-
Feature
-
Resolution: Unresolved
-
Critical
-
None
-
None
-
Strategic Portfolio Work
-
False
-
-
False
-
OCPSTRAT-1782OpenShift integration with external secret managers (Vault)
-
33% To Do, 33% In Progress, 33% Done
-
0
-
Program Call
Feature Overview
This feature aims to enable customers of OCP to integrate 3rd party KMS solutions for encrypting etcd values at rest in accordance with:
https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/
Goals
- Bring KMS v2 API to beta|stable level
- Create/expose mechanisms for customers to plug in containers/operators which can serve the API server's needs (can it be an operator, something provided via CoreOS layering, vanilla container spec provided to API server operator?)
- Provide similar UX experience for all of self-hosted, hypershift, SNO scenarios
- Provide example container/operator for the mechanism
General Prioritization for the Feature
- Approved design for detection & actuation for stand-alone OCP clusters.
- How to detect a problem like an expired/lost key and no contact with the KMS provider?
- How to inform/notify the situation, even at node level, of the situation
- Tech Preview (Feature gated) enabling Kube-KMS v2 for partners to start working on KMS plugin provider integrations:
- Cloud: (priority Azure > AWS > Google)
- Azure KMS
- Azure Dedicated HSM
- AWS KMS
- AWS CloudHSM
- Google Cloud HSM
- On-premise:
- HashiCorp Vault
- EU FSI & EU Telco KMS/HSM top-2 providers
- Cloud: (priority Azure > AWS > Google)
- GA after at least one stable KMS plugin provider
- is blocked by
-
AUTH-346 Make it possible to remove resources that cannot be accessed due to encryption issues
- Closed
- is cloned by
-
OCPSTRAT-1638 [GA] Support Kube KMS Integration in OCP (User-Provided)
- New
- is depended on by
-
OCPPLAN-9632 Deliver Supported AWS KMS provider for etcd encryption
- New
-
OCPPLAN-9633 Deliver Supported Azure KMS provider for etcd encryption
- New
- is related to
-
AUTH-346 Make it possible to remove resources that cannot be accessed due to encryption issues
- Closed
-
OCPSTRAT-1625 [Blocked] Validate Hashicorp Vault with Kube KMS for OpenShift Core
- Backlog
- relates to
-
API-1684 [TP] Support KMS on self-managed OCP
- In Progress
- links to