KES - cniackz/public GitHub Wiki

Objective:

General KES information to expand our knowledge.

Using CA-issued certificates for the KES pods:

Conceptually, if you want to use CA-issued certificates for the KES pods, your CA needs to issue a certificate valid for the SAN names under which the KES pods are reachable, i.e. *.kes-tenant-kes-hl-svc.default.svc.cluster.local. The namespace part of this name depends on the namespace of your tenant.

This certificate should be stored as a K8S secret and mounted on the KES pods.

In the KES config file you can specify where the KES pod will look for its certificate. Ref: https://github.com/minio/kes/blob/master/server-config.yaml#L19-L21
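As an added example (not from this wiki or from the KES project), the SAN requirement above in Go, the language KES is written in: a constructed, throwaway CA issues a certificate whose only SAN is the service wildcard, and ValidFor performs the check a TLS client makes when it dials a pod, so a pod hostname in a different namespace is rejected. The CA name, serial numbers, validity window and the tenant-a namespace are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func mustParse(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// KESChain builds a constructed (throwaway) CA and a KES server cert whose only SAN is the service wildcard.
func KESChain(namespace string) (ca, kes *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	kesPub, _, _ := ed25519.GenerateKey(rand.Reader) // the pod's private key plays no part in this check
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca = mustParse(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)) // self-signed root
	kes = mustParse(x509.CreateCertificate(rand.Reader, &x509.Certificate{
		SerialNumber: big.NewInt(2), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames: []string{"*.kes-tenant-kes-hl-svc." + namespace + ".svc.cluster.local"},
	}, ca, kesPub, caKey))
	return ca, kes
}

// ValidFor is the check a TLS client makes on connect: the cert must chain to the trusted CA and cover host.
func ValidFor(ca, kes *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := kes.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func main() {
	ca, kes := KESChain("default")
	fmt.Println(ValidFor(ca, kes, "kes-tenant-kes-0.kes-tenant-kes-hl-svc.default.svc.cluster.local"))  // true
	fmt.Println(ValidFor(ca, kes, "kes-tenant-kes-0.kes-tenant-kes-hl-svc.tenant-a.svc.cluster.local")) // false
}
```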

  • Do we need to import any Vault certs into the KES configuration?
Yes, since KES has to talk to Vault, it needs to be able to verify the Vault server certificate.
  • What kind of certs do we need to get from the Vault team?
Usually the CA certificate that issued the certificate for HashiCorp Vault.

SANs list for KES server

  • kes-tenant-kes-hl-svc: the KES Service; communication with KES goes over port 7373/TCP
*.<service-name>.<namespace>.svc.cluster.local
*.kes-tenant-kes-hl-svc.default.svc.cluster.local
           |               |
           |               |___ Namespace
           |___ Service