How to import key in KES - cniackz/public GitHub Wiki

Objective:

To import key in KES

Steps:

  1. Deploy Operator/Tenant with KES (Encryption) enabled, you can follow this wiki: https://github.com/cniackz/public/wiki/How-to-deploy-kes-tenant-via-UI

  2. Then update the KES image to the latest available

  3. Also update the KES config for that new version:

```yaml
address: 0.0.0.0:7373
admin:
  identity: ${MINIO_KES_IDENTITY}
tls:
  key: /tmp/kes/server.key
  cert: /tmp/kes/server.crt
cache:
  expiry:
    any: 5m0s
    unused: 20s
log:
  error: "on"
  audit: "off"
keystore:
  vault:
    endpoint: http://vault.default.svc.cluster.local:8200
    prefix: my-minio
    approle:
      id: 31e1d904-5fe2-1a6d-7ede-a65d04e93ea8
      secret: 76506dd8-9f03-b757-2f81-4b2e60abc64e
    status: {}
```
  4. Then deploy an Ubuntu pod and import the key from it:

```sh
curl -v -sSL -k --tlsv1.3 \
    --key client.key \
    --cert client.crt \
    --data '{"bytes":"1Xrfm4XjvL7MIdv9/H48uso5G0qZBNRJcy5iBqzQhG4="}' \
    -X POST 'https://10.244.1.9:7373/v1/key/import/some-key-name-8'
```
  5. List the key in Vault:

```sh
export VAULT_TOKEN=hvs.Qpm6j4T9CWKJQVDlTud7PsFm
export VAULT_ADDR="http://127.0.0.1:8200"
vault kv get kv/my-minio/some-key-name-8
```

You should get the imported key back:

```
/ # vault kv get kv/my-minio/some-key-name-8
========= Data =========
Key                Value
---                -----
some-key-name-8    {"version":"v1","bytes":"1Xrfm4XjvL7MIdv9/H48uso5G0qZBNRJcy5iBqzQhG4=","created_at":"2023-03-14T23:42:00.729167884Z","created_by":"0395d273b16e28073c8004fc195d2411928e80e1d6aea65a50fe36094169c2c4"}
```
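The same import and check, as an added example that is not part of the wiki page or of KES/MinIO itself. It does three things the curl one-liner above leaves implicit: it validates that the key material really is 32 bytes before sending it, it verifies the KES server certificate against a CA bundle instead of skipping verification with `-k`, and it parses the JSON value Vault stores so you can confirm the stored bytes are the ones you imported. The host, port, CA bundle path and key name passed via environment variables are assumptions; the import path `/v1/key/import/<name>`, the `{"bytes": ...}` body and the sample Vault value come from the page.

```python
"""Import a key into KES over mutual TLS and check the copy Vault stores.

Added example, not from the wiki. Assumes KES listens on KES_HOST:KES_PORT,
that its server certificate chains to the CA bundle in KES_CA, and that
client.crt / client.key are the MinIO tenant's client pair (from the
kes-tenant-client-tls secret) copied into the current directory.
"""
import base64
import http.client
import json
import os
import secrets
import ssl

KEY_LEN = 32  # KES keys are 256-bit, so the import body must carry exactly 32 bytes


def new_key_b64() -> str:
    """Generate a fresh 256-bit key from the OS CSPRNG, base64-encoded as the import API expects."""
    return base64.b64encode(secrets.token_bytes(KEY_LEN)).decode()


def build_import_payload(key_b64: str) -> str:
    """Validate the key material and build the JSON body for POST /v1/key/import/<name>."""
    raw = base64.b64decode(key_b64, validate=True)  # raises ValueError on bad base64
    if len(raw) != KEY_LEN:
        raise ValueError(f"key must be {KEY_LEN} bytes, got {len(raw)}")
    return json.dumps({"bytes": key_b64})


def tls_context(ca_file: str, client_cert: str, client_key: str) -> ssl.SSLContext:
    """Mutual-TLS context: verify KES against the CA (instead of curl -k), present the client cert, TLS 1.3 only."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def import_key(host: str, port: int, name: str, key_b64: str,
               ca_file: str, client_cert: str, client_key: str) -> int:
    """POST the key to KES under <name>; returns the HTTP status code (200 on success)."""
    conn = http.client.HTTPSConnection(host, port, context=tls_context(ca_file, client_cert, client_key), timeout=10)
    try:
        conn.request("POST", f"/v1/key/import/{name}", body=build_import_payload(key_b64),
                     headers={"Content-Type": "application/json"})
        return conn.getresponse().status
    finally:
        conn.close()


def verify_vault_entry(vault_value: str, expected_b64: str) -> dict:
    """Parse the JSON that KES stores under kv/<prefix>/<name> in Vault and compare it to the imported key.

    created_by is the KES identity of the client that performed the import, useful for an audit trail.
    """
    entry = json.loads(vault_value)
    stored = base64.b64decode(entry["bytes"])
    expected = base64.b64decode(expected_b64)
    return {
        "matches": secrets.compare_digest(stored, expected),  # constant-time comparison
        "version": entry.get("version", ""),
        "created_by": entry.get("created_by", ""),
    }


# Constructed sample: the value the wiki shows `vault kv get` returning for some-key-name-8.
SAMPLE_VAULT_VALUE = ('{"version":"v1","bytes":"1Xrfm4XjvL7MIdv9/H48uso5G0qZBNRJcy5iBqzQhG4=",'
                      '"created_at":"2023-03-14T23:42:00.729167884Z",'
                      '"created_by":"0395d273b16e28073c8004fc195d2411928e80e1d6aea65a50fe36094169c2c4"}')

if __name__ == "__main__":
    key = new_key_b64()
    print("import body:", build_import_payload(key))
    # Only contact a real KES when its location is given, e.g.
    #   KES_HOST=10.244.1.9 KES_PORT=7373 KES_CA=CAs/ca.crt KES_KEY_NAME=some-key-name-9 python3 kes_import.py
    if os.environ.get("KES_HOST"):
        status = import_key(os.environ["KES_HOST"], int(os.environ.get("KES_PORT", "7373")),
                            os.environ.get("KES_KEY_NAME", "imported-key-example"), key,
                            os.environ["KES_CA"], "client.crt", "client.key")
        print("import status:", status)
    # Offline check against the page's sample Vault entry
    print(verify_vault_entry(SAMPLE_VAULT_VALUE, "1Xrfm4XjvL7MIdv9/H48uso5G0qZBNRJcy5iBqzQhG4="))
```

After the import, paste the `Value` column from `vault kv get` into `verify_vault_entry` together with the base64 key you sent; a `matches` of `False` means Vault holds something other than what you imported (wrong prefix, a pre-existing key with the same name, or a mangled payload).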

Additional info:

The kv secrets engine that holds the keys was enabled on Vault with:

```sh
kubectl exec $(kubectl get pods -l app=vault | grep -v NAME | awk '{print $1}') -- sh -c 'VAULT_TOKEN='$VAULT_ROOT_TOKEN' VAULT_ADDR="http://127.0.0.1:8200" vault secrets enable kv'
```

```
Success! Enabled the kv secrets engine at: kv/
```

  • The `my-minio` segment of the Vault path presumably comes from the `prefix: my-minio` setting in the KES keystore config.

Certs in the kes-tenant-client-tls Secret:

```sh
cd /tmp/certs
ls
```

```
CAs  client.crt  client.key  private.key  public.crt
```

client.crt and client.key are inside the MinIO pod; copy both into the Ubuntu pod so it can communicate with KES.