# MinIO in OpenShift using cert manager

Cesar Celis Hernandez edited this page Jan 24, 2023
Install a Tenant with TLS, but with the certificates issued by cert-manager, all on OpenShift, with the Operator installed from OperatorHub.
- `crc` has to be ready on your Ubuntu machine:

```shell
crc stop
crc delete
crc setup
crc start
```
Expected to see:

```
INFO Adding crc-admin and crc-developer contexts to kubeconfig...
Started the OpenShift cluster.

The server is accessible via web console at:
  https://console-openshift-console.apps-crc.testing

Log in as administrator:
  Username: kubeadmin
  Password: ebWeG-2KVqI-i8dPv-vXcER

Log in as user:
  Username: developer
  Password: developer

Use the 'oc' command line interface:
  $ eval $(crc oc-env)
  $ oc login -u developer https://api.crc.testing:6443
```
- In OperatorHub, install the latest Operator version.
- Expose the Operator console, open the web page http://localhost:9090/login, and log in with the token from the secret:

```shell
oc login -u kubeadmin https://api.crc.testing:6443
oc port-forward svc/console 9090 -n openshift-operators
```

The token looks like this (the middle of the token is not reproduced here):

```
eyJhbGciOiJSUzI1NiIsImtpZCI6Im8zTFl3dUFkVEs4TFA5U1cySW01TU5aLXNZUU95X2VEbV9PdHZLSEdWQ3cifQ....o75c-P8QfP3DBJKyqbjYFRet5QT4-rp2TzxjRmhrp0ZmszgqxHgk2eg0Vge1g8S1H15G783PAv4st5Mp99ydYF7KP7nYbvJULVxmGNg8SEtFlz_R-6GdPe37htBjfEvcJxt5UkAPYYdcaVcUhNggeMlvpjdg7_1KRVZg3ghGQ5OsEgLCnRPt-D5xnNqS4jjTfXjjJnXB0eIvXDiktfPw0ofmDLgCGUT-Nl1nA_O26TVavs67QwzHfprgKQa8vYfwVm8wtn7XrRsU9IZR5BBKkyGwFH7GnmKToENd0Fip5V2MGIROhdYAgHDE_JfA0dEf9XUXjPCdCvASve6G6j7K3QADwC1eTRgkFfRwVIFHHaZeUqAMbmGDayEPl23SB5O6DXWn2E66lPvxf-7UxoAVlrbIrqTuDikkylFx3FRkEM6eBVoAmlj2PSHqJLixx4hMjkJTriGWjgvZV6sr5RgSI7MeORjXGnS9w4ubXh63oFLAMTBYGkcTOq7gnmW2TjNifyqnXzhQ9YXiqhMPXETNNrvacvxQFXwkOyx2p56Lui8YWep9FVtbBiwO34R7hVtHbTru3TWNNGcDb0RqaHCtTYjZzeMrWUMnfApIj5gtzmkidzoEVy7maQbNBHE9-JwGhflAUCAWZPMSUCGrYUgBMqCYErsHJGdB-ToOwhn1b-o
```
- Apply these permissions so the Operator can create the namespace and read its quotas; this also turned out to be what lets the storage class be displayed in OpenShift. Save the following as `~/permissions.yaml`:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-cesar-5
rules:
  - apiGroups: [""]
    # "deletecollection" is a verb, not a resource, so it is not listed here;
    # nothing in this page needs it, so it is not added to verbs either.
    resources:
      - namespaces
      - resourcequotas
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  # ClusterRoleBindings are cluster-scoped; a metadata.namespace field is ignored.
  name: role-binding-cesar-5
subjects:
  - kind: ServiceAccount
    name: minio-operator
    namespace: openshift-operators
roleRef:
  kind: ClusterRole
  name: cluster-role-cesar-5
  apiGroup: rbac.authorization.k8s.io
```

```shell
oc login -u kubeadmin https://api.crc.testing:6443
oc apply -f ~/permissions.yaml
oc adm policy add-scc-to-user privileged -n openshift-operators -z minio-operator
oc adm policy add-scc-to-user privileged -n openshift-operators -z console-sa
oc adm policy add-scc-to-user privileged -n openshift-operators -z default
oc adm policy add-scc-to-user privileged -n openshift-operators -z builder
oc adm policy add-scc-to-user privileged -n openshift-operators -z deployer
```

---

```shell
oc create namespace tenant-certmanager
oc create serviceaccount minio-operator -n tenant-certmanager
oc adm policy add-scc-to-user privileged -n tenant-certmanager -z minio-operator
oc adm policy add-scc-to-user privileged -n tenant-certmanager -z builder
oc adm policy add-scc-to-user privileged -n tenant-certmanager -z deployer
oc adm policy add-scc-to-user privileged -n tenant-certmanager -z default
```
- Create the tenant:

```yaml
apiVersion: minio.min.io/v2
kind: Tenant
metadata:
  name: storage
  # Must match the namespace created and granted SCCs above
  # (the kustomization may also set this).
  namespace: tenant-certmanager
spec:
  ## Disable default TLS certificates.
  requestAutoCert: false
  ## Use certificates generated by cert-manager.
  externalCertSecret:
    - name: tenant-certmanager-tls
      type: cert-manager.io/v1
  ## Specification for MinIO Pool(s) in this Tenant.
  pools:
    - servers: 1
      name: pool-0
      volumesPerServer: 1
      ## Persistent volume claim template for each volume.
      volumeClaimTemplate:
        apiVersion: v1
        kind: persistentvolumeclaims
        metadata: { }
        spec:
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 1Gi
          storageClassName: crc-csi-hostpath-provisioner
```

```shell
oc apply -k ~/operator/examples/kustomization/tenant-certmanager
```
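With `requestAutoCert: false`, the Tenant only comes up if the Secret named in `externalCertSecret` already exists in the Tenant's namespace and carries usable key material; otherwise the MinIO pods fail to mount it. The following is an added example, not part of this page or of the MinIO Operator: a stdlib-only check to run on `oc get secret tenant-certmanager-tls -n tenant-certmanager -o json` before applying the Tenant. It assumes (not stated on the page) that cert-manager writes a Secret of type `kubernetes.io/tls` with base64-encoded PEM under `tls.crt` and `tls.key`, and that the Operator mounts those two keys. `SAMPLE_SECRET` is a constructed stand-in with placeholder PEM bodies, not real key material.

```python
"""Validate the Secret a Tenant's externalCertSecret points at.

Added example (not MinIO's code). Assumptions: cert-manager issues a
kubernetes.io/tls Secret with base64 PEM under tls.crt and tls.key, the
Operator mounts those keys, and the Secret must live in the Tenant's namespace.
"""
import base64
import json
import re

# One PEM block: BEGIN label, base64 body, matching END label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n[A-Za-z0-9+/=\n]+-----END \1-----")


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed stand-in for the Secret cert-manager would create in the tenant
# namespace; the PEM bodies are placeholders, not real key material.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/tls",
    "metadata": {"name": "tenant-certmanager-tls", "namespace": "tenant-certmanager"},
    "data": {
        "tls.crt": _b64("-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"),
        "tls.key": _b64("-----BEGIN PRIVATE KEY-----\nMIIBplaceholder\n-----END PRIVATE KEY-----\n"),
        "ca.crt": _b64("-----BEGIN CERTIFICATE-----\nMIIBplaceholderCA\n-----END CERTIFICATE-----\n"),
    },
}


def check_tls_secret(secret, name, namespace):
    """Return a list of problems; an empty list means the Tenant can use it."""
    problems = []
    md = secret.get("metadata", {})
    if (md.get("name"), md.get("namespace")) != (name, namespace):
        problems.append(f"Tenant expects {namespace}/{name}, "
                        f"got {md.get('namespace')}/{md.get('name')}")
    if secret.get("type") != "kubernetes.io/tls":
        problems.append(f"unexpected Secret type {secret.get('type')!r} "
                        "(cert-manager writes kubernetes.io/tls)")
    data = secret.get("data", {})
    for key, label in (("tls.crt", "CERTIFICATE"), ("tls.key", "PRIVATE KEY")):
        raw = data.get(key)
        if raw is None:
            problems.append(f"missing data key {key!r}")
            continue
        try:
            pem = base64.b64decode(raw, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            problems.append(f"{key}: not base64-encoded text")
            continue
        match = PEM_BLOCK.search(pem)
        if match is None:
            problems.append(f"{key}: no PEM block found")
        elif not match.group(1).endswith(label):
            # Accepts "RSA PRIVATE KEY" / "EC PRIVATE KEY" as well as "PRIVATE KEY".
            problems.append(f"{key}: PEM label {match.group(1)!r} is not a {label}")
    return problems


def without_key(secret, key):
    """Deep copy of a Secret with one data key removed (used to exercise the check)."""
    copy = json.loads(json.dumps(secret))
    copy["data"].pop(key, None)
    return copy


if __name__ == "__main__":
    print("good:", check_tls_secret(SAMPLE_SECRET, "tenant-certmanager-tls", "tenant-certmanager"))
    print("no key:", check_tls_secret(without_key(SAMPLE_SECRET, "tls.key"),
                                      "tenant-certmanager-tls", "tenant-certmanager"))
```

For a real cluster, replace `SAMPLE_SECRET` with `json.load` of the `oc get secret ... -o json` output and pass the `name` and `namespace` from the Tenant manifest; any non-empty result is a reason not to apply the Tenant yet.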