1992945 – Vault config does not get updated during SC creation, if csi-kms-connection-details has custom KMS ID

Bug 1992945 - Vault config does not get updated during SC creation, if csi-kms-connection-details has custom KMS ID

Summary: Vault config does not get updated during SC creation, if csi-kms-connection-d...

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat OpenShift Data Foundation
Classification:	Red Hat Storage
Component:	management-console
Sub Component:
Version:	4.8
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Target Release:	---
Assignee:	gowtham
QA Contact:	Elad
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-08-12 05:49 UTC by Rachael
Modified:	2023-08-09 16:46 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-08-27 09:22:35 UTC
Embargoed:

Attachments	(Terms of Use)
Screen recording of storageclass creation (13.99 MB, video/webm) 2021-08-12 05:49 UTC, Rachael	no flags	Details
View All

Description Rachael 2021-08-12 05:49:59 UTC

Created attachment 1813321 [details]
Screen recording of storageclass creation

Description of problem (please be detailed as possible and provide log
snippets):
During Storage class creation using RBD provisioner, the vault config or connection details can be modified in the storageclass creation page for encryption enabled SCs. 

However, when there is a custom KMS ID, for eg: "test-vault" instead of "1-vault", "2-vault" and so on, changing the vault connection details in the SC creation page does not get reflected in the UI and the newly created SC uses the old encryptionKMSID instead of the new one. 

The csi-kms-connection-details configmap gets updated, but the SC does not use the newly updated KMSID.

Version of all relevant components (if applicable):
OCP: 4.8.0-0.nightly-2021-08-09-135211
OCS: ocs-operator.v4.8.0

Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?
Yes, since the newly created SC does not use the updated vault config

Is there any workaround available to the best of your knowledge?
Not that I am aware of. Editing the parameters of an SC is not allowed afaik.

Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?
2

Can this issue reproducible?
Yes

Can this issue reproduce from the UI?
Yes

If this is a regression, please provide more details to justify this:
No

Steps to Reproduce:
1. Create an encryption enabled RBD storageclass and provide the vault config.
2. Under workloads -> configmap in the openshift-storage namespace, click on csi-kms-connection-details and go to the YAML tab. The output should look similar to this:

kind: ConfigMap
apiVersion: v1
metadata:
  name: csi-kms-connection-details
  namespace: openshift-storage
[...]
data:
  1-vault: >-
    {"KMS_PROVIDER":"vaulttokens","KMS_SERVICE_NAME":"vault","VAULT_ADDR":"https://vault.qe.rh-ocs.com:8200","VAULT_BACKEND_PATH":"rbd-encryption","VAULT_TLS_SERVER_NAME":"","VAULT_NAMESPACE":"ocs/rbd","VAULT_TOKEN_NAME":"ocs-kms-token","VAULT_CACERT_FILE":"","VAULT_CLIENT_CERT_FILE":"","VAULT_CLIENT_KEY_FILE":""}

3. Create another encryption enabled RBD SC and change the vault config in the SC creation page by clicking on "Change connection details" in the Connection details section

4. The csi-kms-connection-details configmap should now look like:

kind: ConfigMap
apiVersion: v1
metadata:
  name: csi-kms-connection-details
  namespace: openshift-storage
[...]
data:
  1-vault: >-
    {"KMS_PROVIDER":"vaulttokens","KMS_SERVICE_NAME":"vault","VAULT_ADDR":"https://vault.qe.rh-ocs.com:8200","VAULT_BACKEND_PATH":"rbd-encryption","VAULT_TLS_SERVER_NAME":"","VAULT_NAMESPACE":"ocs/rbd","VAULT_TOKEN_NAME":"ocs-kms-token","VAULT_CACERT_FILE":"","VAULT_CLIENT_CERT_FILE":"","VAULT_CLIENT_KEY_FILE":""}
  2-vault: >-
    {"KMS_PROVIDER":"vaulttokens","KMS_SERVICE_NAME":"vault","VAULT_ADDR":"https://vault.qe.rh-ocs.in:8201","VAULT_BACKEND_PATH":"rbd-encryption2","VAULT_TLS_SERVER_NAME":"","VAULT_NAMESPACE":"rbd-encryption","VAULT_TOKEN_NAME":"ocs-kms-token","VAULT_CACERT_FILE":"","VAULT_CLIENT_CERT_FILE":"","VAULT_CLIENT_KEY_FILE":""}
  
