose -CAfile /var/run/secrets/kubernetes.io/serviceaccount/ca.crt public.crt
                                                                                          |__ File generated step above

Expected in k8s is:

root@ubuntu:/tmp# openssl verify -verbose -CAfile /var/run/secrets/kubernetes.io/serviceaccount/ca.crt public.crt 
public.crt: OK

Expected in OpenShift:

root@ubuntu:/attempt1# openssl verify -verbose -CAfile /var/run/secrets/kubernetes.io/serviceaccount/ca.crt public.crt
public.crt: OK

Deploy Operator
Deploy Tenant
Tenant can be deployed and Operator pod can trust its certificate because we helped operator:

sh-4.4$ curl https://minio.pepe.svc.cluster.local
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
sh-4.4$ 
sh-4.4$ 
sh-4.4$ 
sh-4.4$ curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt https://minio.pepe.svc.cluster.local
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied.</Message><Resource>/</Resource><RequestId>17268F12146D2618</RequestId><HostId>a14d363c-841a-4a5f-b879-3218f17ab6d6</HostId></Error>sh-4.4$ 
sh-4.4$ 
sh-4.4$ 
sh-4.4$ 
sh-4.4$ 
sh-4.4$

MinIO TLS Process certificate k8s and OpenShift - cniackz/public GitHub Wiki

Relevant information:

Steps:

================================

================================

⚠️ GitHub.com Fallback ⚠️

MinIO TLS Process certificate k8s and OpenShift - cniackz/public GitHub Wiki

Relevant information:

Steps:

================================

================================

⚠️ **GitHub.com Fallback** ⚠️

⚠️ GitHub.com Fallback ⚠️