DOCS-912: Part 1: Cleaning up Vault (#949)

Staged: http://192.241.195.202:9000/staging/DOCS-912/linux/operations/server-side-encryption/configure-minio-kes-hashicorp.html --------- Co-authored-by: Andrea Longo <feorlen@users.noreply.github.com> Co-authored-by: Daryl White <53910321+djwfyi@users.noreply.github.com>
2025-07-30 07:03:26 +03:00 · 2023-08-11 17:08:36 -04:00
parent d2e8899685
commit 20403a7464
14 changed files with 68 additions and 255 deletions
--- a/source/includes/linux/common-minio-kes.rst
+++ b/source/includes/linux/common-minio-kes.rst
@ -25,7 +25,7 @@ For more granular controls, deploy a dedicated load balancer to manage connectio

 .. start-kes-service-file-desc

-Create the ``/etc/systemd/system/kes.service`` file on all KES hosts:
+Create the ``/lib/systemd/system/kes.service`` file on all KES hosts:

 .. literalinclude:: /extra/kes.service
   :language: shell
@ -88,41 +88,26 @@ For existing MinIO deployments, run the following command on each MinIO host to

 .. start-kes-generate-kes-certs-prod-desc

-Enabling connectivity between MinIO and KES requires at minimum one TLS certificate for performing mutual TLS (mTLS) authentication.
+KES requires TLS connectivity for all client connections, including those originating from MinIO.
+See :ref:`minio-tls` for more information on enabling TLS for the MinIO deployment.
+
 Depending on your Vault configuration, you may also need to create a dedicated set of TLS certificates for KES to connect and authenticate to Vault.
-Defer to your organizations best practices around generating production-ready TLS certificates.

-Place the certificates and corresponding private keys an appropriate directory such that the MinIO and KES service users can access and read their contents.
-The following example structure uses the folder hierarchy suggested in the beginning of this procedure:
+Defer to your organization's best practices around generating production-ready TLS certificates.

-.. tab-set::
+Place the certificates and corresponding private keys in a directory that the KES service user has permissions to access and read the directory's contents.
+For example:

-   .. tab-item:: KES Hosts
+.. code-block:: shell
+   :substitutions:

-      .. code-block:: shell
-         :substitutions:
+   -rw-r--r-- 1 kes:kes |kescertpath|/kes-server.cert
+   -rw-r--r-- 1 kes:kes |kescertpath|/kes-server.key

-         -rw-r--r-- 1 kes:kes |kescertpath|/kes-server.cert
-         -rw-r--r-- 1 kes:kes |kescertpath|/kes-server.key
+   # If the Vault certs are self-signed or use a non-global CA
+   # Include those CA certs as well

-         # If the Vault certs are self-signed or use a non-global CA
-         # Include those CA certs as well
-
-         -rw-r--r-- 1 kes:kes |kescertpath|/vault-CA.cert
-
-   .. tab-item:: MinIO Hosts
-
-      .. code-block:: shell
-         :substitutions:
-
-         -rw-r--r-- 1 minio-user:minio-user |miniocertpath|/minio-kes.cert
-         -rw-r--r-- 1 minio-user:minio-user |miniocertpath|/minio-kes.key
-
-         # If KES certs are self-signed or use a non-global CA
-         # Include the CA certs as well
-         -rw-r--r-- 1 minio-user:minio-user |miniocertpath|/kes-server.cert
-
-The general strategy for cert management is to ensure that each process (MinIO, KES, and Vault) have their own mTLS certificates *and* the Certificate Authority (CA) used to sign each client certificate.
+   -rw-r--r-- 1 kes:kes |kescertpath|/vault-CA.cert

 .. end-kes-generate-kes-certs-prod-desc

@ -135,12 +120,7 @@ The following command uses the ``kes key create`` command to add a new External

 .. code-block:: shell
   :class: copyable
-   :substitutions:

-   export KES_SERVER=https://127.0.0.1:7373
-   export KES_CLIENT_KEY=|miniocertpath|/minio-kes.key
-   export KES_CLIENT_CERT=|miniocertpath|/minio-kes.cert
-
-   kes key create -k encrypted-bucket-key
+   mc admin kms key create ALIAS KEYNAME

