etcd/vault secret encryption

[jefflill]

We need to implement etcd encryption:

https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/

Things to think about:

• OpenShift can optionally configure aesgcm. This requires key rotation before 200K writes and OpenShift Encryption does this somehow. I think kms may be more interesting. We'd implement a key management system provider based on HashiCorp Vault or perhaps forwarding on to an integrated cloud key provider.

• We'd need to locate the kms provider somewhere like neon-cluster-operator

• Do we encrypt everything in etcd or just selected resources? OpenShift encrypts just: Secrets, ConfigMaps, Routes, OAuth access, and OAuth authorize tokens. This is probably done so make key rotation faster.

• Setup would need to generate keys and then read/write all secrured resources via something like:

  kubectl get secrets --all-namespaces -o json| kubectl replace -f -

• ready-to-go deployments would need to rotate keys and read/write the secured resources.

[marcusbooyah]

Azure, AWS and Google have solutions for KMS: https://github.com/Azure/kubernetes-kms https://github.com/kubernetes-sigs/aws-encryption-provider https://github.com/GoogleCloudPlatform/k8s-cloudkms-plugin