
[OSD-GCP] Use customer managed encryption key for image-registry bucket


      1. Proposed title of this feature request

      [OSD-GCP] Use customer managed encryption key for image-registry bucket

      2. What is the nature and description of the request?

      Customers on GCP that require all buckets to use a customer-managed encryption key (CMEK), for example because the Organization Policy Constraint "constraints/gcp.restrictNonCmekServices" is set to include "storage.googleapis.com/Bucket", should still be able to use the cluster's image registry. Currently (on OSD-GCP 4.18.14), the image-registry bucket is created with "Encryption type: Google-managed" rather than with the customer's key, even when the "Use Custom KMS keys" option is specified during the OSD-GCP install.

      This is the same customer need as RFE-5333, but that issue is scoped to the bootstrap-ignition bucket, and we want to make sure that the image-registry bucket is covered as well.
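      A small audit that shows the gap this RFE describes, added here as an example and not part of the RFE or of any OpenShift component: it walks bucket metadata in the shape the Cloud Storage JSON API returns (the "encryption" object with "defaultKmsKeyName") and reports buckets that have no customer-managed key, plus the common caveat that a regional bucket's key must live in the bucket's own location. The bucket names, project and key names below are constructed sample data, and the expected-location check is an assumption about how a customer would use it.

```python
"""Audit Cloud Storage bucket metadata for customer-managed encryption keys.

Added example, not part of the RFE. Input is a list of bucket resources in
the shape the Cloud Storage JSON API returns (e.g. the output of
`gcloud storage buckets list --format=json`). All sample data is constructed.
"""
import re

# Fully qualified Cloud KMS key name, as GCS stores it in defaultKmsKeyName.
KMS_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)/"
    r"keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)

# Constructed sample: three buckets an OSD-GCP project might hold.
SAMPLE_BUCKETS = [
    {   # image-registry bucket with no 'encryption' object => Google-managed
        "name": "example-cluster-ab12c-image-registry-us-east1-0001",
        "location": "US-EAST1",
    },
    {   # bootstrap-ignition bucket using a CMEK in the bucket's location
        "name": "example-cluster-ab12c-bootstrap-ignition",
        "location": "US-EAST1",
        "encryption": {
            "defaultKmsKeyName": "projects/example-project/locations/us-east1/"
                                 "keyRings/example-ring/cryptoKeys/example-key"
        },
    },
    {   # bucket whose CMEK lives in a different region than the bucket
        "name": "example-cluster-ab12c-audit-logs",
        "location": "US-EAST1",
        "encryption": {
            "defaultKmsKeyName": "projects/example-project/locations/us-central1/"
                                 "keyRings/example-ring/cryptoKeys/example-key"
        },
    },
]


def bucket_cmek_key(bucket):
    """Return the bucket's default KMS key name, or None when encryption is Google-managed."""
    return (bucket.get("encryption") or {}).get("defaultKmsKeyName")


def find_non_cmek_buckets(buckets, check_location=True):
    """Return (bucket_name, reason) pairs for buckets that would violate a
    'CMEK for every bucket' requirement.

    With check_location=True, a key whose Cloud KMS location differs from a
    regional bucket's location is also reported, since GCS rejects such a
    pairing for regional buckets.
    """
    findings = []
    for bucket in buckets:
        name = bucket["name"]
        key = bucket_cmek_key(bucket)
        if not key:
            findings.append((name, "no customer-managed key (Google-managed encryption)"))
            continue
        match = KMS_KEY_RE.match(key)
        if not match:
            findings.append((name, f"unparseable KMS key name: {key}"))
            continue
        bucket_location = bucket.get("location", "").lower()
        if check_location and bucket_location and match.group("location") != bucket_location:
            findings.append((name, f"key location {match.group('location')} "
                                   f"does not match bucket location {bucket_location}"))
    return findings


def non_cmek_bucket_names(buckets, check_location=True):
    """Convenience wrapper returning just the offending bucket names."""
    return [name for name, _ in find_non_cmek_buckets(buckets, check_location)]


if __name__ == "__main__":
    for name, reason in find_non_cmek_buckets(SAMPLE_BUCKETS):
        print(f"{name}: {reason}")
```

      Run against the sample data, the image-registry bucket is reported as Google-managed (the situation this RFE describes) and the audit-logs bucket is reported for a key in the wrong location, while the bootstrap-ignition bucket passes. Feeding real `gcloud storage buckets list --format=json` output into the same functions gives a quick per-project check that every bucket, not just the ones the installer configures explicitly, honours the customer's CMEK requirement.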

      3. Why does the customer need this? (List the business requirements here)

      For compliance and data security reasons, many customers require all data be stored with a customer-managed encryption key. OSD-GCP accepts a CMEK, but currently only uses it for VM disks, not for buckets.

      4. List any affected packages or components.

      • Image Registry Operator
      • OCM provisioning of OSD-GCP
      • May impact how service accounts are configured with SA (service account key) or WIF (Workload Identity Federation) auth

              rh-ee-smulkutk Shreyans Mulkutkar
              rh-ee-daxelrod Daniel Axelrod