-
Notifications
You must be signed in to change notification settings - Fork 0
KES cert manager example
Cesar Celis Hernandez edited this page Jan 27, 2023
·
5 revisions
- Fri Jan 27, 2023 @ 1:27 pm Toronto Time
Use cert-manager for KES
- https://github.com/cniackz/public/wiki/How-to-install-MinIO-Tenant-using-cert-manager-in-k8s
- https://github.com/cniackz/public/wiki/Tenant-TLS-plus-KES-TLS-all-with-cert-manager-together
- Create a cluster
createcluster
- Install Operator
installoperator
- Install cert-manager
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.yaml
- Wait for some time and deploy the tenant from the example added:
sleep 120 # wait 2 minutes
k apply -k ~/operator/examples/kustomization/tenant-certmanager-kes
- Wait for vault to be ready:
kubectl wait --namespace tenant-certmanager --for=condition=ready pod --selector=app=vault --timeout=120s
- Configure Vault:
VAULT_ROOT_TOKEN=$(kubectl logs -l app=vault -n tenant-certmanager | grep "Root Token: " | sed -e "s/Root Token: //g");
kubectl exec $(kubectl get pods -l app=vault -n tenant-certmanager | grep -v NAME | awk '{print $1}') -n tenant-certmanager -- sh -c 'VAULT_TOKEN='$VAULT_ROOT_TOKEN' VAULT_ADDR="http://127.0.0.1:8200" vault auth enable approle'
kubectl exec $(kubectl get pods -l app=vault -n tenant-certmanager | grep -v NAME | awk '{print $1}') -n tenant-certmanager -- sh -c 'VAULT_TOKEN='$VAULT_ROOT_TOKEN' VAULT_ADDR="http://127.0.0.1:8200" vault secrets enable kv'
kubectl cp ~/operator/examples/vault/kes-policy.hcl $(kubectl get pods -l app=vault -n tenant-certmanager | grep -v NAME | awk '{print $1}'):/kes-policy.hcl -n tenant-certmanager
kubectl exec $(kubectl get pods -l app=vault -n tenant-certmanager | grep -v NAME | awk '{print $1}') -n tenant-certmanager -- sh -c 'VAULT_TOKEN='$VAULT_ROOT_TOKEN' VAULT_ADDR="http://127.0.0.1:8200" vault policy write kes-policy /kes-policy.hcl'
kubectl exec $(kubectl get pods -l app=vault -n tenant-certmanager | grep -v NAME | awk '{print $1}') -n tenant-certmanager -- sh -c 'VAULT_TOKEN='$VAULT_ROOT_TOKEN' VAULT_ADDR="http://127.0.0.1:8200" vault write auth/approle/role/kes-role token_num_uses=0 secret_id_num_uses=0 period=5m policies=kes-policy'
ROLE_ID=$(kubectl exec $(kubectl get pods -l app=vault -n tenant-certmanager | grep -v NAME | awk '{print $1}') -n tenant-certmanager -- sh -c 'VAULT_TOKEN='$VAULT_ROOT_TOKEN' VAULT_ADDR="http://127.0.0.1:8200" vault read auth/approle/role/kes-role/role-id' | grep "role_id " | sed -e "s/role_id //g")
SECRET_ID=$(kubectl exec $(kubectl get pods -l app=vault -n tenant-certmanager | grep -v NAME | awk '{print $1}') -n tenant-certmanager -- sh -c 'VAULT_TOKEN='$VAULT_ROOT_TOKEN' VAULT_ADDR="http://127.0.0.1:8200" vault write -f auth/approle/role/kes-role/secret-id' | grep "secret_id " | sed -e "s/secret_id //g")
echo " "
echo " "
echo " "
echo " "
echo "ROLE_ID = ${ROLE_ID}"
echo "SECRET_ID = ${SECRET_ID}"
- Set the configuration and make sure proper approle is configured:
echo "apiVersion: v1
kind: Secret
metadata:
name: storage-certmanager-secret-kes-configuration
namespace: tenant-certmanager
labels:
v1.min.io/tenant: storage-certmanager
managedFields:
- manager: console
operation: Update
apiVersion: v1
time: '2022-11-29T14:29:22Z'
fieldsType: FieldsV1
fieldsV1:
f:data:
.: {}
f:server-config.yaml: {}
f:immutable: {}
f:metadata:
f:labels:
.: {}
f:v1.min.io/tenant: {}
f:type: {}
selfLink: /api/v1/namespaces/tenant-certmanager/secrets/storage-certmanager-secret-kes-configuration
immutable: true
type: Opaque
stringData:
server-config.yaml: |-
address: 0.0.0.0:7373
root: disabled
tls:
key: /tmp/kes/server.key
cert: /tmp/kes/server.crt
policy:
default-policy:
paths:
- /v1/key/create/my-minio-key
- /v1/key/generate/my-minio-key
- /v1/key/decrypt/my-minio-key
identities:
- \${MINIO_KES_IDENTITY}
cache:
expiry:
any: 5m0s
unused: 20s
log:
error: "on"
audit: "off"
keys:
vault:
endpoint: http://vault.tenant-certmanager.svc.cluster.local:8200
prefix: my-minio
approle:
id: ${ROLE_ID}
secret: ${SECRET_ID}
status: {}" > kes-configuration.yaml
k apply -f kes-configuration.yaml
- Make sure you can encrypt, use Ubuntu pod to check that:
# Previous steps on the pod:
apt update
apt install vim
apt install wget
wget https://dl.min.io/client/mc/release/linux-amd64/mc
root@ubuntu:/# chmod +x mc
root@ubuntu:/# mv mc /usr/local/bin/mc
root@ubuntu:/# mc alias set myminio https://minio.tenant-certmanager.svc.cluster.local minio minio123
mc: Configuration written to `/root/.mc/config.json`. Please update your access credentials.
mc: Successfully created `/root/.mc/share`.
mc: Initialized share uploads `/root/.mc/share/uploads.json` file.
mc: Initialized share downloads `/root/.mc/share/downloads.json` file.
Fingerprint of myminio public key: 061e0661adbc70b7a79b3cf1817d2c4d16e91acf4f0de17b31561bf82ab47698
Confirm public key y/N: y
Added `myminio` successfully.
root@ubuntu:/# mc mb myminio/testing
Bucket created successfully `myminio/testing`.
root@ubuntu:/# mc encrypt set sse-s3 myminio/testing/
Auto encryption configuration has been set successfully for myminio/testing/
root@ubuntu:/# mc encrypt info myminio/testing
Auto encryption 'sse-s3' is enabled