
KES certificate added via UI

Cesar Celis Hernandez edited this page Jan 25, 2023 · 2 revisions

Steps:

  • Window 1:

```shell
# createcluster and installoperator are helper commands not defined on this page.
createcluster
kubectl apply -f ~/operator/examples/vault/deployment.yaml
kubectl wait --namespace default --for=condition=ready pod --selector=app=vault --timeout=120s
echo " "
echo " "
echo " "
installoperator
echo " "
echo " "
echo " "
```
  • Window 2:

```shell
# Look up the Vault pod once instead of repeating the lookup in every command.
VAULT_POD=$(kubectl get pods -l app=vault -o jsonpath='{.items[0].metadata.name}')

# The example Vault deployment runs in dev mode and prints its root token in the pod log.
VAULT_ROOT_TOKEN=$(kubectl logs -l app=vault | grep "Root Token: " | sed -e "s/Root Token: //g")

# Run a vault CLI command inside the pod, authenticated with the root token.
vault_exec() {
  kubectl exec "$VAULT_POD" -- sh -c "VAULT_TOKEN=$VAULT_ROOT_TOKEN VAULT_ADDR=http://127.0.0.1:8200 vault $*"
}

vault_exec auth enable approle
vault_exec secrets enable kv

# Policy that limits what KES may do in Vault.
kubectl cp ~/operator/examples/vault/kes-policy.hcl "$VAULT_POD":/kes-policy.hcl
vault_exec policy write kes-policy /kes-policy.hcl

# AppRole for KES: periodic (5m) tokens, no use limits on the token or the secret_id.
vault_exec write auth/approle/role/kes-role token_num_uses=0 secret_id_num_uses=0 period=5m policies=kes-policy

# -field prints only the value, which avoids the whitespace-sensitive grep/sed parsing of the table output.
ROLE_ID=$(vault_exec read -field=role_id auth/approle/role/kes-role/role-id)
SECRET_ID=$(vault_exec write -f -field=secret_id auth/approle/role/kes-role/secret-id)

echo " "
echo " "
echo " "
echo " "
echo "ROLE_ID = ${ROLE_ID}"
echo "SECRET_ID = ${SECRET_ID}"
```
Screenshot (2023-01-25, 3:43 PM): the Operator UI tenant creation form, filled in as follows.

Tenant Name: kes-tenant
Tenant Namespace: default

Audit Log: OFF
Monitoring: OFF

KMS: Vault
Endpoint: http://vault.default.svc.cluster.local:8200
Prefix: my-minio

App Role ID: the value of `$ROLE_ID` printed in Window 2
App Role Secret: the value of `$SECRET_ID` printed in Window 2

Image: minio/kes:v0.17.6
Replicas: 1

Run As User*: 1000
Run As Group*: 1000
FsGroup*: 1000

Do not run as root: true
Screenshot (2023-01-25, 2:41 PM): the `kes` section of the resulting tenant resource.

```yaml
  kes:
    externalCertSecret:
      name: kes-tenant-secret-kes-external-cert-0  # this is the secret holding the certificate I generated manually
      type: kubernetes.io/tls
    image: minio/kes:v0.17.6
    kesSecret:
      name: kes-tenant-secret-kes-configuration
    replicas: 1
    resources: {}
    securityContext:
      fsGroup: 1000
      fsGroupChangePolicy: Always
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
  log:
```
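Generating the certificate that goes into `kes.externalCertSecret` and checking it before it is applied, as an added example (not code from this wiki page or the MinIO operator). Everything not on the page is an assumption: the KES service DNS name used for the SAN, the 7-day expiry margin, and the helper names `make_kes_cert`, `check_kes_cert` and `tls_secret_manifest`; the secret name and type are the ones the tenant YAML shows.

```shell
#!/bin/sh
# Added example (not from this wiki page or the MinIO operator): build the TLS material that
# ends up in the tenant's kes.externalCertSecret by hand, and verify it before applying.
# Assumption: the KES service DNS name below is a placeholder for your tenant's KES service.
set -eu

# make_kes_cert DIR DNSNAME DAYS: self-signed cert + key with DNSNAME as the SAN, written to
# DIR/tls.crt and DIR/tls.key (the key names a kubernetes.io/tls Secret expects).
make_kes_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
    -keyout "$1/tls.key" -out "$1/tls.crt" \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# check_kes_cert CERT DNSNAME: returns 0 only if CERT carries DNSNAME as a SAN and will still
# be valid in 7 days (604800 s); otherwise MinIO cannot reach KES over TLS, or soon will not.
check_kes_cert() {
  openssl x509 -in "$1" -noout -text | grep -qE "DNS:$2(,|\$)" || return 1
  openssl x509 -in "$1" -noout -checkend 604800 >/dev/null || return 1
}

# tls_secret_manifest DIR NAME NAMESPACE: a Secret of the same type (kubernetes.io/tls) and
# name convention that the tenant YAML above references for the KES certificate.
tls_secret_manifest() {
  crt=$(base64 < "$1/tls.crt" | tr -d '\n')
  key=$(base64 < "$1/tls.key" | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $2
  namespace: $3
type: kubernetes.io/tls
data:
  tls.crt: $crt
  tls.key: $key
EOF
}

# Demo with a placeholder service name; apply the manifest with kubectl once it checks out.
KES_SVC="kes-tenant-kes-hl-svc.default.svc.cluster.local"   # assumed name, adjust to your tenant
WORK=$(mktemp -d)
make_kes_cert "$WORK" "$KES_SVC" 30
if ! check_kes_cert "$WORK/tls.crt" "$KES_SVC"; then echo "certificate check failed" >&2; exit 1; fi
tls_secret_manifest "$WORK" kes-tenant-secret-kes-external-cert-0 default > "$WORK/secret.yaml"
echo "certificate OK for $KES_SVC; manifest written to $WORK/secret.yaml"
```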