Bug 2017732
| Summary: | [KMS] Prevent creation of encryption enabled storageclass without KMS connection set | ||||||
|---|---|---|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Rachael <rgeorge> | ||||
| Component: | Console Storage Plugin | Assignee: | Sanjal Katiyar <skatiyar> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Rachael <rgeorge> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 4.9 | CC: | afrahman, aos-bugs, jefbrown, madam, muagarwa, nberry, nthomas, ocs-bugs | ||||
| Target Milestone: | --- | ||||||
| Target Release: | 4.10.0 | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2022-03-10 16:22:12 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Not a 4.9 blocker, moving it out. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056 |
Created attachment 1837559 [details] Storageclass creation Description of problem (please be detailed as possible and provide log snippets): When creating encryption enabled storageclass, if the user clicks on Enable encryption, there are two options: - Choose existing KMS connection - Create new KMS connection If neither of these options are set, the storageclass creation still succeeds, but without the encryptionKMSID parameter which maps to the connection details in the csi-kms-connection-details configmap. Using this storageclass to create PVCs, fails. $ oc get sc test -o yaml allowVolumeExpansion: false apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: creationTimestamp: "2021-10-27T10:49:37Z" name: test resourceVersion: "235462" uid: a625ad67-13ed-4ba8-a975-37f766fda6e3 parameters: clusterID: openshift-storage csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner csi.storage.k8s.io/controller-expand-secret-namespace: openshift-storage csi.storage.k8s.io/fstype: ext4 csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node csi.storage.k8s.io/node-stage-secret-namespace: openshift-storage csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner csi.storage.k8s.io/provisioner-secret-namespace: openshift-storage encrypted: "true" imageFeatures: layering imageFormat: "2" pool: ocs-storagecluster-cephblockpool provisioner: openshift-storage.rbd.csi.ceph.com reclaimPolicy: Delete volumeBindingMode: Immediate Version of all relevant components (if applicable): --------------------------------------------------- ODF: odf-operator.v4.9.0 OpenShift Data Foundation 4.9.0 Succeeded full_version=4.9.0-203.ci OCP: 4.9.0-0.nightly-2021-10-26-041726 Does this issue impact your ability to continue to work with the product (please explain in detail what is the user impact)? Yes, if not checked properly, one could assume that the storageclass creation was successful and proceed with PVC creation which would fail. Is there any workaround available to the best of your knowledge? Delete the storageclass and create a new one. Rate from 1 - 5 the complexity of the scenario you performed that caused this bug (1 - very simple, 5 - very complex)? 1 Can this issue reproducible? Yes Can this issue reproduce from the UI? Yes If this is a regression, please provide more details to justify this: No Steps to Reproduce: 1. Click on Storageclasses -> Create Storageclass 2. Enter the the required details and select RBD rovisioner openshift-storage.rbd.csi.ceph.com 3. Select a pool from the dropdown 4. Click on Enable Encryption and do not select any KMS connection 5. Click on create Actual results: Storageclass creation is successful. Expected results: The create button shouldn't be enabled if encryption is enabled but no KMS connection is selected.