@djwfyi cursory review in case I missed something. Closes #580. I do need to do further testing beyond the patches here. But I'm going to handle that out-of-band.
Deploy MinIO and KES with Server-Side Encryption using Hashicorp Vault
Prior to starting these steps, create the following folders (the flag is lowercase -p, which creates parent directories as needed):
mkdir -p |kescertpath|
mkdir -p |kesconfigpath|
mkdir -p |miniodatapath|
1) Download the KES Binary
2) Generate TLS Certificates for KES and MinIO
Depending on your Vault configuration, you may need to pass the kes-server.cert as a trusted Certificate Authority. See the Hashicorp Vault Configuration Docs for more information. Defer to the client documentation for instructions on trusting a third-party CA.
3) Create the KES and MinIO Configurations
Create the KES Configuration File
Create the configuration file using your preferred text editor. The following example uses nano:
nano |kesconfigpath|/kes-config.yaml
Set MINIO_IDENTITY_HASH to the identity hash of the MinIO mTLS certificate. The following command computes the necessary hash:
kes identity of |miniocertpath|/minio-kes.cert
Replace the vault.endpoint with the hostname of the Vault server(s). Replace the VAULTAPPID and VAULTAPPSECRET with the appropriate Vault AppRole credentials.
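The following kes-config.yaml is an added example (not the file shipped with this documentation) showing where the three values above go: the KES TLS key pair from step 2, the MinIO identity hash bound to a least-privilege policy, and the Vault endpoint and AppRole credentials. The hostname, paths and placeholder values are assumptions; replace them with your own.

```yaml
# Listen on all interfaces; MinIO connects here over mTLS.
address: 0.0.0.0:7373

# Disable the root identity: SSE only needs the scoped policy below.
root: disabled

# TLS key pair generated for KES in step 2 (assumed paths).
tls:
  key:  |kescertpath|/kes-server.key
  cert: |kescertpath|/kes-server.cert

# Least-privilege policy for MinIO: only key creation, DEK generation
# and DEK decryption, and only for the client whose mTLS certificate
# hashes to MINIO_IDENTITY_HASH (output of "kes identity of").
policy:
  minio:
    allow:
    - /v1/key/create/*
    - /v1/key/generate/*
    - /v1/key/decrypt/*
    identities:
    - MINIO_IDENTITY_HASH   # replace with the computed hash

# Vault keystore: endpoint, K/V engine, and AppRole credentials.
keystore:
  vault:
    endpoint: https://vault.example.net:8200   # assumed hostname
    engine: "/kv"       # path of the K/V engine KES should use
    version: "v1"       # "v1" or "v2", matching the engine version
    approle:
      id: "VAULTAPPID"         # replace with the AppRole ID
      secret: "VAULTAPPSECRET" # replace with the AppRole Secret ID
      retry: 15s
    status:
      ping: 10s
    # Needed when Vault presents a certificate from a private CA;
    # otherwise KES rejects the Vault TLS certificate.
    tls:
      ca: |kescertpath|/vault-tls.cert
```

Keep the AppRole secret out of version control and restrict read access on this file to the KES service account, since it grants key-management access to Vault.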
Create the MinIO Environment File
Create the environment file using your preferred text editor. The following example uses nano:
nano |minioconfigpath|/minio
4) Start KES and MinIO
You must start KES before starting MinIO. The MinIO deployment requires access to KES as part of its startup.
- Start the KES Server
- Start the MinIO Server
Foreground processes depend on the shell or terminal in which they run. Exiting or terminating the shell/terminal instance also kills the attached process. Defer to your operating system best practices for running processes in the background.