Bug 2044288 - [KMS] allowVolumeExpansion should be set to False for encrypted SC created during deployment
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenShift Data Foundation
Classification: Red Hat Storage
Component: ocs-operator
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: ODF 4.10.0
Assignee: afrahman
QA Contact: Rachael
Reported: 2022-01-24 11:19 UTC by Rachael
Modified: 2023-08-09 17:00 UTC (History)

Fixed In Version: 4.10.0-171
Doc Type: No Doc Update
Last Closed: 2022-04-21 09:12:44 UTC
Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | red-hat-storage ocs-operator pull 1557 | 0 | None | open | Set allowVolumeExpansion to False for encrypted SC | 2022-02-24 12:01:55 UTC
Github | red-hat-storage ocs-operator pull 1559 | 0 | None | open | [review comment] Set allowVolumeExpansion to False for encrypted SC | 2022-02-24 15:21:48 UTC
Github | red-hat-storage ocs-operator pull 1560 | 0 | None | open | Bug 2044288: [release-4.10] Set allowVolumeExpansion to False for encrypted SC | 2022-02-24 15:37:08 UTC

Description Rachael 2022-01-24 11:19:46 UTC
Description of problem (please be as detailed as possible and provide log snippets):

In 4.10, when storageclass encryption is enabled during deployment, a new RBD storageclass is created with encryption enabled. This storageclass has allowVolumeExpansion set to True. Since we do not officially support PV resize of encrypted volumes in ODF 4.10, this value should be set to False.

$ oc get sc ocs-storagecluster-ceph-rbd-encrypted -o yaml
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  annotations:
    description: Provides RWO Filesystem volumes, and RWO and RWX Block volumes
  creationTimestamp: "2022-01-24T10:41:31Z"
  name: ocs-storagecluster-ceph-rbd-encrypted
  resourceVersion: "143491"
  uid: 0fe99640-3fd6-4b01-93dd-841f0305eb46
parameters:
  clusterID: openshift-storage
  csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
  csi.storage.k8s.io/controller-expand-secret-namespace: openshift-storage
  csi.storage.k8s.io/fstype: ext4
  csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
  csi.storage.k8s.io/node-stage-secret-namespace: openshift-storage
  csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
  csi.storage.k8s.io/provisioner-secret-namespace: openshift-storage
  encrypted: "true"
  encryptionKMSID: vault-sa
  imageFeatures: layering
  imageFormat: "2"
  pool: ocs-storagecluster-cephblockpool
provisioner: openshift-storage.rbd.csi.ceph.com
reclaimPolicy: Delete
volumeBindingMode: Immediate



Version of all relevant components (if applicable):
---------------------------------------------------

OCP: 4.10.0-0.nightly-2022-01-22-102609
ODF: odf-operator.v4.10.0      full_version=4.10.0-113


Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?

No 


Is there any workaround available to the best of your knowledge?
n/a

Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?
2

Is this issue reproducible?
Yes

Can this issue be reproduced from the UI?
Yes

If this is a regression, please provide more details to justify this:
No


Steps to Reproduce:
-------------------
1. Install the ODF Operator
2. Create a storagesystem
3. On the Security and network page, enable storageclass encryption and fill out the required KMS details and proceed with the deployment.
4. After the storagesystem creation is complete, check the list of storageclasses


Actual results:
---------------
The storageclass ocs-storagecluster-ceph-rbd-encrypted has allowVolumeExpansion set to True. 

$ oc get sc
NAME                                    PROVISIONER                             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
gp2 (default)                           kubernetes.io/aws-ebs                   Delete          WaitForFirstConsumer   true                   4h16m
gp2-csi                                 ebs.csi.aws.com                         Delete          WaitForFirstConsumer   true                   4h15m
gp3-csi                                 ebs.csi.aws.com                         Delete          WaitForFirstConsumer   true                   4h15m
ocs-storagecluster-ceph-rbd             openshift-storage.rbd.csi.ceph.com      Delete          Immediate              true                   6m29s
ocs-storagecluster-ceph-rbd-encrypted   openshift-storage.rbd.csi.ceph.com      Delete          Immediate              true                   6m29s


Expected results:
-----------------

Since PV resize of encrypted volume is not officially supported in ODF 4.10, this value should be set to False.
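
An added example, not part of the original report or of ocs-operator: a check that reads `oc get sc -o json` output and lists every StorageClass that sets encrypted: "true" while still allowing volume expansion, which is the condition reported above. The embedded sample is constructed, the class name example-encrypted-no-expand and the script name check_sc.py are hypothetical, and matching the encrypted value in any letter case is an assumption.

```python
import json
import sys

# Constructed sample shaped like `oc get sc -o json`, trimmed to the fields the
# check reads. The first two names come from the report; the third is hypothetical.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "ocs-storagecluster-ceph-rbd"},
     "provisioner": "openshift-storage.rbd.csi.ceph.com",
     "allowVolumeExpansion": True,
     "parameters": {"pool": "ocs-storagecluster-cephblockpool"}},
    {"metadata": {"name": "ocs-storagecluster-ceph-rbd-encrypted"},
     "provisioner": "openshift-storage.rbd.csi.ceph.com",
     "allowVolumeExpansion": True,
     "parameters": {"encrypted": "true", "encryptionKMSID": "vault-sa"}},
    {"metadata": {"name": "example-encrypted-no-expand"},
     "provisioner": "openshift-storage.rbd.csi.ceph.com",
     "parameters": {"encrypted": "true", "encryptionKMSID": "vault-sa"}},
]})


def is_encrypted(sc):
    """True when the class asks the CSI driver for an encrypted volume."""
    params = sc.get("parameters") or {}
    # Parameter values are strings; accepting any letter case is an assumption.
    return str(params.get("encrypted", "")).strip().lower() == "true"


def expandable_encrypted_classes(doc):
    """Return names of encrypted StorageClasses that still permit resize."""
    data = json.loads(doc)
    # Accept either a List object or a single StorageClass object.
    items = data["items"] if "items" in data else [data]
    findings = []
    for sc in items:
        # An absent allowVolumeExpansion field means expansion is not allowed.
        if is_encrypted(sc) and sc.get("allowVolumeExpansion") is True:
            findings.append(sc["metadata"]["name"])
    return sorted(findings)


if __name__ == "__main__":
    # Usage: oc get sc -o json | python3 check_sc.py   (no pipe: uses SAMPLE)
    doc = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    bad = expandable_encrypted_classes(doc)
    for name in bad:
        print(f"{name}: encrypted but allowVolumeExpansion is true")
    sys.exit(1 if bad else 0)
```

The script exits non-zero when it finds a match, so it can gate a post-deployment verification job.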

Comment 2 Martin Bukatovic 2022-02-01 17:41:36 UTC
Reproducer is clear, providing QE ack.

