OCPSTRAT-1782: OpenShift integration with external secret managers (Vault)
Type: Feature
Priority: Major
Resolution: Unresolved
Strategic Product Work
Progress: 100% To Do, 0% In Progress, 0% Done
Status: Backlog Refinement
Feature Overview
Test, and automate in CI, the integration between Kube KMS and HashiCorp Vault.
OpenShift is planning to support the use of KMS providers for encrypting etcd data (OCPSTRAT-108).
Goals
Integrating Kube KMS with Vault offers high value for OCP, aligning with EU Security Policy and addressing strong demand from the field (GFSI and Telco). This feature is critical for securing upcoming EU deals in 2025 that require OCP support for Kube KMS.
Vault has several integration points. The integration to validate here is the Kube KMS API, with Vault managing the etcd encryption keys.
Resources to consider encrypting with this integration:
- Secrets, configmaps: https://github.com/openshift/cluster-kube-apiserver-operator/blob/37df1b1f80d3be6036b9e31975ac42fcb21b6447/pkg/operator/starter.go#L364-L365
- oauthaccesstokens, oauthauthorizetokens: https://github.com/openshift/cluster-authentication-operator/blob/dc429ef1d8a470720aae41b2d62e29ebd07771dd/pkg/operator/starter.go#L652-L653
- Routes: https://github.com/openshift/cluster-openshift-apiserver-operator/blob/2ebad02bac4ed67b7450a14b47e5c1618877ff76/pkg/operator/starter.go#L311
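For reference, the upstream Kubernetes `EncryptionConfiguration` below shows what a KMS v2 provider entry looks like for the resources listed above. This is an added illustration, not part of this ticket and not an OpenShift or HashiCorp artifact: OpenShift's own API for enabling a KMS provider (OCPSTRAT-108) is not described here, the plugin name and socket path are assumed placeholders for a Vault KMS plugin, and the API groups for the OpenShift resources are assumed from the linked operator code. In OpenShift these resources are served by different API servers (kube-apiserver, oauth-apiserver and openshift-apiserver, per the links above), so each would carry its own configuration; a single file is a simplification.

```yaml
# Added example: upstream Kubernetes EncryptionConfiguration with a KMS v2
# provider. Not from this ticket. Plugin name, socket path and the API
# groups of the OpenShift resources are assumptions.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
      - configmaps
      # assumed API groups for the OpenShift-specific resources
      - oauthaccesstokens.oauth.openshift.io
      - oauthauthorizetokens.oauth.openshift.io
      - routes.route.openshift.io
    providers:
      # KMS v2: the API server talks to the plugin over a local Unix socket;
      # the plugin has Vault wrap/unwrap the data-encryption keys, so etcd
      # only ever stores ciphertext plus a Vault-wrapped key.
      - kms:
          apiVersion: v2
          name: vault-kms-plugin                            # assumed name
          endpoint: unix:///var/run/kmsplugin/socket.sock   # assumed path
          timeout: 3s
      # identity keeps not-yet-migrated cleartext readable; list it last so
      # new writes always go through the KMS provider.
      - identity: {}
```

A CI check for this integration would, after a storage migration (rewriting the listed resources), read a secret directly from etcd and confirm the stored value starts with the `k8s:enc:kms:v2:<provider name>:` prefix rather than cleartext, and would then verify that stopping the Vault plugin makes reads of those resources fail rather than silently fall back to unencrypted data.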
Q&A
- How can we get access to Vault in CI?
  - We don't need the enterprise features of HashiCorp Vault. The open-source feature set is enough; it's the same code and the same operators. These are the operators available: https://catalog.redhat.com/search?q=vault&partnerName=HashiCorp&p=1
- Is it going to run in a cloud separately from the CI cluster, or should we get it to run inside the cluster?
  - Inside the cluster if there are no technical constraints for the features to be validated; on its own cluster otherwise.
- No plugin/provider exists today to bridge Kubernetes and Vault.
  - We are expecting a plugin from HashiCorp. An example is https://github.com/FalcoSuessgott/vault-kubernetes-kms, but it isn't written by a HashiCorp employee and has no connection to HashiCorp.
  - HashiCorp should have a look at https://github.com/Azure/kubernetes-kms, since it was the first plugin written against KMS v2 by the developers of the new API.
Requirements
- Integration between Kube KMS and Vault is tested and the integration points are documented
- CI is implemented
Dependencies
- HashiCorp Vault KMS plugin for Kubernetes (https://github.com/hashicorp/vault-k8s/issues/293)
  - Expected from HashiCorp, but no commitment as of Sep 2024. This is blocking the integration.
Work required
- Create a Vault KMS plugin (by HashiCorp)
- QE the Vault KMS plugin with OpenShift and HCP (ideally by HashiCorp)
- Docs for use of Vault KMS plugin for data encryption in OpenShift and HCP
Relates to: OCPSTRAT-108 [TP] Support Kube KMS Integration in OCP (User-Provided) (In Progress)