Extend SSE-KMS in Rados Gateway to support HashiCorp Vault
Extend the SSE-KMS functionality (server-side encryption with a Key Management System) in Rados Gateway to support HashiCorp Vault, in addition to the existing OpenStack Barbican support. The proposed solution is to extend the SSE-KMS code in Rados Gateway by introducing an abstraction for plugging in other KMS systems and adding support for HashiCorp Vault.
While Vault supports many authentication methods, the initial implementation will be restricted to the following methods:
- Token - if set, the token is used to call Vault (useful for development and simple use cases).
- Vault Agent - the Vault agent automatically authenticates to Vault and manages the token renewal process for locally-retrieved dynamic secrets.
More details: https://pad.ceph.com/p/rgw_sse-kms
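
The sketch below is an added illustration, not code from Ceph or from this proposal. It shows how the two methods differ in what the gateway has to hold: with Token it reads a token from disk and sends it to Vault, with Vault Agent it holds no credential and calls a local agent. The addresses, the KV v2 mount `secret`, the key-id pattern and the function names are assumptions.

```python
import os
import re
import stat

# Assumed addresses and mount point (not from the page).
VAULT_ADDR = "https://vault.example.internal:8200"
AGENT_ADDR = "http://127.0.0.1:8100"   # local Vault Agent listener
SECRET_MOUNT = "secret"                # KV v2 mount holding the keys

KEY_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,128}")


def read_token(path):
    """Read a Vault token, refusing files readable by group or others."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode) or st.st_mode & 0o077:
        raise PermissionError(f"{path}: token file must be mode 0600 or stricter")
    with open(path, encoding="ascii") as fh:
        token = fh.read().strip()
    if not token:
        raise ValueError(f"{path}: empty token")
    return token


def build_key_request(auth, key_id, token_file=None):
    """Return (url, headers) for fetching key_id with the given auth method."""
    # The key id comes from the client's S3 request: keep it to one path segment.
    if not KEY_ID_RE.fullmatch(key_id):
        raise ValueError("invalid key id")
    path = f"/v1/{SECRET_MOUNT}/data/{key_id}"
    if auth == "token":
        # The gateway holds the token itself and talks to Vault directly.
        return VAULT_ADDR + path, {"X-Vault-Token": read_token(token_file)}
    if auth == "agent":
        # The gateway holds no credential; the local agent attaches its own
        # token (assumes the agent is set up to use its auto-auth token).
        return AGENT_ADDR + path, {}
    raise ValueError(f"unsupported auth method: {auth}")
```

In token mode the token file is the credential to protect, which is why the sketch rejects permissive file modes; in agent mode the thing to protect is access to the agent's listener.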