DOCS-IA: Platformize SSE Docs. Hashicorp Pass (#518)

* Platformization of Data Encryption Docs: Hashicorp Pass * Platformization of Data Encryption Docs: Hashicorp Pass * Big pass, CR changes + K8s
2025-07-28 19:42:10 +03:00 · 2022-08-15 12:53:08 -04:00
parent 0e63416cb1
commit 2376fa9924
41 changed files with 1837 additions and 310 deletions
--- a/source/includes/k8s/common-minio-kes.rst
+++ b/source/includes/k8s/common-minio-kes.rst
@ -0,0 +1,170 @@
+.. start-kes-prereq-hashicorp-vault-desc
+
+This procedure assumes an existing `Hashicorp Vault <https://www.vaultproject.io/>`__ installation accessible from the Kubernetes cluster.
+
+- For Vault deployments within the same Kubernetes cluster as the MinIO Tenant, you can use Kubernetes service names to allow the MinIO Tenant to establish connectivity to the Vault service.
+
+- For Vault deployments external to the Kubernetes cluster, you must configure Ingress or a similar network control plane component to allow the MinIO Tenant to establish connectivity to Vault.
+
+Defer to the `Vault Documentation <https://learn.hashicorp.com/vault>`__ for guidance on deployment and configuration.
+
+MinIO |KES| supports both the V1 and V2 Vault engines.
+Select the corresponding tab to the engine used by your Vault deployment for instructions on configuring the necessary permissions:
+
+.. tab-set::
+
+   .. tab-item:: Vault Engine V1
+
+      Create an access policy ``kes-policy.hcl`` with a configuration similar to the following:
+         
+      .. code-block:: shell
+         :class: copyable
+
+         path "kv/*" {
+               capabilities = [ "create", "read", "delete" ]
+         }
+
+      Write the policy to Vault using ``vault policy write kes-policy kes-policy.hcl``.
+
+   .. tab-item:: Vault Engine V2
+
+      Create an access policy ``kes-policy.hcl`` with a configuration similar to the following:
+
+      .. code-block:: shell
+         :class: copyable
+
+         path "kv/data/*" {
+               capabilities = [ "create", "read"]
+
+         path "kv/metadata/*" {
+               capabilities = [ "list", "delete"]
+         
+      Write the policy to Vault using ``vault policy write kes-policy kes-policy.hcl``
+
+MinIO requires using AppRole authentication for secure communication with the Vault server.
+The following commands:
+
+- Create an App Role ID for |KES|
+- Binds that role to the created KES policy
+- Requests a RoleID and SecretID
+
+  .. code-block:: shell
+     :class: copyable
+
+     vault write    auth/approle/role/kes-role token_num_uses=0 secret_id_num_uses=0 period=5m
+     vault write    auth/approle/role/kes-role policies=kes-policy
+     vault read     auth/approle/role/kes-role/role-id
+     vault write -f auth/approle/role/kes-role/secret-id
+
+You must specify both RoleID and SecretID as part of this procedure.
+
+.. end-kes-prereq-hashicorp-vault-desc
+
+.. start-kes-enable-sse-kms-desc
+
+You can use either the MinIO Tennat Console or the MinIO :mc:`mc` CLI to enable bucket-default SSE-KMS with the generated key:
+
+.. tab-set::
+
+   .. tab-item:: MinIO Tenant Console
+
+      You can manually :ref:`port forward <create-tenant-operator-forward-ports>` the MinIO Tenant Console service to your local host machine for simplified access:
+
+      .. code-block:: shell
+         :class: copyable
+
+         # Replace 'minio-tenant' with the name of the MinIO Tenant
+         # Replace '-n minio' with the namespace of the MinIO Tenant
+
+         kubectl port-forward svc/minio-tenant-console 9443:9443 -n minio
+
+      Open the MinIO Console by navigating to http://127.0.0.1:9443 in your preferred browser and logging in with the root credentials for the deployment.
+
+      Once logged in, create a new Bucket and name it to your preference.
+      Select the Gear :octicon:`gear` icon to open the management view.
+
+      Select the pencil :octicon:`pencil` icon next to the :guilabel:`Encryption` field to open the modal for configuring a bucket default SSE scheme.
