Use custom certs in tenant quick test

Allan Roger Reid edited this page Mar 16, 2023 · 3 revisions

Get certgen

wget https://github.com/minio/certgen/releases/latest/download/certgen-darwin-arm64
chmod +x certgen-darwin-arm64 

Create private key/public cert

./certgen-darwin-arm64 -host "127.0.0.1,minio.tenant-lite.svc.cluster.local,storage-lite-pool-0-0.storage-lite-hl.tenant-lite.svc.cluster.local,storage-lite-pool-0-1.storage-lite-hl.tenant-lite.svc.cluster.local,storage-lite-pool-0-2.storage-lite-hl.tenant-lite.svc.cluster.local,storage-lite-pool-0-3.storage-lite-hl.tenant-lite.svc.cluster.local"

Export a sample TLS secret from the running tenant

k -n tenant-lite get secret/storage-lite-tls -o yaml > storage-lite-tls.yaml
cat private.key | base64
cat public.crt | base64

Modify storage-lite-tls.yaml with the above base64 values, then apply it (the edited file is shown after the commands)

k -n tenant-lite delete secret storage-lite-tls-custom
k apply -f storage-lite-tls.yaml
k -n tenant-lite get secrets
apiVersion: v1
data:
  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JR0hBZ0VBTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEJHMHdhd0lCQVFRZ2lsZnpqUkFrMzNwY2h4MnQKS1JzRmV3OWxGNHNCa0ZyV2liWUtLUjNuaCtxaFJBTkNBQVNqd1h1TDB5WFpPbE4xNmZDMGxPa3ZxRVMzb3dMNApKemFScEN2dkc0MzJIWWk5VG5WNDJQWkJyc1NHWFRHN3J4SmpuN0xFNEtmaFFSVGMramp6VE9XWQotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg==
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKRENDQXNxZ0F3SUJBZ0lSQUlia0cvR3NJRG5CeWwza1VQWEo2MDh3Q2dZSUtvWkl6ajBFQXdJd1BURWMKTUJvR0ExVUVDaE1UUTJWeWRHZGxiaUJFWlhabGJHOXdiV1Z1ZERFZE1Cc0dBMVVFQ3d3VVlXeHNZVzV5WldsawpRRUZzYkdGdWN5MU5RbEF3SGhjTk1qTXdNekUyTVRnME5EVXpXaGNOTWpRd016RTFNVGcwTkRVeldqQTlNUnd3CkdnWURWUVFLRXhORFpYSjBaMlZ1SUVSbGRtVnNiM0J0Wlc1ME1SMHdHd1lEVlFRTERCUmhiR3hoYm5KbGFXUkEKUVd4c1lXNXpMVTFDVURCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQktQQmU0dlRKZGs2VTNYcAo4TFNVNlMrb1JMZWpBdmduTnBHa0srOGJqZllkaUwxT2RYalk5a0d1eElaZE1idXZFbU9mc3NUZ3ArRkJGTno2Ck9QTk01WmlqZ2dHcE1JSUJwVEFPQmdOVkhROEJBZjhFQkFNQ0FxUXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdFd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVWpqTnBkRnRPaCswOGhEVjVYYk41bWdKYQp1NVV3Z2dGTUJnTlZIUkVFZ2dGRE1JSUJQNElqYldsdWFXOHVkR1Z1WVc1MExXeHBkR1V1YzNaakxtTnNkWE4wClpYSXViRzlqWVd5Q1EzTjBiM0poWjJVdGJHbDBaUzF3YjI5c0xUQXRNQzV6ZEc5eVlXZGxMV3hwZEdVdGFHd3UKZEdWdVlXNTBMV3hwZEdVdWMzWmpMbU5zZFhOMFpYSXViRzlqWVd5Q1EzTjBiM0poWjJVdGJHbDBaUzF3YjI5cwpMVEF0TVM1emRHOXlZV2RsTFd4cGRHVXRhR3d1ZEdWdVlXNTBMV3hwZEdVdWMzWmpMbU5zZFhOMFpYSXViRzlqCllXeUNRM04wYjNKaFoyVXRiR2wwWlMxd2IyOXNMVEF0TWk1emRHOXlZV2RsTFd4cGRHVXRhR3d1ZEdWdVlXNTAKTFd4cGRHVXVjM1pqTG1Oc2RYTjBaWEl1Ykc5allXeUNRM04wYjNKaFoyVXRiR2wwWlMxd2IyOXNMVEF0TXk1egpkRzl5WVdkbExXeHBkR1V0YUd3dWRHVnVZVzUwTFd4cGRHVXVjM1pqTG1Oc2RYTjBaWEl1Ykc5allXeUhCSDhBCkFBRXdDZ1lJS29aSXpqMEVBd0lEU0FBd1JRSWdSeTRvR0N1K3JJcGRQQWozUXFMek1IU0MzT29DYXBpWnZvVmQKdGsyNkMwY0NJUUNhQ0tZMmhwSTVqQ21JOUVISXA5UGN5eGo1M29vOHBORHhCRzkvK3hUSXp3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
kind: Secret
metadata:
  creationTimestamp: "2023-03-16T17:38:45Z"
  labels:
    v1.min.io/tenant: storage-lite
  name: storage-lite-tls-custom
  namespace: tenant-lite
  ownerReferences:
  - apiVersion: minio.min.io/v2
    blockOwnerDeletion: true
    controller: true
    kind: Tenant
    name: storage-lite
    uid: 4b1fe8fd-e2da-4e03-ad7e-004203fd67cf
  resourceVersion: "1344"
  uid: e3955433-fd7a-4cba-81f8-18084afacb2d
type: kubernetes.io/tls

Modify tenant yaml

spec:
  externalCertSecret:
    - name: storage-lite-tls-custom
      type: kubernetes.io/tls

Disable auto TLS in the UI and restart the service.

Tenant pods may need to be deleted

k -n tenant-lite delete pod/storage-lite-pool-0-{0..3}

Observe public certs being used

k -n tenant-lite edit tenant/storage-lite
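
An added example, not part of the original wiki page: for the secret step above, these shell functions render the storage-lite-tls-custom manifest directly from certgen's private.key and public.crt, with single-line base64 and none of the exported ownerReferences, uid or resourceVersion fields. The helper names are hypothetical, and it assumes the operator only needs tls.key and tls.crt in the secret.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki page; helper names are hypothetical.
set -euo pipefail

# GNU base64 wraps at 76 columns (macOS does not); YAML needs one line.
b64_one_line() { base64 < "$1" | tr -d '\n'; }

# render_tls_secret NAME NAMESPACE KEYFILE CERTFILE -> manifest on stdout.
# Rejects swapped or non-PEM inputs before anything reaches the cluster.
render_tls_secret() {
  local name=$1 ns=$2 key=$3 crt=$4
  grep -q -e '-----BEGIN CERTIFICATE-----' "$crt" ||
    { echo "not a PEM certificate: $crt" >&2; return 1; }
  grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$key" ||
    { echo "not a PEM private key: $key" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  name: $name
  namespace: $ns
data:
  tls.key: $(b64_one_line "$key")
  tls.crt: $(b64_one_line "$crt")
EOF
}

# secret_field MANIFEST FIELD -> decoded bytes, to compare with the source file.
secret_field() { sed -n "s/^  $2: //p" "$1" | base64 --decode; }

# Constructed sample input: placeholder PEM bodies, not real key material.
make_sample() {
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' \
    'Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=' '-----END PRIVATE KEY-----' > "$1/private.key"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=' '-----END CERTIFICATE-----' > "$1/public.crt"
}

# roundtrip_ok: returns 0 when the manifest decodes back to the exact inputs.
roundtrip_ok() {
  local d; d=$(mktemp -d); make_sample "$d"
  render_tls_secret storage-lite-tls-custom tenant-lite \
    "$d/private.key" "$d/public.crt" > "$d/secret.yaml"
  secret_field "$d/secret.yaml" tls.key | cmp -s - "$d/private.key" &&
    secret_field "$d/secret.yaml" tls.crt | cmp -s - "$d/public.crt"
}

roundtrip_ok && echo "manifest round-trips"
# Real use: render_tls_secret storage-lite-tls-custom tenant-lite private.key public.crt | kubectl apply -f -
```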