Created attachment 1765941 [details]
Storagecluster creation (configure page)

Description of problem (please be as detailed as possible and provide log snippets):

In OCS 4.7, when the storagecluster is deployed with only storageclass encryption enabled (cluster-wide encryption using KMS is not enabled), the noobaa root secret key used for MCG encryption is stored on the vault (KMS) server. A screenshot of the storagecluster creation page is attached.

$ oc describe noobaa
Name:         noobaa
Namespace:    openshift-storage
Labels:       app=noobaa
Annotations:  <none>
API Version:  noobaa.io/v1alpha1
Kind:         NooBaa
Metadata:
  ...
  Owner References:
    API Version:           ocs.openshift.io/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  StorageCluster
    Name:                  ocs-storagecluster
    UID:                   b5ae8e46-ac59-47f4-95ac-28354e63ed05
  Resource Version:        248769
  UID:                     affee07e-4752-4c30-832b-76df9b012dc1
Spec:
  ...
  Security:
    Kms:
      Connection Details:
        KMS_PROVIDER:           vault
        KMS_SERVICE_NAME:       vault
        VAULT_ADDR:             https://vault.qe.rh-ocs.com:8200
        VAULT_BACKEND_PATH:     rbd-encryption
        VAULT_CACERT:           ocs-kms-ca-secret-he41hq
        VAULT_CLIENT_CERT:      ocs-kms-client-cert-p55qnc
        VAULT_CLIENT_KEY:       ocs-kms-client-key-rd3h7k
        VAULT_NAMESPACE:        ocs/rbd
        VAULT_TLS_SERVER_NAME:  vault.qe.rh-ocs.com
      Token Secret Name:        ocs-kms-token
  ...

$ vault kv list -namespace=ocs/rbd rbd-encryption/NOOBAA_ROOT_SECRET_PATH/
Keys
----
rootkeyb64-affee07e-4752-4c30-832b-76df9b012dc1

Version of all relevant components (if applicable):
OCS: ocs-operator.v4.7.0-307.ci

Does this issue impact your ability to continue to work with the product (please explain in detail what the user impact is)?

Is there any workaround available to the best of your knowledge?
Not that I am aware of

Rate from 1 - 5 the complexity of the scenario you performed that caused this bug (1 - very simple, 5 - very complex)?
2

Is this issue reproducible?
Yes

Can this issue be reproduced from the UI?
Yes

If this is a regression, please provide more details to justify this:
No

Steps to Reproduce:
1. Install the OCS operator
2. Create an OCS storagecluster with only storage class encryption enabled
3. Check for keys on the vault server

Actual results:
The encryption key for MCG is stored in the vault server

Expected results:
Since cluster-wide encryption is not enabled using KMS, MCG should use a Kubernetes secret to store the key instead of the vault server
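As an added verification check (not part of the bug report or of ocs-operator), the script below reproduces the reporter's reasoning offline: given the StorageCluster encryption settings and the key names listed under the vault NooBaa path, it reports where the MCG root key actually lives and whether that matches the backend the cluster-wide KMS flag calls for. The StorageCluster field names under spec.encryption and the NooBaa UID lookup are assumptions for illustration; the vault key name and UID are the ones from the report, and the StorageCluster document is constructed sample input rather than a real capture.

```python
"""Flag a NooBaa (MCG) root key stored in the KMS while cluster-wide KMS encryption is off."""

# Constructed sample of `oc get storagecluster ocs-storagecluster -o json` (not a real capture).
# The spec.encryption field names are an assumption made for this check, not verified CRD fields.
SAMPLE_STORAGECLUSTER = {
    "spec": {
        "encryption": {
            "clusterWide": False,   # assumed flag: cluster-wide encryption using KMS
            "storageClass": True,   # assumed flag: storageclass (per-PV) encryption only
            "kms": {"enable": False},
        }
    }
}

# Constructed sample of `vault kv list rbd-encryption/NOOBAA_ROOT_SECRET_PATH/` output;
# the key name reuses the one shown in the bug report.
SAMPLE_VAULT_KEYS = ["rootkeyb64-affee07e-4752-4c30-832b-76df9b012dc1"]

# UID of the NooBaa CR from the report; the root key name ends with it.
NOOBAA_UID = "affee07e-4752-4c30-832b-76df9b012dc1"


def cluster_wide_kms_enabled(storagecluster: dict) -> bool:
    """True only if cluster-wide encryption is on AND it is backed by the KMS."""
    enc = storagecluster.get("spec", {}).get("encryption", {})
    return bool(enc.get("clusterWide")) and bool(enc.get("kms", {}).get("enable"))


def noobaa_root_key_in_vault(vault_keys: list, noobaa_uid: str) -> bool:
    """True if a rootkeyb64-<noobaa-uid> entry is present in the listed vault keys."""
    return any(k == f"rootkeyb64-{noobaa_uid}" for k in vault_keys)


def check_mcg_key_placement(storagecluster: dict, vault_keys: list, noobaa_uid: str) -> dict:
    """Compare the expected MCG key backend with where the key was actually found."""
    expected = "vault" if cluster_wide_kms_enabled(storagecluster) else "kubernetes-secret"
    actual = "vault" if noobaa_root_key_in_vault(vault_keys, noobaa_uid) else "kubernetes-secret"
    return {"expected_backend": expected, "actual_backend": actual, "mismatch": expected != actual}


if __name__ == "__main__":
    result = check_mcg_key_placement(SAMPLE_STORAGECLUSTER, SAMPLE_VAULT_KEYS, NOOBAA_UID)
    print(result)
```

With the sample input the check reports a mismatch (key found in vault, but only a Kubernetes secret was expected), which is the condition the report describes; with clusterWide and kms.enable both set it reports no mismatch.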
Created attachment 1765944 [details] Must gather logs and screenshots
I'm not too familiar with this part of the code, but offhand it does seem like a valid ocs-operator bug. Tagging Arun to take a closer look. Arun, if it makes sense please update this BZ and give devel_ack+.
Taking the bug... PS: Unable to give `devel_ack +`, might be a permission issue.
Done.
Created PR: https://github.com/openshift/ocs-operator/pull/1133 Jose please take a look.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Red Hat OpenShift Container Storage 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2041