Bug 1975323 - [KMS] Keys for OSDs in vault are not deleted during uninstall when kv-v2 is used
Summary: [KMS] Keys for OSDs in vault are not deleted during uninstall when kv-v2 is used
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat OpenShift Data Foundation
Classification: Red Hat Storage
Component: rook
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: Sébastien Han
QA Contact: Shay Rozen
URL:
Whiteboard:
Depends On:
Blocks: 1966894 1993801
Reported: 2021-06-23 12:23 UTC by Rachael
Modified: 2023-08-09 17:03 UTC (History)
CC: 10 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
.Keys for OSDs in the Vault are not deleted during uninstall when `kv-v2` is used
Key encryption key data is soft-deleted from Vault during cluster deletion when the Vault K/V secrets engine is version 2. This means any version of the key can still be retrieved, so the deletion can be undone. The metadata is still visible, so the key can be restored. If this is causing inconvenience, the key can still be deleted manually using the vault command with the "destroy" argument.
Clone Of:
Clones: 1993801 2015088
Environment:
Last Closed: 2021-10-18 11:31:32 UTC
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Github libopenstorage secrets pull 55 0 None open vault: add support for complete key deletion in kv v2 2021-06-28 08:36:07 UTC
Github red-hat-data-services rook pull 7 0 None closed Resync release-4.9 with Rook master for BZ 1975272 2021-07-12 15:42:11 UTC
Github rook rook pull 8288 0 None open ceph: destroy all vault keys on kv version 2 2021-07-09 09:09:05 UTC

Description Rachael 2021-06-23 12:23:14 UTC
Description of problem (please be detailed as possible and provide log
snippets):

In OCS 4.8, when a cluster deployed with cluster-wide encryption using KMS and kv-v2 as the secret engine is uninstalled, the keys created in vault for the OSDs are not deleted.

Before uninstall:
=================

$ oc get pvc |grep deviceset
ocs-deviceset-thin-0-data-0m27q8   Bound    pvc-8422bf20-677b-43d3-905d-10468f87ac40   512Gi      RWO            thin                          95m
ocs-deviceset-thin-1-data-0sq227   Bound    pvc-ac1ecb3f-cfb6-42f0-bc3f-5d1052af0987   512Gi      RWO            thin                          95m
ocs-deviceset-thin-2-data-0xzszb   Bound    pvc-755ea6d9-0fc8-4409-b210-a6a2962c0389   512Gi      RWO            thin                          95m


$ vault kv list kv-v2
Keys
----
NOOBAA_ROOT_SECRET_PATH/
rook-ceph-osd-encryption-key-ocs-deviceset-thin-0-data-0m27q8
rook-ceph-osd-encryption-key-ocs-deviceset-thin-1-data-0sq227
rook-ceph-osd-encryption-key-ocs-deviceset-thin-2-data-0xzszb

After uninstall:
================

$ oc get pvc
No resources found in openshift-storage namespace.

$ oc get pv
No resources found

$ vault kv list kv-v2
Keys
----
NOOBAA_ROOT_SECRET_PATH/
rook-ceph-osd-encryption-key-ocs-deviceset-thin-0-data-0m27q8
rook-ceph-osd-encryption-key-ocs-deviceset-thin-1-data-0sq227
rook-ceph-osd-encryption-key-ocs-deviceset-thin-2-data-0xzszb


Version of all relevant components (if applicable):
OCP: 4.8.0-0.nightly-2021-06-19-005119
OCS: ocs-operator.v4.8.0-424.ci

Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?
No

Is there any workaround available to the best of your knowledge?
Yes, deleting the metadata from vault after the uninstall deletes the keys.

$ vault kv get kv-v2/rook-ceph-osd-encryption-key-ocs-deviceset-thin-0-data-0m27q8
====== Metadata ======
Key              Value
---              -----
created_time     2021-06-23T10:06:30.650103555Z
deletion_time    2021-06-23T11:46:35.045328495Z
destroyed        false
version          1

$ vault kv metadata delete kv-v2/rook-ceph-osd-encryption-key-ocs-deviceset-thin-0-data-0m27q8
Success! Data deleted (if it existed) at: kv-v2/metadata/rook-ceph-osd-encryption-key-ocs-deviceset-thin-0-data-0m27q8

$ vault kv list kv-v2
Keys
----
NOOBAA_ROOT_SECRET_PATH/
rook-ceph-osd-encryption-key-ocs-deviceset-thin-1-data-0sq227
rook-ceph-osd-encryption-key-ocs-deviceset-thin-2-data-0xzszb

Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?
2

Can this issue be reproduced?
Yes

Can this issue be reproduced from the UI?


If this is a regression, please provide more details to justify this:
No

Steps to Reproduce:
Follow the steps here: https://access.redhat.com/documentation/en-us/red_hat_openshift_container_storage/4.8/html-single/deploying_openshift_container_storage_on_vmware_vsphere/index?lb_target=preview#assembly_uninstalling-openshift-container-storage_rhocs


Actual results:
The keys in vault are not deleted after uninstall

Expected results:
The keys should be deleted.
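The workaround above removes the metadata by hand, and the doc text points at the `destroy` argument. The script below is an added example, not code from the bug report or from Rook: it classifies the state of a kv-v2 key after an uninstall (live, soft-deleted, destroyed, or absent) by parsing the same `vault kv get` output shown above, and purges a key the way the doc text suggests, destroying the current version and then deleting the metadata so no version can be undeleted. It assumes a logged-in `vault` CLI; the `$VAULT` indirection, the function names and the sample paths are my own.

```shell
#!/bin/sh
# Added example (not from the bug report or Rook): inspect the deletion state of a
# Vault kv-v2 secret and remove it for good. Assumes a logged-in `vault` CLI; the
# CLI is reached through $VAULT so a stub can stand in when testing offline.
: "${VAULT:=vault}"

# kv_field NAME
# Print the value of one metadata field (deletion_time, destroyed, version)
# from `vault kv get` output passed on stdin.
kv_field() {
    awk -v f="$1" '$1 == f { print $2; exit }'
}

# kv_state MOUNT/PATH
# Prints one of:
#   live         data is still readable
#   soft-deleted deletion_time is set but destroyed=false; the version can be
#                brought back with `vault kv undelete` (the situation in this bug)
#   destroyed    version data is gone for good, metadata still listed
#   absent       no metadata at all, the key is fully removed
kv_state() {
    out=$("$VAULT" kv get "$1" 2>/dev/null) || { echo absent; return 0; }
    del=$(printf '%s\n' "$out" | kv_field deletion_time)
    if [ "$(printf '%s\n' "$out" | kv_field destroyed)" = "true" ]; then
        echo destroyed
    elif [ -n "$del" ] && [ "$del" != "n/a" ]; then
        echo soft-deleted
    else
        echo live
    fi
}

# kv_purge MOUNT/PATH
# Permanently destroy the current version's data, then delete the metadata,
# which removes every remaining version and makes the key unrecoverable.
kv_purge() {
    ver=$("$VAULT" kv get "$1" 2>/dev/null | kv_field version)
    [ -n "$ver" ] && "$VAULT" kv destroy -versions="$ver" "$1" >/dev/null
    "$VAULT" kv metadata delete "$1" >/dev/null
}

# Stand-alone usage: report the state of each path given on the command line,
# e.g. kv-v2/rook-ceph-osd-encryption-key-ocs-deviceset-thin-0-data-0m27q8
if [ $# -gt 0 ]; then
    for p in "$@"; do
        printf '%s: %s\n' "$p" "$(kv_state "$p")"
    done
fi
```

Run `kv_state` over every `rook-ceph-osd-encryption-key-*` entry that `vault kv list` still shows after the uninstall: anything reported as `soft-deleted` is still recoverable and is what this bug is about; only `absent` (or `destroyed`) means the key material is gone.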

Comment 2 Mudit Agarwal 2021-06-23 14:48:45 UTC
Requires doc text as a known issue

Comment 3 Sébastien Han 2021-06-23 15:27:18 UTC
Rachael, can we get a must-gather or simply the rook-ceph-operator logs to understand a bit more what is going on here?
Thanks!

Comment 5 Sébastien Han 2021-06-24 09:06:15 UTC
The bug is not only affecting kv v2 but also v1.
The bug is not experienced when the PVC reclaim policy is Retain.

Comment 6 Sébastien Han 2021-06-24 09:59:59 UTC
(In reply to Sébastien Han from comment #5)
> The bug is not only affecting kv v2 but also v1.
> The bug is not experienced when the PVC reclaim policy is Retain.

**Disregard this comment**. I mixed things up, I'm still looking.

Comment 7 Sébastien Han 2021-06-24 13:20:35 UTC
Ok after some local debugging there is no bug per se.
What we see is the remaining metadata but if you inspect the Secret, you won't see any data, for instance:

BEFORE DELETION:

runner@fv-az72-598:~/work/rook/rook$ kubectl exec -ti vault-0 -- vault kv get -ca-cert /vault/userconfig/vault-server-tls/vault.crt rook/ver2/mybucketkey
====== Metadata ======
Key              Value
---              -----
created_time     2021-06-24T10:20:52.07073694Z
deletion_time    n/a
destroyed        false
version          1

=== Data ===
Key    Value
---    -----
key    IdCRBZ+sAA7D87dqUO6F+Hn7MQ24SDhb4lnTqB7QNf4=


AFTER DELETION:
runner@fv-az72-598:~/work/rook/rook$ kubectl exec -ti vault-0 -- vault kv get -ca-cert /vault/userconfig/vault-server-tls/vault.crt rook/ver2/mybucketkey
====== Metadata ======
Key              Value
---              -----
created_time     2021-06-24T12:33:02.669280958Z
deletion_time    2021-06-24T12:40:46.483734597Z
destroyed        false
version          1

Do not get confused: "version 1" is the version number of the key, the revision if you will.

Updated the doc text too.
I'm moving this to MODIFIED since I believe the doc text is sufficient.

Comment 8 Sébastien Han 2021-06-24 13:40:42 UTC
Moving back to ASSIGNED for an eng fix, we also need a clone for the Doc I suppose?

Comment 9 Sébastien Han 2021-06-24 14:36:02 UTC
Ok final info on this one, the key is not deleted, it's a soft delete that can be undone.

Comment 16 Shay Rozen 2021-08-22 20:39:54 UTC
The docs are verified but I don't think it needs to be in known issues but in some release notes. It's not so bad :)
@olakra @muagarwa @

Comment 17 Sébastien Han 2021-08-23 13:30:58 UTC
Agreed, that sounds good as a release note item. It's by-design so not really a known issue, depending on how you define "issue" though :)

Comment 18 Mudit Agarwal 2021-08-26 05:18:29 UTC
Known issues are put into release notes, so I am a little confused here.
Do you want to include this in documentation or just release notes?

Comment 19 Shay Rozen 2021-08-30 08:13:58 UTC
But we understand that it is not an issue but by design so isn't there any other place to put this information?
Maybe add it as a note in uninstall instructions? @muagarwa

Comment 25 Shay Rozen 2021-10-18 11:31:32 UTC
Duplicated this BZ for documentation and closing it as not a bug.
