How to deploy kes tenant via UI - cniackz/public GitHub Wiki

Tested:

  • Wed Jan 25, 2023 @ 2:11 pm Toronto Time
  • Wed Feb 08, 2023 @ 4:00 pm Toronto Time
  • Thu Mar 09, 2023 @ 2:38 pm Toronto Time
  • Tue Mar 14, 2023 @ 7:52 pm Toronto Time
  • Thu Mar 23, 2023 @ 4:31 pm Toronto Time
  • Thu Mar 30, 2023 @ 2:16 pm Toronto Time FAILED: https://github.com/minio/operator/issues/1538

Objective:

To deploy a KES Tenant via the Operator UI, with the tenant's KMS backed by a Vault server running inside the cluster. The Vault used here is the dev-mode deployment from the operator examples: its root token is read from the pod log and the endpoint is plain HTTP, so this is a test setup, not a production one.

Steps:

  • Window 1:
# createcluster and installoperator appear to be helper functions from the author's own shell setup
# (they are not kubectl subcommands); substitute your own cluster bring-up and operator install.
createcluster
# Dev-mode Vault from the operator examples; its root token is printed to the pod log (used in Window 2).
kubectl apply -f ~/operator/examples/vault/deployment.yaml
kubectl wait --namespace default --for=condition=ready pod --selector=app=vault --timeout=120s
echo " "
echo " "
echo " "
installoperator
echo " "
echo " "
echo " "
  • Window 2:

# Resolve the Vault pod name once instead of repeating the lookup in every command.
VAULT_POD=$(kubectl get pods -l app=vault -o jsonpath='{.items[0].metadata.name}')

# The example deployment runs Vault in dev mode, which prints the root token to the pod log.
VAULT_ROOT_TOKEN=$(kubectl logs -l app=vault | grep "Root Token: " | sed -e "s/Root Token: //g")

kubectl exec "$VAULT_POD" -- sh -c "VAULT_TOKEN=$VAULT_ROOT_TOKEN VAULT_ADDR=http://127.0.0.1:8200 vault auth enable approle"

kubectl exec "$VAULT_POD" -- sh -c "VAULT_TOKEN=$VAULT_ROOT_TOKEN VAULT_ADDR=http://127.0.0.1:8200 vault secrets enable kv"

kubectl cp ~/operator/examples/vault/kes-policy.hcl "$VAULT_POD":/kes-policy.hcl

kubectl exec "$VAULT_POD" -- sh -c "VAULT_TOKEN=$VAULT_ROOT_TOKEN VAULT_ADDR=http://127.0.0.1:8200 vault policy write kes-policy /kes-policy.hcl"

# period=5m makes the KES token periodic (KES keeps renewing it); token_num_uses=0 and
# secret_id_num_uses=0 mean unlimited uses, which a long-running service needs.
kubectl exec "$VAULT_POD" -- sh -c "VAULT_TOKEN=$VAULT_ROOT_TOKEN VAULT_ADDR=http://127.0.0.1:8200 vault write auth/approle/role/kes-role token_num_uses=0 secret_id_num_uses=0 period=5m policies=kes-policy"

# -field prints only the value, so no grep/sed on the column padding of the table output is needed.
ROLE_ID=$(kubectl exec "$VAULT_POD" -- sh -c "VAULT_TOKEN=$VAULT_ROOT_TOKEN VAULT_ADDR=http://127.0.0.1:8200 vault read -field=role_id auth/approle/role/kes-role/role-id")

SECRET_ID=$(kubectl exec "$VAULT_POD" -- sh -c "VAULT_TOKEN=$VAULT_ROOT_TOKEN VAULT_ADDR=http://127.0.0.1:8200 vault write -f -field=secret_id auth/approle/role/kes-role/secret-id")

echo " "
echo " "
echo "ROLE_ID = ${ROLE_ID}"
echo "SECRET_ID = ${SECRET_ID}"
  • Create the tenant:

Tenant Name: kes-tenant
Tenant Namespace: default

Audit Log OFF
Monitoring OFF

KMS: Vault
Endpoint: http://vault.default.svc.cluster.local:8200 (the in-cluster Service of the Vault deployment; plain HTTP, matching the dev-mode server)
Prefix: my-minio

App Role ID <---- echo $ROLE_ID (printed in Window 2)
App Role Secret <---- echo $SECRET_ID (printed in Window 2)

Image: minio/kes:v0.17.6
Replicas: 1

Run As User: 1000
Run As Group: 1000
FsGroup: 1000

Do not run as root: enabled
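The Window 2 step above as one script, added here as an example and not code from the wiki page or the MinIO Operator repository. It assumes the page's setup (dev-mode Vault pod labelled app=vault in the default namespace, kes-policy.hcl under ~/operator/examples/vault/) and adds what the interactive version lacks: it refuses to continue when the extracted role_id or secret_id is empty or garbled, and it logs in with the AppRole pair once so a bad credential is caught before it is pasted into the UI. The helper names (root_token_from_log, is_uuid, login_has_policy, vpod, bootstrap) and the RUN_BOOTSTRAP switch are this example's own.

```shell
#!/bin/sh
# Added example, not from the wiki page or the operator repo. Assumes the page's
# dev-mode Vault pod (label app=vault, namespace default) and the example policy file.
set -e

ROLE_NAME="${ROLE_NAME:-kes-role}"
POLICY_NAME="${POLICY_NAME:-kes-policy}"

# Dev-mode Vault prints "Root Token: <token>" in its log; return the first one found.
root_token_from_log() {
    sed -n 's/^.*Root Token: //p' | head -n 1
}

# role_id and secret_id are UUIDs. An empty or error string (which a grep|sed
# pipeline would silently pass through) must not reach the UI form.
is_uuid() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# stdin = JSON from `vault write -format=json auth/approle/login`; $1 = policy name.
# Succeeds when the issued token carries that policy.
login_has_policy() {
    grep -q "\"$1\""
}

# Run a vault CLI command inside the pod, authenticated with the dev root token.
vpod() {
    kubectl exec "$VAULT_POD" -- sh -c \
        "VAULT_TOKEN=$VAULT_ROOT_TOKEN VAULT_ADDR=http://127.0.0.1:8200 vault $*"
}

bootstrap() {
    VAULT_POD=$(kubectl get pods -l app=vault -o jsonpath='{.items[0].metadata.name}')
    VAULT_ROOT_TOKEN=$(kubectl logs "$VAULT_POD" | root_token_from_log)
    [ -n "$VAULT_ROOT_TOKEN" ] || { echo "no root token in vault log" >&2; return 1; }

    vpod auth enable approle
    vpod secrets enable kv
    kubectl cp "$HOME/operator/examples/vault/kes-policy.hcl" "$VAULT_POD:/kes-policy.hcl"
    vpod policy write "$POLICY_NAME" /kes-policy.hcl
    # period=5m: KES renews a periodic token; *_num_uses=0 means unlimited uses,
    # which a long-running service needs. These are not hardening knobs.
    vpod write "auth/approle/role/$ROLE_NAME" token_num_uses=0 secret_id_num_uses=0 \
        period=5m "policies=$POLICY_NAME"

    ROLE_ID=$(vpod read -field=role_id "auth/approle/role/$ROLE_NAME/role-id")
    SECRET_ID=$(vpod write -f -field=secret_id "auth/approle/role/$ROLE_NAME/secret-id")
    is_uuid "$ROLE_ID" || { echo "bad role_id: '$ROLE_ID'" >&2; return 1; }
    is_uuid "$SECRET_ID" || { echo "bad secret_id" >&2; return 1; }

    # Log in once with the pair. Because secret_id_num_uses=0 this does not consume
    # the secret_id; with a use-limited secret_id this check would burn a use.
    vpod write -format=json auth/approle/login "role_id=$ROLE_ID" "secret_id=$SECRET_ID" |
        login_has_policy "$POLICY_NAME" ||
        { echo "AppRole login did not yield policy $POLICY_NAME" >&2; return 1; }

    echo "ROLE_ID = $ROLE_ID"
    echo "SECRET_ID = $SECRET_ID"
}

# Run only when asked, so the helpers can be sourced or tested on their own.
if [ "${RUN_BOOTSTRAP:-0}" = "1" ]; then
    bootstrap
fi
```

Run it with RUN_BOOTSTRAP=1 ./bootstrap.sh after Window 1 has finished; the two values it prints go into the App Role ID and App Role Secret fields of the tenant form.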