Product
Overview
What is AIStor?
Features
Replication Replication Console Console Cache Cache Encryption Encryption Versioning Versioning Observability Observability Object Immutability Object Immutability Key Management Server Key Management Server S3 Compatibility S3 Compatibility Identity + Access Mgt Identity + Access Mgt Catalog Catalog Object Prompt Object Prompt Lifecycle Lifecycle Firewall Firewall AIHub AIHub
Tools
Erasure Code Calculator Erasure Code Calculator Determine your raw and usable capacity across a range of erasure coding settings. Reference Hardware Reference Hardware MinIO’s recommended Configuration and reference hardware for building large scale data infrastructure.
Solutions
AI Storage Learn how MinIO is leading the AI storage market from its exclusive features to performance at scale. HDFS Migration Modernize and simplify your big data storage infrastructure with cloud native storage with AIStor. Snowflake Learn how to leverage Snowflake external tables to query data without having to move it.
Integrations Integrations with MinIO Browse our expansive list of
integrations with links to the relevant
documentation.
Veeam Learn how MinIO and Veeam have partnered deliver superior RTO and RPO. Modern Datalakes Learn how modern, multi-engine data lakeshouses depend on MinIO's AIStor. Equinix Repatriate your data onto the cloud you control with MinIO and Equinix. SQL Server Learn how to leverage SQL Server 2022 with MinIO to run queries on your data without having to move it. Commvault Learn how Commvault and MinIO are partnered to deliver performance at scale for mission critical backup and restore workloads. Hybrid Cloud Learn how enterprises use MinIO to build AI data infrastructure that runs on any cloud - public, private or colo. Splunk Find out how MinIO is delivering performance at scale for Splunk SmartStores. VMware Discover how MinIO integrates with VMware across the portfolio from the Persistent Data platform to TKG and how we support their Kubernetes ambitions.
Open Source
Github Community Explore, experiment, ask questions and contribute. Docs Development guides. Slack Channel Open Forum for discussing topics related to MinIO.
Download MinIO Object Store Get MinIO's open source server, client, and SDK.
Resources
Resources Home Browse our library of white papers, solution briefs, benchmarks and videos. Blog Product updates, company news, and educational content. Training Learn the MinIO Way and Become a Data Infrastructure Expert.
Events Join us to take advantage to meet with MinIO partners, employees, and subject-matter experts.
Partner Pricing Login Download

Documentation

MinIO Object Storage for Kubernetes

cert-manager for Operator

MinIO Operator manages TLS certificate issuing for the services hosted in the minio-operator namespace.

This page describes how to manage the Operator’s TLS certificates with cert-manager.

Prerequisites

1) Create a CA Issuer for the minio-operator namespace

This guide disables the automatic generation of certificates in MinIO Operator and issues certificates using cert-manager instead.

The minio-operator namespace must have its own certificate authority (CA), derived from the cluster’s ClusterIssuer certificate created during cert-manager setup. Create this CA certificate using cert-manager.

Important

This CA certificate must exist before installing MinIO Operator.

  1. If it does not exist, create the minio-operator namespace

    kubectl create ns minio-operator

  2. Request a new Certificate with spec.isCA: true specified.

    This certificate serves as the CA for the minio-operator namespace.

    Create a file called operator-ca-tls-secret.yaml with the following contents:

    # operator-ca-tls-secret.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: minio-operator-ca-certificate
  namespace: minio-operator
spec:
  isCA: true
  commonName: operator
  secretName: operator-ca-tls
  duration: 70128h # 8y
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-root
    kind: ClusterIssuer
    group: cert-manager.io

    Important

    The spec.issueRef.name must match the name of the ClusterIssuer created when setting up cert-manager. If you specified a different ClusterIssuer name or are using a different Issuer from the guide, modify the issuerRef to match your environment.

  3. Apply the resource:

    kubectl apply -f operator-ca-tls-secret.yaml

Kubernetes creates a new secret with the name operator-ca-tls in the minio-operator namespace.

