clastix / kamaji

Kamaji is the Hosted Control Plane Manager for Kubernetes.
https://kamaji.clastix.io
Apache License 2.0

Failed to provision when using custom DataStore schema #606

Closed lbrunOVH closed 3 weeks ago

lbrunOVH commented 3 weeks ago

When setting a custom DataStore schema and using ETCD as the DataStore, Kamaji fails to provision the TenantControlPlane and raises this ETCD error: ERROR unable to create the DataStore user privileges {"controller": "tenantcontrolplane", "controllerGroup": "kamaji.clastix.io", "controllerKind": "TenantControlPlane", "resource": "datastore-setup", "error": "unable to grant privileges: cannot grant privileges: etcdserver: role name already exists"

After checking in the ETCD, the user and the role have been correctly created; however, the user is not linked to the role. So the privileges have not been fully granted, and Kamaji retries granting them; however, the first thing it does is create the role, which already exists.

The first granting of privileges failed with this ETCD error: {"level":"warn","ts":"2024-10-21T09:27:21.340896Z","logger":"etcd-client","caller":"v3@v3.5.16/retry_interceptor.go:63","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc00014c1e0/kamaji-etcd-0.kamaji-etcd.kamaji-system.svc.cluster.local:2379","attempt":0,"error":"rpc error: code = FailedPrecondition desc = etcdserver: role name not found"}

After looking at the code, I found an issue: e.Client.RoleGrantPermission(ctx, user, key, etcdclient.GetPrefixRangeEnd(key), permission). In this function the 2nd parameter should be the role name, but we pass the username. If the DataStore schema has not been customized, the role and the user have the same value.

https://github.com/clastix/kamaji/blob/master/internal/datastore/etcd.go#L65
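The sequence of etcd auth calls the report describes, as an added example that is not part of the issue or of Kamaji's code. It uses a constructed in-memory stand-in for etcd's role/user state (not the etcd client library) so the two failure modes can be replayed offline: a grant addressed to the user name instead of the role name fails with "role name not found" when the schema is custom, leaves the role and user created but unlinked, and then every retry trips on "role name already exists" because the setup assumes a clean slate. The idempotent variant grants to the role and tolerates "already exists", so a retry after a partial failure converges. The names tenant-a, tenant-a-role and the /tenant-a/ prefix are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
)

// Error values mirroring the etcdserver messages quoted in the issue.
var (
	ErrRoleNotFound      = errors.New("etcdserver: role name not found")
	ErrRoleAlreadyExists = errors.New("etcdserver: role name already exists")
	ErrUserAlreadyExists = errors.New("etcdserver: user name already exists")
)

// AuthStore is a constructed in-memory stand-in for the slice of etcd auth
// state that DataStore setup touches. It is not the etcd client.
type AuthStore struct {
	rolePrefixes map[string][]string // role -> key prefixes granted to it
	userRoles    map[string][]string // user -> roles bound to it
}

func NewAuthStore() *AuthStore {
	return &AuthStore{rolePrefixes: map[string][]string{}, userRoles: map[string][]string{}}
}

func (s *AuthStore) RoleAdd(role string) error {
	if _, ok := s.rolePrefixes[role]; ok {
		return ErrRoleAlreadyExists
	}
	s.rolePrefixes[role] = nil
	return nil
}

// RoleGrantPermission expects a ROLE name; passing a user name is the reported bug.
func (s *AuthStore) RoleGrantPermission(role, prefix string) error {
	if _, ok := s.rolePrefixes[role]; !ok {
		return ErrRoleNotFound
	}
	s.rolePrefixes[role] = append(s.rolePrefixes[role], prefix)
	return nil
}

func (s *AuthStore) UserAdd(user string) error {
	if _, ok := s.userRoles[user]; ok {
		return ErrUserAlreadyExists
	}
	s.userRoles[user] = nil
	return nil
}

func (s *AuthStore) UserGrantRole(user, role string) error {
	if _, ok := s.rolePrefixes[role]; !ok {
		return ErrRoleNotFound
	}
	s.userRoles[user] = append(s.userRoles[user], role)
	return nil
}

// UserHasRole reports whether the user is bound to the role (the link the issue found missing).
func (s *AuthStore) UserHasRole(user, role string) bool {
	for _, r := range s.userRoles[user] {
		if r == role {
			return true
		}
	}
	return false
}

// ProvisionNaive replays the reported behaviour: clean-slate assumptions and a
// permission grant addressed to the user name. With user != role the grant
// fails after role and user exist, and the retry fails on RoleAdd.
func ProvisionNaive(s *AuthStore, user, role, prefix string) error {
	if err := s.RoleAdd(role); err != nil {
		return fmt.Errorf("cannot grant privileges: %w", err)
	}
	if err := s.UserAdd(user); err != nil {
		return fmt.Errorf("cannot create user: %w", err)
	}
	if err := s.RoleGrantPermission(user, prefix); err != nil { // bug: user, not role
		return fmt.Errorf("cannot grant privileges: %w", err)
	}
	return s.UserGrantRole(user, role)
}

// ProvisionIdempotent grants to the role and treats "already exists" as
// success, so a retry after a partial failure completes the missing link.
func ProvisionIdempotent(s *AuthStore, user, role, prefix string) error {
	if err := s.RoleAdd(role); err != nil && !errors.Is(err, ErrRoleAlreadyExists) {
		return fmt.Errorf("cannot create role: %w", err)
	}
	if err := s.UserAdd(user); err != nil && !errors.Is(err, ErrUserAlreadyExists) {
		return fmt.Errorf("cannot create user: %w", err)
	}
	if err := s.RoleGrantPermission(role, prefix); err != nil {
		return fmt.Errorf("cannot grant privileges: %w", err)
	}
	if !s.UserHasRole(user, role) {
		return s.UserGrantRole(user, role)
	}
	return nil
}

func main() {
	s := NewAuthStore()
	fmt.Println("first attempt:", ProvisionNaive(s, "tenant-a", "tenant-a-role", "/tenant-a/"))
	fmt.Println("retry:", ProvisionNaive(s, "tenant-a", "tenant-a-role", "/tenant-a/"))
	fmt.Println("fixed retry:", ProvisionIdempotent(s, "tenant-a", "tenant-a-role", "/tenant-a/"),
		"linked:", s.UserHasRole("tenant-a", "tenant-a-role"))
}
```

Running it prints the "role name not found" failure first, the "role name already exists" failure on retry, and then a nil error with linked:true once the idempotent path runs over the half-provisioned state. The two things to take from it for a controller that reconciles external privileges are that the grant must name the role, and that every step must tolerate the state a previous partial run left behind.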