5. Edit the configmap above, by adding a new KMSID with a custom name under the data section as shown below and click on save

kind: ConfigMap
apiVersion: v1
metadata:
  name: csi-kms-connection-details
  namespace: openshift-storage
[...]
data:
  1-vault: >-
    {"KMS_PROVIDER":"vaulttokens","KMS_SERVICE_NAME":"vault","VAULT_ADDR":"https://vault.qe.rh-ocs.com:8200","VAULT_BACKEND_PATH":"rbd-encryption","VAULT_TLS_SERVER_NAME":"","VAULT_NAMESPACE":"ocs/rbd","VAULT_TOKEN_NAME":"ocs-kms-token","VAULT_CACERT_FILE":"","VAULT_CLIENT_CERT_FILE":"","VAULT_CLIENT_KEY_FILE":""}
  2-vault-2: >-
    {"KMS_PROVIDER":"vaulttokens","KMS_SERVICE_NAME":"vault-2","VAULT_ADDR":"https://vault.qe.rh-ocs.in:8201","VAULT_BACKEND_PATH":"rbd-encryption2","VAULT_TLS_SERVER_NAME":"","VAULT_NAMESPACE":"rbd-encryption","VAULT_TOKEN_NAME":"ocs-kms-token","VAULT_CACERT_FILE":"","VAULT_CLIENT_CERT_FILE":"","VAULT_CLIENT_KEY_FILE":""}
  test-vault: >-
    {"KMS_PROVIDER":"vaulttokens","KMS_SERVICE_NAME":"vault-3","VAULT_ADDR":"https://vault.qe.rh-ocs.in:8203","VAULT_BACKEND_PATH":"rbd","VAULT_TLS_SERVER_NAME":"","VAULT_NAMESPACE":"test-namespace","VAULT_TOKEN_NAME":"ocs-kms-token","VAULT_CACERT_FILE":"","VAULT_CLIENT_CERT_FILE":"","VAULT_CLIENT_KEY_FILE":""}

6. In the storageclass creation page, create a new encryption enabled RBD SC. In the Connection details section, edit the vault config by clicking on "Change connection details" and click on Save

7. Check if the connection details displayed is updated with the new values

Actual results:
The Connection details does not get updated with the new values. On creating the SC, it uses the old encryptionKMSID, even though the csi-kms-connection-details configmap has a new KMSID entry with the updated vault config.

