Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-31076

Hypershift Operator Keyvault for Azure Etcd Encryption is Hardcoded to Public Cloud

XMLWordPrintable

    • Moderate
    • No
    • Hypershift Sprint 251, Hypershift Sprint 252, Hypershift Sprint 253, Hypershift Sprint 254
    • 4
    • False
    • Hide

      None

      Show
      None

      Description of problem:

      The hypershift operator introduced Azure customer-managed keys etcd encryption in https://github.com/openshift/hypershift/pull/3183.  The implementation will not work in any non-Azure Public Cloud as the keyvault URL is hardcoded: https://github.com/openshift/hypershift/blob/cd4d4c69a64d8983da04d7bb26ea39a72109e135/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go#L4871 to vault.azure.net, which is only the public cloud keyvault domain suffix.  The cloud-specific keyvault domain suffixes are here: https://learn.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#dns-suffixes-for-object-identifiers
          

      Version-Release number of selected component (if applicable):

          Since https://github.com/openshift/hypershift/pull/3183 was merged

      How reproducible:

          Every time

      Steps to Reproduce:

          1. 
          2.
          3.
          

      Actual results:

          The keyvault domain is hardcoded to work specifically for public cloud, but will not for azure gov cloud when using etcd encryption with customer-managed keys

      Expected results:

          The keyvault domain to fetch from will use the correct cloud's domain suffix as outlined here: https://learn.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#dns-suffixes-for-object-identifiers

      Additional info:

          

            rh-ee-mraee Mulham Raee
            bvesel@redhat.com Benjamin Vesel
            Feilian Xie Feilian Xie
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated:
              Resolved: