This document explains how to enable KES with MinIO Operator.
- MinIO Operator up and running as explained in the document here.
- Install
kubectl minioplugin. - KES requires a KMS backend in configuration. Currently KES supports AWS Secrets Manager and Hashicorp Vault as KMS backend for production.S Set up one of these as the KMS backend before setting up KES.
Use kubectl minio plugin to create the MinIO tenant with console and encryption enabled:
kubectl create ns tenant1-ns
kubectl create secret generic tenant1-secret --from-literal=accesskey=YOUR-ACCESS-KEY --from-literal=secretkey=YOUR-SECRET-KEY --namespace tenant1-ns
kubectl create -f https://raw.githubusercontent.com/minio/operator/master/examples/console-secret.yaml --namespace tenant1-ns
kubectl create -f https://raw.githubusercontent.com/minio/operator/master/examples/kes-secret.yaml --namespace tenant1-ns
kubectl minio tenant create --name tenant1 --secret tenant1-secret --servers 4 --volumes 16 --capacity 16Ti --namespace tenant1-ns --console-secret console-secret --kes-secret kes-config
KES Configuration is a part of Tenant yaml file. Check the sample file available here. The config offers below options
| Field | Description |
|---|---|
| spec.kes | Defines the KES configuration. Refer this |
| spec.kes.replicas | Number of KES pods to be created. |
| spec.kes.image | Defines the KES image. |
| spec.kes.kesSecret | Secret to specify KES Configuration. This is a mandatory field. |
| spec.kes.metadata | This allows a way to map metadata to the KES pods. Internally metadata is a struct type as explained here. |
A complete list of values is available here in the API reference.