How to resolve the error "Secret -admission-configuration-psact does not contain the expected content" when updating RKE2 clusters via Rancher2 Terraform Provider
Article Number: 000021585
Environment
- SUSE Rancher v2.6.x - v2.9.x
- Rancher2 Terraform Provider <= v5.1.x
- A Rancher-provisioned RKE2 cluster, managed via Terraform, with the default_pod_security_admission_configuration_template_name field set
Situation
After setting the "default_pod_security_admission_configuration_template_name" argument on a rancher2_cluster_v2 resource, which defines cluster configuration under "defaultPodSecurityAdmissionConfigurationTemplateName", any further change to the cluster configuration results in a new entry on the cluster.provisioning.cattle.io resource in Rancher, per the example below:
machineSelectorFiles:
- fileSources:
- configMap:
name: ""
secret:
items:
- hash: LW5oTV9pmpX7+xWMjgC3IgbHtLkSMlCgyaKXG13CihA=
key: admission-config-psact
path: /etc/rancher/rke2/config/rancher-psact.yaml
name: <cluster-name>-admission-configuration-psact
machineLabelSelector:
matchLabels:
rke.cattle.io/control-plane-role: "true"
These blocks are not overwritten, instead, a new one is added each time. Thus, subsequent changes to the cluster result in multiple blocks, per the following example:
- fileSources:
- configMap:
name: ""
secret:
items:
- dynamic: true
hash: LW5oTV9pmpX7+xWMjgC3IgbHtLkSMlCgyaKXG13CihA=
key: admission-config-psact
path: /etc/rancher/rke2/config/rancher-psact.yaml
name: <cluster-name>-admission-configuration-psact
machineLabelSelector:
matchLabels:
rke.cattle.io/control-plane-role: "true"
- fileSources:
- configMap:
name: ""
secret:
items:
- hash: LW5oTV9pmpX7+xWMjgC3IgbHtLkSMlCgyaKXG13CihA=
key: admission-config-psact
path: /etc/rancher/rke2/config/rancher-psact.yaml
name: <cluster-name>-admission-configuration-psact
machineLabelSelector:
matchLabels:
rke.cattle.io/control-plane-role: "true"
The issue arises when there is a change on the "defaultPodSecurityAdmissionConfigurationTemplateName" parameter, which changes the hash of this block. Having multiple identical blocks pointing at the same secret under "machineSelectorFiles", but with different hashes, causes Rancher to error out and blocks sending the plan to the downstream cluster with the following error:
Secret <cluster-name>-admission-configuration-psact does not contain the expected content
Cause
This behavior is the result of a bug that duplicates the file reference for the PSACT secret instead of overwriting it, whenever there is a change in the cluster from Terraform. The issue was tracked in GitHub issue #1426.
Resolution
The issue is fixed in version v5.2.0 and above of the Rancher2 Terraform Provider. Users should upgrade the provider to a version containing the fix and which is compatible with their Rancher instance.
The workaround for this issue, in affected versions of the Rancher 2 Terraform Provider, is to delete all of the older admission-config-psact blocks described above, which contain a different hash to the current one, from the cluster.provisioning.cattle.io resource for the affected cluster.
A good option is to just leave the last one generated (often the one on the bottom), so there is only one, and it is the most recent, per the example below.
The cluster.provisioning.cattle.io resource can be edited by navigating to Cluster Management in the Rancher UI, and clicking Edit YAML for the relevant RKE2 cluster. After removing the older admission-config-psact blocks click Save to save the changes.
machineSelectorFiles:
- fileSources:
- configMap:
name: ''
secret:
items:
- hash: OBe4tz0Nne3By2yPn/e6L/FC3QzGlllyoYTPU/b8eeQ=
key: admission-config-psact
path: /etc/rancher/rke2/config/rancher-psact.yaml
name: <cluster-name>-admission-configuration-psact
machineLabelSelector:
matchLabels:
rke.cattle.io/control-plane-role: 'true'