Make IgnoreUpdate secrets optional

brandond · brandond · commit acc2fdf9c273 · 2025-03-03T13:47:46.000-08:00
Fixes issue where nonexistent secret with ignoreUpdate set would cause the plan to endlessly requeue due to errors. If it is ignored for purposes of plan hash, it should be optional.

Signed-off-by: Brad Davidson &lt;brad.davidson@rancher.com&gt;
diff --git a/pkg/upgrade/handle_upgrade.go b/pkg/upgrade/handle_upgrade.go
@@ -40,7 +40,7 @@ func (ctl *Controller) handlePlans(ctx context.Context) error {
 			// validate plan, and generate events for transitions
 			validated := upgradeapiv1.PlanSpecValidated
 			validated.CreateUnknownIfNotExists(obj)
-			if err := upgradeplan.Validate(obj); err != nil {
+			if err := upgradeplan.Validate(obj, secretsCache); err != nil {
 				if !validated.IsFalse(obj) {
 					recorder.Eventf(obj, corev1.EventTypeWarning, "ValidateFailed", "Failed to validate plan: %v", err)
 				}
diff --git a/pkg/upgrade/job/job.go b/pkg/upgrade/job/job.go
@@ -288,6 +288,7 @@ func New(plan *upgradeapiv1.Plan, node *corev1.Node, controllerName string) *bat
 			VolumeSource: corev1.VolumeSource{
 				Secret: &corev1.SecretVolumeSource{
 					SecretName: secret.Name,
+					Optional:   pointer.Bool(secret.IgnoreUpdates),
 				},
 			},
 		})
diff --git a/pkg/upgrade/plan/plan.go b/pkg/upgrade/plan/plan.go
@@ -79,15 +79,17 @@ func DigestStatus(plan *upgradeapiv1.Plan, secretCache corectlv1.SecretCache) (u
 		}
 
 		for _, s := range plan.Spec.Secrets {
-			secret, err := secretCache.Get(plan.Namespace, s.Name)
-			if err != nil {
-				return plan.Status, err
-			}
 			if !s.IgnoreUpdates {
+				secret, err := secretCache.Get(plan.Namespace, s.Name)
+				if err != nil {
+					return plan.Status, err
+				}
+
 				secretHash, err := hash.SecretHash(secret)
 				if err != nil {
 					return plan.Status, err
 				}
+
 				h.Write([]byte(secretHash))
 			}
 		}
@@ -239,7 +241,7 @@ func sha256sum(s ...string) string {
 }
 
 // Validate performs validation of the plan spec, raising errors for any conflicting or invalid settings.
-func Validate(plan *upgradeapiv1.Plan) error {
+func Validate(plan *upgradeapiv1.Plan, secretCache corectlv1.SecretCache) error {
 	if drainSpec := plan.Spec.Drain; drainSpec != nil {
 		if drainSpec.DeleteEmptydirData != nil && drainSpec.DeleteLocalData != nil {
 			return ErrDrainDeleteConflict
@@ -262,5 +264,16 @@ func Validate(plan *upgradeapiv1.Plan) error {
 	if delay := plan.Spec.PostCompleteDelay; delay != nil && delay.Duration < 0 {
 		return ErrInvalidDelay
 	}
-	return nil
+
+	sErrs := []error{}
+	for _, secret := range plan.Spec.Secrets {
+		if secret.IgnoreUpdates {
+			continue
+		}
+		if _, err := secretCache.Get(plan.Namespace, secret.Name); err != nil {
+			sErrs = append(sErrs, err)
+		}
+	}
+
+	return merr.NewErrors(sErrs...)
 }

Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ func (ctl *Controller) handlePlans(ctx context.Context) error {`
`40`	`40`	`// validate plan, and generate events for transitions`
`41`	`41`	`validated := upgradeapiv1.PlanSpecValidated`
`42`	`42`	`validated.CreateUnknownIfNotExists(obj)`
`43`		`- if err := upgradeplan.Validate(obj); err != nil {`
	`43`	`+ if err := upgradeplan.Validate(obj, secretsCache); err != nil {`
`44`	`44`	`if !validated.IsFalse(obj) {`
`45`	`45`	`recorder.Eventf(obj, corev1.EventTypeWarning, "ValidateFailed", "Failed to validate plan: %v", err)`
`46`	`46`	`}`