Bug 2265465 - 2 FIPS CLUSTERS - REGIONAL DR Granular PersistentVolume at-rest encryption Supportability
Keywords:
Status: NEW
Alias: None
Product: Red Hat OpenShift Data Foundation
Classification: Red Hat Storage
Component: documentation
Version: 4.14
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: ---
Assignee: Anjana Suparna Sriram
QA Contact: Neha Berry
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-02-22 06:10 UTC by Alexander
Modified: 2024-11-03 12:28 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-02-27 09:22:45 UTC
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OCSBZM-7819 0 None None None 2024-11-03 12:28:57 UTC

Description Alexander 2024-02-22 06:10:46 UTC
Description of problem (please be as detailed as possible and provide log
snippets):

Hub and secondary cluster are both on ODF 4.14

FIPS is enabled on both clusters

Regional DR was implemented and is working; tested failback and failover are both working fine. https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.13/html-single/configuring_openshift_data_foundation_disaster_recovery_for_openshift_workloads/index#regional-dr-deployment-workflow_rdr

Storage classes are encrypted using Granular PersistentVolume at-rest encryption without cluster-wide encryption. https://red-hat-storage.github.io/ocs-training/training/ocs4/ocs4-encryption.html#_granular_persistentvolume_at_rest_encryption_without_cluster_wide_encryption_kubernetes_auth_method_serviceaccounts


Could you please advise on the following scenario? 

FIPS is enabled on both clusters and there is a requirement for the encrypted PVs to be replicated without being decrypted. Could the ACM be configured to replicate without having to decrypt the PVs?
Would OADP be better suited for this?



Version of all relevant components (if applicable):

2 Clusters ODF 4.14
FIPS Enabled on both


Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?
This is currently a PoC and will be deployed for a customer this year. 

Is there any workaround available to the best of your knowledge?
N/A


Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)? N/A


Is this issue reproducible? Yes, Cu PoC


Can this issue be reproduced from the UI? N/A


If this is a regression, please provide more details to justify this:


Steps to Reproduce:
1. Enable FIPS on both clusters
2. https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.13/html-single/configuring_openshift_data_foundation_disaster_recovery_for_openshift_workloads/index#regional-dr-deployment-workflow_rdr
3.


Actual results: PVs are mirrored but they are decrypted and re-encrypted again 


Expected results:


Additional info:

