Improve TLS configuration instructions #1037
source/administration/identity-access-management/ad-ldap-access-management.rst
.. code-block:: shell

   ${HOME}/.minio/CAs
   myCA.pem
What should this filename be? I'm not certain it's actually a pem.
Also depends - if it's self-signed, it's going to be a .crt.
We might need to confirm w/ engineering what we expect the keys to be. .pem is a valid wrapper, but I'm not sure if we require .crt
Poking at the code, I think we expect .crt. Will confirm.
TODO: summarize the configuration steps near the top of the Network Encryption page (once the technical detail within is confirmed correct).
A few follow-ups with engineering, after which I'll do another pass for content.
Operator performs the approval of the CSR
Is it possible to include a section about additional CAs? This is a frequent issue with clients; we usually share this doc in the repo: https://github.com/minio/operator/blob/master/docs/tls.md#using-your-own-ca-certificate-for-minio-operator

  If your MinIO tenants are using custom certificates or certificates generated by your own internal certificate authority (ie: cert-manager), MinIO Operator needs to trust the TLS connections in order to talk to the MinIO tenants. For that you need to create a new secret in the minio-operator namespace named operator-ca-tls. Once the secret is created, operator will create a copy of this secret with the same name in the tenant namespaces. Whenever a change to the secret ... However operator will not automatically mount the secret ...

  spec:
    externalCaCertSecret:
      - name: operator-ca-tls
        type: kubernetes.io/tls
  ...

Can totally add more. Is there anything you would include in addition to that text? @pjuarezd
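As an added example (not from this PR, the MinIO docs, or the operator repo), the two manifests the comment above only half shows: the CA-only Secret the operator watches for, and a Tenant that references it through externalCaCertSecret. The namespace names, the tenant name and the secret key ca.crt are assumptions taken from the linked operator doc, not from this page.

```yaml
# Added example; namespace/tenant names and the ca.crt key are assumptions.
# 1. The operator's trust anchor: a Secret holding ONLY the CA certificate
#    (public PEM). The CA's private key never belongs in this Secret.
apiVersion: v1
kind: Secret
metadata:
  name: operator-ca-tls          # name the operator looks for (linked doc)
  namespace: minio-operator      # assumed operator namespace
type: Opaque
stringData:
  ca.crt: |                      # PEM works regardless of a .crt/.pem filename
    -----BEGIN CERTIFICATE-----
    <placeholder: your internal CA certificate in PEM form>
    -----END CERTIFICATE-----
---
# 2. The tenant. The operator copies operator-ca-tls into this namespace;
#    the reference below is what makes the tenant pods trust that CA.
apiVersion: minio.min.io/v2
kind: Tenant
metadata:
  name: example-tenant           # assumed tenant name
  namespace: example-tenant-ns   # assumed tenant namespace
spec:
  externalCaCertSecret:
    - name: operator-ca-tls
      type: kubernetes.io/tls
```

A quick check after applying both is that the copied Secret exists in the tenant namespace and that the tenant pods present a chain that verifies against ca.crt.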
My only added suggestion is to provide some kind of link that can give folks a hint of how to "update MINIO_VOLUMES". Could just be linking to the envvar. But that line occurs many times in these changes, and some link to another resource is warranted.
Other than that, LGTM as far as I know/understand.
Note: @pjuarezd approved in a separate conversation
Update and clarify how to configure TLS for a distributed deployment. The existing steps were out of date, and also were not clear that configuration needs to happen on each node.
I'd particularly appreciate comments on terminology. I'm a little fuzzy about how to work with CAs, perhaps some of the phrasing can be improved.
Staged:

- http://192.241.195.202:9000/staging/DOCS-447/linux/operations/install-deploy-manage/expand-minio-deployment.html#add-tls-ssl-certificates
Closes #447