ExternalCaCertSecret crd field for MinIO Tenant and Console

Users can provide multiple ca.crt files via k8s secrets for MinIO and Console using the `ExternalCaCertSecret` field

examples/tenant-pod-security-policy.yaml

@@ -121,7 +121,7 @@ spec:
 
   ## Enable Kubernetes based certificate generation and signing as explained in
   ## https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster
-  requestAutoCert: false
+  requestAutoCert: true
 
   ## Enable S3 specific features such as Bucket DNS which would allow `buckets` to be
   ## accessible as DNS entries of form `<bucketname>.minio.default.svc.cluster.local`

operator-kustomize/crds/minio.min.io_tenants.yaml

@@ -159,8 +159,21 @@ spec:
                     - name
                     type: object
                   type: array
+                externalCaCertSecret:
+                  description: ExternalCaCertSecret allows a user to provide additional CA certificates. This is used for Console to verify TLS connections with other applications.
+                  items:
+                    description: LocalCertificateReference defines the spec for a local certificate
+                    properties:
+                      name:
+                        type: string
+                      type:
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  type: array
                 externalCertSecret:
-                  description: ExternalCertSecret allows a user to specify custom CA certificate, and private key. This is used for enabling TLS support on Console Pods.
+                  description: ExternalCertSecret allows a user to provide an external certificate and private key. This is used for enabling TLS on Console and has priority over AutoCert.
                   properties:
                     name:
                       type: string
@@ -304,8 +317,21 @@ spec:
                 - name
                 type: object
               type: array
+            externalCaCertSecret:
+              description: ExternalCaCertSecret allows a user to provide additional CA certificates. This is used for MinIO to verify TLS connections with other applications.
+              items:
+                description: LocalCertificateReference defines the spec for a local certificate
+                properties:
+                  name:
+                    type: string
+                  type:
+                    type: string
+                required:
+                - name
+                type: object
+              type: array
             externalCertSecret:
-              description: ExternalCertSecret allows a user to specify one or more custom TLS certificates, and private keys. This is used for enabling TLS with SNI support on MinIO Pods.
+              description: ExternalCertSecret allows a user to provide one or more TLS certificates and private keys. This is used for enabling TLS with SNI support on MinIO server.
               items:
                 description: LocalCertificateReference defines the spec for a local certificate
                 properties:

pkg/apis/minio.min.io/v1/helper.go

@@ -113,6 +113,12 @@ func (t *Tenant) ExternalCert() bool {
 	return t.Spec.ExternalCertSecret != nil
 }
 
+// ExternalCaCerts returns true is the user has provided a
+// additional CA certificates for MinIO
+func (t *Tenant) ExternalCaCerts() bool {
+	return len(t.Spec.ExternalCaCertSecret) > 0
+}
+
 // ExternalClientCert returns true is the user has provided a secret
 // that contains CA client cert, server cert and server key
 func (t *Tenant) ExternalClientCert() bool {
@@ -137,6 +143,12 @@ func (t *Tenant) ConsoleExternalCert() bool {
 	return t.Spec.Console != nil && t.Spec.Console.ExternalCertSecret != nil
 }
 
+// ConsoleExternalCaCerts returns true is the user has provided a
+// additional CA certificates for Console
+func (t *Tenant) ConsoleExternalCaCerts() bool {
+	return t.Spec.Console != nil && len(t.Spec.Console.ExternalCaCertSecret) > 0
+}
+
 // AutoCert is enabled by default, otherwise we return the user provided value
 func (t *Tenant) AutoCert() bool {
 	if t.Spec.RequestAutoCert == nil {

pkg/apis/minio.min.io/v1/types.go

@@ -76,10 +76,14 @@ type TenantSpec struct {
 	// If provided, use these environment variables for Tenant resource
 	// +optional
 	Env []corev1.EnvVar `json:"env,omitempty"`
-	// ExternalCertSecret allows a user to specify one or more custom TLS certificates, and private keys. This is
-	// used for enabling TLS with SNI support on MinIO Pods.
+	// ExternalCertSecret allows a user to provide one or more TLS certificates and private keys. This is
+	// used for enabling TLS with SNI support on MinIO server.
 	// +optional
 	ExternalCertSecret []*LocalCertificateReference `json:"externalCertSecret,omitempty"`
+	// ExternalCaCertSecret allows a user to provide additional CA certificates. This is
+	// used for MinIO to verify TLS connections with other applications.
+	// +optional
+	ExternalCaCertSecret []*LocalCertificateReference `json:"externalCaCertSecret,omitempty"`
 	// ExternalClientCertSecret allows a user to specify custom CA client certificate, and private key. This is
 	// used for adding client certificates on MinIO Pods --> used for KES authentication.
 	// +optional
@@ -195,10 +199,14 @@ type ConsoleConfiguration struct {
 	// If provided, use these requests and limit for cpu/memory resource allocation
 	// +optional
 	Resources corev1.ResourceRequirements `json:"resources,omitempty"`
-	// ExternalCertSecret allows a user to specify custom CA certificate, and private key. This is
-	// used for enabling TLS support on Console Pods.
+	// ExternalCertSecret allows a user to provide an external certificate and private key. This is
+	// used for enabling TLS on Console and has priority over AutoCert.
 	// +optional
 	ExternalCertSecret *LocalCertificateReference `json:"externalCertSecret,omitempty"`
+	// ExternalCaCertSecret allows a user to provide additional CA certificates. This is
+	// used for Console to verify TLS connections with other applications.
+	// +optional
+	ExternalCaCertSecret []*LocalCertificateReference `json:"externalCaCertSecret,omitempty"`
 	// If provided, use these annotations for Console Object Meta annotations
 	// +optional
 	Annotations map[string]string `json:"annotations,omitempty"`

