import okhttp3.internal.DoubleInetAddressDns
import okhttp3.internal.connection.RealConnectionPool.Companion.get
import okhttp3.testing.Flaky
import okhttp3.testing.PlatformRule
import okhttp3.tls.internal.TlsUtil.localhost
import org.junit.jupiter.api.BeforeEach
import org.junit.jupiter.api.Tag
import org.junit.jupiter.api.Test
import org.junit.jupiter.api.Timeout
import org.junit.jupiter.api.extension.RegisterExtension

cleanup

export MINIO_CI_CD=1
export MINIO_BROWSER=off
export MINIO_ROOT_USER="minio"
export MINIO_ROOT_PASSWORD="minio123"
TEST_MINIO_ENC_KEY="MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDA"

# Create certificates for TLS enabled MinIO
echo -n "Setup certs for MinIO instances ..."
wget -O certgen https://github.com/minio/certgen/releases/latest/download/certgen-linux-amd64 && chmod +x certgen
./certgen --host localhost
mkdir -p /tmp/certs

E tem que haver algo responsável por **renovar os certificados HTTPS**, pode ser o mesmo componente ou pode ser algo diferente.

### Ferramentas de exemplo para HTTPS { #example-tools-for-https }

Algumas das ferramentas que você pode usar como um proxy de terminação TLS são:

* Traefik
    * Lida automaticamente com renovações de certificados ✨

 * New: Use ALPN on Android platforms that support it (4.4+)
 * New: CacheControl model and parser.
 * New: Protocol selection in MockWebServer.
 * Fix: Route selection shouldn't use TLS modes that we know will fail.
 * Fix: Cache SPDY responses even if the response body is closed prematurely.
 * Fix: Use strict timeouts when aborting a download.
 * Fix: Support Shoutcast HTTP responses like `ICY 200 OK`.

		if err != nil {
			return nil
		}
		return &xnet.URL{
			Host: net.JoinHostPort(xhost.Name, globalMinioConsolePort),
			Scheme: func() string {
				scheme := "http"
				if r.TLS != nil {
					scheme = "https"
				}
				return scheme
			}(),
		}
	}
	return nil
}

// guessIsHealthCheckReq - returns true if incoming request looks
// like healthCheck request

	MOVD	$(709.78271289338397), F3		// 970f000087b10f00

	// TLS load with local-exec (LUI + ADDIW + ADD of TP + load)
	MOV	tls(SB), X5				// b70f00009b8f0f00b38f4f0083b20f00
	MOVB	tls(SB), X5				// b70f00009b8f0f00b38f4f0083820f00

	// TLS store with local-exec (LUI + ADDIW + ADD of TP + store)
	MOV	X5, tls(SB)				// b70f00009b8f0f00b38f4f0023b05f00
	MOVB	X5, tls(SB)				// b70f00009b8f0f00b38f4f0023805f00

import okhttp3.internal.connection.RouteDatabase
import okhttp3.internal.immutableListOf
import okhttp3.internal.platform.Platform
import okhttp3.internal.proxy.NullProxySelector
import okhttp3.internal.tls.CertificateChainCleaner
import okhttp3.internal.tls.OkHostnameVerifier
import okhttp3.internal.toImmutableList
import okhttp3.internal.unmodifiable
import okhttp3.internal.ws.RealWebSocket
import okio.Sink
import okio.Source

==== TLS

`JKS` and `PKCS#12` keystores cannot be used in FIPS mode. If the test depends on being able to use
a keystore, it can be muted when needed ( see `ESTestCase#inFipsJvm` ). Alternatively, one can use
PEM encoded files for keys and certificates for the tests or for setting up TLS in a test cluster.
Also, when in FIPS 140 mode, hostname verification for TLS cannot be turned off so if you are using

            trustManagerFactory.init(keyStore);

            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, trustManagerFactory.getTrustManagers(), null);

            Curl.get("https://localhost:9200/").sslSocketFactory(sslContext.getSocketFactory()).execute(response -> {

{{ $poolCount := .Values.pools | int }}
{{ $nodeCount := .Values.replicas | int }}
{{ $replicas := mul $poolCount $nodeCount }}
{{ $drivesPerNode := .Values.drivesPerNode | int }}
{{ $scheme := .Values.tls.enabled | ternary "https" "http" }}
{{ $mountPath := .Values.mountPath }}
{{ $bucketRoot := or ($.Values.bucketRoot) ($.Values.mountPath) }}
{{ $subPath := .Values.persistence.subPath }}
{{ $penabled := .Values.persistence.enabled }}