Description of problem (please be detailed as possible and provide log snippets): With OCS 4.7.2 (https://bugzilla.redhat.com/show_bug.cgi?id=1970583) and OCS 4.8 (https://bugzilla.redhat.com/show_bug.cgi?id=1936858), the kv-v2 secret engine API is now supported for cluster-wide encryption with KMS. In order to successfully deploy a cluster in this case, the VAULT_BACKEND parameter has to be set to v2 in the ocs-kms-connection-details configmap. $ oc get cm ocs-kms-connection-details -o yaml apiVersion: v1 data: KMS_PROVIDER: vault KMS_SERVICE_NAME: vault VAULT_ADDR: https://vault.qe.rh-ocs.com:8200 VAULT_BACKEND: v2 VAULT_BACKEND_PATH: test-kv2 VAULT_CACERT: ocs-kms-ca-secret-znu27r VAULT_CLIENT_CERT: ocs-kms-client-cert-7od4d VAULT_CLIENT_KEY: ocs-kms-client-key-8obbs VAULT_NAMESPACE: ocs VAULT_TLS_SERVER_NAME: vault.qe.rh-ocs.com This is currently done by editing the configmap once it is created during the storagecluster creation. It would be good to have an option in the UI, which will allow the user to set this parameter while configuring the vault details in the storagecluster creation page, instead of having to edit it in the configmap directly. Version of all relevant components (if applicable): OCP: 4.8.0-0.nightly-2021-06-19-005119 OCS: ocs-operator.v4.8.0-424.ci Does this issue impact your ability to continue to work with the product (please explain in detail what is the user impact)? Yes, without the UI option available, the deployment would not succeed in such a case unless the configmap is not edited manually. Is there any workaround available to the best of your knowledge? Yes, edit the ocs-kms-connection-details configmap to add the parameter Rate from 1 - 5 the complexity of the scenario you performed that caused this bug (1 - very simple, 5 - very complex)? 3 Can this issue reproducible? Yes Can this issue reproduce from the UI? Yes If this is a regression, please provide more details to justify this: No Steps to Reproduce: Steps to Reproduce: 1. Create a backend path in Vault with kv-v2 $ vault secrets enable -path=test-kv2 kv-v2 Success! Enabled the kv-v2 secrets engine at: test-kv2/ 2. Enter the path created above when deploying OCS with cluster wide encryption using KMS enabled in UI 3. Check the status of the OSD pods Actual results: The OSD pods don't come up and fail with the following error, since the VAULT_BACKEND parameter is not set to v2: $ oc logs rook-ceph-osd-0-54f9f6c6c-hrnw2 -c encryption-kms-get-kek ["Invalid path for a versioned K/V secrets engine. See the API docs for the appropriate API endpoints to use. If using the Vault CLI, use 'vault kv get' for this operation."] Expected results: The UI should have an option to set VAULT_BACKEND value, to avoid deployment failure
No RFE in 4.8 atm.
Rfe, reducing the severity to medium
As per the discussion: https://chat.google.com/room/AAAA2G9_Elw/MMbfZrj_Vos moving the BZ to rook component. Targeting for 4.9
part of https://github.com/red-hat-storage/rook/pull/17
Thanks Rachael, the problem is "VAULT_SECRET_ENGINE" set to transit and not "kv". Jiffin, do you know why this is set this way? IIRC, the transit should be part of the object store kms connection details, NOT part of the cephcluster KMS connection details. Is this a UI bug?
@Rachael in the meantime, can you force "VAULT_SECRET_ENGINE" to "kv" to validate the auto detection works? Thanks!
AFAIR OCS-Op sets secret engines differently for OSD encryption and for RGW, IMO most likely a bug there. Looping Pranshu who worked on the OCS-Op related changes
The latest PR needs to be backported to 4.9
https://github.com/red-hat-storage/rook/pull/303
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Red Hat OpenShift Data Foundation 4.9.0 enhancement, security, and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:5086