Name:      testServiceAccountName,
			Namespace: testNamespace,
		},
	}

	for _, secret := range secrets {
		sa.Secrets = append(sa.Secrets, v1.ObjectReference{
			Name:      secret,
			Namespace: testNamespace,
		})
	}

	return sa
}

func makeSecret(name, caData, token string) *v1.Secret {
	out := &v1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Name:        name,
			Namespace:   testNamespace,

	return saName + "-istio-remote-secret-token"
}

func secretReferencesServiceAccount(serviceAccount *v1.ServiceAccount, secret *v1.Secret) error {
	if secret.Type != v1.SecretTypeServiceAccountToken ||
		secret.Annotations[v1.ServiceAccountNameKey] != serviceAccount.Name {
		return fmt.Errorf("secret %s/%s does not reference ServiceAccount %s",
			secret.Namespace, secret.Name, serviceAccount.Name)
	}
	return nil
}

#### Content Encryption

Import the modules installed.

Create a random secret key that will be used to sign the JWT tokens.

To generate a secure random secret key use the command:

<div class="termy">

```console
$ openssl rand -hex 32

09d25e094faa6ca2556c818166b7a9563b93f7099f6f0f4caa6cf63b88e8d3e7
```

</div>

And copy the output to the variable `SECRET_KEY` (don't use the one in the example).

		os.Setenv("CONSOLE_SECURE_CONTENT_SECURITY_POLICY", valueSCP)
	}

	if hstsSeconds := globalBrowserConfig.GetHSTSSeconds(); hstsSeconds > 0 {
		isubdom := globalBrowserConfig.IsHSTSIncludeSubdomains()
		isprel := globalBrowserConfig.IsHSTSPreload()
		os.Setenv("CONSOLE_SECURE_STS_SECONDS", strconv.Itoa(hstsSeconds))
		os.Setenv("CONSOLE_SECURE_STS_INCLUDE_SUB_DOMAINS", isubdom)

func (s *TestSuiteIAM) iamSetup(c *check) {
	var err error
	// strip url scheme from endpoint
	s.endpoint = strings.TrimPrefix(s.endPoint, "http://")
	if s.secure {
		s.endpoint = strings.TrimPrefix(s.endPoint, "https://")
	}

	s.adm, err = madmin.New(s.endpoint, s.accessKey, s.secretKey, s.secure)
	if err != nil {
		c.Fatalf("error creating admin client: %v", err)
	}
	// Set transport, so that TLS is handled correctly.

  ## MINIO_SUBNET_LICENSE: "License key obtained from https://subnet.min.io"
  ## MINIO_BROWSER: "off"

## The name of a secret in the same kubernetes namespace which contain secret values
## This can be useful for LDAP password, etc
## The key in the secret must be 'config.env'
##
extraSecret: ~

## OpenID Identity Management

   * MD5 (128 hash bits) hash function and the given secret key.
   *
   * <p>If you are designing a new system that needs HMAC, prefer {@link #hmacSha256} or other
   * future-proof algorithms <a
   * href="https://datatracker.ietf.org/doc/html/rfc6151#section-2.3">over {@code hmacMd5}</a>.
   *
   * @param key the secret key

displayed in the output of a successful install. Existing secret ---------- Instead of having this chart create the secret for you, you can supply a preexisting secret, much like an existing PersistentVolumeClai. First, create the secret: ```bash kubectl create secret generic my-minio-secret --from-literal=rootUser=foobarbaz --from-literal=rootPassword=foobarbazqux ``` Then install the chart, specifying that you want to use an existing secret: ```bash helm install --set existingSecret=my-minio-secret...

displayed in the output of a successful install. Existing secret ---------- Instead of having this chart create the secret for you, you can supply a preexisting secret, much like an existing PersistentVolumeClai. First, create the secret: ```bash kubectl create secret generic my-minio-secret --from-literal=rootUser=foobarbaz --from-literal=rootPassword=foobarbazqux ``` Then install the chart, specifying that you want to use an existing secret: ```bash helm install --set existingSecret=my-minio-secret...