The OpenKCM (CMK) API Server architecture relies on a plugin-based model to interact with external systems (Identity, Keystores, Notifications). For the Apeiro Platform Mesh, we must implement specific backend plugins.
Functional Requirements (FR)
FR-1: Identity Management Plugin (Apeiro IDP)
Goal: Replace generic or SAP-specific identity logic with Apeiro's standard.
- Context: The CMK API Server currently uses plugins like SCIM or OpenFGA to retrieve user groups and associations.
- FR-1.1: Implement an ApeiroIdentityPlugin that validates OIDC tokens issued by the Platform Mesh IDP (Keycloak).
- FR-1.2: The plugin must resolve "Workload Identities" (SPIFFE IDs) to support the
ServiceEncryptionKey usage patterns where pods request keys directly.
- FR-1.3: Map Apeiro Workspace Roles (e.g.,
Viewer, Admin) to CMK internal permissions, replacing the legacy SCIM group retrieval logic.
FR-2: Certificate Issuer Plugin (Apeiro PKI)
Goal: Integrate with the Platform's Certificate Authority for mTLS.
- Context: A "CertificateIssuer Plugin" is required to create x509 Client Certificates on demand for tenants connecting to external keystores.
- FR-2.1: Implement an ApeiroCertManagerPlugin that interfaces with the platform's
cert-manager (or internal CA).
- FR-2.2: The plugin must automate the signing of Client Certificates needed for the
Crypto (Manager) and Crypto (Migrate) components to authenticate against the CMK Registry.
- FR-2.3: Ensure issued certificates include the correct
TenantID in the Subject Alternative Name (SAN) to enforce strict mTLS isolation.
FR-3: Keystore Management Plugin (Apeiro HYOK/BYOK)
Goal: Enable "Bring Your Own Key" (BYOK) and "Hold Your Own Key" (HYOK) scenarios specific to Apeiro infrastructure.
- Context: The architecture defines specific plugins for
AWS KMS (Apeiro HYOK), Thales (Apeiro HYOK), and OpenBao (Apeiro BYOK).
- FR-3.1 (AWS HYOK): Implement the ApeiroAWSPlugin. Unlike the SAP BYOK plugin, this must use IRSA (IAM Roles for Service Accounts) for authentication within Apeiro's AWS footprint, removing reliance on static credentials.
- FR-3.2 (OpenBao BYOK): Implement the ApeiroOpenBaoPlugin. This allows tenants to use the platform-provided OpenBao (HashiCorp Vault) as their L1 Root of Trust without managing their own infrastructure.
- FR-3.3: The plugin must implement the logic to validate the
Account CRD, verifying that the referenced L1 Key exists and is reachable before the Account status is set to Ready.
FR-4: System Information Service (SIS) Plugin
Goal: Adapt metadata resolution to the Apeiro resource hierarchy.
- Context: The SIS Plugin currently expects SAP-specific data like
System (ULI Tenant) and Subaccount.
- FR-4.1: Implement an ApeiroResourceGraphPlugin. Instead of querying SAP systems, this plugin connects to the Apeiro KCP/Mesh API.
- FR-4.2: Validate
Tenant CR creation. The plugin must verify that the requested region and audiences in the CR spec are valid within the current Platform Mesh configuration.
- FR-4.3: Enforce Hierarchy Rules. As defined in the
ServiceEncryptionKey description, the plugin must verify that a key request references an Account within the same Tenant hierarchy (Root, Nested, or Shadow), rejecting cross-tenant references.
FR-5: Notification Plugin (Apeiro Alerts)
Goal: Route alerts to the platform's observability stack.
- Context: CMK is required to send notifications for lifecycle events; currently, SAP ANS is used.
- FR-5.1: Implement an ApeiroAlertPlugin that pushes critical events (e.g., "L1 Key Unreachable", "Rotation Failure") to the Platform Mesh Prometheus AlertManager.
- FR-5.2: Support the
WebHookNotification CRD. The plugin must dynamically load webhook URLs defined by the tenant in this CRD and dispatch events to them (e.g., notifying a tenant's Slack channel when a key is rotated).
Definition of Done
- All 5 plugins are implemented in Go and pass the CMK
PluginInterface contract tests.
- The
SIS Plugin successfully queries the KCP API to validate a mock Tenant CR.
- The
Keystore Plugin successfully encrypts/decrypts a test payload using an AWS KMS key via IRSA.
- A valid
config.yaml profile named apeiro-profile is created to load this specific set of plugins at runtime.
The OpenKCM (CMK) API Server architecture relies on a plugin-based model to interact with external systems (Identity, Keystores, Notifications). For the Apeiro Platform Mesh, we must implement specific backend plugins.
Functional Requirements (FR)
FR-1: Identity Management Plugin (Apeiro IDP)
Goal: Replace generic or SAP-specific identity logic with Apeiro's standard.
ServiceEncryptionKeyusage patterns where pods request keys directly.Viewer,Admin) to CMK internal permissions, replacing the legacy SCIM group retrieval logic.FR-2: Certificate Issuer Plugin (Apeiro PKI)
Goal: Integrate with the Platform's Certificate Authority for mTLS.
cert-manager(or internal CA).Crypto (Manager)andCrypto (Migrate)components to authenticate against the CMK Registry.TenantIDin the Subject Alternative Name (SAN) to enforce strict mTLS isolation.FR-3: Keystore Management Plugin (Apeiro HYOK/BYOK)
Goal: Enable "Bring Your Own Key" (BYOK) and "Hold Your Own Key" (HYOK) scenarios specific to Apeiro infrastructure.
AWS KMS (Apeiro HYOK),Thales (Apeiro HYOK), andOpenBao (Apeiro BYOK).AccountCRD, verifying that the referenced L1 Key exists and is reachable before the Account status is set toReady.FR-4: System Information Service (SIS) Plugin
Goal: Adapt metadata resolution to the Apeiro resource hierarchy.
System (ULI Tenant)andSubaccount.TenantCR creation. The plugin must verify that the requestedregionandaudiencesin the CR spec are valid within the current Platform Mesh configuration.ServiceEncryptionKeydescription, the plugin must verify that a key request references anAccountwithin the same Tenant hierarchy (Root, Nested, or Shadow), rejecting cross-tenant references.FR-5: Notification Plugin (Apeiro Alerts)
Goal: Route alerts to the platform's observability stack.
WebHookNotificationCRD. The plugin must dynamically load webhook URLs defined by the tenant in this CRD and dispatch events to them (e.g., notifying a tenant's Slack channel when a key is rotated).Definition of Done
PluginInterfacecontract tests.SIS Pluginsuccessfully queries the KCP API to validate a mockTenantCR.Keystore Pluginsuccessfully encrypts/decrypts a test payload using an AWS KMS key via IRSA.config.yamlprofile namedapeiro-profileis created to load this specific set of plugins at runtime.