KES - minio/wiki GitHub Wiki
General KES information to expand our knowledge!
Conceptually, if you want to use CA-issued certificates for the KES pods, your CA needs to issue a certificate whose SAN entries cover the names under which the KES pods are reachable, e.g. *.kes-tenant-kes-hl-svc.default.svc.cluster.local (a wildcard SAN covers exactly one DNS label, i.e. the individual pod names, not the service name itself).
This name depends on the tenant name and the namespace of your tenant.
The certificate and its private key should be stored as a Kubernetes secret and mounted into the KES pods.
In the KES config file you specify where the KES server looks for its certificate and key. Ref: https://github.com/minio/kes/blob/master/server-config.yaml#L19-L21


- Do we need to import any Vault certs into KES configuration?
Yes, since KES has to talk to Vault it needs to be able to verify the Vault server certificate.
- What kind of certs do we need to get from Vault team?
Usually, the CA certificate that issued the certificate for HashiCorp Vault.
- kes-tenant-kes-hl-svc
The headless KES service through which MinIO reaches the KES pods; KES listens on port 7373/TCP.

The pod names follow the pattern *.<service-name>.<namespace>.svc.cluster.local, e.g.

    *.kes-tenant-kes-hl-svc.default.svc.cluster.local
      |                     |
      |                     |___ Namespace
      |___ Service
- The command they need to generate the KES identity with openssl (the hex-encoded SHA-256 of the DER-encoded public key of the MinIO client certificate, the same value the KES CLI's identity command prints):

      openssl x509 -pubkey -noout -in <certificate> | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | xxd -ps -c 32
- Is this because they have to re-configure KES for the new certificate they want to use on KES, right?
Yes, so they basically do everything the operator would do, by hand.
So they have to create all the secrets the KES pods need: TLS server certificate/private key, config file secret, Vault CA certificate, etc.
Then they have to create the KES pod spec and mount all secrets on the pod in the correct places.
One part here is that they have to insert the MinIO identity into the KES config file.
Since I doubt that they have the KES CLI installed, I crafted the openssl command for them.
OMG, KES API keys will make that so much easier xD