How to reach KES Server from Ubuntu Pod when MinIO Pods are down - cniackz/public GitHub Wiki

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu
  labels:
    app: ubuntu
spec:
  containers:
  - image: ubuntu
    command:
      - "sleep"
      - "604800"
    imagePullPolicy: IfNotPresent
    name: ubuntu
  restartPolicy: Always
EOF
  • Create the two files with the commands below (the private key and certificate stored in the kes-tenant-tls Secret):
oc get secrets kes-tenant-tls -o json | jq -r '.data."private.key"' | base64 --decode > private.key
oc get secrets kes-tenant-tls -o json | jq -r '.data."public.crt"' | base64 --decode > public.crt
  • Put the private.key and public.crt files inside the Ubuntu pod.

  • Then you can POST to KES, authenticating with that key and certificate as the client identity:

curl -sSL -k --tlsv1.3 \
    --key private.key \
    --cert public.crt \
    --data '{"bytes":"1Xrfm4XjvL7MIdv9/H48uso5G0qZBNRJcy5iBqzQhG4="}' \
    -X POST 'https://<IP-OR-DOMAIN-OF-KES-SERVER>:7373/v1/key/import/somekey'

Additional info:

  • MinIO can contact the KES pod because /tmp/certs inside the MinIO pod contains private.key and public.crt, which come from the kes-tenant-tls Secret and are used as the client key and certificate for that communication.
cd /tmp/certs

bash-4.4$ ls
CAs  client.crt  client.key  private.key  public.crt
                                 |           |
                                 |           |_________ This is inside MinIO Pod, what is the secret?
                                 |
                                 |_____________________ This is inside MinIO Pod, what is the secret?


bash-4.4$ cat private.key <----------------------------------------------------- kes-tenant-tls Secret
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgraP/W1dgrHTXtzA8
y3PB6NOvcjSyV+S47hWt+igcwW2hRANCAAQiDBtBf/phG4FqiFrgJZJ17J93GQ4H
y3x+RmUeWw2m5AljO30oUg9yrQDGcskerE9PbBDMcRbenh7/xkyAVUru
-----END PRIVATE KEY-----


bash-4.4$ curl -sSL -k --tlsv1.3 \
>     --key private.key \
>     --cert public.crt \
>     --data '{"bytes":"1Xrfm4XjvL7MIdv9/H48uso5G0qZBNRJcy5iBqzQhG4="}' \
>     -X POST 'https://10.244.4.3:7373/v1/key/import/somekey'
{"message":"prohibited by policy"}bash-4.4$