Feature
Resolution: Unresolved
Product / Portfolio Work
Feature Overview (aka. Goal Summary)
Implement comprehensive status reporting and monitoring capabilities for etcd encryption key rotation operations. This provides HyperShift operators and platform administrators with programmatic access to rotation status and visibility into progress.
Although the issue mentions rotation/re-encryption of keys in general, the higher-priority encryption provider in ARO-HCP is Azure KMS, which is the one leveraged for customer-managed keys.
Goals (aka. expected user outcomes)
- HyperShift operators can programmatically determine when etcd encryption key rotation has completed successfully
- Platform administrators have visibility into data re-encryption progress during key rotation
Requirements (aka. Acceptance Criteria):
1. Provide a status/condition API that indicates when encryption key rotation has been successfully completed
3. Expose progress indicators for data re-encryption operations
4. Maintain cluster availability during key rotation processes
5. Performance: Key rotation should not significantly impact cluster performance
| Deployment considerations | List applicable specific needs (N/A = not applicable) |
| --- | --- |
| Self-managed, managed, or both | Both - primarily needed for managed ARO-HCP clusters |
| Classic (standalone cluster) | Supported for consistency |
| Hosted control planes | Primary use case - ARO-HCP clusters |
| Multi node, Compact (three node), or Single node (SNO), or all | All cluster sizes |
| Connected / Restricted Network | Both deployment types |
| Architectures, e.g. x86_64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x) | x86_64, ARM |
| Operator compatibility | Must work with HyperShift operator |
| Backport needed (list applicable versions) | TBD based on ARO-HCP GA timeline |
| UI need (e.g. OpenShift Console, dynamic plugin, OCM) | N/A |
| Other (please specify) | N/A |
Use Cases (Optional):
Primary use case: An ARO-HCP cluster administrator initiates the key rotation process; HyperShift detects the new key, triggers OpenShift key rotation, and provides status back to the ARO control plane.
Questions to Answer (Optional):
Include a list of refinement / architectural questions that may need to be answered before coding can begin. Initial completion during Refinement status.
Out of Scope
- Management of the creation and renewal of the keys by HyperShift
- Automatic key rotation scheduling/policies
- Performance tuning for specific cluster sizes
Background
This feature is required to support ARO-21568 and ARO-21456. Microsoft requires comprehensive key rotation capabilities for ARO-HCP to meet S360 security requirements. Currently, HyperShift key rotation lacks the status reporting that is needed to provide reliable key rotation for ARO customers.
Customer Considerations
Documentation Considerations
Provide information that needs to be considered and planned so that documentation will meet customer needs. If the feature extends existing functionality, provide a link to its current documentation. Initial completion during Refinement status.
Interoperability Considerations
Which other projects, including ROSA/OSD/ARO, and versions in our portfolio does this feature impact? What interoperability test scenarios should be factored by the layered products? Initial completion during Refinement status.
- is related to: OCPSTRAT-2527 Complete etcd data re-encryption implementation for key rotation (New)