Feature
Resolution: Unresolved
Major
BU Product Work
100% To Do, 0% In Progress, 0% Done
Feature Overview (aka. Goal Summary)
The Installer will reuse existing user-managed KMS keys, extending their use to encrypt the S3 buckets that store Ignition files during cluster bootstrap and the S3 bucket that backs internal registry storage.
Goals (aka. expected user outcomes)
Extend the existing support for customer-managed KMS keys to the bootstrap storage and the image registry storage.
Requirements (aka. Acceptance Criteria):
The install-config KMSKey option, used today to encrypt other objects, will also be applied to the S3 bucket created at install time to store Ignition files and to the S3 bucket the Internal Registry uses for container images.
Anyone reviewing this Feature needs to know which deployment configurations the Feature will apply to (or not) once it has been completed. Describe specific needs (or indicate N/A) for each of the following deployment scenarios. For specific configurations that are out of scope for a given release, also provide the OCPSTRAT for the configuration to be supported in the future.
Deployment considerations | List applicable specific needs (N/A = not applicable) |
Self-managed, managed, or both | |
Classic (standalone cluster) | |
Hosted control planes | |
Multi node, Compact (three node), or Single node (SNO), or all | |
Connected / Restricted Network | |
Architectures, e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x) | |
Operator compatibility | |
Backport needed (list applicable versions) | |
UI need (e.g. OpenShift Console, dynamic plugin, OCM) | |
Other (please specify) | |
Background
GCP OpenShift users want to protect the content stored in the S3 bucket the Installer uses for Ignition files as well as the S3 bucket the Internal Registry uses for container images, so that all content stored in these objects is encrypted with the user-managed KMS keys they provide.
Documentation Considerations
The usual documentation will be required to instruct the user on how to use this feature.
Is related to: RFE-5333 GCP: Need to use customer managed encryption key for the S3 bucket used to store ignition files (Accepted)