  1. OpenShift Installer
  2. CORS-1504

Enable Google customer managed keys for disk encryption at install


    • Done
    • OCPPLAN-5039 - Bring your own Key for OpenShift/GCP IPI
    • 0% To Do, 0% In Progress, 100% Done

      Goal:

      As an administrator, I would like to deploy OpenShift 4 on Google Cloud with VM disk encryption leveraging a user-managed encryption key.

      Problem:

      Many organizations require disks on their application nodes to be encrypted using a pre-defined, user-managed key. Today, OpenShift supports encryption at rest only with platform-managed keys; user-managed keys are not supported.

      Why is this important:

      • Many corporate security policies mandate disk encryption on application nodes. Without this support, adoption of OpenShift 4 on Google Cloud is blocked for many organizations.

      Lifecycle Information:

      • Core

      Previous Work:

      Dependencies:

      Prioritized epics + deliverables (in scope / not in scope):

      Estimate (XS, S, M, L, XL, XXL):

      Customers:

      Open questions:
      Implementation:

      compute:
      - architecture: amd64
        hyperthreading: Enabled
        name: worker
        platform:
          gcp:
            osDisk:
              diskType: pd-standard
              diskSizeGB: 512
              encryptionKey:
                kmsKey:
                  keyRing: <key ring name>
                  location: <global or us-central1 etc>
                  name: <key name>
                  projectID: <projectID>
                # optional string; has no effect at install time, used for 2nd day operations
                kmsKeyServiceAccount: <service account>
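A pre-install check for the stanza above, as an added example that is not part of the original issue or the installer's own code: it reports, per machine pool, the Cloud KMS resource name the pool resolves to, or why the pool would fall back to a platform-managed key. It assumes the install-config has already been parsed into a dict, that `controlPlane` accepts the same `osDisk` stanza as `compute`, and that each pool sets its key explicitly; all sample values are constructed placeholders.

```python
# Added example: audit a parsed install-config for customer-managed disk keys.
REQUIRED = ("projectID", "location", "keyRing", "name")


def kms_resource_name(kms_key):
    """Build the Cloud KMS resource name from the four kmsKey fields."""
    missing = [f for f in REQUIRED if not str(kms_key.get(f) or "").strip()]
    if missing:
        raise ValueError("kmsKey is missing: " + ", ".join(missing))
    return ("projects/{projectID}/locations/{location}"
            "/keyRings/{keyRing}/cryptoKeys/{name}").format(**kms_key)


def audit_pools(install_config):
    """Return {pool name: KMS resource name, or a string starting 'FAIL'}."""
    pools = list(install_config.get("compute") or [])
    if install_config.get("controlPlane"):  # assumption: same osDisk stanza
        pools.append(install_config["controlPlane"])
    report = {}
    for pool in pools:
        name = pool.get("name", "?")
        gcp = (pool.get("platform") or {}).get("gcp") or {}
        enc = (gcp.get("osDisk") or {}).get("encryptionKey") or {}
        kms_key = enc.get("kmsKey")
        if not kms_key:
            report[name] = "FAIL: no kmsKey, disk uses a platform-managed key"
            continue
        try:
            report[name] = kms_resource_name(kms_key)
        except ValueError as err:
            report[name] = "FAIL: " + str(err)
    return report


# Constructed sample input: placeholder names, not taken from a real project.
_KEY = {"keyRing": "example-ring", "location": "us-central1",
        "name": "example-key", "projectID": "example-project"}
SAMPLE = {
    "compute": [{"name": "worker", "platform": {"gcp": {"osDisk": {
        "diskType": "pd-standard", "diskSizeGB": 512,
        "encryptionKey": {"kmsKey": dict(_KEY)}}}}}],
    # The control plane entry omits keyRing, so the audit must flag it.
    "controlPlane": {"name": "master", "platform": {"gcp": {"osDisk": {
        "encryptionKey": {"kmsKey": {k: v for k, v in _KEY.items()
                                     if k != "keyRing"}}}}}},
}

if __name__ == "__main__":
    for pool_name, result in audit_pools(SAMPLE).items():
        print(pool_name, "->", result)
```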

       

            mstaeble Matthew Staebler (Inactive)
            pstrickrh Patrick Strick
            To Hung Sze To Hung Sze