KES cert manager example - cniackz/public GitHub Wiki

Tested:

  • Fri Jan 27, 2023 @ 1:27 pm Toronto Time

Objective:

Use cert-manager for KES

Inspired from:

Steps:

  1. Create a cluster
# `createcluster` is not defined on this page; presumably a local helper that
# brings up the Kubernetes cluster used below - confirm in your own shell setup.
createcluster
  1. Install Operator
# `installoperator` is likewise not defined here; presumably installs the MinIO
# Operator whose examples are referenced under ~/operator below - confirm.
installoperator
  1. Install cert-manager
# Install cert-manager from its pinned v1.11.0 release manifest. The version is
# fixed on purpose so the procedure stays reproducible; bump it deliberately.
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.yaml
  1. Wait a while, then deploy the tenant from the added example:
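# Wait for cert-manager to actually be serving instead of sleeping a fixed
# two minutes: a slow pull leaves the tenant apply racing an unready webhook,
# a fast one wastes time. The cert-manager release manifest deploys into the
# `cert-manager` namespace; 180s is an upper bound, the wait returns as soon
# as every deployment there reports Available.
kubectl wait --namespace cert-manager --for=condition=Available deployment --all --timeout=180s
# Deploy the tenant example (presumably relies on cert-manager resources, hence the wait above).
kubectl apply -k ~/operator/examples/kustomization/tenant-certmanager-kes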
  1. Wait for vault to be ready:
# Block (up to 120s) until the Vault pod is Ready: the next step reads its log
# for the root token and execs `vault` inside it, both of which need a live pod.
kubectl wait --namespace tenant-certmanager --for=condition=ready pod --selector=app=vault --timeout=120s
  1. Configure Vault:

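# Namespace and Vault pod name, resolved once instead of re-listing pods for
# every command (the original ran `kubectl get pods | grep -v NAME | awk` per call).
VAULT_NS=tenant-certmanager
VAULT_POD=$(kubectl get pods -l app=vault -n "$VAULT_NS" -o jsonpath='{.items[0].metadata.name}')
: "${VAULT_POD:?no pod with label app=vault found in namespace $VAULT_NS}"

# The Vault pod prints its root token in its log ("Root Token: ..."); take the
# first match. This is a dev-style setup: the root token is the master credential
# for this Vault and is used for every configuration call below.
VAULT_ROOT_TOKEN=$(kubectl logs -l app=vault -n "$VAULT_NS" | sed -n 's/^Root Token: //p' | head -n 1)
: "${VAULT_ROOT_TOKEN:?could not read the root token from the vault pod log}"

#######################################
# Run `vault <args...>` inside the Vault pod.
# Globals:   VAULT_ROOT_TOKEN, VAULT_POD, VAULT_NS (read)
# Arguments: vault sub-command and its arguments
# Outputs:   whatever vault prints, on stdout
# Returns:   exit status of kubectl exec / vault
# The root token is delivered over stdin rather than on the exec command line,
# so it does not appear in the API-server record of the exec request, in local
# shell history, or in `ps` output, all of which the original
# `sh -c 'VAULT_TOKEN='$VAULT_ROOT_TOKEN' ...'` form exposed it to.
#######################################
vault_exec() {
  printf '%s\n' "$VAULT_ROOT_TOKEN" | kubectl exec -i "$VAULT_POD" -n "$VAULT_NS" -- \
    sh -c 'IFS= read -r VAULT_TOKEN; export VAULT_TOKEN VAULT_ADDR="http://127.0.0.1:8200"; exec vault "$@"' sh "$@"
}

vault_exec auth enable approle
vault_exec secrets enable kv

# Copy the KES policy into the pod and register it under the name kes-policy.
kubectl cp ~/operator/examples/vault/kes-policy.hcl "${VAULT_POD}:/kes-policy.hcl" -n "$VAULT_NS"
vault_exec policy write kes-policy /kes-policy.hcl

# AppRole for KES: unlimited token / secret-id uses, 5m periodic tokens, kes-policy attached.
vault_exec write auth/approle/role/kes-role token_num_uses=0 secret_id_num_uses=0 period=5m policies=kes-policy

# -field prints only the requested value, replacing the whitespace-sensitive
# grep/sed scraping of vault's table output.
ROLE_ID=$(vault_exec read -field=role_id auth/approle/role/kes-role/role-id)
SECRET_ID=$(vault_exec write -f -field=secret_id auth/approle/role/kes-role/secret-id)

printf '\nROLE_ID = %s\n' "$ROLE_ID"
# The secret ID is a credential; confirm it was issued without echoing it to the
# terminal (and any CI/session log capturing it). It is consumed via $SECRET_ID.
if [[ -n "$SECRET_ID" ]]; then
  printf 'SECRET_ID = (issued, %d characters; not printed)\n' "${#SECRET_ID}"
else
  printf 'SECRET_ID is empty - check the steps above\n' >&2
fi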
  1. Set the configuration and make sure proper approle is configured:
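# Render the KES configuration Secret with a here-document instead of a double-
# quoted `echo "..."`: inside the echo string the YAML's own `"on"` / `"off"`
# quotes terminated the shell string, so the file ended up with bare `on`/`off`
# (YAML 1.1 booleans) rather than the intended strings. The unquoted EOF delimiter
# still substitutes ${ROLE_ID} / ${SECRET_ID} now, while `\${MINIO_KES_IDENTITY}`
# is written as a literal `${MINIO_KES_IDENTITY}` for KES to expand at runtime.
# The file holds the AppRole secret ID in clear text, hence umask 077 (owner-only)
# in a subshell so the caller's umask is untouched. `immutable: true` means later
# changes need the Secret deleted and recreated, not edited in place.
(
  umask 077
  cat > kes-configuration.yaml <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: storage-certmanager-secret-kes-configuration
  namespace: tenant-certmanager
  labels:
    v1.min.io/tenant: storage-certmanager
  managedFields:
    - manager: console
      operation: Update
      apiVersion: v1
      time: '2022-11-29T14:29:22Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          .: {}
          f:server-config.yaml: {}
        f:immutable: {}
        f:metadata:
          f:labels:
            .: {}
            f:v1.min.io/tenant: {}
        f:type: {}
  selfLink: /api/v1/namespaces/tenant-certmanager/secrets/storage-certmanager-secret-kes-configuration
immutable: true
type: Opaque
stringData:
  server-config.yaml: |-
    address: 0.0.0.0:7373
    root: disabled
    tls:
      key: /tmp/kes/server.key
      cert: /tmp/kes/server.crt
    policy:
      default-policy:
        paths:
        - /v1/key/create/my-minio-key
        - /v1/key/generate/my-minio-key
        - /v1/key/decrypt/my-minio-key
        identities:
        - \${MINIO_KES_IDENTITY}
    cache:
      expiry:
        any: 5m0s
        unused: 20s
    log:
      error: "on"
      audit: "off"
    keys:
      vault:
        endpoint: http://vault.tenant-certmanager.svc.cluster.local:8200
        prefix: my-minio
        approle:
          id: ${ROLE_ID}
          secret: ${SECRET_ID}
        status: {}
EOF
)
kubectl apply -f kes-configuration.yaml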
  1. Verify that encryption works, using an Ubuntu pod in the cluster to check it:
# Previous steps on the pod:
apt update
apt install vim
apt install wget
wget https://dl.min.io/client/mc/release/linux-amd64/mc
root@ubuntu:/# chmod +x mc
root@ubuntu:/# mv mc /usr/local/bin/mc
root@ubuntu:/# mc alias set myminio https://minio.tenant-certmanager.svc.cluster.local minio minio123
mc: Configuration written to `/root/.mc/config.json`. Please update your access credentials.
mc: Successfully created `/root/.mc/share`.
mc: Initialized share uploads `/root/.mc/share/uploads.json` file.
mc: Initialized share downloads `/root/.mc/share/downloads.json` file.
Fingerprint of myminio public key: 061e0661adbc70b7a79b3cf1817d2c4d16e91acf4f0de17b31561bf82ab47698
Confirm public key y/N: y
Added `myminio` successfully.
root@ubuntu:/# mc mb myminio/testing
Bucket created successfully `myminio/testing`.
root@ubuntu:/# mc encrypt set sse-s3 myminio/testing/
Auto encryption configuration has been set successfully for myminio/testing/
root@ubuntu:/# mc encrypt info myminio/testing
Auto encryption 'sse-s3' is enabled