Bug description

I run it using a configuration similar to the one in the documentation. When I run `/usr/local/bin/kes server --config=/opt/kes/config/kes-config.yml` manually it works fine, but under systemd it won't work, and there's no error output either.

Expected behavior

Additional context

What version of Go are you using (`go version`)?

go1.20.6 linux/amd64

What operating system and processor architecture are you using (`go env`)?

Ubuntu 20.04
The policy and keystore sections of /opt/kes/config/kes-config.yml:

```yaml
# The `minio` policy grants access to the listed APIs.
policy:
  minio:
    allow:
    - /v1/key/create/*   # You can replace these wildcard '*' with a string prefix to restrict key names
    - /v1/key/generate/* # e.g. '/minio-'
    - /v1/key/decrypt/*
    - /v1/key/bulk/decrypt
    - /v1/key/list
    - /v1/status
    - /v1/metrics
    - /v1/log/audit
    - /v1/log/error
    identities:
    - *** # Replace with the output of 'kes identity of minio-kes.cert'
    # In production environments, each client connecting to KES must
    # have their TLS hash listed under at least one `policy`.

# Specify the connection information for the Vault server.
# The endpoint should be resolvable from the host.
# This example assumes that Vault is configured with an AppRole ID and
# Secret for use with KES.
keystore:
  vault:
    endpoint: https://127.0.0.1:8200
    engine: "kv"   # Replace with the path to the K/V Engine
    version: "v2"  # Specify v1 or v2 depending on the version of the K/V Engine
    approle:
      id: ""       # Hashicorp Vault AppRole ID
      secret: ""   # Hashicorp Vault AppRole Secret ID
      retry: 15s
    status:
      ping: 10s
    # Required if Vault uses certificates signed by an unknown CA,
    # e.g. self-signed or internal (non-globally trusted).
    # Replace this value with the full path to the Vault CA certificate.
    tls:
      ca: /opt/vault/tls/certificate2.crt
```
kes.service:

```ini
[Service]
WorkingDirectory=/opt/kes/
AmbientCapabilities=CAP_IPC_LOCK
User=kes
Group=kes
ProtectProc=invisible
ExecStart=/usr/local/bin/kes server --config=/opt/kes/config/kes-config.yml

# Let systemd restart this service always
Restart=always

# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536

# Specifies the maximum number of threads this process can create
TasksMax=infinity

# Disable timeout logic and wait until process is stopped
TimeoutStopSec=infinity
SendSIGKILL=no

[Install]
WantedBy=multi-user.target
```
The beginning of the same kes-config.yml (its policy and keystore sections are shown above, after the Go and OS details):

```yaml
address: 0.0.0.0:7373

# Disable the root administrator identity, as we do not need that level of access for
# supporting SSE operations.
admin:
  identity: disabled

# Specify the TLS keys generated in the previous step here
# For production environments, use keys signed by a known and trusted
# Certificate Authority (CA).
tls:
  key: /opt/kes/certs/privatekes.key
  cert: /opt/kes/certs/certificatekes.crt
```
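A preflight check for a service that starts cleanly by hand but not under systemd, as an added example (not the reporter's or the KES project's code): because kes.service runs as `User=kes`, the config and every file it names (TLS key, TLS cert, Vault CA) must be readable by that account, and whatever KES prints when it cannot open them goes to the journal rather than the terminal. It assumes the `key:`/`cert:`/`ca:` layout of the config above and decides readability from stat() mode bits only (no ACLs); the sample files and uids are constructed.

```python
# Added example (not KES project code): a root-free preflight for the deployment in this
# issue, where kes.service runs as User=kes and kes-config.yml names a TLS key, a TLS cert
# and a Vault CA file. It answers "can the service user open every file KES needs?" from
# stat() mode bits, walking parent directories the way the kernel does. Sample data is constructed.
import os
import re
import stat
import tempfile
from pathlib import Path

PATH_RE = re.compile(r"^\s*(?:key|cert|ca):\s*([^#\s]+)")  # values of key:/cert:/ca: entries

def config_file_paths(config_text):
    """Collect the file paths kes-config.yml tells KES to open (TLS key/cert, Vault CA)."""
    return [m.group(1).strip("\"'") for line in config_text.splitlines()
            if (m := PATH_RE.match(line))]

def _bit_allowed(st, uid, gids, usr, grp, oth):
    if st.st_uid == uid:  # owner, then group, then other: the classic DAC decision
        return bool(st.st_mode & usr)
    if st.st_gid in gids:
        return bool(st.st_mode & grp)
    return bool(st.st_mode & oth)

def readable_by(path, uid, gids):
    """True if uid (member of gids) can traverse every parent directory and read path."""
    if not os.path.exists(path):
        return False
    if uid == 0:  # root bypasses discretionary access checks
        return True
    path, cur = os.path.abspath(path), os.sep
    for comp in path.split(os.sep)[1:-1]:
        cur = os.path.join(cur, comp)
        if not _bit_allowed(os.stat(cur), uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False
    return _bit_allowed(os.stat(path), uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)

def preflight(config_path, uid, gids):
    """Return the config and every referenced file that uid cannot read (empty list = OK)."""
    paths = [config_path] + config_file_paths(Path(config_path).read_text())
    return [p for p in paths if not readable_by(p, uid, gids)]

def demo():
    """Constructed scenario: a 0600 key we own, checked for ourselves and for a foreign uid."""
    d = tempfile.mkdtemp()
    key, cfg = os.path.join(d, "privatekes.key"), os.path.join(d, "kes-config.yml")
    Path(key).write_text("constructed-not-a-real-key\n")
    os.chmod(key, 0o600)
    Path(cfg).write_text("tls:\n  key: %s\n  cert: %s\n" % (key, os.path.join(d, "missing.crt")))
    return preflight(cfg, os.getuid(), {os.getgid()}), preflight(cfg, os.getuid() + 1, set())
```

On the host, call `preflight()` with the real config path and the uid and group ids of the `kes` account (from the `pwd` and `grp` modules), and read `journalctl -u kes.service` for the service's own stderr.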