Bug 1502767 - Encryption of secrets in datastore is not occurring
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth
Version: 3.6.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 3.7.0
Assigned To: Slava Semushin
QA Contact: Chuan Yu
Docs Contact:
Depends On:
Blocks:
Reported: 2017-10-16 12:03 EDT by Steven Walter
Modified: 2017-11-28 17:17 EST
CC List: 6 users

See Also:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-11-28 17:17:21 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---




External Trackers
Tracker ID: Red Hat Product Errata RHSA-2017:3188
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update
Last Updated: 2017-11-28 21:34:54 EST

Description Steven Walter 2017-10-16 12:03:40 EDT
Description of problem:
Following the guide here: https://docs.openshift.com/container-platform/3.6/admin_guide/encrypting_data.html

Customer was attempting to have all secrets in the cluster become encrypted. Steps followed below.

0. Generate encryption key
[root@br1endvosm01 ~]# head -c 32 /dev/urandom | base64
1. Update kubernetesMasterConfig in master-config.yaml on all masters with:
kubernetesMasterConfig:
  admissionConfig:
  apiServerArguments:
# BEGIN Encrypt secrets
    experimental-encryption-provider-config:
    - /usr/local/src/encryption_config.yml
# END Encrypt secrets

2. Add /usr/local/src/encryption_config.yml on all masters
[root@br1endvosm01 ~]# ls -al /usr/local/src/encryption_config.yml
-rw-------. 1 root root 225 Oct  4 10:44 /usr/local/src/encryption_config.yml
[root@br1endvosm01 ~]# cat /usr/local/src/encryption_config.yml 
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
    - secrets
    providers:
    - aescbc:
        keys:
        - name: key1
          secret: "<REDACTED>"
    - identity: {}
3. Restart api service on all masters:
systemctl restart atomic-openshift-master-api

4. Create new secret
[root@br1endvosm01 ~]# oc create secret generic secret1 -n default --from-literal=mykey=mydata
secret "secret1" created

5. Attempt to confirm secret is encrypted, but it isn't
[root@br1endvosm01 ~]# etcdctl --cert-file='/etc/origin/master/master.etcd-client.crt' --key-file='/etc/origin/master/master.etcd-client.key' --endpoints='https://10.24.249.21:2379' --ca-file='/etc/origin/master/master.etcd-ca.crt' get /kubernetes.io/secrets/default/secret1 
2017-10-04 11:06:28.581200 I | warning: ignoring ServerName for user-provided CA for backwards compatibility is deprecated
{"kind":"Secret","apiVersion":"v1","metadata":{"name":"secret1","namespace":"default","uid":"b299b1d4-a91d-11e7-bbf7-005056ab6e19","creationTimestamp":"2017-10-04T16:04:27Z"},"data":{"mykey":"bXlkYXRh"},"type":"Opaque"}



The service is running as root, who owns the encryption_config.yaml file. 


Version-Release number of selected component (if applicable):
oc v3.6.173.0.21
kubernetes v1.6.1+5115d708d7
openshift v3.6.173.0.21
kubernetes v1.6.1+5115d708d7


How reproducible:
Unconfirmed
Comment 1 Slava Semushin 2017-10-24 11:27:19 EDT
Which version of etcd are you using? Is it v3?
Comment 2 Slava Semushin 2017-10-24 11:46:02 EDT
Based on the command that you are using for getting data from etcd (etcdctl --cert-file), I conclude that you are using etcd2.

Data encryption is only supported on etcd3.

I will create a pull request to mention this limitation in the documentation.
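The check the reporter ran in step 5 (read the raw etcd value and look at it) is the right one; the missing piece is what an encrypted record should look like, and why an etcd2 backend never produces one. The following Python is an added example, not code from this bug, from OpenShift or from the Kubernetes project. It classifies raw etcd values by the upstream apiserver envelope format (the aescbc provider writes "k8s:enc:aescbc:v1:<key name>:" followed by a 16-byte IV and the AES-CBC ciphertext; protobuf-serialized plaintext starts with "k8s\x00"), decodes the Secret data of any plaintext JSON record to make the exposure visible, and validates that the EncryptionConfig key decodes to an AES key length. The sample values are constructed here, not captured from the reporter's cluster; on a real etcd3 cluster you would feed it the values returned by ETCDCTL_API=3 etcdctl get --prefix /kubernetes.io/secrets/ instead.

```python
import base64
import json

# Kubernetes apiserver envelope for values encrypted at rest with the aescbc
# provider: "k8s:enc:aescbc:v1:<key name>:" followed by a 16-byte IV and the
# AES-CBC ciphertext. Values with no envelope are stored exactly as serialized.
ENC_PREFIX = b"k8s:enc:"
# Prefix the apiserver writes in front of values serialized as protobuf
# (still plaintext, just not human-readable the way the reporter's JSON was).
PROTO_PREFIX = b"k8s\x00"
AES_BLOCK = 16
VALID_AES_KEY_LENGTHS = (16, 24, 32)


def validate_aescbc_key(secret_b64: str) -> int:
    """Return the decoded length of an EncryptionConfig aescbc key, in bytes.

    Raises ValueError unless the base64 decodes to a 16/24/32-byte AES key;
    `head -c 32 /dev/urandom | base64` (step 0 in the report) gives 32 bytes.
    """
    try:
        key = base64.b64decode(secret_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"secret is not valid base64: {exc}") from exc
    if len(key) not in VALID_AES_KEY_LENGTHS:
        raise ValueError(
            f"decoded key is {len(key)} bytes; expected one of {VALID_AES_KEY_LENGTHS}"
        )
    return len(key)


def classify_etcd_value(raw: bytes) -> dict:
    """Classify one raw etcd value as the apiserver stored it.

    'encrypted' values carry the k8s:enc envelope; 'plaintext' values are either
    JSON (decoded Secret data is returned so the exposure is visible) or protobuf.
    """
    if raw.startswith(ENC_PREFIX):
        # Layout after the prefix: <provider>:<version>:<key name>:<payload>
        rest = raw[len(ENC_PREFIX):]
        provider, _, rest = rest.partition(b":")
        version, _, rest = rest.partition(b":")
        key_name, _, payload = rest.partition(b":")
        info = {
            "state": "encrypted",
            "provider": provider.decode(),
            "version": version.decode(),
            "key_name": key_name.decode(),
        }
        if provider == b"aescbc":
            # IV plus at least one cipher block, whole blocks only
            info["well_formed"] = (
                len(payload) >= 2 * AES_BLOCK and len(payload) % AES_BLOCK == 0
            )
        return info
    if raw.startswith(PROTO_PREFIX):
        return {"state": "plaintext", "encoding": "protobuf"}
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return {"state": "unknown"}
    info = {"state": "plaintext", "encoding": "json", "kind": obj.get("kind")}
    if obj.get("kind") == "Secret":
        meta = obj.get("metadata", {})
        info["name"] = f"{meta.get('namespace')}/{meta.get('name')}"
        # Secret.data is only base64, not encryption: anyone who can read the
        # etcd value (or a backup of it) can read every secret value.
        info["values"] = {
            k: base64.b64decode(v) for k, v in obj.get("data", {}).items()
        }
    return info


def audit_secrets(store: dict) -> list:
    """Return the etcd keys whose value is not wrapped in an encryption envelope."""
    return [k for k, v in store.items() if classify_etcd_value(v)["state"] != "encrypted"]


# Constructed samples, not captured from a cluster: the JSON shape the reporter
# saw, an aescbc envelope with a dummy IV and ciphertext, and a protobuf value.
PLAINTEXT_SECRET = (
    b'{"kind":"Secret","apiVersion":"v1","metadata":{"name":"secret1","namespace":"default"},'
    b'"data":{"mykey":"bXlkYXRh"},"type":"Opaque"}'
)
ENCRYPTED_SECRET = b"k8s:enc:aescbc:v1:key1:" + bytes(AES_BLOCK) + bytes(range(32))
PROTOBUF_SECRET = PROTO_PREFIX + b"\x0a\x02v1"

SAMPLE_STORE = {
    "/kubernetes.io/secrets/default/secret1": PLAINTEXT_SECRET,
    "/kubernetes.io/secrets/default/secret2": ENCRYPTED_SECRET,
    "/kubernetes.io/secrets/kube-system/sa-token": PROTOBUF_SECRET,
}

if __name__ == "__main__":
    print("key length:", validate_aescbc_key(base64.b64encode(bytes(32)).decode()))
    for key, value in SAMPLE_STORE.items():
        print(key, classify_etcd_value(value))
    print("unencrypted:", audit_secrets(SAMPLE_STORE))
```

With an etcd2 backend every value comes back as "plaintext", exactly as in the report, because the encryption provider only sits in front of the etcd3 storage layer; with etcd3 and a working EncryptionConfig, every secrets key should classify as "encrypted" with the configured key name, and any leftover "plaintext" entries are records written before encryption was enabled that still need to be rewritten (for example by reading and updating each Secret once).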
Comment 3 Slava Semushin 2017-10-24 12:11:39 EDT
Documentation update: https://github.com/openshift/openshift-docs/pull/5923
Comment 4 Slava Semushin 2017-10-25 10:07:01 EDT
PR has been merged. I don't know when the new documentation will be available on the site, but I think that I can close this bug.
Comment 5 Chuan Yu 2017-10-25 21:00:17 EDT
Verified, the documentation changes make sense.
Comment 8 errata-xmlrpc 2017-11-28 17:17:21 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188
