Back to bug 1979244
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Humble Chirammal | 2021-07-06 10:18:10 UTC | Status | NEW | ASSIGNED |
| CC | ndevos | |||
| Flags | needinfo?(ndevos) | |||
| Raz Tamir | 2021-07-07 08:27:10 UTC | CC | ratamir | |
| Mudit Agarwal | 2021-07-07 08:29:42 UTC | CC | muagarwa | |
| Assignee | hchiramm | ndevos | ||
| Doc Type | If docs needed, set a value | Known Issue | ||
| Flags | needinfo?(ndevos) | |||
| Mudit Agarwal | 2021-07-07 08:29:58 UTC | Blocks | 1966894 | |
| Niels de Vos | 2021-07-07 11:05:34 UTC | Flags | needinfo?(ndevos) needinfo?(ndevos) | needinfo?(rgeorge) |
| Rachael | 2021-07-09 04:28:27 UTC | Flags | needinfo?(rgeorge) | |
| Mudit Agarwal | 2021-07-28 05:34:41 UTC | Flags | needinfo?(ndevos) | |
| Niels de Vos | 2021-07-28 10:11:05 UTC | Flags | needinfo?(ndevos) | needinfo?(rgeorge) |
| Niels de Vos | 2021-07-28 10:18:41 UTC | Doc Text | Cause: Hashicorp Vault added a feature for the key-value store v2 where deletion of the stored keys make it possible to recover the contents in case the metadata of the deleted key is not removed in a separate step. Consequence: When using key-value v2 storage for secrets in Hashicorp Vault, deletion of volumes will not remove the metadata of the encryption passphrase from the KMS. It will be possible to restore the encryption passphrase at a later time. These partially deleted keys are not automatically cleaned up by the KMS. Workaround (if any): It is possible to manually delete the metadata of the removed keys. Any key that has the `deletion_time` set in the metadata can be assumed to have been deleted when key-value storage v1 was used, but kept available with v2. Result: |
| Olive Lakra | 2021-07-28 14:21:22 UTC | CC | olakra | |
| Doc Text | Cause: Hashicorp Vault added a feature for the key-value store v2 where deletion of the stored keys make it possible to recover the contents in case the metadata of the deleted key is not removed in a separate step. Consequence: When using key-value v2 storage for secrets in Hashicorp Vault, deletion of volumes will not remove the metadata of the encryption passphrase from the KMS. It will be possible to restore the encryption passphrase at a later time. These partially deleted keys are not automatically cleaned up by the KMS. Workaround (if any): It is possible to manually delete the metadata of the removed keys. Any key that has the `deletion_time` set in the metadata can be assumed to have been deleted when key-value storage v1 was used, but kept available with v2. Result: | .Keys are still listed in Vault after deleting encrypted PVCs while using the `kv-v2` secret engine Hashicorp Vault added a feature for the key-value store v2 where deletion of the stored keys makes it possible to recover the contents in case the metadata of the deleted key is not removed in a separate step. When using key-value v2 storage for secrets in Hashicorp Vault, deletion of volumes will not remove the metadata of the encryption passphrase from the KMS. Though it is possible to restore the encryption passphrase at a later time. These partially deleted keys are not automatically cleaned up by the KMS. You can resolve this issue by manually deleting the metadata of the removed keys. Any key that has the `deletion_time` set in the metadata can be assumed to have been deleted when key-value storage v1 was used but kept available with v2. | ||
| Flags | needinfo?(ndevos) | |||
| Rachael | 2021-07-29 05:03:59 UTC | CC | etamir | |
| Flags | needinfo?(rgeorge) | needinfo?(etamir) | ||
| Niels de Vos | 2021-08-02 07:36:48 UTC | Flags | needinfo?(ndevos) | |
| Niels de Vos | 2021-08-02 10:21:01 UTC | Flags | needinfo?(rgeorge) | |
| Link ID | Github ceph/ceph-csi/pull/2343 | |||
| Elad | 2021-08-02 10:29:29 UTC | Flags | needinfo?(rgeorge) | needinfo?(etamir) |
| Eran Tamir | 2021-08-02 11:53:13 UTC | Flags | needinfo?(etamir) needinfo?(etamir) | needinfo?(rgeorge) needinfo?(ndevos) |
| Niels de Vos | 2021-08-16 13:52:48 UTC | Flags | needinfo?(ndevos) | |
