Creating a secret

You must create a secret for S3 targets that use a self-signed certificate before you create a backup storage location.

Whenever you create a backup storage location for S3-compliant storage, you have the option to specify a certificate to authenticate the connection.

  1. Extract the certificate from the S3-compliant service to a file. Use the openssl command to extract the certificate into the file tls.crt.
    Note: The file name must be tls.crt.
    Redirecting standard input from /dev/null lets openssl exit once the handshake completes instead of waiting for input.
    openssl s_client -connect <s3-service-name>-<s3-service-namespace>.apps.<fusion-hostname>.<domainname>:443 -showcerts </dev/null \
     | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > tls.crt

    For example, use the openssl command to extract the certificate from the minio service in the minio-ns namespace on an IBM Storage Fusion cluster.

    openssl s_client -connect minio-minio-ns.apps.myfusionhostname.mydomain:443 -showcerts </dev/null \
     | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > tls.crt
  2. Run the oc command to create a generic secret in the IBM Storage Fusion namespace using the tls.crt file.
    oc create secret generic <secret-name> --type=opaque --from-file=tls.crt -n <fusion-namespace>
    For example, in the default IBM Storage Fusion namespace, ibm-spectrum-fusion-ns:
    oc create secret generic minio-cert-secret --type=opaque --from-file=tls.crt -n ibm-spectrum-fusion-ns
    Note: Make a note of this secret name. You need it to create a backup storage location.
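
The command in step 1 saves whatever certificate the endpoint presents, so it is worth comparing the SHA-256 fingerprint of tls.crt with one obtained out-of-band from the S3 service owner before running step 2. The script below is an added example, not part of the product documentation; the function names and the script name check-cert.sh are hypothetical, and it assumes awk, base64 and sha256sum are available.

```bash
#!/usr/bin/env bash
# Added example: pin-check tls.crt before it is stored in the secret.

# Number of certificates in the PEM bundle (-showcerts can return a chain).
cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# SHA-256 fingerprint (lowercase hex) of the Nth certificate in the bundle.
# This is the digest of the certificate's DER bytes, the same value that
# `openssl x509 -noout -fingerprint -sha256` prints, without the colons.
cert_fingerprint() {   # usage: cert_fingerprint <bundle> <index, 1-based>
  awk -v want="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; inside = 1; next }
    /-----END CERTIFICATE-----/   { inside = 0; next }
    inside && n == want           { print }
  ' "$1" | tr -d ' \r' | base64 -d | sha256sum | cut -d' ' -f1
}

# Accept "AB:CD:..." or "ab cd ..." and return plain lowercase hex.
normalise_fp() {
  printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Return 0 only if the first (leaf) certificate matches the expected
# fingerprint; 1 on mismatch; 2 if the file holds no certificate.
verify_pin() {   # usage: verify_pin <bundle> <expected-sha256>
  local bundle="$1" expected actual count
  expected=$(normalise_fp "$2")
  count=$(cert_count "$bundle")
  if [ "$count" -lt 1 ]; then
    echo "no certificate found in $bundle" >&2
    return 2
  fi
  actual=$(cert_fingerprint "$bundle" 1)
  echo "$bundle: $count certificate(s), leaf sha256=$actual" >&2
  if [ "$actual" != "$expected" ]; then
    echo "MISMATCH: expected $expected; do not create the secret" >&2
    return 1
  fi
}

# Run as: ./check-cert.sh tls.crt <expected-sha256>
if [ "$#" -eq 2 ]; then verify_pin "$1" "$2"; fi
```

A count greater than 1 means the endpoint returned a chain, and every certificate in tls.crt ends up in the secret.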