Epic Goal

• Allow OpenShift users who leverage AWS Key Management System to denote a customer-controlled key which is used to encrypt the S3 bucket that is backing the OpenShift integrated registry at install time

Why is this important?

• At rest encryption is a security requirement for many customers
• AWS has recently (January 2023) introduced automatic encryption of S3 buckets but it's an AWS-managed key
• Customer prefers AWS SSE-KMS

Scenarios

1. Customer specifies the key id to be used for encryption of the S3 bucket that the integrated registry uses in the install-config.yaml of the OpenShift installer
2. IR operator picks up the key definition and creates a bucket that is encrypted server-side with a customer controlled key in AWS KMS (SSE-KMS)

Acceptance Criteria

• CI - MUST be running successfully with tests automated
• Release Technical Enablement - Provide necessary release enablement details and documents.
• ...

Open questions:

1. How does key rotation work here?

Done Checklist

• CI - CI is running, tests are automated and merged.
• Release Enablement <link to Feature Enablement Presentation>
• DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
• DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
• DEV - Downstream build attached to advisory: <link to errata>
• QE - Test plans in Polarion: <link or reference to Polarion>
• QE - Automated tests merged: <link or reference to automated tests>
• DOC - Downstream documentation merged: <link to meaningful PR>