rancher / terraform-provider-rancher2

Terraform Rancher2 provider
https://www.terraform.io/docs/providers/rancher2/
Mozilla Public License 2.0

rancher2_cloud_credential secret created in wrong cluster #947

Closed mh013370 closed 1 year ago

mh013370 commented 2 years ago

Rancher version: v2.6.5
rancher2 provider version: 1.23.0
rke2 version: 1.22.7

I have a MinIO I'm trying to use to store etcd backups for a workload rke2 cluster, and so I'm trying to configure it to do so. I'd previously used it to store rke1 backups via this provider, so I've set this up in the past.

I've deployed a rancher2_cluster_v2 cluster successfully that's running several workloads. It comes up successfully and isn't a problem point.

To configure the etcd backups, I've added an etcd block to rancher2_cluster_v2.rke_config and created a rancher2_cloud_credential with an s3_credential_config as follows:

resource "rancher2_cluster_v2" "my_cluster" {
  rke_config {
    etcd {
      snapshot_schedule_cron = "0 */12 * * *"
      snapshot_retention = 10
      s3_config {
        bucket = "backups"
        endpoint = "https://minio.host:9000"
        cloud_credential_name = rancher2_cloud_credential.credentials.name
      }
    }
  }
}

resource "rancher2_cloud_credential" "credentials" {
  name = "rancher-creds"
  s3_credential_config {
    # Placeholders quoted so the block parses as HCL
    access_key = "<ACCESS_KEY>"
    secret_key = "<SECRET_KEY>"
  }
}

This fails when applied because the rancher2_cluster_v2 can't locate the rancher-creds secret. Looking into it, I see that the secret gets created in the Rancher management cluster in the cattle-global-data namespace and not in the workload cluster I'm attempting to configure etcd backups for. There's not a way to say which cluster(s) this credential is for through the provider.

Am I configuring this incorrectly, or should it be possible for workload Rancher clusters to read credential secrets from the management Rancher cluster?

I attempted to configure the etcd backups manually through the Rancher UI after configuring the rancher2_cloud_credential to see if this is a problem with the rancher2_cluster_v2 resource, but it results in the same problem. The Rancher UI allows me to select the S3 cloud credential I created, but the secret for that credential is in the management Rancher cluster and not the workload cluster I'm trying to configure.

Any help appreciated!

moshiaiz commented 1 year ago

Hi @michael81877,

Under "s3_config", instead of setting the name as shown here: cloud_credential_name = rancher2_cloud_credential.credentials.name

Use the id of the Cloud Credential: cloud_credential_name = rancher2_cloud_credential.credentials.id

This worked for me. Now there are no errors when applying the configuration.
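The change described in the reply above, applied to the configuration from the original report. This is an added example, not code posted by either participant or taken from the provider; the variable names, the cluster name and the `kubernetes_version` variable are assumptions made so the configuration is complete.

```hcl
# Added example. Variable names are assumptions, not from the issue.
variable "minio_access_key" {
  type      = string
  sensitive = true # redacted from plan/apply output
}

variable "minio_secret_key" {
  type      = string
  sensitive = true
}

variable "kubernetes_version" {
  type = string # hypothetical; set to the RKE2 version you deploy
}

resource "rancher2_cloud_credential" "credentials" {
  name = "rancher-creds"
  s3_credential_config {
    # Supplied at apply time (e.g. TF_VAR_minio_access_key) instead of
    # being written into the .tf files.
    access_key = var.minio_access_key
    secret_key = var.minio_secret_key
  }
}

resource "rancher2_cluster_v2" "my_cluster" {
  name               = "my-cluster" # constructed name
  kubernetes_version = var.kubernetes_version
  rke_config {
    etcd {
      snapshot_schedule_cron = "0 */12 * * *"
      snapshot_retention     = 10
      s3_config {
        bucket   = "backups"
        endpoint = "https://minio.host:9000"
        # Before (the report's failing form):
        #   cloud_credential_name = rancher2_cloud_credential.credentials.name
        # After (the form the reply reports as working):
        cloud_credential_name = rancher2_cloud_credential.credentials.id
      }
    }
  }
}
```

Marking the variables `sensitive` only hides them from plan output; the keys are still written to Terraform state, so the state backend needs its own access control and encryption.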

mh013370 commented 1 year ago

> Hi @michael81877,
>
> Under "s3_config", instead of setting the name as shown here: cloud_credential_name = rancher2_cloud_credential.credentials.name
>
> Use the id of the Cloud Credential: cloud_credential_name = rancher2_cloud_credential.credentials.id
>
> This worked for me. Now there are no errors when applying the configuration.

Thanks for this!