
minio tenant ‐ kes ‐ secrets

Allan Roger Reid edited this page Nov 16, 2023 · 2 revisions

KES Secrets

1 <tenant>-kes-tls

  • contains the KES server public certificate and private key
  • referenced by the KES server configuration YAML
  • lets the client (MinIO) trust the KES server certificate (mounted as CAs/kes.crt) and avoids the error "x509: certificate signed by unknown authority"

Mount A

  • on <tenant>-kes-<number> in container minio
  • at /tmp/kes
  • as
    • server.crt from public.crt
    • server.key from private.key

Mount B

  • on <tenant>-pool-0-<number>
  • at /tmp/certs
  • as
    • CAs/kes.crt from public.crt

2 <tenant>-client-tls

  • contains client (minio) public certificate and private key

Mount 1

  • on <tenant>-kes-<number>
  • at /tmp/kes
  • as
    • client.crt from public.crt
    • client.key from private.key

3 kes-configuration

  • contains KES server configuration yaml

Mount 1

  • on <tenant>-kes-<number>
  • at /tmp/kes
  • as
    • server-config.yaml from server-config.yaml

Note: if Vault is installed with TLS, the Vault CA certificate must also be installed on the KES server and be referenced from the configuration YAML as .tls.ca

See example at https://github.com/allanrogerr/public/wiki/vm-broker-%E2%80%90-kes-%E2%80%90-hashicorp#configure-kes-server
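The following script is an added example, not code from this wiki or from the MinIO project. It renders the three Secrets listed above (<tenant>-kes-tls, <tenant>-client-tls and kes-configuration) as Kubernetes manifests, renders a server-config.yaml that points KES at the /tmp/kes mount paths and carries the Vault CA path from the Note, and checks that a mount directory contains the files each mount is expected to provide. The tenant name "myminio", the namespace "minio-tenant", the Vault endpoint, the Vault CA file name vault-ca.crt, the AppRole placeholders and the PEM contents are all constructed for the example; the Vault section uses KES's keystore.vault block, so the Note's .tls.ca lands at keystore.vault.tls.ca.

```shell
#!/bin/sh
# Added example (not from the MinIO project or this wiki). All certificate
# material below is constructed placeholder text, not real keys.
set -eu

# base64 without line wrapping, portable across GNU and BSD base64.
b64() { base64 < "$1" | tr -d '\n'; }

# Write placeholder PEM files so the example runs offline (constructed, not real keys).
make_sample_pem() {
  dir=$1
  mkdir -p "$dir"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'EXAMPLECERT' '-----END CERTIFICATE-----' > "$dir/public.crt"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'EXAMPLEKEY' '-----END PRIVATE KEY-----' > "$dir/private.key"
}

# Render an Opaque Secret holding public.crt and private.key, the key names the
# page shows being projected to server.crt/server.key, client.crt/client.key
# and CAs/kes.crt at mount time.
render_tls_secret() {
  name=$1; ns=$2; crt=$3; key=$4
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: Opaque
data:
  public.crt: $(b64 "$crt")
  private.key: $(b64 "$key")
EOF
}

# Render the KES server config. tls.cert/tls.key are the container paths from
# Mount A. The Vault block is a placeholder; keystore.vault.tls.ca is the
# Note's .tls.ca entry and must point at the Vault CA installed on the KES pod.
render_kes_config() {
  vault_endpoint=$1; vault_ca=$2
  cat <<EOF
address: 0.0.0.0:7373
tls:
  cert: /tmp/kes/server.crt
  key: /tmp/kes/server.key
keystore:
  vault:
    endpoint: $vault_endpoint
    approle:
      id: PLACEHOLDER_ROLE_ID
      secret: PLACEHOLDER_SECRET_ID
    tls:
      ca: $vault_ca
EOF
}

# Render the kes-configuration Secret that carries server-config.yaml.
render_config_secret() {
  ns=$1; cfg=$2
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: kes-configuration
  namespace: $ns
type: Opaque
data:
  server-config.yaml: $(b64 "$cfg")
EOF
}

# Check that a mount path carries every file the page lists for it; returns 1
# and names the first missing or empty file otherwise.
check_mount_layout() {
  dir=$1; shift
  for f in "$@"; do
    [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
  done
  return 0
}

# Usage: build the sample inputs and write the manifests to a scratch directory.
work=$(mktemp -d)
make_sample_pem "$work/kes"
make_sample_pem "$work/client"
render_tls_secret myminio-kes-tls minio-tenant "$work/kes/public.crt" "$work/kes/private.key" > "$work/myminio-kes-tls.yaml"
render_tls_secret myminio-client-tls minio-tenant "$work/client/public.crt" "$work/client/private.key" > "$work/myminio-client-tls.yaml"
render_kes_config https://vault.example.internal:8200 /tmp/kes/vault-ca.crt > "$work/server-config.yaml"
render_config_secret minio-tenant "$work/server-config.yaml" > "$work/kes-configuration.yaml"
# Simulate Mount A and the kes-configuration mount in one directory and verify it.
mkdir -p "$work/mnt"
cp "$work/kes/public.crt" "$work/mnt/server.crt"
cp "$work/kes/private.key" "$work/mnt/server.key"
cp "$work/server-config.yaml" "$work/mnt/server-config.yaml"
check_mount_layout "$work/mnt" server.crt server.key server-config.yaml
echo "manifests written to $work"
```

Each rendered manifest can be applied with kubectl apply -f; check_mount_layout is meant to be run inside the KES or MinIO container against /tmp/kes or /tmp/certs (with CAs/kes.crt as the file name for Mount B) to confirm the projection matches the mapping the page describes before chasing TLS errors elsewhere.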
