
How to resolve the error "Secret <cluster-name>-admission-configuration-psact does not contain the expected content" when updating RKE2 clusters via Rancher2 Terraform Provider

Article Number: 000021585

Environment

  • SUSE Rancher v2.6.x - v2.9.x
  • Rancher2 Terraform Provider <= v5.1.x
  • A Rancher-provisioned RKE2 cluster, managed via Terraform, with the default_pod_security_admission_configuration_template_name field set

Situation

After setting the "default_pod_security_admission_configuration_template_name" argument on a rancher2_cluster_v2 resource (which sets "defaultPodSecurityAdmissionConfigurationTemplateName" in the cluster configuration), any further change to the cluster configuration adds a new entry to the cluster.provisioning.cattle.io resource in Rancher, as in the example below:

machineSelectorFiles:
    - fileSources:
      - configMap:
          name: ""
        secret:
          items:
          - hash: LW5oTV9pmpX7+xWMjgC3IgbHtLkSMlCgyaKXG13CihA=
            key: admission-config-psact
            path: /etc/rancher/rke2/config/rancher-psact.yaml
          name: <cluster-name>-admission-configuration-psact
      machineLabelSelector:
        matchLabels:
          rke.cattle.io/control-plane-role: "true" 

These blocks are not overwritten; instead, a new one is added each time, so subsequent changes to the cluster result in multiple blocks, as in the following example:

    - fileSources:
      - configMap:
          name: ""
        secret:
          items:
          - dynamic: true
            hash: LW5oTV9pmpX7+xWMjgC3IgbHtLkSMlCgyaKXG13CihA=
            key: admission-config-psact
            path: /etc/rancher/rke2/config/rancher-psact.yaml
          name: <cluster-name>-admission-configuration-psact
      machineLabelSelector:
        matchLabels:
          rke.cattle.io/control-plane-role: "true"
    - fileSources:
      - configMap:
          name: ""
        secret:
          items:
          - hash: LW5oTV9pmpX7+xWMjgC3IgbHtLkSMlCgyaKXG13CihA=
            key: admission-config-psact
            path: /etc/rancher/rke2/config/rancher-psact.yaml
          name: <cluster-name>-admission-configuration-psact
      machineLabelSelector:
        matchLabels:
          rke.cattle.io/control-plane-role: "true"

The issue arises when the "defaultPodSecurityAdmissionConfigurationTemplateName" parameter changes, which changes the hash recorded in this block. Having multiple blocks under "machineSelectorFiles" that point at the same secret but carry different hashes causes Rancher to error out and blocks sending the plan to the downstream cluster, with the following error:

Secret <cluster-name>-admission-configuration-psact does not contain the expected content

Cause

This behavior is the result of a bug in the Rancher2 Terraform Provider that duplicates the file reference for the PSACT secret instead of overwriting it whenever the cluster is changed from Terraform. The issue was tracked in GitHub issue #1426.

Resolution

The issue is fixed in version v5.2.0 and above of the Rancher2 Terraform Provider. Users should upgrade the provider to a version that contains the fix and is compatible with their Rancher instance.

The workaround in affected versions of the Rancher2 Terraform Provider is to delete, from the cluster.provisioning.cattle.io resource for the affected cluster, all of the older admission-config-psact blocks described above, i.e. those whose hash differs from the current one.

A good option is to keep only the most recently generated block (usually the one at the bottom), so that a single, current block remains, as in the example below.

The cluster.provisioning.cattle.io resource can be edited by navigating to Cluster Management in the Rancher UI and clicking Edit YAML for the relevant RKE2 cluster. After removing the older admission-config-psact blocks, click Save to apply the changes.

machineSelectorFiles:
      - fileSources:
          - configMap:
              name: ''
            secret:
              items:
                - hash: OBe4tz0Nne3By2yPn/e6L/FC3QzGlllyoYTPU/b8eeQ=
                  key: admission-config-psact
                  path: /etc/rancher/rke2/config/rancher-psact.yaml
              name: <cluster-name>-admission-configuration-psact
        machineLabelSelector:
          matchLabels:
            rke.cattle.io/control-plane-role: 'true'
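The same pruning can be checked and prepared from the command line instead of by hand-editing YAML. The following script is an added example written for this article; it is not part of the article, of Rancher, or of the Terraform provider. It assumes the cluster object is the JSON that `kubectl get clusters.provisioning.cattle.io <name> -n fleet-default -o json` returns and that the file references live under spec.rkeConfig.machineSelectorFiles (both assumptions, not stated by the article). It lists every hash the PSACT secret is referenced with (more than one hash means the duplication has happened), keeps only the last PSACT block, leaves unrelated machineSelectorFiles entries untouched, and emits a JSON merge patch. The embedded sample cluster is constructed: the two hashes are the ones shown in the article, while the cluster name "demo-cluster" and the extra "registries" file entry are invented to show that non-PSACT entries survive.

```python
"""Detect and prune duplicated PSACT secret references in a Rancher
provisioning.cattle.io/v1 Cluster object, keeping only the most recent one.

Added example for this article; assumptions (not from the article): input is
the JSON from `kubectl get clusters.provisioning.cattle.io <name>
-n fleet-default -o json`, and the references live under
spec.rkeConfig.machineSelectorFiles.
"""
import json

PSACT_SECRET_SUFFIX = "-admission-configuration-psact"
PSACT_KEY = "admission-config-psact"


def is_psact_entry(entry):
    """True if a machineSelectorFiles entry references the PSACT secret."""
    for src in entry.get("fileSources", []):
        secret = src.get("secret") or {}
        if secret.get("name", "").endswith(PSACT_SECRET_SUFFIX):
            return True
        if any(item.get("key") == PSACT_KEY for item in secret.get("items", [])):
            return True
    return False


def psact_hashes(files):
    """Hashes of every PSACT reference, in list order; more than one means duplication."""
    hashes = []
    for entry in files:
        if not is_psact_entry(entry):
            continue
        for src in entry.get("fileSources", []):
            for item in (src.get("secret") or {}).get("items", []):
                if item.get("key") == PSACT_KEY and item.get("hash"):
                    hashes.append(item["hash"])
    return hashes


def prune_psact_duplicates(files):
    """Return (pruned_list, removed_count).

    Non-PSACT entries are kept in place; of the PSACT entries only the last
    one (the most recently generated block) is kept. The input is not mutated.
    """
    idx = [i for i, e in enumerate(files) if is_psact_entry(e)]
    if len(idx) <= 1:
        return list(files), 0
    keep = idx[-1]
    pruned = [e for i, e in enumerate(files) if i == keep or i not in idx]
    return pruned, len(idx) - 1


def build_merge_patch(cluster_obj):
    """JSON merge patch (RFC 7386) for `kubectl patch --type merge`, or None.

    A merge patch replaces the whole list, which is exactly what is wanted:
    the downstream object ends up with the pruned machineSelectorFiles.
    """
    files = cluster_obj.get("spec", {}).get("rkeConfig", {}).get("machineSelectorFiles", [])
    pruned, removed = prune_psact_duplicates(files)
    if removed == 0:
        return None
    return {"spec": {"rkeConfig": {"machineSelectorFiles": pruned}}}


def _psact_entry(hash_value, dynamic=False):
    """Build one PSACT file block shaped like the article's YAML (constructed sample)."""
    item = {"key": PSACT_KEY, "path": "/etc/rancher/rke2/config/rancher-psact.yaml", "hash": hash_value}
    if dynamic:
        item["dynamic"] = True
    return {
        "fileSources": [{"configMap": {"name": ""},
                         "secret": {"name": "demo-cluster" + PSACT_SECRET_SUFFIX, "items": [item]}}],
        "machineLabelSelector": {"matchLabels": {"rke.cattle.io/control-plane-role": "true"}},
    }


# Constructed sample: an older PSACT block, an unrelated file entry (invented,
# to show it is preserved) and the current PSACT block, in that order.
SAMPLE_CLUSTER = {
    "spec": {"rkeConfig": {"machineSelectorFiles": [
        _psact_entry("LW5oTV9pmpX7+xWMjgC3IgbHtLkSMlCgyaKXG13CihA=", dynamic=True),
        {"fileSources": [{"secret": {"name": "demo-cluster-registries",
                                     "items": [{"key": "registries.yaml",
                                                "path": "/etc/rancher/rke2/registries.yaml"}]}}],
         "machineLabelSelector": {"matchLabels": {"rke.cattle.io/control-plane-role": "true"}}},
        _psact_entry("OBe4tz0Nne3By2yPn/e6L/FC3QzGlllyoYTPU/b8eeQ="),
    ]}}
}

if __name__ == "__main__":
    # Print the merge patch as JSON so it can be piped into kubectl.
    print(json.dumps(build_merge_patch(SAMPLE_CLUSTER), indent=2))
```

Run against a real object by replacing SAMPLE_CLUSTER with `json.load(sys.stdin)` and feeding it the kubectl output; inspect `psact_hashes()` first, and only apply the printed patch with `kubectl patch clusters.provisioning.cattle.io <name> -n fleet-default --type merge -p "$(...)"` once you have confirmed the surviving hash is the current one. Because a merge patch overwrites the list, re-fetch the object immediately before patching so no concurrent change is lost.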