How to reach KES Server from Ubuntu Pod when MinIO Pods are down - cniackz/public GitHub Wiki
- It is for https://subnet.min.io/issues/2792
- Follow the steps from https://github.com/cniackz/public/wiki/How-to-deploy-kes-tenant-via-UI
- Deploy an Ubuntu Pod: https://downey.io/notes/dev/ubuntu-sleep-pod-yaml/
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu
  labels:
    app: ubuntu
spec:
  containers:
  - image: ubuntu
    command:
      - "sleep"
      - "604800"
    imagePullPolicy: IfNotPresent
    name: ubuntu
  restartPolicy: Always
EOF
- Create the two files with the commands below (jq -r prints the raw value, so the quotes do not need to be stripped):
oc get secrets kes-tenant-tls -o json | jq -r '.data."private.key"' | base64 --decode > private.key
oc get secrets kes-tenant-tls -o json | jq -r '.data."public.crt"' | base64 --decode > public.crt
- Put the private.key and public.crt files inside the Ubuntu pod. Then you can post to KES:
curl -sSL -k --tlsv1.3 \
--key private.key \
--cert public.crt \
--data '{"bytes":"1Xrfm4XjvL7MIdv9/H48uso5G0qZBNRJcy5iBqzQhG4="}' \
-X POST 'https://<IP-OR-DOMAIN-OF-KES-SERVER>:7373/v1/key/import/somekey'
Additional info:
- MinIO can contact the KES pod because inside /tmp/certs we have private.key and public.crt, which come from the kes-tenant-tls Secret and are used for that communication.
bash-4.4$ cd /tmp/certs
bash-4.4$ ls
CAs  client.crt  client.key  private.key  public.crt
(client.crt and client.key are also inside the MinIO Pod; which Secret they come from is an open question in these notes.)
bash-4.4$ cat private.key    # <-- this is the private key from the kes-tenant-tls Secret
[PEM private key omitted]
bash-4.4$ curl -sSL -k --tlsv1.3 \
> --key private.key \
> --cert public.crt \
> --data '{"bytes":"1Xrfm4XjvL7MIdv9/H48uso5G0qZBNRJcy5iBqzQhG4="}' \
> -X POST 'https://10.244.4.3:7373/v1/key/import/somekey'
{"message":"prohibited by policy"}
bash-4.4$
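The same request as a small Python script, added here as an example (it is not from the wiki nor from MinIO/KES): it decodes the Secret the way the jq pipeline does, posts the key over mutual TLS 1.3 with the tenant's client certificate, and interprets the reply. KES identifies the caller by that client certificate and checks the request path against the policy bound to that identity; the policy the Operator creates for the tenant identity typically covers only the key operations MinIO itself needs, which is why /v1/key/import/somekey comes back as "prohibited by policy". The KES host placeholder and the file names are assumptions.

```python
import base64
import json
import os
import ssl
import urllib.error
import urllib.request

def tls_from_secret(secret_json: str) -> tuple[bytes, bytes]:
    """Decode private.key and public.crt from a Secret dumped with -o json
    (what the jq | base64 --decode pipeline on this page does)."""
    data = json.loads(secret_json)["data"]
    return base64.b64decode(data["private.key"]), base64.b64decode(data["public.crt"])

def new_key_material() -> str:
    """32 random bytes, base64-encoded: the shape of the 'bytes' field in the curl above."""
    return base64.b64encode(os.urandom(32)).decode()

def import_key(kes_url: str, name: str, key_b64: str, cert_file: str, key_file: str):
    """POST /v1/key/import/<name> over mutual TLS 1.3. Like curl -k this skips server
    certificate verification; outside a one-off debug session load the KES CA instead."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)  # the identity KES sees
    req = urllib.request.Request(f"{kes_url}/v1/key/import/{name}", method="POST",
                                 data=json.dumps({"bytes": key_b64}).encode(),
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def explain(status: int, body: str) -> str:
    # Map a KES reply to what it means for the caller.
    try:
        message = json.loads(body).get("message", "")
    except ValueError:
        message = body
    if 200 <= status < 300:
        return "imported"
    if message == "prohibited by policy":
        return "identity accepted, but its policy does not cover this API path"
    return f"rejected ({status}): {message}"

if __name__ == "__main__":
    # Assumed: the two files were copied into the pod and this host is the KES service.
    status, body = import_key("https://<IP-OR-DOMAIN-OF-KES-SERVER>:7373", "somekey",
                              new_key_material(), "public.crt", "private.key")
    print(status, explain(status, body))
```

Copy the two files into the pod (for example with kubectl cp) before running it there.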