Description of problem (please be detailed as possible and provide log snippests): When configuring PV encryption with an external kms, 2 types (encryptionKMSType) are available - vaulttokens and vault. When using the "vault" encryption KMS type the follow error is returned: invalid encryption kms configuration: unknown encryption KMS type The "vault" encryption KMS type should be available. https://github.com/openshift/ceph-csi/blob/release-4.7/internal/util/crypto.go#L166 Version of all relevant components (if applicable): ODF 4.7.x Does this issue impact your ability to continue to work with the product (please explain in detail what is the user impact)? Yes, serviceaccount authentication to an external Vault kms is broken. Is there any workaround available to the best of your knowledge? No Rate from 1 - 5 the complexity of the scenario you performed that caused this bug (1 - very simple, 5 - very complex)? 5 Can this issue reproducible? Yes Can this issue reproduce from the UI? Yes If this is a regression, please provide more details to justify this: Steps to Reproduce: 1. https://github.com/ceph/ceph-csi/blob/devel/docs/design/proposals/encrypted-pvc.md 2. https://github.com/ceph/ceph-csi/blob/devel/examples/kms/vault/csi-kms-connection-details.yaml 3. Create a storageclass with encryption enabled 4. Create PVC using the encrypted storage class 5. Watch for errors Actual results: PVC is pending with error: invalid encryption kms configuration: unknown encryption KMS type Expected results: Bound PVC Additional info:
*** Bug 1974806 has been marked as a duplicate of this bug. ***
*** Bug 1974802 has been marked as a duplicate of this bug. ***
AFAIU, we don't need this fix in 4.8 So once we verify the same, this issue can be closed, reducing the priority.
(In reply to Mudit Agarwal from comment #5) > AFAIU, we don't need this fix in 4.8 > So once we verify the same, this issue can be closed, reducing the priority. Indeed, everything is expected to work the same on 4.8 as on 4.7.2. Some (regression) testing might be appropriate though.
This BZ doesn't require any fix as mentioned by Niels in https://bugzilla.redhat.com/show_bug.cgi?id=1974800#c6 We need to check if things work fine plus regression. Moving it to ON_QA
Tested with Vault v1.7.3+ent. Procedure documented in ocs-training. (https://red-hat-storage.github.io/ocs-training/training/ocs4/ocs4-encryption.html#_granular_persistentvolume_at_rest_encryption_without_cluster_wide_encryption_kubernetes_auth_method_serviceaccounts)