
Multi TLS support - losing own internal certificate #2323

Open
sergey-kudriavtsev opened this issue Sep 21, 2024 · 0 comments
When using an external certificate, the tenant loses its own internal certificate (making it unusable).

You also have to set MINIO_SERVER_URL, although the MinIO documentation states that this env var is no longer required.

Expected Behavior

```
X509v3 Subject Alternative Name:
                DNS:main-tenant-pool-0-{0...3}.main-tenant-hl.default.svc.cluster.local, DNS:minio.default.svc.cluster.local, DNS:minio.default, DNS:minio.default.svc, DNS:*.main-tenant-hl.default.svc.cluster.local, DNS:*.default.svc.cluster.local
```

Current Behavior

The domain test.example.con is given as an example

```
X509v3 Subject Alternative Name:
                DNS:*test.example.con, DNS:*.s3.example.con
```

Possible Solution

  1. Add a field to the Tenant CRD for setting the mount path manually
  2. Automatically read the common domain name from the certificates and form a mountPath from it

Manual fix (temporary solution)

  1. Don't use additionalVolumes
  2. Mount the cert like this:

```yaml
...
  additionalVolumes:
    - name: s3-example-com-tls
      secret:
        secretName: s3.example.com-tls
        items:
          - key: tls.crt
            path: public.crt
          - key: tls.key
            path: private.key

  additionalVolumeMounts:
    - name: s3-example-com-tls
      mountPath: /tmp/certs/s3.example.com
...
```

Steps to Reproduce (for bugs)

  1. Create the cert secret s3.example.com-tls (or request it via cert-manager)
  2. Add the external cert to the tenant:

```yaml
apiVersion: minio.min.io/v2
kind: Tenant
metadata:
  name: main-tenant
  namespace: default
spec:
  # externalCertSecret is a list of secret references in the v2 Tenant CRD
  externalCertSecret:
    - name: s3.example.com-tls
      type: kubernetes.io/tls
```

  3. Create the tenant
  4. List the certs dir in the pod:

```sh
ls -ls /tmp/certs/
```

  5. Check the TLS certificate the tenant presents:

```sh
kubectl run test-ssl --image=alpine/openssl --rm -ti -n default --command -- openssl s_client -showcerts -connect minio.s3-mainnet.svc:443 </dev/null 2>/dev/null | openssl x509 -inform pem -text | grep -A1 "Subject Alternative Name"
```

Context

How it works is described here: Minio Description TLS.
But the code generates the path without taking the domain into account: Code link.
This makes it unworkable to use the embedded certificate together with an external certificate or multiple external certificates.

Regression

Yes

Your Environment

  • Version used (minio-operator): 6.0.3
  • Environment name and version (e.g. kubernetes v1.17.2): kubernetes v1.30.2
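As an added example, not code from the MinIO Operator or from the issue author, the following Go program (Go because it is the operator's own language) implements the second proposed solution: it derives a per-domain certs subdirectory from a certificate's first DNS SAN, renders the workaround's additionalVolumes/additionalVolumeMounts fragment for it, and reports which cluster-internal hostnames a given certificate does not cover, which is exactly what the Current Behavior SAN list above shows for the external cert. Function names (ParseCertPEM, MountDirFromCert, VolumeName, MissingHosts, RenderMounts), the self-signed certificate used as constructed input, and the "wildcard" substitution for stray asterisks are my assumptions; the /tmp/certs/<domain> layout is the one from the manual fix above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ParseCertPEM parses the first CERTIFICATE block of a PEM bundle (a Secret's tls.crt).
func ParseCertPEM(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// MountDirFromCert derives the per-domain subdirectory from the first DNS SAN (CN as
// fallback); "*.s3.example.com" yields "s3.example.com". Separators and dot-only
// names are rejected so a hostile SAN cannot escape the certs directory (assumption).
func MountDirFromCert(cert *x509.Certificate) (string, error) {
	name := cert.Subject.CommonName
	if len(cert.DNSNames) > 0 {
		name = cert.DNSNames[0]
	}
	name = strings.ToLower(strings.TrimPrefix(name, "*."))
	name = strings.ReplaceAll(name, "*", "wildcard")
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, `/\`) {
		return "", fmt.Errorf("certificate has no usable DNS name: %q", name)
	}
	return name, nil
}

// VolumeName makes a DNS-1123 label for the Pod volume (dots are not allowed there).
func VolumeName(dir string) string {
	return strings.ReplaceAll(dir, ".", "-") + "-tls"
}

// MissingHosts returns the hostnames the certificate does NOT cover, using the same
// SAN/wildcard matching a TLS client applies; run it against the internal names.
func MissingHosts(cert *x509.Certificate, hosts []string) []string {
	var missing []string
	for _, h := range hosts {
		if err := cert.VerifyHostname(h); err != nil {
			missing = append(missing, h)
		}
	}
	return missing
}

// RenderMounts renders the workaround fragment, mounting under /tmp/certs/<domain>.
func RenderMounts(secretName, dir string) string {
	vol := VolumeName(dir)
	return fmt.Sprintf(`additionalVolumes:
  - name: %s
    secret:
      secretName: %s
      items:
        - key: tls.crt
          path: public.crt
        - key: tls.key
          path: private.key
additionalVolumeMounts:
  - name: %s
    mountPath: /tmp/certs/%s
`, vol, secretName, vol, dir)
}

// selfSignedCert is constructed input standing in for a cert-manager Secret's tls.crt.
func selfSignedCert(dnsNames []string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	cert, _ := ParseCertPEM(selfSignedCert([]string{"*.s3.example.com", "s3.example.com"}))
	dir, _ := MountDirFromCert(cert)
	fmt.Print(RenderMounts("s3.example.com-tls", dir))
	fmt.Println("not covered:", MissingHosts(cert, []string{"minio.default.svc.cluster.local"}))
}
```

`go run` prints the YAML fragment for the external cert and the internal name it leaves uncovered; pass the real tls.crt from the Secret to ParseCertPEM instead of selfSignedCert to check a production certificate. MissingHosts only shows that the external cert cannot stand in for the internal one; whether the server is actually presenting the internal cert is what the openssl s_client step in the reproduction checks.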