Project: OpenShift Storage
Issue: STOR-1058

vSphere CSI encryption support


    • Strategic Product Work
    • OCPSTRAT-322 - vSphere VMcrypt support (UPI)
    • 0% To Do, 0% In Progress, 100% Done

      Epic Goal*

      This epic tracks support for an encrypted storage class with vSphere. It allows the creation of a storage class that references an encrypted storage policy.

      It is one of the epics required to support https://issues.redhat.com/browse/OCPPLAN-9655

      This epic should be mostly QE and docs work, as the feature is already available in the vSphere CSI driver we ship in OCP.

      This epic targets vSphere 7.0.2 and newer, and only with UPI deployment.

      VMware documentation: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.storage.doc/GUID-003511C4-6B5F-484F-BE78-B9A9387C0E7F.html

      Why is this important? (mandatory)

      This feature allows user-provisioned persistent storage to be encrypted over the wire. This is a requirement for some customers who are under strict security regulations.

      Scenarios (mandatory)


      1. Create a custom storage class that references an encrypted storage policy.
        1. If such a PV is created for an unencrypted VM, the user gets an error
        2. If such a PV is created for an encrypted VM, the volume is encrypted
          1. Support the same storage operations that are available with unencrypted PVs
          2. Document unsupported operations, if any
      2. Trigger an alert if encrypted and unencrypted VMs and PVs are mixed together.
      3. Red Hat receives, via telemetry, whether encryption is enabled and/or whether the environment supports encryption
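      As an added illustration of scenario 1 (not part of this epic or of the vSphere CSI driver's own manifests), a custom StorageClass that points the vSphere CSI provisioner at an encrypted storage policy, followed by a PVC that consumes it. The policy name and object names are placeholders; the encrypted storage policy itself is defined in vCenter per the VMware documentation linked above.

```yaml
# Custom StorageClass referencing an encrypted vSphere storage policy.
# "<ENCRYPTED-STORAGE-POLICY>" is a placeholder: replace it with the name of the
# storage policy created in vCenter with the encryption component enabled.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: thin-csi-encrypted
provisioner: csi.vsphere.vmware.com
parameters:
  storagepolicyname: "<ENCRYPTED-STORAGE-POLICY>"
reclaimPolicy: Delete
# Delay provisioning until a pod is scheduled, so the volume is created for the
# node VM that will actually consume it.
volumeBindingMode: WaitForFirstConsumer
---
# PVC requesting an encrypted volume through the custom class.
# Per scenario 1: if the consuming node's VM is not itself encrypted, the driver
# returns an error instead of provisioning; if the VM is encrypted, the resulting
# volume is encrypted. Unencrypted PVs keep using the default storage class.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: encrypted-data
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: thin-csi-encrypted
  resources:
    requests:
      storage: 10Gi
```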

      Dependencies (internal and external) (mandatory)

      This epic requires the OCP VMs to be encrypted with a KMS, so that scenario needs to be supported first. This dependency is not covered by the storage team.

      We need to scope the VMware support coverage and limitations.

      Contributing Teams (and contacts) (mandatory)

      SPLAT team for supporting encrypted VMs.

      SPLAT team for providing a testing vSphere environment with encryption support.

      Acceptance Criteria (optional)

      With encrypted OCP VMs, run regression tests of all supported CSI features with both encrypted PVs (via the custom SC) and unencrypted PVs (via the default SC).

      Drawbacks or Risk (optional)

      Increases the vSphere support matrix. Support may be more complex due to encryption.

      Done - Checklist (mandatory)

      The following points apply to all epics and are what the OpenShift team believes are the minimum set of criteria that epics should meet for us to consider them potentially shippable. We request that epic owners modify this list to reflect the work to be completed in order to produce something that is potentially shippable.

      • CI Testing - Basic e2e automation tests are merged and completing successfully
      • Documentation - Content development is complete.
      • QE - Test scenarios are written and executed successfully.
      • Technical Enablement - Slides are complete (if requested by PLM)
      • Engineering Stories Merged
      • All associated work items with the Epic are closed
      • Epic status should be “Release Pending” 

              hekumar@redhat.com Hemant Kumar
              rh-gs-gcharot Gregory Charot
              Penghao Wang
                  Estimated: Original Estimate - 3 weeks
                  Remaining: 0m