Bug 2051599

Summary: Use AAD while unwrapping the KEY from HPCS/Key Protect KMS
Product: [Red Hat Storage] Red Hat OpenShift Data Foundation Reporter: Humble Chirammal <hchiramm>
Component: csi-driverAssignee: Humble Chirammal <hchiramm>
Status: CLOSED ERRATA QA Contact: Joy John Pinto <jopinto>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 4.10CC: madam, muagarwa, ocs-bugs, odf-bz-bot, rgeorge, rperiyas
Target Milestone: ---   
Target Release: ODF 4.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 4.10.0-148 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-04-13 18:52:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Humble Chirammal 2022-02-07 15:22:04 UTC 
Description of problem (please be detailed as possible and provide log
snippests):

Recently we have added an enhancement to the wrap function while we use HPCS/Key protect KMS service to have AAD ( additional auth data). Eventhough it has been added and PVC claim works, while unwrapping we were not sending the AAD to the KMS and it caused the unwrapping to fail. 




Version of all relevant components (if applicable):

ODF 4.10

Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?


Is there any workaround available to the best of your knowledge?


Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?


Can this issue reproducible?


Can this issue reproduce from the UI?


If this is a regression, please provide more details to justify this:


Steps to Reproduce:
1.
2.
3.


Actual results:


Expected results:


Additional info:
Comment 7 Joy John Pinto 2022-02-24 11:22:43 UTC 
Hi Humble, 

Can you please share verification steps and tests that need to be covered to close this bug

Thanks,
Joy
Comment 8 Joy John Pinto 2022-03-18 06:03:21 UTC 
Verified by running tier1 test suite on KMS enabled cluster and no failures were seen except namespace creation tests (which is due to community edition of vault instance)

OCS version: 4.10.0-0.nightly-2022-03-16-041611
OCP version: 4.10.0-0.nightly-2022-03-16-165813

Jenkins job link: https://ocs4-jenkins-csb-odf-qe.apps.ocp-c1.prod.psi.redhat.com/job/qe-deploy-ocs-cluster/10878/
Logs for job id 10878 are located at-http://magna002.ceph.redhat.com/ocsci-jenkins/openshift-clusters/jopinto-bugkms/jopinto-bugkms_20220316T130317/
Rerun jenkins job link : https://ocs4-jenkins-csb-odf-qe.apps.ocp-c1.prod.psi.redhat.com/job/qe-deploy-ocs-cluster/10888/testReport/
Logs for job id 10888 are located at- http://magna002.ceph.redhat.com/ocsci-jenkins/openshift-clusters/jopinto-bugkmsrerun/jopinto-bugkmsrerun_20220317T022450/

Hence closing the bug.
Comment 10 errata-xmlrpc 2022-04-13 18:52:48 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.10.0 enhancement, security & bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:1372
Comment 11 Red Hat Bugzilla 2023-12-08 04:27:42 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days