Install Key Manager on Upstream Kubernetes

This section documents steps for installing and managing AIStor Key Manager on Kubernetes infrastructure using a distribution that follows the upstream API and functionality.

This procedure assumes that the user interacting with the Kubernetes cluster has authorization to:

  • Install Kubernetes operators and associated resources, including CustomResourceDefinitions, StatefulSets, and Secrets, into new or existing namespaces, and
  • Perform operations as a user that has broad permissions to create resources within multiple namespaces.

Deploy AIStor Key Manager using Helm

This procedure documents installation on Kubernetes with the AIStor Helm Charts.

  1. Download your SUBNET license key

    Log into MinIO SUBNET and access your License Key. From the Deployment view, select License to view the key.

    SUBNET License download

    Save the value to a secure location for use in a subsequent step.

  2. Add the AIStor Helm Repository

    helm repo add minio https://helm.min.io/
    
  3. Configure and install the minio/aistor-keymanager-operator chart

    This chart contains the necessary Kubernetes resources for deploying AIStor Key Manager resources through the aistor-keymanager chart.

    Create a YAML manifest for the chart named aistor-keymanager-operator-values.yaml. Replace the LICENSE-STRING with your SUBNET license.

    global:
       license: "LICENSE-STRING"
    

    Install the chart to the keymanager-operator namespace:

    helm install keymanager-operator minio/aistor-keymanager-operator \
      -n keymanager-operator --create-namespace \
      -f aistor-keymanager-operator-values.yaml
    

    If successful, the command outputs a summary of installed resources.

    To validate the installation, run kubectl get all -n keymanager-operator and check the status of the deployed resources. The chart creates a Deployment, ReplicaSet, Service, and Pod within the namespace.

  4. Generate a root encryption key for Key Manager

    Key Manager uses a Root Encryption Key (REK) for encrypting all stored cryptographic data. To generate a key, use the following command:

    docker run quay.io/minio/aistor/minkms:latest --soft-hsm
    

    The output resembles the following:

    hsm:ALGORITHM:<KEYSTRING>
    

    Save the output to a secure location such as a dedicated secrets manager or password vault.

  5. Deploy the minio/aistor-keymanager chart

    The following command deploys Key Manager with both the release name and the namespace set to aistor-keymanager.

    helm install aistor-keymanager minio/aistor-keymanager \
      -n aistor-keymanager --create-namespace \
      --set "keyManager.hsm.key=hsm:ALGORITHM:<KEYSTRING>"
    

    The command outputs instructions for connecting an AIStor object store to the Key Manager. AIStor can then use Key Manager to enable Server Side Encryption of objects.

    By default, Key Manager deploys with 3 replicas. Each replica requires 25 MiB of storage and uses the default storage class on the cluster. For more complete documentation, see Server Side Encryption with AIStor Key Manager.
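    The following script is an added example that ties steps 2 through 5 together; it is not part of the MinIO documentation or the charts. It assumes the SUBNET license is in the LICENSE environment variable, uses hypothetical local file names for the values file and the generated REK, and passes the REK to Helm with --set-file rather than --set so the key does not land in shell history or process listings; it also checks that the generator output has the documented hsm:ALGORITHM:KEYSTRING shape before deploying.

```shell
#!/bin/sh
# Added example, not MinIO's own code. Assumes LICENSE holds the SUBNET
# license key and that helm, kubectl and docker are on PATH.
set -eu
OPERATOR_NS=keymanager-operator
KM_NS=aistor-keymanager
VALUES=aistor-keymanager-operator-values.yaml
REK_FILE=rek.txt   # hypothetical local file name for the generated REK

# Accept only the documented REK shape hsm:ALGORITHM:KEYSTRING, with
# both ALGORITHM and KEYSTRING non-empty.
validate_rek() {
  case "$1" in hsm:*:*) ;; *) return 1 ;; esac
  rest=${1#hsm:}
  alg=${rest%%:*}
  key=${rest#*:}
  [ -n "$alg" ] && [ -n "$key" ]
}

# Pull the single hsm: line out of the generator's output, which may be
# mixed with image-pull or log lines, and strip surrounding whitespace.
extract_rek() {
  printf '%s\n' "$1" | grep -m1 '^hsm:' | tr -d '[:space:]'
}

# Write a secret to a file readable only by the current user, with no
# trailing newline so that --set-file passes the exact value.
write_secret_file() {
  ( umask 077 && printf '%s' "$2" > "$1" )
}

deploy_all() {
  helm repo add minio https://helm.min.io/
  write_secret_file "$VALUES" "$(printf 'global:\n  license: "%s"' "$LICENSE")"
  helm install keymanager-operator minio/aistor-keymanager-operator \
    -n "$OPERATOR_NS" --create-namespace -f "$VALUES"
  # Do not create Key Manager resources until the operator is Available.
  kubectl wait --for=condition=Available deployment --all \
    -n "$OPERATOR_NS" --timeout=180s
  rek=$(extract_rek "$(docker run --rm quay.io/minio/aistor/minkms:latest --soft-hsm)")
  validate_rek "$rek" || { echo "unexpected REK output, aborting" >&2; exit 1; }
  write_secret_file "$REK_FILE" "$rek"
  # --set-file keeps the REK out of shell history; like any --set value
  # it is still stored in the Helm release secret.
  helm install aistor-keymanager minio/aistor-keymanager \
    -n "$KM_NS" --create-namespace --set-file "keyManager.hsm.key=$REK_FILE"
  echo "REK saved to $REK_FILE; copy it to your secrets manager" >&2
}
# Sourcing this file only defines the functions; pass "deploy" to run.
if [ "${1:-}" = deploy ]; then deploy_all; fi
```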

All Rights Reserved 2024-Present, MinIO, Inc.