OpenStack Strategy: RHOSSTRAT-1036

Glance Native Encryption with Cinder

    • Type: Feature
    • Resolution: Unresolved
    • Priority: Major
    • 2026.1 (G), 2026.2 (H)
    • rhos-18.0 FR 2 (Mar 2025)
    • Glance
    • Important
    • 50% To Do, 50% In Progress, 0% Done
    • rhos-storage-glance

      Feature Overview

      The primary focus of this feature is to support encrypting an image and uploading it to Glance. Users can then create bootable volumes from that image and boot VMs from those volumes.

      This orchestration is to be done via the OSC/SDK, which interacts with Barbican to obtain the key, encrypts the image, and uploads the result to Glance. The user provides the path to an unencrypted image to the client; the client then orchestrates creation of the key in Barbican, retrieves that key, encrypts the image locally with it, and uploads the encrypted image to Glance.

      The secondary focus is a proper approach by which Glance can ensure correctness and act as a gatekeeper, rejecting images that should not be processed. The upstream work for that effort will be expanded so that Glance can process already-encrypted images.

      Background and Strategic Fit

      The specific customer asks are for Cinder boot path support. There is a very non-standard approach under SE for NFV vendors that have needed Cinder support (KBase Article: https://access.redhat.com/articles/5505061). We need to satisfy the requests for more direct and native support for Glance encrypted images in the Cinder boot path use case. There is no immediate ask for Nova ephemeral support, but the core Glance changes need to accommodate all cases properly, regardless of when or whether we decide to productize them.

      Goals 

      • Deliver at least Tech Preview OSC/SDK support to encrypt and upload Glance images for the Cinder boot-from-volume use case
      • Deliver improved, standardized support for booting from an encrypted volume, ensuring only valid boot images are allowed
      • Provide upstream and downstream automated CI coverage for these feature changes
      • Deliver Support Enablement for this feature within a quarter of GA
      • Provide customer facing documentation in RHOSO-19 at GA (TP)

       

      Requirements:

      Requirement                                                          Notes   isMVP?
      Encrypt image and upload to glance for cinder use case                       Yes
      Improve Glance support for validating encrypted images                       Yes
      Encrypt image and upload to glance for Nova ephemeral use case               No
      User friendly nova error message when booting from image (libvirt)           No
      User friendly nova error message when booting from image (ironic)            No

       

      Done - Acceptance Criteria 

      1. Deliver the ability to encrypt Glance images for the Cinder boot volumes use case
      2. Complete all upstream requirements no later than the I release
      3. Deliver CI automation both upstream and downstream
      4. Deliver downstream docs for GA
      5. Tech Preview status at RHOSO-19 GA is acceptable

      Use Cases - i.e. User Experience & Workflow: 

      • User (any privilege requirements?) will use OSC or the SDK to encrypt an image using Barbican and, with a single command or API call, will get an encrypted image uploaded to Glance for Cinder boot usage
      • Every case in which an encrypted image fails to boot should result in a clear error message where possible
        • Nova and Ironic are the two known cases so far

       

      Customer Considerations

      One of the customers makes extensive use of bare metal, but this feature does not cover that case; if support is needed for it, one or more RFEs will need to be created.

      Out of Scope

      • Nova ephemeral use case
      • Ironic or BM support 

      Documentation Considerations 

      • We will need customer-facing Glance documentation for the OSC/SDK addition
      • Enumerate any limitations
      • Mention the supported encryption algorithms

      Product RA Considerations (Packaging, CIFW, CIHW, New CI jobs?)

      • No major changes, support will be added to existing packages and CI jobs

      Questions to Answer 

      1. Will the Glance team need to deliver the OSC/SDK changes? It is a different project, and the work is not resourced there
        • Yes is the expected answer
      2. How is the change proposed to SDK/OSC? wing up
      3. Is the multi-store use case covered by the current spec?
      4. Do we need an EPIC for any specific perf/scale aspects?

              pgrist@redhat.com Paul Grist
              Abhishek Kekane, Cyril Roelandt
              Gregory Charot
              Edu Alcaniz
              rhos-storage-glance
              Votes: 0
              Watchers: 3