feat: external cert support

* Add cert-manager to dev manifests
* Add cert-manager resources to dev manifests
* Deploy cert-manager as part of 'apply-manifests' Makefile target
* Generate cert-manager resources as part of 'apply-manifests' Makefile target
* Update operator 'getTenantClientInfo' to correctly set 'secure' flag based upon external cert settings
* Update operator 'getTenantClientInfo' to build cert pool with 'operator-ca-tls' prefixed secrets
* Update operator 'getTenantClientInfo' to build cert pool with tenant spec 'externalCaCertSecret' secrets

Author: benfiola

Makefile

@@ -19,6 +19,10 @@ ifeq ($(ALTARCH),amd64)
 	ALTARCH = x86_64
 endif
 
+CERT_MANAGER_MANIFEST = $(ASSETS)/cert-manager.yaml
+CERT_MANAGER_MANIFEST_SRC = $(DEV)/manifests/cert-manager
+CERT_MANAGER_RESOURCES_MANIFEST = $(ASSETS)/cert-manager-resources.yaml
+CERT_MANAGER_RESOURCES_MANIFEST_SRC = $(DEV)/manifests/cert-manager-resources
 CONTROLLER_GEN = $(ASSETS)/controller-gen
 CONTROLLER_GEN_URL = https://github.com/kubernetes-sigs/controller-tools/releases/download/v$(CONTROLLER_GEN_VERSION)/controller-gen-$(OS)-$(ARCH)
 CRANE = $(ASSETS)/crane
@@ -218,7 +222,9 @@ $(MINIKUBE): | $(ASSETS)
 # MANIFESTS
 
 .PHONY: apply-manifests
-apply-manifests: $(CRDS_MANIFEST) $(KUBECTL) $(MINIO_OPERATOR_MANIFEST) $(MINIO_TENANT_MANIFEST) $(OPENLDAP_MANIFEST)
+apply-manifests: $(CERT_MANAGER_MANIFEST) $(CERT_MANAGER_RESOURCES_MANIFEST) $(CRDS_MANIFEST) $(KUBECTL) $(MINIO_OPERATOR_MANIFEST) $(MINIO_TENANT_MANIFEST) $(OPENLDAP_MANIFEST)
+	# deploy cert-manager
+	$(KUBECTL_CMD) apply -f $(CERT_MANAGER_MANIFEST)
 	# deploy minio operator
 	$(KUBECTL_CMD) apply -f $(MINIO_OPERATOR_MANIFEST)
 	# deploy minio tenant
@@ -228,6 +234,14 @@ apply-manifests: $(CRDS_MANIFEST) $(KUBECTL) $(MINIO_OPERATOR_MANIFEST) $(MINIO_
 	# deploy crds
 	$(KUBECTL_CMD) apply -f $(CRDS_MANIFEST)
 
+$(CERT_MANAGER_MANIFEST): $(KUBECTL) $(HELM) | $(ASSETS)
+	# generate cert-manager manifest
+	$(KUSTOMIZE_CMD) $(CERT_MANAGER_MANIFEST_SRC) > $(CERT_MANAGER_MANIFEST)
+
+$(CERT_MANAGER_RESOURCES_MANIFEST): $(KUBECTL) $(HELM) | $(ASSETS)
+	# generate cert-manager resources manifest
+	$(KUSTOMIZE_CMD) $(CERT_MANAGER_RESOURCES_MANIFEST_SRC) > $(CERT_MANAGER_RESOURCES_MANIFEST)
+
 $(CRDS_MANIFEST): generate $(KUBECTL) $(HELM) | $(ASSETS)
 	# generate crds manifest
 	$(KUSTOMIZE_CMD) $(CRDS_MANIFEST_SRC) > $(CRDS_MANIFEST)

README.md

@@ -51,18 +51,18 @@ The following arguments/environment variables configure the operator:
 
 The operator requires the a service account with the following RBAC settings:
 
