Summary
There's some user confusion on configuring TLS for distributed MinIO.
- https://docs.min.io/minio/baremetal/security/network-encryption/minio-tls.html
- https://docs.min.io/minio/baremetal/installation/deploy-minio-distributed.html#add-tls-ssl-certificates
- https://docs.min.io/minio/baremetal/installation/expand-minio-distributed.html#add-tls-ssl-certificates
Users might read this as configuring some sort of cluster/replicated configuration.
We should specify that users must:
- Configure TLS per node
- The TLS certificate SAN must apply to the hostname for its parent node (e.g. if non-wildcard SAN)
- The CAs directory must contain the appropriate CA if the certificates are self-signed or internally signed
- Update the URLs to be https:// after the fact
Worth also noting that MinIO may not automatically create the directory .minio/certs or .minio/certs/CAs - need to test this on RHEL8 and Ubuntu LTS.
Goals
List the in-scope goals
- Update TLS configuration docs to specify per-node
- Create a simple checklist for TLS certs (permissions, SAN, and path)
- Update TLS config docs to call out updating endpoints from HTTP -> HTTPS
Non-Goals
Actual tutorials on using openssl or certbot to generate self-signed certs
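The per-node checklist from the goals above (path, permissions, SAN, HTTPS endpoints), sketched as an added example that is not part of the original issue or MinIO's own tooling. It assumes MinIO's default file names `public.crt` and `private.key`, treats an owner-only private key as the permission rule, and uses placeholder hostnames; the CA trust check is left out.

```bash
# Added example: per-node TLS checklist; run it on every MinIO node.
# Assumptions: default file names public.crt / private.key under the certs
# directory, and an owner-only private key as the permission rule.

check_node_tls() {
  local certs_dir="$1" host="$2" rc=0 p
  local crt="$certs_dir/public.crt" key="$certs_dir/private.key"

  # Path: the server may not create these directories itself.
  for p in "$certs_dir" "$certs_dir/CAs"; do
    [ -d "$p" ] || { echo "FAIL missing directory: $p"; rc=1; }
  done
  for p in "$crt" "$key"; do
    [ -r "$p" ] || { echo "FAIL missing or unreadable: $p"; rc=1; }
  done

  # Permissions: no group/other bits on the private key.
  if [ -e "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
    echo "FAIL private key is accessible to group or others: $key"; rc=1
  fi

  # SAN: the certificate on this node must cover this node's hostname.
  if [ -r "$crt" ]; then
    if openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null |
        grep -q 'does match certificate'; then
      echo "OK   certificate matches $host"
    else
      echo "FAIL certificate does not match $host"; rc=1
    fi
  fi
  return "$rc"
}

# Endpoints: every server URL must use https:// once TLS is enabled.
check_endpoints() {
  local rc=0 ep
  for ep in "$@"; do
    case "$ep" in
      https://*) ;;
      *) echo "FAIL endpoint is not HTTPS: $ep"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Usage on a node (paths and URLs are placeholders):
#   check_node_tls "$HOME/.minio/certs" "$(hostname -f)"
#   check_endpoints https://minio1.example.net:9000/mnt/data
```
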