Completion of SSE-KMS doc rewrite (#539)

2025-07-28 19:42:10 +03:00 · 2022-09-06 17:38:08 -04:00
parent fc85a37c70
commit 40cd778e5b
44 changed files with 3325 additions and 1568 deletions
--- a/source/includes/k8s/common-minio-kes.rst
+++ b/source/includes/k8s/common-minio-kes.rst
@ -8,61 +8,11 @@ This procedure assumes an existing `Hashicorp Vault <https://www.vaultproject.io

 Defer to the `Vault Documentation <https://learn.hashicorp.com/vault>`__ for guidance on deployment and configuration.

-MinIO |KES| supports both the V1 and V2 Vault engines.
-Select the corresponding tab to the engine used by your Vault deployment for instructions on configuring the necessary permissions:
-
-.. tab-set::
-
-   .. tab-item:: Vault Engine V1
-
-      Create an access policy ``kes-policy.hcl`` with a configuration similar to the following:
-         
-      .. code-block:: shell
-         :class: copyable
-
-         path "kv/*" {
-               capabilities = [ "create", "read", "delete" ]
-         }
-
-      Write the policy to Vault using ``vault policy write kes-policy kes-policy.hcl``.
-
-   .. tab-item:: Vault Engine V2
-
-      Create an access policy ``kes-policy.hcl`` with a configuration similar to the following:
-
-      .. code-block:: shell
-         :class: copyable
-
-         path "kv/data/*" {
-               capabilities = [ "create", "read"]
-
-         path "kv/metadata/*" {
-               capabilities = [ "list", "delete"]
-         
-      Write the policy to Vault using ``vault policy write kes-policy kes-policy.hcl``
-
-MinIO requires using AppRole authentication for secure communication with the Vault server.
-The following commands:
-
- Create an App Role ID for |KES|
- Binds that role to the created KES policy
- Requests a RoleID and SecretID
-
-  .. code-block:: shell
-     :class: copyable
-
-     vault write    auth/approle/role/kes-role token_num_uses=0 secret_id_num_uses=0 period=5m
-     vault write    auth/approle/role/kes-role policies=kes-policy
-     vault read     auth/approle/role/kes-role/role-id
-     vault write -f auth/approle/role/kes-role/secret-id
-
-You must specify both RoleID and SecretID as part of this procedure.
-
 .. end-kes-prereq-hashicorp-vault-desc

 .. start-kes-enable-sse-kms-desc

-You can use either the MinIO Tennat Console or the MinIO :mc:`mc` CLI to enable bucket-default SSE-KMS with the generated key:
+You can use either the MinIO Tenant Console or the MinIO :mc:`mc` CLI to enable bucket-default SSE-KMS with the generated key:

 .. tab-set::

