From 5afd8563554a3b57291d25596addf9c504f4a1d2 Mon Sep 17 00:00:00 2001 From: Nitish Tiwari Date: Thu, 24 May 2018 09:11:25 +0530 Subject: [PATCH] Update Kubernetes TLS doc with info for distributed setups (#5971) Also, add details on how to create wildcard self-signed certificates using openssl --- docs/tls/README.md | 10 +++++++++- docs/tls/kubernetes/README.md | 4 ++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/docs/tls/README.md b/docs/tls/README.md index 8dabe177a..0571d6880 100644 --- a/docs/tls/README.md +++ b/docs/tls/README.md @@ -70,8 +70,16 @@ openssl rsa -in private-pkcs8-key.key -aes256 -passout pass:PASSWORD -out privat **Generate the self-signed certificate**: +Generate self-signed certificate using the below command (remember to replace `` with your actual domain name) + +```sh +openssl req -new -x509 -days 3650 -key private.key -out public.crt -subj "/C=US/ST=state/L=location/O=organization/CN=" +``` + +Generate self-signed wildcard certificate using the below command. This certificate will be valid for all the sub-domains under `domain.com`. Wildcard certificates come in handy while deploying distributed Minio instances where there may be multiple sub-domains under a single domain, with each one running a separate Minio instance. + ```sh -openssl req -new -x509 -days 3650 -key private.key -out public.crt -subj "/C=US/ST=state/L=location/O=organization/CN=domain" +openssl req -new -x509 -days 3650 -key private.key -out public.crt -subj "/C=US/ST=state/L=location/O=organization/CN=<*.domain.com>" ``` ### Using OpenSSL (with IP address) diff --git a/docs/tls/kubernetes/README.md b/docs/tls/kubernetes/README.md index d0fdc6b53..c5f2cfddd 100644 --- a/docs/tls/kubernetes/README.md +++ b/docs/tls/kubernetes/README.md 
@@ -10,6 +10,10 @@ This document explains how to configure Minio server with TLS certificates on Ku - Acquire TLS certificates, either from a CA or [create self-signed certificates](https://docs.minio.io/docs/how-to-secure-access-to-minio-server-with-tls). +For a [distributed Minio setup](https://docs.minio.io/docs/distributed-minio-quickstart-guide), where there are multiple pods with different domain names expected to run, you will either need wildcard certificates valid for all the domains or have specific certificates for each domain. If you are going to use specific certificates, make sure to create Kubernetes secrets accordingly. + +For testing purposes, here is [how to create self-signed certificates](https://github.com/minio/minio/tree/master/docs/tls#3-generate-self-signed-certificates). + ## 2. Create Kubernetes secret [Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret) are intended to hold sensitive information.
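Review bot: In the docs/tls/README.md hunk, the placeholder is inconsistent and partly missing: the new sentence reads "replace `` with your actual domain name" with nothing between the backticks, the first added command ends in a bare `CN=`, and the wildcard command wraps its value in angle brackets (`CN=<*.domain.com>`). A reader who copies that line literally gets a certificate whose Common Name is the string `<*.domain.com>` including the brackets, which no client will ever match. Use one visible placeholder convention in both commands and state that the brackets are not part of the value. Two further caveats belong in the wildcard paragraph: `*.domain.com` matches exactly one label (`node1.domain.com`, but neither `domain.com` itself nor `a.b.domain.com`), so "valid for all the sub-domains under `domain.com`" overstates it, and distributed Minio hosts with deeper names would fail verification; and both commands place the name only in the CN, which Go clients from 1.15 onward (Minio and mc are Go programs) ignore in favour of the subjectAltName, so the commands should also set a SAN, for example `-addext "subjectAltName=DNS:*.domain.com"` on OpenSSL 1.1.1 or newer, or the equivalent via an OpenSSL config file.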
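Review bot: In the docs/tls/kubernetes/README.md hunk, "make sure to create Kubernetes secrets accordingly" leaves the per-domain case without an actionable step: say whether one secret per pod is expected and how each pod is pointed at its own secret (or at a single secret holding all pairs), since that is the only part of the distributed case that differs from the single-server flow below. The new self-signed link targets `https://github.com/minio/minio/tree/master/docs/tls#3-generate-self-signed-certificates`, a branch-tracking URL whose `#3-...` anchor breaks as soon as that section is renumbered, while the bullet immediately above already links the docs.minio.io page for the same procedure; point both at one stable location. Keeping "For testing purposes" is right, since a self-signed certificate is not trusted by default and a reader following this for production would need a CA-issued one as the first bullet already says.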