Bug 1953572

Summary: Encryption key in vault for volumesnapshot does not get deleted when the snapshot is deleted in OCS
Product: [Red Hat Storage] Red Hat OpenShift Container Storage
Reporter: Rachael <rgeorge>
Component: csi-driver
Assignee: Madhu Rajanna <mrajanna>
Status: CLOSED ERRATA
QA Contact: Rachael <rgeorge>
Severity: medium
Priority: unspecified
Version: 4.8
CC: madam, muagarwa, nberry, ndevos, ocs-bugs
Target Milestone: ---
Target Release: OCS 4.8.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 4.8.0-406.ci
Doc Type: No Doc Update
Story Points: ---
Last Closed: 2021-08-03 18:15:57 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Rachael 2021-04-26 12:14:46 UTC
Description of problem (please be as detailed as possible and provide log
snippets):

For an encrypted RBD PV, when a snapshot is taken an encryption key is generated in vault. When the volumesnapshot is deleted, the key in vault does not get deleted. 

$ oc describe volumesnapshotcontent snapcontent-e7ff7b45-b4c7-4d84-94e6-aaa344a0dff0 | grep "Snapshot Handle"
  Snapshot Handle:  0001-0011-openshift-storage-0000000000000001-63f8d2aa-a682-11eb-82a5-0a580a810216

Keys in vault after snapshot and restore:
=========================================
0001-0011-openshift-storage-0000000000000001-089e2dae-a682-11eb-82a5-0a580a810216
==== Data ====
Key     Value
---     -----
data    map[passphrase:AOjw9cGmXx7VyLkHPCSnOA5-zy8=]
++++++++++++++++++++++++++++++++++++++

0001-0011-openshift-storage-0000000000000001-63f8d2aa-a682-11eb-82a5-0a580a810216
==== Data ====
Key     Value
---     -----
data    map[passphrase:AOjw9cGmXx7VyLkHPCSnOA5-zy8=]
++++++++++++++++++++++++++++++++++++++

0001-0011-openshift-storage-0000000000000001-7396824e-a682-11eb-82a5-0a580a810216
==== Data ====
Key     Value
---     -----
data    map[passphrase:AOjw9cGmXx7VyLkHPCSnOA5-zy8=]


Keys in vault after deleting the volumesnapshot, parent PVC and restored PVC:
==============================================================================
0001-0011-openshift-storage-0000000000000001-63f8d2aa-a682-11eb-82a5-0a580a810216
==== Data ====
Key     Value
---     -----
data    map[passphrase:AOjw9cGmXx7VyLkHPCSnOA5-zy8=]



Version of all relevant components (if applicable):
OCS: ocs-operator.v4.8.0-361.ci
OCP: 4.8.0-0.nightly-2021-04-25-231500


Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?
No


Is there any workaround available to the best of your knowledge?
Manually deleting the key from vault

Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?
3

Is this issue reproducible?
Yes

Can this issue be reproduced from the UI?
Yes

If this is a regression, please provide more details to justify this:
No

Steps to Reproduce:
1. Create an encrypted RBD PVC
2. Create a snapshot of the encrypted PV
3. Check encryption key in vault. There should be two keys, one for the parent PV and the other for the volumesnapshot
4. Delete the volumesnapshot
5. Delete the parent PVC
6. Check encryption keys in vault

Actual results:
The encryption key for PVC is deleted, but the key for volumesnapshot is still present

Expected results:
Deletion of volumesnapshot should delete the key for the snapshot in vault
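
Added example (not part of the original report and not ceph-csi code): a read-only audit for the symptom described above, flagging Vault key names that no longer match any PV volume handle or VolumeSnapshotContent snapshot handle. It assumes Vault key names equal the CSI handles, as the snapshot key in the report does; the JSON samples are constructed from the handles in the report, and the function names are hypothetical.

```python
import json

def live_handles(pv_json, vsc_json):
    """Collect CSI handles that still exist in the cluster.

    pv_json:  output of `oc get pv -o json`
    vsc_json: output of `oc get volumesnapshotcontent -o json`
    """
    handles = set()
    for pv in json.loads(pv_json).get("items", []):
        csi = pv.get("spec", {}).get("csi") or {}
        if csi.get("volumeHandle"):
            handles.add(csi["volumeHandle"])
    for vsc in json.loads(vsc_json).get("items", []):
        # status.snapshotHandle is set for dynamically created snapshots;
        # spec.source.snapshotHandle is used for pre-provisioned ones.
        handle = (vsc.get("status") or {}).get("snapshotHandle") or \
                 (vsc.get("spec", {}).get("source") or {}).get("snapshotHandle")
        if handle:
            handles.add(handle)
    return handles

def orphaned_keys(vault_keys, pv_json, vsc_json):
    """Return Vault key names with no matching PV or VolumeSnapshotContent."""
    live = live_handles(pv_json, vsc_json)
    return sorted(k.strip() for k in vault_keys if k.strip() not in live)

# Constructed sample input, built from the handles shown in the report.
PREFIX = "0001-0011-openshift-storage-0000000000000001-"
SNAP = PREFIX + "63f8d2aa-a682-11eb-82a5-0a580a810216"
# Assumption: the other two keys in the report belong to the parent and restored PVs.
VOLS = [PREFIX + "089e2dae-a682-11eb-82a5-0a580a810216",
        PREFIX + "7396824e-a682-11eb-82a5-0a580a810216"]
PVS_BEFORE = json.dumps({"items": [{"spec": {"csi": {"volumeHandle": v}}} for v in VOLS]})
VSC_BEFORE = json.dumps({"items": [{"status": {"snapshotHandle": SNAP}}]})
EMPTY = json.dumps({"items": []})

if __name__ == "__main__":
    # After snapshot and restore: every key still has an owner.
    print("before delete:", orphaned_keys(VOLS + [SNAP], PVS_BEFORE, VSC_BEFORE))
    # After deleting the snapshot and both PVCs: the snapshot key is left behind.
    print("after delete: ", orphaned_keys([SNAP], EMPTY, EMPTY))
```

The check only reports; removing a flagged key remains the manual workaround named in the report, and should follow confirmation that no retained PV or snapshot elsewhere still uses that handle.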

Comment 3 Humble Chirammal 2021-04-28 13:38:43 UTC
Upstream PR is in the review queue: https://github.com/ceph/ceph-csi/pull/2021

Comment 4 Niels de Vos 2021-04-30 10:04:43 UTC
Backport for release-3.3 has been merged: https://github.com/ceph/ceph-csi/pull/2040

This can now be synced in the https://github.com/openshift/ceph-csi downstream fork.

Comment 10 errata-xmlrpc 2021-08-03 18:15:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenShift Container Storage 4.8.0 container images bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:3003