stackabletech · dervoeti · Mar 20, 2025 · Mar 19, 2025 · Mar 19, 2025 · Mar 20, 2025
diff --git a/demos/data-lakehouse-iceberg-trino-spark/create-spark-ingestion-job.yaml b/demos/data-lakehouse-iceberg-trino-spark/create-spark-ingestion-job.yaml
@@ -67,7 +67,7 @@ data:
         - name: script
           configMap:
             name: write-iceberg-table-script
-        - name: tls
+        - name: spark-tls
           ephemeral:
             volumeClaimTemplate:
               metadata:
@@ -101,7 +101,7 @@ data:
           volumeMounts:
             - name: script
               mountPath: /stackable/spark/jobs
-            - name: tls
+            - name: spark-tls
               mountPath: /stackable/tls
       executor:
         replicas: 4
@@ -115,7 +115,7 @@ data:
           volumeMounts:
             - name: script
               mountPath: /stackable/spark/jobs
-            - name: tls
+            - name: spark-tls
               mountPath: /stackable/tls
 ---
 apiVersion: v1

diff --git a/demos/data-lakehouse-iceberg-trino-spark/load-test-data.yaml b/demos/data-lakehouse-iceberg-trino-spark/load-test-data.yaml
@@ -16,7 +16,10 @@ spec:
             - pipefail
             - -c
             - |
-              mc --insecure alias set minio http://minio:9000/ $(cat /minio-s3-credentials/accessKey) $(cat /minio-s3-credentials/secretKey)
+              # Copy the CA cert from the "tls" SecretClass
+              cp -v /etc/minio/mc/original_certs/ca.crt /.mc/certs/CAs/public.crt
+
+              mc alias set minio https://minio.default.svc.cluster.local:9000/ $(cat /minio-s3-credentials/accessKey) $(cat /minio-s3-credentials/secretKey)
               cd /tmp
 
               curl -sO https://repo.stackable.tech/repository/misc/datasets/open-postcode-geo/open-postcode-geo.csv
@@ -69,9 +72,36 @@ spec:
           volumeMounts:
             - name: minio-s3-credentials
               mountPath: /minio-s3-credentials
+            # Mount the certificate generated by the secret-operator
+            - name: tls
+              mountPath: /etc/minio/mc/original_certs
+            # On startup, we will rename the certs and move them here:
+            - mountPath: /.mc/certs/CAs
+              name: certs
       volumes:
         - name: minio-s3-credentials
           secret:
             secretName: minio-s3-credentials
+        # Request a TLS certificate from the secret-operator
+        - name: tls
+          ephemeral:
+            volumeClaimTemplate:
+              metadata:
+                annotations:
+                  secrets.stackable.tech/class: tls
+                  secrets.stackable.tech/scope: |-
+                    service=minio,pod
+              spec:
+                storageClassName: secrets.stackable.tech
+                accessModes:
+                  - ReadWriteOnce
+                resources:
+                  requests:
+                    storage: "1"
+        # Create an in-memory emptyDir to copy the certs to (to avoid permission errors)
+        - name: certs
+          emptyDir:
+            sizeLimit: 5Mi
+            medium: Memory
       restartPolicy: OnFailure
   backoffLimit: 50
diff --git a/stacks/_templates/minio-distributed-tls/README.md b/stacks/_templates/minio-distributed-tls/README.md
@@ -0,0 +1,16 @@
+# MinIO with TLS from secret-operator
+
+MinIO has a severe limitation whereby the TLS certificates must be named `public.crt`
+and `private.key`. This goes against Kubernetes naming of `tls.crt` and `tls.key`.
+
+The upstream minio chart is also too limited:
+
+- No way to add initContainers (to rename cert files in a shared volume).
+- No way to edit the container command (to rename cert files before starting minio).
+
+Therefore, we will render the upstream chart here, and then apply the necessary
+customizations on top.
+
+```yaml
+helm template minio minio/minio -f values.yaml > rendered-chart.yaml
+```