mirror of https://github.com/minio/docs.git synced 2025-07-31 18:04:52 +03:00

DOCS-IA: Platformize SSE Docs. Hashicorp Pass (#518)

* Platformization of Data Encryption Docs: Hashicorp Pass

* Platformization of Data Encryption Docs: Hashicorp Pass

* Big pass, CR changes + K8s
This commit is contained in:
Ravind Kumar
2022-08-15 12:53:08 -04:00
committed by GitHub
parent 0e63416cb1
commit 2376fa9924
41 changed files with 1837 additions and 310 deletions

View File

@ -29,7 +29,7 @@
:class: copyable
curl -O https://dl.min.io/server/minio/release/darwin-arm64/minio
chmod +x minio
chmod +x ./minio
sudo mv ./minio /usr/local/bin/
.. tab-item:: Binary - amd64
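Review bot: the `chmod +x ./minio` change is fine and matches the `./minio` used in the following `mv`, but this tab still marks executable and installs into `/usr/local/bin/` whatever `curl -O` happened to fetch, with no integrity check in between. Consider adding a checksum or signature verification line between the `curl` and the `chmod`, so a truncated or substituted download is never made executable.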
@ -40,7 +40,7 @@
:class: copyable
curl -O https://dl.min.io/server/minio/release/darwin-amd64/minio
chmod +x minio
chmod +x ./minio
sudo mv ./minio /usr/local/bin/
.. end-install-minio-binary-desc
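Review bot: same comment as the arm64 tab above applies to this amd64 hunk; whichever verification step is added there should be mirrored here so the two tabs stay in lockstep.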

View File

@ -0,0 +1,56 @@
..start-kes-download-desc
Download the binary of the latest stable KES release (|kes-stable|) from :minio-git:`github.com/minio/kes <kes/releases/>`.
Select the tab corresponding to the architecture for your MacOS hardware.
The command downloads the |kes-stable| binary for that architecture, sets it to executable, and adds it to your system PATH.
.. tab-set::
.. tab-item:: ARM64 (Apple Silicon)
.. code-block:: shell
:class: copyable
:substitutions:
curl -O https://github.com/minio/kes/releases/download/v|kes-stable|/kes-darwin-arm64
chmod +x ./kes-darwin-arm64
sudo mv ./kes-darwin-arm64 /usr/local/bin/kes
.. tab-item:: AMD64 (Intel)
.. code-block:: shell
:class: copyable
:substitutions:
curl -O https://github.com/minio/kes/releases/download/v|kes-stable|/kes-darwin-amd64
chmod +x ./kes-darwin-amd64
sudo mv ./kes-darwin-amd64 /usr/local/bin/kes
.. end-kes-download-desc
.. start-kes-start-server-desc
Run the following command in a terminal or shell to start the KES server as a foreground process.
.. code-block:: shell
:class: copyable
kes server --mlock --auth --config=~/minio-kes-vault/kes-server-config.yaml
Defer to the documentation for your MacOS Operating System version for instructions on running a process in the background.
.. end-kes-start-server-desc
.. start-kes-minio-start-server-desc
Run the following command in a terminal or shell to start the MinIO server as a foreground process.
.. code-block:: shell
:class: copyable
export MINIO_CONFIG_ENV_FILE=/etc/default/minio
minio server --console-address :9090
.. end-kes-minio-start-server-desc
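Review bot: the `curl -O https://github.com/minio/kes/releases/download/...` lines in both tabs need `-L`: GitHub serves release assets through a redirect, and without `-L` curl saves the short redirect response as `kes-darwin-arm64` / `kes-darwin-amd64`, which the next two lines then mark executable and move to `/usr/local/bin/kes`. Use `curl -L -O ...`. Three smaller points in the same file: the first line `..start-kes-download-desc` is missing the space after `..`, so unlike the matching `.. end-kes-download-desc` it is not an RST comment; the start command `kes server --mlock --auth --config=~/minio-kes-vault/kes-server-config.yaml` names a different file than the procedure that includes it, which tells the reader to save the config as `~/minio-kes-vault/config/kes-config.yaml`, and it should use `--config ~/...` or `$HOME` rather than `--config=~/...`, because zsh, the default macOS shell, does not expand a tilde after `=` unless `MAGIC_EQUAL_SUBST` is set; and `export MINIO_CONFIG_ENV_FILE=/etc/default/minio` uses a Linux path that this macOS procedure never creates, so it should point at the `~/minio-kes-vault/` tree the procedure sets up.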

View File

@ -23,16 +23,16 @@ Procedure
#. **Install the MinIO Server**
.. include:: /includes/macos/common-installation.rst
:start-after: start-install-minio-binary-desc
:end-before: end-install-minio-binary-desc
.. include:: /includes/macos/common-installation.rst
:start-after: start-install-minio-binary-desc
:end-before: end-install-minio-binary-desc
#. **Launch the MinIO Server**
.. include:: /includes/macos/common-installation.rst
:start-after: start-run-minio-binary-desc
:end-before: end-run-minio-binary-desc
.. include:: /includes/macos/common-installation.rst
:start-after: start-run-minio-binary-desc
:end-before: end-run-minio-binary-desc
#. **Connect your Browser to the MinIO Server**

View File

@ -0,0 +1,127 @@
This procedure assumes a single local host machine running the MinIO and KES processes.
As part of this procedure, you will:
- Deploy a |KES| server configured to use `Hashicorp Vault <https://www.vaultproject.io/>`__ as the root |KMS|.
- Create a new |EK| on Vault for use with |SSE|.
- Deploy a MinIO server configured to use the |KES| container for supporting |SSE|.
- Configure automatic bucket-default :ref:`SSE-KMS <minio-encryption-sse-kms>`.
For production environments, MinIO recommends using Linux hosts.
See the MinIO on Linux documentation for configuring MinIO with KES and Hashicorp Vault.
For production orchestrated environments, use the MinIO Kubernetes Operator to deploy a tenant with |SSE| enabled and configured for use with Hashicorp Vault.
.. important::
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-encrypted-backend-desc
:end-before: end-kes-encrypted-backend-desc
Prerequisites
-------------
.. _minio-sse-vault-prereq-vault:
Deploy or Ensure Access to a Hashicorp Vault Service
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes-hashicorp.rst
:start-after: start-kes-prereq-hashicorp-vault-desc
:end-before: end-kes-prereq-hashicorp-vault-desc
Deploy or Ensure Access to a MinIO Deployment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-new-existing-minio-deployment
:end-before: end-kes-new-existing-minio-deployment
Deploy MinIO and KES to Enable Server-Side Encryption with Hashicorp Vault
--------------------------------------------------------------------------
Prior to starting these steps, create the following folders:
.. code-block:: shell
:class: copyable
mkdir -P ~/minio-kes-vault/certs ~/minio-kes-vault/minio ~/minio-kes-vault/config
1) Download KES and Create the Service File
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/macos/common-minio-kes.rst
:start-after: start-kes-download-desc
:end-before: end-kes-download-desc
2) Generate TLS Certificates for KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-generate-kes-certs-desc
:end-before: end-kes-generate-kes-certs-desc
3) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a. Create the KES Configuration File
.. include:: /includes/common/common-minio-kes-hashicorp.rst
:start-after: start-kes-configuration-hashicorp-vault-desc
:end-before: end-kes-configuration-hashicorp-vault-desc
Save the configuration file as ``~/minio-kes-vault/config/kes-config.yaml``.
- Set ``MINIO_IDENTITY_HASH`` to the identity hash of the MinIO mTLS certificate.
The following command computes the necessary hash:
.. code-block:: shell
:class: copyable
kes tool identity of ~/minio-kes-vault/certs/minio-kes.cert
- Replace the ``vault.endpoint`` with the hostname of the Vault server(s).
- Replace the ``VAULTAPPID`` and ``VAULTAPPSECRET`` with the appropriate :ref:`Vault AppRole credentials <minio-sse-vault-prereq-vault>`.
b. Create the MinIO Environment File
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-configuration-minio-desc
:end-before: end-kes-configuration-minio-desc
4) Start KES and MinIO
~~~~~~~~~~~~~~~~~~~~~~
You must start KES *before* starting MinIO.
The MinIO deployment requires access to KES as part of its startup.
a. Start the KES Server
.. include:: /includes/macos/common-minio-kes.rst
:start-after: start-kes-start-server-desc
:end-before: end-kes-start-server-desc
b. Start the MinIO Server
.. include:: /includes/macos/common-minio-kes.rst
:start-after: start-kes-minio-start-server-desc
:end-before: end-kes-minio-start-server-desc
5) Generate a New Encryption Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-generate-key-desc
:end-before: end-kes-generate-key-desc
6) Enable SSE-KMS for a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common/common-minio-kes.rst
:start-after: start-kes-enable-sse-kms-desc
:end-before: end-kes-enable-sse-kms-desc
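Review bot: `mkdir -P ~/minio-kes-vault/certs ~/minio-kes-vault/minio ~/minio-kes-vault/config` fails on macOS, whose `mkdir` has no `-P` option; the intent is lowercase `-p` (create parents, no error if present). Every later step writes into these directories, so as written the procedure stops at its first command. Three wording issues on the same page: step 1 is titled "Download KES and Create the Service File", but the macOS include it pulls in only downloads the binary and there is no service file on this platform; the overview bullet says MinIO is configured to use "the |KES| container", which belongs to the container variant of this page (here KES runs as a foreground process); and step 3a saves the config as `~/minio-kes-vault/config/kes-config.yaml` while the start command included in step 4a reads `~/minio-kes-vault/kes-server-config.yaml`, so one of the two paths has to change.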

View File

@ -20,7 +20,7 @@ You must keep the shell or terminal session open to keep the process running.
.. include:: /includes/macos/common-installation.rst
:start-after: start-run-minio-binary-desc
:end-before: start-run-minio-binary-desc
:end-before: end-run-minio-binary-desc
4) Connect to the MinIO Deployment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
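Review bot: correct fix; `:start-after:` and `:end-before:` previously named the same `start-run-minio-binary-desc` marker, so the include could never select the run instructions between the start and end markers.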