Description of problem (please be as detailed as possible and provide log snippets):
There isn't an option to configure one of the KMS values, VAULT_SKIP_VERIFY, via the UI, hence can't test with an unknown CA certificate. Via YAML the option is configurable.

Version of all relevant components (if applicable):
All ocp4.7 ocs4.7

Does this issue impact your ability to continue to work with the product (please explain in detail what the user impact is)?
Can test KMS without certificates signed by a trusted CA

Is there any workaround available to the best of your knowledge?
Work with a trusted CA

Rate from 1 - 5 the complexity of the scenario you performed that caused this bug (1 - very simple, 5 - very complex)?
1

Is this issue reproducible?
Yes

Can this issue be reproduced from the UI?
Yes

If this is a regression, please provide more details to justify this:
No

Steps to Reproduce:
1. Install OCP4.7
2. Configure KMS
3. Install ocs-operator
4. Add storage cluster with encryption and KMS

Actual results:
OCS will install and the following error occurs:
ceph-cluster-controller: failed to reconcile. failed to reconcile cluster "ocs-storagecluster-cephcluster": failed to configure local ceph cluster: failed to create cluster: failed to start ceph osds: 3 failures encountered while running osds in namespace openshift-storage: failed to store secret. failed to init vault kms: failed to initialize vault secret store: Get "https://vault.default.svc.cluster.local:8200/v1/sys/mounts": x509: certificate signed by unknown authority

Expected results:
Have the option to configure VAULT_SKIP_VERIFY as when installing via the CLI.

Additional info:
Hi @
My understanding is that after enabling encryption with TLS, supporting an unknown CA certificate will lead to an insecure connection. Also, if we don't want a secure connection, then we can disable TLS in the vault. Does this option make sense at the product level? Please correct me if I am wrong. Need info @
Hi, I have discussed this issue with Eran and he suggested adding this key-value manually to the config map (a rook restart may be required, will confirm that) and documenting these steps. We have to figure out how important this fix is for the customers and whether it is happening commonly or not. Based on that we will fix this bug in a later release. Any thoughts?
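For reference, here is what the manual config-map workaround from the comment above looks like, shown as an added example that is not from the bug report or from the OCS/Rook projects. It assumes the KMS connection ConfigMap is named ocs-kms-connection-details in openshift-storage and that Rook reads the standard Vault client variables (VAULT_ADDR, VAULT_SKIP_VERIFY, VAULT_CACERT) from it; the Vault address comes from the error in the description, and the backend path and Secret name are constructed. Variant A is the skip-verify setting for a POC; variant B keeps verification on by trusting the private CA, which is the form to use once the cluster matters.

```yaml
# Added example, not project code. Assumed: ConfigMap name and the
# Rook convention that VAULT_CACERT names a Secret whose "cert" key
# holds the PEM CA bundle. A rook-ceph operator restart may be needed
# after editing (see comment above).
---
# Variant A: POC / dev only. TLS certificate verification is disabled,
# so the OSDs will accept any certificate presented for the Vault host.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ocs-kms-connection-details   # assumed name
  namespace: openshift-storage
data:
  KMS_PROVIDER: vault
  KMS_SERVICE_NAME: vault
  VAULT_ADDR: https://vault.default.svc.cluster.local:8200
  VAULT_BACKEND_PATH: ocs            # constructed
  VAULT_SKIP_VERIFY: "true"
---
# Variant B: verification stays on; the internal CA is trusted instead.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ocs-kms-connection-details   # assumed name
  namespace: openshift-storage
data:
  KMS_PROVIDER: vault
  KMS_SERVICE_NAME: vault
  VAULT_ADDR: https://vault.default.svc.cluster.local:8200
  VAULT_BACKEND_PATH: ocs            # constructed
  VAULT_CACERT: vault-ca-cert        # Secret name, constructed
---
# Secret referenced by VAULT_CACERT in variant B.
apiVersion: v1
kind: Secret
metadata:
  name: vault-ca-cert
  namespace: openshift-storage
type: Opaque
stringData:
  cert: |
    -----BEGIN CERTIFICATE-----
    <PEM of the internal CA that signed the Vault server cert: placeholder>
    -----END CERTIFICATE-----
```

Apply one variant with `oc apply -f`, then check that the OSD prepare pods no longer log the x509 error quoted in the description.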
I don't understand why we can't make it simple for the customer to have this option when he does a POC or works in another DEV environment that will not use a trusted certificate. I think @sebastien han and I agree that it will be broadly used.
Hi, just need to clarify one thing. If the product allows the customer to use both trusted and non-trusted certificates, do we really need to ask for this option? What if the customer enables this option and uploads trusted certificates? I don't see the UI as the right place to fix this issue. My suggestion is: either rook or the OCS operator can validate the certificates and decide whether to add this option or not.
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days