
How to resolve the error "Secret -admission-configuration-psact does not contain the expected content" when updating RKE2 clusters via Rancher2 Terraform Provider

This document (000021585) is provided subject to the disclaimer at the end of this document.

Environment

  • SUSE Rancher v2.6.x - v2.9.x
  • Rancher2 Terraform Provider <= v5.1.x
  • A Rancher-provisioned RKE2 cluster, managed via Terraform, with the default_pod_security_admission_configuration_template_name field set

Situation

After setting the "default_pod_security_admission_configuration_template_name" argument on a rancher2_cluster_v2 resource, which sets "defaultPodSecurityAdmissionConfigurationTemplateName" in the cluster configuration, any further change to the cluster configuration adds a new entry to the cluster.provisioning.cattle.io resource in Rancher, per the example below:

machineSelectorFiles:
    - fileSources:
      - configMap:
          name: ""
        secret:
          items:
          - hash: LW5oTV9pmpX7+xWMjgC3IgbHtLkSMlCgyaKXG13CihA=
            key: admission-config-psact
            path: /etc/rancher/rke2/config/rancher-psact.yaml
          name: <cluster-name>-admission-configuration-psact
      machineLabelSelector:
        matchLabels:
          rke.cattle.io/control-plane-role: "true"

These blocks are not overwritten; instead, a new one is added each time, so subsequent changes to the cluster result in multiple blocks, per the following example:

    - fileSources:
      - configMap:
          name: ""
        secret:
          items:
          - dynamic: true
            hash: LW5oTV9pmpX7+xWMjgC3IgbHtLkSMlCgyaKXG13CihA=
            key: admission-config-psact
            path: /etc/rancher/rke2/config/rancher-psact.yaml
          name: <cluster-name>-admission-configuration-psact
      machineLabelSelector:
        matchLabels:
          rke.cattle.io/control-plane-role: "true"
    - fileSources:
      - configMap:
          name: ""
        secret:
          items:
          - hash: LW5oTV9pmpX7+xWMjgC3IgbHtLkSMlCgyaKXG13CihA=
            key: admission-config-psact
            path: /etc/rancher/rke2/config/rancher-psact.yaml
          name: <cluster-name>-admission-configuration-psact
      machineLabelSelector:
        matchLabels:
          rke.cattle.io/control-plane-role: "true"

The issue arises when the "defaultPodSecurityAdmissionConfigurationTemplateName" parameter changes, because that changes the hash recorded in this block. Multiple otherwise identical blocks under "machineSelectorFiles" that point at the same secret but carry different hashes cause Rancher to error out and block delivery of the plan to the downstream cluster with the following error:

Secret <cluster-name>-admission-configuration-psact does not contain the expected content

Resolution

The workaround for this issue is to delete, from the cluster.provisioning.cattle.io resource, all of the older admission-config-psact blocks described above that carry a different hash from the current one.

A good option is to leave only the last one generated (usually the one at the bottom), so that a single block remains and it is the most recent, per the example below.

The cluster.provisioning.cattle.io resource can be edited by navigating to Cluster Management in the Rancher UI and clicking Edit YAML for the relevant RKE2 cluster. After removing the older admission-config-psact blocks, click Save to apply the changes.

machineSelectorFiles:
      - fileSources:
          - configMap:
              name: ''
            secret:
              items:
                - hash: OBe4tz0Nne3By2yPn/e6L/FC3QzGlllyoYTPU/b8eeQ=
                  key: admission-config-psact
                  path: /etc/rancher/rke2/config/rancher-psact.yaml
              name: <cluster-name>-admission-configuration-psact
        machineLabelSelector:
          matchLabels:
            rke.cattle.io/control-plane-role: 'true'
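
The following Python script is an added example (not SUSE's or Rancher's code) that applies the same clean-up programmatically and first reports the conflicting state the error describes. It works on the parsed cluster object, for example the output of `kubectl get clusters.provisioning.cattle.io <name> -n fleet-default -o json`; the `fleet-default` namespace, the `spec.rkeConfig.machineSelectorFiles` path, the cluster name `example-cluster` and the unrelated `custom.yaml` entry are assumptions used to build the constructed sample, while the secret name suffix, the `admission-config-psact` key and the two hashes are the ones shown in this article.

```python
# Added example (not SUSE's or Rancher's code): detect duplicated PSACT
# machineSelectorFiles entries and keep only the most recent one, as the
# workaround above describes.
import copy
import json

PSACT_KEY = "admission-config-psact"                    # item key shown in the article
PSACT_SECRET_SUFFIX = "-admission-configuration-psact"  # secret name pattern shown in the article

# Constructed sample cluster object. The namespace, the spec.rkeConfig path,
# the cluster name and the first (unrelated) entry are assumptions; the hashes
# are the ones the article shows. The unrelated entry must survive the clean-up.
SAMPLE_CLUSTER = {
    "apiVersion": "provisioning.cattle.io/v1",
    "kind": "Cluster",
    "metadata": {"name": "example-cluster", "namespace": "fleet-default"},
    "spec": {"rkeConfig": {"machineSelectorFiles": [
        {"fileSources": [{"secret": {"name": "example-cluster-custom-file",
                                     "items": [{"key": "custom.yaml",
                                                "path": "/etc/rancher/rke2/config/custom.yaml"}]}}],
         "machineLabelSelector": {"matchLabels": {"rke.cattle.io/control-plane-role": "true"}}},
        {"fileSources": [{"configMap": {"name": ""},
                          "secret": {"name": "example-cluster-admission-configuration-psact",
                                     "items": [{"dynamic": True,
                                                "hash": "LW5oTV9pmpX7+xWMjgC3IgbHtLkSMlCgyaKXG13CihA=",
                                                "key": PSACT_KEY,
                                                "path": "/etc/rancher/rke2/config/rancher-psact.yaml"}]}}],
         "machineLabelSelector": {"matchLabels": {"rke.cattle.io/control-plane-role": "true"}}},
        {"fileSources": [{"configMap": {"name": ""},
                          "secret": {"name": "example-cluster-admission-configuration-psact",
                                     "items": [{"hash": "OBe4tz0Nne3By2yPn/e6L/FC3QzGlllyoYTPU/b8eeQ=",
                                                "key": PSACT_KEY,
                                                "path": "/etc/rancher/rke2/config/rancher-psact.yaml"}]}}],
         "machineLabelSelector": {"matchLabels": {"rke.cattle.io/control-plane-role": "true"}}},
    ]}},
}


def psact_refs(entry):
    """Yield (secret name, hash) for every PSACT item referenced by one entry."""
    for src in entry.get("fileSources", []):
        secret = src.get("secret") or {}
        for item in secret.get("items", []):
            if item.get("key") == PSACT_KEY or secret.get("name", "").endswith(PSACT_SECRET_SUFFIX):
                yield secret.get("name", ""), item.get("hash")


def find_conflicts(files):
    """Map secret name -> list of hashes (in list order) for PSACT secrets that
    more than one entry points at; a non-empty result is the state that
    triggers the 'does not contain the expected content' error."""
    seen = {}
    for entry in files:
        for name, digest in psact_refs(entry):
            seen.setdefault(name, []).append(digest)
    return {name: hashes for name, hashes in seen.items() if len(hashes) > 1}


def dedupe_psact_entries(files):
    """Return a new list that keeps the last PSACT entry (the most recent one)
    and every non-PSACT entry, preserving the original order."""
    psact_idx = [i for i, e in enumerate(files) if any(True for _ in psact_refs(e))]
    drop = set(psact_idx[:-1])  # every PSACT entry except the last one
    return [e for i, e in enumerate(files) if i not in drop]


def fix_cluster(cluster):
    """Deep copy of the cluster object with deduplicated machineSelectorFiles."""
    fixed = copy.deepcopy(cluster)
    rke = fixed["spec"]["rkeConfig"]
    rke["machineSelectorFiles"] = dedupe_psact_entries(rke.get("machineSelectorFiles", []))
    return fixed


def json_patch(cluster):
    """JSON Patch body that replaces the whole list with the deduplicated one,
    usable with `kubectl patch ... --type=json -p <body>`."""
    files = dedupe_psact_entries(cluster["spec"]["rkeConfig"].get("machineSelectorFiles", []))
    return json.dumps([{"op": "replace",
                        "path": "/spec/rkeConfig/machineSelectorFiles",
                        "value": files}])


if __name__ == "__main__":
    files = SAMPLE_CLUSTER["spec"]["rkeConfig"]["machineSelectorFiles"]
    print("conflicting PSACT references:", find_conflicts(files))
    meta = SAMPLE_CLUSTER["metadata"]
    print(f"kubectl patch clusters.provisioning.cattle.io {meta['name']} "
          f"-n {meta['namespace']} --type=json -p '{json_patch(SAMPLE_CLUSTER)}'")
```

Run `find_conflicts` first as a read-only check; it lists every PSACT secret that is referenced by more than one block, together with the hashes involved, which is exactly the condition behind the error. Only when that reports something should the patch be applied, and reviewing the printed `kubectl patch` command before running it keeps the change as deliberate as editing the YAML in the UI.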

Cause

This behavior is the result of a bug that duplicates the file reference for the PSACT secret instead of overwriting it, whenever there is a change in the cluster from Terraform. This is tracked in GitHub issue #1426.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.