3.5 KiB
Deploy MinIO Tenant with Server-Side Encryption using Hashicorp Vault
1) Access the Operator Console
Use the kubectl minio proxy command to temporarily forward
traffic between the local host machine and the MinIO Operator
Console:
kubectl minio proxyThe command returns output similar to the following:
Starting port forward of the Console UI.
To connect open a browser and go to http://localhost:9090
Current JWT to login: TOKENOpen your browser to the specified URL and enter the JWT Token into
the login page. You should see the Tenants page:
Click the + Create Tenant to start creating a MinIO
Tenant.
2) Complete the Encryption Section
Reference the Deploy a MinIO Tenant <minio-k8s-deploy-minio-tenant>
procedure for complete documentation of other Tenant settings.
To enable |SSE| with Hashicorp Vault
during Tenant deployment, select the Encryption section and toggle the switch to Enabled. You can then
select the Vault
Radio button to Vault to display the Vault configuration
settings.
An asterisk * marks required fields. The following table
provides general guidance for those fields:
| Field | Description |
|---|---|
Endpoint |
The hostname or IP address for the Vault service
( The MinIO Tenant |KES| pods must have network access to the specified endpoint. For Vault services deployed in the same Kubernetes cluster
as the MinIO Tenant, you can specify either the service's cluster IP
or its For Vault services external to the Kubernetes cluster, you can specify that external hostname to the MinIO Tenant. This assumes that your Kubernetes network configuration supports routing internal traffic to external networks like the public internet. |
AppRole ID AppRole Secret |
Specify the Vault AppRole ID and AppRole Secret MinIO should use
when authenticating to the Vault service. Review the MinIO defaults to using the KV Version 1
engine. You can specify |
Once you have completed the Vault configuration, you can finish any
remaining sections of Tenant Deployment <minio-k8s-deploy-minio-tenant>.