CORS-4403: Add enhancement for GCP customer-managed KMS encryption

[barbacbd]

Proposes adding support for customer-managed Cloud KMS keys
to encrypt GCS buckets used by the OpenShift installer on GCP.
Covers bootstrap ignition bucket and image registry bucket
encryption for compliance and regulatory requirements.

Co-Authored-By: Claude Sonnet 4.5 noreply@anthropic.com
Reviewed by: @barbacbd

[openshift-ci-robot]

@barbacbd: This pull request references CORS-4403 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Proposes adding support for customer-managed Cloud KMS keys
to encrypt GCS buckets used by the OpenShift installer on GCP.
Covers bootstrap ignition bucket and image registry bucket
encryption for compliance and regulatory requirements.

Co-Authored-By: Claude Sonnet 4.5 noreply@anthropic.com
Reviewed by: @barbacbd

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[JoelSpeed]

ignitionStorageEncryptionKey.kmsKey has key twice in quick succession, maybe drop the first key?

[JoelSpeed]

NIt: Recommendation now is to avoid the pointer and use omitzero instead of omitempty

[JoelSpeed]

Might want to make this more structured in case we have additional stuff to add later

registry:
  storage:
    kmsKey:
      name: ...

[JoelSpeed]

For a UPI cluster, how does the platform status get populated so that the image registry operator can create the bucket?

[JoelSpeed]

Or now, what is the expectation for the image registry, do users configure that when they generate the manifests?

[barbacbd]

I don't think so. The manifest should be generated by the installer still. Even if this is run as upi, the installer is still executed and those manifests would be generated based on your input in the install-config.

[JoelSpeed]

What happens if a new field is added to KMSKeyReference, you'd expect that to be supported in all three usage locations?

[barbacbd]

not necessarily. The fields are validated individually so if a new value is added they don't have to support it but ideally any new field should apply to all of them.

[JoelSpeed]

How would you expect the API to evolve to support this in the future?

[JoelSpeed]

Can the installer team propose the changes to the operator as part of their work? You'd need commitment from the registry team to review

Is anyone from registry reviewing this EP?

[JoelSpeed]

You don't need to know anything about the encryption to read from the bucket right? So registry is not impacted?

[barbacbd]

that should be true. The service account only needs permission to read so that is more than likely a documentation update (if it doesn't already exist) to ensure the user has this permission when using this feature.

[barbacbd]

Response to Review Comments

Thank you @JoelSpeed for the thorough review! I've addressed your feedback and made some important discoveries during analysis. Here's the status of each comment:

✅ Addressed in Commit b96e1e99

Comments 1, 3, 4, 5: API structure, naming, and omitzero

• Changed from flat structure to nested: ignition.storage.encryptionKey.kmsKey
• Applied omitzero instead of pointers with omitempty
• Added structured namespaces for future extensibility

New structure:

platform:
  gcp:
    ignition:
      storage:
        encryptionKey:
          kmsKey:
            name: ignition-key
            keyRing: openshift-keyring
            location: us-east1
    registry:
      storage:
        encryptionKey:
          kmsKey:
            name: registry-key

✅ Resolved by Technical Analysis

Comment 2: Day-2 cluster access to these values

• Answer: Not needed. GCS stores the KMS key in bucket metadata at creation time. All subsequent encryption/decryption is automatic if the service account has cloudkms.cryptoKeyDecrypter IAM permission. No cluster component needs to reference the install-config values after install.

Comment 8: Operator changes and registry team coordination

• Great news: No operator changes needed! The cluster-image-registry-operator has had full KMS support since 2019 (commit 8c08cc6805).
• The ImageRegistry CR field spec.storage.gcs.keyID already exists in openshift/api since 2019.
• This is now an installer-only change - we just populate the existing field.
• Updated the enhancement (commit eca22306) to remove Infrastructure CR API changes and document existing operator support.

Comment 9: Encryption knowledge for reading

• Correct - you don't need to know the encryption key to read. GCS handles encryption/decryption transparently once the key is attached to bucket metadata. The service account just needs cloudkms.cryptoKeyDecrypter IAM permission.
• Registry operator is not impacted by encryption.

💬 Discussion Needed

Comment 6: Type reuse concerns with KMSKeyReference

• Currently reused across disk encryption, ignition storage, and registry storage
• My position: Type reuse is correct because GCP KMS keys have uniform structure regardless of use case
• Any new fields Google adds (versions, aliases, HSM level) would likely apply universally
• Alternative: Split into use-case-specific types for more flexibility
• Question: Do you prefer keeping the shared type or splitting?

Comment 7: Cross-project KMS keys - API evolution

• Good news: Current API already supports it! The ProjectID field enables cross-project keys.
• Evolution path:
  • Phase 1 (initial): Same-project only, validate ProjectID matches cluster
  • Phase 2 (future): Support cross-project with updated validation and documentation
  • No breaking changes needed
• When ProjectID differs from cluster project, we'd validate cross-project IAM permissions are set up
• Question: Does this evolution path work for you?

---

I've documented detailed responses in my analysis files. Happy to discuss Comments 6 and 7 further or adjust the approach based on your feedback.

[JoelSpeed]

Missing api-approvers metadata, should be a linter flagging that

[barbacbd]

done. Thanks!

[JoelSpeed]

What does your flow look like for testing this feature and making sure that it is GA ready before merge?

We have plenty of install time features that are tested first in tech preview before being promoted to GA, so I'd challenge "feature gates are not appropriate"

[barbacbd]

We will have to create a new step in the CI that will test this feature. This should ensure it is "green" or good to go before merging.

[JoelSpeed]

Or now, what is the expectation for the image registry, do users configure that when they generate the manifests?

[openshift-ci]

@barbacbd: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.