OpenShift Storage / STOR-873

Implement custom keys in Azure Disk CSI driver operator


    • Story
    • Resolution: Done
    • Storage Sprint 232

      User Story:

      As a cluster admin, I want OCP to provision new volumes with my custom encryption key that I specified during cluster installation in install-config.yaml so all OCP assets (PVs, VMs & their root disks) use the same encryption key.

      Acceptance Criteria:

      Description of criteria:

      • Check that dynamically provisioned PVs use the key specified in install-config.yaml
      • Check that the key can be changed in the TBD API and that all volumes provisioned after the key change use the new key. (The exact API is not defined yet; it will probably be a new field in `Infrastructure`, so it is called TBD API for now.)

      (optional) Out of Scope:

      Re-encryption of existing PVs with a new key. Only newly provisioned PVs will use the new key.

      Engineering Details:

      Enhancement (incl. TBD API with encryption key reference) will be provided as part of https://issues.redhat.com/browse/CORS-2080.

      "Raw meat" of this story is the translation of the key reference in the TBD API to StorageClass.Parameters. The Azure Disk CSI driver operator should update the StorageClass it manages (managed-csi) with:

      Parameters:
          diskEncryptionSetID: /subscriptions/<subs-id>/resourceGroups/<rg-name>/providers/Microsoft.Compute/diskEncryptionSets/<diskEncryptionSet-name>

      Upstream docs: https://github.com/kubernetes-sigs/azuredisk-csi-driver/blob/master/docs/driver-parameters.md (CreateVolume parameters == StorageClass.Parameters)
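
      A sketch of the translation described above, added here as an example and not taken from the operator's code. The DiskEncryptionSetRef type, its field names, the segment allow-list and the "nil means no custom key" behaviour are assumptions, since the TBD API is not defined yet; the sample IDs are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// DiskEncryptionSetRef is a hypothetical stand-in for the key reference in the TBD API.
type DiskEncryptionSetRef struct{ SubscriptionID, ResourceGroup, Name string }

const paramKey = "diskEncryptionSetID" // StorageClass parameter named in the story

// Conservative allow-list per path segment (assumption, stricter than Azure naming rules).
// Rejecting "/" keeps a reference from being rewritten into a different resource path.
var segment = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*$`)

// ResourceID renders the reference as the resource ID format shown in the story.
func (r DiskEncryptionSetRef) ResourceID() (string, error) {
	for _, s := range []string{r.SubscriptionID, r.ResourceGroup, r.Name} {
		if !segment.MatchString(s) {
			return "", fmt.Errorf("invalid resource ID segment %q", s)
		}
	}
	return fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/diskEncryptionSets/%s",
		r.SubscriptionID, r.ResourceGroup, r.Name), nil
}

// DesiredParameters copies current, sets diskEncryptionSetID from ref (or removes it
// when ref is nil, an assumption) and reports whether the parameters changed.
// Kubernetes does not allow updating parameters on an existing StorageClass, so a
// caller that sees changed == true has to delete and recreate the object.
func DesiredParameters(current map[string]string, ref *DiskEncryptionSetRef) (map[string]string, bool, error) {
	out := make(map[string]string, len(current)+1)
	for k, v := range current {
		out[k] = v
	}
	if ref == nil {
		_, had := out[paramKey]
		delete(out, paramKey)
		return out, had, nil
	}
	id, err := ref.ResourceID()
	if err != nil {
		return nil, false, err
	}
	changed := out[paramKey] != id
	out[paramKey] = id
	return out, changed, nil
}

func main() {
	ref := &DiskEncryptionSetRef{"00000000-0000-0000-0000-000000000000", "rg-demo", "des-demo"}
	params, changed, err := DesiredParameters(map[string]string{"skuName": "Premium_LRS"}, ref)
	fmt.Println(params, changed, err)
}
```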

            jdobson@redhat.com Jonathan Dobson
            rhn-engineering-jsafrane Jan Safranek