Description of problem:
When etcd is encrypted, the encryption key is stored as part of the static pod resources. The current backup procedure combines the etcd snapshot database and the static pod resources into a single tar archive.
For enhanced security, they should not be stored together.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Take a snapshot backup using DR scripts.
It produces a single tar.gz archive containing keys and snapshot data.
For enhanced security, it is expected that encryption keys and data are kept separate.
Verified with 4.4.0-0.nightly-2020-02-02-201619:
$ cd assets/
backup bin manifests manifests-stopped restore shared templates tmp
$ cd backup/
etcd etcd-ca-bundle.crt etcd-member.yaml snapshot_2020-02-03_115156.db static_kuberesources_2020-02-03_115156.tar.gz
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
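
Existing backup archives can be checked for the problem described in this report, where one tar.gz holds both the etcd snapshot and the static pod resources that carry the encryption key. The Python check below is an added example, not part of the DR scripts or of this report; it assumes a snapshot is identified by a `.db` suffix (as in the listing above) and treats every other file as static pod resource material, and the archive member names and contents are constructed.

```python
import io
import tarfile

SNAPSHOT_SUFFIX = ".db"  # assumption: snapshots are named like snapshot_<timestamp>.db


def audit_archive(fileobj):
    """Classify one tar.gz backup archive by what it stores together."""
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        names = [m.name for m in tar.getmembers() if m.isfile()]
    snapshots = [n for n in names if n.endswith(SNAPSHOT_SUFFIX)]
    # Assumption: every non-snapshot file is static pod resource material,
    # which may include the etcd encryption key.
    resources = [n for n in names if not n.endswith(SNAPSHOT_SUFFIX)]
    if snapshots and resources:
        verdict = "COMBINED"  # keys and data in one archive: the reported problem
    elif snapshots:
        verdict = "SNAPSHOT_ONLY"
    elif resources:
        verdict = "RESOURCES_ONLY"
    else:
        verdict = "EMPTY"
    return verdict, snapshots, resources


def build_sample(members):
    """Build an in-memory tar.gz from {name: bytes}; constructed test input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


# Constructed member names and contents, for illustration only.
COMBINED = {"snapshot_2020-02-03_115156.db": b"constructed snapshot bytes",
            "static-pod-resources/encryption-config": b"constructed key material"}
SEPARATE = {"static-pod-resources/encryption-config": b"constructed key material"}

if __name__ == "__main__":
    for label, members in (("combined", COMBINED), ("separate", SEPARATE)):
        verdict, snaps, res = audit_archive(build_sample(members))
        print(f"{label}: {verdict} snapshots={snaps} resources={res}")
```

A `COMBINED` verdict marks an archive that should be handled with the same care as the encryption key itself.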