In confidential clusters, secrets such as encryption keys and passwords must be securely generated and stored. This issue proposes integrating the CL Operator, Trustee, and a secret management backend like Vault to support attestation-gated secret access.
Goal
- Enable the CL Operator to request and trigger generation of a secret (e.g., a password). The secret must be stored in a form that Trustee can retrieve.
- Store generated secrets securely in Vault.
- Allow Trustee to retrieve and deliver secrets only after successful attestation of the requesting workload.
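The three-party flow above, modeled in-process as an added illustration. This is not code from the CL Operator, Trustee or Vault; the class names, the resource path, the evidence format (a dict carrying a measurement hash and a nonce) and the single-use nonce handshake are assumptions standing in for the real protocol, where Trustee verifies signed TEE evidence and Vault enforces the read restriction with its own policies.

```python
"""Attestation-gated secret release, modeled with three in-process parties.

Added example, not project code. Operator generates and stores a secret,
Backend (a stand-in for Vault KV) releases it only to the broker identity,
Broker (a stand-in for Trustee) verifies attestation evidence against
reference measurements before handing the secret to the workload.
"""
import hashlib
import secrets


class SecretBackend:
    """Stand-in for a Vault KV store. Assumption: only the broker identity may
    read; in a real deployment this is a Vault policy bound to Trustee's role."""

    def __init__(self, broker_identity="trustee"):
        self._store = {}
        self._broker_identity = broker_identity

    def put(self, path, value):
        self._store[path] = value

    def get(self, path, caller):
        if caller != self._broker_identity:
            raise PermissionError(f"{caller!r} may not read {path!r} directly")
        return self._store[path]


class Operator:
    """Stand-in for the CL Operator: triggers generation and stores the result
    under a path the broker can resolve later."""

    def generate_password(self, backend, path, nbytes=32):
        password = secrets.token_urlsafe(nbytes)  # CSPRNG; never logged
        backend.put(path, password)
        return path


class Broker:
    """Stand-in for Trustee: challenge, verify evidence, release on success."""

    def __init__(self, backend, reference_measurements, identity="trustee"):
        self._backend = backend
        self._reference = set(reference_measurements)
        self._identity = identity
        self._nonces = set()
        self._sessions = set()

    def auth(self):
        # Step 1: issue a fresh nonce so evidence is bound to this session.
        nonce = secrets.token_hex(16)
        self._nonces.add(nonce)
        return nonce

    def attest(self, nonce, evidence):
        # Step 2: verify. Evidence is a constructed dict here; a real verifier
        # checks a signed hardware quote and derives the measurement from it.
        if nonce not in self._nonces:
            raise PermissionError("unknown or replayed nonce")
        self._nonces.discard(nonce)  # single use: a replay fails above
        if evidence.get("nonce") != nonce:
            raise PermissionError("evidence not bound to this challenge")
        if evidence.get("measurement") not in self._reference:
            raise PermissionError("measurement does not match reference values")
        token = secrets.token_urlsafe(32)
        self._sessions.add(token)
        return token

    def get_resource(self, token, path):
        # Step 3: release only to a holder of an attested-session token.
        if token not in self._sessions:
            raise PermissionError("no attested session")
        return self._backend.get(path, caller=self._identity)


def _denied(fn):
    try:
        fn()
    except PermissionError:
        return True
    return False


def demo():
    """Runs the flow and reports which access paths succeed or are refused."""
    backend = SecretBackend()
    path = Operator().generate_password(backend, "default/luks/rootfs")
    good = hashlib.sha256(b"approved-workload-image").hexdigest()  # constructed
    bad = hashlib.sha256(b"tampered-workload-image").hexdigest()   # constructed
    broker = Broker(backend, reference_measurements=[good])

    nonce = broker.auth()
    token = broker.attest(nonce, {"measurement": good, "nonce": nonce})
    released = broker.get_resource(token, path)

    nonce2 = broker.auth()
    return {
        "attested_gets_secret": released == backend.get(path, caller="trustee"),
        "bad_measurement_denied": _denied(
            lambda: broker.attest(nonce2, {"measurement": bad, "nonce": nonce2})),
        "nonce_replay_denied": _denied(
            lambda: broker.attest(nonce, {"measurement": good, "nonce": nonce})),
        "direct_read_denied": _denied(lambda: backend.get(path, caller="workload")),
        "no_session_denied": _denied(lambda: broker.get_resource("forged", path)),
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the secret never becomes readable to the workload by any path other than an attested session: the backend refuses direct reads, the broker refuses unknown or replayed nonces, mismatched measurements and forged session tokens.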