From 6c7cd0383882d816abfa1af12eb450d7737e6f43 Mon Sep 17 00:00:00 2001
From: Chris Butler <chris.butler@redhat.com>
Date: Fri, 11 Oct 2024 16:41:36 +1100
Subject: [PATCH] feat: Add skeleton for Ecaas

Signed-off-by: Chris Butler <chris.butler@redhat.com>
---
 .../encrypted-clusters-aas/_index.adoc        | 66 +++++++++++++++++++
 .../ecaas-ciphertrust-manager.adoc            | 13 ++++
 .../ecaas-getting-started.adoc                | 23 +++++++
 3 files changed, 102 insertions(+)
 create mode 100644 content/patterns/encrypted-clusters-aas/_index.adoc
 create mode 100644 content/patterns/encrypted-clusters-aas/ecaas-ciphertrust-manager.adoc
 create mode 100644 content/patterns/encrypted-clusters-aas/ecaas-getting-started.adoc

diff --git a/content/patterns/encrypted-clusters-aas/_index.adoc b/content/patterns/encrypted-clusters-aas/_index.adoc
new file mode 100644
index 000000000..1fbf27cba
--- /dev/null
+++ b/content/patterns/encrypted-clusters-aas/_index.adoc
@@ -0,0 +1,66 @@
+---
+title: Encrypted clusters as a service
+date: 2024-10-03
+tier: sandbox
+summary: This pattern allows you to leverage a Thales CipherTrust appliance combined with hosted control planes to have encrypted clusters as a service.
+rh_products:
+- Red Hat OpenShift Container Platform
+- Red Hat Advanced Cluster Management
+- Red Hat OpenShift Virtualization
+- Red Hat Ansible Automation Platform
+industries:
+- General
+aliases: /encrypted-clusters-aas
+pattern_logo: coco-logo.png
+links:
+  install: coco-getting-started
+  help: https://groups.google.com/g/validatedpatterns
+  bugs: https://github.com/validatedpatterns-sandbox/encrypted-clusters-aas/issues
+---
+:toc:
+:imagesdir: /images
+:_content-type: ASSEMBLY
+include::modules/comm-attributes.adoc[]
+
+= About Encrypted clusters as a service
+
+When building a multi-tenant solution one of the most important considerations is how is isolation demonstrated between different users.
+One approach is to use virtual machines as the boundary. However, when you do not use virtual machines it's common to enforce segregation with encryption.
+Bring your own key is one such approach, where the key for a users data is stored in a separate service where the user can control key deletion.
+
+Encrypted clusters as a service is a pattern which demonstrates how to take this approach when deploying clusters with 'Hosted Control Planes'.
+Hosted control planes allows the consolidation of multiple OpenShift control planes into a smaller foot print. It does this by hosting the control planes on an underlying (aka undercloud) OpenShift Cluster.
+
+This creates a risk as an admin of the undercloud cluster has access to etcd across each of the hosted tenant clusters.
+
+This pattern leverages Thales' https://cpl.thalesgroup.com/encryption/transparent-encryption[CipherTrust transparent encryption] to provide storage that is encrypted on a per-cluster basis.
+This allows the CipherTrust to be an external key managemey
+
+
+
+== Requirements
+- The pattern has been configured to use OpenShift virtualization as the deployment method for the hosted clusters today. 
+- The pattern assumes that you have an underlying RWX storage provider for the cluster.
+- CipherTrust manager is assumed to be deployed outside of the OCP cluster.
+  - Instructions are provided for AWS.
+
+
+== Security considerations
+
+
+
+== Future work
+1. Allowing a 'bring your own CipherTrust Manager' - which is roughly equivalent to KYOK
+2. Integrating  link:../coco-pattern/[Confidential Containers] to protect data in memory 
+
+
+
+
+== Architecture
+
+Magic to be completed.
+
+
+
+
+== References
diff --git a/content/patterns/encrypted-clusters-aas/ecaas-ciphertrust-manager.adoc b/content/patterns/encrypted-clusters-aas/ecaas-ciphertrust-manager.adoc
new file mode 100644
index 000000000..994048ca2
--- /dev/null
+++ b/content/patterns/encrypted-clusters-aas/ecaas-ciphertrust-manager.adoc
@@ -0,0 +1,13 @@
+---
+title: CipherTrust manager
+weight: 10
+aliases: /encrypted-clusters-aas/ecaas-ciphertrust-manager/
+---
+:toc:
+
+:_content-type: ASSEMBLY
+include::modules/comm-attributes.adoc[]
+
+
+== Deploying
+
diff --git a/content/patterns/encrypted-clusters-aas/ecaas-getting-started.adoc b/content/patterns/encrypted-clusters-aas/ecaas-getting-started.adoc
new file mode 100644
index 000000000..d824cecfe
--- /dev/null
+++ b/content/patterns/encrypted-clusters-aas/ecaas-getting-started.adoc
@@ -0,0 +1,23 @@
+---
+title: Getting started
+weight: 10
+aliases: /encrypted-clusters-aas/ecaas-getting-started/
+---
+
+:toc:
+
+:_content-type: ASSEMBLY
+include::modules/comm-attributes.adoc[]
+
+
+== Deploying
+
+
+
+
+
+
+
+
+
+