--- a/source/includes/k8s/steps-configure-minio-kes-aws.rst
+++ b/source/includes/k8s/steps-configure-minio-kes-aws.rst
@ -0,0 +1,89 @@
+Deploy MinIO Tenant with Server-Side Encryption using AWS SecretsManager
+------------------------------------------------------------------------
+
+1) Access the Operator Console
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Use the :mc-cmd:`kubectl minio proxy` command to temporarily forward traffic between the local host machine and the MinIO Operator Console:
+
+.. code-block:: shell
+   :class: copyable
+
+   kubectl minio proxy
+
+The command returns output similar to the following:
+
+.. code-block:: shell
+
+   Starting port forward of the Console UI.
+
+   To connect open a browser and go to http://localhost:9090
+
+   Current JWT to login: TOKEN
+
+Open your browser to the specified URL and enter the JWT Token into the login page. 
+You should see the :guilabel:`Tenants` page:
+
+.. image:: /images/k8s/operator-dashboard.png
+   :align: center
+   :width: 70%
+   :class: no-scaled-link
+   :alt: MinIO Operator Console
+
+Click the :guilabel:`+ Create Tenant` to start creating a MinIO Tenant.
+
+2) Complete the :guilabel:`Encryption` Section
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Reference the :ref:`Deploy a MinIO Tenant <minio-k8s-deploy-minio-tenant>` procedure for complete documentation of other Tenant settings.
+
+To enable |SSE| with AWS Key Management Service during Tenant deployment, select the :guilabel:`Encryption` section and toggle the switch to :guilabel:`Enabled`. 
+You can then change the :guilabel:`Vault` Radio button to :guilabel:`AWS` to display the configuration settings.
+
+.. image:: /images/k8s/operator-create-tenant-encryption-aws.png
+   :align: center
+   :width: 70%
+   :class: no-scaled-link
+   :alt: MinIO Operator Console - Create a Tenant - Encryption Section - AWS Key Management Service
+
+An asterisk ``*`` marks required fields.
+The following table provides general guidance for those fields:
+
+.. list-table::
+   :header-rows: 1
+   :widths: 40 60
+   :width: 100%
+
+   * - Field
+     - Description
+
+   * - | Endpoint
+       | Region
+
+     - The hostname and AWS region for the AWS Secrets Manager instance (``https://secretmanager.us-east-2.amazonaws.com`` and ``us-east-2``) to use for |SSE|.
+       
+       The MinIO Tenant |KES| pods *must* have network access to the specified endpoint.
+       This procedure assumes that your Kubernetes network configuration supports routing internal traffic to external networks like the public internet.
+
+   * - | Access Key
+       | Secret Key
+       | Token
+
+     - Specify the AWS User Access Key and Secret Key MinIO should use when authenticating to the Vault service.
+       Review the :ref:`AWS Prerequisites <minio-sse-aws-prereq-aws>` for instructions on generating these values.
+
+Once you have completed the AWS |KMS| configuration, you can finish any remaining sections of :ref:`Tenant Deployment <minio-k8s-deploy-minio-tenant>`.
+
+3) Generate a New Encryption Key
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/k8s/common-minio-kes.rst
+   :start-after: start-kes-generate-key-desc
+   :end-before: end-kes-generate-key-desc
+
+4) Enable SSE-KMS for a Bucket
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/k8s/common-minio-kes.rst
+   :start-after: start-kes-enable-sse-kms-desc
+   :end-before: end-kes-enable-sse-kms-desc
--- a/source/includes/k8s/steps-configure-minio-kes-azure.rst
+++ b/source/includes/k8s/steps-configure-minio-kes-azure.rst
@ -0,0 +1,87 @@
+Deploy MinIO Tenant with Server-Side Encryption using Azure Key Vault
+---------------------------------------------------------------------
+
+1) Access the Operator Console
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Use the :mc-cmd:`kubectl minio proxy` command to temporarily forward traffic between the local host machine and the MinIO Operator Console:
+
+.. code-block:: shell
+   :class: copyable
+
+   kubectl minio proxy
+
+The command returns output similar to the following:
+
+.. code-block:: shell
+
+   Starting port forward of the Console UI.
+
+   To connect open a browser and go to http://localhost:9090
+
+   Current JWT to login: TOKEN
+
+Open your browser to the specified URL and enter the JWT Token into the login page. 
+You should see the :guilabel:`Tenants` page:
+
+.. image:: /images/k8s/operator-dashboard.png
+   :align: center
+   :width: 70%
+   :class: no-scaled-link
+   :alt: MinIO Operator Console
+
+Click the :guilabel:`+ Create Tenant` to start creating a MinIO Tenant.
+
+2) Complete the :guilabel:`Encryption` Section
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Reference the :ref:`Deploy a MinIO Tenant <minio-k8s-deploy-minio-tenant>` procedure for complete documentation of other Tenant settings.
+
+To enable |SSE| with |rootkms-short| during Tenant deployment, select the :guilabel:`Encryption` section and toggle the switch to :guilabel:`Enabled`. 
+You can then select the :guilabel:`Azure` Radio button to display the |rootkms-short| configuration settings.
+
+.. image:: /images/k8s/operator-create-tenant-encryption-azure.png
+   :align: center
+   :width: 70%
+   :class: no-scaled-link
+   :alt: MinIO Operator Console - Create a Tenant - Encryption Section
+
+An asterisk ``*`` marks required fields.
+The following table provides general guidance for those fields:
+
+.. list-table::
+   :header-rows: 1
+   :widths: 40 60
+   :width: 100%
+
+   * - Field
+     - Description
+
+   * - Endpoint
