test_encryption_at_rest: k8s-master never settles when vault is added post-deploy

Bug #1893278 reported by Kevin W Monroe
Affects: Charmed Kubernetes Testing
Status: Fix Released
Importance: High
Assigned to: Cory Johns

Bug Description

CI deploys stock Charmed K8s. When we run test_encryption_at_rest, vault is not present. Vault is added to do the test, but k8s-masters get stuck with:

waiting: Waiting for encryption info from Vault to secure secrets

I'm guessing this is because ck 1.19 now includes an identity encryption provider even when vault isn't present (to pass the CIS k8s benchmark). Perhaps vault can't mount the encrypted_config_path with its loopback device because there's now an encryption_config.yaml in there?

Changed in charmed-kubernetes-testing:
assignee: nobody → Kevin W Monroe (kwmonroe)
Cory Johns (johnsca) wrote :

That error means it's not getting the expected relation data from Vault (or the flags driven by that data are not being set properly). I've usually seen this when deploying on AWS without a single-subnet VPC due to the ongoing issue discussed in this stuck PR: https://github.com/openstack-charmers/charm-interface-vault-kv/pull/6

There may be other causes for it, though.

Changed in charmed-kubernetes-testing:
importance: Undecided → High
milestone: none → 1.19
Cory Johns (johnsca) wrote :
Changed in charmed-kubernetes-testing:
assignee: Kevin W Monroe (kwmonroe) → Cory Johns (johnsca)
status: New → In Progress
Cory Johns (johnsca)
Changed in charmed-kubernetes-testing:
status: In Progress → Fix Committed
Changed in charmed-kubernetes-testing:
status: Fix Committed → Fix Released