minio kes and Hashicorp vault using docker-compose

I want to use KES and Hashicorp vault to encrypt files in minio. Without using docker, I managed to encrypt files using these servers. My problem is that I want to run KES as a docker container using docker-compose. When I run the kes container without using Hashicorp vault in config file, the docker container will start, but when I add the Hashicorp vault as the keystore inside the kes config file, the kes container won’t start. Here is my docker-compose file for KES:

version: '3.7'
services:
  minio-kes:
    image: minio/kes:latest
    container_name: minio-kes
    restart: always
    volumes:
      - /home/zahra/docker/kes/certs:/root/.kes/certs    
      - /home/zahra/docker/kes/config:/root/.kes/config
      - /home/zahra/vault/certs:/root/.kes/vault/certs
    environment:
      - KES_SERVER=https://127.0.0.1:7373
      - KES_CLIENT_KEY=/root/.kes/certs/client.key
      - KES_CLIENT_CERT=/root/.kes/certs/client.cert
      
    ports:
      - "7373:7373"
    command: server --config=/root/.kes/config/config.yaml --auth=off 
    expose:
      - "7373"
    network_mode: "host"

and this is my config file for KES server when I run kes without vault:

address: 0.0.0.0:7373 # Listen on all network interfaces on port 7373

root: disabled

tls:
  key: /root/.kes/certs/server.key    # The KES server TLS private key
  cert: /root/.kes/certs/server.cert    # The KES server TLS certificate

policy:
  admin:
    paths:
      - /v1/key/create/*
      - /v1/key/generate/*
      - /v1/key/decrypt/*      
      - /v1/key/delete/*
      - /v1/key/list/*
      - /v1/identity/list/*
    identities:
      - MY-IDENTITY # Use the identity of your client.crt
keys:
  fs:
    path: ./keys  
log:
  error: on
  audit: on 

but when I use the following config file, which includes vault, the kes container won’t start and gives the error "Error: no admin identity specified".

Here is my kes config file with vault:

address: 0.0.0.0:7373 # Listen on all network interfaces on port 7373

root: disabled

tls:
  key: /root/.kes/certs/server.key    # The KES server TLS private key
  cert: /root/.kes/certs/server.cert    # The KES server TLS certificate

policy:
  admin:
    paths:
      - /v1/key/create/*
      - /v1/key/generate/*
      - /v1/key/decrypt/*      
      - /v1/key/delete/*
      - /v1/key/list/*
      - /v1/identity/list/*
    identities:
      - MY_IDENTITY # Use the identity of your client.crt
    
keystore:
  vault:
    endpoint: https://127.0.0.1:8200
    version:  v1 # The K/V engine version - either "v1" or "v2".
    approle:
      id:     MY-ID # Your AppRole ID
      secret: MY-SECRET # Your AppRole Secret
      retry:  15s
    status:
      ping: 10s
    tls:
      ca: /root/.kes/vault/certs/server.cert # Manually trust the vault certificate since we use self-signed certificates
log:
  error: on
  audit: on 


Solution 1:

The problem was that when I first installed KES on its own instance, without docker, I used this command:

wget https://github.com/minio/kes/releases/download/v0.16.1/kes-linux-amd64 -O /tmp/kes && \
chmod +x /tmp/kes && \
sudo mv /tmp/kes /usr/local/bin

kes --version

so my KES version was v0.16.1, and it worked with

root: disabled

but when I started the KES server as a container inside docker, the version was v0.19.1, and it needed this config:

admin:
  identity: disabled

so my final KES config file is this:

address: 0.0.0.0:7373 # Listen on all network interfaces on port 7373

admin:
  identity: disabled

tls:
  key: /root/.kes/certs/server.key    # The KES server TLS private key
  cert: /root/.kes/certs/server.cert    # The KES server TLS certificate

policy:
  admin:
    allow:
      - /v1/key/create/*
      - /v1/key/generate/*
      - /v1/key/decrypt/*      
      - /v1/key/delete/*
      - /v1/key/list/*
      - /v1/identity/list/*
    identities:
      - MY-IDENTITY # Use the identity of your client.crt

keystore:
  vault:
    endpoint: https://127.0.0.1:8200
    version:  v1 # The K/V engine version - either "v1" or "v2".
    approle:
      id:     MY-ID # Your AppRole ID
      secret: MY-SECRET # Your AppRole Secret
      retry:  15s
    status:
      ping: 10s
    tls:
      ca: /root/.kes/vault/certs/server.cert # Manually trust the vault certificate since we use self-signed certificates
log:
  error: on
  audit: on 

Now my KES container starts successfully. Thanks to the minio/kes community, which replied to my question at this link: https://github.com/minio/kes/issues/232
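The answer comes down to two config renames between the two KES versions (`root` became `admin.identity`, and each policy's `paths` list became `allow`). The helper below is an added example, not code from the question, the answer, or the minio/kes project; it applies exactly those two renames to a parsed config, refuses ambiguous files that carry both the old and the new key, and assumes PyYAML only when you point it at a file on disk:

```python
import copy
from typing import Any, Dict, List, Tuple

try:
    import yaml  # PyYAML; only needed by migrate_file()
except ImportError:  # the migration itself works on plain dicts
    yaml = None

# Constructed sample in the shape of the question's pre-v0.19 config.
OLD_CONFIG: Dict[str, Any] = {
    "address": "0.0.0.0:7373",
    "root": "disabled",
    "policy": {
        "admin": {
            "paths": ["/v1/key/create/*", "/v1/key/generate/*",
                      "/v1/key/decrypt/*", "/v1/key/delete/*",
                      "/v1/key/list/*", "/v1/identity/list/*"],
            "identities": ["MY-IDENTITY"],
        }
    },
    "keystore": {"vault": {"endpoint": "https://127.0.0.1:8200"}},
}


def migrate_kes_config(old: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Return (new_config, notes) without mutating the input.
    Renames: root -> admin.identity, policy.<name>.paths -> policy.<name>.allow.
    A config already in the new layout passes through with no notes."""
    new = copy.deepcopy(old)
    notes: List[str] = []
    if "root" in new:
        if "admin" in new:  # can't tell which one the operator meant
            raise ValueError("config has both 'root' and 'admin'")
        new["admin"] = {"identity": new.pop("root")}
        notes.append(f"root -> admin.identity ({new['admin']['identity']})")
    for name, pol in (new.get("policy") or {}).items():
        if isinstance(pol, dict) and "paths" in pol:
            if "allow" in pol:
                raise ValueError(f"policy {name!r} has both 'paths' and 'allow'")
            pol["allow"] = pol.pop("paths")
            notes.append(f"policy.{name}.paths -> policy.{name}.allow")
    return new, notes


def migrate_file(src: str, dst: str) -> List[str]:
    """Rewrite a YAML config on disk (requires PyYAML)."""
    if yaml is None:
        raise RuntimeError("PyYAML is required to migrate files")
    with open(src) as f:
        old = yaml.safe_load(f) or {}
    new, notes = migrate_kes_config(old)
    with open(dst, "w") as f:
        yaml.safe_dump(new, f, sort_keys=False)
    return notes
```

Run it on the old config and diff the output against the answer's final config before dropping it into the container's `/root/.kes/config` volume.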

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Zahra Vahidi