Test KES with cert‐manager
Cesar Celis Hernandez edited this page Jan 15, 2024 · 13 revisions
Steps to use cert-manager as the certificate source for both KES and the tenant.
- Install KES as in https://github.com/cniackz/public/wiki/Test-KES
- Once KES is up and running, install cert-manager and wait for its three components (controller, cainjector, webhook) to become ready:

```shell
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.yaml
echo "Wait until cert-manager pods are running:"
kubectl wait -n cert-manager --for=condition=ready pod -l app=cert-manager --timeout=120s
kubectl wait -n cert-manager --for=condition=ready pod -l app=cainjector --timeout=120s
kubectl wait -n cert-manager --for=condition=ready pod -l app=webhook --timeout=120s
```
- Apply the issuer (a self-signed issuer is used here, so the resulting CA is only trusted by whoever is explicitly given `ca.crt`):

```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: tenant-certmanager-issuer
  namespace: default
spec:
  selfSigned: {}
```
- Apply the first certificate (this one is used by KES; note that each wildcard only covers one DNS label, which is why the pod-level service domains are listed separately):

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tenant-certmanager-2-cert
  namespace: default
spec:
  dnsNames:
    - '*.default.svc.cluster.local'
    - '*.minio.default.svc.cluster.local'
    - '*.kes-tenant-hl.default.svc.cluster.local'
  issuerRef:
    name: tenant-certmanager-issuer
  secretName: tenant-certmanager-2-tls
```
- Apply the second certificate (this one is used by the tenant; same SANs, different secret name):

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tenant-certmanager-cert
  namespace: default
spec:
  dnsNames:
    - '*.default.svc.cluster.local'
    - '*.minio.default.svc.cluster.local'
    - '*.kes-tenant-hl.default.svc.cluster.local'
  issuerRef:
    name: tenant-certmanager-issuer
  secretName: tenant-certmanager-tls
```
- Turn off `requestAutoCert` in the Tenant spec so Operator stops generating its own certificates:

```yaml
spec:
  requestAutoCert: false
```
- Set the Tenant cert to be external:

```yaml
spec:
  externalCertSecret:
    - name: tenant-certmanager-tls
      type: cert-manager.io/v1
```
- Set the KES cert to be external, provided by cert-manager:

```yaml
spec:
  kes:
    externalCertSecret:
      name: tenant-certmanager-2-tls
      type: cert-manager.io/v1
```
- Copy the cert-manager CA out of the tenant certificate secret into the `operator-ca-tls` secret. Operator does not trust the self-signed cert-manager CA by default, so without this step it would reject the tenant's certificate. Instructions from: https://github.com/minio/operator/blob/master/docs/cert-manager.md#create-operator-ca-tls-secret

```shell
kubectl get secrets -n default tenant-certmanager-tls -o=jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
kubectl create secret generic operator-ca-tls --from-file=ca.crt -n minio-operator
kubectl rollout restart deployment.apps/minio-operator -n minio-operator
```
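As an added check (example code written for this page, not from the wiki or the MinIO project), the script below verifies that the three wildcard `dnsNames` used in the Certificates above cover the hostnames a tenant and its KES service are reached under. Wildcards in a SAN match exactly one DNS label, so `*.default.svc.cluster.local` alone would not cover pod hostnames; the tenant name `myminio`, pool name `pool-0` and the resulting pod hostnames are assumptions constructed for the example.

```python
"""Check that cert-manager Certificate dnsNames cover tenant and KES hostnames.

Wildcard matching follows RFC 6125: '*' matches exactly one DNS label, so
'*.default.svc.cluster.local' covers 'minio.default.svc.cluster.local' but not
a pod hostname such as 'myminio-pool-0-0.minio.default.svc.cluster.local'.
"""

# dnsNames exactly as listed in the Certificate manifests on this page.
DNS_NAMES = [
    "*.default.svc.cluster.local",
    "*.minio.default.svc.cluster.local",
    "*.kes-tenant-hl.default.svc.cluster.local",
]

# Constructed sample hostnames (assumed tenant 'myminio', pool 'pool-0',
# KES statefulset 'kes-tenant'); real names depend on the deployment.
SAMPLE_HOSTS = [
    "minio.default.svc.cluster.local",
    "myminio-hl.default.svc.cluster.local",
    "myminio-pool-0-0.minio.default.svc.cluster.local",
    "myminio-pool-0-1.minio.default.svc.cluster.local",
    "kes-tenant-hl.default.svc.cluster.local",
    "kes-tenant-0.kes-tenant-hl.default.svc.cluster.local",
]


def san_matches(pattern: str, host: str) -> bool:
    """Return True if one DNS SAN entry covers host (case-insensitive).

    A wildcard is honoured only as the entire left-most label and matches
    exactly one label; partial wildcards like 'f*.example' are rejected.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False
    # Same number of labels, non-empty first label, identical suffix.
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def uncovered_hosts(dns_names, hosts):
    """Return the hosts that no entry in dns_names matches."""
    return [h for h in hosts if not any(san_matches(n, h) for n in dns_names)]


if __name__ == "__main__":
    missing = uncovered_hosts(DNS_NAMES, SAMPLE_HOSTS)
    print("uncovered hostnames:", missing or "none")
```

Drop the second and third wildcards from `DNS_NAMES` and the pod hostnames show up as uncovered, which is the situation in which MinIO or KES would reject the certificate at startup.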
- As a result, both the tenant and KES serve the certificates issued by cert-manager instead of the ones MinIO Operator would otherwise generate itself.
- Mon Jan 15 2024 @ 5:37 pm GDL Time: tested and passed!