Minio - TLS configuration

bondisk

Cadet
Joined
Feb 25, 2021
Messages
4
Hi,
I have installed the latest minio docker (2023-02-17_1.7.11) from the official chart.
All works perfectly but I cannot find a way to enable TLS.
From Google, someone says to copy the certificate files into /root/.minio/certs but it does not work.
In the "Truenas Core" version I installed the minio plugin and then created the public.crt and public.key files in "/usr/local/etc/minio/certs" with success, but in Scale it doesn't work.
Where do I need to copy these files to enable TLS? Is there any way without using a proxy?

thanks
 

aerospyke

Dabbler
Joined
Sep 2, 2021
Messages
25
Hi, I don't know if this helps you; I'm in the same boat right now. Using their doco

I find it talking about the path /var/run/secrets/kubernetes.io/serviceaccount .... this at least exists but I've not had any luck getting it working for me. Perhaps this is a start you can try, and help us out with what you did (good luck)
 

bondisk

Cadet
Joined
Feb 25, 2021
Messages
4
Thanks for the information. For now, the only way I found (that works) is to use a reverse proxy to manage the certificate.
 

stefanoc

Dabbler
Joined
Mar 17, 2023
Messages
11
Solved by adding an Extra Host Path in the Pod.

mount path in pod: /etc/minio/certs
host path: /mnt/prd-pool-01/dataset-with-certificates

With a private.key and a public.cer file in the dataset dataset-with-certificates, MinIO starts in HTTPS.
 

kavaa

Dabbler
Joined
Aug 10, 2023
Messages
14
We have done the same but are still getting this error when starting MinIO: Startup probe failed: HTTP probe failed with statuscode: 400
Any news on good documentation on how to do this?
We need to migrate the Standard S3 service to MinIO...
 
Joined
Sep 13, 2021
Messages
4
I have the same problem. If you try to curl to the service from within the minio pod (which is up, but the pod does not come up as healthy) it complains that the hostname "localhost" is not within the certificate.
I have tried to set the FQDN via MINIO_DOMAIN and MINIO_SERVER_URL to no avail.
I have also tried adding command line extra arguments, but it does not work either.

How are you people managing to change hostname of minio so it does not fail the SSL verification?

To clarify, if you "curl -k", which bypasses cert errors, it works. So this means the service is up, it just is not getting its FQDN matching the certificate's.
 

kavaa

Dabbler
Joined
Aug 10, 2023
Messages
14
Ended up using the Charts version.
What I was doing wrong was putting the certs in the wrong location. Wrong Copy/Paste Whatever.

Got it now like this;

Mount path in pod: /etc/minio/certs
Host Path: /mnt/HDD-DATA/Apps_Configs/minio/certs
In there put the private.key and public.crt < this needs to be the full chain. So Cert + Intermediate Certs

Also set the correct permissions;


chmod 644 private.key
chown minio:minio private.key
chown minio:minio public.crt


Now edit the "Docker / k3s" file;

k3s kubectl edit deployment.apps/minio -n ix-minio

Replace all http with https



Now your MinIO will be Available via HTTPS
 
Joined
Sep 13, 2021
Messages
4
Life saver!!
Changing the scheme to HTTPS did the trick. Can confirm it works with the official TrueNAS app too. THANKS !!
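
The scheme change described in this thread, as an added example that is not part of any poster's message: it lists the httpGet probes in a deployment that still use plain HTTP, which is the condition behind the 400 probe failures once MinIO serves TLS. The deployment JSON is a constructed sample, and the function names are made up for this example.

```python
import json

PROBES = ("startupProbe", "livenessProbe", "readinessProbe")

# Constructed sample, trimmed to the fields that matter; not taken from a real chart.
SAMPLE_DEPLOYMENT = json.loads("""
{"metadata": {"name": "minio", "namespace": "ix-minio"},
 "spec": {"template": {"spec": {"containers": [
   {"name": "minio",
    "startupProbe":   {"httpGet": {"path": "/minio/health/live", "port": 9000}},
    "livenessProbe":  {"httpGet": {"path": "/minio/health/live", "port": 9000, "scheme": "HTTP"}},
    "readinessProbe": {"httpGet": {"path": "/minio/health/live", "port": 9000, "scheme": "HTTPS"}}}
 ]}}}}
""")

def plaintext_probes(deployment):
    """Return (container, probe, path, port) for every httpGet probe that is not HTTPS."""
    findings = []
    pod_spec = deployment.get("spec", {}).get("template", {}).get("spec", {})
    for container in pod_spec.get("containers", []):
        for probe_name in PROBES:
            http_get = (container.get(probe_name) or {}).get("httpGet")
            if http_get is None:
                continue  # exec/tcpSocket/grpc probes carry no scheme
            # Kubernetes defaults httpGet.scheme to HTTP when the field is absent.
            scheme = http_get.get("scheme", "HTTP").upper()
            if scheme != "HTTPS":
                findings.append((container.get("name"), probe_name,
                                 http_get.get("path"), http_get.get("port")))
    return findings

def force_https(deployment):
    """Return a copy of the deployment with every httpGet probe scheme set to HTTPS."""
    fixed = json.loads(json.dumps(deployment))  # deep copy via JSON round-trip
    for container in fixed["spec"]["template"]["spec"]["containers"]:
        for probe_name in PROBES:
            http_get = (container.get(probe_name) or {}).get("httpGet")
            if http_get is not None:
                http_get["scheme"] = "HTTPS"
    return fixed

if __name__ == "__main__":
    for name, probe, path, port in plaintext_probes(SAMPLE_DEPLOYMENT):
        print(f"{name}: {probe} on port {port}{path} speaks plain HTTP to a TLS listener")
```

On a live system the same JSON comes from `k3s kubectl get deployment.apps/minio -n ix-minio -o json`.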
 