Product
Overview
What is AIStor?
Features
Replication Replication Console Console Cache Cache Encryption Encryption Versioning Versioning Observability Observability Object Immutability Object Immutability Key Management Server Key Management Server S3 Compatibility S3 Compatibility Identity + Access Mgt Identity + Access Mgt Catalog Catalog Object Prompt Object Prompt Lifecycle Lifecycle Firewall Firewall AIHub AIHub
Tools
Erasure Code Calculator Erasure Code Calculator Determine your raw and usable capacity across a range of erasure coding settings. Reference Hardware Reference Hardware MinIO’s recommended Configuration and reference hardware for building large scale data infrastructure.
Solutions
AI Storage Learn how MinIO is leading the AI storage market from its exclusive features to performance at scale. HDFS Migration Modernize and simplify your big data storage infrastructure with cloud native storage with AIStor. Snowflake Learn how to leverage Snowflake external tables to query data without having to move it.
Integrations Integrations with MinIO Browse our expansive list of
integrations with links to the relevant
documentation.
Veeam Learn how MinIO and Veeam have partnered deliver superior RTO and RPO. Modern Datalakes Learn how modern, multi-engine data lakeshouses depend on MinIO's AIStor. Equinix Repatriate your data onto the cloud you control with MinIO and Equinix. SQL Server Learn how to leverage SQL Server 2022 with MinIO to run queries on your data without having to move it. Commvault Learn how Commvault and MinIO are partnered to deliver performance at scale for mission critical backup and restore workloads. Hybrid Cloud Learn how enterprises use MinIO to build AI data infrastructure that runs on any cloud - public, private or colo. Splunk Find out how MinIO is delivering performance at scale for Splunk SmartStores. VMware Discover how MinIO integrates with VMware across the portfolio from the Persistent Data platform to TKG and how we support their Kubernetes ambitions.
Open Source
Github Community Explore, experiment, ask questions and contribute. Docs Development guides. Slack Channel Open Forum for discussing topics related to MinIO.
Download MinIO Object Store Get MinIO's open source server, client, and SDK.
Resources
Resources Home Browse our library of white papers, solution briefs, benchmarks and videos. Blog Product updates, company news, and educational content. Training Learn the MinIO Way and Become a Data Infrastructure Expert.
Events Join us to take advantage to meet with MinIO partners, employees, and subject-matter experts.
Partner Pricing Login Download

Documentation

MinIO Object Storage for OpenShift

cert-manager for Tenants

The following procedures create and apply the resources necessary to use cert-manager for the TLS certificates within a tenant.

Note

The procedures use tenant-1 as the name of the tenant.

Replace the string tenant-1 throughout the procedures to reflect the name of your tenant.

Prerequisites

1) Create the tenant namespace CA Issuer

Before deploying a new tenant, create a Certificate Authority and Issuer for the tenant’s namespace.

  1. If necessary, create the tenant’s namespace.

    kubectl create ns tenant-1

    This much match the value of the metadata.namespace field in the tenant’s YAML.

  2. Request a Certificate for a new Certificate Authority with spec.isCA set to true.

    Create a file called tenant-1-ca-certificate.yaml with the following contents:

    # tenant-1-ca-certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tenant-1-ca-certificate
  namespace: tenant-1
spec:
  isCA: true
  commonName: tenant-1-ca
  secretName: tenant-1-ca-tls
  duration: 70128h # 8y
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-root
    kind: ClusterIssuer
    group: cert-manager.io

    Important

    The spec.issueRef.name must match the name of the ClusterIssuer created when setting up cert-manager. If you specified a different ClusterIssuer name or are using a different Issuer from the guide, modify the issuerRef to match your environment.

  3. Apply the resource:

    kubectl apply -f tenant-1-ca-certificate.yaml

2) Create the Issuer

The Issuer issues the certificates within the tenant namespace.

  1. Generate a resource definition for an Issuer.

    Create a file called tenant-1-ca-issuer.yaml with the following contents:

    # tenant-1-ca-issuer.yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: tenant-1-ca-issuer
  namespace: tenant-1
spec:
  ca:
    secretName: tenant-1-ca-tls

  2. Apply the Issuer resource definition:

    kubectl apply -f tenant-1-ca-issuer.yaml

3) Create a certificate for the tenant

Request that cert-manager issue a new TLS server certificate for MinIO. The certificate must be valid for the following DNS domains:

  • minio.<namespace>

  • minio.<namespace>.svc

  • minio.<namespace>.svc.<cluster domain>

  • *.<tenant-name>-hl.<namespace>.svc.<cluster domain>

  • *.<namespace>.svc.<cluster domain>

  • *.<tenant-name>.minio.<namespace>.svc.<cluster domain>'

Important

Replace the the placeholder text (marked with the < and > characters) with values for your tenant:

  • <cluster domain> is the internal root DNS domain assigned in your Kubernetes cluster. Typically, this is cluster.local, but confirm the value by checking your CoreDNS configuration for the correct value for your Kubernetes cluster.

