Make operator-ca-tls handling GitOps friendly #1986
Is your feature request related to a problem? Please describe.
The current documented approach to using cert-manager together with this operator lists manual steps in https://github.com/minio/operator/blob/master/docs/cert-manager.md#create-operator-ca-tls-secret. This is frustrating because I can only execute those steps after a tenant is deployed. Additionally it assumes that every tenant uses the same certificate issuer, even though that is not really required.
Describe the solution you'd like
The operator already has all the information it needs to get the certificate data (including CA) from the `externalCertSecret` field. I think it would be great if the operator just read the mentioned secret from the namespace of the tenant and extracted cert + CA itself without requiring manual steps by a user. Likewise, this would allow defining different issuers for different tenants (with different CAs).
Describe alternatives you've considered
None really - I'm not familiar with the workings of this operator and I'm unsure why the current approach was taken.
Additional context
Here is a trimmed down example of how the prometheus-operator handles certificates in a ServiceMonitor resource:
Here we can define `tlsConfig` and be very explicit about which key from which secret we want to use. Since the minio-operator already knows which secret a tenant is using, all this could be determined automatically by the minio-operator.
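A sketch of the extraction step requested above, added here as an example and not taken from the issue or from the operator's code: it builds a per-tenant trust pool from the `ca.crt` key that cert-manager writes into a TLS secret, and refuses to treat a non-CA certificate as a trust anchor. `CAFromSecret` and `ConstructedCert` are hypothetical names, and the certificates are generated in-process as constructed sample input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CAFromSecret (hypothetical helper) takes the Data map of a tenant's TLS secret
// and returns a trust pool scoped to that tenant plus the number of anchors found.
func CAFromSecret(data map[string][]byte) (*x509.CertPool, int, error) {
	pool, n := x509.NewCertPool(), 0
	for block, rest := pem.Decode(data["ca.crt"]); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, 0, fmt.Errorf("ca.crt: %w", err)
		}
		if !cert.IsCA { // never promote a leaf certificate to a trust anchor
			return nil, 0, fmt.Errorf("ca.crt: %q is not a CA certificate", cert.Subject.CommonName)
		}
		pool.AddCert(cert)
		n++
	}
	if n == 0 { // key missing, empty, or not PEM: fail closed instead of trusting nothing silently
		return nil, 0, fmt.Errorf("secret carries no CA certificate in ca.crt")
	}
	return pool, n, nil
}

// ConstructedCert returns a throwaway self-signed certificate as PEM (sample input only).
func ConstructedCert(cn string, isCA bool) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	_, n, err := CAFromSecret(map[string][]byte{"ca.crt": ConstructedCert("tenant-a-ca", true)})
	fmt.Println("trust anchors:", n, "error:", err)
}
```

Keeping one pool per tenant, rather than one shared bundle, means a CA issued for one tenant is never trusted when connecting to another.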