docs/source/includes/k8s/steps-configure-minio-kes-azure.rst

Deploy MinIO Tenant with Server-Side Encryption using Azure Key Vault

1) Access the Operator Console

Use the kubectl minio proxy command to temporarily forward traffic between the local host machine and the MinIO Operator Console:

kubectl minio proxy

The command returns output similar to the following:

Starting port forward of the Console UI.

To connect open a browser and go to http://localhost:9090

Current JWT to login: TOKEN

Open your browser to the specified URL and enter the JWT Token into the login page. You should see the Tenants page:

Click the + Create Tenant to start creating a MinIO Tenant.

2) Complete the Encryption Section

Reference the Deploy a MinIO Tenant <minio-k8s-deploy-minio-tenant> procedure for complete documentation of other Tenant settings.

To enable |SSE| with |rootkms-short| during Tenant deployment, select the Encryption section and toggle the switch to Enabled. You can then select the Azure Radio button to display the |rootkms-short| configuration settings.

An asterisk * marks required fields. The following table provides general guidance for those fields:

Field	Description
Endpoint	The hostname or IP address for the |rootkms-short| service to use for |SSE|. The MinIO Tenant |KES| pods must have network access to the specified endpoint.
Tenant ID Client ID Client Secret	Specify the |rootkms-short| credentials the MinIO Tenant should use when authenticating to the service. Review the Azure Prerequisites <minio-sse-azure-prereq-azure> for instructions on generating these values.

Once you have completed the |rootkms-short| configuration, you can finish any remaining sections of Tenant Deployment <minio-k8s-deploy-minio-tenant>.

3) Generate a New Encryption Key

4) Enable SSE-KMS for a Bucket