-| Resource                         | Verbs                    | Why                                                                                                                 |
-| -------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------- |
-| minio.min.io/v2/Tenant           | Get                      | Used to discover MinIO tenants                                                                                      |
-| v1/ConfigMap                     | Get                      | Used to obtain the CA bundle used to generate a MinIO tenant's TLS certificates (- for HTTP client cert validation) |
-| v1/Secret                        | Get                      | Used to fetch a MinIO tenant's configuration (which is stored as a secret)                                          |
-| v1/Services                      | Get                      | Used to determine a MinIO tenant's internal endpoint                                                                |
-| bfiola.dev/v1/MinioBucket        | Get, Watch, List, Update | Required for the operator to manage minio bucket resources                                                          |
-| bfiola.dev/v1/MinioGroup         | Get, Watch, List, Update | Required for the operator to manage minio group resources                                                           |
-| bfiola.dev/v1/MinioGroupBinding  | Get, Watch, List, Update | Required for the operator to manage minio group membership                                                          |
-| bfiola.dev/v1/MinioPolicy        | Get, Watch, List, Update | Required for the operator to manage minio policies                                                                  |
-| bfiola.dev/v1/MinioPolicyBinding | Get, Watch, List, Update | Required for the operator to manage minio policy attachments                                                        |
-| bfiola.dev/v1/MinioUser          | Get, Watch, List, Update | Required for the operator to manage minio user resources                                                            |
+| Resource                         | Verbs                    | Why                                                                                                                                                                    |
+| -------------------------------- | ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| minio.min.io/v2/Tenant           | Get                      | Used to discover MinIO tenants                                                                                                                                         |
+| v1/ConfigMap                     | Get                      | Used to fetch TLS certificate data to perform TLS verification when connecting to MinIO tenants                                                                        |
+| v1/Secret                        | Get, List                | Used to fetch a MinIO tenant's configuration (which is stored as a secret) and fetch TLS certificate data to perform TLS verification when connecting to MinIO tenants |
+| v1/Services                      | Get                      | Used to determine a MinIO tenant's internal endpoint                                                                                                                   |
+| bfiola.dev/v1/MinioBucket        | Get, Watch, List, Update | Required for the operator to manage minio bucket resources                                                                                                             |
+| bfiola.dev/v1/MinioGroup         | Get, Watch, List, Update | Required for the operator to manage minio group resources                                                                                                              |
+| bfiola.dev/v1/MinioGroupBinding  | Get, Watch, List, Update | Required for the operator to manage minio group membership                                                                                                             |
+| bfiola.dev/v1/MinioPolicy        | Get, Watch, List, Update | Required for the operator to manage minio policies                                                                                                                     |
+| bfiola.dev/v1/MinioPolicyBinding | Get, Watch, List, Update | Required for the operator to manage minio policy attachments                                                                                                           |
+| bfiola.dev/v1/MinioUser          | Get, Watch, List, Update | Required for the operator to manage minio user resources                                                                                                               |
 
 ## Limitations
 

dev/manifests/cert-manager-resources/kustomization.yaml

@@ -0,0 +1,5 @@
+resources:
+  - ./root-issuer.yaml
+  - ./tenant-ca.yaml
+  - ./tenant-issuer.yaml
+  - ./tenant-cert.yaml

dev/manifests/cert-manager-resources/root-issuer.yaml

@@ -0,0 +1,6 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: cm-root
+spec:
+  selfSigned: {}

dev/manifests/cert-manager-resources/tenant-ca.yaml

@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: cm-tenant-ca
+spec:
+  isCA: true
+  commonName: cm-tenant
+  secretName: cm-tenant-ca-tls
+  duration: 70128h
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: cm-root
+    kind: ClusterIssuer
+    group: cert-manager.io

dev/manifests/cert-manager-resources/tenant-cert.yaml

@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: cm-tenant-cert
+spec:
+  dnsNames:
+    - minio.default
+    - minio.default.svc
+    - minio.default.svc.cluster.local
+    - "*.tenant-hl.default.svc.cluster.local"
+    - "*.default.svc.cluster.local"
+    - "*.tenant.minio.default.svc.cluster.local"
+  secretName: cm-tenant-tls
+  issuerRef:
+    name: cm-tenant-issuer

dev/manifests/cert-manager-resources/tenant-issuer.yaml

@@ -0,0 +1,7 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: cm-tenant-issuer
+spec:
+  ca:
+    secretName: cm-tenant-ca-tls

dev/manifests/cert-manager/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - https://github.com/cert-manager/cert-manager/releases/download/v1.17.2/cert-manager.yaml

internal/operator/operator.go

@@ -23,7 +23,6 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/json"
-	"encoding/pem"
 	"fmt"
 	"io"
 	"log/slog"
@@ -209,7 +208,7 @@ type minioTenantClientInfo struct {
 
