mirror of https://github.com/minio/docs.git synced 2025-11-06 03:49:02 +03:00
docs/source/operations/network-encryption/cert-manager.rst
Ravind Kumar 571f188a4e Attempting to reduce docs to single platform (#1258)
##

We are going to make the following changes to the Object Store docs as
part of a larger QC/Content pass:

### Left Navigation

We want to modify the left navigation flow to be a natural progression
from a basic setup to more advanced.

For example:

- Core Concepts
  - Deployment Architecture
  - Availability and Resiliency
  - Erasure Coding and Object Healing
  - Object Scanner
  - Site Replication and Failover
  - Thresholds and Limits
- Installation
  - Deployment Checklist
  - Deploy MinIO on Kubernetes
  - Deploy MinIO on Red Hat Linux
  - Deploy MinIO on Ubuntu Linux
  - Deploy MinIO for Development (MacOS, Windows, Container)
- Security and Encryption (Conceptual Overview)
  - Network Encryption (TLS) (Conceptual overview)
    - Enable Network Encryption using Single Domain
    - Enable Network Encryption using Multiple Domains
    - Enable Network Encryption using certmanager (Kubernetes only)
  - Data Encryption (SSE) (Conceptual overview)
    - Enable SSE using AIStor Key Management Server
    - Enable SSE using KES (Summary page + linkouts)
  - External Identity Management (Conceptual Overview)
    - Enable External Identity management using OpenID
    - Enable External Identity management using AD/LDAP
- Backup and Recovery
  - Create a Multi-Site Replication Configuration
  - Recovery after Hardware Failure
    - Recover after drive failure
    - Recover after node failure
    - Recover after site failure
- Monitoring and Alerts
  - Metrics and Alerting (v3 reference)
    - Monitoring and Alerting using Prometheus
    - Monitoring and Alerting using InfluxDB
    - Monitoring and Alerting using Grafana
    - Metrics V2 Reference
  - Publish Server and Audit Logs to External Services
  - MinIO Healthcheck API

The Administration, Developer, and Reference sections will remain as-is
for now.

http://192.241.195.202:9000/staging/singleplat/mindocs/index.html

# Goals

Maintaining multiple platforms is getting to be too much, and based on
analytics the actual number of users taking advantage of it is minimal.

Furthermore, the majority of traffic is to installation pages.

Therefore we're going to try to collapse back into a single MinIO Object
Storage product, and use simple navigation and on-page selectors to
handle Baremetal vs Kubernetes.

This may also help to eventually stage us to migrate to Hugo + Markdown

---------

Co-authored-by: Daryl White <53910321+djwfyi@users.noreply.github.com>
Co-authored-by: Rushan <rushenn@minio.io>
Co-authored-by: rushenn <rushenn123@gmail.com>
2025-07-30 12:33:02 -04:00


TLS certificate management with cert-manager

This guide shows you how to install cert-manager for TLS certificate management. The guide assumes a new or fresh MinIO Operator installation.

Note

This guide uses a self-signed Cluster Issuer. You can also use other Issuers supported by cert-manager.

The main difference is that you must provide that Issuer's CA certificate to MinIO, instead of the CAs mentioned in this guide.

Refer to the cert-manager documentation and your own organization's certificate requirements for more advanced configurations.

cert-manager manages certificates within Kubernetes clusters. The MinIO Operator supports using cert-manager for managing and provisioning certificates as an alternative to the MinIO Operator managing certificates for itself and its tenants.

cert-manager obtains valid certificates from an Issuer or ClusterIssuer and can automatically renew certificates prior to expiration.

A ClusterIssuer issues certificates for multiple namespaces. An Issuer only mints certificates for its own namespace.

The following graphic depicts how cert-manager provides certificates in namespaces across a Kubernetes cluster.

  • A ClusterIssuer exists at the root level of the Kubernetes cluster, typically the default namespace, to provide certificates to all other namespaces.
  • The minio-operator namespace receives its own, local Issuer.
  • Each tenant's namespace receives its own, local Issuer.
  • The certificates issued by each tenant namespace must be made known to and trusted by the MinIO Operator.

A graph of the namespaces in a Kubernetes cluster showing the relationship between the root level ClusterIssuer and three other namespaces with their own Issuer.

Prerequisites

Set up cert-manager

Install cert-manager

The following command installs version 1.12.13 using kubectl.

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.13/cert-manager.yaml

Release 1.12.X LTS is preferred, but you may install the latest version. For more details on installing cert-manager, see the cert-manager installation instructions.

Create a self-signed Cluster Issuer for the cluster

The Cluster Issuer is the top level Issuer from which all other certificates in the cluster derive.

  1. Request cert-manager to generate this by creating a ClusterIssuer resource.

    Create a file called selfsigned-root-clusterissuer.yaml with the following contents:

    # selfsigned-root-clusterissuer.yaml
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: selfsigned-root
    spec:
      selfSigned: {}

  2. Apply the resource to the cluster:

    kubectl apply -f selfsigned-root-clusterissuer.yaml
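
The following manifests are an added example, not part of the MinIO documentation. They sketch how a namespace-local Issuer, such as the one in the minio-operator namespace described above, derives its CA from the selfsigned-root ClusterIssuer. The names example-ca-certificate, example-operator-ca, example-ca-tls, and example-ca-issuer and the duration and key settings are hypothetical, and the minio-operator namespace is assumed to already exist.

```yaml
# Added example: resource names, secret name, duration, and key
# settings are hypothetical placeholders.
#
# Step 1: request a CA certificate from the self-signed ClusterIssuer.
# cert-manager stores the resulting key pair in the named Secret.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-ca-certificate
  namespace: minio-operator
spec:
  isCA: true                       # certificate may sign other certificates
  commonName: example-operator-ca  # self-signed certs need a non-empty subject
  secretName: example-ca-tls       # Secret that receives tls.crt / tls.key / ca.crt
  duration: 8760h                  # one year (constructed value)
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-root          # the ClusterIssuer created in this guide
    kind: ClusterIssuer
    group: cert-manager.io
---
# Step 2: a namespace-local Issuer that signs with the CA key pair above.
# An Issuer can only read Secrets in its own namespace, so the Certificate
# and the Issuer must live in the same namespace.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: example-ca-issuer
  namespace: minio-operator
spec:
  ca:
    secretName: example-ca-tls
```

After applying these manifests, `kubectl get clusterissuer selfsigned-root` and `kubectl get issuer -n minio-operator` should each report `True` in the READY column. The `ca.crt` entry of the CA Secret is the certificate that other components must trust.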

Next steps

Set up cert-manager for the MinIO Operator.
