Bug 1795235

Summary: ETCD backups should keep keys and data separate
Product: OpenShift Container Platform Reporter: Suresh Kolichala <skolicha>
Component: EtcdAssignee: Suresh Kolichala <skolicha>
Status: CLOSED ERRATA QA Contact: ge liu <geliu>
Severity: urgent Docs Contact:
Priority: high    
Version: 4.3.0CC: geliu, mfojtik, sbatsche
Target Milestone: ---   
Target Release: 4.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1796440 (view as bug list) Environment:
Last Closed: 2020-05-04 11:27:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1796440    

Description Suresh Kolichala 2020-01-27 13:59:14 UTC
Description of problem:

When etcd is encrypted, the encryption key is stored as a part of static pod resources. Current backup procedure combines the etcd snapshot database and static pod resources into a single tar archive.

For enhanced security, they should not be stored together.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Take a snapshot backup using DR scripts.


Actual results:
It produces a single tar.gz archive containing keys and snapshot data.

Expected results:
For enhanced security, it is expected that encryption keys and data are kept separate.

Additional info:

Comment 6 ge liu 2020-02-03 13:01:20 UTC
Verified with 4.4.0-0.nightly-2020-02-02-201619,
$ cd assets/
$ ls
backup  bin  manifests  manifests-stopped  restore  shared  templates  tmp
$ cd backup/
$ ls
etcd  etcd-ca-bundle.crt  etcd-member.yaml  snapshot_2020-02-03_115156.db  static_kuberesources_2020-02-03_115156.tar.gz

Comment 8 errata-xmlrpc 2020-05-04 11:27:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581