Bug 2094856

Summary: [KMS] PVC creation using vaulttenantsa method is failing due to token secret missing in serviceaccount
Product: [Red Hat Storage] Red Hat OpenShift Data Foundation
Reporter: Rachael <rgeorge>
Component: csi-driver
Assignee: Rakshith <rar>
Status: CLOSED ERRATA
QA Contact: Rachael <rgeorge>
Severity: high
Docs Contact:
Priority: unspecified
Version: 4.11
CC: madam, mrajanna, muagarwa, ndevos, ocs-bugs, odf-bz-bot, rar
Target Milestone: ---
Keywords: Regression
Target Release: ODF 4.11.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 2098536
Environment:
Last Closed: 2022-08-24 13:54:14 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2098536
Bug Blocks: 2098562

Description Rachael 2022-06-08 13:00:41 UTC
Description of problem (please be detailed as possible and provide log
snippets):

In OCP 4.11 + ODF 4.11, the creation of encrypted PVC using the vaulttenantsa method is failing with the following error:

  Warning  ProvisioningFailed    7s (x8 over 71s)   openshift-storage.rbd.csi.ceph.com_csi-rbdplugin-provisioner-5c7ffd97-nlfdd_2d4c77af-4dad-4b7e-9bf1-92e5d11a8d3c  failed to provision volume with StorageClass "test-pv-encryption-1": rpc error: code = InvalidArgument desc = invalid encryption kms configuration: failed setting up token for test/ceph-csi-vault-sa: failed to find token in ServiceAccount test/ceph-csi-vault-sa


Due to recent changes in Kubernetes that are available in OCP 4.11, the ServiceAccount no longer has the token secret linked to it at creation time.

$ oc get sa ceph-csi-vault-sa -o yaml
apiVersion: v1
imagePullSecrets:
- name: ceph-csi-vault-sa-dockercfg-psmtt
kind: ServiceAccount
metadata:
  creationTimestamp: "2022-06-08T12:44:51Z"
  name: ceph-csi-vault-sa
  namespace: test
  resourceVersion: "165333"
  uid: 2d96aa2d-1c9f-4bd6-a762-6c65cbf16ea1
secrets:
- name: ceph-csi-vault-sa-dockercfg-psmtt


Version of all relevant components (if applicable):
---------------------------------------------------
OCP: 4.11.0-0.nightly-2022-06-06-025509
ODF: odf-operator.v4.11.0              OpenShift Data Foundation     4.11.0               Succeeded   full_version=4.11.0-89


Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?

Yes, using the vaulttenantsa method for PV encryption fails.



Is there any workaround available to the best of your knowledge?

The secret can be linked to the tenant ServiceAccount using the following commands:

$ oc get secret|grep vault
ceph-csi-vault-sa-dockercfg-psmtt   kubernetes.io/dockercfg               1      2m14s
ceph-csi-vault-sa-token-2z9tp       kubernetes.io/service-account-token   4      2m14s

$ oc secrets link ceph-csi-vault-sa ceph-csi-vault-sa-token-2z9tp

$ oc get sa ceph-csi-vault-sa -o yaml
apiVersion: v1
imagePullSecrets:
- name: ceph-csi-vault-sa-dockercfg-psmtt
kind: ServiceAccount
metadata:
  creationTimestamp: "2022-06-08T12:44:51Z"
  name: ceph-csi-vault-sa
  namespace: test
  resourceVersion: "165333"
  uid: 2d96aa2d-1c9f-4bd6-a762-6c65cbf16ea1
secrets:
- name: ceph-csi-vault-sa-dockercfg-psmtt
- name: ceph-csi-vault-sa-token-2z9tp

Once the secret is linked, the PVC creation succeeds.


Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?
2


Is this issue reproducible?
Yes


Can this issue reproduce from the UI?


If this is a regression, please provide more details to justify this:
Yes


Steps to Reproduce:
-------------------

1. Follow the steps here to create an encrypted PVC using vaulttenantsa method:

https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.10/html/managing_and_allocating_storage_resources/storage-classes_rhodf#prerequisites_for_using_literal_vaulttenantsa_literal



Actual results:
---------------

The PVC creation fails with the error:

  Warning  ProvisioningFailed    7s (x8 over 71s)   openshift-storage.rbd.csi.ceph.com_csi-rbdplugin-provisioner-5c7ffd97-nlfdd_2d4c77af-4dad-4b7e-9bf1-92e5d11a8d3c  failed to provision volume with StorageClass "test-pv-encryption-1": rpc error: code = InvalidArgument desc = invalid encryption kms configuration: failed setting up token for test/ceph-csi-vault-sa: failed to find token in ServiceAccount test/ceph-csi-vault-sa


Expected results:
-----------------
PVC creation should be successful.
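The following check is an added example and is not part of the bug report or of Ceph-CSI's own code. It reproduces, against objects constructed from the `oc get sa` and `oc get secret` output above, the lookup that fails in this report: the ServiceAccount's `.secrets` list contains only the dockercfg entry and no `kubernetes.io/service-account-token` Secret. It classifies the ServiceAccount as already fine, as fixable by the `oc secrets link` workaround from the report, or as needing a token Secret created first (using the standard Kubernetes mechanism of a Secret of type `kubernetes.io/service-account-token` carrying the `kubernetes.io/service-account.name` annotation). All function names and the `<sa>-token` Secret name are this example's own.

```python
"""Check whether a ServiceAccount carries a linked token Secret, as the
Ceph-CSI vaulttenantsa KMS method requires, and propose the fix.
Sample objects are constructed from the report's `oc get` output; on a
live cluster they would come from `oc get sa/secret -o json`."""
import copy

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_NAME_ANNOTATION = "kubernetes.io/service-account.name"

# Constructed sample: the ServiceAccount before the workaround (dockercfg only).
SERVICE_ACCOUNT = {
    "apiVersion": "v1",
    "kind": "ServiceAccount",
    "metadata": {"name": "ceph-csi-vault-sa", "namespace": "test"},
    "imagePullSecrets": [{"name": "ceph-csi-vault-sa-dockercfg-psmtt"}],
    "secrets": [{"name": "ceph-csi-vault-sa-dockercfg-psmtt"}],
}

# Constructed sample: the two Secrets listed by `oc get secret | grep vault`.
NAMESPACE_SECRETS = [
    {"metadata": {"name": "ceph-csi-vault-sa-dockercfg-psmtt", "namespace": "test"},
     "type": "kubernetes.io/dockercfg"},
    {"metadata": {"name": "ceph-csi-vault-sa-token-2z9tp", "namespace": "test",
                  "annotations": {SA_NAME_ANNOTATION: "ceph-csi-vault-sa"}},
     "type": SA_TOKEN_TYPE},
]


def _is_token_secret_for(secret, sa):
    """True if `secret` is a service-account token Secret issued for `sa`."""
    meta = secret["metadata"]
    return (secret.get("type") == SA_TOKEN_TYPE
            and meta.get("namespace") == sa["metadata"]["namespace"]
            and meta.get("annotations", {}).get(SA_NAME_ANNOTATION) == sa["metadata"]["name"])


def linked_token_secrets(sa, secrets):
    """Token Secrets the ServiceAccount actually references in .secrets.
    Only these satisfy the provisioner's lookup; a dockercfg entry does not count."""
    by_name = {s["metadata"]["name"]: s for s in secrets}
    return [ref["name"] for ref in sa.get("secrets") or []
            if ref["name"] in by_name and _is_token_secret_for(by_name[ref["name"]], sa)]


def unlinked_token_secrets(sa, secrets):
    """Token Secrets for this ServiceAccount that exist but are not linked to it."""
    linked = {ref["name"] for ref in sa.get("secrets") or []}
    return [s["metadata"]["name"] for s in secrets
            if _is_token_secret_for(s, sa) and s["metadata"]["name"] not in linked]


def remediation(sa, secrets):
    """Return (status, detail):
      ("ok", [linked token names])        nothing to do
      ("link", "oc ... secrets link ...")   token exists, link it (the report's workaround)
      ("create", manifest)                no token Secret at all; create it, then link it"""
    ns, name = sa["metadata"]["namespace"], sa["metadata"]["name"]
    linked = linked_token_secrets(sa, secrets)
    if linked:
        return "ok", linked
    candidates = unlinked_token_secrets(sa, secrets)
    if candidates:
        return "link", f"oc -n {ns} secrets link {name} {candidates[0]}"
    # No token Secret exists, which is the expected state on clusters that no
    # longer auto-generate them. The annotation tells the token controller which
    # ServiceAccount to issue the token for; the Secret name is constructed here.
    manifest = {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": f"{name}-token", "namespace": ns,
                     "annotations": {SA_NAME_ANNOTATION: name}},
        "type": SA_TOKEN_TYPE,
    }
    return "create", manifest


def link_secret(sa, secret_name):
    """Copy of the ServiceAccount with `secret_name` appended to .secrets,
    mirroring what `oc secrets link` does server-side (input is not mutated)."""
    fixed = copy.deepcopy(sa)
    fixed["secrets"] = list(fixed.get("secrets") or []) + [{"name": secret_name}]
    return fixed


if __name__ == "__main__":
    status, detail = remediation(SERVICE_ACCOUNT, NAMESPACE_SECRETS)
    print(status, detail)
    if status == "link":
        fixed_sa = link_secret(SERVICE_ACCOUNT, detail.split()[-1])
        print(remediation(fixed_sa, NAMESPACE_SECRETS))
```

Run as-is it reports the `link` case with the same `oc secrets link` command the report uses, and after the simulated link it reports `ok`. Dropping the token Secret from the input exercises the `create` branch, which is what a freshly created ServiceAccount looks like on a cluster that no longer auto-generates token Secrets; the emitted manifest still has to be linked to the ServiceAccount afterwards for the provisioner's lookup to succeed.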

Comment 7 Niels de Vos 2022-06-17 16:29:39 UTC
Is there a BZ for ocs-operator to update the RBAC?

Comment 13 errata-xmlrpc 2022-08-24 13:54:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.11.0 security, enhancement, & bugfix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:6156