Description of problem (please be as detailed as possible and provide log snippets):

Rook has a bug related to encryption key rotation. The case is actually very hard to hit. When this particular bug is hit, the key rotation jobs will start to fail. There is no risk to OSD data.

```
While adding a new encryption key to slot 1 if there exists a key in slot 1 which is not equal to the one we want to update it with, we kill the slot and then add the new key to it. While killing the slot, the existing code uses the new key, which is not valid in such cases. This patch modifies the code to use the key in slot 0 (the one that we know works) to kill the slot.
```

Is there any workaround available to the best of your knowledge?
Manually delete fetch key from KMS and delete keyslot 1.

Rate from 1 - 5 the complexity of the scenario you performed that caused this bug (1 - very simple, 5 - very complex)?
5

Is this issue reproducible?
Very difficult to reproduce from manual deletion of key rotation jobs. The job has to be deleted right before a particular step, which is nearly impossible.

Can this issue reproduce from the UI?
No

If this is a regression, please provide more details to justify this:
Not a regression.

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
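
The failure mode in the commit message above, as an added illustration that is not Rook's code or part of the original report. It uses a toy in-memory model of a LUKS header and assumes that killing a key slot must be authorised by a passphrase that opens one of the remaining slots; `luksHeader`, `killSlot` and `rotateSlot1` are hypothetical names, and the keys are constructed sample values.

```go
package main

import "fmt"

// luksHeader is a toy model (assumption): slot number -> passphrase.
// Real LUKS keeps wrapped volume keys in its slots, not passphrases.
type luksHeader map[int]string

var errNoMatch = fmt.Errorf("no key available with this passphrase")

// unlocks reports whether pass opens any slot other than skip.
func (h luksHeader) unlocks(pass string, skip int) bool {
	for slot, p := range h {
		if slot != skip && p == pass {
			return true
		}
	}
	return false
}

// killSlot removes slot only when auth opens one of the remaining slots.
func (h luksHeader) killSlot(slot int, auth string) error {
	if !h.unlocks(auth, slot) {
		return errNoMatch
	}
	delete(h, slot)
	return nil
}

// rotateSlot1 puts newKey in slot 1, killing a stale key first. killAuth is
// what authorises the kill: newKey before the patch, slot 0's key after it.
func rotateSlot1(h luksHeader, slot0Key, newKey, killAuth string) error {
	if old, ok := h[1]; ok && old != newKey {
		if err := h.killSlot(1, killAuth); err != nil {
			return fmt.Errorf("kill slot 1: %w", err)
		}
	}
	if !h.unlocks(slot0Key, 1) { // adding a key also needs a working passphrase
		return errNoMatch
	}
	h[1] = newKey
	return nil
}

func main() {
	h := luksHeader{0: "current-key", 1: "stale-key"} // constructed state
	fmt.Println(rotateSlot1(h, "current-key", "new-key", "new-key"), h)
	fmt.Println(rotateSlot1(h, "current-key", "new-key", "current-key"), h)
}
```

The first call fails and leaves the stale key in slot 1, which is the state in which every later rotation job keeps failing; the second call, authorised with the slot 0 key, replaces it.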
Please update the RDT flag/text appropriately.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.16.0 security, enhancement & bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2024:4591