[BUG] rke2 machineSelectorFiles.fileSources have multiple duplicate entries

kinarashah commented 1 month ago

Rancher Server Setup

Rancher version: v2.9.1

Information about the Cluster

Kubernetes version: Any
Cluster Type (Local/Downstream):
- If downstream, what type of cluster? RKE2 Node driver cluster

Provider Information

What is the version of the Rancher v2 Terraform Provider in use? Built locally off master commit - 8356b631d76f5fd69276906c405233571beb6bdc
What is the version of Terraform in use? Terraform v1.9.8

Describe the bug

The default value of dynamic field using terraform provider should be consistent with Rancher API. dynamic is false when editing cluster object using API/UI but set to true using terraform.
Multiple duplicate entries for fileSources are added to the cluster object under machineSelectorFiles. Only one entry is expected for the same secret and hash value.

To Reproduce

Provision a RKE2 node driver cluster using terraform, make sure to set default_pod_security_admission_configuration_template_name. I set it to "rancher-restricted".
After the cluster is provisioned, edit snapshot_retention or any other cluster field to trigger cluster reconciliation.

Observe that a new entry is added to the cluster object:

- fileSources:
  - configMap:
      name: ""
    secret:
      items:
      - dynamic: true
        hash: LW5oTV9pmpX7+xWMjgC3IgbHtLkSMlCgyaKXG13CihA=
        key: admission-config-psact
        path: /etc/rancher/rke2/config/rancher-psact.yaml
      name: molmedocis-admission-configuration-psact
  machineLabelSelector:
    matchLabels:
      rke.cattle.io/control-plane-role: "true"
- fileSources:
  - configMap:
      name: ""
    secret:
      items:
      - hash: LW5oTV9pmpX7+xWMjgC3IgbHtLkSMlCgyaKXG13CihA=
        key: admission-config-psact
        path: /etc/rancher/rke2/config/rancher-psact.yaml
      name: molmedocis-admission-configuration-psact
  machineLabelSelector:
    matchLabels:
      rke.cattle.io/control-plane-role: "true" (edited)

Re-edit a field on the cluster object to trigger cluster reconciliation again.
A new fileSource gets added to the cluster object with duplicate values on every cluster update.

Expected Result

Only one unique fileSource is added to the machineSelectorFiles on cluster edits if the secret or the hash value doesn't change.

SURE-9071

nicgrobler commented 1 month ago

We got bitten by this during the upgrade of downstream cluster (rancher 2.9.2, rke2 1.28.13) - the issue is that it creates a new entry, with a different hash (in our case), and this then causes the upgrade to stall as it then complains that the psact secret ‘doesn’t contain the expected contents’ - the fix is to remove the duplicate block from the cluster object / ensure the new hash matches the existing entries. The moment you do this, the error goes away and the upgrade progresses

kinarashah commented 2 weeks ago

@nicgrobler This was using terraform as well, correct? I wanted to verify as my fix is scoped to terraform. If you see multiple entries being added via API/UI lmk as that'd be a different issue.

Josh-Diamond commented 1 day ago

Ticket #1426 - Test Results - ✅

Verified on Rancher v2.10.0 with Rancher2 v6.0.0-rc3:

Scenario	Test Result	Result
1.	Provision downstream RKE2 AWS Node driver cluster => edit cluster and force reconciliation => confirm no duplicate entries are seen in `machineSelectorFiles.fileSources`	✅

Scenario 1 - ✅

Provision a downstream RKE2 AWS Node driver cluster
Once active, modify snapshot_retention and apply changes
Once cluster updates and is active, edit YAML of cluster object and verify machineSeletorFiles.fileSources
Verified - No duplicates seen in machineSelectorFiles.fileSources after cluster update; as expected

rancher / terraform-provider-rancher2