Test KES with cert‐manager - cniackz/public GitHub Wiki

Objective:

To use cert-manager for KES and the tenant.

Current Steps:

  1. Install KES as in https://github.com/cniackz/public/wiki/Test-KES

  2. Once KES is up and running, install cert-manager:

```shell
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.yaml

echo "Wait until cert-manager pods are running:"
kubectl wait -n cert-manager --for=condition=ready pod -l app=cert-manager --timeout=120s
kubectl wait -n cert-manager --for=condition=ready pod -l app=cainjector --timeout=120s
kubectl wait -n cert-manager --for=condition=ready pod -l app=webhook --timeout=120s
```

  3. Apply the issuer:

```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: tenant-certmanager-issuer
  namespace: default
spec:
  selfSigned: {}
```

  4. Apply the first certificate (its secret is used for KES in step 8):

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tenant-certmanager-2-cert
  namespace: default
spec:
  dnsNames:
  - '*.default.svc.cluster.local'
  - '*.minio.default.svc.cluster.local'
  - '*.kes-tenant-hl.default.svc.cluster.local'
  issuerRef:
    name: tenant-certmanager-issuer
  secretName: tenant-certmanager-2-tls
```

  5. Apply the second certificate (its secret is used for the Tenant in step 7):

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tenant-certmanager-cert
  namespace: default
spec:
  dnsNames:
  - '*.default.svc.cluster.local'
  - '*.minio.default.svc.cluster.local'
  - '*.kes-tenant-hl.default.svc.cluster.local'
  issuerRef:
    name: tenant-certmanager-issuer
  secretName: tenant-certmanager-tls
```

  6. Turn off requestAutoCert in the Tenant spec:

```yaml
spec:
  requestAutoCert: false
```

  7. Set the Tenant certificate to be external, provided by cert-manager:

```yaml
spec:
  externalCertSecret:
  - name: tenant-certmanager-tls
    type: cert-manager.io/v1
```

  8. Set the KES certificate to be external, provided by cert-manager:

```yaml
spec:
  kes:
    externalCertSecret:
      name: tenant-certmanager-2-tls
      type: cert-manager.io/v1
```

  9. Copy the cert-manager CA from the tenant certificate secret into the `operator-ca-tls` secret. This makes the Operator trust the cert-manager CA, and therefore the Tenant certificate. Instructions from: https://github.com/minio/operator/blob/master/docs/cert-manager.md#create-operator-ca-tls-secret

```shell
kubectl get secrets -n default tenant-certmanager-tls -o=jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
kubectl create secret generic operator-ca-tls --from-file=ca.crt -n minio-operator
kubectl rollout restart deployment.apps/minio-operator -n minio-operator
```
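A check worth running after step 9, added here as an example that is not part of this wiki page or of MinIO Operator: it builds a stand-in for the `tenant-certmanager-tls` secret (with a selfSigned issuer, cert-manager stores the certificate itself as `ca.crt`), verifies that `tls.crt` validates against that `ca.crt`, and confirms the wildcard dnsNames cover the MinIO and KES service hostnames while rejecting a name with an extra label and a name from another namespace. The key, certificate and hostnames are constructed; openssl 1.1.1 or later on PATH is assumed.

```shell
#!/bin/sh
# Added example, not from the wiki: emulate the Secret a cert-manager selfSigned
# Issuer produces for the tenant Certificate above, then run the checks worth
# doing before copying its ca.crt into operator-ca-tls. Assumes openssl 1.1.1+.
set -e

WORK="${TMPDIR:-/tmp}/kes-certmanager-check.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Stand-in for tenant-certmanager-tls: a self-signed leaf carrying the three
# wildcard dnsNames from the Certificate resource. With a selfSigned Issuer
# cert-manager stores the leaf itself as ca.crt, so copy it (constructed key/cert).
make_selfsigned_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=minio-tenant" \
    -addext "subjectAltName=DNS:*.default.svc.cluster.local,DNS:*.minio.default.svc.cluster.local,DNS:*.kes-tenant-hl.default.svc.cluster.local" \
    -keyout "$WORK/tls.key" -out "$WORK/tls.crt" >/dev/null 2>&1
  cp "$WORK/tls.crt" "$WORK/ca.crt"
}

# Check 1: tls.crt must validate against ca.crt; this is what the Operator
# does with operator-ca-tls when it connects to the tenant.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/tls.crt" >/dev/null 2>&1
}

# Check 2: does the certificate cover a service hostname? -checkhost applies
# the same wildcard rule a TLS client does: '*' matches exactly one DNS label.
cert_covers_host() {
  openssl x509 -in "$WORK/tls.crt" -noout -checkhost "$1" | grep -q "does match"
}

# Constructed hostnames for the tenant service, a MinIO pod and a KES pod in the
# default namespace, plus two that must fail: an extra label, another namespace.
run_checks() {
  rc=0
  verify_chain && echo "chain: OK" || { echo "chain: FAIL"; rc=1; }
  for host in minio.default.svc.cluster.local \
              myminio-pool-0-0.minio.default.svc.cluster.local \
              kes-tenant-0.kes-tenant-hl.default.svc.cluster.local; do
    cert_covers_host "$host" && echo "covers  $host" || { echo "MISSING $host"; rc=1; }
  done
  for host in a.b.minio.default.svc.cluster.local minio.other.svc.cluster.local; do
    cert_covers_host "$host" && { echo "UNEXPECTED match $host"; rc=1; } || echo "rejects $host"
  done
  return $rc
}

make_selfsigned_cert
run_checks
```

Against a live cluster, replace the constructed files with the decoded `tls.crt` from `kubectl get secret -n default tenant-certmanager-tls -o=jsonpath='{.data.tls\.crt}' | base64 -d` and the `ca.crt` extracted in step 9.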

Results:

  • As a result, the tenant and KES use the certificates generated by cert-manager instead of certificates generated by MinIO.
  • Mon Jan 15 2024 @ 5:37 pm GDL Time: tested and passed.