    For example:

    kubectl get configmap coredns -n kube-system -o jsonpath="{.data}"

    Different Kubernetes providers manage the root domain differently. Check with your Kubernetes provider for more information.

  • tenant-name is the name provided to your tenant in the metadata.name of the Tenant YAML. For this example it is myminio.

  • namespace is the value created earlier where the tenant will be installed. In the tenant YAML, it is defined in the the metadata.namespace field. For this example it is tenant-1.

  1. Request a Certificate for the specified domains

    Create a file called tenant-1-minio-certificate.yaml. The contents of the file should resemble the following, modified to reflect your cluster and tenant configurations:

    # tenant-1-minio-certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tenant-certmanager-cert
  namespace: tenant-1
spec:
  dnsNames:
    - "minio.tenant-1"
    - "minio.tenant-1.svc"
    - 'minio.tenant-1.svc.cluster.local'
    - '*.minio.tenant-1.svc.cluster.local'
    - '*.myminio-hl.tenant-1.svc.cluster.local'
    - '*.myminio.minio.tenant-1.svc.cluster.local'
  secretName: myminio-tls
  issuerRef:
    name: tenant-1-ca-issuer

    Tip

    For this example, the Tenant name is myminio. We recommend naming the secret in the field spec.secretName as <tenant-name>-tls as a naming convention.

  2. Apply the certificate resource:

    kubectl apply -f tenant-1-minio-certificate.yaml

  3. Validate the changes took effect:

    kubectl describe secret/myminio-tls -n tenant-1

    Note

    • Replace tenant-1 with the namespace for your tenant.

    • Replace myminio-tls with the name of your secret, if different.

4) Deploy the tenant using cert-manager for TLS certificate management

When deploying a Tenant, you must set the TLS configuration such that:

  • The Tenant does not automatically generate its own certificates (spec.requestAutoCert: false) and

  • The Tenant has a valid cert-manager reference (spec.externalCertSecret)

This directs the Operator to deploy the Tenant using the cert-manager certificates exclusively.

The following YAML spec provides a baseline configuration meeting these requirements:

apiVersion: minio.min.io/v2
kind: Tenant
metadata:
  name: myminio
  namespace: tenant-1
spec:
...
  ## Disable default tls certificates.
  requestAutoCert: false
  ## Use certificates generated by cert-manager.
  externalCertSecret:
    - name: myminio-tls
      type: cert-manager.io/v1
...

5) Trust the tenant’s CA in MinIO Operator

The MinIO Operator does not trust the tenant’s CA by default. To trust the tenant’s CA, you must pass the certificate to the Operator as a secret.

To do this, create a secret with the prefix operator-ca-tls- followed by a unique identifier in the minio-operator namespace.

MinIO Operator mounts and trusts all certificates issued by the provided Certificate Authorities. This is required because the MinIO Operator performs health checks using the /minio/health/cluster endpoint.

Create operator-ca-tls-tenant-1 secret

Copy the tenant’s cert-manager generated CA public key (ca.crt) into the minio-operator namespace. This allows Operator to trust the cert-manager issued CA and all certificates derived from it.

  1. Create a ca.crt file containing the CA:

    kubectl get secrets -n tenant-1 tenant-1-ca-tls -o=jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt

  2. Create the secret:

    kubectl create secret generic operator-ca-tls-tenant-1 --from-file=ca.crt -n minio-operator

Tip

In this example we chose a secret name of operator-ca-tls-tenant-1. We used the tenant namespace tenant-1 as a suffix for easy identification of which namespace the CA comes from. Use the name of your tenant namespace for easier linking secrets to the related resources.

6) Deploy the tenant

With the Certificate Authority and Issuer in place for the tenant’s namespace, you can now deploy the object store tenant.

Use the modified baseline tenant YAML to disable AutoCert and reference the secret you generated.

This work is licensed under a Creative Commons Attribution 4.0 International License. 2020-Present, MinIO, Inc. Creative Commons License