Comments (6)
Root cause
When updating the private registries on an RKE1 downstream cluster, Rancher always skips the entry whose password is empty. Rancher thinks the reason for an empty password is that it has been migrated to a Secret, so skipping the entry avoids wiping out the password from the Secret. The logic works well in most cases except the following one: once the username and password are set for a private registry on the RKE1 downstream cluster, we will not be able to unset those two values at the same time in the cases where the private registry does not require login anymore or the username and password were set by mistake in the first place.
What was fixed, or what changes have occurred
The logic is updated such that now when updating the private registries on an RKE1 downstream cluster Rancher skips the private registry only if it meets all the following conditions:
- its password is empty
- it can be found in the list of existing private registries
- its username is unchanged
Areas or cases that should be tested
A matrix of cases can be derived from creating/updating a DS RKE1 cluster with/without a private registry that does/doesn't have a username and/or password. In all cases, the cattle-private-registry Secret, whose name is recorded at .State.privateRegistrySecret on the mgmt cluster, should be updated properly.
What areas could experience regressions?
The same as the above.
Are the repro steps accurate/minimal?
Yes.
Note that it is not necessary to use Terraform as the bug is on the Rancher side, not the tf-provider-rancher2.
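To make the three skip conditions above concrete, here is an added Go example; it is illustration code written for this page, not Rancher's own implementation. The PrivateRegistry type, the function names, the constructed registry URL and the assumption that a skipped entry simply carries the already-stored values forward are all choices made for the example, and only the decision rule itself is taken from the comment above.

```go
package main

import "fmt"

// PrivateRegistry holds the three fields the issue talks about. It is an
// illustrative type for this example, not Rancher's RKE config type.
type PrivateRegistry struct {
	URL      string
	User     string
	Password string
}

// SkipRule decides whether an incoming entry is left alone during an update.
type SkipRule func(incoming PrivateRegistry, existing map[string]PrivateRegistry) bool

// indexByURL builds a lookup of the registries already stored on the cluster.
func indexByURL(registries []PrivateRegistry) map[string]PrivateRegistry {
	byURL := make(map[string]PrivateRegistry, len(registries))
	for _, r := range registries {
		byURL[r.URL] = r
	}
	return byURL
}

// SkipBeforeFix is the pre-fix rule as the issue describes it: any entry with
// an empty password is skipped, on the assumption that the password has
// already been moved into the cattle-private-registry Secret.
func SkipBeforeFix(incoming PrivateRegistry, _ map[string]PrivateRegistry) bool {
	return incoming.Password == ""
}

// SkipAfterFix is the fixed rule: skip only when all three conditions hold
// (empty password, registry already known, username unchanged). An entry
// whose username changed, or which is new, is always written through.
func SkipAfterFix(incoming PrivateRegistry, existing map[string]PrivateRegistry) bool {
	if incoming.Password != "" {
		return false
	}
	prev, known := existing[incoming.URL]
	if !known {
		return false
	}
	return prev.User == incoming.User
}

// ApplyUpdate returns the registries that would be persisted after an update.
// Assumption for this example: a skipped entry keeps whatever is already
// stored for that URL (that is what skipping is meant to protect), and an
// entry that is not skipped is written exactly as sent.
func ApplyUpdate(existing, incoming []PrivateRegistry, skip SkipRule) []PrivateRegistry {
	byURL := indexByURL(existing)
	out := make([]PrivateRegistry, 0, len(incoming))
	for _, r := range incoming {
		if skip(r, byURL) {
			if prev, ok := byURL[r.URL]; ok {
				out = append(out, prev)
			}
			continue
		}
		out = append(out, r)
	}
	return out
}

func main() {
	// Constructed sample: a registry provisioned with credentials, then
	// updated with both username and password unset (QA scenario 3).
	existing := []PrivateRegistry{{URL: "registry.example.test", User: "alice", Password: "s3cret"}}
	incoming := []PrivateRegistry{{URL: "registry.example.test"}}

	fmt.Printf("before fix: %+v\n", ApplyUpdate(existing, incoming, SkipBeforeFix))
	fmt.Printf("after fix:  %+v\n", ApplyUpdate(existing, incoming, SkipAfterFix))
}
```

With the old rule the unset entry is skipped and the stored alice/s3cret pair survives, which is the bug; with the new rule the changed username defeats the skip and the empty credentials are written. The legitimate case (password empty because it lives in the Secret, username unchanged) is still skipped by both rules.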
The issue can be validated on the latest v2.9-head tag.
This issue is waiting for an alpha/RC to properly test.
QA TEST PLAN
| # | Scenario |
|---|---|
| 1 | Unset private registry username from downstream RKE1 cluster |
| 2 | Unset private registry password from downstream RKE1 cluster |
| 3 | Unset both the private registry username and password from downstream RKE1 cluster |
Reproduced the issue on v2.8.4 for scenario 1. See below:
| # | Scenario | Result |
|---|---|---|
| 1 | Unset private registry username from downstream RKE1 cluster | ❌ |
REPRODUCTION STEPS
- Setup Rancher v2.8.3.
- Provisioned a downstream RKE1 node driver cluster with an authenticated registry.
- Took note of the `cattle-private-registry` secret and its values.
- Updated the private registry to unset the username.
- Validated that the `cattle-private-registry` secret is still there and has `data/.dockerconfigjson` still present with the same value.
Now that this has been reproduced, I will attempt to validate with a tag that has the fix.
Validated that this is addressed in v2.9.0-alpha7. See details below:
ENVIRONMENT DETAILS
- Rancher install: Docker
- Rancher version: v2.9.0-alpha7
TEST RESULT
| # | Scenario | Result |
|---|---|---|
| 1 | Unset private registry username from downstream RKE1 cluster | ✅ |
| 2 | Unset private registry password from downstream RKE1 cluster | ✅ |
| 3 | Unset both the private registry username and password from downstream RKE1 cluster | ✅ |
VALIDATION STEPS
Scenario 1
- Setup Rancher via the rancher2 Terraform provider. Sample `main.tf` below:

```hcl
terraform {
  required_providers {
    rancher2 = {
      source  = "rancher/rancher2"
      version = "4.1.0"
    }
  }
}

provider "rancher2" {
  api_url   = var.rancher_api_url
  token_key = var.rancher_admin_bearer_token
  insecure  = true # skips TLS verification of the Rancher API; only acceptable for a throwaway test setup
}

########################
# CREATE RKE1 CLUSTER
########################
resource "rancher2_cluster" "cluster" {
  name                                                       = var.cluster_name
  default_pod_security_admission_configuration_template_name = var.default_pod_security_admission_configuration_template_name
  rke_config {
    kubernetes_version = var.kubernetes_version
    network {
      plugin = var.network_plugin
    }
    # Authenticated registry under test; Rancher stores the credentials in the cattle-private-registry Secret
    private_registries {
      url      = var.private_registry_url
      user     = var.private_registry_username
      password = var.private_registry_password
    }
  }
}

########################
# CREATE NODE TEMPLATE
########################
resource "rancher2_node_template" "node_template" {
  name                     = var.node_template_name
  engine_insecure_registry = [var.insecure_registry]
  amazonec2_config {
    access_key     = var.aws_access_key
    secret_key     = var.aws_secret_key
    ami            = var.aws_ami
    region         = var.aws_region
    security_group = [var.aws_security_group_name]
    subnet_id      = var.aws_subnet_id
    vpc_id         = var.aws_vpc_id
    zone           = var.aws_zone
    root_size      = var.aws_root_size
    instance_type  = var.aws_instance_type
  }
}

########################
# CREATE ETCD NODE POOL
########################
resource "rancher2_node_pool" "etcd_node_pool" {
  cluster_id       = rancher2_cluster.cluster.id
  name             = var.etcd_node_pool_name
  hostname_prefix  = var.node_hostname_prefix
  node_template_id = rancher2_node_template.node_template.id
  quantity         = var.etcd_node_pool_quantity
  control_plane    = false
  etcd             = true
  worker           = false
}

########################
# CREATE CP NODE POOL
########################
resource "rancher2_node_pool" "control_plane_node_pool" {
  cluster_id       = rancher2_cluster.cluster.id
  name             = var.control_plane_node_pool_name
  hostname_prefix  = var.node_hostname_prefix
  node_template_id = rancher2_node_template.node_template.id
  quantity         = var.control_plane_node_pool_quantity
  control_plane    = true
  etcd             = false
  worker           = false
}

########################
# CREATE WORKER NODE POOL
########################
resource "rancher2_node_pool" "worker_node_pool" {
  cluster_id       = rancher2_cluster.cluster.id
  name             = var.worker_node_pool_name
  hostname_prefix  = var.node_hostname_prefix
  node_template_id = rancher2_node_template.node_template.id
  quantity         = var.worker_node_pool_quantity
  control_plane    = false
  etcd             = false
  worker           = true
}
```
- Provisioned a downstream RKE1 node driver cluster with an authenticated registry.
- Took note of the `cattle-private-registry` secret and its values.
- Updated the registry to unset the username.
- Validated that the `cattle-private-registry` secret does not have the same value in `data/.dockerconfigjson`; it is updated to have the username taken out.
- Reverted the change and ensured the value in `data/.dockerconfigjson` reverted as well.
Scenario 2
- Repeated scenario 1, but unset the password instead of the username.
- The `cattle-private-registry` secret is updated so that `data/.dockerconfigjson` reflects the change.
- The
Scenario 3
- Repeated scenario 1, but unset both the username and password.
- The `cattle-private-registry` secret is updated so that `data/.dockerconfigjson` reflects the change.
- The
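The validation steps above compare the Secret's `data/.dockerconfigjson` value by eye before and after each change. The following added Go example (written for this page, not Rancher's or the QA commenter's code) does that comparison programmatically. It assumes the Secret uses the standard kubernetes.io/dockerconfigjson layout (`{"auths": {"<registry>": {"auth": base64("user:password"), ...}}}`); the registry URL, credentials and both snapshots are constructed for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// dockerConfig is the kubernetes.io/dockerconfigjson layout (assumed here to
// be what the cattle-private-registry Secret carries).
type dockerConfig struct {
	Auths map[string]dockerAuth `json:"auths"`
}

type dockerAuth struct {
	Username string `json:"username"`
	Password string `json:"password"`
	Auth     string `json:"auth"` // base64("username:password")
}

// Credentials is what a kubelet would end up using for one registry.
type Credentials struct {
	Username string
	Password string
}

// Anonymous reports whether both fields are unset (QA scenario 3 end state).
func (c Credentials) Anonymous() bool { return c.Username == "" && c.Password == "" }

// AuthBlob encodes "user:password" the way docker login writes the auth field.
func AuthBlob(user, pass string) string {
	return base64.StdEncoding.EncodeToString([]byte(user + ":" + pass))
}

// CredentialsFor parses a decoded .dockerconfigjson payload and returns the
// credentials stored for one registry. Assumption: when the auth blob is
// present it is authoritative; the explicit username/password fields are
// only a fallback.
func CredentialsFor(dockerConfigJSON []byte, registry string) (Credentials, error) {
	var cfg dockerConfig
	if err := json.Unmarshal(dockerConfigJSON, &cfg); err != nil {
		return Credentials{}, fmt.Errorf("parse .dockerconfigjson: %w", err)
	}
	entry, ok := cfg.Auths[registry]
	if !ok {
		return Credentials{}, fmt.Errorf("no auths entry for %q", registry)
	}
	if entry.Auth != "" {
		raw, err := base64.StdEncoding.DecodeString(entry.Auth)
		if err != nil {
			return Credentials{}, fmt.Errorf("decode auth for %q: %w", registry, err)
		}
		user, pass, found := strings.Cut(string(raw), ":")
		if !found {
			return Credentials{}, fmt.Errorf("auth for %q is not user:password", registry)
		}
		return Credentials{Username: user, Password: pass}, nil
	}
	return Credentials{Username: entry.Username, Password: entry.Password}, nil
}

// Changed reports whether an update actually reached the Secret, i.e. the
// stored credentials for the registry differ between two snapshots. A false
// result after unsetting a field is the bug the issue describes.
func Changed(before, after []byte, registry string) (bool, error) {
	b, err := CredentialsFor(before, registry)
	if err != nil {
		return false, err
	}
	a, err := CredentialsFor(after, registry)
	if err != nil {
		return false, err
	}
	return a != b, nil
}

func main() {
	// Constructed snapshots of the decoded data/.dockerconfigjson value,
	// before and after unsetting only the username (QA scenario 1).
	const registry = "registry.example.test"
	before := []byte(`{"auths":{"` + registry + `":{"auth":"` + AuthBlob("alice", "s3cret") + `"}}}`)
	after := []byte(`{"auths":{"` + registry + `":{"auth":"` + AuthBlob("", "s3cret") + `"}}}`)

	changed, err := Changed(before, after, registry)
	if err != nil {
		panic(err)
	}
	creds, _ := CredentialsFor(after, registry)
	fmt.Printf("secret updated: %v, username now %q, anonymous: %v\n", changed, creds.Username, creds.Anonymous())
}
```

To feed it real snapshots, decode the Secret once before and once after the update, for example with `kubectl get secret <name> -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d` in the namespace on the management cluster where Rancher keeps it (the issue records only the Secret's name, at .State.privateRegistrySecret), and pass the two outputs to Changed.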