Deploying MinIO KES and HashiCorp Vault with docker-compose

I want to use KES and HashiCorp Vault to encrypt the files in MinIO. Without Docker, I successfully used these servers to encrypt files. My problem is that I want to run the KES container with docker-compose. When I run the kes container without HashiCorp Vault, the Docker container starts, but when I add HashiCorp Vault as the keystore in the kes configuration file, the kes container fails to start.
This is my KES docker-compose file:

version: '3.7'
services:
  minio-kes:
    image: minio/kes:latest
    container_name: minio-kes
    restart: always
    volumes:
      - /home/zahra/docker/kes/certs:/root/.kes/certs    
      - /home/zahra/docker/kes/config:/root/.kes/config
      - /home/zahra/vault/certs:/root/.kes/vault/certs
    environment:
      - KES_SERVER=https://127.0.0.1:7373
      - KES_CLIENT_KEY=/root/.kes/certs/client.key
      - KES_CLIENT_CERT=/root/.kes/certs/client.cert
      
    ports:
      - "7373:7373"
    command: server --config=/root/.kes/config/config.yaml --auth=off 
    expose:
      - "7373"
    network_mode: "host"

This is the configuration file with which I run the KES server without Vault:

address: 0.0.0.0:7373 # Listen on all network interfaces on port 7373

root: disabled

tls:
  key: /root/.kes/certs/server.key    # The KES server TLS private key
  cert: /root/.kes/certs/server.cert    # The KES server TLS certificate

policy:
  admin:
    paths:
      - /v1/key/create/*
      - /v1/key/generate/*
      - /v1/key/decrypt/*      
      - /v1/key/delete/*
      - /v1/key/list/*
      - /v1/identity/list/*
    identities:
      - MY-IDENTITY # Use the identity of your client.crt
keys:
  fs:
    path: ./keys  
log:
  error: on
  audit: on 

But when I use the following configuration file, which includes vault, the kes container fails to start and shows "Error: no admin identity specified".

This is my kes configuration file with vault:

address: 0.0.0.0:7373 # Listen on all network interfaces on port 7373

root: disabled

tls:
  key: /root/.kes/certs/server.key    # The KES server TLS private key
  cert: /root/.kes/certs/server.cert    # The KES server TLS certificate

policy:
  admin:
    paths:
      - /v1/key/create/*
      - /v1/key/generate/*
      - /v1/key/decrypt/*      
      - /v1/key/delete/*
      - /v1/key/list/*
      - /v1/identity/list/*
    identities:
      - MY_IDENTITY # Use the identity of your client.crt
    
keystore:
  vault:
    endpoint: https://127.0.0.1:8200
    version:  v1 # The K/V engine version - either "v1" or "v2".
    approle:
      id:     MY-ID # Your AppRole ID
      secret: MY-SECRET # Your AppRole Secret
      retry:  15s
    status:
      ping: 10s
    tls:
      ca: /root/.kes/vault/certs/server.cert # Manually trust the vault certificate since we use self-signed certificates
log:
  error: on
  audit: on 
1 Answer

The problem arose because I originally installed KES without Docker, using the following commands to install the instance.
wget https://github.com/minio/kes/releases/download/v0.16.1/kes-linux-amd64 -O /tmp/kes && \
chmod +x /tmp/kes && \
sudo mv /tmp/kes /usr/local/bin

kes --version

My KES version was v0.16.1, and it works with the following:

root: disabled

But when I start the KES server in a Docker container, the version is v0.19.1, which requires the following configuration:

admin:
   identity: disabled

So my final KES configuration file is as follows:

address: 0.0.0.0:7373 # Listen on all network interfaces on port 7373

admin:
  identity: disabled

tls:
  key: /root/.kes/certs/server.key    # The KES server TLS private key
  cert: /root/.kes/certs/server.cert    # The KES server TLS certificate

policy:
  admin:
    allow:
      - /v1/key/create/*
      - /v1/key/generate/*
      - /v1/key/decrypt/*      
      - /v1/key/delete/*
      - /v1/key/list/*
      - /v1/identity/list/*
    identities:
      - MY-IDENTITY # Use the identity of your client.crt

keystore:
  vault:
    endpoint: https://127.0.0.1:8200
    version:  v1 # The K/V engine version - either "v1" or "v2".
    approle:
      id:     MY-ID # Your AppRole ID
      secret: MY-SECRET # Your AppRole Secret
      retry:  15s
    status:
      ping: 10s
    tls:
      ca: /root/.kes/vault/certs/server.cert # Manually trust the vault certificate since we use self-signed certificates
log:
  error: on
  audit: on 

Now my KES container starts successfully. Thanks to the minio/kes community for answering my question at this link.
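The answer above boils down to a schema difference between the two KES versions: the v0.16 file used `root: disabled` and `policy.<name>.paths`, while the v0.19 file on the page uses `admin.identity: disabled` and `policy.<name>.allow`, and a v0.19 server that finds no `admin` block refuses to start with "no admin identity specified". The following is an added example (not code from the Stack Overflow post or from the KES project) that lints a parsed KES config for exactly these two layouts and rewrites the old one into the new one. It assumes the config has already been loaded into a Python dict (as `yaml.safe_load` would produce); the sample dict mirrors the questioner's Vault config with its placeholder identities and is constructed here so the script runs with the standard library only.

```python
"""Lint and migrate a MinIO KES server config between the v0.16 and v0.19
schemas seen in the question above.

Added example, not from the Stack Overflow post or from the KES project.
The only schema facts it encodes are the ones visible on the page:
  v0.16:  root: <identity|disabled>        policy.<name>.paths: [...]
  v0.19:  admin: {identity: <id|disabled>} policy.<name>.allow: [...]
"""

import copy
from typing import Any, Dict, List, Tuple

# Constructed sample: the questioner's "with vault" config as a dict,
# i.e. what yaml.safe_load() would return for it. Identities and AppRole
# values are the page's own placeholders, not real secrets.
OLD_STYLE_CONFIG: Dict[str, Any] = {
    "address": "0.0.0.0:7373",
    "root": "disabled",
    "tls": {
        "key": "/root/.kes/certs/server.key",
        "cert": "/root/.kes/certs/server.cert",
    },
    "policy": {
        "admin": {
            "paths": [
                "/v1/key/create/*", "/v1/key/generate/*", "/v1/key/decrypt/*",
                "/v1/key/delete/*", "/v1/key/list/*", "/v1/identity/list/*",
            ],
            "identities": ["MY-IDENTITY"],
        }
    },
    "keystore": {
        "vault": {
            "endpoint": "https://127.0.0.1:8200",
            "version": "v1",
            "approle": {"id": "MY-ID", "secret": "MY-SECRET", "retry": "15s"},
            "status": {"ping": "10s"},
            "tls": {"ca": "/root/.kes/vault/certs/server.cert"},
        }
    },
    "log": {"error": "on", "audit": "on"},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'v0.19.1' -> (0, 19, 1); tolerates a leading 'v'."""
    return tuple(int(part) for part in text.lstrip("v").split("."))


def lint_kes_config(cfg: Dict[str, Any], kes_version: Tuple[int, ...]) -> List[str]:
    """Return human-readable findings; an empty list means the config uses
    the key names the given KES version expects (per the page's examples)."""
    findings: List[str] = []
    new_schema = tuple(kes_version[:2]) >= (0, 19)
    policies = cfg.get("policy") or {}

    if new_schema:
        if "root" in cfg:
            findings.append("'root' is the v0.16 key; v0.19 reads 'admin.identity' instead")
        admin = cfg.get("admin")
        if not isinstance(admin, dict) or "identity" not in admin:
            # This is the condition behind the page's startup error.
            findings.append("no admin identity specified: add 'admin: {identity: disabled}' "
                            "or an identity hash")
        for name, pol in policies.items():
            if "paths" in pol:
                findings.append(f"policy '{name}': 'paths' is the v0.16 key; v0.19 uses 'allow'")
    else:
        if "admin" in cfg:
            findings.append("'admin' is a v0.19 key; v0.16 reads 'root' instead")
        if "root" not in cfg:
            findings.append("no 'root' identity specified; set 'root: disabled' or an identity hash")
        for name, pol in policies.items():
            if "allow" in pol:
                findings.append(f"policy '{name}': 'allow' is the v0.19 key; v0.16 uses 'paths'")

    # Version-independent sanity check: a policy nobody is bound to is dead weight.
    for name, pol in policies.items():
        if not pol.get("identities"):
            findings.append(f"policy '{name}' binds no identities, so no client can use it")
    return findings


def migrate_config(cfg: Dict[str, Any]) -> Dict[str, Any]:
    """Return a deep copy rewritten from the v0.16 layout to the v0.19 layout.
    The input is left untouched so the caller can diff old against new."""
    new = copy.deepcopy(cfg)
    if "root" in new:
        new["admin"] = {"identity": new.pop("root")}
    for pol in (new.get("policy") or {}).values():
        if "paths" in pol:
            pol["allow"] = pol.pop("paths")
    return new


if __name__ == "__main__":
    for line in lint_kes_config(OLD_STYLE_CONFIG, parse_version("v0.19.1")):
        print("v0.19.1:", line)
    fixed = migrate_config(OLD_STYLE_CONFIG)
    print("after migration:", lint_kes_config(fixed, (0, 19, 1)) or "clean")
```

Run it against the old-style dict with version `v0.19.1` and it reports the `root` and `paths` keys plus the missing admin identity, which is the same startup error the question hit; after `migrate_config` the lint comes back clean. One separate point worth keeping in mind when reusing the compose file from the question: it starts the server with `--auth=off`, which in KES means a client certificate is still required but its issuing CA is not verified, so the only thing gating access is the policy's identity list.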