+
+      Select :guilabel:`SSE-KMS`, then enter the name of the key created in the previous step.
+
+      Once you save your changes, try to upload a file to the bucket. 
+      When viewing that file in the object browser, note that in the sidebar the metadata includes the SSE encryption scheme and information on the key used to encrypt that object.
+      This indicates the successful encrypted state of the object.
+
+   .. tab-item:: MinIO CLI
+
+      You can manually :ref:`port forward <create-tenant-operator-forward-ports>` the ``minio`` service for temporary access via the local host.
+
+      Run this command in a separate Terminal or Shell:
+
+      .. code-block:: shell
+         :class: copyable
+
+         # Replace '-n minio' with the namespace of the MinIO deployment
+         # If you deployed the Tenant without TLS you may need to change the port range
+         
+         # You can validate the ports in use by running
+         #  kubectl get svc/minio -n minio
+
+         kubectl port forward svc/minio 443:443 -n minio
+
+      The following commands in a new Terminal or Shell window:
+      
+      - Create a new :ref:`alias <alias>` for the MinIO deployment
+      - Create a new bucket for storing encrypted data
+      - Enable SSE-KMS encryption on that bucket
+
+      .. code-block:: shell
+         :class: copyable
+
+         mc alias set k8s https://127.0.0.1:443 ROOTUSER ROOTPASSWORD
+
+         mc mb k8s/encryptedbucket
+         mc encrypt set SSE-KMS encrypted-bucket-key k8s/encryptedbucket
+
+      Write a file to the bucket using :mc:`mc cp` or any S3-compatible SDK with a ``PutObject`` function. 
+      You can then run :mc:`mc stat` on the file to confirm the associated encryption metadata.
+
+.. end-kes-enable-sse-kms-desc
+
+.. start-kes-generate-key-desc
+
+MinIO requires that the |EK| for a given bucket or object exist on the root KMS *before* performing |SSE| operations using that key.
+You can use the :mc:`mc admin kms key create` command against the MinIO Tenant.
+
+You must ensure your local host can access the MinIO Tenant pods and services before using :mc:`mc` to manage the Tenant.
+You can manually :ref:`port forward <create-tenant-operator-forward-ports>` the ``minio`` service for temporary access via the local host.
+
+Run this command in a separate Terminal or Shell:
+
+.. code-block:: shell
+   :class: copyable
+
+   # Replace '-n minio' with the namespace of the MinIO deployment
+   # If you deployed the Tenant without TLS you may need to change the port range
+   
+   # You can validate the ports in use by running
+   #  kubectl get svc/minio -n minio
+
+   kubectl port forward svc/minio 443:443 -n minio
+
+The following commands in a new Terminal or Shell window:
+
+- Connect a local :mc:`mc` client to the Tenant.
+
+- Create the encryption key.
+
+See :ref:`mc-install` for instructions on installing ``mc`` on your local host.
+
+.. code-block:: shell
+   :class: copyable
+
+   # Replace USERNAME and PASSWORD with a user on the tenant with administrative permissions
+   # such as the root user
+
+   mc alias add k8s https://localhost:443 ROOTUSER ROOTPASSWORD
+
+   # Replace my-new-key with the name of the key you want to use for SSE-KMS
+   mc admin kms key create k8s encrypted-bucket-key
+
+.. end-kes-generate-key-desc
--- a/source/includes/k8s/steps-configure-minio-kes-hashicorp.rst
+++ b/source/includes/k8s/steps-configure-minio-kes-hashicorp.rst
@ -0,0 +1,120 @@
+This procedure assumes you have access to a Kubernetes cluster with an active MinIO Operator installation.
+As part of this procedure, you will:
+
+- Use the MinIO Operator Console to create or manage a MinIO Tenant.
+- Access the :guilabel:`Encryption` settings for that tenant and configure |SSE| using Hashicorp Vault.
+- Create a new |EK| on Vault for use with |SSE|.
+- Configure automatic bucket-default :ref:`SSE-KMS <minio-encryption-sse-kms>`.
