- Bug
- Resolution: Done
- Normal
- 4.15
- Moderate
- No
- Hypershift Sprint 251, Hypershift Sprint 252, Hypershift Sprint 253, Hypershift Sprint 254
- 4
- False
Description of problem:
The hypershift operator introduced Azure customer-managed key etcd encryption in https://github.com/openshift/hypershift/pull/3183. The implementation will not work in any Azure cloud other than Azure Public Cloud, because the Key Vault URL is hardcoded to vault.azure.net (https://github.com/openshift/hypershift/blob/cd4d4c69a64d8983da04d7bb26ea39a72109e135/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go#L4871), which is only the public cloud Key Vault domain suffix. The cloud-specific Key Vault domain suffixes are listed here: https://learn.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#dns-suffixes-for-object-identifiers
Version-Release number of selected component (if applicable):
Since https://github.com/openshift/hypershift/pull/3183 was merged
How reproducible:
Every time
Steps to Reproduce:
1. 2. 3.
Actual results:
The Key Vault domain suffix is hardcoded to the public cloud value, so etcd encryption with customer-managed keys will not work on Azure Government cloud.
Expected results:
The Key Vault URL used to fetch the key should use the domain suffix of the cloud the cluster runs in, as outlined here: https://learn.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#dns-suffixes-for-object-identifiers
Additional info:
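Added example (not code from the hypershift project) contrasting the hardcoded public-cloud URL described above with a cloud-aware lookup. The suffix table is taken from the Microsoft DNS-suffix page linked in the description; the environment names (AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud) follow the go-autorest convention and are an assumption about what a hosted cluster's platform spec would carry. The vault-name check approximates Azure's naming rule (3-24 characters, letters, digits and hyphens) and is included because the name is interpolated into a hostname: a name containing a dot would otherwise redirect the key fetch to a different host.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// keyVaultSuffixes maps an Azure cloud environment name to the DNS suffix of
// its Key Vault service. Suffix values are from the Microsoft Key Vault
// documentation; the environment names are an assumption (go-autorest style).
var keyVaultSuffixes = map[string]string{
	"AzurePublicCloud":       "vault.azure.net",
	"AzureUSGovernmentCloud": "vault.usgovcloudapi.net",
	"AzureChinaCloud":        "vault.azure.cn",
	"AzureGermanCloud":       "vault.microsoftazure.de",
}

// vaultNameRE approximates Azure's Key Vault naming rule (assumption):
// 3-24 characters, starts with a letter, letters/digits/hyphens only,
// ends with a letter or digit. It rejects dots and slashes, so the name
// cannot change which host the URL points at.
var vaultNameRE = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$`)

// HardcodedKeyVaultURL reproduces the defect reported above: the public-cloud
// suffix is used regardless of which Azure cloud the cluster runs in.
func HardcodedKeyVaultURL(vaultName string) string {
	return fmt.Sprintf("https://%s.vault.azure.net/", vaultName)
}

// KeyVaultURL builds the vault base URL from the cloud environment name,
// failing closed on an unknown cloud or an invalid vault name rather than
// silently falling back to the public-cloud suffix.
func KeyVaultURL(cloud, vaultName string) (string, error) {
	if !vaultNameRE.MatchString(vaultName) {
		return "", fmt.Errorf("invalid key vault name %q", vaultName)
	}
	for name, suffix := range keyVaultSuffixes {
		if strings.EqualFold(name, cloud) {
			return fmt.Sprintf("https://%s.%s/", vaultName, suffix), nil
		}
	}
	return "", fmt.Errorf("unknown Azure cloud environment %q", cloud)
}

func main() {
	// Constructed sample input: a hosted cluster in Azure US Government.
	cloud, vault := "AzureUSGovernmentCloud", "etcd-kms"

	fmt.Println("hardcoded:", HardcodedKeyVaultURL(vault))
	if u, err := KeyVaultURL(cloud, vault); err != nil {
		fmt.Println("error:", err)
	} else {
		fmt.Println("cloud-aware:", u)
	}

	// Both failure modes are errors, not a fallback to vault.azure.net.
	if _, err := KeyVaultURL("AzureMoonCloud", vault); err != nil {
		fmt.Println("error:", err)
	}
	if _, err := KeyVaultURL(cloud, "evil.example.com"); err != nil {
		fmt.Println("error:", err)
	}
}
```

Running it shows the hardcoded form producing https://etcd-kms.vault.azure.net/ for a Government cluster, while the cloud-aware form yields https://etcd-kms.vault.usgovcloudapi.net/; an unrecognised cloud or a vault name with a dot in it is rejected instead of being quietly resolved against the public-cloud domain.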
- links to: RHEA-2024:0041 OpenShift Container Platform 4.16.z bug fix update