Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix double base64-encoding of ca_bundle field #1296

Merged
merged 4 commits into from
Jan 29, 2024
Merged

Fix double base64-encoding of ca_bundle field #1296

merged 4 commits into from
Jan 29, 2024

Conversation

adamkpickering
Copy link
Contributor

@adamkpickering adamkpickering commented Jan 24, 2024
edited by zube bot
Loading

Issue:

For #1297

Problem

The user reports that configuring a rancher_catalog_v2 resource with the ca_bundle field set fails. This is because the caBundle field in the configured ClusterRepo resource is base64-encoded twice. For more details, the JIRA issue gives a pretty good description.

Also note that there is a discrepancy between the documentation for configuring a repo/catalog via the Rancher UI, and the documentation for the ca_bundle field in the rancher_catalog_v2 resource:

Git-based chart repositories: You must add a base64 encoded copy of the CA certificate in DER format to the spec.caBundle field of the chart repo link

ca_bundle - (Optional) PEM encoded CA bundle which will be used to validate the repo's certificate (string) link

Solution

The cleanest solution, as far as @nicholasSUSE and I can tell, is to slightly change the behavior of the ca_bundle field so that the user sets it to a base64-encoded DER value. When expanding the terraform object into a ClusterRepo, the rancher2 provider base64-decodes the passed ca_bundle value and sets the spec.caBundle field of the ClusterRepo to the result, which is of type []byte. When the encoding/json package marshals the ClusterRepo struct created by the rancher2 provider, it automatically base64-encodes the caBundle field (see the docs for json.Marshal), which appears to be what the Rancher API expects.

Testing

This issue can be reproduced by running the terraform provider against a v2.7.6 Rancher cluster. Note that running it against a version of Rancher run via go run main.go or dlv doesn't work - it seems that the terraform provider chokes on the fact that something (I never figured out what) has the version dev.

Engineering Testing

Manual Testing

On a Rancher v2.7.6 deployment running in k3d, I did the following tests using the terraform provider:

  • Creating a ClusterRepo resource with the caBundle field set.
  • Creating a ClusterRepo resource without the caBundle field set.
  • Deleting a ClusterRepo resource.
  • Updating a ClusterRepo resource by changing the name field in the terraform resource. This failed, but I determined that this failure is present on the master branch and thus not related to this PR. This seems wrong to me, but also seems like it may just be due to how the Rancher API works. I'm new to the Rancher project, so can someone who has more experience with Rancher check this?

Automated Testing

I updated the ca_bundle field in the expandCatalogV2 and flattenCatalogV2 unit tests to reflect the HCL value being base64-encoded DER, and the ClusterRepo value being a []byte containing unencoded DER.

QA Testing Considerations

I don't think there is any issue with changing the behavior of the ca_bundle field, since it is broken as is. I could easily be wrong though...

Regressions Considerations

@snasovich snasovich requested a review from a team January 26, 2024 14:44
nicholasSUSE
nicholasSUSE approved these changes Jan 26, 2024
View reviewed changes
Copy link
Contributor

@nicholasSUSE nicholasSUSE left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I approved, but please wait for @rohitsakala review before merging

nicholasSUSE
nicholasSUSE reviewed Jan 29, 2024
View reviewed changes
rancher2/structure_catalog_v2.go
@@ -26,7 +29,8 @@ func flattenCatalogV2(d *schema.ResourceData, in *ClusterRepo) error {
}
d.Set("resource_version", in.ObjectMeta.ResourceVersion)

d.Set("ca_bundle", string(in.Spec.CABundle))
encodedCABundle := base64.StdEncoding.EncodeToString(in.Spec.CABundle)
Copy link
Contributor

@nicholasSUSE nicholasSUSE Jan 29, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's test the following:

output "some_NAME" {
  value = <the_catalog_resource>.ca_bundle
}

to validate this

@nicholasSUSE nicholasSUSE merged commit 9a2cd64 into rancher:master Jan 29, 2024
1 check passed
@adamkpickering adamkpickering deleted the sure-7108 branch January 30, 2024 18:30
@adamkpickering adamkpickering mentioned this pull request Jan 30, 2024
Closed
@zube zube bot removed the [zube]: To Test label Apr 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nicholasSUSE nicholasSUSE nicholasSUSE approved these changes

@rohitsakala rohitsakala rohitsakala approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@adamkpickering @rohitsakala @nicholasSUSE