You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 
minio/docs/tls/kubernetes/README.md

2.8 KiB

How to secure access to Minio on Kubernetes with TLS Slack

This document explains how to configure Minio server with TLS certificates on Kubernetes.

1. Prerequisites

2. Create Kubernetes secret

Kubernetes secrets are intended to hold sensitive information. We'll use secrets to hold the TLS certificate and key. To create a secret, update the paths to private.key and public.crt below.

Then type

kubectl create secret generic tls-ssl-minio --from-file=path/to/private.key --from-file=path/to/public.crt

Cross check if the secret is created successfully using

kubectl get secrets

You should see a secret named tls-ssl-minio.

3. Update deployment yaml file

Whether you are planning to use Kubernetes StatefulSet or Kubernetes Deployment, the steps remain the same.

If you're using certificates provided by a CA, add the below section in your yaml file under spec.volumes[]

    volumes:
      - name: secret-volume
        secret:
          secretName: tls-ssl-minio
          items:
          - key: public.crt
            path: .minio/certs/public.crt
          - key: private.key
            path: .minio/certs/private.key

In case you are using a self signed certificate, Minio server will not trust it by default. To add the certificate as a trusted certificate, add the public.crt to the .minio/certs/CAs directory as well. This can be done by

    volumes:
      - name: secret-volume
        secret:
          secretName: tls-ssl-minio
          items:
          - key: public.crt
            path: .minio/certs/public.crt
          - key: private.key
            path: .minio/certs/private.key
          - key: public.crt
            path: .minio/certs/CAs/public.crt

Note that the secretName should be same as the secret name created in previous step. Then add the below section under spec.containers[].volumeMounts[]

    volumeMounts:
        - name: secret-volume
          mountPath: /<user-running-minio>/

Here the name of volumeMount should match the name of volume created previously. Also mountPath is the path of Minio server's config directory, (used to store the certificates). By default the location is /user-running-minio/.minio/certs. Update the mountPath to appropriate parent directory for Minio server config directory. (Tip: In default Kubernetes configuration this will be /root).