
TridentBackendConfig credentials don't support AWS China partition secret ARN(hardcode bug) #913

Open
liyifei-aws opened this issue Jul 18, 2024 · 0 comments


Describe the bug
logs:
time="2024-07-17T18:35:40Z" level=info msg="deferred syncing TridentBackendConfig 'netapp-trident/backend-tbc-ontap-nas', requeuing; reconcile deferred; problem initializing storage driver 'ontap-nas': error initializing ontap-nas AWS driver; secret ARN arn:aws-cn:secretsmanager:cn-north-1:xxxx:secret:xxxxxx is invalid" crdControllerEvent=add logLayer=crd_frontend logSource=trident-crd-controller requestID=4d710533-272e-4ecd-a10e-de474f7bd0d2 requestSource=CRD workflow="cr=reconcile"

The logs show that using the secret ARN is not effective. After tracing the error message, we found that the root cause in the source code is that the ARN check is hardcoded to the aws partition and does not take into account that the China partition is aws-cn.

source bug location:

secretARNRegex = regexp.MustCompile(`^arn:aws:secretsmanager:(?P<region>[^:]+):(?P<accountID>\d{12}):secret:(?P<secretName>[A-z0-9/_+=.@-]+)-[A-z0-9/_+=.@-]{6}$`)

Environment
EKS 1.29, AWS China (cn-north-1)

  • Trident version: 100.2406.0
  • Trident installation flags used: [e.g. -d -n trident --use-custom-yaml]
  • Container runtime: [e.g. Docker 19.03.1-CE]
  • Kubernetes version: [e.g. 1.15.1]
  • Kubernetes orchestrator: [e.g. OpenShift v3.11, Rancher v2.3.3]
  • Kubernetes enabled feature gates: [e.g. CSINodeInfo]
  • OS: [e.g. RHEL 7.6, Ubuntu 16.04]
  • NetApp backend types: AWS
  • Other:

To Reproduce
Steps to reproduce the behavior:

Expected behavior

cat <<EOF | kubectl apply -f -
apiVersion: trident.netapp.io/v1
kind: TridentBackendConfig
metadata:
  name: backend-tbc-ontap-nas
  namespace: $TRIDENT_NAMESPACE
spec:
  version: 1
  storageDriverName: ontap-nas
  backendName: tbc-ontap-nas
  labels:
    k8scluster: posit-workbench-cluster-dev1
    backend: xxxxx-nasbackend
  aws:
    fsxFilesystemID: $FSX_ID
    apiRegion: cn-north-1
  managementLIF: $SVM_DNS_NAME
  credentials:
    name: "arn:aws-cn:secretsmanager:cn-north-1:xxxx:secret:xxxxx"
    type: awsarn
EOF

Additional context
Add any other context about the problem here.
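As an added illustration (not part of the issue report, and not Trident's own fix), the Go snippet below puts the pattern quoted in the issue beside a hypothetical partition-aware variant and runs constructed sample ARNs through both. The partition list in the new pattern, the SecretARN type, ParseSecretARN and the sample ARNs are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// The pattern quoted in the issue: the partition is the literal "aws", so any
// ARN from the China (aws-cn) or GovCloud (aws-us-gov) partition is rejected.
var secretARNRegexOld = regexp.MustCompile(
	`^arn:aws:secretsmanager:(?P<region>[^:]+):(?P<accountID>\d{12}):secret:(?P<secretName>[A-z0-9/_+=.@-]+)-[A-z0-9/_+=.@-]{6}$`)

// Hypothetical partition-aware variant (an assumption for this example, not
// Trident's own fix): the partition becomes a named group restricted to the
// three partitions AWS publishes, so a typo such as "aws-xx" is still rejected.
var secretARNRegexNew = regexp.MustCompile(
	`^arn:(?P<partition>aws|aws-cn|aws-us-gov):secretsmanager:(?P<region>[^:]+):(?P<accountID>\d{12}):secret:(?P<secretName>[A-z0-9/_+=.@-]+)-[A-z0-9/_+=.@-]{6}$`)

// SecretARN holds the components extracted from a Secrets Manager ARN.
type SecretARN struct {
	Partition  string
	Region     string
	AccountID  string
	SecretName string
}

// ParseSecretARN validates arn against re and returns its named components.
// The error text mirrors the message seen in the Trident log quoted above.
func ParseSecretARN(re *regexp.Regexp, arn string) (*SecretARN, error) {
	m := re.FindStringSubmatch(arn)
	if m == nil {
		return nil, fmt.Errorf("secret ARN %s is invalid", arn)
	}
	// The old pattern has no partition group; it can only ever match "aws".
	out := &SecretARN{Partition: "aws"}
	for i, name := range re.SubexpNames() {
		switch name {
		case "partition":
			out.Partition = m[i]
		case "region":
			out.Region = m[i]
		case "accountID":
			out.AccountID = m[i]
		case "secretName":
			out.SecretName = m[i]
		}
	}
	return out, nil
}

func main() {
	// Constructed sample ARNs (not from the issue): account ID and secret name
	// are placeholders; the six-character suffix is the one Secrets Manager
	// appends to every secret ARN.
	samples := []string{
		"arn:aws:secretsmanager:us-east-1:123456789012:secret:fsx-svm-creds-AbCdEf",
		"arn:aws-cn:secretsmanager:cn-north-1:123456789012:secret:fsx-svm-creds-AbCdEf",
		"arn:aws-us-gov:secretsmanager:us-gov-west-1:123456789012:secret:fsx-svm-creds-AbCdEf",
		"arn:aws-xx:secretsmanager:cn-north-1:123456789012:secret:fsx-svm-creds-AbCdEf",
	}
	for _, arn := range samples {
		_, errOld := ParseSecretARN(secretARNRegexOld, arn)
		p, errNew := ParseSecretARN(secretARNRegexNew, arn)
		fmt.Printf("%-88s old=%-5v new=%-5v", arn, errOld == nil, errNew == nil)
		if errNew == nil {
			fmt.Printf(" partition=%s region=%s secret=%s", p.Partition, p.Region, p.SecretName)
		}
		fmt.Println()
	}
}
```

Running it shows the old pattern accepting only the first ARN, while the variant accepts the aws, aws-cn and aws-us-gov forms and still rejects the unknown partition. Restricting the partition group to the published names keeps the check strict; a permissive `[^:]+` in that position would let any string through.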
