TLS certificate management with cert-manager
The MinIO AIStor Operator supports cert-manager for provisioning and managing TLS certificates, as an alternative to the certificates the Operator generates itself.
cert-manager obtains valid certificates from an Issuer or ClusterIssuer and can automatically renew certificates prior to expiration.
A ClusterIssuer issues certificates for multiple Namespaces. An Issuer only mints certificates for its own Namespace. This guide uses a ClusterIssuer.
You can also use any other issuer supported by cert-manager. With another issuer, you must provide that issuer's CA certificate to MinIO AIStor instead of the CA created in this guide.
If you use cert-manager only to create external certificates, keep `.spec.certificates.disableAutoCert: false` so that the AIStor Operator still generates the cluster certificates.
Summary
You complete the following steps to manage your TLS certificates with cert-manager:
- Install cert-manager.
- Create cluster issuers (self-signed, and one backed by a fixed root CA certificate).
- Create cert-manager certificates for each object store.
- Add the cert-manager certificates to the object stores.
The details
- Install cert-manager. See the cert-manager documentation for details. Version 1.20 is recommended.
- Create a ClusterIssuer resource for your cluster that can generate self-signed certificates. It is needed only to bootstrap the initial self-signed root CA certificate.

```yaml
# selfsigned-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
```
- Create the self-signed root CA certificate using the `selfsigned-issuer` issuer, by creating the `root-ca` Certificate in the cert-manager namespace, valid for 10 years:

```yaml
# root-ca.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: root-ca
  namespace: cert-manager # change if cert-manager is installed in another namespace
spec:
  commonName: root-ca
  duration: 87600h # 10 years
  renewBefore: 720h # 30 days
  isCA: true
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: selfsigned-issuer
  privateKey:
    algorithm: ECDSA
    size: 256
  secretName: root-ca
```

- Create a ClusterIssuer resource for your cluster that issues certificates signed by the `root-ca` certificate:

```yaml
# ca-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ca-issuer
spec:
  ca:
    secretName: root-ca
```

This cluster issuer always signs certificates with the `root-ca` certificate. It cannot sign anything until the `root-ca` Secret exists, so wait for the `root-ca` Certificate to report `Ready` before requesting certificates from it.
- Create the certificate for the object store with cert-manager.
The certificate must be valid for the following DNS names:
- `minio.<namespace>`, `minio.<namespace>.svc` and `minio.<namespace>.svc.<cluster domain>` (S3 API)
- `*.<object store-name>-hl.<namespace>.svc.<cluster domain>` (inter-node headless service)
- Optional: `<object store-name>-console.<namespace>`, `<object store-name>-console.<namespace>.svc` and `<object store-name>-console.<namespace>.svc.<cluster domain>` (console)
where:
- `<cluster domain>` is the internal root DNS domain assigned in your Kubernetes cluster. Typically this is `cluster.local`, but confirm the value in your CoreDNS configuration. Different Kubernetes providers manage the root domain differently; check with your Kubernetes provider for more information.
- `<object store-name>` is the name given to your object store in the `metadata.name` field of the object store YAML. For this example it is `myaistor`.
- `<namespace>` is the namespace created earlier, where the object store will be installed. In the object store YAML it is defined in the `metadata.namespace` field. For this example the value is `object-store-example`.
Create a file called `object-store-example-minio-certificate.yaml` (or whatever suits your naming conventions). The contents of the file should resemble the following, modified to reflect your cluster and object store configuration:

```yaml
# object-store-example-minio-certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: object-store-certmanager-cert
  namespace: object-store-example
spec:
  dnsNames:
    # S3 API (required)
    - "minio.object-store-example"
    - "minio.object-store-example.svc"
    - "minio.object-store-example.svc.cluster.local"
    # Inter-node service (headless, required)
    - "*.myaistor-hl.object-store-example.svc.cluster.local"
    # AIStor console (optional)
    - "myaistor-console.object-store-example"
    - "myaistor-console.object-store-example.svc"
    - "myaistor-console.object-store-example.svc.cluster.local"
  secretName: myaistor-tls
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: ca-issuer
```

Tip: for this example, the object store name is `myaistor`. We recommend naming the Secret in the `spec.secretName` field `<object store-name>-tls` as a naming convention. cert-manager writes the issued certificate and key into a Secret of type `kubernetes.io/tls` with that name in the Certificate's own namespace, which is why the Certificate is created in the object store's namespace rather than in the cert-manager namespace.
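The DNS-name list above is easy to get subtly wrong, and a name that is missing from the certificate is rejected by every client that verifies the hostname. The following Python script is an added example, not part of the AIStor documentation or of MinIO's code: it builds the required name list for a given store, namespace and cluster domain, renders the matching Certificate manifest, and checks the SANs printed by `openssl` for the issued Secret against that list using single-label wildcard matching. The sample `openssl` output and the pod hostname `myaistor-pool-0-0` used in the tests are constructed for illustration.

```python
"""Added example (not AIStor documentation or MinIO code): compute the DNS names an
AIStor object store certificate must carry and check an issued certificate's SANs
against them. Standard library only."""
import re


def required_dns_names(store, namespace, cluster_domain="cluster.local", console=True):
    """DNS names the guide requires for the S3 API, the headless inter-node
    service and (optionally) the console."""
    names = [
        f"minio.{namespace}",                              # S3 API
        f"minio.{namespace}.svc",
        f"minio.{namespace}.svc.{cluster_domain}",
        f"*.{store}-hl.{namespace}.svc.{cluster_domain}",  # inter-node (headless) service
    ]
    if console:
        names += [
            f"{store}-console.{namespace}",
            f"{store}-console.{namespace}.svc",
            f"{store}-console.{namespace}.svc.{cluster_domain}",
        ]
    return names


def san_covers(san, name):
    """Does one SAN entry satisfy one required name?  Exact match, or an
    RFC 6125-style wildcard: '*' only as the whole leftmost label and matching
    exactly one label ('*.x.svc' covers 'pod-0.x.svc' but not 'a.b.x.svc').
    A required wildcard name is only satisfied by the identical wildcard SAN."""
    if san == name:
        return True
    if san.startswith("*.") and "*" not in name:
        suffix = san[1:]                      # ".myaistor-hl.ns.svc.cluster.local"
        if name.endswith(suffix):
            head = name[: -len(suffix)]
            return head != "" and "." not in head
    return False


def missing_names(required, sans):
    """Required names that no SAN in the certificate covers."""
    return [n for n in required if not any(san_covers(s, n) for s in sans)]


def parse_openssl_sans(text):
    """Pull the DNS entries out of the 'Subject Alternative Name' section printed
    by `openssl x509 -noout -ext subjectAltName`."""
    return re.findall(r"DNS:([^,\s]+)", text)


def render_certificate(store, namespace, cluster_domain="cluster.local",
                       console=True, issuer="ca-issuer"):
    """Render the cert-manager Certificate manifest from the guide for any
    store/namespace; secretName follows the '<store>-tls' convention."""
    dns = "\n".join(f'    - "{n}"'
                    for n in required_dns_names(store, namespace, cluster_domain, console))
    return f"""apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {store}-certmanager-cert
  namespace: {namespace}
spec:
  dnsNames:
{dns}
  secretName: {store}-tls
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: {issuer}
"""


# Constructed sample (not captured from a real cluster): what
#   kubectl get secret myaistor-tls -n object-store-example -o jsonpath='{.data.tls\.crt}' \
#     | base64 -d | openssl x509 -noout -ext subjectAltName
# would print for a certificate whose author forgot the headless-service wildcard.
SAMPLE_OPENSSL_OUTPUT = """X509v3 Subject Alternative Name:
    DNS:minio.object-store-example, DNS:minio.object-store-example.svc, DNS:minio.object-store-example.svc.cluster.local, DNS:myaistor-console.object-store-example, DNS:myaistor-console.object-store-example.svc, DNS:myaistor-console.object-store-example.svc.cluster.local
"""
SAMPLE_SANS = parse_openssl_sans(SAMPLE_OPENSSL_OUTPUT)


if __name__ == "__main__":
    required = required_dns_names("myaistor", "object-store-example")
    print("missing:", missing_names(required, SAMPLE_SANS))
    print(render_certificate("myaistor", "object-store-example"))
```

To check a real deployment, paste the `subjectAltName` output from the `kubectl`/`openssl` pipeline in the comment into `parse_openssl_sans` and run `missing_names` against `required_dns_names` for your cluster domain; an empty result means the Secret satisfies the list above. The wildcard rule is deliberately strict: a certificate that carries only the bare `myaistor-hl.object-store-example.svc.cluster.local` name does not cover the per-pod hostnames under it.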
Deploy the object store using cert-manager for TLS certificate management
When deploying an object store, you must set the TLS configuration such that:
- The object store does not automatically generate its own certificates (`spec.certificates.disableAutoCert: true`), and
- The object store references the Secret that cert-manager populates (`spec.certificates.server`).
This directs the Operator to deploy the object store using the cert-manager certificates exclusively.
The following YAML spec provides a baseline configuration meeting these requirements:
```yaml
apiVersion: aistor.min.io/v1
kind: ObjectStore
metadata:
  name: myaistor
  namespace: object-store-example
spec:
  ...
  certificates:
    disableAutoCert: true # leave this at `false` if you only use cert-manager to create external certificates
    server:
      - name: myaistor-tls
        type: kubernetes.io/tls
  ...
```