Table of Contents
MinIO by default automatically generates self-signed TLS certificates for MinIO Tenant resources. This procedure documents configuring custom TLS x.509 certificates for use by the MinIO Tenant.
MinIO SNI support allows pods and services in the Tenant to use both auto-generated and custom certificates when establishing TLS connections. For example, you can deploy a Tenant where only services or pods accessed by external clients have custom certificates signed by a trusted Certificate Authority, while inter-Tenant TLS traffic continues to use the automatically generated self-signed certificates.
The MinIO Operator supports specifying user-generated x.509 certificates for establishing TLS connections. MinIO supports SNI where the pod or service can select the appropriate x.509 certificate based on the hostname to which the client is connecting. For example, consider an x.509 certificate with the following Subject Alternative Name (SAN) DNS names:
Any MinIO pod or server with that certificate can select it in response to a client making a request against a matching domain.
The Operator also supports specifying Certificate Authorities (CA) used by the MinIO Tenant for validating the x.509 certificates of external services.
You can specify custom TLS certificates while deploying a tenant using the MinIO Operator Console.
For users deploying MinIO Tenants using YAML object specifications, the following table lists a subset of MinIO Tenant object specification fields for specifying user-generated x.509 certificates or Certificate Authorities (CA):
One or more Certificate Authority (CA) certificates used by Pods in the MinIO Tenant when validating x.509 TLS certificates presented by external services.
One or more x.509 certificates used by Pods in the MinIO Tenant for establishing TLS connections. The pod/service uses SNI to determine which certificate to serve based on the requested hostname.
Create a Kubernetes Secret with type
kubernetes.io/tls for each x.509
certificate or CA which you want to add to the MinIO Tenant. See
Kubernetes Secrets for
more complete documentation.