 .. end-kes-generate-key-desc
--- a/source/includes/linux/steps-configure-minio-kes-hashicorp-quick.rst
+++ b/source/includes/linux/steps-configure-minio-kes-hashicorp-quick.rst
@ -1,139 +0,0 @@
-Enable Server-Side Encryption using Hashicorp Vault for Local Development
-------------------------------------------------------------------------
-
-This procedure assumes deploying MinIO and KES onto the same host.
-You can use and modify the information below to better suit your local development environment.
-
-This procedure assumes the following:
-
- An existing Vault deployment
- A single host machine for deploying KES and MinIO
-
-.. admonition:: Set Up Folder Hierarchy
-   :class: note
-
-   Create the following folders on the host machine if they do not already exist.
-
-   .. code-block:: shell
-      :class: copyable
-      :substitutions:
-
-      mkdir -P |kescertpath|
-      mkdir -P |kesconfigpath|
-      mkdir -P |miniocertpath|
-      mkdir -P |minioconfigpath|
-      mkdir -P |miniodatapath|
-
-   This procedure uses these paths in the following steps. 
-   If you use different paths, make the necessary modifications for each step to reflect those changes
-
-1) Download the KES Server Binary
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-.. include:: /includes/linux/common-minio-kes.rst
-   :start-after: start-kes-download-desc
-   :end-before: end-kes-download-desc
-
-2) Generate TLS Certificates for KES and MinIO
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-.. include:: /includes/common/common-minio-kes.rst
-   :start-after: start-kes-generate-kes-certs-desc
-   :end-before: end-kes-generate-kes-certs-desc
-
-Depending on your Vault configuration, you may need to pass the ``kes-server.cert`` certificate as a trusted Certificate Authority. 
-See the `Hashicorp Server Configuration Documentation <https://www.vaultproject.io/docs/configuration/listener/tcp#tls_client_ca_file>`__ for more information.
-Defer to the client documentation for instructions on trusting a third-party CA.
-
-3) Create the KES and MinIO Configurations
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-.. container:: procedure
-
-   a. Create the KES Configuration File
-
-      Create the configuration file using your preferred text editor.
-      The following example uses ``nano``:
-
-      .. code-block:: shell
-         :substitutions:
-
-         nano |kesconfigpath|/kes-config.yaml
-
-      .. include:: /includes/common/common-minio-kes-hashicorp.rst
-         :start-after: start-kes-configuration-hashicorp-vault-desc
-         :end-before: end-kes-configuration-hashicorp-vault-desc
-
-      - Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
-
-        The following command computes the necessary hash:
-
-        .. code-block:: shell
-           :class: copyable
-           :substitutions:
-
-           kes identity of |miniocertpath|/minio-kes.cert
-
-      - Replace the ``vault.endpoint`` with the hostname of the Vault server(s).
-      - Set the ``vault.engine`` and ``vault.version`` to the appropriate values for the Vault K/V Engine configuration
-      - Replace the ``VAULTAPPID`` and ``VAULTAPPSECRET`` with the appropriate :ref:`Vault AppRole credentials <minio-sse-vault-prereq-vault>`.
-
-   b. Create the MinIO Environment File
-
-      Create or modify the environment file for the MinIO deployment using your preferred text editor.
-      The following example uses ``nano``:
-
-      .. code-block:: shell
-         :substitutions:
-
-         nano |minioconfigpath|/minio
-
-      .. include:: /includes/common/common-minio-kes.rst
-         :start-after: start-kes-configuration-minio-desc
-         :end-before: end-kes-configuration-minio-desc
-
-4) Start KES and MinIO
-~~~~~~~~~~~~~~~~~~~~~~
-
-.. include:: /includes/common/common-minio-kes-hashicorp.rst
-   :start-after: start-kes-vault-seal-unseal-desc
-   :end-before: end-kes-vault-seal-unseal-desc
-
-You must start KES *before* starting MinIO. 
-The MinIO deployment requires access to KES as part of its startup.
-
-.. container:: procedure
-
-   a. Start the KES Server
-
-      .. include:: /includes/common/common-minio-kes.rst
-         :start-after: start-kes-start-server-desc
-         :end-before: end-kes-start-server-desc
-
-   b. Start the MinIO Server
-
-      .. include:: /includes/common/common-minio-kes.rst
-         :start-after: start-kes-minio-start-server-desc
-         :end-before: end-kes-minio-start-server-desc
-
-Foreground processes depend on the shell or terminal in which they run.
-Exiting or terminating the shell/terminal instance also kills the attached process.
-Defer to your operating system best practices for running processes in the background.
-
-5) Generate a New Encryption Key
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-.. include:: /includes/common/common-minio-kes-hashicorp.rst
-   :start-after: start-kes-vault-seal-unseal-desc
-   :end-before: end-kes-vault-seal-unseal-desc
-
-.. include:: /includes/common/common-minio-kes.rst
-   :start-after: start-kes-generate-key-desc
-   :end-before: end-kes-generate-key-desc
-
-6) Enable SSE-KMS for a Bucket
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-.. include:: /includes/common/common-minio-kes.rst
-   :start-after: start-kes-enable-sse-kms-desc
-   :end-before: end-kes-enable-sse-kms-desc
--- a/source/includes/linux/steps-configure-minio-kes-hashicorp.rst
+++ b/source/includes/linux/steps-configure-minio-kes-hashicorp.rst
@ -1,5 +1,5 @@
-Enable Server-Side Encryption using Hashicorp Vault in Production Environments
------------------------------------------------------------------------------
+Procedure
+---------

