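#!/usr/bin/env bash
# Generate MinIO TLS certificates using existing CA
# This script generates certificates for MinIO server
#
# Layout, relative to the directory holding this script:
#   ca/ca-cert.pem, ca/ca-key.pem  existing CA (produced by generate-certificates.sh)
#   minio/                         output: minio-key.pem, minio-cert.pem, ca-cert.pem
#
# Requires openssl (3.x for the `-traditional` flag used in Step 1b).
# Environment: CERT_DAYS overrides the certificate lifetime (default 1095 = 3 years).
set -euo pipefail

TLS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
CA_DIR="$TLS_DIR/ca"
MINIO_DIR="$TLS_DIR/minio"
CERT_DAYS="${CERT_DAYS:-1095}"
readonly TLS_DIR CA_DIR MINIO_DIR CERT_DAYS

# Print an error to stderr and abort.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

command -v openssl >/dev/null 2>&1 || die "openssl not found in PATH."

mkdir -p "$MINIO_DIR"

# Temp file used while re-encoding the key; removed on any exit path.
key_tmp="$MINIO_DIR/minio-key.pem.tmp"
trap 'rm -f -- "$key_tmp"' EXIT

echo "Generating MinIO TLS certificates using existing CA..."
echo "CA Directory: $CA_DIR"
echo "MinIO Directory: $MINIO_DIR"
echo ""

# Check if CA exists
if [ ! -f "$CA_DIR/ca-cert.pem" ] || [ ! -f "$CA_DIR/ca-key.pem" ]; then
  die "CA certificates not found. Please run generate-certificates.sh first."
fi

# Generate MinIO server private key.
# Run under a restrictive umask so the key file is never group/world-readable,
# not even in the window before the explicit chmod 600 below.
echo "Step 1: Generating MinIO server private key..."
( umask 077 && openssl genrsa -out "$MINIO_DIR/minio-key.pem" 4096 )

# Convert to traditional RSA format (required by MinIO).
# Write to a temp file and rename instead of using the same path for -in and
# -out, which only works because openssl happens to read the whole input before
# truncating the output.
echo "Step 1b: Converting private key to traditional RSA format..."
( umask 077 && openssl rsa -in "$MINIO_DIR/minio-key.pem" -traditional -out "$key_tmp" )
mv -f -- "$key_tmp" "$MINIO_DIR/minio-key.pem"

# Create SAN (Subject Alternative Names) configuration for MinIO.
# The DN lives only here (the CSR is built with -config) so subject and
# extensions cannot drift apart.
# keyUsage includes digitalSignature: an RSA server certificate used with
# ECDHE cipher suites or TLS 1.3 signs the handshake, and clients that enforce
# key usage reject a certificate that lacks it.
cat > "$MINIO_DIR/san.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = California
L = SanFrancisco
O = BakeryIA
OU = Storage
CN = minio.bakery-ia.svc.cluster.local
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = minio.bakery-ia.svc.cluster.local
DNS.2 = minio.bakery-ia
DNS.3 = minio-console.bakery-ia.svc.cluster.local
DNS.4 = minio-console.bakery-ia
DNS.5 = minio
DNS.6 = minio-console
DNS.7 = localhost
IP.1 = 127.0.0.1
EOF

# Create certificate signing request (CSR)
echo "Step 2: Creating MinIO certificate signing request..."
openssl req -new -key "$MINIO_DIR/minio-key.pem" -out "$MINIO_DIR/minio.csr" \
  -config "$MINIO_DIR/san.cnf"

# Sign the certificate with CA (valid for CERT_DAYS days, default 3 years).
# -sha256 is stated explicitly so the digest does not depend on the openssl build.
echo "Step 3: Signing MinIO certificate with CA..."
openssl x509 -req -sha256 -in "$MINIO_DIR/minio.csr" \
  -CA "$CA_DIR/ca-cert.pem" -CAkey "$CA_DIR/ca-key.pem" -CAcreateserial \
  -out "$MINIO_DIR/minio-cert.pem" -days "$CERT_DAYS" \
  -extensions v3_req -extfile "$MINIO_DIR/san.cnf"

# Set proper permissions
chmod 600 "$MINIO_DIR/minio-key.pem"
chmod 644 "$MINIO_DIR/minio-cert.pem"

# Copy CA cert for MinIO (public material; readable by the pod user)
cp -- "$CA_DIR/ca-cert.pem" "$MINIO_DIR/ca-cert.pem"
chmod 644 "$MINIO_DIR/ca-cert.pem"

echo ""
echo "Step 4: Verifying MinIO certificates..."
# Verify MinIO certificate: print subject/issuer/validity, then check the chain
# against the CA. A failed verify aborts the script (set -e).
echo "MinIO certificate details:"
openssl x509 -in "$MINIO_DIR/minio-cert.pem" -noout -subject -issuer -dates
openssl verify -CAfile "$CA_DIR/ca-cert.pem" "$MINIO_DIR/minio-cert.pem"

echo ""
echo "==================="
echo "✓ MinIO certificates generated successfully!"
echo ""
echo "Generated files:"
echo " MinIO:"
echo " - $MINIO_DIR/minio-cert.pem (Server certificate)"
echo " - $MINIO_DIR/minio-key.pem (Server private key - traditional RSA format)"
echo " - $MINIO_DIR/ca-cert.pem (CA certificate)"
echo ""
echo "Important Notes:"
echo " • Private key is in traditional RSA format (BEGIN RSA PRIVATE KEY)"
echo " • This format is required by MinIO to avoid 'The private key contains additional data' error"
echo " • Certificates follow the standardized Opaque secret structure"
echo ""
echo "Next steps:"
echo " 1. Update Kubernetes minio-tls secret with these certificates"
echo " 2. Apply the updated secret to your cluster"
echo " 3. Restart MinIO pods if necessary"
echo ""
echo "For more details, see: docs/MINIO_TLS_FIX_SUMMARY.md"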