Pure Technical Services

Pure Storage VMware Appliance: GPG Key Expiry

Issue

On September 10th, 2022, the GNU Privacy Guard (GPG) key used by the Pure Storage VMware Appliance (OVA), remote vSphere plugin and VM analytics collector repositories expired. There were no alerts in place to notify Pure Storage of this. Because of the secure way in which the OVAs are installed, managed and upgraded, there is no way to directly update the public GPG key used on the OVA once it has expired.

GPG keys are used by Pure Storage to authenticate between the OVA and the repositories we maintain to update the VM Analytics Collector, vSphere Remote Plugin and OVA itself. When running puresw list or puresw update, the OVA will query the repository. If there are issues with the GPG key, the OVA will not be able to download any updates. 

Impact

This issue affects the OVA, remote vSphere plugin offline installations, remote vSphere plugin online installations and the VM analytics collector.

Existing deployments of these three services will not be able to upgrade to new versions of the OVA, remote vSphere plugin and the VM analytics collector without redeploying the OVA and associated service.

Existing deployments of these three services will continue to function normally outside of upgrades.

New deployments of the VM analytics collector and remote vSphere plugin would have failed to install from September 10th to September 15th.

Remediation

Pure Storage has released an updated OVA that can be used for new deployments of the OVA, remote vSphere plugin and the VM analytics collector. Unfortunately, the path to valid GPG keys for existing deployments is not as simple. For existing deployments that need to upgrade to new versions, the OVA and the vSphere plugin or collector hosted on it need to be re-deployed.

Online deployment of the remote vSphere plugin

  1. The existing remote vSphere plugin should be disconnected from the environment it is connected to by following these steps. If these steps aren't possible with the current vSphere plugin deployment, they can be followed after deploying the new OVA.
  2. Follow the steps here to deploy a new OVA using the online deployment procedure.
  3. It is not currently possible to migrate the existing array data from the existing vSphere plugin to the recently deployed vSphere plugin.
    1. Existing FlashArray connections and Pure1 connections will need to be recreated by following this KB.

Offline deployment of the remote vSphere plugin

  1. The existing remote vSphere plugin should be disconnected from the environment it is connected to by following these steps. If these steps aren't possible with the current vSphere plugin deployment, they can be followed after deploying the new OVA.
  2. Follow the steps here to deploy a new OVA using the offline deployment procedure.
  3. It is not currently possible to migrate the existing array data from the existing vSphere plugin to the recently deployed vSphere plugin.
    1. Existing FlashArray connections and Pure1 connections will need to be recreated by following this KB.

VM analytics collector

  1. Follow the steps here to deploy a new OVA with the VM analytics collector.
  2. Import the configuration from your existing collector to the new one by following these steps.
  3. The existing collector will need to be disconnected from the environment by following these steps, then deleting the VM from disk in vSphere.
  4. If the new collector starts gathering data before the existing collector has been decommissioned and they both have the same access to the same vCenters, there should be no gap in data reported to Pure1.

Prevention

To correct the GPG key expiry, the new OVA has a public GPG key that will not expire.

Pure Storage is evaluating additional options to eliminate the possibility of this situation in the future. This section will be updated once decisions have been made about the best path forward.
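
The Issue section notes that no alert existed for the key's expiry. As an added example (not Pure Storage's code or tooling), the shell function below reads GnuPG's machine-readable colon listing and reports public keys and subkeys that are expired or expire within a warning window; the sample listing, key IDs, dates and the file name in the comment are constructed or hypothetical.

```shell
#!/bin/sh
# Added example: flag OpenPGP keys that are expired or close to expiry.
# Input is GnuPG's colon listing (gpg --with-colons): field 1 = record type,
# field 5 = key ID, field 7 = expiry in epoch seconds (empty = never expires).

# check_key_expiry NOW_EPOCH WARN_DAYS   (colon listing on stdin)
# Prints one line per problem key; returns 1 if any line was printed.
check_key_expiry() {
  awk -F: -v now="$1" -v warn="$2" '
    $1 == "pub" || $1 == "sub" {
      if ($7 == "") next                      # no expiry set
      if ($7 !~ /^[0-9]+$/) {                 # e.g. ISO 8601 form: fail closed
        printf "UNKNOWN %s %s %s\n", $1, $5, $7; bad = 1; next
      }
      left = ($7 + 0) - (now + 0)             # seconds until expiry
      if (left <= 0) {
        printf "EXPIRED %s %s\n", $1, $5; bad = 1
      } else if (left <= warn * 86400) {
        printf "EXPIRING %s %s %d\n", $1, $5, int(left / 86400); bad = 1
      }
    }
    END { exit bad + 0 }
  '
}

# Constructed sample listing (key IDs and dates are made up, fields trimmed).
SAMPLE_LISTING='pub:-:4096:1:AAAAAAAAAAAAAAAA:1599696000:1662768000::-:
uid:-::::1599696000::::Constructed Repo Key <repo@example.invalid>:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1599696000:1700000000:::
pub:-:4096:1:CCCCCCCCCCCCCCCC:1599696000:::-:
pub:e:4096:1:DDDDDDDDDDDDDDDD:1577836800:1640995200::-:
sub:-:4096:1:EEEEEEEEEEEEEEEE:1599696000:20230101T000000:::'

# Demo with a fixed, constructed "now" of 2022-09-01 00:00 UTC and a 30-day window.
# Real use (file name hypothetical):
#   gpg --show-keys --with-colons repo-key.asc | check_key_expiry "$(date +%s)" 30
printf '%s\n' "$SAMPLE_LISTING" | check_key_expiry 1661990400 30 \
  || echo "key expiry check failed: rotate or re-issue before clients break" >&2
```

Run from a scheduler against every key that clients are expected to trust, the non-zero exit status is the signal to alert on.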