This document explains how to enable KES with MinIO Operator.
- MinIO Operator up and running as explained in the document here.
- KES requires a KMS backend in its configuration. Currently KES supports AWS Secrets Manager and HashiCorp Vault as KMS backends for production. Set up one of these as the KMS backend before setting up KES.
We have an example Tenant with KES encryption available at examples/tenant-kes-encryption.
You can install the example like:

```sh
kubectl apply -k github.com/minio/operator/examples/kustomization/tenant-kes-encryption
```
KES configuration is part of the Tenant YAML file. Check the sample file available here. The configuration offers the following options:
Field | Description |
---|---|
spec.kes | Defines the KES configuration. Refer to this. |
spec.kes.replicas | Number of KES pods to be created. |
spec.kes.image | Defines the KES image. |
spec.kes.kesSecret | Secret to specify KES Configuration. This is a mandatory field. |
spec.kes.metadata | Maps metadata to the KES pods. Internally, metadata is a struct type as explained here. |
A complete list of values is available here in the API reference.
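
A pre-apply check for the `spec.kes` fields listed in the table, added here as an example; it is not part of the MinIO Operator documentation or code base. It assumes the manifests have been rendered to JSON, and that `spec.kes.kesSecret` references a Secret by `name` in the Tenant's own namespace; `check_kes` and the sample bundle are constructed for illustration.

```python
import json

# Constructed sample bundle (not from the MinIO repository): one Tenant and the
# Secret it references. The kesSecret.name shape is an assumption (see lead-in);
# the Secret's contents are omitted because the check does not inspect them.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"apiVersion": "minio.min.io/v2", "kind": "Tenant",
   "metadata": {"name": "tenant-a", "namespace": "tenant-a"},
   "spec": {"kes": {"replicas": 2,
                    "kesSecret": {"name": "kes-configuration"}}}},
  {"apiVersion": "v1", "kind": "Secret",
   "metadata": {"name": "kes-configuration", "namespace": "tenant-a"}}
]}
""")


def _ns_name(obj):
    """Return (namespace, name) for a manifest object."""
    meta = obj.get("metadata", {})
    return meta.get("namespace", "default"), meta.get("name", "")


def check_kes(bundle):
    """Return findings for every Tenant in the bundle that sets spec.kes."""
    # Accept a kind: List object, a single object, or a plain list of objects.
    items = bundle.get("items", [bundle]) if isinstance(bundle, dict) else list(bundle)
    secrets = {_ns_name(o) for o in items if o.get("kind") == "Secret"}
    findings = []
    for obj in items:
        kes = (obj.get("spec") or {}).get("kes")
        if obj.get("kind") != "Tenant" or kes is None:
            continue  # not a Tenant, or a Tenant without KES
        ns, tenant = _ns_name(obj)
        secret = (kes.get("kesSecret") or {}).get("name")
        if not secret:
            findings.append(f"{ns}/{tenant}: spec.kes.kesSecret is mandatory but not set")
        elif (ns, secret) not in secrets:
            findings.append(f"{ns}/{tenant}: Secret {secret!r} is not in this bundle; "
                            f"it must already exist in namespace {ns!r}")
    return findings


if __name__ == "__main__":
    print(check_kes(SAMPLE) or "spec.kes references are consistent")
```

A "not in this bundle" finding is a prompt to confirm the Secret is created out of band, which is common when the KMS credentials it holds are kept out of the manifest repository.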