fix(bucket): retry the release until COSI provisions the BucketInfo Secret#3320
Draft
Andrey Kolkov (androndo) wants to merge 1 commit into
Draft
fix(bucket): retry the release until COSI provisions the BucketInfo Secret#3320Andrey Kolkov (androndo) wants to merge 1 commit into
Andrey Kolkov (androndo) wants to merge 1 commit into
Conversation
…ecret The -credentials Secret rendered by system/bucket was gated on a Helm lookup of the COSI-provisioned BucketInfo Secret. COSI provisions that Secret asynchronously, after the BucketAccess is granted, and Helm only re-evaluates lookup during a real install/upgrade attempt — so when the Secret appeared after the release's last render, the -credentials Secret was silently skipped and never created (nothing triggers another render). Consumers such as the platform backup flow then hang forever on the missing Secret (CredentialsProjectionPending). Fail the render instead of skipping: the parent HelmRelease already sets install/upgrade remediation retries to -1, so helm-controller keeps retrying (re-rendering) the release until the COSI Secret exists, at which point the credentials materialise. A bucket whose credentials are not usable yet now reports not-Ready instead of Ready, and a Secret that exists but carries no BucketInfo key fails with a clear message instead of a cryptic b64dec error. The bucket chainsaw e2e now asserts the child release converges to Ready and both projected -credentials Secrets exist, and the S3 access check authenticates with keys taken from the projected Secrets rather than the raw COSI BucketInfo, proving the user-facing Secrets carry working credentials. Fixes #3247 Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Contributor
|
Important Review skippedDraft detected. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this PR does
Fixes #3247. The
-credentialsSecret rendered bysystem/bucket(packages/system/bucket/templates/user-credentials.yaml) was gated on a Helmlookupof the COSI-provisioned BucketInfo Secret. COSI provisions that Secret asynchronously, after the BucketAccess is granted, and Helm re-evaluateslookuponly during a real install/upgrade attempt — so when the COSI Secret appeared after the release's last render, the-credentialsSecret was silently skipped and never created (nothing triggers another render; the release is otherwise unchanged). Consumers such as the platform backup flow (backupstrategy-controllerprojectingbucket-cozy-backups-system-credentials) then hang forever inCredentialsProjectionPending.The fix makes the render fail instead of silently skipping while the COSI Secret is missing. The parent HelmRelease (rendered by
apps/bucket) already setsinstall/upgraderemediationretries: -1, so helm-controller keeps retrying — and each retry re-renders, re-evaluating thelookup— until the COSI Secret exists and the credentials materialise. This is the "bounded requeue re-render" option from #3247, implemented with machinery already in place; no controller changes, no new images, and it works on the currently pinned Flux 2.8.x.Side effects, both intentional:
BucketInfokey fails with a clear message instead of a crypticb64decnil error.Why not the other #3247 options: an event-driven projection in cozystack-controller needs a watch on
objectstorage.k8s.ioCRDs that don't exist yet when the controller starts on fresh bootstraps (plus cache/RBAC surface); replacing the lookup withvaluesFrom+targetPathcannot carry the BucketInfo JSON through helm-controller's--setparsing —literal: truefixes that but only exists since helm-controller 1.6 (Flux 2.9), while the platform pins Flux 2.8.x. This chart-only fix can later be superseded by thevaluesFrom literalapproach after a Flux bump.Tests
helm-unittestsuite for the gate (kubernetesProvider-mocked lookup): renders one Secret per user with trimmed endpoint once the COSI Secrets exist; fails with the retry message while one is missing; fails on a Secret withoutBucketInfo; renders nothing for a user-less bucket.bucket-test-systemrelease converges to Ready and both projected-credentialsSecrets exist, and the S3 access check (mc) authenticates with keys taken from the projected Secrets instead of the raw COSI BucketInfo — proving end-to-end that the user-facing Secrets carry working credentials.make -C packages/system/bucket testpasses.helm lintfailure on_namespace.hostis pre-existing on main (chart has no defaults for the platform-injected_namespace).Downstream repositories
Release note
🤖 Generated with Claude Code