OpenShift Storage / STOR-1950

Test and Document GCP SSCSI provider support with RedHat Secret Store CSI driver Operator


    • OCPSTRAT-1459 - Test and Document GCP SSCSI provider support with RedHat Secret Store CSI driver Operator
    • 50% To Do, 25% In Progress, 25% Done

      Epic Goal*

      The current version of the SSCSI Driver Operator from RedHat does not document support for the Google Cloud provider. This feature will track the testing and documentation of the GCP provider with RedHat's Secret Store CSI Driver Operator.

      NOTE: REDHAT IS ONLY GOING TO PROVIDE VERIFICATION. ACTUAL TEST AND CERTIFICATION NEEDS TO BE COMPLETED BY GOOGLE CLOUD PROVIDER ON OPENSHIFT, AND GOOGLE CLOUD SHOULD PROVIDE SUPPORT FOR THE PROVIDER WHILE REDHAT WILL PROVIDE SUPPORT FOR THE SSCSI DRIVER.

      The idea of this epic is to enable customers to use the provider with our Operator and to verify from our end that the secrets workflow works with this provider.

       
      Why is this important? (mandatory)

      Customers using our Secret Store CSI driver solution for secrets management on Google Cloud can store their secrets in Google Secret Manager.

      Scenarios (mandatory) 

      Provide details for user scenarios including actions to be performed, platform specifications, and user personas.

      1. I am a developer - I would like to store and retrieve secrets for my applications from Google Secret Manager. I use Google Secret Manager because it can version and store secrets securely. I would like to use the SSCSI Driver Operator from RedHat to load secrets directly into the application.
      2. I am a cluster administrator - I would like to set up an external secrets management solution for securely bringing in secrets from external secrets storage such as Google Secret Manager. I would like to install and configure the Secret Store CSI Provider from Google along with RedHat's Secret Store CSI Driver Operator for an end-to-end secrets management solution.

       
      Dependencies (internal and external) (mandatory)

      Install and configure the upstream provider: https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp. Current install instructions upstream are only for K8s and GKE. We want OpenShift customers to be able to have similar instructions for install on OpenShift.

      Contributing Teams(and contacts) (mandatory) 

      Our expectation is that teams would modify the list below to fit the epic. Some epics may not need all the default groups but what is included here should accurately reflect who will be involved in delivering the epic.

      • Development - Y
      • Documentation - Y 
      • QE - Y
      • PX - N/A
      • Others - Auth QE/Docs 

      Acceptance Criteria (optional)

      Install SSCSI Driver Provider for GCP https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp on OpenShift

      Connect to Google Secret Manager

      Deploy Application and pull in secret from the Google Secret Manager

      Test version change

      Test that a secret change is refreshed/auto-rotated every 2 mins

      Test syncsecrets, where a K8s secret is created from the application secret after it is mounted. Test deleting the Pod/secret.

       

      Drawbacks or Risk (optional)

      GCP support for installation of the Provider puts completion of this epic at risk

      Any GKE-specific settings that don't work with OpenShift

      Done - Checklist (mandatory)

      The following points apply to all epics and are what the OpenShift team believes are the minimum set of criteria that epics should meet for us to consider them potentially shippable. We request that epic owners modify this list to reflect the work to be completed in order to produce something that is potentially shippable.

      • CI Testing - Basic e2e automation tests are merged and completing successfully
      • Documentation - Content development is complete.
      • QE - Test scenarios are written and executed successfully.
      • Technical Enablement - Slides are complete (if requested by PLM)
      • Engineering Stories Merged
      • All associated work items with the Epic are closed
      • Epic status should be "Release Pending" 

            ropatil@redhat.com Rohit Patil
            atelang@redhat.com Anjali Telang
            Jonathan Dobson, Rohit Patil
            Jonathan Dobson
            Rohit Patil
            Andrea Hoffer
            Gregory Charot
            Original Estimate: 1 week
            Remaining Estimate: 1 week
            Time Spent: Not Specified