check that we can reach KES server and that the default key exists (#12291)

This commit adds a check to the MinIO server setup that verifies
that MinIO can reach KES, if configured, and that the default key
exists. If the default key does not exist it will create it
automatically.

Signed-off-by: Andreas Auernhammer <aead@mail.de>

cmd/common-main.go

@@ -38,6 +38,7 @@ import (
 	"github.com/fatih/color"
 	dns2 "github.com/miekg/dns"
 	"github.com/minio/cli"
+	"github.com/minio/kes"
 	"github.com/minio/minio-go/v7/pkg/set"
 	"github.com/minio/minio/cmd/config"
 	xhttp "github.com/minio/minio/cmd/http"
@@ -387,15 +388,24 @@ func handleCommonEnvVars() {
 			logger.Fatal(err, fmt.Sprintf("Unable to load X.509 root CAs for KES from %q", env.Get(config.EnvKESServerCA, globalCertsCADir.Get())))
 		}
 
+		var defaultKeyID = env.Get(config.EnvKESKeyName, "")
 		KMS, err := kms.NewWithConfig(kms.Config{
 			Endpoints:    endpoints,
-			DefaultKeyID: env.Get(config.EnvKESKeyName, ""),
+			DefaultKeyID: defaultKeyID,
 			Certificate:  certificate,
 			RootCAs:      rootCAs,
 		})
 		if err != nil {
 			logger.Fatal(err, "Unable to initialize a connection to KES as specified by the shell environment")
 		}
+
+		// We check that the default key ID exists or try to create it otherwise.
+		// This implicitly checks that we can communicate to KES. We don't treat
+		// a policy error as failure condition since MinIO may not have the permission
+		// to create keys - just to generate/decrypt data encryption keys.
+		if err = KMS.CreateKey(defaultKeyID); err != nil && !errors.Is(err, kes.ErrKeyExists) && !errors.Is(err, kes.ErrNotAllowed) {
+			logger.Fatal(err, "Unable to initialize a connection to KES as specified by the shell environment")
+		}
 		GlobalKMS = KMS
 	}
 	if tiers := env.Get("_MINIO_DEBUG_REMOTE_TIERS_IMMEDIATELY", ""); tiers != "" {