KES certificate added via UI - cniackz/public GitHub Wiki

Steps:

• Window 1:

createcluster
kubectl apply -f ~/operator/examples/vault/deployment.yaml
kubectl wait --namespace default --for=condition=ready pod --selector=app=vault --timeout=120s
echo " "
echo " "
echo " "
installoperator
echo " "
echo " "
echo " "

• Window 2:

VAULT_ROOT_TOKEN=$(kubectl logs -l app=vault | grep "Root Token: " | sed -e "s/Root Token: //g");

kubectl exec $(kubectl get pods -l app=vault  | grep -v NAME | awk '{print $1}') -- sh -c 'VAULT_TOKEN='$VAULT_ROOT_TOKEN' VAULT_ADDR="http://127.0.0.1:8200" vault auth enable approle'

kubectl exec $(kubectl get pods -l app=vault  | grep -v NAME | awk '{print $1}') -- sh -c 'VAULT_TOKEN='$VAULT_ROOT_TOKEN' VAULT_ADDR="http://127.0.0.1:8200" vault secrets enable kv'

kubectl cp ~/operator/examples/vault/kes-policy.hcl $(kubectl get pods -l app=vault  | grep -v NAME | awk '{print $1}'):/kes-policy.hcl

kubectl exec $(kubectl get pods -l app=vault  | grep -v NAME | awk '{print $1}') -- sh -c 'VAULT_TOKEN='$VAULT_ROOT_TOKEN' VAULT_ADDR="http://127.0.0.1:8200" vault policy write kes-policy /kes-policy.hcl'

kubectl exec $(kubectl get pods -l app=vault  | grep -v NAME | awk '{print $1}') -- sh -c 'VAULT_TOKEN='$VAULT_ROOT_TOKEN' VAULT_ADDR="http://127.0.0.1:8200" vault write auth/approle/role/kes-role token_num_uses=0 secret_id_num_uses=0 period=5m policies=kes-policy'

ROLE_ID=$(kubectl exec $(kubectl get pods -l app=vault  | grep -v NAME | awk '{print $1}') -- sh -c 'VAULT_TOKEN='$VAULT_ROOT_TOKEN' VAULT_ADDR="http://127.0.0.1:8200" vault read auth/approle/role/kes-role/role-id' | grep "role_id    " | sed -e "s/role_id    //g")

SECRET_ID=$(kubectl exec $(kubectl get pods -l app=vault  | grep -v NAME | awk '{print $1}') -- sh -c 'VAULT_TOKEN='$VAULT_ROOT_TOKEN' VAULT_ADDR="http://127.0.0.1:8200" vault write -f auth/approle/role/kes-role/secret-id' | grep "secret_id             " | sed -e "s/secret_id             //g")

echo " "
echo " "
echo " "
echo " "
echo "ROLE_ID = ${ROLE_ID}"
echo "SECRET_ID = ${SECRET_ID}"

• Create cert as in https://github.com/cniackz/public/wiki/Create-Cert-for-KES-manually-self-signed-cert and obtain public.crt and private.key then upload those options while creating the tenant

Tenant Name: kes-tenant
Tenant Namespace: default

Audit Log OFF
Monitoring OFF

KMS: Vault
Endpoint: http://vault.default.svc.cluster.local:8200
Prefix: my-minio

App Role ID <---- echo $ROLE_ID
App Role Secret <---- echo $SECRET_ID

Image: minio/kes:v0.17.6
Replicas: 1

Run As User* 1000
Run As Group* 1000
FsGroup* 1000

Do not run as root is true

  kes:
    externalCertSecret:
      name: kes-tenant-secret-kes-external-cert-0 <----------- De tal suerte que este es el que tiene el certificado que gener manual
      type: kubernetes.io/tls
    image: minio/kes:v0.17.6
    kesSecret:
      name: kes-tenant-secret-kes-configuration
    replicas: 1
    resources: {}
    securityContext:
      fsGroup: 1000
      fsGroupChangePolicy: Always
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
  log: