[2.13] add validation for etcd s3 cloud credential #985
crobby
left a comment
I think what's here seems good from a frameworks perspective. lg to me once Jake's question is addressed.
…Config.etcd.s3.cloudCredentialName
```go
// validateS3Secret checks if the S3 cloud credential secret referenced in the cluster exists.
func (p *provisioningAdmitter) validateS3Secret(oldCluster, cluster *v1.Cluster) (*admissionv1.AdmissionResponse, error) {
	if cluster.Name == localCluster {
```
I think you need a check here if oldCluster == nil, so that you still validate on create, otherwise it will likely panic.
This will not happen.
I thought about this case while writing the function, and it turned out that the oldCluster and cluster will be pointers to an empty cluster object, &v1.Cluster{}. They are from the ClusterOldAndNewFromRequest function:
https://github.com/rancher/webhook/blob/main/pkg/generated/objects/provisioning.cattle.io/v1/objects.go#L19-L20
Ah that makes sense, approved.
Issue:
rancher/rancher#50987
Problem
While creating a node driver or custom RKE2/k3s cluster, if the secret used for saving etcd backups to S3 does not exist, then the cluster will be stuck waiting for node ref, and Rancher will generate empty plans for nodes.
Note that this bug can only be triggered when creating or updating the cluster programmatically or via editing YAML.
Solution
Add validation for the etcd S3 cloud credential to reject the request for creating or updating the provisioning cluster if the provided secret does not exist.
Checklist
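The validation the PR describes, written out as an added example that is not rancher/webhook's own code: the `Cluster`, `Spec`, `RKEConfig`, `EtcdConfig` and `S3Config` types are hypothetical stand-ins for the provisioning.cattle.io/v1 fields, `SecretExists` stands in for the webhook's secret cache, and parsing the credential as an optional `namespace:name` reference is an assumption. It also shows why the create case raised in review is safe: `oldCluster` is never dereferenced, so a nil or empty pointer does not panic.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical stand-ins for the provisioning cluster fields the check reads;
// the real types live in rancher's provisioning.cattle.io/v1 package.
type S3Config struct{ CloudCredentialName string }
type EtcdConfig struct{ S3 *S3Config }
type RKEConfig struct{ ETCD *EtcdConfig }
type Spec struct{ RKEConfig *RKEConfig }
type Cluster struct {
	Name, Namespace string
	Spec            Spec
}

// SecretExists stands in for the webhook's secret cache lookup.
type SecretExists func(namespace, name string) bool

const localCluster = "local"

// ValidateS3Secret rejects a create or update when the etcd S3 cloud credential
// referenced by the cluster does not exist. oldCluster is kept for parity with
// the admitter signature but is never dereferenced, so nil on create is safe.
func ValidateS3Secret(oldCluster, cluster *Cluster, exists SecretExists) error {
	if cluster == nil || cluster.Name == localCluster {
		return nil // the local cluster is skipped, as in the admitter
	}
	rke := cluster.Spec.RKEConfig
	if rke == nil || rke.ETCD == nil || rke.ETCD.S3 == nil || rke.ETCD.S3.CloudCredentialName == "" {
		return nil // no S3 backup target configured, nothing to validate
	}
	cred := rke.ETCD.S3.CloudCredentialName
	// Assumption: the reference may carry a "namespace:name" prefix; otherwise
	// the secret is looked up in the cluster's own namespace.
	ns, name := cluster.Namespace, cred
	if i := strings.Index(cred, ":"); i >= 0 {
		ns, name = cred[:i], cred[i+1:]
	}
	if !exists(ns, name) {
		return fmt.Errorf("etcd S3 cloud credential %q not found", cred)
	}
	return nil
}
```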