Bug 1921540 - RBD PVC creation fails with error "invalid encryption kms configuration: "POD_NAMESPACE" is not set"
Summary: RBD PVC creation fails with error "invalid encryption kms configuration: "POD...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenShift Container Storage
Classification: Red Hat Storage
Component: csi-driver
Version: 4.7
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: OCS 4.7.0
Assignee: Niels de Vos
QA Contact: Rachael
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-01-28 06:53 UTC by Rachael
Modified: 2021-09-29 07:34 UTC (History)
5 users (show)

Fixed In Version: 4.7.0-714.ci
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-19 09:18:35 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github ceph ceph-csi pull 1844 0 None closed rbd: fix issue in ENV variable check 2021-02-17 13:31:56 UTC
Github openshift ceph-csi pull 16 0 None closed BUG 1921540: rbd: fix issue in ENV variable check 2021-02-17 13:31:57 UTC
Red Hat Product Errata RHSA-2021:2041 0 None None None 2021-05-19 09:19:02 UTC

Description Rachael 2021-01-28 06:53:30 UTC 
Description of problem (please be detailed as possible and provide log
snippets):

PVC creation using RBD storageclass where encryption is enabled using KMS fails with the following error:

E0128 05:54:51.218498       1 utils.go:136] ID: 1028 Req-ID: pvc-e3fbd0d1-e1c3-47ac-a852-1b9b73bde32e GRPC error: rpc error: code = InvalidArgument desc = invalid encryption kms configuration: "POD_NAMESPACE" is not set

The POD_NAMESPACE ENV variable is set in the csi provisioner pod:

$ oc describe pod csi-rbdplugin-provisioner-697f4498b4-rz9zl |grep POD_NAMESPACE
      POD_NAMESPACE:  openshift-storage (v1:metadata.namespace)

Version of all relevant components (if applicable):

OCS version: ocs-operator.v4.7.0-238.ci
OCP version: 4.7.0-0.nightly-2021-01-27-072811

Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?
Yes, Provisioning for RBD PVC fails

Is there any workaround available to the best of your knowledge?
Not that I am aware of

Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?
2

Can this issue reproducible?
Yes

Can this issue reproduce from the UI?
Yes

If this is a regression, please provide more details to justify this:


Steps to Reproduce:
1. Create an RBD storageclass with encryption enabled
2. Create a secret containing the token from vault
3. Create an RBD PVC using the storageclass in step 1

Actual results:
The PVC is stuck in Pending state with the error 

E0128 05:54:51.218498       1 utils.go:136] ID: 1028 Req-ID: pvc-e3fbd0d1-e1c3-47ac-a852-1b9b73bde32e GRPC error: rpc error: code = InvalidArgument desc = invalid encryption kms configuration: "POD_NAMESPACE" is not set

Expected results:
PVC should be in bound state
Comment 8 errata-xmlrpc 2021-05-19 09:18:35 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat OpenShift Container Storage 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2041
Note You need to log in before you can comment on or make changes to this bug.