MinIO TLS Process certificate k8s and OpenShift
Cesar Celis Hernandez edited this page Nov 11, 2022 · 6 revisions
- https://access.redhat.com/solutions/6078641
- https://access.redhat.com/solutions/6013471
- https://two-oes.medium.com/using-openshift-4-as-a-certificates-ca-717104a7b38f
- Create the private key:

```sh
openssl genrsa -out private.key 2048
```
- cert.cnf with data from my tenant:

```ini
# cert.cnf
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
O = "system:nodes"
C = US
CN = "system:node:*.pepe-hl.pepe.svc.cluster.local"

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = pepe-pool-0-0.pepe-hl.pepe.svc.cluster.local
DNS.2 = minio.pepe.svc.cluster.local
DNS.3 = minio.pepe
DNS.4 = .pepe.svc
DNS.5 = *.
DNS.6 = *.pepe.svc.cluster.local
```
- Get the tenant.csr (`private.key` comes from the first openssl command, `cert.cnf` is the file above):

```sh
openssl req -new -config cert.cnf -key private.key -out tenant.csr
```
- Encode it as a single base64 line (`tr` strips the line wrapping so it can be pasted into the CSR object):

```sh
cat tenant.csr | base64 | tr -d "\n"
```

Expected: one long base64 line with no newlines.
- Create the CSR object with the encoded message from above:

```sh
subl /Users/cniackz/minio/tenant.yaml
```

```yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: tenant-csr
spec:
  groups:
  - system:serviceaccounts
  - system:serviceaccounts:minio-operator
  - system:authenticated
  - system:nodes
  request: <base64-encoded tenant.csr from the previous step>
  signerName: kubernetes.io/kubelet-serving
  usages:
  - digital signature
  - key encipherment
  - server auth
  username: system:serviceaccount:minio-operator:minio-operator
```
- Apply it:

```sh
oc apply -f /Users/cniackz/minio/tenant.yaml
```

Expected:

```
$ oc apply -f /Users/cniackz/minio/tenant.yaml
certificatesigningrequest.certificates.k8s.io/tenant-csr created
```
- Approve it (`kubectl` on k8s, `oc adm` on OpenShift):

```sh
kubectl certificate approve tenant-csr
oc adm certificate approve tenant-csr
```

Expected:

```
$ kubectl certificate approve tenant-csr
certificatesigningrequest.certificates.k8s.io/tenant-csr approved
$ oc get csr
NAME         AGE   SIGNERNAME                      REQUESTOR   REQUESTEDDURATION   CONDITION
tenant-csr   56s   kubernetes.io/kubelet-serving   kubeadmin   <none>              Approved,Issued
```
- Get the public cert (the signed certificate is stored base64-encoded in the CSR's status):

```sh
oc get csr tenant-csr -o jsonpath='{.status.certificate}' | base64 -d > public.crt
```
================================
PAY CLOSE ATTENTION TO THIS PART:

For OpenShift, we need the Wildcard Certificate and the Signer in /var/run/secrets/kubernetes.io/serviceaccount/ca.crt. In other words, the cert generated above is not enough: it has to be concatenated with the Signer, and a workaround is then needed to patch the ingress controller so that the cert ends up in ca.crt.
```sh
# Steps obtained from: https://access.redhat.com/solutions/6013471
# How to add a custom CA/CA-chain to "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
# To add the CA/CA-chain to the pod level mounted CA file, which is /var/run/secrets/kubernetes.io/serviceaccount/ca.crt,
# the custom ingress certificate configuration steps can be used:
# https://docs.openshift.com/container-platform/4.7/security/certificates/replacing-default-ingress-certificate.html

# First generate the certificate of the signer:
oc get secret csr-signer -n openshift-kube-controller-manager-operator -o template='{{ index .data "tls.crt"}}' | base64 -d > route-ca.crt

# Then, put together the above cert along with its signer in a file called ingress.pem
cat public.crt route-ca.crt > ingress.pem

# Create a secret using the ingress.pem file above and the private.key from step 1
oc create secret tls secretocuatro --cert=ingress.pem --key=private.key -n openshift-ingress

# Patch it, and wait a couple of minutes for the cert to be located at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
oc patch ingresscontroller.operator default --type=merge -p '{"spec":{"defaultCertificate": {"name": "secretocuatro"}}}' -n openshift-ingress-operator
```
================================
- Verify it (`public.crt` is the file generated in the step above):

```sh
openssl verify -verbose -CAfile /var/run/secrets/kubernetes.io/serviceaccount/ca.crt public.crt
```

Expected in k8s is:

```
root@ubuntu:/tmp# openssl verify -verbose -CAfile /var/run/secrets/kubernetes.io/serviceaccount/ca.crt public.crt
public.crt: OK
```

We are failing in OpenShift (error 20 means the issuer of public.crt is not in ca.crt):

```
# openssl verify -verbose -CAfile /var/run/secrets/kubernetes.io/serviceaccount/ca.crt public.crt
C = US, O = system:nodes, CN = system:node:*.pepe-hl.pepe.svc.cluster.local
error 20 at 0 depth lookup: unable to get local issuer certificate
error public.crt: verification failed
```
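The verify step, as an added self-contained Go example (not code from this page or from the MinIO project): it mints a stand-in signer and a tenant leaf carrying the four well-formed SANs from cert.cnf (DNS.4 `.pepe.svc` and DNS.5 `*.` are not valid hostnames and are left out), then checks the leaf the way `openssl verify -CAfile ca.crt public.crt` and a TLS client do. Beyond the page's case it also shows that clients match hostnames against SANs only, so a second pod such as pepe-pool-0-1 is not covered by the wildcard in the CN; signer name, keys and validity period are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// tenantSANs: the well-formed DNS SANs from cert.cnf (constructed to match the page).
var tenantSANs = []string{"pepe-pool-0-0.pepe-hl.pepe.svc.cluster.local",
	"minio.pepe.svc.cluster.local", "minio.pepe", "*.pepe.svc.cluster.local"}

// mint self-signs a stand-in signer and issues the tenant leaf from it, standing in for the approved CSR.
func mint() (signer, leaf *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	issue := func(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey) *x509.Certificate {
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey) // caKey signs both
		if err != nil {
			panic(err)
		}
		c, _ := x509.ParseCertificate(der)
		return c
	}
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kubernetes"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	signer = issue(caTmpl, caTmpl, &caKey.PublicKey)
	// CN mirrors cert.cnf; clients ignore it for hostname matching once SANs are present.
	leaf = issue(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: tenantSANs,
		Subject:   pkix.Name{Organization: []string{"system:nodes"}, CommonName: "system:node:*.pepe-hl.pepe.svc.cluster.local"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment}, signer, &leafKey.PublicKey)
	return signer, leaf
}

// verify mirrors `openssl verify -CAfile ca.crt public.crt` plus a client's SAN check; signer == nil models a ca.crt without the signer.
func verify(leaf, signer *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	if signer != nil {
		pool.AddCert(signer)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}
```

A nil error from `verify` corresponds to `public.crt: OK`; the nil-signer case reproduces the OpenShift `unable to get local issuer certificate` failure shown above.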
- Create the secret in the minio-operator namespace (both values are the files base64-encoded on a single line, e.g. `cat public.crt | base64 | tr -d "\n"`):

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: tenant-tls
  namespace: minio-operator
type: Opaque
data:
  private.key: >-
    <base64 of private.key>
  public.crt: >-
    <base64 of public.crt>
```
- Pass that secret down to your tenant config:

```yaml
apiVersion: minio.min.io/v2
kind: Tenant
metadata:
  name: pepe
  namespace: pepe
spec:
  ## Disable default tls certificates.
  requestAutoCert: false
  ## Use the externally generated certificate from the tenant-tls secret created above.
  externalCertSecret:
  - name: tenant-tls
    type: Opaque
  ## Specification for MinIO Pool(s) in this Tenant.
  pools:
  - servers: 1
    name: pool-0
    volumesPerServer: 1
    ## Configure security context
    securityContext: {}
    volumeClaimTemplate:
      apiVersion: v1
      kind: persistentvolumeclaims
      metadata: { }
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 1Gi
        storageClassName: standard
```

- Apply the tenant:

```sh
kubectl apply -k ~/operator/examples/kustomization/tenant-certmanager
```