Product
MinIO Enterprise Object Store
Overview Architecture
Features
MinIO for Public Cloud
AWS GCS Azure
MinIO for Private Cloud
OpenShift SUSE Rancher Tanzu
MinIO for Baremetal
Linux and Windows
Determine your raw and usable capacity Erasure Code Calculator MinIO's Recommended Hardware Configuration Reference Hardware
Solutions
AI Storage Object storage is powering the AI revolution. Learn how MinIO is leading the AI storage market through performance at scale. Modern Datalakes Modern, multi-engine datalakes depend on object stores that deliver performance at scale. Learn more about this core MinIO use case. Hybrid Cloud Effective multi-cloud storage strategies rely on utilizing architecture and tools that can function seamlessly across diverse environments. Equinix Repatriate your data onto the cloud you control with MinIO on Equinix to lower costs while maintaining public cloud adjacency. Splunk Find out how MinIO is delivering performance at scale for Splunk SmartStores. Snowflake Query and analyze multiple data sources, including streaming data, residing on MinIO with the Snowflake Data Cloud. No need to move the data, just query using SnowSQL. SQL Server Discover how to pair SQL Server 2022 with MinIO to run queries on your data on any cloud - without having to move it. HDFS Migration Modernize and simplify your big data storage infrastructure with high-performance, Kubernetes-native object storage from MinIO. VMware Discover how MinIO integrates with VMware across the portfolio from the Persistent Data platform to TKG and how we support their Kubernetes ambitions. Veeam Learn how MinIO and Veeam have partnered to drive performance and scalability for a variety of backup use cases. Commvault Learn how Commvault and MinIO are partnered to deliver performance at scale for mission critical backup and restore workloads. Integrations Browse our vast portfolio of integrations.
Community
GitHub Join our GitHub open source community: explore, experiment, ask questions, and contribute. Slack Channel The MinIO Community Slack provides an open forum for discussing topics related to MinIO. All support is provided on a best-effort basis.
Docs Blog Resources Training Partner Pricing Download

Renewing KES certificate

AJ AJ on Security
Renewing KES certificate

MiniO KES (Key Encryption Service) is a service developed by MinIO to bridge the gap between applications that run in Kubernetes and a centralized Key Management Service (KMS). The central KMS server contains all the state information, while the KES talks to the KMS when it is required to do any operation related to fetching new keys or updating existing ones. Once it fetches a key, as long as it doesn’t need to be updated or deleted, it will be cached in KES so the subsequent calls will be much faster.

So why use KES rather than directly using the KMS? Depending on the KMS used and the load it needs to handle, sometimes KMS systems do not have the capability or the support to handle large deployments where it has to manage hundreds if not thousands of keys back and forth while the Kubernetes cluster puts an enormous load on them. In these situations, it's paramount you use KES because it can scale horizontally very easily, unlike traditional KMS systems.

All KES operations between the Application <-> KES and between KES <-> KMS use mTLS authentication for authentication and authorization functions. This is done using a pair of public/private keys and X.509 certificate. The thing with certs is they have a very common problem, they tend to expire and when they do, services all around fail spectacularly with little rhyme or reason. What do we mean by that?

What we mean is once the cert expires, you will start to see errors such as these in the KES log

{"message":"2024/01/04 02:23:21 http: TLS handshake error from 10.244.2.9:32816: remote error: tls: bad certificate"}

{"message":"2024/01/04 02:23:28 http: TLS handshake error from 10.244.3.11:53456: remote error: tls: bad certificate"}

{"message":"2024/01/04 02:23:28 http: TLS handshake error from 10.244.1.9:56722: remote error: tls: bad certificate"}

{"message":"2024/01/04 02:23:28 http: TLS handshake error from 10.244.4.11:34152: remote error: tls: bad certificate"}

{"message":"2024/01/04 02:23:28 http: TLS handshake error from 10.244.2.9:55300: remote error: tls: bad certificate"}

{"message":"2024/01/04 02:23:28 http: TLS handshake error from 10.244.4.11:34160: remote error: tls: bad certificate"}

Also, when MinIO tries to do a periodic IAM refresh, those would also fail with the following messages in the MinIO log

Error: Failure in periodic refresh for IAM (took 0.03s): Post "https://kes-tenant-kes-hl-svc.default.svc.cluster.local:7373/v1/key/decrypt/my-minio-key": x509: certificate has expired or is not yet valid: current time 2024-01-04T02:27:31Z is after 2024-01-04T02:12:40Z (*errors.errorString)

If you are lucky, you will see an obvious message such as certificate has expired. Other times it's not so obvious, you could also see edge case issues when trying to create or delete keys among a host of other issues. The quickest solution is to renew and update KES with new certs as soon as possible. In this post we’ll show you exactly how to do that.

How to Renew

Let’s first start by creating a new private key

openssl genrsa -out private.key 2048

Create a file called cert.cnf which will be used by openssl to create the Certificate Signing Request (CSR)

[req]

distinguished_name = req_distinguished_name

req_extensions = req_ext

prompt = no


[req_distinguished_name]

O = "system:nodes"

C = US

CN  = "system:node:*.kes-tenant-kes-hl-svc.default.svc.cluster.local"


[req_ext]

subjectAltName = @alt_names


[alt_names]

DNS.1 = kes-tenant-kes-0.kes-tenant-kes-hl-svc.default.svc.cluster.local

DNS.2 = kes-tenant-kes-hl-svc.default.svc.cluster.local

Be sure to modify the Common Name CN and Subject Alternative Names SAN (under [alt_names]) to match the FQDN of your KES nodes. Be sure to use proper FQDNs and not IP addresses.

