Bug 1974800 - Error for PV encryption using encryptionKMSType "vault"
Summary: Error for PV encryption using encryptionKMSType "vault"
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat OpenShift Container Storage
Classification: Red Hat Storage
Component: csi-driver
Version: 4.7
Hardware: All
OS: All
unspecified
high
Target Milestone: ---
: OCS 4.8.0
Assignee: Niels de Vos
QA Contact: Rachael
URL:
Whiteboard:
: 1974802 1974806
Depends On:
Blocks: 1974816
Reported: 2021-06-22 15:06 UTC by mdipalma
Modified: 2023-08-03 08:31 UTC

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 1974816
Environment:
Last Closed:
Embargoed:


Description mdipalma 2021-06-22 15:06:27 UTC
Description of problem (please be detailed as possible and provide log
snippets):
When configuring PV encryption with an external kms, 2 types (encryptionKMSType) are available - vaulttokens and vault. When using the "vault" encryption KMS type the following error is returned:

invalid encryption kms configuration: unknown encryption KMS type

The "vault" encryption KMS type should be available. https://github.com/openshift/ceph-csi/blob/release-4.7/internal/util/crypto.go#L166


Version of all relevant components (if applicable):
ODF 4.7.x

Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?
Yes, serviceaccount authentication to an external Vault kms is broken.

Is there any workaround available to the best of your knowledge?
No

Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?
5 

Is this issue reproducible?
Yes

Can this issue reproduce from the UI?
Yes

If this is a regression, please provide more details to justify this:


Steps to Reproduce:
1. https://github.com/ceph/ceph-csi/blob/devel/docs/design/proposals/encrypted-pvc.md
2. https://github.com/ceph/ceph-csi/blob/devel/examples/kms/vault/csi-kms-connection-details.yaml
3. Create a storageclass with encryption enabled 
4. Create PVC using the encrypted storage class
5. Watch for errors

Actual results:
PVC is pending with error: invalid encryption kms configuration: unknown encryption KMS type

Expected results:
Bound PVC

Additional info:

Comment 3 Eran Tamir 2021-06-22 15:31:38 UTC
*** Bug 1974806 has been marked as a duplicate of this bug. ***

Comment 4 Eran Tamir 2021-06-22 15:31:57 UTC
*** Bug 1974802 has been marked as a duplicate of this bug. ***

Comment 5 Mudit Agarwal 2021-06-24 13:48:51 UTC
AFAIU, we don't need this fix in 4.8
So once we verify the same, this issue can be closed, reducing the priority.

Comment 6 Niels de Vos 2021-06-24 14:26:12 UTC
(In reply to Mudit Agarwal from comment #5)
> AFAIU, we don't need this fix in 4.8
> So once we verify the same, this issue can be closed, reducing the priority.

Indeed, everything is expected to work the same on 4.8 as on 4.7.2. Some (regression) testing might be appropriate though.

Comment 9 Mudit Agarwal 2021-07-06 14:41:41 UTC
This BZ doesn't require any fix as mentioned by Niels in https://bugzilla.redhat.com/show_bug.cgi?id=1974800#c6
We need to check if things work fine plus regression.

Moving it to ON_QA