Deploy MinIO Tenant with Server-Side Encryption using GCP Secret Manager
1) Access the Operator Console
Use the kubectl minio proxy command to temporarily forward traffic between the local host machine and the MinIO Operator Console:
kubectl minio proxy
The command returns output similar to the following:
Starting port forward of the Console UI.
To connect open a browser and go to http://localhost:9090
Current JWT to login: TOKEN
Open your browser to the specified URL and enter the JWT Token into the login page. You should see the Tenants page.
Click the + Create Tenant to start creating a MinIO Tenant.
2) Complete the Encryption Section
Reference the Deploy a MinIO Tenant procedure for complete documentation of other Tenant settings.
To enable SSE with GCP Secret Manager during Tenant deployment, select the Encryption section and toggle the switch to Enabled. You can then select the GCP radio button to display the GCP Secret Manager configuration settings.
An asterisk * marks required fields. The following table provides general guidance for those fields:
Field | Description |
---|---|
Project ID, Endpoint | The Project ID and endpoint for the GCP Secret Manager service to use for SSE. The MinIO Tenant KES pods must have network access to the specified endpoint. |
Client Email, Client ID, Private Key ID, Private Key | Specify the credentials for the GCP user with which the Tenant authenticates to the GCP Secret Manager service. Review the GCP Secret Manager Prerequisites for instructions on generating these values. |
Once you have completed the GCP Secret Manager configuration, you can finish any remaining sections of Tenant Deployment.
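The credential fields in the table above have the same names as fields in a GCP service account key. As an added example (not part of the MinIO documentation), this Python helper assumes the credentials were exported as a standard service account JSON key file, maps its fields to the Console labels, rejects an incomplete or wrong-type file, and redacts the private key before anything is printed. The sample key and all of its values are constructed placeholders; Endpoint is not in the key file and is entered separately.

```python
import json

# Console field label -> key name in a GCP service account JSON key file.
CONSOLE_FIELDS = {
    "Project ID": "project_id",
    "Client Email": "client_email",
    "Client ID": "client_id",
    "Private Key ID": "private_key_id",
    "Private Key": "private_key",
}

def console_values(key_json):
    """Return {Console field: value}; raise ValueError on an unusable key file."""
    key = json.loads(key_json)
    if not isinstance(key, dict) or key.get("type") != "service_account":
        raise ValueError("not a service account key file")
    missing = [name for name in CONSOLE_FIELDS.values() if not key.get(name)]
    if missing:
        raise ValueError("key file is missing: " + ", ".join(missing))
    pem = key["private_key"].strip()
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.endswith("-----END PRIVATE KEY-----")):
        raise ValueError("private_key is not a PEM PKCS#8 block")
    return {label: key[name] for label, name in CONSOLE_FIELDS.items()}

def redacted(values):
    """Copy that is safe to print or log: the private key body is never shown."""
    out = dict(values)
    out["Private Key"] = "<PEM, %d chars, redacted>" % len(values["Private Key"])
    return out

# Constructed sample key file (placeholder values, not a real credential).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
    "client_email": "kes-sa@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
})

if __name__ == "__main__":
    for label, value in redacted(console_values(SAMPLE_KEY)).items():
        print(f"{label}: {value}")
```

Paste the private key into the Console directly from the key file rather than from terminal output, so it does not end up in shell history or scrollback.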