pkg/resources/deployments/console-deployment.go

@@ -159,7 +159,7 @@ func NewConsole(t *miniov1.Tenant) *appsv1.Deployment {
 		})
 	}
 
-	// If MinIO has AutoCert enabled load the autogenerated certificate into certs/CAS/public.crt
+	// If MinIO has AutoCert enabled load the autogenerated certificate into certs/CAS/minio.crt
 	if t.AutoCert() {
 		// MinIO tenant certificate generated by AutoCert
 		podVolumeSources = append(podVolumeSources, corev1.VolumeProjection{
@@ -206,6 +206,42 @@ func NewConsole(t *miniov1.Tenant) *appsv1.Deployment {
 		}
 	}
 
+	// Will mount into ~/.console/certs/CAs folder the user provided CA certificates.
+	// This is used for Console to verify TLS connections with other applications.
+	//	certs
+	//		+ CAs
+	//			 + ca-0.crt
+	//			 + ca-1.crt
+	//			 + ca-2.crt
+	if t.ConsoleExternalCaCerts() {
+		for index, secret := range t.Spec.Console.ExternalCaCertSecret {
+			var caCertPaths []corev1.KeyToPath
+			// This covers both secrets of type "kubernetes.io/tls" and
+			// "cert-manager.io/v1alpha2" because of same keys in both.
+			if secret.Type == "kubernetes.io/tls" {
+				caCertPaths = []corev1.KeyToPath{
+					{Key: "tls.crt", Path: fmt.Sprintf("CAs/ca-%d.crt", index)},
+				}
+			} else if secret.Type == "cert-manager.io/v1alpha2" {
+				caCertPaths = []corev1.KeyToPath{
+					{Key: "ca.crt", Path: fmt.Sprintf("CAs/ca-%d.crt", index)},
+				}
+			} else {
+				caCertPaths = []corev1.KeyToPath{
+					{Key: "public.crt", Path: fmt.Sprintf("CAs/ca-%d.crt", index)},
+				}
+			}
+			podVolumeSources = append(podVolumeSources, corev1.VolumeProjection{
+				Secret: &corev1.SecretProjection{
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: secret.Name,
+					},
+					Items: caCertPaths,
+				},
+			})
+		}
+	}
+
 	podVolumes := []corev1.Volume{
 		{
 			Name: t.ConsoleVolMountName(),

pkg/resources/statefulsets/minio-statefulset.go

@@ -398,6 +398,41 @@ func NewForMinIOZone(t *miniov1.Tenant, wsSecret *v1.Secret, zone *miniov1.Zone,
 				},
 			})
 		}
+		// Will mount into ~/.minio/certs/CAs folder the user provided CA certificates.
+		// This is used for MinIO to verify TLS connections with other applications.
+		//	certs
+		//		+ CAs
+		//			 + ca-0.crt
+		//			 + ca-1.crt
+		//			 + ca-2.crt
+		if t.ExternalCaCerts() {
+			for index, secret := range t.Spec.ExternalCaCertSecret {
+				var caCertPaths []corev1.KeyToPath
+				// This covers both secrets of type "kubernetes.io/tls" and
+				// "cert-manager.io/v1alpha2" because of same keys in both.
+				if secret.Type == "kubernetes.io/tls" {
+					caCertPaths = []corev1.KeyToPath{
+						{Key: "tls.crt", Path: fmt.Sprintf("CAs/ca-%d.crt", index)},
+					}
+				} else if secret.Type == "cert-manager.io/v1alpha2" {
+					caCertPaths = []corev1.KeyToPath{
+						{Key: "ca.crt", Path: fmt.Sprintf("CAs/ca-%d.crt", index)},
+					}
+				} else {
+					caCertPaths = []corev1.KeyToPath{
+						{Key: "public.crt", Path: fmt.Sprintf("CAs/ca-%d.crt", index)},
+					}
+				}
+				podVolumeSources = append(podVolumeSources, corev1.VolumeProjection{
+					Secret: &corev1.SecretProjection{
+						LocalObjectReference: corev1.LocalObjectReference{
+							Name: secret.Name,
+						},
+						Items: caCertPaths,
+					},
+				})
+			}
+		}
 	}
 
 	// Add SSL volume from SSL secret to the podVolumes