+
+     - The hostname or IP address for the |rootkms-short| service to use for |SSE|.
+       
+       The MinIO Tenant |KES| pods *must* have network access to the specified endpoint. 
+
+   * - | Tenant ID
+       | Client ID
+       | Client Secret
+
+     - Specify the |rootkms-short| credentials the MinIO Tenant should use when authenticating to the service.
+       Review the :ref:`Azure Prerequisites <minio-sse-azure-prereq-azure>` for instructions on generating these values.
+
+Once you have completed the |rootkms-short| configuration, you can finish any remaining sections of :ref:`Tenant Deployment <minio-k8s-deploy-minio-tenant>`.
+
+3) Generate a New Encryption Key
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/k8s/common-minio-kes.rst
+   :start-after: start-kes-generate-key-desc
+   :end-before: end-kes-generate-key-desc
+
+4) Enable SSE-KMS for a Bucket
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/k8s/common-minio-kes.rst
+   :start-after: start-kes-enable-sse-kms-desc
+   :end-before: end-kes-enable-sse-kms-desc
--- a/source/includes/k8s/steps-configure-minio-kes-gcp.rst
+++ b/source/includes/k8s/steps-configure-minio-kes-gcp.rst
@ -0,0 +1,89 @@
+Deploy MinIO Tenant with Server-Side Encryption using GCP Secret Manager
+------------------------------------------------------------------------
+
+1) Access the Operator Console
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Use the :mc-cmd:`kubectl minio proxy` command to temporarily forward traffic between the local host machine and the MinIO Operator Console:
+
+.. code-block:: shell
+   :class: copyable
+
+   kubectl minio proxy
+
+The command returns output similar to the following:
+
+.. code-block:: shell
+
+   Starting port forward of the Console UI.
+
+   To connect open a browser and go to http://localhost:9090
+
+   Current JWT to login: TOKEN
+
+Open your browser to the specified URL and enter the JWT Token into the login page. 
+You should see the :guilabel:`Tenants` page:
+
+.. image:: /images/k8s/operator-dashboard.png
+   :align: center
+   :width: 70%
+   :class: no-scaled-link
+   :alt: MinIO Operator Console
+
+Click the :guilabel:`+ Create Tenant` to start creating a MinIO Tenant.
+
+2) Complete the :guilabel:`Encryption` Section
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Reference the :ref:`Deploy a MinIO Tenant <minio-k8s-deploy-minio-tenant>` procedure for complete documentation of other Tenant settings.
+
+To enable |SSE| with |rootkms-short| during Tenant deployment, select the :guilabel:`Encryption` section and toggle the switch to :guilabel:`Enabled`. 
+You can then select the :guilabel:`GCP` Radio button to display the |rootkms-short| configuration settings.
+
+.. image:: /images/k8s/operator-create-tenant-encryption-gcp.png
+   :align: center
+   :width: 70%
+   :class: no-scaled-link
+   :alt: MinIO Operator Console - Create a Tenant - Encryption Section - GCP
+
+An asterisk ``*`` marks required fields.
+The following table provides general guidance for those fields:
+
+.. list-table::
+   :header-rows: 1
+   :widths: 40 60
+   :width: 100%
+
+   * - Field
+     - Description
+
+   * - | Project ID
+       | Endpoint
+
+     - The Project ID and endpoint for the |rootkms-short| service to use for |SSE|.
+       
+       The MinIO Tenant |KES| pods *must* have network access to the specified endpoint.
+
+   * - | Client Email
+       | Client ID
+       | Private Key ID
+       | Private Key
+
+     - Specify the credentials for the GCP user with which the Tenant authenticates to the |rootkms-short| service.
+       Review the :ref:`GCP Secret Manager Prerequisites <minio-sse-gcp-prereq-gcp>` for instructions on generating these values.
+
+Once you have completed the |rootkms-short| configuration, you can finish any remaining sections of :ref:`Tenant Deployment <minio-k8s-deploy-minio-tenant>`.
+
+3) Generate a New Encryption Key
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/k8s/common-minio-kes.rst
+   :start-after: start-kes-generate-key-desc
+   :end-before: end-kes-generate-key-desc
+
+4) Enable SSE-KMS for a Bucket
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/k8s/common-minio-kes.rst
+   :start-after: start-kes-enable-sse-kms-desc
+   :end-before: end-kes-enable-sse-kms-desc
--- a/source/includes/k8s/steps-configure-minio-kes-hashicorp.rst
+++ b/source/includes/k8s/steps-configure-minio-kes-hashicorp.rst
@ -1,29 +1,3 @@
-This procedure assumes you have access to a Kubernetes cluster with an active MinIO Operator installation.
-As part of this procedure, you will:
-
- Use the MinIO Operator Console to create or manage a MinIO Tenant.
- Access the :guilabel:`Encryption` settings for that tenant and configure |SSE| using Hashicorp Vault.
- Create a new |EK| on Vault for use with |SSE|.
- Configure automatic bucket-default :ref:`SSE-KMS <minio-encryption-sse-kms>`.
-
-.. important::
-
-   .. include:: /includes/common/common-minio-kes.rst
-      :start-after: start-kes-encrypted-backend-desc
-      :end-before: end-kes-encrypted-backend-desc
-
-Prerequisites
-------------
-
-.. _minio-sse-vault-prereq-vault:
-
-Deploy or Ensure Access to a Hashicorp Vault Service
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-.. include:: /includes/k8s/common-minio-kes.rst
-   :start-after: start-kes-prereq-hashicorp-vault-desc
-   :end-before: end-kes-prereq-hashicorp-vault-desc
-
 Deploy MinIO Tenant with Server-Side Encryption using Hashicorp Vault
 ---------------------------------------------------------------------