certConfig
Cesar Celis Hernandez edited this page Jan 13, 2023
To explain certConfig functionality
- Wed Jan 4 2023 @ 4:39 pm
- If you deploy your tenant with the configuration below, the `api.apps.ocp4.openshift.zone` domain will be recognized by (that is, included as a SAN in) the auto-generated certificate:
File: /Users/cniackz/operator/examples/kustomization/base/tenant.yaml

```yaml
## This field is used only when "requestAutoCert" is set to true. Use this field to set CommonName
## for the auto-generated certificate. Internal DNS name for the pod will be used if CommonName is
## not provided. DNS name format is *.minio.default.svc.cluster.local
certConfig:
  commonName: 'system:node:*.storage-lite-hl.tenant-lite.svc.cluster.local'
  dnsNames:
    - api.apps.ocp4.openshift.zone
    - storage-lite-pool-0-{0...3}.storage-lite-hl.tenant-lite.svc.cluster.local
    - minio.tenant-lite.svc.cluster.local
    - minio.tenant-lite
    - minio.tenant-lite.svc
    - '*.storage-lite-hl.tenant-lite.svc.cluster.local'
    - '*.tenant-lite.svc.cluster.local'
```
Decoder used to inspect the resulting certificate: https://www.sslchecker.com/certdecoder

- Then the endpoint will not be rejected:

```shell
root@ubuntu:/# mc alias set myminio https://api.apps.ocp4.openshift.zone minio minio123
Added `myminio` successfully.
```
- Otherwise, if the domain was not added while deploying the tenant, you will get:

```shell
$ mc ls alias
mc: <ERROR> Unable to list folder. Get "https://api.apps.ocp4.openshift.zone/": x509: certificate is valid for tenant-ss-0-{0...3}.tenant-hl.services.apps.ocp4.openshift.zone, minio.services.svc.cluster.local, minio.services, minio.services.svc, *.tenant-hl.services.svc.cluster.local, *.services.svc.cluster.local, not api.apps.ocp4.openshift.zone
```
`certConfig` only takes effect when the tenant is deployed: once the tenant is running, adding this field afterwards will neither regenerate the certificate nor add the domain to it.
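To see why the `dnsNames` list is what decides whether `mc` accepts the endpoint, here is an added example (not code from this page or from the MinIO operator) that builds a throwaway self-signed certificate carrying each of the two SAN lists shown above and runs Go's own hostname check against it. `mc` is a Go program, so `x509.Certificate.VerifyHostname` is the check that produced the error above. The key, the certificate and the probed hostnames are constructed for the example; the two SAN lists are copied from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SANs from the page's certConfig.dnsNames (tenant deployed with the external domain).
var WithDomain = []string{
	"api.apps.ocp4.openshift.zone",
	"storage-lite-pool-0-{0...3}.storage-lite-hl.tenant-lite.svc.cluster.local",
	"minio.tenant-lite.svc.cluster.local",
	"minio.tenant-lite",
	"minio.tenant-lite.svc",
	"*.storage-lite-hl.tenant-lite.svc.cluster.local",
	"*.tenant-lite.svc.cluster.local",
}

// SANs listed in the x509 error on the page (tenant deployed without the domain).
var WithoutDomain = []string{
	"tenant-ss-0-{0...3}.tenant-hl.services.apps.ocp4.openshift.zone",
	"minio.services.svc.cluster.local",
	"minio.services",
	"minio.services.svc",
	"*.tenant-hl.services.svc.cluster.local",
	"*.services.svc.cluster.local",
}

// selfSigned builds a throwaway self-signed certificate with the given DNS SANs.
// It is a constructed stand-in for the certificate the operator issues from
// certConfig; only the SAN list matters for hostname matching.
func selfSigned(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		// Go (1.15 and later) ignores the CommonName for hostname checks, so the
		// page's commonName on its own never makes a host valid.
		Subject:     pkix.Name{CommonName: "system:node:*.storage-lite-hl.tenant-lite.svc.cluster.local"},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:    dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckHost returns nil when a certificate with these SANs is valid for host,
// otherwise the same x509.HostnameError text that mc printed on the page.
func CheckHost(dnsNames []string, host string) error {
	cert, err := selfSigned(dnsNames)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(host)
}

func main() {
	for _, host := range []string{
		"api.apps.ocp4.openshift.zone",
		"minio.tenant-lite.svc.cluster.local",
		"storage-lite-pool-0-1.storage-lite-hl.tenant-lite.svc.cluster.local",
	} {
		fmt.Printf("with domain:    %s -> %v\n", host, CheckHost(WithDomain, host))
		fmt.Printf("without domain: %s -> %v\n", host, CheckHost(WithoutDomain, host))
	}
}
```

Two details the output makes visible: a wildcard SAN such as `*.tenant-lite.svc.cluster.local` matches exactly one label, so `a.b.tenant-lite.svc.cluster.local` is rejected; and the `storage-lite-pool-0-{0...3}...` entry is not a valid hostname pattern, so Go compares it literally and the individual pool pods are instead covered by the `*.storage-lite-hl.tenant-lite.svc.cluster.local` wildcard. On a live tenant the deployed certificate's SANs can be read without `mc` using `openssl s_client -connect api.apps.ocp4.openshift.zone:443 -servername api.apps.ocp4.openshift.zone </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName`.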
- Create cluster:

```shell
$ createcluster
Deleting cluster "kind" ...
Creating cluster "kind" ...
 ✓ Ensuring node image (kindest/node:v1.25.3) 🖼
 ✓ Preparing nodes 📦 📦 📦 📦 📦
 ✓ Writing configuration 📜
 ✓ Starting control-plane 🕹️
 ✓ Installing CNI 🔌
 ✓ Installing StorageClass 💾
 ⠈⠁ Joining worker nodes 🚜
```
- Install Operator:

```shell
$ installoperator
namespace/minio-operator created
customresourcedefinition.apiextensions.k8s.io/tenants.minio.min.io created
serviceaccount/console-sa created
serviceaccount/minio-operator created
clusterrole.rbac.authorization.k8s.io/console-sa-role created
clusterrole.rbac.authorization.k8s.io/minio-operator-role created
clusterrolebinding.rbac.authorization.k8s.io/console-sa-binding created
clusterrolebinding.rbac.authorization.k8s.io/minio-operator-binding created
configmap/console-env created
secret/console-sa-secret created
service/console created
service/operator created
deployment.apps/console created
deployment.apps/minio-operator created
```
- Modify the file `/Users/cniackz/operator/examples/kustomization/base/tenant.yaml`:

```yaml
## This field is used only when "requestAutoCert" is set to true. Use this field to set CommonName
## for the auto-generated certificate. Internal DNS name for the pod will be used if CommonName is
## not provided. DNS name format is *.minio.default.svc.cluster.local
certConfig:
  commonName: 'system:node:*.storage-lite-hl.tenant-lite.svc.cluster.local'
  dnsNames:
    - api.apps.ocp4.openshift.zone
    - storage-lite-pool-0-{0...3}.storage-lite-hl.tenant-lite.svc.cluster.local
    - minio.tenant-lite.svc.cluster.local
    - minio.tenant-lite
    - minio.tenant-lite.svc
    - '*.storage-lite-hl.tenant-lite.svc.cluster.local'
    - '*.tenant-lite.svc.cluster.local'
```
- Install tenant:

```shell
$ installtenant
namespace/tenant-lite created
secret/storage-configuration created
secret/storage-user created
tenant.minio.min.io/storage-lite created
```