Bug 2181446

Summary: [KMS][UI] PVC provisioning failed in case of vault kubernetes authentication is configured.
Product: [Red Hat Storage] Red Hat OpenShift Data Foundation Reporter: Parag Kamble <pakamble>
Component: management-consoleAssignee: Debjyoti Pandit <dpandit>
Status: CLOSED ERRATA QA Contact: Parag Kamble <pakamble>
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.13CC: dpandit, ebenahar, ocs-bugs, odf-bz-bot, skatiyar
Target Milestone: ---   
Target Release: ODF 4.13.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-06-21 15:25:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Parag Kamble 2023-03-24 06:46:17 UTC 
Created attachment 1953330 [details]
Configuring the encryption while creating SC

Description of problem (please be detailed as possible and provide log
snippests):

On an ODF 4.13 cluster, While setting up new storageclass encryption is enabled with  Vault kubernetes auth method. In this case PVC provisioning is failing with following error.

failed to provision volume with StorageClass "encrypt": rpc error: code = Internal desc = failed to setup encryption for image ocs-storagecluster-cephblockpool/csi-vol-807e9e27-bf0d-4eb6-a800-f746da57362d: failed to save the passphrase for 0001-0011-openshift-storage-0000000000000001-807e9e27-bf0d-4eb6-a800-f746da57362d: saving passphrase at 0001-0011-openshift-storage-0000000000000001-807e9e27-bf0d-4eb6-a800-f746da57362d request to vault failed: failed to put secret: backendPath=odf/, backendV2=false, namespace=, secretID=0001-0011-openshift-storage-0000000000000001-807e9e27-bf0d-4eb6-a800-f746da57362d: get auth token for namespace: Error making API request. URL: PUT https://<vault Enterprose instance>:8200/v1/auth/kubernetes/login Code: 403. Errors: * 1 error occurred: * permission denied

     

Version of all relevant components (if applicable):


Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?


Is there any workaround available to the best of your knowledge?


Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?


Can this issue reproducible?
Yes

Can this issue reproduce from the UI?
Yes

If this is a regression, please provide more details to justify this:


Steps to Reproduce:
1. Setup service accounts, auth method for the intended namespace by following steps mention in this link: https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.12/html/managing_and_allocating_storage_resources/storage-classes_rhodf#configuring-access-to-kms-using-vaulttenantsa_rhodf
2. [UI] Go to "Storage > StorageClasses".
3. [UI] Create StorageClass using "rbd" provisioner.
4. [UI] Opt for "Kubernetes" authentication method.
5. [UI] Create PVC on configured namespace on step 1.


Actual results:
PVC provision is failed with Error as mention in the description. 


Expected results:

PVC provision should be successful. 


Additional info:

While debugging this issue found that 'vaultNamespace' value is not getting populated in the 'csi-kms-connection-details'  configmap. After adding that value manually in the config map then PVC provision. is successful.
Comment 3 Sanjal Katiyar 2023-03-24 07:33:52 UTC 
workaround is present... we can directly add one extra field to the ConfigMap from the CLI for un-blocking happy path testing (if blocked)...
Comment 15 errata-xmlrpc 2023-06-21 15:25:01 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenShift Data Foundation 4.13.0 enhancement and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:3742