Goal:

As an administrator, I would like to deploy OpenShift 4 on Google Cloud with VM disk encryption leveraging a user-managed encryption key.

Problem:

Many organizations require disks to be encrypted on their application nodes using a pre-defined, user-managed key. Today, OpenShift only supports encryption at rest with platform managed keys, but we do not support the use of user-managed keys.

Why is this important:

• Many corporate security policies mandate disk encryption on their application nodes. Without this support, it's blocking the adopt of OpenShift 4 on Google for many organizations.

Lifecycle Information:

• Core

Previous Work:

Dependencies:

Prioritized epics + deliverables (in scope / not in scope):

Estimate (XS, S, M, L, XL, XXL):

Customers:

Open questions:
Implementation:

compute:

• architecture: amd64
    hyperthreading: Enabled
    name: worker
    platform:
      gcp:
        osDisk:
        diskType: pd-standard
        diskSizeGB: 512
        encryptionKey:
        kmsKey:
          keyRing: <key ring name>
          location: <global or us-central1 etc>
          name: <key name>
         kmsKeyServiceAccount (optional string): <this has no effect at install time - for 2nd day operations>
         projectID: <projectID>