-
Feature
-
Resolution: Unresolved
-
Normal
-
None
-
None
-
BU Product Work
-
False
-
-
False
-
100% To Do, 0% In Progress, 0% Done
-
M
-
0
Feature Overview (aka. Goal Summary)
In OCP, we use hard rotation when updating the encryption key of etcd. This means we proceed to re-encrypt all the objects with the new. This key rotation process happens on a weekly basis. In clusters with high utilization, the hard rotation approach causes components from the control plane to be restarted, resulting in applications experiencing temporary outages of the Kube API.
Using a soft-rotation, re-encryption of an object will only happen when the encrypted object is accessed. This approach will promote a rolling update of the encryption key without affecting the control-plane.
Goals (aka. expected user outcomes)
The goal is for soft-rotation to become the default operating mode while providing an option for a cluster-admin to request a hard-rotation on-demand if they need to do so.
Requirements (aka. Acceptance Criteria):
- Migrate to soft-rotation as the default etcd key rotation mechanism
- Provide the ability for cluster-admin to request a hard-rotation on-demand
- Have CI test for the hard-rotation on-demand capability
- Document behavior and options in OCP docs
Anyone reviewing this Feature needs to know which deployment configurations that the Feature will apply to (or not) once it's been completed. Describe specific needs (or indicate N/A) for each of the following deployment scenarios. For specific configurations that are out-of-scope for a given release, ensure you provide the OCPSTRAT (for the future to be supported configuration) as well.
Deployment considerations | List applicable specific needs (N/A = not applicable) |
Self-managed, managed, or both | both |
Classic (standalone cluster) | yes |
Hosted control planes | ?? |
Multi node, Compact (three node), or Single node (SNO), or all | all |
Connected / Restricted Network | all |
Architectures, e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x) | all |
Operator compatibility | n/a |
Backport needed (list applicable versions) | n/a |
UI need (e.g. OpenShift Console, dynamic plugin, OCM) | n/a |
Other (please specify) | n/a |
Use Cases (Optional):
Include use case diagrams, main success scenarios, alternative flow scenarios. Initial completion during Refinement status.
<your text here>
Questions to Answer (Optional):
Include a list of refinement / architectural questions that may need to be answered before coding can begin. Initial completion during Refinement status.
<your text here>
Out of Scope
High-level list of items that are out of scope. Initial completion during Refinement status.
<your text here>
Background
Provide any additional context is needed to frame the feature. Initial completion during Refinement status.
<your text here>
Customer Considerations
Provide any additional customer-specific considerations that must be made when designing and delivering the Feature. Initial completion during Refinement status.
<your text here>
Documentation Considerations
Provide information that needs to be considered and planned so that documentation will meet customer needs. If the feature extends existing functionality, provide a link to its current documentation. Initial completion during Refinement status.
<your text here>
Interoperability Considerations
Which other projects, including ROSA/OSD/ARO, and versions in our portfolio does this feature impact? What interoperability test scenarios should be factored by the layered products? Initial completion during Refinement status.
<your text here>
- relates to
-
RFE-3094 Need set up key rotation outside of working hours for API pods.
- Rejected
-
OCPBUGS-38523 kube-apiserver resource Spike during data re-encryption at rest
- New
- split from
-
OCPSTRAT-555 Improvements to ETCD datastore encryption [from OCPBU-81]
- Closed
- links to