party CA: ``` kubectl -n minio create secret generic minio-trusted-certs --from-file=keycloak.crt ``` The name of the generated secret can then be passed to Helm using a values file or the `--set` parameter: ``` trustedCertsSecret: "minio-trusted-certs" or --set trustedCertsSecret=minio-trusted-certs ``` ### Create buckets after install Install the chart, specifying the buckets you want to create after install: ```bash helm install --set buckets[0].name=bucket1,buckets[0].policy=none,buckets[0].purge=false...

		GetValidationContext().
		GetTrustedCa().
		GetInlineBytes()

	// seems as though the most straightforward way to tell whether this is a root ca or not
	// is to check whether the inline bytes of the cert chain or the trusted ca field is zero length
	if len(certChainSecret) > 0 {
		builder.Data(string(certChainSecret))
	} else if len(caDataSecret) > 0 {
		builder.Data(string(caDataSecret))
	}

	secret, err := builder.Build()

          listOf(
            "Inaccessible trust store",
            "trustStore is",
            "Reload the trust store",
            "Reload trust certs",
            "Reloaded",
            "adding as trusted certificates",
            "Ignore disabled cipher suite",
            "Ignore unsupported cipher suite",
          ).joinToString(separator = "|"),
        )
        append(").*")
      },
    )

   */
  fun noClientAuth() {
    this.clientAuth = CLIENT_AUTH_NONE
  }

  /**
   * Configure the server to [want client auth][SSLSocket.setWantClientAuth]. If the
   * client presents a certificate that is [trusted][TrustManager] the handshake will
   * proceed normally. The connection will also proceed normally if the client presents no
   * certificate at all! But if the client presents an untrusted certificate the handshake

	if err != nil || numEntries < 0 || int(2*numEntries) < int(numEntries) {
		return nil, ErrHeader
	}

	// Parse for all member entries.
	// numEntries is trusted after this since a potential attacker must have
	// committed resources proportional to what this library used.
	if err := feedTokens(2 * numEntries); err != nil {
		return nil, err
	}

    private CacheEntry<Map<String, CacheEntry<DfsReferralDataInternal>>> _domains = null; /*
                                                                                           * aka trusted domains cache
                                                                                           */
    private final Object domainsLock = new Object();

  - Add this Role into compositive role named `default-roles-{realm}` - `{realm}` should be replaced with whatever realm you created from `prerequisites` section. This role is automatically trusted in the 'Service Accounts' tab.

- Check that `account` client_id has the role 'admin' assigned in the "Service Account Roles" tab.

* Traefik (that can also handle certificate renewals)
* Caddy (that can also handle certificate renewals)
* Nginx
* HAProxy

## Let's Encrypt

Before Let's Encrypt, these **HTTPS certificates** were sold by trusted third parties.

The process to acquire one of these certificates used to be cumbersome, require quite some paperwork and the certificates were quite expensive.

| `Forwarded`   | For outgoing requests, the original source IP. Note that since we spoof IPs in most cases, this usually is the same as the actual IP seen. For incoming requests, this is used only for traffic from waypoints (which are trusted and cannot spoof IPs) |

If a self-signed certificate is being used, the certificate can be added to MinIO's certificates directory, so it can be trusted by the server.

#### DNS SRV Records