| Rachael | 2021-08-17 04:09:38 UTC | Flags | needinfo?(rgeorge) | needinfo?(ndevos) |
| Niels de Vos | 2021-08-24 11:40:37 UTC | Flags | needinfo?(ndevos) | |
| Mudit Agarwal | 2021-09-21 11:39:24 UTC | Doc Type | Known Issue | Bug Fix |
| Status | ASSIGNED | ON_QA | ||
| krishnaram Karthick | 2021-09-24 16:10:26 UTC | CC | kramdoss | |
| RHEL Program Management | 2021-09-24 16:10:32 UTC | Target Release | --- | OCS 4.9.0 |
| Rejy M Cyriac | 2021-09-26 20:45:37 UTC | Target Release | OCS 4.9.0 | --- |
| Rejy M Cyriac | 2021-09-26 20:47:29 UTC | Component | csi-driver | csi-driver |
| Product | Red Hat OpenShift Container Storage | Red Hat OpenShift Data Foundation | ||
| RHEL Program Management | 2021-09-26 20:49:04 UTC | Target Release | --- | ODF 4.9.0 |
| Rachael | 2021-09-29 11:48:55 UTC | QA Contact | ebenahar | rgeorge |
| Flags | needinfo?(ndevos) | |||
| Neha Berry | 2021-10-14 07:32:23 UTC | Flags | needinfo?(ndevos) needinfo?(muagarwa) | |
| CC | nberry | |||
| Niels de Vos | 2021-10-14 08:18:37 UTC | Flags | needinfo?(ndevos) needinfo?(ndevos) | needinfo?(rgeorge) |
| Rachael | 2021-10-14 15:09:50 UTC | Flags | needinfo?(rgeorge) | |
| Mudit Agarwal | 2021-10-18 05:53:13 UTC | Flags | needinfo?(muagarwa) | |
| Rachael | 2021-10-27 08:07:03 UTC | Flags | needinfo?(ndevos) | |
| Niels de Vos | 2021-10-27 09:35:05 UTC | Flags | needinfo?(ndevos) | |
| Niels de Vos | 2021-10-28 08:26:16 UTC | Flags | needinfo?(rgeorge) | |
| Rachael | 2021-10-28 09:00:34 UTC | Flags | needinfo?(rgeorge) | |
| Niels de Vos | 2021-10-28 11:22:53 UTC | Status | ON_QA | POST |
| Link ID | Github ceph/ceph-csi/pull/2602 | |||
| OpenShift BugZilla Robot | 2021-10-28 15:41:11 UTC | Link ID | Github red-hat-storage/ceph-csi/pull/42 | |
| OpenShift BugZilla Robot | 2021-10-28 16:41:30 UTC | Status | POST | MODIFIED |
| Mudit Agarwal | 2021-11-03 04:17:24 UTC | Flags | needinfo?(ndevos) | |
| Mudit Agarwal | 2021-11-03 04:17:34 UTC | Blocks | 2011326 | |
| errata-xmlrpc | 2021-11-04 17:46:05 UTC | Status | MODIFIED | ON_QA |
| Olive Lakra | 2021-11-09 04:36:37 UTC | CC | olakra | |
| Rachael | 2021-11-09 07:32:47 UTC | Status | ON_QA | VERIFIED |
| Niels de Vos | 2021-11-17 07:38:21 UTC | Doc Text | .Keys are still listed in Vault after deleting encrypted PVCs while using the `kv-v2` secret engine Hashicorp Vault added a feature for the key-value store v2 where deletion of the stored keys makes it possible to recover the contents in case the metadata of the deleted key is not removed in a separate step. When using key-value v2 storage for secrets in Hashicorp Vault, deletion of volumes will not remove the metadata of the encryption passphrase from the KMS. Though it is possible to restore the encryption passphrase at a later time. These partially deleted keys are not automatically cleaned up by the KMS. You can resolve this issue by manually deleting the metadata of the removed keys. Any key that has the `deletion_time` set in the metadata can be assumed to have been deleted when key-value storage v1 was used but kept available with v2. | .Keys are now completely destroyed in Vault after deleting encrypted PVCs while using the `kv-v2` secret engine Hashicorp Vault added a feature for the key-value store v2 where deletion of the stored keys makes it possible to recover the contents in case the metadata of the deleted key is not removed in a separate step. When using key-value v2 storage for secrets in Hashicorp Vault, deletion of volumes did not remove the metadata of the encryption passphrase from the KMS. With this update, the keys in HashiCorp Vault will completely be destroyed by default when a PVC is deleted. A new configuration option `VAULT_DESTROY_KEYS` has been introduced that can be set to `false` to enable the previous behaviour. In that case, the metadata of the keys will be kept in HashiCorp Vault so that recovery of the encryption passphrase of the removed PVC is possible. |
| Flags | needinfo?(ndevos) | needinfo?(olakra) | ||
| CC | olakra | |||
| Kusuma | 2021-11-30 02:27:50 UTC | Flags | needinfo?(ndevos) | |
| CC | kbg | |||
