vm broker ‐ kes hashicorp ‐ monitor - allanrogerr/public GitHub Wiki

1.- Create a new instance, kes-monitor, on the same node as kes-vault, kes-server and kes-minio so that it shares the same network, under the lab.min.dev domain, with Enable TLS and SSL Required

2.- Connect to kes-monitor

ssh -p 20052 [email protected] -o "ServerAliveInterval=5" -o "ServerAliveCountMax=100000" -o "StrictHostKeyChecking=off"
loginctl enable-linger ubuntu 

Install and validate kes

curl -sSL --tlsv1.2 'https://github.com/minio/kes/releases/latest/download/kes-linux-amd64' -o ./kes
chmod +x ./kes
./kes --version

Output

Version    2023-10-27T22-05-35Z   commit=bc66190159ecda31db407eead7baa6bff356c9b3
Runtime    go1.21.1 linux/amd64   compiler=gc
License    AGPLv3                 https://www.gnu.org/licenses/agpl-3.0.html
Copyright  2015-2023 MinIO Inc.   https://min.io

3.- Connect to kes-server using the APIs. Use the minio mTLS identity instead of TLS

export KES_SERVER=https://10.214.226.20:9073
export KES_API_KEY=kes:v1:ACAIYfVuDywN4O3bsMaaZCXdVjaVe283XYBab0k01pP0

Invoke the API

./kes key ls -k

Output

Key
minio-key

4.- Connect to kes-server

ssh -p 20070 [email protected] -o "ServerAliveInterval=5" -o "ServerAliveCountMax=100000" -o "StrictHostKeyChecking=off" 

Kill current server process

kill -9 $(ps aux | grep "kes server" | grep -v grep | grep -v $$ | awk '{print $2}')

Generate Admin Credentials

./kes identity new admin

Output

Your API key:

   kes:v1:APx7bEbFfg9ciM9a3eSxkYv0K28YUcMwenonAKzhQGly

This is the only time it is shown. Keep it secret and secure!

Your Identity:

   1a9eaa1b05d9e4a47a71015fc9a141cedb2c9a04183d21e642808b1f72d3ff6f

The identity is not a secret. It can be shared. Any peer
needs this identity in order to verify your API key.

The identity can be computed again via:

    kes identity of kes:v1:APx7bEbFfg9ciM9a3eSxkYv0K28YUcMwenonAKzhQGly

Configure KES Server

vi config.yml

address: 0.0.0.0:9073 # Listen on all network interfaces on port 9073

admin:
  identity: 1a9eaa1b05d9e4a47a71015fc9a141cedb2c9a04183d21e642808b1f72d3ff6f
   
tls:
  key: private.key    # The KES server TLS private key
  cert: public.crt    # The KES server TLS certificate
   
policy:
  minio: 
    allow:
    - /v1/key/create/minio-key
    - /v1/key/generate/minio-key
    - /v1/key/decrypt/minio-key
    - /v1/key/list/*
    - /v1/key/delete/minio-key
    identities:
    - 83dbfcdba05cb3256eae72f5217ac4cbc6cf866f7a80927c1981901af6d9882c # Use the identity of your client.crt

log:
  error: on
  audit: on

keystore:
   vault:
     endpoint: https://10.214.226.171:9020
     version:  v2 # The K/V engine version - either "v1" or "v2".
     approle:
       id:     "079cc3a0-3051-f365-dac7-59c52413621f" # Your AppRole ID
       secret: "eb7d9f02-4ff0-dbe6-cacf-456603886797" # Your AppRole Secret
       retry:  15s
     status:
       ping: 10s
     tls:
       ca: vault.crt # Manually trust the vault certificate since we use self-signed certificates

Restart KES Server

kill -9 $(ps aux | grep "kes server" | grep -v grep | grep -v $$ | awk '{print $2}')
# --auth off: the server still requires a client certificate but does not verify it against a CA (accepts self-signed client certs; lab setting)
./kes server --config config.yml --auth off --addr :9073 > out.log &
tail -f out.log

5.- Return to kes-monitor terminal session

Connect to kes-server using the APIs. Use the minio mTLS identity instead of TLS

export KES_SERVER=https://10.214.226.20:9073
export KES_API_KEY=kes:v1:APx7bEbFfg9ciM9a3eSxkYv0K28YUcMwenonAKzhQGly

Invoke other APIs (see https://github.com/minio/kes/wiki/Server-API)

./kes key ls -k

Output

Key
minio-key

Key Info

./kes key info minio-key -k

Output

Name        minio-key
Algorithm   AES256
Date        2023-11-07 20:36:01
Owner       83dbfcdba05cb3256eae72f5217ac4cbc6cf866f7a80927c1981901af6d9882c

Status

./kes status --api -k

Output

● 10.214.226.20:9073
  Version  2023-10-27T22-05-35Z
  Uptime   0 seconds
  Latency  5ms
  OS       linux
  CPUs     2 amd64
  Memory  
  · Heap   4.0MB
  · Stack  884.7KB

  Method  API                          Timeout
  GET     /v1/identity/self/describe   15s
  GET     /v1/log/error                Inf
  GET     /version                     10s
  DELETE  /v1/key/delete/              15s
  PUT     /v1/key/encrypt/             15s
  GET     /v1/policy/list/             15s
  PUT     /v1/key/generate/            15s
  GET     /v1/policy/describe/         15s
  GET     /v1/identity/list/           15s
  GET     /v1/policy/read/             15s
  GET     /v1/log/audit                Inf
  GET     /v1/ready                    15s
  PUT     /v1/key/create/              15s
  GET     /v1/key/describe/            15s
  PUT     /v1/key/decrypt/             15s
  GET     /v1/key/list/                15s
  GET     /v1/identity/describe/       15s
  GET     /v1/status                   15s
  GET     /v1/metrics                  15s
  GET     /v1/api                      10s
  PUT     /v1/key/import/              15s

Audit log

./kes log -k

Commands

ubuntu@kes-monitor:~$ github/kes/kes key rm minio-key-3 -k
ubuntu@kes-monitor:~$ github/kes/kes key create minio-key-3 -k
ubuntu@kes-monitor:~$ github/kes/kes key create minio-key-4 -k
ubuntu@kes-monitor:~$ github/kes/kes key create minio-key-5 -k
ubuntu@kes-monitor:~$ github/kes/kes key rm minio-key-3 -k
ubuntu@kes-monitor:~$ github/kes/kes key rm minio-key-4 -k
ubuntu@kes-monitor:~$ github/kes/kes key rm minio-key-5 -k

Output

Time        Status    Identity                IP                 API                               Latency
00:55:38    200       1a9eaa1b05d9e4a47a71    10.214.226.233     /v1/key/delete/minio-key-3        5ns
00:55:48    200       1a9eaa1b05d9e4a47a71    10.214.226.233     /v1/key/create/minio-key-3        12ns
00:55:52    200       1a9eaa1b05d9e4a47a71    10.214.226.233     /v1/key/create/minio-key-4        8ns
00:55:55    200       1a9eaa1b05d9e4a47a71    10.214.226.233     /v1/key/create/minio-key-5        13ns
00:56:13    200       1a9eaa1b05d9e4a47a71    10.214.226.233     /v1/key/delete/minio-key-3        6ns
00:56:15    200       1a9eaa1b05d9e4a47a71    10.214.226.233     /v1/key/delete/minio-key-4        9ns
00:56:19    200       1a9eaa1b05d9e4a47a71    10.214.226.233     /v1/key/delete/minio-key-5        5ns
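The audit lines above show key deletes succeeding on keys the `minio` policy never allows, which works only because the calls come from the unrestricted admin identity. The following is an added example (not code from this wiki page or from the KES project) that parses `kes log` output and flags every successful call that the `minio` policy in config.yml would not have permitted; it assumes KES matches allow patterns the way Go's `path.Match` does (`*` does not cross `/`).

```python
import re
from collections import Counter

# Allow-list copied from the `minio` policy in config.yml on this page.
MINIO_POLICY_ALLOW = [
    "/v1/key/create/minio-key",
    "/v1/key/generate/minio-key",
    "/v1/key/decrypt/minio-key",
    "/v1/key/list/*",
    "/v1/key/delete/minio-key",
]

# Sample lines copied from the `./kes log -k` output shown above (identity is truncated by kes).
SAMPLE_LOG = """\
Time        Status    Identity                IP                 API                               Latency
00:55:38    200       1a9eaa1b05d9e4a47a71    10.214.226.233     /v1/key/delete/minio-key-3        5ns
00:55:48    200       1a9eaa1b05d9e4a47a71    10.214.226.233     /v1/key/create/minio-key-3        12ns
00:56:13    200       1a9eaa1b05d9e4a47a71    10.214.226.233     /v1/key/delete/minio-key-3        6ns
"""

def parse_log(text):
    """Split each audit line into its six whitespace-separated columns; skip the header."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 6 or cols[0] == "Time":
            continue
        time, status, identity, ip, api, latency = cols
        entries.append({"time": time, "status": int(status), "identity": identity,
                        "ip": ip, "api": api, "latency": latency})
    return entries

def allowed_by(policy, api):
    """Match an API path against the policy's allow patterns.
    Assumption: `*` matches any run of characters except `/`, as in Go's path.Match."""
    for pattern in policy:
        regex = "^" + re.escape(pattern).replace(r"\*", "[^/]*") + "$"
        if re.match(regex, api):
            return True
    return False

def review(text):
    """Return (findings, per_identity_counts): findings are successful calls the
    `minio` policy would have denied, i.e. calls that relied on a broader identity."""
    findings, per_identity = [], Counter()
    for e in parse_log(text):
        per_identity[e["identity"]] += 1
        if e["status"] == 200 and not allowed_by(MINIO_POLICY_ALLOW, e["api"]):
            findings.append((e["time"], e["identity"], e["api"]))
    return findings, per_identity
```

Feeding the full `kes log -k` stream into `review` gives a quick view of which identities are exercising rights beyond the scoped `minio` policy, which is the activity worth alerting on when the admin API key is in circulation.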