 This procedure provides instructions for configuring and enabling Server-Side Encryption using Hashicorp Vault in production environments. 
 Specifically, this procedure assumes the following:
@ -8,33 +8,6 @@ Specifically, this procedure assumes the following:
 - One or more hosts for deploying KES
 - One or more hosts for a new or existing MinIO deployment

-.. admonition:: Set Up Folder Hierarchy
-   :class: note
-
-   Create the following folders on the KES and MinIO host machines if they do not already exist:
-
-   .. tab-set::
-
-      .. tab-item:: KES Hosts
-
-         .. code-block:: shell
-            :class: copyable
-            :substitutions:
-
-            mkdir -P |kescertpath|
-            mkdir -P |kesconfigpath|
-
-      .. tab-item:: MinIO Hosts
-
-         .. code-block:: shell
-            :class: copyable
-            :substitutions:
-
-            mkdir -P |miniocertpath|
-
-   This procedure uses these paths in the following steps. 
-   If you use different paths, make the necessary modifications for each step to reflect those changes
-
 1) Download KES and Create the Service File
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

@ -52,8 +25,8 @@ Specifically, this procedure assumes the following:
         :start-after: start-kes-service-file-desc
         :end-before: end-kes-service-file-desc

-2) Generate TLS Certificates for KES and MinIO
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+2) Generate TLS Certificates for KES
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 .. include:: /includes/linux/common-minio-kes.rst
   :start-after: start-kes-generate-kes-certs-prod-desc
@ -63,7 +36,21 @@ Depending on your Vault configuration, you may also need to specify the CA used
 See the `Hashicorp Vault Configuration Docs <https://www.vaultproject.io/docs/configuration/listener/tcp#tls_client_ca_file>`__ for more information.
 Defer to the client documentation for instructions on trusting a third-party CA.

-3) Create the KES and MinIO Configurations
+3) Generate a KES API Key for use by MinIO
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Starting with KES version :minio-git:`2023-02-15T14-54-37Z <kes/releases/tag/2023-02-15T14-54-37Z>`, you can generate an API key to use for authenticating to the KES server.
+
+Use the :kes-docs:`kes identity new <cli/kes-identity/new>` command to generate a new API key for use by the MinIO Server:
+
+.. code-block:: shell
+   :class: copyable
+
+   kes identity new
+
+The output includes both the API Key for use with MinIO and the Identity hash for use with the :kes-docs:`KES Policy configuration <tutorials/configuration/#policy-configuration>`.
+
+4) Create the KES and MinIO Configurations
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 .. important::
@ -87,15 +74,14 @@ Defer to the client documentation for instructions on trusting a third-party CA.
         :start-after: start-kes-configuration-hashicorp-vault-desc
         :end-before: end-kes-configuration-hashicorp-vault-desc

-      - Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
+      - Set ``MINIO_IDENTITY_HASH`` to the identity hash of the API Key generated in the previous step.

-        The following command computes the necessary hash:
+        The following command recomputes the necessary hash from the API key:

        .. code-block:: shell
           :class: copyable
-           :substitutions:

-           kes identity of |miniocertpath|/minio-kes.cert
+           kes identity of kes:v1:KEY/KEY

      - Replace the ``keystore.vault.endpoint`` with the hostname of the Vault server(s).

@ -107,16 +93,16 @@ Defer to the client documentation for instructions on trusting a third-party CA.

   b. Configure the MinIO Environment File

-      Modify the MinIO Server environment file for all hosts in the target deployment to include the following environment variables.
-
-      MinIO defaults to expecting this file at ``/etc/default/minio``.
-      If you modified your deployment to use a different location for the environment file, modify the file at that location.
+      Create or modify the MinIO Server environment file for all hosts in the target deployment to include the following environment variables:

      .. include:: /includes/common/common-minio-kes.rst
         :start-after: start-kes-configuration-minio-desc
         :end-before: end-kes-configuration-minio-desc

-4) Start KES and MinIO
+      MinIO defaults to expecting this file at ``/etc/default/minio``.
+      If you modified your deployment to use a different location for the environment file, modify the file at that location.
+
+5) Start KES and MinIO
 ~~~~~~~~~~~~~~~~~~~~~~

 .. include:: /includes/common/common-minio-kes-hashicorp.rst