| Doc Text | .Keys are now completely destroyed in Vault after deleting encrypted PVCs while using the `kv-v2` secret engine Hashicorp Vault added a feature for the key-value store v2 where deletion of the stored keys makes it possible to recover the contents in case the metadata of the deleted key is not removed in a separate step. When using key-value v2 storage for secrets in Hashicorp Vault, deletion of volumes did not remove the metadata of the encryption passphrase from the KMS. With this update, the keys in HashiCorp Vault will completely be destroyed by default when a PVC is deleted. A new configuration option `VAULT_DESTROY_KEYS` has been introduced that can be set to `false` to enable the previous behaviour. In that case, the metadata of the keys will be kept in HashiCorp Vault so that recovery of the encryption passphrase of the removed PVC is possible. | .Keys are completely destroyed in Vault after deleting encrypted persistent volume claims (PVCs) while using the `kv-v2` secret engine Hashicorp Vault added a feature for the key-value store v2 where deletion of the stored keys makes it possible to recover the contents in case the metadata of the deleted key is not removed in a separate step. When using key-value v2 storage for secrets in Hashicorp Vault, deletion of volumes did not remove the metadata of the encryption passphrase from the KMS. With this update, the keys in HashiCorp Vault is completely destroyed by default when a PVC is deleted. You can set the new configuration option `VAULT_DESTROY_KEYS` to `false` to enable the previous behavior. In that case, the metadata of the keys will be kept in HashiCorp Vault so that recovery of the encryption passphrase of the removed PVC is possible. |
| Erin Donnelly | 2021-12-09 19:46:16 UTC | CC | edonnell | |
| Doc Text | .Keys are completely destroyed in Vault after deleting encrypted persistent volume claims (PVCs) while using the `kv-v2` secret engine Hashicorp Vault added a feature for the key-value store v2 where deletion of the stored keys makes it possible to recover the contents in case the metadata of the deleted key is not removed in a separate step. When using key-value v2 storage for secrets in Hashicorp Vault, deletion of volumes did not remove the metadata of the encryption passphrase from the KMS. With this update, the keys in HashiCorp Vault is completely destroyed by default when a PVC is deleted. You can set the new configuration option `VAULT_DESTROY_KEYS` to `false` to enable the previous behavior. In that case, the metadata of the keys will be kept in HashiCorp Vault so that recovery of the encryption passphrase of the removed PVC is possible. | .Keys are completely destroyed in Vault after deleting encrypted persistent volume claims (PVCs) while using the `kv-v2` secret engine HashiCorp Vault added a feature for the key-value store v2 where deletion of the stored keys makes it possible to recover the contents in case the metadata of the deleted key is not removed in a separate step. When using key-value v2 storage for secrets in HashiCorp Vault, deletion of volumes did not remove the metadata of the encryption passphrase from the KMS. With this update, the keys in HashiCorp Vault is completely destroyed by default when a PVC is deleted. You can set the new configuration option `VAULT_DESTROY_KEYS` to `false` to enable the previous behavior. In that case, the metadata of the keys will be kept in HashiCorp Vault so that recovery of the encryption passphrase of the removed PVC is possible. |
| errata-xmlrpc | 2021-12-13 15:16:29 UTC | Status | VERIFIED | RELEASE_PENDING |
| errata-xmlrpc | 2021-12-13 17:44:31 UTC | Resolution | --- | ERRATA |
| Status | RELEASE_PENDING | CLOSED | ||
| Last Closed | 2021-12-13 17:44:31 UTC | |||
| errata-xmlrpc | 2021-12-13 17:44:50 UTC | Link ID | Red Hat Product Errata RHSA-2021:5086 | |
| Olive Lakra | 2022-08-17 05:20:59 UTC | CC | olakra | |
| Flags | needinfo?(olakra) | |||
| Niels de Vos | 2022-09-28 15:45:42 UTC | Flags | needinfo?(ndevos) | |
| Elad | 2023-08-09 16:37:41 UTC | CC | odf-bz-bot |