Configure TLS/SSL for MinIO Tenants

Overview

MinIO by default automatically generates self-signed TLS certificates for MinIO Tenant resources. This procedure documents configuring custom TLS x.509 certificates for use by the MinIO Tenant.

MinIO SNI support allows pods and services in the Tenant to use both auto-generated and custom certificates when establishing TLS connections. For example, you can deploy a Tenant where only services or pods accessed by external clients have custom certificates signed by a trusted Certificate Authority, while inter-Tenant TLS traffic continues to use the automatically generated self-signed certificates.

User-Generated TLS Certificates for MinIO Object Storage

The MinIO Operator supports specifying user-generated x.509 certificates for establishing TLS connections. MinIO supports SNI where the pod or service can select the appropriate x.509 certificate based on the hostname to which the client is connecting. For example, consider an x.509 certificate with the following Subject Alternative Name (SAN) DNS names:

• minio.example.net

• *.minio.example.net

Any MinIO pod or server with that certificate can select it in response to a client making a request against a matching domain.

The Operator also supports specifying Certificate Authorities (CA) used by the MinIO Tenant for validating the x.509 certificates of external services.

You can specify custom TLS certificates while deploying a tenant using the MinIO Operator Console.

For users deploying MinIO Tenants using YAML object specifications, the following table lists a subset of MinIO Tenant object specification fields for specifying user-generated x.509 certificates or Certificate Authorities (CA):

Create a Kubernetes Secret with type kubernetes.io/tls for each x.509 certificate or CA which you want to add to the MinIO Tenant. See Kubernetes Secrets for more complete documentation.