# How to secure access to MinIO on Kubernetes with TLS [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)

This document explains how to configure MinIO server with TLS certificates on Kubernetes.

## 1. Prerequisites

- Familiarity with [MinIO deployment process on Kubernetes](https://docs.min.io/community/minio-object-store/operations/deployments/kubernetes.html).

- Kubernetes cluster with `kubectl` configured.

   *
   * @deprecated If you must interoperate with a system that requires MD5, then use this method,
   *     despite its deprecation. But if you can choose your hash function, avoid MD5, which is
   *     neither fast nor secure. As of January 2017, we suggest:
   *     <ul>
   *       <li>For security:
   *           {@link Hashing#sha256} or a higher-level API.
   *       <li>For speed: {@link Hashing#goodFastHash}, though see its docs for caveats.

    title: Auth, user management and more for your B2B product
    img: https://fastapi.tiangolo.com/img/sponsors/propelauth.png
  - url: https://zuplo.link/fastapi-gh
    title: 'Zuplo: Deploy, Secure, Document, and Monetize your FastAPI'
    img: https://fastapi.tiangolo.com/img/sponsors/zuplo.png
  - url: https://liblab.com?utm_source=fastapi
    title: liblab - Generate SDKs from FastAPI

        .build()

    // An example test URL that returns client certificate details.
    val request =
      Request
        .Builder()
        .url("https://prod.idrix.eu/secure/")
        .build()

    client.newCall(request).execute().use { response ->
      if (!response.isSuccessful) throw IOException("Unexpected code $response")

      println(response.body.string())
    }
  }
}

     */
    protected InputStream bodyStream;

    /**
     * The compression type for the request.
     */
    protected String compression = null;

    /**
     * The SSL socket factory for secure connections.
     */
    protected SSLSocketFactory sslSocketFactory = null;

    /**
     * The thread pool for executing the request.
     */
    protected ForkJoinPool threadPool;

    /**

		} else {
			mcreds = credentials.NewStaticV4(sa.Credentials.AccessKey, sa.Credentials.SecretKey, "")
		}

		return minio.New(driver.endpoint, &minio.Options{
			Creds:           mcreds,
			Secure:          globalIsTLS,
			Transport:       tr,
			TrailingHeaders: true,
		})
	}

	// ok == true - at this point

	if ui.Credentials.IsTemp() {
		// Temporary credentials are not allowed.

const crossDomainXML = `<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" secure="false" /></cross-domain-policy>`

// Standard path where an app would find cross domain policy information.
const crossDomainXMLEntity = "/crossdomain.xml"

	github.com/prometheus/procfs v0.16.1
	github.com/puzpuzpuz/xsync/v3 v3.5.1
	github.com/rabbitmq/amqp091-go v1.10.0
	github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9
	github.com/rs/cors v1.11.1
	github.com/secure-io/sio-go v0.3.1
	github.com/shirou/gopsutil/v3 v3.24.5
	github.com/tinylib/msgp v1.2.5
	github.com/valyala/bytebufferpool v1.0.0
	github.com/xdg/scram v1.0.5
	github.com/zeebo/xxh3 v1.0.2
	go.etcd.io/etcd/api/v3 v3.5.21

- name: authx
  html_url: https://github.com/yezz123/authx
  stars: 978
  owner_login: yezz123
  owner_html_url: https://github.com/yezz123
- name: secure
  html_url: https://github.com/TypeError/secure
  stars: 942
  owner_login: TypeError
  owner_html_url: https://github.com/TypeError
- name: titiler
  html_url: https://github.com/developmentseed/titiler
  stars: 940

        byte[] hash1 = md5_1.digest(data);
        byte[] hash2 = md5_2.digest(data);

        // Then
        assertArrayEquals(hash1, hash2);
    }

    @Test
    @DisplayName("Should generate secure random bytes")
    void testSecureRandomGeneration() throws java.security.NoSuchAlgorithmException {
        // Given
        int length = 16;

        // When
        byte[] random1 = new byte[length];