  1. OpenShift API Server
  2. API-1711

Allow users to customize the encryption-config secrets TTL

Details

    • Epic
    • Resolution: Unresolved
    • kube-apiserver
    • Encryption config TTL
    • To Do

    Description

      Epic Goal*

      The goal of this epic is to provide a mechanism for customers to set the TTL of encryption-config secrets, so that the secrets do not pile up in their clusters when there is no need to keep them around, either because they were backed up alongside the etcd backups or because the customers just don't need to access old data.

      Why is this important? (mandatory)

      This work is required to help customers deal with encryption-config secrets piling up in their clusters and causing potential disruption: https://issues.redhat.com/browse/OCPBUGS-7606

      Scenarios (mandatory) 

      Provide details for user scenarios including actions to be performed, platform specifications, and user personas.  

      1. By default the encryption-config secrets will not have a TTL, meaning that they will never be deleted. The reason for that is to guarantee to the customers that they will always be able to access their backed-up etcd data.
      2. By setting an explicit TTL in the apiservers config, the customers will be able to delegate the secrets deletion to our operators.

       
      Dependencies (internal and external) (mandatory)

      What items must be delivered by other teams/groups to enable delivery of this epic. 

      Contributing Teams(and contacts) (mandatory) 

      Our expectation is that teams would modify the list below to fit the epic. Some epics may not need all the default groups but what is included here should accurately reflect who will be involved in delivering the epic.

      • Development - 
      • Documentation -
      • QE - 
      • PX - 
      • Others -

      Acceptance Criteria (optional)

      Provide some (testable) examples of how we will know if we have achieved the epic goal.  

      Drawbacks or Risk (optional)

      Reasons we should consider NOT doing this such as: limited audience for the feature, feature will be superseded by other work that is planned, resulting feature will introduce substantial administrative complexity or user confusion, etc.

      Done - Checklist (mandatory)

      The following points apply to all epics and are what the OpenShift team believes are the minimum set of criteria that epics should meet for us to consider them potentially shippable. We request that epic owners modify this list to reflect the work to be completed in order to produce something that is potentially shippable.

      • CI Testing - Basic e2e automation Tests are merged and completing successfully
      • Documentation - Content development is complete.
      • QE - Test scenarios are written and executed successfully.
      • Technical Enablement - Slides are complete (if requested by PLM)
      • Engineering Stories Merged
      • All associated work items with the Epic are closed
      • Epic status should be “Release Pending” 

            People

              Unassigned
              dgrisonn@redhat.com Damien Grisonnet