DOCS-IA: Platformize SSE Docs. Hashicorp Pass (#518)

* Platformization of Data Encryption Docs: Hashicorp Pass

* Platformization of Data Encryption Docs: Hashicorp Pass

* Big pass, CR changes + K8s

source/includes/linux/common-minio-kes.rst

@@ -0,0 +1,78 @@
+.. start-kes-download-desc
+
+Download the latest stable release (|kes-stable|) of KES from :minio-git:`github.com/minio/kes <kes/releases/latest>`.
+
+Select the binary appropriate for the host OS architecture. 
+For example, hosts running X86-64 (Intel/AMD64) should download the ``kes-linux-amd64`` package.
+
+The following example code downloads the latest Linux AMD64-compatible binary and moves it to the system ``PATH``:
+
+.. code-block:: shell
+   :class: copyable
+   :substitutions:
+
+   wget https://github.com/minio/kes/releases/download/v|kes-stable|/kes-linux-amd64 -O /tmp/kes && \
+   chmod +x /tmp/kes && \
+   sudo mv /tmp/kes /usr/local/bin
+
+   kes --version
+
+For distributed KES topologies, repeat this step and all following KES-specific instructions for each host on which you want to deploy KES.
+MinIO strongly recommends configuring a load balancer with a "Least Connections" configuration to manage connections to distributed KES hosts.
+
+.. end-kes-download-desc
+
+.. start-kes-service-file-desc
+
+Create the ``/etc/systemd/system/minio.service`` file on all KES hosts:
+
+.. literalinclude:: /extra/kes.service
+   :language: shell
+
+You may need to run ``systemctl daemon-reload`` to load the new service file into ``systemctl``.
+
+The ``kes.service`` file runs as the ``kes-user`` User and Group by default.
+You can create the user and group using the ``useradd`` and ``groupadd`` commands.
+The following example creates the user and group.
+These commands typically require root (``sudo``) permissions.
+
+.. code-block:: shell
+   :class: copyable
+
+   groupadd -r kes-user
+   useradd -M -r -g kes-user kes-user
+
+.. end-kes-service-file-desc
+
+.. start-kes-start-service-desc
+
+Run the following command on each KES host to start the service:
+
+.. code-block:: shell
+   :class: copyable
+
+   systemctl start kes
+
+You can validate the startup by using ``systemctl status kes``. 
+If the service started successfully, use ``journalctl -uf kes`` to check the KES output logs.
+
+.. end-kes-start-service-desc
+
+.. start-kes-minio-start-service-desc
+
+For new MinIO deployments, run the following command on each MinIO host to start the service:
+
+.. code-block:: shell
+   :class: copyable
+
+   systemctl start minio
+
+For existing MinIO deployments, run the following command on each MinIO host to restart the service:
+
+.. code-block:: shell
+   :class: copyable
+
+   systemctl reload minio
+   systemctl restart minio
+
+.. end-kes-minio-start-service-desc

