Feature #41062
closed
Extend SSE-KMS in Rados Gateway to support HashiCorp Vault
Description
Extend SSE-KMS functionality (server-side encryption with a Key Management System) in Rados Gateway to support HashiCorp Vault, in addition to existing OpenStack Barbican support. The proposed solution is to extend the SSE-KMS code in Rados Gateway, introducing an abstraction to plug in other KMS systems, and adding support for HashiCorp Vault.
While Vault supports many authentication methods, the initial implementation will be restricted to the following methods:
- Token - if set, the token is used to call Vault (useful for development and simple use cases).
- Vault Agent - the Vault agent automatically authenticates to Vault and manages the token renewal process for locally-retrieved dynamic secrets.
More details: https://pad.ceph.com/p/rgw_sse-kms
Updated by Casey Bodley over 4 years ago
- Tracker changed from Bug to Feature
- Status changed from New to In Progress
Updated by Sergio de Carvalho over 4 years ago
Second PR: https://github.com/ceph/ceph/pull/31025
Updated by Sergio de Carvalho over 4 years ago
Third PR: https://github.com/ceph/ceph/pull/31361