cert-manager in aistor - cniackz/public GitHub Wiki

🧪 Objective:

Use cert-manager to issue the TLS certificates for an ObjectStore in AIStor, with disableAutoCert: true, and verify that the pods start correctly with the custom TLS material (without the operator's self-signed certificates).


✅ Steps adapted for AIStor

1. Install cert-manager

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.4/cert-manager.yaml
kubectl wait -n cert-manager --for=condition=ready pod -l app=cert-manager --timeout=120s
kubectl wait -n cert-manager --for=condition=ready pod -l app=cainjector --timeout=120s
kubectl wait -n cert-manager --for=condition=ready pod -l app=webhook --timeout=120s

2. Install the AIStor Operator

cd
rm -rf aistor-operator/
git clone https://github.com/miniohq/aistor-operator.git
cd aistor-operator
kustomize build . > operator.yaml
k apply -f operator.yaml

Expected:

$ k get pods -n aistor
NAME                                     READY   STATUS    RESTARTS   AGE
adminjob-operator-84fcb5957c-ddgl8       1/1     Running   0          39s
object-store-operator-6bc9cfb689-vd66n   1/1     Running   0          39s

3. Install the ObjectStore with cert-manager

  • Path (inside the aistor-operator checkout): examples/kustomization/objectstore-certmanager

kustomize build /Users/cniackz/aistor-operator/examples/kustomization/objectstore-certmanager > objectstore-certmanager.yaml
k apply -f objectstore-certmanager.yaml

Right, you understood it correctly: cert-manager generates temporary Secrets with random suffixes (such as -mp5kv or -sls5d), but it does not create the final Secret (tenant-certmanager-ca-tls) automatically until the Certificate has been issued successfully and the Issuer is ready.

In your case, what is missing is the ClusterIssuer named selfsigned-root, which has to exist and be accessible cluster-wide. It is not there:

IssuerNotFound: clusterissuer.cert-manager.io "selfsigned-root" not found

✅ So, create this cluster-wide ClusterIssuer:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-root
spec:
  selfSigned: {}

Save it as clusterissuer.yaml and apply it with:

kubectl apply -f clusterissuer.yaml

Then confirm that the Certificates, the Issuer and the final Secrets are Ready:

Cesars-MacBook-Pro:~ cniackz$ kubectl get certificate -n objectstore-certmanager
NAME                                     READY   SECRET                           AGE
objectstore-certmanager-ca-certificate   True    objectstore-certmanager-ca-tls   15m
objectstore-certmanager-cert             True    myminio-tls                      15m
Cesars-MacBook-Pro:~ cniackz$ 
Cesars-MacBook-Pro:~ cniackz$ 
Cesars-MacBook-Pro:~ cniackz$ kubectl get issuer -n objectstore-certmanager
NAME                             READY   AGE
objectstore-certmanager-issuer   True    15m
Cesars-MacBook-Pro:~ cniackz$ 
Cesars-MacBook-Pro:~ cniackz$ 
Cesars-MacBook-Pro:~ cniackz$ kubectl get secret -n objectstore-certmanager
NAME                             TYPE                DATA   AGE
minio-license                    Opaque              1      13m
myminio-generated                Opaque              5      23s
myminio-tls                      kubernetes.io/tls   3      50s
objectstore-certmanager-ca-tls   kubernetes.io/tls   3      77s
storage-configuration            Opaque              1      15m
storage-user                     Opaque              2      15m

Create the operator-ca-tls secret in the operator namespace, so the operator trusts the CA that issued the ObjectStore certificate:

Cesars-MacBook-Pro:~ cniackz$ kubectl get secret -n objectstore-certmanager myminio-tls -o=jsonpath='{.data.ca\.crt}' | base64 -d > private.crt
Cesars-MacBook-Pro:~ cniackz$ 
Cesars-MacBook-Pro:~ cniackz$ cat private.crt
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
Cesars-MacBook-Pro:~ cniackz$ 
Cesars-MacBook-Pro:~ cniackz$ 
Cesars-MacBook-Pro:~ cniackz$ kubectl create secret generic operator-ca-tls --from-file=private.crt -n aistor
secret/operator-ca-tls created
Cesars-MacBook-Pro:~ cniackz$ kubectl rollout restart deployment.apps/object-store-operator -n aistor
deployment.apps/object-store-operator restarted

Issue observed:

Failed to pull image "quay.io/minio/aistor/minio-sidecar:RELEASE.2025-07-01T00-09-56Z"

Solving: edit the ObjectStore and set the MinIO image explicitly:

$ k edit ObjectStore -n objectstore-certmanager
objectstore.aistor.min.io/myminio edited

spec:
  image: quay.io/minio/aistor/minio:latest

The component images the operator uses are configured in its ConfigMap (object-store-operator in namespace aistor):

apiVersion: v1
kind: ConfigMap
metadata:
  name: object-store-operator
  namespace: aistor
data:
  kes: |
    image: "quay.io/minio/kes:2025-03-12T09-35-18Z"
  kes-sidecar: |
    image: "quay.io/minio/aistor/kes-sidecar:RELEASE.2025-07-01T00-09-56Z"
  kms-sidecar: |
    image: "quay.io/minio/aistor/kms-sidecar:RELEASE.2025-04-30T06-02-27Z"
  minio: |
    image: "quay.io/minio/aistor/minio:RELEASE.2025-06-27T22-30-56Z"
  minio-sidecar: |
    image: "quay.io/minio/aistor/minio-sidecar:RELEASE.2025-06-30T21-59-04Z"