Bug 1942519

Summary: MCG should not use KMS to store encryption keys if cluster wide encryption is not enabled using KMS
Product: [Red Hat Storage] Red Hat OpenShift Container Storage
Reporter: Rachael <rgeorge>
Component: ocs-operator
Assignee: arun kumar mohan <amohan>
Status: CLOSED ERRATA
QA Contact: Rachael <rgeorge>
Severity: high
Priority: unspecified
Version: 4.7
CC: amohan, etamir, jarrpa, madam, muagarwa, nbecker, nberry, ocs-bugs, sostapov
Target Milestone: ---
Keywords: AutomationBackLog
Target Release: OCS 4.7.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 4.7.0-324.ci
Doc Type: No Doc Update
Story Points: ---
Last Closed: 2021-05-19 09:20:51 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Attachments:
  Storagecluster creation (configure page)  [flags: none]
  Must gather logs and screenshots          [flags: none]

Description Rachael 2021-03-24 13:45:45 UTC
Created attachment 1765941 [details]
Storagecluster creation (configure page)

Description of problem (please be as detailed as possible and provide log snippets):

In OCS 4.7, when the storagecluster is deployed only with storageclass encryption enabled (cluster-wide encryption using KMS is not enabled), the noobaa root secret key used for MCG encryption is stored on the vault (KMS) server. 

Screenshot of the storagecluster creation page is attached.

$ oc describe noobaa
Name:         noobaa
Namespace:    openshift-storage
Labels:       app=noobaa
Annotations:  <none>
API Version:  noobaa.io/v1alpha1
Kind:         NooBaa
Metadata:
...

  Owner References:
    API Version:           ocs.openshift.io/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  StorageCluster
    Name:                  ocs-storagecluster
    UID:                   b5ae8e46-ac59-47f4-95ac-28354e63ed05
  Resource Version:        248769
  UID:                     affee07e-4752-4c30-832b-76df9b012dc1
Spec:
...
  Security:
    Kms:
      Connection Details:
        KMS_PROVIDER:           vault
        KMS_SERVICE_NAME:       vault
        VAULT_ADDR:             https://vault.qe.rh-ocs.com:8200
        VAULT_BACKEND_PATH:     rbd-encryption
        VAULT_CACERT:           ocs-kms-ca-secret-he41hq
        VAULT_CLIENT_CERT:      ocs-kms-client-cert-p55qnc
        VAULT_CLIENT_KEY:       ocs-kms-client-key-rd3h7k
        VAULT_NAMESPACE:        ocs/rbd
        VAULT_TLS_SERVER_NAME:  vault.qe.rh-ocs.com
      Token Secret Name:        ocs-kms-token
...


$ vault kv list -namespace=ocs/rbd rbd-encryption/NOOBAA_ROOT_SECRET_PATH/
Keys
----
rootkeyb64-affee07e-4752-4c30-832b-76df9b012dc1


Version of all relevant components (if applicable):
OCS: ocs-operator.v4.7.0-307.ci

Does this issue impact your ability to continue to work with the product (please explain in detail what the user impact is)?


Is there any workaround available to the best of your knowledge?
Not that I am aware of

Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?
2

Is this issue reproducible?
Yes

Can this issue be reproduced from the UI?
Yes

If this is a regression, please provide more details to justify this:
No

Steps to Reproduce:
1. Install the OCS operator
2. Create an OCS storagecluster with only storage class encryption enabled
3. Check for keys on the vault server

Actual results:
The encryption key for MCG is stored in the vault server

Expected results:
Since cluster-wide encryption is not enabled using KMS, MCG should use a Kubernetes secret to store the key instead of the vault server.
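The check QA performs in the steps above (is the NooBaa CR pointed at Vault, and is the MCG root key actually listed there, even though the StorageCluster has no cluster-wide KMS encryption?) can be scripted against `oc get -o json` and `vault kv list` output. The following is an added audit script written for this report, not code from ocs-operator or the attached must-gather; the StorageCluster `spec.encryption` field names are assumed from the OCS 4.7 API, and the samples are constructed from the values shown in the description.

```python
import json

# Constructed samples (not from the attached must-gather). StorageCluster
# field names under spec.encryption are ASSUMED from the OCS 4.7 API; the
# NooBaa spec.security.kms keys and UID mirror the `oc describe noobaa` above.
STORAGECLUSTER_JSON = """{"kind": "StorageCluster",
 "metadata": {"name": "ocs-storagecluster", "namespace": "openshift-storage"},
 "spec": {"encryption": {"clusterWide": false, "storageClass": true,
                         "kms": {"enable": false}}}}"""
NOOBAA_JSON = """{"kind": "NooBaa",
 "metadata": {"name": "noobaa", "namespace": "openshift-storage",
              "uid": "affee07e-4752-4c30-832b-76df9b012dc1"},
 "spec": {"security": {"kms": {
     "connectionDetails": {"KMS_PROVIDER": "vault",
                           "VAULT_BACKEND_PATH": "rbd-encryption",
                           "VAULT_NAMESPACE": "ocs/rbd"},
     "tokenSecretName": "ocs-kms-token"}}}}"""
# Constructed copy of the `vault kv list` table format shown in the report.
VAULT_KV_LIST = "Keys\n----\nrootkeyb64-affee07e-4752-4c30-832b-76df9b012dc1\n"


def cluster_wide_kms_enabled(sc: dict) -> bool:
    """True only when cluster-wide encryption AND its KMS backing are on."""
    enc = sc.get("spec", {}).get("encryption", {})
    cluster_wide = bool(enc.get("clusterWide") or enc.get("enable"))
    return cluster_wide and bool(enc.get("kms", {}).get("enable"))


def noobaa_kms_configured(nb: dict) -> bool:
    """True when the NooBaa CR carries KMS connection details (root key -> Vault)."""
    kms = nb.get("spec", {}).get("security", {}).get("kms") or {}
    return bool(kms.get("connectionDetails"))


def parse_vault_kv_list(text: str) -> list:
    """Return key names from `vault kv list` output, dropping the Keys/---- header."""
    lines = [ln.strip() for ln in text.splitlines()]
    if "----" in lines:
        lines = lines[lines.index("----") + 1:]
    return [ln for ln in lines if ln]


def audit(sc: dict, nb: dict, vault_keys: list) -> list:
    """Findings for the condition in this bug; an empty list means compliant."""
    if cluster_wide_kms_enabled(sc):
        return []  # a Vault-backed MCG root key is expected in this mode
    findings = []
    if noobaa_kms_configured(nb):
        findings.append("NooBaa spec.security.kms is set although cluster-wide "
                        "KMS encryption is off; MCG root key belongs in a Secret")
    root_key = "rootkeyb64-" + nb["metadata"]["uid"]  # naming seen in the report
    if root_key in vault_keys:
        findings.append("MCG root key %s is present in Vault" % root_key)
    return findings


def load_samples():
    return (json.loads(STORAGECLUSTER_JSON), json.loads(NOOBAA_JSON),
            parse_vault_kv_list(VAULT_KV_LIST))


if __name__ == "__main__":
    for finding in audit(*load_samples()):
        print("FINDING:", finding)
```

On the reporter's cluster both findings fire; after the fix the NooBaa CR should carry no `spec.security.kms` block and the Vault listing should be empty for this path.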

Comment 2 Rachael 2021-03-24 14:11:38 UTC
Created attachment 1765944 [details]
Must gather logs and screenshots

Comment 5 Jose A. Rivera 2021-03-24 16:48:19 UTC
I'm not too familiar with this part of the code, but offhand it does seem like a valid ocs-operator bug. Tagging Arun to take a closer look.

Arun, if it makes sense please update this BZ and give devel_ack+.

Comment 6 arun kumar mohan 2021-03-24 17:39:20 UTC
Taking the bug...

PS: Unable to give `devel_ack +`, might be a permission issue.

Comment 7 Jose A. Rivera 2021-03-24 17:44:04 UTC
Done.

Comment 8 arun kumar mohan 2021-03-25 09:13:51 UTC
Created PR: https://github.com/openshift/ocs-operator/pull/1133

Jose please take a look.

Comment 14 errata-xmlrpc 2021-05-19 09:20:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat OpenShift Container Storage 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2041