Feature
Resolution: Unresolved
Critical
None
None
BU Product Work
False
False
75% To Do, 0% In Progress, 25% Done
M
0
Backlog Refinement
Feature Overview (aka. Goal Summary)
ROSA clusters provide an internal, integrated container image registry that can be deployed in the OpenShift Container Platform environment to manage images locally. The actual image data is stored in a configurable storage location, such as cloud object storage or a filesystem volume. ROSA and OSD/AWS clusters use S3 as the backend storage for the internal image registry. Since January 2023, S3 has applied baseline server-side encryption (SSE-S3) to all new objects using an S3-managed symmetric key. This feature will allow customers to create clusters whose image registry storage is encrypted with their own KMS key (bring your own key, BYOK).
Goals (aka. expected user outcomes)
As an administrator of a ROSA cluster, I need to encrypt container registry images stored in cloud object storage (S3) using my own symmetric key in AWS Key Management Service (KMS), so that I can comply with corporate data security and governance policies for data protection.
- KMS keys provided by the customer are used to encrypt the image registry storage.
- Customers can meet their corporate data governance and security compliance requirements by using their own encryption/decryption keys and managing those keys through key policies and similar controls.
Requirements (aka. Acceptance Criteria):
- During creation of ROSA (needed especially for ROSA Classic) and OSD clusters, customers can optionally provide the ARN of a KMS key for encrypting the image registry storage.
- Both Day 1 and Day 2 scenarios are supported.
- Customers can create ROSA clusters in either the customer-owned or the hosted control plane architecture.
- The ROSA CLI, OCM CLI/UI/API and Terraform support the field.
- The Image Registry operator defines and assumes only the permissions it requires on the specified KMS key (BYOK).
Background
Additional info: https://issues.redhat.com/browse/XCMSTRAT-193
Documentation Considerations
The usual documentation instructing users on how to use this feature will be required.
Implementation Considerations
Terraform is used for bucket creation.
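An added example (not the project's own Terraform) of what the bucket-side and operator-side configuration for this feature looks like, assuming the registry bucket is created with Terraform as noted above. All variables (region, bucket name, customer key ARN, operator role name) are placeholders; it shows the BYOK default encryption on the bucket and a least-privilege KMS grant for the Image Registry operator.

```hcl
variable "region"                 { type = string } # placeholder
variable "registry_bucket_name"   { type = string } # placeholder
variable "registry_kms_key_arn"   { type = string } # customer-supplied (BYOK) symmetric KMS key ARN
variable "registry_operator_role" { type = string } # name of the role the Image Registry operator assumes

resource "aws_s3_bucket" "registry" {
  bucket = var.registry_bucket_name
}
# Without this block, objects fall back to the S3-managed key (SSE-S3, the
# baseline since January 2023). With it, the customer's KMS key becomes the
# bucket default; bucket_key_enabled cuts KMS request volume per object.
resource "aws_s3_bucket_server_side_encryption_configuration" "registry" {
  bucket = aws_s3_bucket.registry.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = var.registry_kms_key_arn
    }
    bucket_key_enabled = true
  }
}

# Only the permissions S3 needs to encrypt/decrypt registry objects with the
# key, scoped to that one key and usable only through S3 in this region.
data "aws_iam_policy_document" "registry_kms" {
  statement {
    sid    = "ImageRegistryKmsBYOK"
    effect = "Allow"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
    ]
    resources = [var.registry_kms_key_arn]
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["s3.${var.region}.amazonaws.com"]
    }
  }
}
resource "aws_iam_role_policy" "registry_kms" {
  name   = "image-registry-kms-byok"
  role   = var.registry_operator_role
  policy = data.aws_iam_policy_document.registry_kms.json
}
```

The customer's KMS key policy must also permit the operator role to use the key; an IAM policy alone is not sufficient for a customer-managed key, so a missing key-policy entry shows up as KMS AccessDenied errors on image pushes.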