Project: OpenShift Container Platform (OCP) Strategy
Issue: OCPSTRAT-1625

[Blocked] Validate Hashicorp Vault with Kube KMS for OpenShift Core


    • Strategic Product Work
    • OCPSTRAT-1782 OpenShift integration with external secret managers (Vault)
    • 100% To Do, 0% In Progress, 0% Done
    • Backlog Refinement

      Feature Overview

      Test, and automate in CI, the integration between Kube KMS and HashiCorp Vault.

      OpenShift is planning to support the use of KMS providers for encrypting etcd data (OCPSTRAT-108).

      Goals


      Integrating Kube KMS with Vault offers high value for OCP, aligning with EU Security Policy and addressing strong demand from the field (GFSI and Telco). This feature is critical for securing upcoming EU deals in 2025 that require OCP support for Kube KMS.

      Vault has different integration points. The integration expected to be validated is the Kube KMS API, used to manage the etcd encryption keys with Vault.
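      For reference, this is the shape of the upstream Kubernetes `EncryptionConfiguration` that a Kube KMS v2 provider is wired into. It is an added illustration, not configuration from this ticket or from HashiCorp; since the ticket notes that no Vault KMS plugin exists yet, the provider name and the socket path are placeholders for whatever a future plugin would expose, and how this surfaces in an operator-managed OpenShift API server is exactly what this feature leaves to be validated.

```yaml
# Added example: kube-apiserver encryption configuration using a KMS v2 provider.
# The provider name and socket path are placeholders (no Vault KMS plugin exists today).
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # First provider is used for writes; the plugin speaks the KMS v2 gRPC API
      # over a local unix socket and holds the key material in Vault, never on disk.
      - kms:
          apiVersion: v2
          name: vault-kms-placeholder          # placeholder plugin name
          endpoint: unix:///var/run/kmsplugin/socket.sock   # placeholder socket path
          timeout: 3s
      # identity last, so objects written before encryption was enabled can still be read
      # until they are rewritten and picked up by the KMS provider.
      - identity: {}
```

      A CI check for this integration would confirm that a freshly written Secret is stored in etcd with the `k8s:enc:kms:v2:<provider-name>:` prefix rather than as plaintext, and that rotating or revoking the key in Vault has the expected effect on reads.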

      Resources to consider for encrypting with this integration

      Q&A

      • How can we get access to Vault in CI? Is it going to run in a cloud separately from the CI cluster, or should we get it to run inside the cluster?
        • Inside the cluster if there aren't technical constraints for the features to be validated, on its own cluster otherwise.
      • No plugin/provider exists today to create the bridge between Kubernetes and Vault.

      Requirements

      • Integration between Kube KMS and Vault is tested and integration points documented
      • CI is implemented

      Dependencies

      Work required

      • Create a Vault KMS plugin (by HashiCorp)
      • QE the Vault KMS plugin with OpenShift and HCP (ideally by HashiCorp)
      • Docs for use of Vault KMS plugin for data encryption in OpenShift and HCP

      People: Ramon Acedo (racedoro@redhat.com), Damien Grisonnet
      Votes: 0
      Watchers: 3