Description of problem (please be detailed as possible and provide log snippets):
For an encrypted RBD PV, when a snapshot is taken an encryption key is generated in vault. When the volumesnapshot is deleted, the key in vault does not get deleted.

$ oc describe volumesnapshotcontent snapcontent-e7ff7b45-b4c7-4d84-94e6-aaa344a0dff0 | grep "Snapshot Handle"
  Snapshot Handle:  0001-0011-openshift-storage-0000000000000001-63f8d2aa-a682-11eb-82a5-0a580a810216

Keys in vault after snapshot and restore:
=========================================
0001-0011-openshift-storage-0000000000000001-089e2dae-a682-11eb-82a5-0a580a810216
==== Data ====
Key     Value
---     -----
data    map[passphrase:AOjw9cGmXx7VyLkHPCSnOA5-zy8=]
++++++++++++++++++++++++++++++++++++++
0001-0011-openshift-storage-0000000000000001-63f8d2aa-a682-11eb-82a5-0a580a810216
==== Data ====
Key     Value
---     -----
data    map[passphrase:AOjw9cGmXx7VyLkHPCSnOA5-zy8=]
++++++++++++++++++++++++++++++++++++++
0001-0011-openshift-storage-0000000000000001-7396824e-a682-11eb-82a5-0a580a810216
==== Data ====
Key     Value
---     -----
data    map[passphrase:AOjw9cGmXx7VyLkHPCSnOA5-zy8=]

Keys in vault after deleting the volumesnapshot, parent PVC and restored PVC:
==============================================================================
0001-0011-openshift-storage-0000000000000001-63f8d2aa-a682-11eb-82a5-0a580a810216
==== Data ====
Key     Value
---     -----
data    map[passphrase:AOjw9cGmXx7VyLkHPCSnOA5-zy8=]

Version of all relevant components (if applicable):
OCS: ocs-operator.v4.8.0-361.ci
OCP: 4.8.0-0.nightly-2021-04-25-231500

Does this issue impact your ability to continue to work with the product (please explain in detail what is the user impact)?
No

Is there any workaround available to the best of your knowledge?
Manually deleting the key from vault

Rate from 1 - 5 the complexity of the scenario you performed that caused this bug (1 - very simple, 5 - very complex)?
3

Is this issue reproducible?
Yes

Can this issue reproduce from the UI?
Yes

If this is a regression, please provide more details to justify this:
No

Steps to Reproduce:
1. Create an encrypted RBD PVC
2. Create a snapshot of the encrypted PV
3. Check encryption key in vault. There should be two keys, one for the parent PV and the other for the volumesnapshot
4. Delete the volumesnapshot
5. Delete the parent PVC
6. Check encryption keys in vault

Actual results:
The encryption key for PVC is deleted, but the key for volumesnapshot is still present

Expected results:
Deletion of volumesnapshot should delete the key for the snapshot in vault
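
An added example, not part of the original report or of ceph-csi: a Python check that lists Vault keys left behind by this bug, by comparing key names against the CSI handles still referenced in the cluster. It assumes the inputs are the JSON from `oc get pv -o json` and `oc get volumesnapshotcontent -o json` plus the key names under the Vault path used for PV encryption. The handle pattern is inferred from the handles shown above, and the sample data is constructed to mirror the state after step 4.

```python
import json
import re

# Handle shape inferred from the handles in this report (assumption):
# <4 hex>-<4 hex>-<cluster id>-<16 hex>-<uuid>
HANDLE_RE = re.compile(
    r"^[0-9a-f]{4}-[0-9a-f]{4}-.+-[0-9a-f]{16}-"
    r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$"
)

def live_handles(pv_json, vsc_json):
    """Collect CSI handles still referenced by PVs and VolumeSnapshotContents."""
    handles = set()
    for pv in json.loads(pv_json).get("items", []):
        csi = (pv.get("spec") or {}).get("csi") or {}
        if csi.get("volumeHandle"):
            handles.add(csi["volumeHandle"])
    for vsc in json.loads(vsc_json).get("items", []):
        handle = (vsc.get("status") or {}).get("snapshotHandle")
        if handle:
            handles.add(handle)
    return handles

def orphaned_keys(vault_keys, pv_json, vsc_json):
    """Vault key names shaped like CSI handles that no live object references."""
    live = live_handles(pv_json, vsc_json)
    # Keys that do not look like CSI handles are skipped, so unrelated
    # secrets stored under the same path are never reported for deletion.
    return sorted(k for k in vault_keys if HANDLE_RE.match(k) and k not in live)

PREFIX = "0001-0011-openshift-storage-0000000000000001-"
PARENT = PREFIX + "089e2dae-a682-11eb-82a5-0a580a810216"
SNAPSHOT = PREFIX + "63f8d2aa-a682-11eb-82a5-0a580a810216"

# Constructed sample input: the parent PV still exists, the volumesnapshot
# has been deleted, and both keys are still present in Vault.
PV_JSON = json.dumps({"items": [{"spec": {"csi": {"volumeHandle": PARENT}}}]})
VSC_JSON = json.dumps({"items": []})
VAULT_KEYS = [PARENT, SNAPSHOT, "unrelated-app-secret"]

if __name__ == "__main__":
    for key in orphaned_keys(VAULT_KEYS, PV_JSON, VSC_JSON):
        print("orphaned key:", key)
```
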
Upstream PR is in review queue: https://github.com/ceph/ceph-csi/pull/2021
Backport for release-3.3 has been merged: https://github.com/ceph/ceph-csi/pull/2040 This can now be synced in the https://github.com/openshift/ceph-csi downstream fork.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Red Hat OpenShift Container Storage 4.8.0 container images bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:3003