Bug 2181446 - [KMS][UI] PVC provisioning failed in case of vault kubernetes authentication is configured.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenShift Data Foundation
Classification: Red Hat Storage
Component: management-console
Version: 4.13
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: ODF 4.13.0
Assignee: Debjyoti Pandit
QA Contact: Parag Kamble
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-03-24 06:46 UTC by Parag Kamble
Modified: 2023-08-09 16:46 UTC

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-06-21 15:25:01 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github red-hat-storage odf-console pull 742 0 None Merged added missing vault enterprise namespace to csi kms config map 2023-06-02 10:08:44 UTC
Github red-hat-storage odf-console pull 751 0 None Merged Bug 2181446: [release-4.13] added missing vault enterprise namespace to csi kms config map 2023-06-02 10:08:47 UTC
Github red-hat-storage odf-console pull 752 0 None Merged Bug 2181446: [release-4.13-compatibility] added missing vault enterprise namespace to csi kms config map 2023-06-02 10:08:49 UTC
Red Hat Product Errata RHBA-2023:3742 0 None None None 2023-06-21 15:25:26 UTC

Description Parag Kamble 2023-03-24 06:46:17 UTC
Created attachment 1953330 [details]
Configuring the encryption while creating SC

Description of problem (please be as detailed as possible and provide log
snippets):

On an ODF 4.13 cluster, while setting up a new StorageClass, encryption is enabled with the Vault Kubernetes auth method. In this case, PVC provisioning fails with the following error.

failed to provision volume with StorageClass "encrypt": rpc error: code = Internal desc = failed to setup encryption for image ocs-storagecluster-cephblockpool/csi-vol-807e9e27-bf0d-4eb6-a800-f746da57362d: failed to save the passphrase for 0001-0011-openshift-storage-0000000000000001-807e9e27-bf0d-4eb6-a800-f746da57362d: saving passphrase at 0001-0011-openshift-storage-0000000000000001-807e9e27-bf0d-4eb6-a800-f746da57362d request to vault failed: failed to put secret: backendPath=odf/, backendV2=false, namespace=, secretID=0001-0011-openshift-storage-0000000000000001-807e9e27-bf0d-4eb6-a800-f746da57362d: get auth token for namespace: Error making API request. URL: PUT https://<vault Enterprose instance>:8200/v1/auth/kubernetes/login Code: 403. Errors: * 1 error occurred: * permission denied

     

Version of all relevant components (if applicable):


Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?


Is there any workaround available to the best of your knowledge?


Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?


Is this issue reproducible?
Yes

Can this issue reproduce from the UI?
Yes

If this is a regression, please provide more details to justify this:


Steps to Reproduce:
1. Set up service accounts and the auth method for the intended namespace by following the steps mentioned in this link: https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.12/html/managing_and_allocating_storage_resources/storage-classes_rhodf#configuring-access-to-kms-using-vaulttenantsa_rhodf
2. [UI] Go to "Storage > StorageClasses".
3. [UI] Create StorageClass using "rbd" provisioner.
4. [UI] Opt for "Kubernetes" authentication method.
5. [UI] Create a PVC in the namespace configured in step 1.


Actual results:
PVC provisioning failed with the error mentioned in the description.


Expected results:

PVC provisioning should be successful.


Additional info:

While debugging this issue, I found that the 'vaultNamespace' value is not getting populated in the 'csi-kms-connection-details' ConfigMap. After adding that value manually to the ConfigMap, PVC provisioning is successful.

Comment 3 Sanjal Katiyar 2023-03-24 07:33:52 UTC
workaround is present... we can directly add one extra field to the ConfigMap from the CLI for un-blocking happy path testing (if blocked)...
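
A read-only check for the condition described in the report and in Comment 3, added here as an example (not code from odf-console or ceph-csi): it lists the Kubernetes-auth entries of 'csi-kms-connection-details' whose 'vaultNamespace' is absent or empty. The entry layout (one JSON string per connection, "encryptionKMSType" set to "vaulttenantsa") and every sample name and address are assumptions, and an empty namespace is only a defect where Vault Enterprise namespaces are in use.

```python
import json

# Constructed sample shaped like `oc get configmap csi-kms-connection-details -o json`.
# Assumption: each data value is a JSON string keyed by KMS connection name, and
# Kubernetes-auth entries carry "encryptionKMSType": "vaulttenantsa".
SAMPLE_CONFIGMAP = {
    "data": {
        "vault-k8s-broken": json.dumps({
            "encryptionKMSType": "vaulttenantsa",
            "vaultAddress": "https://vault.example.test:8200",
            "vaultBackendPath": "odf/",
        }),
        "vault-k8s-empty": json.dumps({"encryptionKMSType": "vaulttenantsa", "vaultNamespace": "  "}),
        "vault-k8s-ok": json.dumps({"encryptionKMSType": "vaulttenantsa", "vaultNamespace": "tenant-a"}),
        "vault-token": json.dumps({"encryptionKMSType": "vaulttokens"}),
        "corrupt": "{not json",
    },
}


def audit_vault_namespace(configmap):
    """Return (missing, unparsable): sorted lists of KMS connection names."""
    missing, unparsable = [], []
    for name, raw in sorted((configmap.get("data") or {}).items()):
        try:
            entry = json.loads(raw)
        except (TypeError, ValueError):
            entry = None
        if not isinstance(entry, dict):
            unparsable.append(name)  # report it instead of silently skipping
            continue
        if entry.get("encryptionKMSType") != "vaulttenantsa":
            continue  # only the Kubernetes-auth (tenant SA) entries are in scope
        namespace = entry.get("vaultNamespace")
        if not isinstance(namespace, str) or not namespace.strip():
            missing.append(name)  # matches the empty "namespace=" in the error above
    return missing, unparsable


if __name__ == "__main__":
    missing, unparsable = audit_vault_namespace(SAMPLE_CONFIGMAP)
    print("missing vaultNamespace:", missing)
    print("unparsable entries:", unparsable)
```

To run it against a cluster, load the JSON output of the ConfigMap with json.load and pass the resulting dict to audit_vault_namespace.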

Comment 15 errata-xmlrpc 2023-06-21 15:25:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenShift Data Foundation 4.13.0 enhancement and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:3742