Important

Make sure to trust this certificate in any applications that need to interact with the MinIO Operator.

2) Use the secret to create the Issuer

Use the operator-ca-tls secret to add an Issuer resource for the minio-operator namespace.

  1. Create a file called operator-ca-issuer.yaml with the following contents:

    # operator-ca-issuer.yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: minio-operator-ca-issuer
  namespace: minio-operator
spec:
  ca:
    secretName: operator-ca-tls

  2. Apply the resource:

    kubectl apply -f operator-ca-issuer.yaml

3) Create TLS certificate

Now that the Issuer exists in the minio-operator namespace, cert-manager can add a certificate.

The certificate from cert-manager must be valid for the following DNS domains:

  • sts

  • sts.minio-operator.svc.

  • sts.minio-operator.svc.<cluster domain>

    Important

    Replace <cluster domain> with the actual value for your MinIO tenant. cluster domain is the internal root DNS domain assigned in your Kubernetes cluster. Typically, this is cluster.local, but confirm the value by checking your CoreDNS configuration for the correct value for your Kubernetes cluster.

    For example:

    kubectl get configmap coredns -n kube-system -o jsonpath="{.data}"

    Different Kubernetes providers manage the root domain differently. Check with your Kubernetes provider for more information.

  1. Create a Certificate for the specified domains:

    Create a file named sts-tls-certificate.yaml with the following contents:

    # sts-tls-certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: sts-certmanager-cert
  namespace: minio-operator
spec:
  dnsNames:
    - sts
    - sts.minio-operator.svc
    - sts.minio-operator.svc.cluster.local # Replace cluster.local with the value for your domain.
  secretName: sts-tls
  issuerRef:
    name: minio-operator-ca-issuer

    Important

    The spec.secretName is not optional.

    The secret name must be sts-tls. Confirm this by setting spec.secretName: sts-tls as highlighted in the certificate YAML.

  2. Apply the resource:

    kubectl apply -f sts-tls-certificate.yaml

This creates a secret called sts-tls in the minio-operator namespace.

Warning

The STS service will not start if the sts-tls secret, containing the TLS certificate, is missing or contains an invalid key-value pair.

4) Install Operator with Auto TLS disabled

You can now install the MinIO Operator.

When installing the Operator deployment, set the OPERATOR_STS_AUTO_TLS_ENABLED environment variable to off in the minio-operator container.

Disabling this environment variable prevents the MinIO Operator from issuing the certificates. Instead, Operator relies on cert-manager to issue the TLS certificate.

There are various methods to define an environment variable depending on how you install the Operator. The following steps define the variable with kustomize.

  1. Create a kustomization patch file called kustomization.yaml with the following contents:

    # minio-operator/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- github.com/minio/operator/resources

patches:
- patch: |-
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: minio-operator
      namespace: minio-operator
    spec:
      template:
        spec:
          containers:
            - name: minio-operator
              env:
                - name: OPERATOR_STS_AUTO_TLS_ENABLED
                  value: "off"
                - name: OPERATOR_STS_ENABLED
                  value: "on"

  2. Apply the kustomization resource to the cluster:

    kubectl apply -k minio-operator

Migrate an existing MinIO Operator deployment to cert-manager

To transition an existing MinIO Operator deployment from using AutoCert to cert-manager, complete the following steps:

  1. Complete the steps for installing cert-manager, including disabling auto-cert.

  2. Complete steps 1-3 on this page to generate the certificate authority for the Operator.

  3. When you get to the install step on this page, instead replace the existing Operator TLS certificate with the cert-manager issued certificate.

  4. Create new cert-manager certificates for each tenant, similar to the steps described on the cert-manager for Tenants page.

  5. Replace the secrets in the MinIO Operator namespace for the tenants with secrets related to each tenant’s cert-manager issued certificate.

Next steps

Set up cert-manager for a MinIO Tenant.

This work is licensed under a Creative Commons Attribution 4.0 International License. 2020-Present, MinIO, Inc. Creative Commons License