Create the CSR using the command below

openssl req -new -config cert.cnf -key private.key -out kes.csr

Convert the CSR into an encoded string so it can be added to Kubernetes as a CertificateSigningRequest resource.

cat kes.csr | base64 | tr -d "\n"

Create a file kes-csr.yaml with the content below and paste the above encoded CSR in the request field. The cert has been truncated so you can see the entire yaml.

apiVersion: certificates.k8s.io/v1

kind: CertificateSigningRequest

metadata:

  name: kes-csr

spec:

  expirationSeconds: 604800

  groups:

  - system:serviceaccounts

  - system:serviceaccounts:minio-operator

  - system:authenticated

  - system:nodes

  request: LS0tLS1CRUdJTiBDRV…FUVVFU1QtLS0tLQo=

  signerName: kubernetes.io/kubelet-serving

  usages:

  - digital signature

  - key encipherment

  - server auth

  username: system:serviceaccount:minio-operator:minio-operator

Be sure to update the expirationSeconds to something high so that it doesn’t expire very soon.

Once the encoded CSR has been added and other settings have been set, apply the yaml.

kubectl apply -f kes-csr.yaml

Be sure to approve the kes-csr CSR created above

kubectl certificate approve kes-csr

Get a public cert from the csr resource

kubectl get csr kes-csr -o jsonpath='{.status.certificate}'| base64 -d > public.crt

Convert both the private.key (from the beginning of the process) and public.crt (from the previous step) to an encoded string.

cat private.key | base64 | tr -d "\n"

cat public.crt | base64 | tr -d "\n"

Using the encoded strings from above, we’ll update the existing Secret kes-tenant-kes-tls, in order to do that, follow the steps below.

Copy the existing secret where the existing expired cert is located.

kubectl get secret kes-tenant-kes-tls -o yaml > kes-tls-secret.yaml

Once you have backed up the existing secret, delete it

kubectl delete secret kes-tenant-kes-tls

Open kes-tls-secret.yaml with the expired certs and replace the following two fields with their respective base64 encoded strings.

data:

  private.key: >-

LS0tLS1CRUd…ZLS0tLS0

  public.crt: >-

LS0tLS1CRUdJTi…tLS0K

Once the new certs have been added apply the Secret, which will recreate kes-tenant-kes-tls

kubectl apply -f kes-tls-secret.yaml

Once a valid cert is added, be sure to restart the KES service and you should see the output like so:

'http://vault.default.svc.cluster.local:8200' ...

Endpoint: https://127.0.0.1:7373    https://10.244.4.16:7373  


Admin: _ [ disabled ]

Auth: off   [ any client can connect but policies still apply ]


Keys: Hashicorp Vault: http://vault.default.svc.cluster.local:8200


CLI:  export KES_SERVER=https://127.0.0.1:7373

       export KES_CLIENT_KEY=   // e.g. $HOME/root.key

       export KES_CLIENT_CERT=  // e.g. $HOME/root.cert

       kes --help

The MinIO log should also be clean and should not show any TLS errors anymore.

Waiting for all MinIO sub-systems to be initialized.. lock acquired

Automatically configured API requests per node based on available memory on the system: 221

All MinIO sub-systems initialized successfully in 15.44125ms

MinIO Object Storage Server

Copyright: 2015-2024 MinIO, Inc.

License: GNU AGPLv3

Version: RELEASE.2024-01-04T09-40-09Z (go1.19.4 linux/arm64)


Status:     4 Online, 0 Offline.

API: https://minio.default.svc.cluster.local

Console: https://10.244.3.12:9443 https://127.0.0.1:9443   


Documentation: https://min.io/docs/minio/linux/index.html

Final Thoughts

KES is an integral part when it comes to managing keys  used to encrypt objects. It is important that objects get encrypted and decrypted in the quickest manner possible because each nanosecond it takes to perform these operations the end user will get the objects that much slower. Yes, ultimately, inefficient and slow KMS systems can degrade overall cluster performance. So it's paramount to ensure the service performing these actions is fast, lean, performant and scalable. MinIO’s KES enables any KMS to be a high performance and scalable service without any modification to the existing KMS. By following the steps above, you can get KES back to having valid unexpired certs in no time!

If you have any questions on KES be sure to reach out to us on Slack!

Previous Post Next Post
S3 Select Security Modern Data Lakes Apache Presto SQL Performance S3 Brand/Design Golang Programming Cloud Computing Microservices Docker AWS Kubernetes Apache Spark Open Source Benchmarks Integrations SUBNET Edge Computing Sidekick Secure-by-Design Splunk Veeam Intel Apache Nifi Immutability Software Defined Storage VMware Apache Arrow Hybrid Cloud Red Hat OpenShift Multicloud Scalability Cloud Field Day Cloud Native Apache Kafka Architect's Guide Awards Operator's Guide Security Advisory AI/ML AGPLv3 Apache Hadoop SFD Azure GCP Observability Analytics R H20 DirectPV DevOps Apache Iceberg Apache Hudi YouTube Summaries EKS Elastic Load Balancers CI/CD Object Storage Compliance opentelemetry BC/DR Storage Newsletter Predictions Best Practices Dremio New MinIO Features partners Small Files Databases DuckDB PostgreSQL Delta Lake Cloud Repatriation Python Object Lambdas Data Pipelines Cloud Operating Model Webhook ClickHouse Vector Database Events Value Engineering Change Data Capture Enterprise Object Store GitOps Case Study Equinix