Add new infra architecture

infrastructure/scripts/setup/generate-minio-certificates.sh

@@ -0,0 +1,111 @@
+#!/usr/bin/env bash
+
+# Generate MinIO TLS certificates using existing CA
+# This script generates certificates for MinIO server
+
+set -e
+
+TLS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+CA_DIR="$TLS_DIR/ca"
+MINIO_DIR="$TLS_DIR/minio"
+
+mkdir -p "$MINIO_DIR"
+
+echo "Generating MinIO TLS certificates using existing CA..."
+echo "CA Directory: $CA_DIR"
+echo "MinIO Directory: $MINIO_DIR"
+echo ""
+
+# Check if CA exists
+if [ ! -f "$CA_DIR/ca-cert.pem" ] || [ ! -f "$CA_DIR/ca-key.pem" ]; then
+    echo "ERROR: CA certificates not found. Please run generate-certificates.sh first."
+    exit 1
+fi
+
+# Generate MinIO server private key
+echo "Step 1: Generating MinIO server private key..."
+openssl genrsa -out "$MINIO_DIR/minio-key.pem" 4096
+
+# Convert to traditional RSA format (required by MinIO)
+echo "Step 1b: Converting private key to traditional RSA format..."
+openssl rsa -in "$MINIO_DIR/minio-key.pem" -traditional -out "$MINIO_DIR/minio-key.pem"
+
+# Create certificate signing request (CSR)
+echo "Step 2: Creating MinIO certificate signing request..."
+openssl req -new -key "$MINIO_DIR/minio-key.pem" -out "$MINIO_DIR/minio.csr" \
+  -subj "/C=US/ST=California/L=SanFrancisco/O=BakeryIA/OU=Storage/CN=minio.bakery-ia.svc.cluster.local"
+
+# Create SAN (Subject Alternative Names) configuration for MinIO
+cat > "$MINIO_DIR/san.cnf" <<EOF
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = US
+ST = California
+L = SanFrancisco
+O = BakeryIA
+OU = Storage
+CN = minio.bakery-ia.svc.cluster.local
+
+[v3_req]
+keyUsage = keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = minio.bakery-ia.svc.cluster.local
+DNS.2 = minio.bakery-ia
+DNS.3 = minio-console.bakery-ia.svc.cluster.local
+DNS.4 = minio-console.bakery-ia
+DNS.5 = minio
+DNS.6 = minio-console
+DNS.7 = localhost
+IP.1 = 127.0.0.1
+EOF
+
+# Sign the certificate with CA (valid for 3 years)
+echo "Step 3: Signing MinIO certificate with CA..."
+openssl x509 -req -in "$MINIO_DIR/minio.csr" \
+  -CA "$CA_DIR/ca-cert.pem" -CAkey "$CA_DIR/ca-key.pem" -CAcreateserial \
+  -out "$MINIO_DIR/minio-cert.pem" -days 1095 \
+  -extensions v3_req -extfile "$MINIO_DIR/san.cnf"
+
+# Set proper permissions
+chmod 600 "$MINIO_DIR/minio-key.pem"
+chmod 644 "$MINIO_DIR/minio-cert.pem"
+
+# Copy CA cert for MinIO
+cp "$CA_DIR/ca-cert.pem" "$MINIO_DIR/ca-cert.pem"
+
+echo ""
+echo "Step 4: Verifying MinIO certificates..."
+
+# Verify MinIO certificate
+echo "MinIO certificate details:"
+openssl x509 -in "$MINIO_DIR/minio-cert.pem" -noout -subject -issuer -dates
+openssl verify -CAfile "$CA_DIR/ca-cert.pem" "$MINIO_DIR/minio-cert.pem"
+
+echo ""
+echo "==================="
+echo "✓ MinIO certificates generated successfully!"
+echo ""
+echo "Generated files:"
+echo "  MinIO:"
+echo "    - $MINIO_DIR/minio-cert.pem (Server certificate)"
+echo "    - $MINIO_DIR/minio-key.pem (Server private key - traditional RSA format)"
+echo "    - $MINIO_DIR/ca-cert.pem (CA certificate)"
+echo ""
+echo "Important Notes:"
+echo "  • Private key is in traditional RSA format (BEGIN RSA PRIVATE KEY)"
+echo "  • This format is required by MinIO to avoid 'The private key contains additional data' error"
+echo "  • Certificates follow the standardized Opaque secret structure"
+echo ""
+echo "Next steps:"
+echo "  1. Update Kubernetes minio-tls secret with these certificates"
+echo "  2. Apply the updated secret to your cluster"
+echo "  3. Restart MinIO pods if necessary"
+echo ""
+echo "For more details, see: docs/MINIO_TLS_FIX_SUMMARY.md"