kind: ConfigMap
apiVersion: v1
metadata:
  name: csi-kms-connection-details
  namespace: openshift-storage
[...]
data:
  1-vault: >-
    {"KMS_PROVIDER":"vaulttokens","KMS_SERVICE_NAME":"vault","VAULT_ADDR":"https://vault.qe.rh-ocs.com:8200","VAULT_BACKEND_PATH":"rbd-encryption","VAULT_TLS_SERVER_NAME":"","VAULT_NAMESPACE":"ocs/rbd","VAULT_TOKEN_NAME":"ocs-kms-token","VAULT_CACERT_FILE":"","VAULT_CLIENT_CERT_FILE":"","VAULT_CLIENT_KEY_FILE":""}
  2-vault-2: >-
    {"KMS_PROVIDER":"vaulttokens","KMS_SERVICE_NAME":"vault-2","VAULT_ADDR":"https://vault.qe.rh-ocs.in:8201","VAULT_BACKEND_PATH":"rbd-encryption2","VAULT_TLS_SERVER_NAME":"","VAULT_NAMESPACE":"rbd-encryption","VAULT_TOKEN_NAME":"ocs-kms-token","VAULT_CACERT_FILE":"","VAULT_CLIENT_CERT_FILE":"","VAULT_CLIENT_KEY_FILE":""}
  4-vault: >-
    {"KMS_PROVIDER":"vaulttokens","KMS_SERVICE_NAME":"vault","VAULT_ADDR":"https://vault.qe.rh-ocs.com:8200","VAULT_BACKEND_PATH":"kv-v2","VAULT_TLS_SERVER_NAME":"","VAULT_NAMESPACE":"kv-v2","VAULT_TOKEN_NAME":"ocs-kms-token","VAULT_CACERT_FILE":"","VAULT_CLIENT_CERT_FILE":"","VAULT_CLIENT_KEY_FILE":""}
  5-vault: >-
    {"KMS_PROVIDER":"vaulttokens","KMS_SERVICE_NAME":"vault","VAULT_ADDR":"https://vault.qe.rh-ocs.com:8200","VAULT_BACKEND_PATH":"kv-v2","VAULT_TLS_SERVER_NAME":"","VAULT_NAMESPACE":"kv-v2","VAULT_TOKEN_NAME":"ocs-kms-token","VAULT_CACERT_FILE":"","VAULT_CLIENT_CERT_FILE":"","VAULT_CLIENT_KEY_FILE":""}
  test-vault: >-
    {"KMS_PROVIDER":"vaulttokens","KMS_SERVICE_NAME":"vault-3","VAULT_ADDR":"https://vault.qe.rh-ocs.in:8203","VAULT_BACKEND_PATH":"rbd","VAULT_TLS_SERVER_NAME":"","VAULT_NAMESPACE":"test-namespace","VAULT_TOKEN_NAME":"ocs-kms-token","VAULT_CACERT_FILE":"","VAULT_CLIENT_CERT_FILE":"","VAULT_CLIENT_KEY_FILE":""}

$ oc get sc test-pv-encryption-3 -o yaml
allowVolumeExpansion: false
apiVersion: storage.k8s.io/v1
kind: StorageClass
[...]
parameters:
  clusterID: openshift-storage
  csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
  csi.storage.k8s.io/controller-expand-secret-namespace: openshift-storage
  csi.storage.k8s.io/fstype: ext4
  csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
  csi.storage.k8s.io/node-stage-secret-namespace: openshift-storage
  csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
  csi.storage.k8s.io/provisioner-secret-namespace: openshift-storage
  encrypted: "true"
  encryptionKMSID: test-vault
  imageFeatures: layering
  imageFormat: "2"
  pool: ocs-storagecluster-cephblockpool
provisioner: openshift-storage.rbd.csi.ceph.com
reclaimPolicy: Delete
volumeBindingMode: Immediate

Expected results:
The new SC should use the updated vault connection details (encryptionKMSID) that was provided during the SC creation

Additional info: Screen recording with the reproducer steps has been attached

Comment 3 Sanjal Katiyar 2021-08-16 15:33:03 UTC

Just FYI, from the UI side:
Some KMS related issues have been resolved for OCP 4.9 (https://bugzilla.redhat.com/show_bug.cgi?id=1969965 & https://bugzilla.redhat.com/show_bug.cgi?id=1969989). And this OCP 4.9 fix can solve this BZ(#1992945) as well (In case we are targeting this for OCP 4.9 ?)
Please refer https://github.com/openshift/console/pull/9409 to see the attached screenshots. We have added a dropdown now if there are multiple KMS connections.

For OCP 4.8 depending upon how things are implemented from the UI, if you will create a subsequent connection from the UI itself you will not face this issue, but, you are creating the subsequent connections patching the yaml directly this why it is happening (cause it is affecting the sorted order of the configMap we are polling, and for current 4.8 implementation we always pick the last element of the configMap).

Note You need to log in before you can comment on or make changes to this bug.