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get
 // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get
-// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get
+// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list
 // +kubebuilder:rbac:groups=minio.min.io,resources=tenants,verbs=get
 
 // Returns [minioTenantClientInfo] for a [miniov2.Tenant] referenced by [v1.ResourceRef].
@@ -227,9 +226,11 @@ func getMinioTenantClientInfo(ctx context.Context, c client.Client, rr v1.Resour
 	}
 
 	// determine if tenant secure
-	s := true
-	if t.Spec.RequestAutoCert != nil {
-		s = *t.Spec.RequestAutoCert
+	s := false
+	if t.Spec.RequestAutoCert != nil && *t.Spec.RequestAutoCert {
+		s = true
+	} else if len(t.Spec.ExternalCertSecret) > 0 {
+		s = true
 	}
 
 	// obtain access + secret key
@@ -281,25 +282,61 @@ func getMinioTenantClientInfo(ctx context.Context, c client.Client, rr v1.Resour
 		return nil, fmt.Errorf("endpoint for minio service %s/%s not found", tsvc.Namespace, tsvc.Name)
 	}
 
-	// obtain ca bundle
-	krccm := &corev1.ConfigMap{}
-	err = c.Get(ctx, types.NamespacedName{Namespace: rr.Namespace, Name: "kube-root-ca.crt"}, krccm)
+	// create cert pool for tls verification
+	cbp, err := x509.SystemCertPool()
 	if err != nil {
-		return nil, err
+		cbp = x509.NewCertPool()
+	}
+	ks := []string{"public.crt", "tls.crt", "ca.crt"}
+	// pod CA
+	pcacm := &corev1.ConfigMap{}
+	err = c.Get(ctx, types.NamespacedName{Namespace: rr.Namespace, Name: "kube-root-ca.crt"}, pcacm)
+	if err == nil {
+		for _, k := range ks {
+			cas, ok := pcacm.Data[k]
+			if !ok {
+				continue
+			}
+			ca := []byte(cas)
+			cbp.AppendCertsFromPEM(ca)
+		}
 	}
-	cb, ok := krccm.Data["ca.crt"]
-	if !ok {
-		return nil, fmt.Errorf("kube root ca for %s not found", rr.Namespace)
+	// CAs from secrets prefixed with 'operator-ca-tls'
+	sl := &corev1.SecretList{}
+	err = c.List(ctx, sl, client.InNamespace(rr.Namespace))
+	if err == nil {
+		for _, s := range sl.Items {
+			if !strings.HasPrefix(s.Name, "operator-ca-tls") {
+				continue
+			}
+			for _, k := range ks {
+				cas, ok := s.Data[k]
+				if !ok {
+					continue
+				}
+				ca := []byte(cas)
+				cbp.AppendCertsFromPEM(ca)
+			}
+		}
 	}
-
-	// create cert pool with ca bundle
-	cbp := x509.NewCertPool()
-	cbb, _ := pem.Decode([]byte(cb))
-	cbc, err := x509.ParseCertificate(cbb.Bytes)
-	if err != nil {
-		return nil, err
+	// CAs from configured external sources
+	for _, eca := range t.Spec.ExternalCaCertSecret {
+		if eca.Type == "kubernetes.io/tls" {
+			s := &corev1.Secret{}
+			err := c.Get(ctx, types.NamespacedName{Namespace: t.Namespace, Name: eca.Name}, s)
+			if err != nil {
+				continue
+			}
+			for _, k := range ks {
+				cas, ok := s.Data[k]
+				if !ok {
+					continue
+				}
+				ca := []byte(cas)
+				cbp.AppendCertsFromPEM(ca)
+			}
+		}
 	}
-	cbp.AddCert(cbc)
 
 	return &minioTenantClientInfo{
 		AccessKey: ak,