github.com/minio/minio@v0.0.0-20240328213742-3f72439b8a27/docs/tls/kubernetes/README.md

# How to secure access to MinIO on Kubernetes with TLS [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)

This document explains how to configure MinIO server with TLS certificates on Kubernetes.

## 1. Prerequisites

- Familiarity with the [MinIO deployment process on Kubernetes](https://min.io/docs/minio/kubernetes/upstream/operations/installation.html).

- A Kubernetes cluster with `kubectl` configured to talk to it.

- TLS certificates, either issued by a CA or [self-signed](https://min.io/docs/minio/kubernetes/upstream/operations/network-encryption.html).

For a [distributed MinIO setup](https://min.io/docs/minio/kubernetes/upstream/operations/installation.html#procedure), where several pods run under different DNS names, you need either a wildcard certificate (or one whose Subject Alternative Names list every pod hostname) that is valid for all of them, or a separate certificate for each pod. If you use per-pod certificates, create a Kubernetes secret for each one and mount the matching secret into each pod.

For testing purposes, here is [how to create self-signed certificates](https://github.com/minio/minio/tree/master/docs/tls#3-generate-self-signed-certificates).
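Before storing the certificate in a secret it is worth verifying the material itself: that `private.key` belongs to `public.crt`, that the certificate's Subject Alternative Names cover every hostname the pods will be reached at (for a StatefulSet behind a headless service these are `<statefulset>-<ordinal>.<service>.<namespace>.svc.cluster.local`, assuming the default `cluster.local` cluster domain), and whether it is self-signed, in which case it must also be mapped into the `CAs/` directory as shown in section 3. The Go program below is an added example written for this page; it is not part of MinIO and uses only the standard library. Its `NewTestCert` helper produces constructed sample material so the checks can be exercised offline, and the `certcheck` name and file paths are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// CheckPair parses PEM-encoded public.crt and private.key and returns the leaf
// certificate; tls.X509KeyPair rejects a key that does not belong to the certificate.
func CheckPair(certPEM, keyPEM []byte) (*x509.Certificate, error) {
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, fmt.Errorf("public.crt and private.key are not a matching pair: %w", err)
	}
	return x509.ParseCertificate(pair.Certificate[0])
}

// MissingHosts returns the expected pod hostnames that the certificate's Subject
// Alternative Names do not cover. VerifyHostname honours wildcard entries.
func MissingHosts(cert *x509.Certificate, hosts []string) []string {
	var missing []string
	for _, h := range hosts {
		if err := cert.VerifyHostname(h); err != nil {
			missing = append(missing, h)
		}
	}
	return missing
}

// IsSelfSigned reports whether the certificate's signature verifies under its own
// public key; such a certificate must also be mapped to CAs/public.crt for MinIO to trust it.
func IsSelfSigned(cert *x509.Certificate) bool {
	return cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}

// NewTestCert makes a throwaway self-signed ECDSA certificate for the given DNS names.
// Constructed sample material so the example runs offline; a real deployment uses the
// certificate from your CA or from the self-signed procedure linked above.
func NewTestCert(dnsNames []string) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "minio"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), nil
}

// Usage: go run certcheck.go public.crt private.key host [host ...]
func main() {
	if len(os.Args) < 4 {
		fmt.Fprintln(os.Stderr, "usage: certcheck public.crt private.key host [host ...]")
		os.Exit(2)
	}
	certPEM, errCert := os.ReadFile(os.Args[1])
	keyPEM, errKey := os.ReadFile(os.Args[2])
	if errCert != nil || errKey != nil {
		fmt.Fprintln(os.Stderr, "cannot read inputs:", errCert, errKey)
		os.Exit(1)
	}
	cert, err := CheckPair(certPEM, keyPEM)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if missing := MissingHosts(cert, os.Args[3:]); len(missing) > 0 {
		fmt.Fprintln(os.Stderr, "certificate does not cover:", missing)
		os.Exit(1)
	}
	if IsSelfSigned(cert) {
		fmt.Println("self-signed: also map public.crt to CAs/public.crt in the secret volume")
	}
	fmt.Println("ok: key matches certificate, all hostnames covered, expires", cert.NotAfter.Format(time.RFC3339))
}
```

Run it as `go run certcheck.go path/to/public.crt path/to/private.key minio-0.minio.default.svc.cluster.local minio-1.minio.default.svc.cluster.local ...`; a non-zero exit means the secret you are about to create would not work for those pods. Note that a pod wildcard such as `*.minio.default.svc.cluster.local` does not cover the bare service name `minio.default.svc.cluster.local`, so list that name as well if clients connect through the service.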
    16  
## 2. Create Kubernetes secret

[Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret) are intended to hold sensitive information, so we use one to hold the TLS certificate and private key. MinIO looks for files named `public.crt` and `private.key`, and `kubectl create secret generic --from-file` uses each file's name as the key inside the secret, so either name your files exactly that or spell the key out as `--from-file=public.crt=path/to/your.crt`. Replace the paths below with the locations of your files, then run:

```sh
kubectl create secret generic tls-ssl-minio --from-file=path/to/private.key --from-file=path/to/public.crt
```

Cross-check that the secret was created successfully using

```sh
kubectl get secrets
```

You should see a secret named `tls-ssl-minio`. `kubectl describe secret tls-ssl-minio` lists the keys it contains (`public.crt` and `private.key`) and their sizes without printing the contents. Keep in mind that by default a secret is only base64-encoded, not encrypted, when stored in etcd; restrict who can read it with RBAC and enable encryption at rest if the private key warrants it.

## 3. Update deployment yaml file

Whether you are planning to use a Kubernetes StatefulSet or a Kubernetes Deployment, the steps remain the same.

Add the section below to your yaml file under `spec.volumes[]`:

```yaml
    volumes:
      - name: secret-volume
        secret:
          secretName: tls-ssl-minio
          items:
          - key: public.crt
            path: public.crt
          - key: private.key
            path: private.key
          - key: public.crt
            path: CAs/public.crt
```

Note that `secretName` must be the same as the name of the secret created in the previous step. The first two items place the server certificate and private key where MinIO expects them. The third item places a copy of the same certificate under `CAs/`, the sub-directory from which MinIO reads additional trusted CA certificates; this is what makes MinIO trust a self-signed certificate, including for connections between nodes in a distributed setup. If your certificate was issued by a private CA that the container's system trust store does not know, add that CA's certificate to the secret and map it under `CAs/` instead. Kubernetes creates the mounted files with mode `0644` by default; the volume's `defaultMode` field lets you tighten that.

Then add the below section under `spec.containers[].volumeMounts[]`:

```yaml
    volumeMounts:
        - name: secret-volume
          mountPath: /<user-running-minio>/.minio/certs
```

Here the `name` of the `volumeMount` must match the `name` of the `volume` defined above, and `mountPath` must be the MinIO server's certificate directory. By default this is the `.minio/certs` sub-directory of the home directory of the user running MinIO; the placeholder `<user-running-minio>` in the snippet stands for that home directory. If you start the server with the `--certs-dir` (`-S`) flag, mount the secret at that directory instead.

*Tip*: In a standard Kubernetes configuration the container runs as root, so the path is `/root/.minio/certs`. If you set a non-root `runAsUser` in the pod's `securityContext`, adjust the path to that user's home directory or use `--certs-dir`. Kubernetes mounts the secret volume read-only, so mount only the `certs` sub-directory and not a parent directory that the MinIO server needs to write to.