From 1cf381f1b099376c6e1db9435e1ceee4988814b9 Mon Sep 17 00:00:00 2001
From: rawipfel
Date: Fri, 18 May 2018 01:01:11 -0400
Subject: [PATCH] handle Kubernetes read-only secrets (#5951)
---
 docs/tls/kubernetes/README.md | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/docs/tls/kubernetes/README.md b/docs/tls/kubernetes/README.md
index 37f22f0a5..d0fdc6b53 100644
--- a/docs/tls/kubernetes/README.md
+++ b/docs/tls/kubernetes/README.md
@@ -43,9 +43,9 @@ If you're using certificates provided by a CA, add the below section in your yam
 secretName: tls-ssl-minio
 items:
 - key: public.crt
- path: .minio/certs/public.crt
+ path: public.crt
 - key: private.key
- path: .minio/certs/private.key
+ path: private.key
 ```
 
 In case you are using a self signed certificate, Minio server will not trust it by default. To add the certificate as a
@@ -58,11 +58,11 @@ trusted certificate, add the `public.crt` to the `.minio/certs/CAs` directory as
 secretName: tls-ssl-minio
 items:
 - key: public.crt
- path: .minio/certs/public.crt
+ path: public.crt
 - key: private.key
- path: .minio/certs/private.key
+ path: private.key
 - key: public.crt
- path: .minio/certs/CAs/public.crt
+ path: CAs/public.crt
 ```
 
 Note that the `secretName` should be same as the secret name created in previous step. Then add the below section under
@@ -71,10 +71,10 @@ Note that the `secretName` should be same as the secret name created in previous
 ```yaml
 volumeMounts:
 - name: secret-volume
- mountPath: //
+ mountPath: //.minio/certs
 ```
 
-Here the name of `volumeMount` should match the name of `volume` created previously. Also `mountPath` is the path of
-Minio server's config directory, (used to store the certificates). By default the location is
-`/user-running-minio/.minio/certs`. Update the `mountPath` to appropriate parent directory for Minio server config
-directory. (Tip: In default Kubernetes configuration this will be `/root`).
+Here the name of `volumeMount` should match the name of `volume` created previously. Also `mountPath` must be set to the path of
+the Minio server's config sub-directory that is used to store certificates. By default, the location is
+`/user-running-minio/.minio/certs`. Tip: In a standard Kubernetes configuration, this will be `/root/.minio/certs`.
+Kubernetes will mount the secrets volume read-only, so avoid setting `mountPath` to a path that Minio server expects to write to.