Bug 1502767

Summary: Encryption of secrets in datastore is not occurring
Product: OpenShift Container Platform
Reporter: Steven Walter <stwalter>
Component: apiserver-auth
Assignee: Slava Semushin <vsemushi>
Status: CLOSED ERRATA
QA Contact: Chuan Yu <chuyu>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 3.6.1
CC: aos-bugs, haowang, jialiu, jokerman, mmccomas, vsemushi
Target Milestone: ---
Target Release: 3.7.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text: undefined
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-11-28 22:17:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Steven Walter 2017-10-16 16:03:40 UTC
Description of problem:
Following the guide here: https://docs.openshift.com/container-platform/3.6/admin_guide/encrypting_data.html

Customer was attempting to have all secrets in the cluster become encrypted. Steps followed below.

0. Generate encryption key
[root@br1endvosm01 ~]# head -c 32 /dev/urandom | base64
1. Update kubernetesMasterConfig in master-config.yaml on all masters with:
kubernetesMasterConfig:
  admissionConfig:
  apiServerArguments:
# BEGIN Encrypt secrets
    experimental-encryption-provider-config:
    - /usr/local/src/encryption_config.yml
# END Encrypt secrets

2. Add /usr/local/src/encryption_config.yml on all masters
[root@br1endvosm01 ~]# ls -al /usr/local/src/encryption_config.yml
-rw-------. 1 root root 225 Oct  4 10:44 /usr/local/src/encryption_config.yml
[root@br1endvosm01 ~]# cat /usr/local/src/encryption_config.yml 
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
    - secrets
    providers:
    - aescbc:
        keys:
        - name: key1
          secret: "<REDACTED>"
    - identity: {}
3. Restart api service on all masters:
systemctl restart atomic-openshift-master-api

4. Create new secret
[root@br1endvosm01 ~]# oc create secret generic secret1 -n default --from-literal=mykey=mydata
secret "secret1" created

5. Attempt to confirm secret is encrypted, but it isn't
[root@br1endvosm01 ~]# etcdctl --cert-file='/etc/origin/master/master.etcd-client.crt' --key-file='/etc/origin/master/master.etcd-client.key' --endpoints='https://10.24.249.21:2379' --ca-file='/etc/origin/master/master.etcd-ca.crt' get /kubernetes.io/secrets/default/secret1 
2017-10-04 11:06:28.581200 I | warning: ignoring ServerName for user-provided CA for backwards compatibility is deprecated
{"kind":"Secret","apiVersion":"v1","metadata":{"name":"secret1","namespace":"default","uid":"b299b1d4-a91d-11e7-bbf7-005056ab6e19","creationTimestamp":"2017-10-04T16:04:27Z"},"data":{"mykey":"bXlkYXRh"},"type":"Opaque"}

The service is running as root, who owns the encryption_config.yml file.

Version-Release number of selected component (if applicable):
oc v3.6.173.0.21
kubernetes v1.6.1+5115d708d7
openshift v3.6.173.0.21
kubernetes v1.6.1+5115d708d7


How reproducible:
Unconfirmed

Comment 1 Slava Semushin 2017-10-24 15:27:19 UTC
Which version of etcd are you using? Is it v3?

Comment 2 Slava Semushin 2017-10-24 15:46:02 UTC
Based on the command that you are using for getting data from etcd (etcdctl --cert-file), I conclude that you are using etcd2.

Data encryption is only supported on etcd3.

I will create a pull request to mention this limitation in the documentation.
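The verification step in the description reads the key through the etcd2 API, which is why it shows plaintext JSON even when the etcd3 keyspace would hold ciphertext. The following is an added example, not part of this bug report or of the OpenShift project: a small sh check that reads the secret through the v3 API (ETCDCTL_API=3, with the --cert/--key/--cacert flags of etcdctl v3) and classifies the stored value by its prefix. Kubernetes writes aescbc-encrypted values as "k8s:enc:aescbc:v1:<keyname>:" followed by ciphertext, so a correctly encrypted secret1 would report the key name "key1" from the EncryptionConfig above; the certificate paths and endpoint are taken from the reporter's command and are assumptions for any other cluster.

```shell
#!/bin/sh
# Added example: classify a raw etcd value for a Kubernetes Secret.
# Encrypted values start with "k8s:enc:<provider>:v1:<keyname>:";
# a plaintext Secret is stored as JSON beginning with {"kind":"Secret".
# Only the first bytes of the value matter, so callers should pass a
# prefix (see check_secret_encryption) and avoid reading binary ciphertext
# into a shell variable.
classify_etcd_value() {
  case "$1" in
    k8s:enc:aescbc:v1:*)
      # extract the key name between the provider prefix and the next ':'
      keyname=${1#k8s:enc:aescbc:v1:}
      keyname=${keyname%%:*}
      echo "encrypted-aescbc:$keyname" ;;
    k8s:enc:*)            echo encrypted-other ;;
    '{"kind":"Secret"'*)  echo plaintext ;;
    '')                   echo missing ;;
    *)                    echo unknown ;;
  esac
}

# Read the secret via the etcd v3 API and classify it. The cert/key/CA
# paths are the ones from the reporter's etcdctl command; endpoint is an
# assumed default. Not invoked by the self-test below (needs a cluster).
check_secret_encryption() {
  ns="$1"; name="$2"; endpoint="${3:-https://127.0.0.1:2379}"
  prefix=$(ETCDCTL_API=3 etcdctl --endpoints="$endpoint" \
    --cert=/etc/origin/master/master.etcd-client.crt \
    --key=/etc/origin/master/master.etcd-client.key \
    --cacert=/etc/origin/master/master.etcd-ca.crt \
    get "/kubernetes.io/secrets/$ns/$name" --print-value-only | head -c 40)
  classify_etcd_value "$prefix"
}
```

Run as `check_secret_encryption default secret1` on a master; anything other than `encrypted-aescbc:key1` means the provider config is not in effect for new writes (or the cluster is on etcd2, where encryption is not supported).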

Comment 3 Slava Semushin 2017-10-24 16:11:39 UTC
Documentation update: https://github.com/openshift/openshift-docs/pull/5923

Comment 4 Slava Semushin 2017-10-25 14:07:01 UTC
PR has been merged. I don't know when the new documentation will be available on the site, but I think that I can close this bug.

Comment 5 Chuan Yu 2017-10-26 01:00:17 UTC
Verified, the documentation changes make sense.

Comment 8 errata-xmlrpc 2017-11-28 22:17:21 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188