Back to bug 1979244

Who When What Removed Added
Humble Chirammal 2021-07-06 10:18:10 UTC Status NEW ASSIGNED
CC ndevos
Flags needinfo?(ndevos)
Raz Tamir 2021-07-07 08:27:10 UTC CC ratamir
Mudit Agarwal 2021-07-07 08:29:42 UTC CC muagarwa
Assignee hchiramm ndevos
Doc Type If docs needed, set a value Known Issue
Flags needinfo?(ndevos)
Mudit Agarwal 2021-07-07 08:29:58 UTC Blocks 1966894
Niels de Vos 2021-07-07 11:05:34 UTC Flags needinfo?(ndevos) needinfo?(ndevos) needinfo?(rgeorge)
Rachael 2021-07-09 04:28:27 UTC Flags needinfo?(rgeorge)
Mudit Agarwal 2021-07-28 05:34:41 UTC Flags needinfo?(ndevos)
Niels de Vos 2021-07-28 10:11:05 UTC Flags needinfo?(ndevos) needinfo?(rgeorge)
Niels de Vos 2021-07-28 10:18:41 UTC Doc Text
Added:
Cause: Hashicorp Vault added a feature for the key-value store v2 where deletion of the stored keys makes it possible to recover the contents in case the metadata of the deleted key is not removed in a separate step.

Consequence: When using key-value v2 storage for secrets in Hashicorp Vault, deletion of volumes will not remove the metadata of the encryption passphrase from the KMS. It will be possible to restore the encryption passphrase at a later time. These partially deleted keys are not automatically cleaned up by the KMS.

Workaround (if any): It is possible to manually delete the metadata of the removed keys. Any key that has the `deletion_time` set in the metadata can be assumed to have been deleted when key-value storage v1 was used, but kept available with v2.

Result:
Olive Lakra 2021-07-28 14:21:22 UTC CC olakra
Doc Text
Removed: (the text added by Niels de Vos at 2021-07-28 10:18:41 UTC, unchanged)
Added:
.Keys are still listed in Vault after deleting encrypted PVCs while using the `kv-v2` secret engine
Hashicorp Vault added a feature for the key-value store v2 where deletion of the stored keys makes it possible to recover the contents in case the metadata of the deleted key is not removed in a separate step. When using key-value v2 storage for secrets in Hashicorp Vault, deletion of volumes will not remove the metadata of the encryption passphrase from the KMS. It is, however, possible to restore the encryption passphrase at a later time. These partially deleted keys are not automatically cleaned up by the KMS.

You can resolve this issue by manually deleting the metadata of the removed keys. Any key that has the `deletion_time` set in the metadata can be assumed to have been deleted when key-value storage v1 was used but kept available with v2.
Flags needinfo?(ndevos)
Rachael 2021-07-29 05:03:59 UTC CC etamir
Flags needinfo?(rgeorge) needinfo?(etamir)
Niels de Vos 2021-08-02 07:36:48 UTC Flags needinfo?(ndevos)
Niels de Vos 2021-08-02 10:21:01 UTC Flags needinfo?(rgeorge)
Link ID Github ceph/ceph-csi/pull/2343
Elad 2021-08-02 10:29:29 UTC Flags needinfo?(rgeorge) needinfo?(etamir)
Eran Tamir 2021-08-02 11:53:13 UTC Flags needinfo?(etamir) needinfo?(etamir) needinfo?(rgeorge) needinfo?(ndevos)
Niels de Vos 2021-08-16 13:52:48 UTC Flags needinfo?(ndevos)
Rachael 2021-08-17 04:09:38 UTC Flags needinfo?(rgeorge) needinfo?(ndevos)
Niels de Vos 2021-08-24 11:40:37 UTC Flags needinfo?(ndevos)
Mudit Agarwal 2021-09-21 11:39:24 UTC Doc Type Known Issue Bug Fix
Status ASSIGNED ON_QA
krishnaram Karthick 2021-09-24 16:10:26 UTC CC kramdoss
RHEL Program Management 2021-09-24 16:10:32 UTC Target Release --- OCS 4.9.0
Rejy M Cyriac 2021-09-26 20:45:37 UTC Target Release OCS 4.9.0 ---
Rejy M Cyriac 2021-09-26 20:47:29 UTC Component csi-driver csi-driver
Product Red Hat OpenShift Container Storage Red Hat OpenShift Data Foundation
RHEL Program Management 2021-09-26 20:49:04 UTC Target Release --- ODF 4.9.0
Rachael 2021-09-29 11:48:55 UTC QA Contact ebenahar rgeorge
Flags needinfo?(ndevos)
Neha Berry 2021-10-14 07:32:23 UTC Flags needinfo?(ndevos) needinfo?(muagarwa)
CC nberry
Niels de Vos 2021-10-14 08:18:37 UTC Flags needinfo?(ndevos) needinfo?(ndevos) needinfo?(rgeorge)
Rachael 2021-10-14 15:09:50 UTC Flags needinfo?(rgeorge)
Mudit Agarwal 2021-10-18 05:53:13 UTC Flags needinfo?(muagarwa)
Rachael 2021-10-27 08:07:03 UTC Flags needinfo?(ndevos)
Niels de Vos 2021-10-27 09:35:05 UTC Flags needinfo?(ndevos)
Niels de Vos 2021-10-28 08:26:16 UTC Flags needinfo?(rgeorge)
Rachael 2021-10-28 09:00:34 UTC Flags needinfo?(rgeorge)
Niels de Vos 2021-10-28 11:22:53 UTC Status ON_QA POST
Link ID Github ceph/ceph-csi/pull/2602
OpenShift BugZilla Robot 2021-10-28 15:41:11 UTC Link ID Github red-hat-storage/ceph-csi/pull/42
OpenShift BugZilla Robot 2021-10-28 16:41:30 UTC Status POST MODIFIED
Mudit Agarwal 2021-11-03 04:17:24 UTC Flags needinfo?(ndevos)
Mudit Agarwal 2021-11-03 04:17:34 UTC Blocks 2011326
errata-xmlrpc 2021-11-04 17:46:05 UTC Status MODIFIED ON_QA
Olive Lakra 2021-11-09 04:36:37 UTC CC olakra
Rachael 2021-11-09 07:32:47 UTC Status ON_QA VERIFIED
Niels de Vos 2021-11-17 07:38:21 UTC Doc Text
Removed: (the text added by Olive Lakra at 2021-07-28 14:21:22 UTC, unchanged)
Added:
.Keys are now completely destroyed in Vault after deleting encrypted PVCs while using the `kv-v2` secret engine
Hashicorp Vault added a feature for the key-value store v2 where deletion of the stored keys makes it possible to recover the contents in case the metadata of the deleted key is not removed in a separate step. When using key-value v2 storage for secrets in Hashicorp Vault, deletion of volumes did not remove the metadata of the encryption passphrase from the KMS.

With this update, the keys in HashiCorp Vault will be completely destroyed by default when a PVC is deleted. A new configuration option `VAULT_DESTROY_KEYS` has been introduced that can be set to `false` to enable the previous behaviour. In that case, the metadata of the keys will be kept in HashiCorp Vault so that recovery of the encryption passphrase of the removed PVC is possible.
Flags needinfo?(ndevos) needinfo?(olakra)
CC olakra
Kusuma 2021-11-30 02:27:50 UTC Flags needinfo?(ndevos)
CC kbg
Doc Text
Removed: (the text added by Niels de Vos at 2021-11-17 07:38:21 UTC, unchanged)
Added:
.Keys are completely destroyed in Vault after deleting encrypted persistent volume claims (PVCs) while using the `kv-v2` secret engine

Hashicorp Vault added a feature for the key-value store v2 where deletion of the stored keys makes it possible to recover the contents in case the metadata of the deleted key is not removed in a separate step. When using key-value v2 storage for secrets in Hashicorp Vault, deletion of volumes did not remove the metadata of the encryption passphrase from the KMS.

With this update, the keys in HashiCorp Vault are completely destroyed by default when a PVC is deleted. You can set the new configuration option `VAULT_DESTROY_KEYS` to `false` to enable the previous behavior. In that case, the metadata of the keys will be kept in HashiCorp Vault so that recovery of the encryption passphrase of the removed PVC is possible.
Erin Donnelly 2021-12-09 19:46:16 UTC CC edonnell
Doc Text
Removed: (the text added by Kusuma at 2021-11-30 02:27:50 UTC, unchanged)
Added:
.Keys are completely destroyed in Vault after deleting encrypted persistent volume claims (PVCs) while using the `kv-v2` secret engine

HashiCorp Vault added a feature for the key-value store v2 where deletion of the stored keys makes it possible to recover the contents in case the metadata of the deleted key is not removed in a separate step. When using key-value v2 storage for secrets in HashiCorp Vault, deletion of volumes did not remove the metadata of the encryption passphrase from the KMS.

With this update, the keys in HashiCorp Vault are completely destroyed by default when a PVC is deleted. You can set the new configuration option `VAULT_DESTROY_KEYS` to `false` to enable the previous behavior. In that case, the metadata of the keys will be kept in HashiCorp Vault so that recovery of the encryption passphrase of the removed PVC is possible.
errata-xmlrpc 2021-12-13 15:16:29 UTC Status VERIFIED RELEASE_PENDING
errata-xmlrpc 2021-12-13 17:44:31 UTC Resolution --- ERRATA
Status RELEASE_PENDING CLOSED
Last Closed 2021-12-13 17:44:31 UTC
errata-xmlrpc 2021-12-13 17:44:50 UTC Link ID Red Hat Product Errata RHSA-2021:5086
Olive Lakra 2022-08-17 05:20:59 UTC CC olakra
Flags needinfo?(olakra)
Niels de Vos 2022-09-28 15:45:42 UTC Flags needinfo?(ndevos)
Elad 2023-08-09 16:37:41 UTC CC odf-bz-bot
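The workaround (delete the metadata of keys whose `deletion_time` is set) and the fix (`VAULT_DESTROY_KEYS`) both hinge on how the kv-v2 secret engine treats deletion: `vault kv delete` only marks a version with `deletion_time` and `vault kv undelete` brings it back, `vault kv destroy` wipes the version data but keeps the version record, and only `vault kv metadata delete` removes the entry and all of its versions. As an added example that is not part of this bug, of ceph-csi or of Vault, the Python below classifies each version of a kv-v2 entry from the metadata document that `vault kv metadata get -format=json` returns, flags entries that are no longer in use but still listed (recoverable when any version is merely soft-deleted, unrecoverable when every version is destroyed), and prints the `vault kv metadata delete` commands that remove them for good. The mount name `ceph-csi-kv`, the `volumes/...` paths and the metadata documents are constructed for the example; ceph-csi's real key naming is not shown on this page. Two caveats: kv-v1 has no version metadata at all, so the `deletion_time` check only applies to kv-v2 mounts, and `vault kv metadata delete` is irreversible and needs the `delete` capability on `<mount>/metadata/<path>`, so confirm the volume really is gone before running the printed commands.

```python
"""Find kv-v2 entries that are deleted but still listed, and print the
commands that remove them completely.

Constructed example: the metadata documents below mimic the JSON shape of
`vault kv metadata get -format=json <mount>/<path>`.  The mount name and the
secret paths are hypothetical, not ceph-csi's real naming scheme.
"""
import json
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VersionState:
    version: int
    state: str  # "active", "soft-deleted" (recoverable with undelete) or "destroyed"


def parse_metadata(text: str) -> dict:
    """Parse the JSON printed by `vault kv metadata get -format=json`."""
    return json.loads(text)


def classify_versions(metadata: dict) -> List[VersionState]:
    """Classify every version of one kv-v2 entry.

    kv-v2 semantics: `vault kv delete` sets deletion_time (data recoverable with
    `vault kv undelete`), `vault kv destroy` sets destroyed=true (data gone, the
    version record stays), and only `vault kv metadata delete` removes the entry.
    """
    versions = metadata["data"]["versions"]
    result = []
    for num, info in sorted(versions.items(), key=lambda kv: int(kv[0])):
        if info.get("destroyed"):
            state = "destroyed"
        elif info.get("deletion_time"):
            state = "soft-deleted"
        else:
            state = "active"
        result.append(VersionState(int(num), state))
    return result


def leftover_status(metadata: dict) -> Optional[str]:
    """None while any version is active.  Otherwise "recoverable" when some
    version is only soft-deleted (the situation this bug describes: the
    passphrase can still be restored) or "unrecoverable" when every version
    has been destroyed but the entry is still listed."""
    states = {v.state for v in classify_versions(metadata)}
    if "active" in states:
        return None
    return "recoverable" if "soft-deleted" in states else "unrecoverable"


def cleanup_commands(mount: str, entries: Dict[str, dict]) -> List[str]:
    """Return one `vault kv metadata delete` command per leftover entry.
    Irreversible; needs the `delete` capability on <mount>/metadata/<path>."""
    cmds = []
    for path, md in sorted(entries.items()):
        if leftover_status(md) is not None:
            cmds.append(f"vault kv metadata delete {shlex.quote(mount + '/' + path)}")
    return cmds


def _doc(versions: dict) -> dict:
    """Build a minimal metadata document in Vault's shape (constructed)."""
    text = json.dumps({"data": {"current_version": max(int(v) for v in versions),
                                "versions": versions}})
    return parse_metadata(text)


# Constructed sample under a hypothetical mount.
SAMPLE_MOUNT = "ceph-csi-kv"
SAMPLE_ENTRIES = {
    # still in use: nothing to do
    "volumes/pvc-in-use": _doc({
        "1": {"created_time": "2021-07-01T10:00:00Z", "deletion_time": "", "destroyed": False}}),
    # v1 soft-deleted, v2 active (e.g. after an undelete and rewrite): still in use
    "volumes/pvc-rewritten": _doc({
        "1": {"created_time": "2021-07-01T10:00:00Z", "deletion_time": "2021-07-02T08:00:00Z", "destroyed": False},
        "2": {"created_time": "2021-07-02T08:05:00Z", "deletion_time": "", "destroyed": False}}),
    # soft-deleted only: the leftover this bug is about, passphrase recoverable
    "volumes/pvc-deleted-kv2": _doc({
        "1": {"created_time": "2021-07-01T10:00:00Z", "deletion_time": "2021-07-06T09:00:00Z", "destroyed": False}}),
    # destroyed: data gone, but the key is still listed until its metadata is deleted
    "volumes/pvc-destroyed": _doc({
        "1": {"created_time": "2021-07-01T10:00:00Z", "deletion_time": "2021-07-06T09:00:00Z", "destroyed": True}}),
}

if __name__ == "__main__":
    for path, md in SAMPLE_ENTRIES.items():
        print(path, [(v.version, v.state) for v in classify_versions(md)], leftover_status(md))
    print("\n".join(cleanup_commands(SAMPLE_MOUNT, SAMPLE_ENTRIES)))
```

In a real cleanup, feed the function the output of `vault kv metadata get -format=json <mount>/<path>` for each path from `vault kv list <mount>/<prefix>`, review the printed commands against the volumes that still exist, and only then run them; once the metadata is gone, neither `vault kv undelete` nor the KMS can bring the passphrase back.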
