mirror of https://github.com/minio/docs.git synced 2025-08-08 01:43:18 +03:00
docs/source/operations/cert-manager.rst
Daryl White ca34aa7e43 Add cert-manager documentation (#1317)
Adds cert-manager docs for Kubernetes outputs.

Closes #1245 

Partially addresses #1273
2024-10-01 16:06:37 -04:00

TLS certificate management with cert-manager

This guide shows you how to install cert-manager for TLS certificate management. The guide assumes a new or fresh MinIO Operator installation.

Note

This guide uses a self-signed Cluster Issuer. You can also use other Issuers supported by cert-manager.

The main difference is that you must provide that Issuer's CA certificate to MinIO, instead of the CAs mentioned in this guide.

Refer to the cert-manager documentation and your own organization's certificate requirements for more advanced configurations.

cert-manager manages certificates within Kubernetes clusters. The MinIO Operator supports using cert-manager for managing and provisioning certificates as an alternative to the MinIO Operator managing certificates for itself and its tenants.

cert-manager obtains valid certificates from an Issuer or ClusterIssuer and can automatically renew certificates prior to expiration.

A ClusterIssuer issues certificates for multiple namespaces. An Issuer only mints certificates for its own namespace.

The following graphic depicts how cert-manager provides certificates in namespaces across a Kubernetes cluster.

  • A ClusterIssuer exists at the root level of the Kubernetes cluster, typically the default namespace, to provide certificates to all other namespaces.
  • The minio-operator namespace receives its own, local Issuer.
  • Each tenant's namespace receives its own, local Issuer.
  • The certificates issued by each tenant namespace must be made known to and trusted by the MinIO Operator.

A graph of the namespaces in a Kubernetes cluster showing the relationship between the root level ClusterIssuer and three other namespaces with their own Issuer.

Prerequisites

Set up cert-manager

Install cert-manager

The following command installs version 1.12.13 using kubectl.

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.13/cert-manager.yaml

Release 1.12.X LTS is preferred, but you may install the latest version. For more details on installing cert-manager, see their installation instructions.

Create a self-signed Cluster Issuer for the cluster

The Cluster Issuer is the top-level Issuer from which all other certificates in the cluster derive.

  1. Request cert-manager to generate this by creating a ClusterIssuer resource.

    Create a file called selfsigned-root-clusterissuer.yaml with the following contents:

    # selfsigned-root-clusterissuer.yaml
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: selfsigned-root
    spec:
      selfSigned: {}

  2. Apply the resource to the cluster:

    kubectl apply -f selfsigned-root-clusterissuer.yaml
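
To confirm both steps before moving on, the following added script (not part of the MinIO documentation) checks that the cert-manager deployments are Available, that their images carry the v1.12.13 tag installed above, and that selfsigned-root reports Ready. It assumes the manifest installs into the cert-manager namespace; the function and variable names are illustrative.

```shell
#!/usr/bin/env bash
# Added example, not from the MinIO docs: post-install checks for this guide.
WANT_VERSION="v1.12.13"    # release installed above
ISSUER="selfsigned-root"   # ClusterIssuer created above
CM_NS="cert-manager"       # assumption: namespace created by cert-manager.yaml

# Reads image references on stdin. Succeeds only if at least one is present
# and every one carries the expected tag (optionally followed by a digest).
images_pinned() {
  local want="$1" seen=0 img
  while IFS= read -r img || [ -n "$img" ]; do
    [ -z "$img" ] && continue
    seen=1
    case "$img" in
      *":$want" | *":$want@sha256:"*) ;;
      *) echo "unexpected image: $img" >&2; return 1 ;;
    esac
  done
  [ "$seen" -eq 1 ]
}

# Reads "Type=Status" condition lines on stdin. Succeeds only on Ready=True;
# an issuer with no status yet (empty input) counts as not ready.
issuer_ready() {
  grep -qx 'Ready=True'
}

# Live check against the current kubectl context.
verify_cert_manager() {
  kubectl wait --for=condition=Available deployment --all \
    -n "$CM_NS" --timeout=120s || return 1
  kubectl get deployment -n "$CM_NS" \
    -o jsonpath='{.items[*].spec.template.spec.containers[*].image}' \
    | tr -s '[:space:]' '\n' | images_pinned "$WANT_VERSION" || return 1
  kubectl get clusterissuer "$ISSUER" \
    -o jsonpath='{range .status.conditions[*]}{.type}={.status}{"\n"}{end}' \
    | issuer_ready || { echo "$ISSUER is not Ready" >&2; return 1; }
  echo "cert-manager $WANT_VERSION is Available and $ISSUER is Ready"
}

# Touch the cluster only when the script is run with --live.
if [ "${1:-}" = "--live" ]; then verify_cert_manager; fi
```

If you installed a release other than 1.12.13, change WANT_VERSION to match; a mismatch between the tag you applied and the images actually running is worth investigating before issuing certificates.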

Next steps

Set up cert-manager for the MinIO Operator.
