OpenShift Container Platform (OCP) Strategy / OCPSTRAT-1625

[Blocked] Validate Hashicorp Vault with Kube KMS for OpenShift Core


      Feature Overview

      Test the integration of Kube KMS with HashiCorp Vault and automate that testing in CI.

      OpenShift is planning to support the use of KMS providers for encrypting etcd data (OCPSTRAT-108).

      Goals


      Integrating Kube KMS with Vault offers high value for OCP, aligning with EU Security Policy and addressing strong demand from the field (GFSI and Telco). This feature is critical for securing upcoming EU deals in 2025 that require OCP support for Kube KMS.

      Vault has several integration points. The integration expected to be validated is the Kube KMS API, used to manage the etcd encryption keys with Vault.

      Resources to consider for encrypting with this integration

      Q&A

      • How can we get access to Vault in CI?
      • Is it going to run in a cloud separately from the CI cluster, or should we get it to run inside the cluster?
        • Inside the cluster if there are no technical constraints for the features to be validated; on its own cluster otherwise.
      • No plugin/provider exists today that bridges Kubernetes KMS and Vault.

      Requirements

      • Integration between Kube KMS and Vault is tested and the integration points are documented
      • CI is implemented

      Dependencies

      Work required

      • Create a Vault KMS plugin (by HashiCorp)
      • QE the Vault KMS plugin with OpenShift and HCP (ideally by HashiCorp)
      • Docs for use of Vault KMS plugin for data encryption in OpenShift and HCP

            People: Ramon Acedo (racedoro@redhat.com), Damien Grisonnet