+
+.. important::
+
+   .. include:: /includes/common/common-minio-kes.rst
+      :start-after: start-kes-encrypted-backend-desc
+      :end-before: end-kes-encrypted-backend-desc
+
+Prerequisites
+-------------
+
+.. _minio-sse-vault-prereq-vault:
+
+Deploy or Ensure Access to a Hashicorp Vault Service
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/k8s/common-minio-kes.rst
+   :start-after: start-kes-prereq-hashicorp-vault-desc
+   :end-before: end-kes-prereq-hashicorp-vault-desc
+
+Deploy MinIO Tenant with Server-Side Encryption using Hashicorp Vault
+---------------------------------------------------------------------
+
+1) Access the Operator Console
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Use the :mc-cmd:`kubectl minio proxy` command to temporarily forward traffic between the local host machine and the MinIO Operator Console:
+
+.. code-block:: shell
+   :class: copyable
+
+   kubectl minio proxy
+
+The command returns output similar to the following:
+
+.. code-block:: shell
+
+   Starting port forward of the Console UI.
+
+   To connect open a browser and go to http://localhost:9090
+
+   Current JWT to login: TOKEN
+
+Open your browser to the specified URL and enter the JWT Token into the login page. 
+You should see the :guilabel:`Tenants` page:
+
+.. image:: /images/k8s/operator-dashboard.png
+   :align: center
+   :width: 70%
+   :class: no-scaled-link
+   :alt: MinIO Operator Console
+
+Click the :guilabel:`+ Create Tenant` to start creating a MinIO Tenant.
+
+2) Complete the :guilabel:`Encryption` Section
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Reference the :ref:`Deploy a MinIO Tenant <minio-k8s-deploy-minio-tenant>` procedure for complete documentation of other Tenant settings.
+
+To enable |SSE| with Hashicorp Vault during Tenant deployment, select the :guilabel:`Encryption` section and toggle the switch to :guilabel:`Enabled`. 
+You can then select the :guilabel:`Vault` Radio button to :guilabel:`Vault` to display the Vault configuration settings.
+
+.. image:: /images/k8s/operator-create-tenant-encryption.png
+   :align: center
+   :width: 70%
+   :class: no-scaled-link
+   :alt: MinIO Operator Console - Create a Tenant - Encryption Section
+
+An asterisk ``*`` marks required fields.
+The following table provides general guidance for those fields:
+
+.. list-table::
+   :header-rows: 1
+   :widths: 40 60
+   :width: 100%
+
+   * - Field
+     - Description
+
+   * - Endpoint
+
+     - The hostname or IP address for the Vault service (``https://vault.example.net:8200``) to use for |SSE|.
+       
+       The MinIO Tenant |KES| pods *must* have network access to the specified endpoint. 
+       
+       For Vault services deployed in the *same* Kubernetes cluster as the MinIO Tenant, you can specify either the service's cluster IP *or* its :kube-docs:`DNS hostname <concepts/services-networking/dns-pod-service/>`.
+
+       For Vault services external to the Kubernetes cluster, you can specify that external hostname to the MinIO Tenant.
+       This assumes that your Kubernetes network configuration supports routing internal traffic to external networks like the public internet.
+
+   * - | AppRole ID
+       | AppRole Secret
+
+     - Specify the Vault AppRole ID and AppRole Secret MinIO should use when authenticating to the Vault service.
+       Review the :ref:`Vault Prerequisites <minio-sse-vault-prereq-vault>` for instructions on generating these values.
+
+       MinIO defaults to using the `KV Version 1 <https://www.vaultproject.io/docs/secrets/kv>`__ engine.
+       You can specify ``v2`` to enable the KV Version 2 engine.
+
+Once you have completed the Vault configuration, you can finish any remaining sections of :ref:`Tenant Deployment <minio-k8s-deploy-minio-tenant>`.
+
+3) Generate a New Encryption Key
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/k8s/common-minio-kes.rst
+   :start-after: start-kes-generate-key-desc
+   :end-before: end-kes-generate-key-desc
+
+4) Enable SSE-KMS for a Bucket
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/k8s/common-minio-kes.rst
+   :start-after: start-kes-enable-sse-kms-desc
+   :end-before: end-kes-enable-sse-kms-desc