
Create Cert for Operator manually self signed cert

Cesar Celis Hernandez edited this page Feb 23, 2023 · 2 revisions

Ideally, the certificate should be rotated automatically, so no manual creation is needed. Nevertheless, I see you are using custom certificates; if that is the case, operator-ca-tls can be used for that and there is no need for the operator-tls secret that we generate. In any case, if the cert has already expired and a new certificate has to be issued for the Operator, follow these steps:

1. Create the private key:

   ```sh
   openssl genrsa -out private.key 2048
   ```

2. Create a file named cert.cnf with this content (the SANs are the names the Operator service is reached by inside the cluster):

   ```ini
   [req]
   distinguished_name = req_distinguished_name
   req_extensions = req_ext
   prompt = no

   [req_distinguished_name]
   O = "system:nodes"
   C = US
   CN = "system:node:operator.minio-operator.svc"

   [req_ext]
   subjectAltName = @alt_names

   [alt_names]
   DNS.1 = operator
   DNS.2 = operator.minio-operator.svc
   DNS.3 = operator.minio-operator.svc.cluster.local
   DNS.4 = minio-operator-service.minio-operator.svc
   ```

3. Generate the CSR:

   ```sh
   openssl req -new -config cert.cnf -key private.key -out operator.csr
   ```

4. Base64-encode it as a single line (`--wrap=0` is the GNU coreutils option):

   ```sh
   cat operator.csr | base64 --wrap=0
   ```
5. Save the following CertificateSigningRequest manifest as operator-csr.yaml, putting the base64 output from the previous step in spec.request. Note that spec.expirationSeconds may not be less than 600 seconds (10 minutes), as per the Kubernetes API rules:

   ```yaml
   apiVersion: certificates.k8s.io/v1
   kind: CertificateSigningRequest
   metadata:
     name: operator-csr
   spec:
     expirationSeconds: 2630000
     groups:
     - system:serviceaccounts
     - system:serviceaccounts:minio-operator
     - system:authenticated
     - system:nodes
     request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJRE9UQ0NBaUVDQVFBd1ZqRVZNQk1HQTFVRUNnd01jM2x6ZEdWdE9tNXZaR1Z6TVFzd0NRWURWUVFHRXdKVgpVekV3TUM0R0ExVUVBd3duYzNsemRHVnRPbTV2WkdVNmIzQmxjbUYwYjNJdWJXbHVhVzh0YjNCbGNtRjBiM0l1CmMzWmpNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXhaNXFnUTVUZnVSWXpDbXcKb2pnbzhFc1RBSjhuN1JuTUdodFlBKzhBNkVkTW9NdktxMVVGTmJabWdoaS8wS2dDSzB3c1BqVmVPWjdvaWNRYwpqYmR2SVpuekRMTlI2SC9IVk0wSDVHRU8zcXkzcmE5bUY1RGxyTy9RVSt6RUp5eG5DTUpPeHV4L2hPd05Fd21hCm9NcUFtaUpxQ0duV0JKRmQ4a0pHWDd2Q3pkTkhxRkYyUEphakI0K3JJWkRURTlpVVN6UjcxMDIxK3FZM3VsMEgKRk9KRFFMTkdUUDEvOEFCd25YWXpKQ2hINExteUxwbGloZjJvSnJOc0RaRkJHcFpRYnhydDR1UTZMMmpuY0Z0MgpLYnljVWxZaDNqYzlVcm11VGoxMWo3eFdkM00rZlVuMjcwdkNPcy9JNTQvNHp0WEVTcVdmWEJ5M2JEZ3FPZHhmCjFabFU0UUlEQVFBQm9JR2RNSUdhQmdrcWhraUc5dzBCQ1E0eGdZd3dnWWt3Z1lZR0ExVWRFUVIvTUgyQ0NHOXcKWlhKaGRHOXlnaHR2Y0dWeVlYUnZjaTV0YVc1cGJ5MXZjR1Z5WVhSdmNpNXpkbU9DS1c5d1pYSmhkRzl5TG0xcApibWx2TFc5d1pYSmhkRzl5TG5OMll5NWpiSFZ6ZEdWeUxteHZZMkZzZ2lsdGFXNXBieTF2Y0dWeVlYUnZjaTF6ClpYSjJhV05sTG0xcGJtbHZMVzl3WlhKaGRHOXlMbk4yWXpBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQU1GbzkKNC9hMThiaUhWUGJPdFB2dkdvUTlORFlVcTlMVkVwZG5OOC9WcXJLeC84dWtPYytMaWRtdTY3SSs5djNBK3dYWAoyT2IvbEZrc2VVUHZuVy9xVEFJd2ZVbkM0L3JPbDU3SC9xaHRRU0dGNUtPWXQ3Y1pjRGhvWkxaQ2FEbnlpanl5ClZaNHpuMlI4QTE2SHVodmlMT1FSdVc5L2s4L3l1SkNCN2Ric3Qydm9BVmtlUk5GbU5UM2hBUVV0VzFDRHJLVEcKQWZGS1F5STE5YjJOWnVrRVZXdTRRU0xSaE40azJCOGFtUFhwRUNGNng5TlhLRUpNS1g0ZEdwUEMva05rcGFEVAp1NnhyREplQWhjRjhMQmQzREp2N1RKTk5JTUhORkRaZXQ3YUFneDNNZ3krNnd0NVA2WWFsNy9VZG1MU3hkeURkClMybndSMVVONGVpcCt3emdtQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
     signerName: kubernetes.io/kubelet-serving
     usages:
     - digital signature
     - key encipherment
     - server auth
     username: system:serviceaccount:minio-operator:minio-operator
   ```
6. Apply the Operator CSR above:

   ```sh
   kubectl apply -f operator-csr.yaml
   ```

7. Approve the CSR:

   ```sh
   kubectl certificate approve operator-csr
   ```

8. Check the CSR; its condition should be Approved,Issued. Then extract the issued certificate into public.crt:

   ```sh
   kubectl get csr

   kubectl get csr operator-csr -o jsonpath='{.status.certificate}' | base64 -d > public.crt
   ```

9. Save the existing operator-tls secret to a file called operator-tls.yaml and edit it to replace the data with the new private.key and public.crt from above. Then, since a secret in k8s cannot be edited in place, delete the old expired cert and apply the new one:

   ```sh
   kubectl delete secret operator-tls -n minio-operator

   kubectl apply -f operator-tls.yaml
   ```
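The steps above, scripted end to end for the parts that do not need a cluster. This is an added example, not code from the MinIO Operator project or this wiki: it writes the cert.cnf, key and CSR from steps 1 to 3, builds the operator-csr.yaml manifest from step 5 with the single-line base64 request already filled in, and, once public.crt has been extracted in step 8, builds the replacement operator-tls.yaml for step 9. It also adds two checks a practitioner wants before touching the cluster: that the CSR actually carries all four SANs (a missing SAN shows up later as a hostname mismatch on every client), and that the issued certificate is not already expired before the old secret is deleted. Assumptions not stated on the page: the operator-tls Secret is an Opaque secret with exactly the keys private.key and public.crt, and the working-directory layout and function names are mine.

```shell
#!/bin/sh
# Added example for this wiki page; not code from the MinIO Operator project.
# Reproduces the offline parts of steps 1-5 and 9 and adds two local checks.
# Assumptions not stated on the page: the operator-tls Secret is type Opaque
# with exactly the keys private.key and public.crt; file names are mine.
set -eu

NS="minio-operator"

# Step 2: cert.cnf as given on the page (quoted values are fine in openssl.cnf).
write_cert_cnf() {
  cat > "$1/cert.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
O = "system:nodes"
C = US
CN = "system:node:operator.minio-operator.svc"

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = operator
DNS.2 = operator.minio-operator.svc
DNS.3 = operator.minio-operator.svc.cluster.local
DNS.4 = minio-operator-service.minio-operator.svc
EOF
}

# Steps 1, 3, 4, 5: key, CSR, single-line base64, CSR manifest (all in "$1").
make_operator_csr() {
  dir="$1"
  write_cert_cnf "$dir"
  openssl genrsa -out "$dir/private.key" 2048 2>/dev/null
  openssl req -new -config "$dir/cert.cnf" -key "$dir/private.key" -out "$dir/operator.csr"
  # `base64 --wrap=0` is GNU-only; piping through tr keeps this portable.
  req=$(base64 < "$dir/operator.csr" | tr -d '\n')
  cat > "$dir/operator-csr.yaml" <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: operator-csr
spec:
  expirationSeconds: 2630000
  groups:
  - system:serviceaccounts
  - system:serviceaccounts:$NS
  - system:authenticated
  - system:nodes
  request: $req
  signerName: kubernetes.io/kubelet-serving
  usages:
  - digital signature
  - key encipherment
  - server auth
  username: system:serviceaccount:$NS:minio-operator
EOF
}

# Check before submitting: every hostname the operator is reached by must be a
# SAN, or clients will reject the signed cert with a hostname mismatch.
csr_has_sans() {
  text=$(openssl req -in "$1" -noout -text)
  for name in operator operator.$NS.svc operator.$NS.svc.cluster.local \
              minio-operator-service.$NS.svc; do
    echo "$text" | grep -qE "DNS:$name(,|\$)" || return 1
  done
}

# Step 9: replacement operator-tls Secret built from the signed public.crt
# (from `kubectl get csr ... -o jsonpath='{.status.certificate}'`) and the key.
make_operator_tls_secret() {
  cat > "$1/operator-tls.yaml" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: operator-tls
  namespace: $NS
type: Opaque
data:
  private.key: $(base64 < "$1/private.key" | tr -d '\n')
  public.crt: $(base64 < "$1/public.crt" | tr -d '\n')
EOF
}

# Before deleting the old secret: is the new cert still valid for $2 seconds?
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}
```

Usage: source the file, run `make_operator_csr ./work` and `csr_has_sans ./work/operator.csr`, apply and approve `./work/operator-csr.yaml` with kubectl as in steps 6 and 7, save the issued certificate to `./work/public.crt` as in step 8, then confirm `cert_valid_for ./work/public.crt 86400` succeeds before `make_operator_tls_secret ./work` and the delete/apply of step 9. The `-checkend` test is the local equivalent of the online decoder mentioned under Additional Info and does not require sending the certificate anywhere.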

Additional Info:

You can use https://www.sslchecker.com/certdecoder to confirm that the Expires date is correct, i.e. how much longer you will be able to use this certificate.

We have merged a PR that should fix this issue in the future: https://github.com/minio/operator/pull/1437

But the new operator tag is yet to be released.

So in the meantime, please follow the steps above to get a new cert with a new expiration date.

Also, if you place this secret in operator-ca-tls, that is the secret that is going to be used. It is up to you how you provide the secret, but as long as it is provided, valid and not expired, it should work! 👍 So have fun and let us know how it goes for you.

Also, I recommend that you do not delete your previous certificate and that you take notes of its Subject, Issuer, etc., so you can regenerate a working cert based on the previous values for Common Name, SAN, Organization, Country, etc.