source/includes/linux/steps-configure-minio-kes-hashicorp.rst

@@ -0,0 +1,135 @@
+This procedure assumes a single local host machine running the MinIO and KES processes.
+As part of this procedure, you will:
+
+- Deploy a |KES| server configured to use `Hashicorp Vault <https://www.vaultproject.io/>`__ as the root |KMS|.
+
+- Create a new |EK| on Vault for use with |SSE|.
+
+- Deploy a MinIO server configured to use the |KES| container for supporting |SSE|.
+
+- Configure automatic bucket-default :ref:`SSE-KMS <minio-encryption-sse-kms>`.
+
+For production environments, this procedure provides general guidance on deploying and configuring KES at scale.
+Defer to the :ref:`Deploy Distributed MinIO <minio-mnmd>` tutorial for guidance on production-ready MinIO deployments.
+
+For production orchestrated environments, use the MinIO Kubernetes Operator to deploy a tenant with |SSE| enabled and configured for use with Hashicorp Vault.
+
+.. important::
+
+   .. include:: /includes/common/common-minio-kes.rst
+      :start-after: start-kes-encrypted-backend-desc
+      :end-before: end-kes-encrypted-backend-desc
+
+Prerequisites
+-------------
+
+.. _minio-sse-vault-prereq-vault:
+
+Deploy or Ensure Access to a Hashicorp Vault Service
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/common/common-minio-kes-hashicorp.rst
+   :start-after: start-kes-prereq-hashicorp-vault-desc
+   :end-before: end-kes-prereq-hashicorp-vault-desc
+
+Deploy or Ensure Access to a MinIO Deployment
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/common/common-minio-kes.rst
+   :start-after: start-kes-new-existing-minio-deployment-desc
+   :end-before: end-kes-new-existing-minio-deployment-desc
+
+Deploy MinIO and KES to Enable Server-Side Encryption with Hashicorp Vault
+--------------------------------------------------------------------------
+
+Prior to starting these steps, create the following folders:
+
+.. code-block:: shell
+   :class: copyable
+
+   mkdir -P ~/minio-kes-vault/certs ~/minio-kes-vault/minio ~/minio-kes-vault/config
+
+1) Download KES and Create the Service File
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+a. Download KES
+
+   .. include:: /includes/linux/common-minio-kes.rst
+      :start-after: start-kes-download-desc
+      :end-before: end-kes-download-desc
+
+b. Create the Service File
+
+   .. include:: /includes/linux/common-minio-kes.rst
+      :start-after: start-kes-service-file-desc
+      :end-before: end-kes-service-file-desc
+
+2) Generate TLS Certificates for KES and MinIO
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/common/common-minio-kes.rst
+   :start-after: start-kes-generate-kes-certs-desc
+   :end-before: end-kes-generate-kes-certs-desc
+
+3) Create the KES and MinIO Configurations
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+a. Create the KES Configuration File
+
+   .. include:: /includes/common/common-minio-kes-hashicorp.rst
+      :start-after: start-kes-configuration-hashicorp-vault-desc
+      :end-before: end-kes-configuration-hashicorp-vault-desc
+
+   Save the configuration file as ``~/minio-kes-vault/config/kes-config.yaml``. 
+
+   - Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
+
+      The following command computes the necessary hash:
+
+      .. code-block:: shell
+         :class: copyable
+
+         kes tool identity of ~/minio-kes-vault/certs/minio-kes.cert
+
+   - Replace the ``vault.endpoint`` with the hostname of the Vault server(s).
+
+   - Replace the ``VAULTAPPID`` and ``VAULTAPPSECRET`` with the appropriate :ref:`Vault AppRole credentials <minio-sse-vault-prereq-vault>`.
+
+
+b. Create the MinIO Environment File
+
+   .. include:: /includes/common/common-minio-kes.rst
+      :start-after: start-kes-configuration-minio-desc
+      :end-before: end-kes-configuration-minio-desc
+
+4) Start KES and MinIO
+~~~~~~~~~~~~~~~~~~~~~~
+
+You must start KES *before* starting MinIO. 
+The MinIO deployment requires access to KES as part of its startup.
+
+a. Start the KES Server
+
+   .. include:: /includes/linux/common-minio-kes.rst
+      :start-after: start-kes-start-service-desc
+      :end-before: end-kes-start-service-desc
+
+b. Start the MinIO Server
+
+   .. include:: /includes/linux/common-minio-kes.rst
+      :start-after: start-kes-minio-start-service-desc
+      :end-before: end-kes-minio-start-service-desc
+
+5) Generate a New Encryption Key
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/common/common-minio-kes.rst
+   :start-after: start-kes-generate-key-desc
+   :end-before: end-kes-generate-key-desc
+
+6) Enable SSE-KMS for a Bucket
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/common/common-minio-kes.rst
+   :start-after: start-kes-enable-sse-kms-desc
+   :end-before: end-kes-enable-sse-kms-desc