Uploaded image for project: 'OpenShift Image Registry'
  1. OpenShift Image Registry
  2. IR-346

Customer-controlled AWS KMS key for S3 encryption

XMLWordPrintable

    • Customer-controlled AWS KMS key for S3 encryption
    • False
    • None
    • False
    • Not Selected
    • To Do
    • OCPSTRAT-734 - Support user managed key for OpenShift Registry at installation time
    • OCPSTRAT-734Support user managed key for OpenShift Registry at installation time
    • 100% To Do, 0% In Progress, 0% Done

      Epic Goal

      • Allow OpenShift users who leverage AWS Key Management System to denote a customer-controlled key which is used to encrypt the S3 bucket that is backing the OpenShift integrated registry at install time

      Why is this important?

      • At rest encryption is a security requirement for many customers
      • AWS has recently (January 2023) introduced automatic encryption of S3 buckets but it's an AWS-managed key
      • Customer prefers AWS SSE-KMS

      Scenarios

      1. Customer specifies the key id to be used for encryption of the S3 bucket that the integrated registry uses in the install-config.yaml of the OpenShift installer
      2. IR operator picks up the key definition and creates a bucket that is encrypted server-side with a customer controlled key in AWS KMS (SSE-KMS)

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • ...

      Open questions:

      1. How does key rotation work here?

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

            fmissi Flavian Missi
            DanielMesser Daniel Messer
            xiujuan wang xiujuan wang
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated: