
Option to output identity in plain text or json for automation purposes

Open avoidik opened this issue 1 year ago • 3 comments

What is the problem you want to solve?

There's no way to output the generated identity without annotations. The cleanest solution I've found is this:

MINIO_IDENTITY="$(kes identity of client.crt | tail -n 1 | tr -d '[:blank:]')"

How do you want to solve it?

MINIO_IDENTITY="$(kes identity of client.crt --plain)"

or

MINIO_IDENTITY="$(kes identity of client.crt --json | jq -r '.identity')"

Additional context

  1. Are there alternative solutions?

Piping output

  2. Would your solution cause a major breaking API change?

No

  3. Anything else that is important?

This creates unnecessary complexity for automation

avoidik avatar Dec 11 '24 09:12 avoidik

Hey @avoidik, could you please share how you are using the kes identity of command?

The way kes identity of works is: when it is run in a terminal, a long version is printed; otherwise just the identity is printed.

Here is an example:

  1. here is the output when run in terminal
toastsandwich:~/kes-server> SAMPLE=$(kes identity of client.crt)
toastsandwich:~/kes-server> echo $SAMPLE
Identity: <identity value>
  2. here is the output when we create a sh file and we source it script.sh
       export TEST=$(kes identity of client.crt)
    
toastsandwich:~/kes-server> env | grep TEST
TEST=<identity value>

toastsandwich avatar May 30 '25 08:05 toastsandwich

Sure, here is an example:

Save it as kes.sh, and run it

#!/bin/bash

if [[ -z "$IN_DOCKER" ]]; then

docker run --rm -i -t \
    --name kes \
    -v "$PWD":/workdir \
    -e IN_DOCKER=1 \
    -w /workdir \
    --entrypoint '/workdir/kes.sh' \
    minio/kes \
    bash

    exit

fi

ln -fsn /kes /usr/local/bin/kes

kes identity new --ip '127.0.0.1' --dns 'localhost' --key server.key --cert server.crt --force "$HOSTNAME"

kes identity new --key client.key --cert client.crt --force minio

echo "Hahaha"

echo $(kes identity of client.crt)

echo "Hahaha"

MINIO_IDENTITY="$(kes identity of client.crt | tail -n 1 | tr -d '[:blank:]')"

cat << EOF > config.yml
version: v1

address: 0.0.0.0:7373

admin:
  identity: disabled

tls:
  key: server.key
  cert: server.crt

policy:
  minio:
    allow:
      - /v1/key/create/minio-*
      - /v1/key/generate/minio-*
      - /v1/key/decrypt/minio-*
    identities:
      - $MINIO_IDENTITY

keystore:
  fs:
    path: ./keys

log:
  error: on
  audit: on
EOF

# kes server --config config.yml

At the end:

Hahaha
Identity: 315b8695450b58b2983358fde3b05103d75dfc12bf4f29037116da61043a5c07
Hahaha

avoidik avatar May 30 '25 12:05 avoidik

The reason for this behavior is that KES checks if either stdout or stderr is a terminal. There are multiple ways to only print the identity value. For example, export MINIO_IDENTITY=$(kes identity of <cert>), or you can redirect stdout and stderr.

We can also change the behavior when detecting a terminal to check whether stdout and stderr are terminals. This does not justify an additional flag.

aead avatar Jun 02 '25 12:06 aead
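An added example, not from the thread or the KES project: because the output shape depends on whether stdout or stderr is a terminal, a script that writes the identity into a policy can validate the value instead of trusting its position in the output. The function name `extract_kes_identity` is hypothetical, and the 64-lowercase-hex format is an assumption taken from the sample output in this thread.

```shell
#!/bin/sh
# Added example (not from the thread or the KES project).
# Reads the output of `kes identity of <cert>` on stdin and prints only the
# identity, whether the annotated or the bare form was emitted.
# Assumption: an identity is exactly 64 lowercase hex characters, as in the
# sample output shown in this thread.
extract_kes_identity() {
    # Split on any whitespace (including CR) and keep only tokens that are
    # exactly 64 hex characters; labels such as "Identity:" never match.
    matches=$(tr -s '[:space:]' '\n' | grep -E '^[0-9a-f]{64}$' || true)
    count=$(printf '%s\n' "$matches" | grep -c . || true)
    # Fail closed: zero or several candidates must not reach the policy file.
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one identity, found $count" >&2
        return 1
    fi
    printf '%s\n' "$matches"
}

# Constructed sample inputs: the two output shapes shown in the thread.
SAMPLE_ID=315b8695450b58b2983358fde3b05103d75dfc12bf4f29037116da61043a5c07
ANNOTATED="Identity: $SAMPLE_ID"
PLAIN="$SAMPLE_ID"

for out in "$ANNOTATED" "$PLAIN"; do
    printf '%s\n' "$out" | extract_kes_identity
done

# Output with no identity in it is rejected instead of producing an empty
# entry under policy.minio.identities in config.yml.
printf 'Identity:\n' | extract_kes_identity 2>/dev/null || echo "rejected"

# In a script like kes.sh above, the call would be:
#   MINIO_IDENTITY="$(kes identity of client.crt | extract_kes_identity)" || exit 1
```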