Uploaded image for project: 'OpenShift Image Registry'
  1. OpenShift Image Registry
  2. IR-346

Customer-controlled AWS KMS key for S3 encryption

    XMLWordPrintable

Details

    • Customer-controlled AWS KMS key for S3 encryption
    • False
    • None
    • False
    • Not Selected
    • To Do
    • OCPSTRAT-734 - Support user managed key for OpenShift Registry at installation time
    • OCPSTRAT-734Support user managed key for OpenShift Registry at installation time
    • 0
    • 0% 0%

    Description

      Epic Goal

      • Allow OpenShift users who leverage AWS Key Management System to denote a customer-controlled key which is used to encrypt the S3 bucket that is backing the OpenShift integrated registry at install time

      Why is this important?

      • At rest encryption is a security requirement for many customers
      • AWS has recently (January 2023) introduced automatic encryption of S3 buckets but it's an AWS-managed key
      • Customer prefers AWS SSE-KMS

      Scenarios

      1. Customer specifies the key id to be used for encryption of the S3 bucket that the integrated registry uses in the install-config.yaml of the OpenShift installer
      2. IR operator picks up the key definition and creates a bucket that is encrypted server-side with a customer controlled key in AWS KMS (SSE-KMS)

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • ...

      Open questions:

      1. How does key rotation work here?

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

      Attachments

        Issue Links

          incorporates

          Feature Request - Feature requests from customers and/or users RFE-2200 Specify KMS key to S3 buckets during Install

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Accepted

          Activity

            People

              fmissi Flavian Missi
              DanielMesser Daniel Messer
              xiujuan wang xiujuan wang
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated: