  1. Red Hat Advanced Cluster Management
  2. ACM-8415

ACM Policy that applies stringdata in a secret regression with templates


    • Bug
    • Resolution: Done
    • Major
    • ACM 2.8.5
    • ACM 2.8.3
    • GRC
    • GRC Sprint 2023-20, GRC Sprint 2023-21
    • Moderate

      Description of problem:

      I think this problem only happens in ACM 2.8.2 and 2.8.3.  The OPP policyset created a secret for Observability which used templates to pull data from multiple places.  Because the templates used the lookup function, there is a period of time the policy becomes compliant but the secret content contains "<no value>" for a couple fields while other OPP components are still starting.  Once those values are available, the secret is supposed to be updated with the new content.  Instead, the secret is not updated and the policy changes to and stays NonCompliant.  The NonCompliant message reported in the policy is:

        - compliant: NonCompliant
          history:
          - eventName: policies.policy-ocm-test.1792fed43627f156
            lastTimestamp: "2023-10-30T21:09:56Z"
            message: 'NonCompliant; violation - Error updating the object `test-object-storage`,
              the error is `Secret in version "v1" cannot be handled as a Secret: illegal
              base64 data at input byte 4`'

       

      Version-Release number of selected component (if applicable): ACM 2.8.3 (and 2.8.2)

      How reproducible: Easy on only these two versions.  I have a recreate testcase

      Steps to Reproduce:

      1. Apply the generator project I created
      2. Make sure the secret is created - you can double check that the <no value> exists in the secret
      3. Update the generator project to point to the correct names and re-apply the generator project

      Note: The field in number 3 should change from buceeHost and buceeName to bucketHost and bucketName, respectively, in the input-acm-observability/policy-ocm-observability.yaml file.

      Actual results: NonCompliant due to secret update failure

      Expected results: Compliance should not be NonCompliant

      Additional info: Sample being provided
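
Added example (not part of the original report and not ACM's own code): a Python check for step 2 of the reproduction, which scans a Secret as returned by `kubectl get secret -o json` for the "<no value>" placeholder and for `data` values that are not valid base64. The sample object, its key names and the helper names are constructed for illustration.

```python
import base64
import binascii

PLACEHOLDER = "<no value>"  # text seen in the secret while lookups are unresolved


def audit_secret(secret):
    """Return (field, problem) findings for one Secret object (parsed JSON)."""
    findings = []
    # stringData is plain text, so the placeholder can be matched directly.
    for key, value in (secret.get("stringData") or {}).items():
        if PLACEHOLDER in value:
            findings.append((f"stringData.{key}", "unresolved template value"))
    # data must be base64; flag values that do not decode, then look inside.
    for key, value in (secret.get("data") or {}).items():
        try:
            decoded = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            findings.append((f"data.{key}", "not valid base64"))
            continue
        if PLACEHOLDER.encode() in decoded:
            findings.append((f"data.{key}", "unresolved template value"))
    return findings


def audit(doc):
    """Accept a single Secret or a `kind: List` of Secrets."""
    items = doc.get("items", [doc]) if doc.get("kind") == "List" else [doc]
    return {s["metadata"]["name"]: audit_secret(s) for s in items}


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample: the secret name comes from the report, the keys do not.
SAMPLE = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "test-object-storage"},
    "data": {
        "config.yaml": _b64("bucketName: <no value>\nbucketHost: <no value>\n"),
        "resolved.txt": _b64("bucket-1"),
        "raw.txt": "<no value>",  # plain text where base64 is expected
    },
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings)
```
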

            rh-ee-jeluo Jeffrey Luo (Inactive)
            gparvin-redhat Gus Parvin
            Derek Ho Derek Ho