Update KMS readme with vault quick start guide #6747
Conversation
Codecov Report
@@ Coverage Diff @@
## master #6747 +/- ##
==========================================
+ Coverage 52.25% 52.97% +0.71%
==========================================
Files 269 269
Lines 42176 42986 +810
==========================================
+ Hits 22039 22771 +732
+ Misses 18199 18194 -5
- Partials 1938 2021 +83
We don't need a separate vault quick start guide; we should simply add it to the same documentation in the prerequisite section.
docs/kms/README.md
Outdated
vault auth enable approle # enable approle style auth | ||
vault secrets enable transit # enable transit secrets engine | ||
vault write -f transit/keys/my-minio-key #define a encryption key-ring for the transit path | ||
vault policy write minio-policy ~/code/src/github.com/minio/vaultpolicy.hcl #define a policy for AppRole to access transit path |
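Review bot: the comment on the `vault write -f transit/keys/my-minio-key` line reads "#define a encryption key-ring"; it should be "# define an encryption key-ring" (article fix, and a space after `#` like the other comments on these lines). The `vault policy write minio-policy ...vaultpolicy.hcl` line references a policy file whose contents never appear in the quick start, so a reader cannot reproduce the step; either inline the policy (the two transit paths the README says MinIO needs) or point at a file checked into docs/kms/ with a relative path rather than a developer-local absolute path.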
Should amend to a shorter path to the sample file (from the heredoc it implies pwd?)
docs/kms/README.md
Outdated
vault secrets enable transit # enable transit secrets engine | ||
vault write -f transit/keys/my-minio-key #define a encryption key-ring for the transit path | ||
vault policy write minio-policy ~/code/src/github.com/minio/vaultpolicy.hcl #define a policy for AppRole to access transit path | ||
vault write auth/approle/role/my-role token_num_uses=0 secret_id_num_uses=0 period=60s # period indicates it is renewable if tok renewed before the period is over |
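Review bot: the `vault write auth/approle/role/my-role token_num_uses=0 secret_id_num_uses=0 period=60s` line needs its settings spelled out in the comment, since they are security-relevant: `token_num_uses=0` and `secret_id_num_uses=0` mean unlimited uses (not zero), and `period=60s` makes the issued token periodic, so MinIO keeps access only as long as it renews the token within every 60 seconds. The line also never attaches the policy written one step earlier to the role (no `policies=minio-policy`), so as written the AppRole login would yield a token without the transit permissions the README says are required.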
"...if token is renewed..."
docs/kms/README.md
Outdated
@@ -14,6 +14,43 @@ Vault as Key Management System requires following to be configured in Vault | |||
- AppRole based authentication with read/update policy for transit backend. In particular, read and update policy | |||
are required for the generate data key endpoint and decrypt key endpoint. | |||
|
|||
Here is a sample quick start to configuring vault with a transit backend and Approle with correct policy |
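Review bot: the prerequisite text "read/update policy for transit backend. In particular, read and update policy are required for the generate data key endpoint and decrypt key endpoint" should name the capability per path rather than a blanket read/update: generating a data key and decrypting are both write (POST) operations on the transit engine, which in Vault's policy model is the `update` capability on those two paths, and granting `read` on the key path is not what those calls need. Stating the exact paths and capabilities here also lets the quick start's `vault policy write` step show a least-privilege policy instead of one scoped to the whole transit backend.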
start to configuring vault
=> start for configuring vault
IMHO
@eco-minio && @ebozduman - updated PR.
objects.This document explains how to configure Minio with Vault as KMS.
objects. This document explains how to configure Minio with Vault as KMS.
@ebozduman, addressed your feedback
docs/kms/README.md
Outdated
are required for the generate data key endpoint and decrypt key endpoint. | ||
- [transit](https://www.vaultproject.io/docs/secrets/transit/index.html) backend configured with a named encryption key-ring | ||
- [AppRole](https://www.vaultproject.io/docs/auth/approle.html) based authentication with read/update policy for transit backend. In particular, read and update policy | ||
are required for the Generate Data Key](https://www.vaultproject.io/api/secret/transit/index.html#generate-data-key) endpoint and [Decrypt Data](https://www.vaultproject.io/api/secret/transit/index.html#decrypt-data) endpoint. |
Missing [ in ...for the Generate Data Key](...
thanks, fixed.
Mint Automation
LGTM
I noticed there is a travis failure after giving my LGTM.
@ebozduman, travis passed on restart
LGTM
Description
Adding a quick start guide to configure Vault for use as KMS with minio server
Motivation and Context
Helps guide new users
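The quick start under review lists the vault commands but never shows the policy file they depend on. The script below is an added example written for this page; it is not code from the minio repository or from this PR. It renders the least-privilege policy MinIO needs next to the over-broad one to avoid, and wraps the quick-start steps in a function that only runs when the script is invoked with "apply" against a dev Vault (VAULT_ADDR and VAULT_TOKEN set, as for any vault CLI use). Assumptions, not taken from the page: the key ring, role and policy names ("my-minio-key", "my-role", "minio-policy"), that the two transit paths below are the ones the generate-data-key and decrypt calls hit, that both require the update capability, and the policies= parameter used to attach the policy to the role.

```shell
#!/bin/sh
# Added example (not minio project code): Vault transit + AppRole setup for a
# MinIO KMS, with the policy file the README's quick start refers to.
# Assumed names; override via the environment.
KEY_NAME="${KEY_NAME:-my-minio-key}"
ROLE_NAME="${ROLE_NAME:-my-role}"
POLICY_NAME="${POLICY_NAME:-minio-policy}"

# Over-broad policy: grants every operation under transit/, including key
# deletion and engine configuration. Shown only as the setting to avoid.
render_broad_policy() {
  cat <<'EOF'
path "transit/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
EOF
}

# Least-privilege policy: only the two operations MinIO performs, on one key
# ring. Both are POST calls, so the capability is "update" (assumption about
# which paths MinIO uses; the README names the endpoints but not the paths).
render_policy() {
  key="$1"
  cat <<EOF
path "transit/datakey/plaintext/${key}" {
  capabilities = ["update"]
}
path "transit/decrypt/${key}" {
  capabilities = ["update"]
}
EOF
}

# Number of path stanzas a rendered policy grants (reads the policy on stdin).
count_paths() {
  grep -c '^path "'
}

# Quick-start steps against a running Vault. The policy file is written to the
# current directory instead of a developer-specific absolute path.
setup_vault() {
  vault auth enable approle                      # enable AppRole auth
  vault secrets enable transit                   # enable the transit secrets engine
  vault write -f "transit/keys/${KEY_NAME}"      # create an encryption key ring
  render_policy "${KEY_NAME}" > ./vaultpolicy.hcl
  vault policy write "${POLICY_NAME}" ./vaultpolicy.hcl
  # token_num_uses=0 and secret_id_num_uses=0 mean unlimited uses; period=60s
  # makes the token periodic: it stays valid only if renewed within every 60s.
  # policies= attaches the policy above to tokens issued for this role.
  vault write "auth/approle/role/${ROLE_NAME}" \
    token_num_uses=0 secret_id_num_uses=0 period=60s \
    policies="${POLICY_NAME}"
  # The credentials MinIO logs in with:
  vault read "auth/approle/role/${ROLE_NAME}/role-id"
  vault write -f "auth/approle/role/${ROLE_NAME}/secret-id"
}

# Only touch Vault when asked explicitly, so sourcing the file has no side effects.
if [ "${1:-}" = "apply" ]; then
  setup_vault
fi
```

Run `sh setup-vault.sh apply` against a dev server to execute the steps, or source the file and call `render_policy my-minio-key` to inspect the policy on its own. Widening the policy to `transit/*` would let a leaked AppRole secret rotate or delete the key ring; the two-path policy limits a leak to wrapping and unwrapping data keys under that one key.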
Regression
No
How Has This Been Tested?
mint