Details
-
Bug
-
Resolution: Done-Errata
-
Normal
-
4.15
-
No
-
Hypershift Sprint 246
-
1
-
False
-
-
-
Bug Fix
-
In Progress
Description
Description of problem:
AWS KMS on HyperShift makes use of two UNIX sockets via which the KMS plugins are run. Each unix socket should run connect to independent KMS instances i.e. with their own AWS ARNs. However, as of today both the active KMS socket as well as the backup KMS socket seem to be using the same ARN which essentially translates that the backup KMS instance never gets used.
Version-Release number of selected component (if applicable):
HyperShift - main branch (PR #423) GitHub indicates all the following hypershift versions would be affected. v0.1.15, v0.1.14, v0.1.13, v0.1.12, v0.1.11, v0.1.10, v0.1.9, v0.1.8, v0.1.7, v0.1.6, v0.1.5, v0.1.4, v0.1.3, v0.1.2, v0.1.1, v0.1.0, 2.0.0-20220406093220, 2.0.0-20220323110745, 2.0.0-20220319120001, 2.0.0-20220317155435
How reproducible:
Always
Steps to Reproduce:
1. By creating a HyperShift cluster 2. Checking if backup KMS instance was ever used
Actual results:
Active KMS instance's ARN is used even by the backup KMS socket
Expected results:
Backup KMS socket should use it's own backupKey.ARN
Additional info:
should use backupKey.ARN instead of activeKey.ARN in the func call
