certConfig - cniackz/public GitHub Wiki

Objective:

To explain certConfig functionality

Tested:

Wed Jan 4 2023 @ 4:39 pm

Explanation:

If you deploy your tenant with below configuration, api.apps.ocp4.openshift.zone domain will be recognized by the certificate:

File: /Users/cniackz/operator/examples/kustomization/base/tenant.yaml

  ## This field is used only when "requestAutoCert" is set to true. Use this field to set CommonName
  ## for the auto-generated certificate. Internal DNS name for the pod will be used if CommonName is
  ## not provided. DNS name format is *.minio.default.svc.cluster.local
  certConfig:
    commonName: 'system:node:*.storage-lite-hl.tenant-lite.svc.cluster.local'
    dnsNames:
      - api.apps.ocp4.openshift.zone
      - storage-lite-pool-0-{0...3}.storage-lite-hl.tenant-lite.svc.cluster.local
      - minio.tenant-lite.svc.cluster.local
      - minio.tenant-lite
      - minio.tenant-lite.svc
      - '*.storage-lite-hl.tenant-lite.svc.cluster.local'
      - '*.tenant-lite.svc.cluster.local'

https://www.sslchecker.com/certdecoder

Then it will not be rejected:

root@ubuntu:/# mc alias set myminio https://api.apps.ocp4.openshift.zone minio minio123
Added `myminio` successfully.

Otherwise, if not added while deploying the tenant you will get:

$ mc ls alias
mc: <ERROR> Unable to list folder. Get "https://api.apps.ocp4.openshift.zone/": x509: certificate is valid for tenant-ss-0-{0...3}.tenant-hl.services.apps.ocp4.openshift.zone, minio.services.svc.cluster.local, minio.services, minio.services.svc, *.tenant-hl.services.svc.cluster.local, *.services.svc.cluster.local, not api.apps.ocp4.openshift.zone

Additional information:

certConfig will only works when deploying the tenant, once tenant is deployed, adding this field will not regenerate the certificate nor include the domain.

Steps:

Create cluster:

$ createcluster
Deleting cluster "kind" ...
Creating cluster "kind" ...
 ✓ Ensuring node image (kindest/node:v1.25.3) 🖼
 ✓ Preparing nodes 📦 📦 📦 📦 📦  
 ✓ Writing configuration 📜 
 ✓ Starting control-plane 🕹️ 
 ✓ Installing CNI 🔌 
 ✓ Installing StorageClass 💾 
⠈⠁ Joining worker nodes 🚜

Install Operator:

$ installoperator
namespace/minio-operator created
customresourcedefinition.apiextensions.k8s.io/tenants.minio.min.io created
serviceaccount/console-sa created
serviceaccount/minio-operator created
clusterrole.rbac.authorization.k8s.io/console-sa-role created
clusterrole.rbac.authorization.k8s.io/minio-operator-role created
clusterrolebinding.rbac.authorization.k8s.io/console-sa-binding created
clusterrolebinding.rbac.authorization.k8s.io/minio-operator-binding created
configmap/console-env created
secret/console-sa-secret created
service/console created
service/operator created
deployment.apps/console created
deployment.apps/minio-operator created

Modify file /Users/cniackz/operator/examples/kustomization/base/tenant.yaml

  ## This field is used only when "requestAutoCert" is set to true. Use this field to set CommonName
  ## for the auto-generated certificate. Internal DNS name for the pod will be used if CommonName is
  ## not provided. DNS name format is *.minio.default.svc.cluster.local
  certConfig:
    commonName: 'system:node:*.storage-lite-hl.tenant-lite.svc.cluster.local'
    dnsNames:
      - api.apps.ocp4.openshift.zone
      - storage-lite-pool-0-{0...3}.storage-lite-hl.tenant-lite.svc.cluster.local
      - minio.tenant-lite.svc.cluster.local
      - minio.tenant-lite
      - minio.tenant-lite.svc
      - '*.storage-lite-hl.tenant-lite.svc.cluster.local'
      - '*.tenant-lite.svc.cluster.local'

Install tenant:

$ installtenant
namespace/tenant-lite created
secret/storage-configuration created
secret/storage-user created
tenant.minio.min.io/storage-lite created