-
Feature
-
Resolution: Unresolved
-
Undefined
-
None
-
None
-
Product / Portfolio Work
-
None
-
False
-
-
False
-
None
-
None
-
None
-
None
-
None
-
-
None
-
None
-
None
-
None
Feature Overview (aka. Goal Summary)
Implement the core data re-encryption functionality to ensure all existing etcd data is re-encrypted with new keys during rotation operations, while maintaining cluster availability and performance.
Although the issue mentions rotation/reencryption of keys in general, the encryption algorithm in ARO-HCP that is a higher priority is Azure KMS, which is the one leveraged for customer-managed keys.
Goals (aka. expected user outcomes)
- All existing etcd data is guaranteed to be re-encrypted with the new keys
- ARO-HCP clusters can meet Microsoft's security requirements for key rotation with complete data coverage
Requirements (aka. Acceptance Criteria):
- Ensure all existing etcd data (resources that HyperShift currently sets to be encrypted) is re-encrypted
with new keys - Guarantee complete data coverage - all existing etcd data must be re-encrypted with the new keys
- Maintain cluster availability during key rotation and re-encryption processes
- Ensure key rotation does not significantly impact cluster performance
| Deployment considerations | List applicable specific needs (N/A = not applicable) |
| Self-managed, managed, or both | Both - primarily needed for managed ARO-HCP clusters |
| Classic (standalone cluster) | Supported for consistency |
| Hosted control planes | Primary use case - ARO-HCP clusters |
| Multi node, Compact (three node), or Single node (SNO), or all | All cluster sizes |
| Connected / Restricted Network | Both deployment types |
| Architectures, e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x) | x86_x64, ARM |
| Operator compatibility | Must work with HyperShift operator |
| Backport needed (list applicable versions) | TBD based on ARO-HCP GA timeline |
| UI need (e.g. OpenShift Console, dynamic plugin, OCM) | N/A |
| Other (please specify) | N/A |
Use Cases (Optional):
Primary use case: ARO-HCP cluster administrator initiates key rotation process, HyperShift detects the new key, triggers OpenShift key rotation, all data has been successfully re-encrypted.
Questions to Answer (Optional):
Include a list of refinement / architectural questions that may need to be answered before coding can begin. Initial completion during Refinement status.
Out of Scope
- Management of the creation and renewal of the keys by Hypershift
- Automatic key rotation scheduling/policies
- Performance tuning for specific cluster sizes
Background
This feature is required to support ARO-21568, and ARO-21456. Microsoft requires comprehensive key rotation capabilities for ARO-HCP to meet S360 security requirements. Currently, Hypershift key rotation lacks the guaranteed re-encryption that is needed to provide reliable key rotation for ARO customers.
Customer Considerations
ARO-HCP needs assurance that all their etcd data is protected with the latest keys. Any gaps in re-encryption could leave sensitive data encrypted with potentially compromised or rotated-out keys, creating security and compliance issues.
Documentation Considerations
Provide information that needs to be considered and planned so that documentation will meet customer needs. If the feature extends
existing functionality, provide a link to its current documentation. Initial completion during Refinement status.
Interoperability Considerations
Which other projects, including ROSA/OSD/ARO, and versions in our portfolio does this feature impact? What interoperability test
scenarios should be factored by the layered products? Initial completion during Refinement status.
- relates to
-
-
- New
-
