Bug 2079685

Summary: Storageclass creation page with "Enable encryption" is not displaying saved KMS connection details when vaulttenantsa details are available in csi-kms-details config
Product: OpenShift Container Platform
Reporter: Amrita Mahapatra <ammahapa>
Component: Console Storage Plugin
Assignee: Rishabh Bhandari <rbhandar>
Status: CLOSED ERRATA
QA Contact: Amrita Mahapatra <ammahapa>
Severity: high
Priority: unspecified
Version: 4.10
CC: badhikar, gshanmug, jefbrown, madam, mmuench, muagarwa, nberry, nthomas, ocs-bugs, skatiyar
Keywords: PrioBumpQA, Regression, Reopened
Target Release: 4.11.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2022-08-10 11:09:16 UTC
Type: Bug
Bug Blocks: 2092496

Description Amrita Mahapatra 2022-04-28 05:45:38 UTC
Description of problem (please be detailed as possible and provide log
snippets):

For OCP 4.10 and ODF 4.10, if details for "encryptionKMSType": "vaulttenantsa" are available in the csi-kms-connection-details configmap, e.g.:

$ oc get cm csi-kms-connection-details -n openshift-storage -o yaml
apiVersion: v1
data:
  vault-tenant-sa-auth: |-
    {
      "encryptionKMSType": "vaulttenantsa",
      "vaultAddress": https://vault.qe.rh-ocs.com:8200",
      "vaultAuthPath": "/v1/auth/ammahapa-k8/login",
      "vaultBackendPath": "ammahapa_ocs3",
      "vaultCAFromSecret": "ocs-kms-ca-secret-dslpu",
      "vaultClientCertFromSecret": "ocs-kms-client-cert-i4t28j",
      "vaultClientCertKeyFromSecret": "ocs-kms-client-key-or3su",
      "tenantSAName": "ceph-csi-vault-sa"
    }
  vault-test: '{"encryptionKMSType":"vaulttokens","kmsServiceName":"vault-test","vaultAddress":"https://vault.qe.rh-ocs.com:8200","vaultBackendPath":"rook","vaultTLSServerName":"","vaultCAFileName":"","vaultClientCertFileName":"","vaultClientCertKeyFileName":"","vaultAuthMethod":"token","tenantTokenName":"ceph-csi-kms-token","vaultNamespace":""}'
  vault-token: '{"encryptionKMSType":"vaulttokens","kmsServiceName":"vault-token","vaultAddress":"https://vault.qe.rh-ocs.com:8200","vaultBackendPath":"ammahapa_ocs3","vaultCAFromSecret":"ocs-kms-ca-secret-dslpu","vaultTLSServerName":"","vaultClientCertFromSecret":"ocs-kms-client-cert-i4t28j","vaultClientCertKeyFromSecret":"ocs-kms-client-key-or3su","vaultCAFileName":"fullchain.pem","vaultClientCertFileName":"cert.pem","vaultClientCertKeyFileName":"privkey.pem","vaultAuthMethod":"token","tenantTokenName":"ceph-csi-kms-token","vaultNamespace":""}'
kind: ConfigMap
metadata:
  creationTimestamp: "2022-04-27T08:07:24Z"
  name: csi-kms-connection-details
  namespace: openshift-storage
  resourceVersion: "247071"
  uid: a9c64f1d-c291-4896-8b3c-35894d906956

then in the storage class creation page, on clicking the "Enable Encryption" checkbox with the radio button 'Choose existing KMS connection' selected, an empty 'Key service' drop-down is displayed.

For OCP 4.11 and ODF 4.11, for a similar scenario, in the storage class creation page, after clicking the "Enable Encryption" checkbox with the radio button 'Choose existing KMS connection' selected, the 'Key service' drop-down is displayed with only the added vaulttoken connection option.

Version of all relevant components (if applicable):
===================================================
For issue faced in OCP and ODF 4.10---
OCP: 4.10.0-0.nightly-2022-04-26-204343
ODF full_version: 4.10.1-2

For issue faced in OCP and ODF 4.11---
OCP: 4.11.0-0.nightly-2022-04-26-181148
ODF full_version: 4.11.0-51


Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)? No


Is there any workaround available to the best of your knowledge? No


Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)? 3


Is this issue reproducible? yes


Can this issue be reproduced from the UI? yes


If this is a regression, please provide more details to justify this: yes


Steps to Reproduce:
1. Edit/create the csi-kms-connection-details configmap in the openshift-storage namespace with details for encryptionKMStype: vaulttenantsa and encryptionKMStype: vaulttokens

2. In the UI, navigate to the storageclass creation page: Storage -> Storageclasses -> Create new storageclass

3. Enter the name of the storageclass, select provisioner "openshift-storage.rbd.csi.ceph.com"

4. Click on the "Enable Encryption" checkbox
5. Select radio button 'Choose existing KMS connection'
6. Click on 'Key service' drop down


Actual results:
For OCP and ODF 4.10, no KMS connection details are displayed on the storageclass creation with encryption page with existing KMS connection when details of encryptionKMStype: vaulttenantsa type are available in the csi-kms-details configmap along with encryptionKMStype: vaulttokens.

For OCP and ODF 4.11, only encryptionKMStype: vaulttokens details are displayed on the storageclass creation with encryption page with existing KMS connection when details of encryptionKMStype: vaulttenantsa type are available in the csi-kms-details configmap along with encryptionKMStype: vaulttokens.

Expected results:
All the existing KMS connections of type vaulttenantsa and vaulttokens should be displayed under the 'Key service' drop-down.
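
An added example, not part of the original report and not the console plugin's code: a check that takes the data map of a csi-kms-connection-details ConfigMap, reports which keys parse as JSON, and groups them by the encryptionKMSType they declare, so the list can be compared against what the 'Key service' drop-down shows. The function name and all sample values are hypothetical and constructed for illustration.

```python
import json

# The two connection types the report expects in the 'Key service' drop-down.
EXPECTED_TYPES = ("vaulttenantsa", "vaulttokens")


def classify_kms_connections(data):
    """Group ConfigMap data keys by encryptionKMSType and collect unusable entries."""
    by_type = {t: [] for t in EXPECTED_TYPES}
    problems = {}
    for name, raw in sorted(data.items()):
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError as exc:
            # A value that is not valid JSON cannot be read as a connection at all.
            problems[name] = f"invalid JSON (line {exc.lineno}, column {exc.colno})"
            continue
        if not isinstance(entry, dict):
            problems[name] = "value is not a JSON object"
            continue
        kms_type = entry.get("encryptionKMSType")
        if kms_type in by_type:
            by_type[kms_type].append(name)
        else:
            problems[name] = f"unexpected encryptionKMSType: {kms_type!r}"
    return by_type, problems


# Constructed sample of a ConfigMap "data" map (placeholder names and addresses).
SAMPLE_DATA = {
    "tenant-sa-conn": '{"encryptionKMSType": "vaulttenantsa", '
                      '"vaultAddress": "https://vault.example.test:8200", '
                      '"tenantSAName": "example-sa"}',
    "token-conn": '{"encryptionKMSType": "vaulttokens", '
                  '"vaultAddress": "https://vault.example.test:8200"}',
    # Missing opening quote before the URL: this value does not parse.
    "broken-conn": '{"encryptionKMSType": "vaulttenantsa", '
                   '"vaultAddress": https://vault.example.test:8200"}',
    "no-type-conn": '{"vaultAddress": "https://vault.example.test:8200"}',
}

if __name__ == "__main__":
    by_type, problems = classify_kms_connections(SAMPLE_DATA)
    for kms_type, names in by_type.items():
        print(f"{kms_type}: {', '.join(names) or '(none)'}")
    for name, reason in problems.items():
        print(f"skipped {name}: {reason}")
```

On a live cluster the same map can be obtained from `oc get cm csi-kms-connection-details -n openshift-storage -o json` by reading its `data` field.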

Comment 13 errata-xmlrpc 2022-08-10 11:09:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069