[Feature] Please add validation on the ca_certs provider argument

[matttrach]

Environment Information

• Terraform version: v1.5.7
• Rancher2 Provider version: v8.3.1
• Rancher version: v2.12.3
• Operating System of the Rancher Node: SLEMicro 6.1
• Operating System of the machine running Terraform: darwin_arm64
• Kubernetes Distro (k3s/rke2): rke2
• Kubernetes Version: v1.32.9+rke2r1
• Infrastructure Provider (AWS/GCP/vSphere/etc): AWS
• What is the scope of the token given to the provider? admin

Describe the Problem

The provider is failing to bootstrap with a panic. 
  # rancher2_bootstrap.admin will be created
   resource "rancher2_bootstrap" "admin" {
       current_password   = (sensitive value)
       id                               = (known after apply)
       initial_password       = (sensitive value)
       password                  = (sensitive value)
       temp_token              = (sensitive value)
       temp_token_id         = (known after apply)
       token                         = (sensitive value)
       token_id                    = (known after apply)
       token_ttl                    = 7200
       token_update            = true
       ui_default_landing    = "ember"
         url      = (known after apply)
         user   = (known after apply)
     }


 Error: Request cancelled
   with rancher2_bootstrap.admin,
   on main.tf line 14, in resource "rancher2_bootstrap" "admin":
   14: resource "rancher2_bootstrap" "admin" {

 The plugin.(*GRPCProvider).ApplyResourceChange request was cancelled.

 Stack trace from the terraform-provider-rancher2_v8.3.1 plugin:
 panic: runtime error: invalid memory address or nil pointer dereference
 [signal SIGSEGV: segmentation violation code=0x2 addr=0x8 pc=0x1051a9658]
 goroutine 83 [running]:
 github.com/rancher/norman/clientbase.(*APIOperations).DoByID(0x0, {0x106050223, 0x7}, {0x106056f8d, 0xb}, {0x1065fdb40, 0x14000750a80})
 github.com/rancher/norman@v0.5.2/clientbase/ops.go:250 +0x58
 github.com/rancher/rancher/pkg/client/generated/management/v3.(*SettingClient).ByID(0x140001318c8, {0x106056f8d, 0xb})
 github.com/rancher/rancher/pkg/client@v0.0.0/generated/management/v3/zz_generated_setting.go:120 +0x68
 github.com/rancher/terraform-provider-rancher2/rancher2.(*Config).getK8SDefaultVersion(0x140006cc180)
 github.com/rancher/terraform-provider-rancher2/rancher2/config.go:133 +0xfc
 github.com/rancher/terraform-provider-rancher2/rancher2.(*Config).ManagementClient(0x140006cc180)
 github.com/rancher/terraform-provider-rancher2/rancher2/config.go:250 +0x1dc
 github.com/rancher/terraform-provider-rancher2/rancher2.(*Config).RestartClients(0x140006cc180)
 github.com/rancher/terraform-provider-rancher2/rancher2/config.go:216 +0x100
 github.com/rancher/terraform-provider-rancher2/rancher2.(*Config).UpdateToken(0x14000990060?, {0x140000584b0?, 0x10604d291?})
 github.com/rancher/terraform-provider-rancher2/rancher2/config.go:205 +0x48
 github.com/rancher/terraform-provider-rancher2/rancher2.bootstrapDoLogin(0x1400110f3b0, {0x106aecae0, 0x140006cc180})
 github.com/rancher/terraform-provider-rancher2/rancher2/resource_rancher2_bootstrap.go:255 +0x3dc
 github.com/rancher/terraform-provider-rancher2/rancher2.resourceRancher2BootstrapCreate(0x1400110f3b0, {0x106aecae0, 0x140006cc180})
 github.com/rancher/terraform-provider-rancher2/rancher2/resource_rancher2_bootstrap.go:27 +0x4c
 github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Resource).Apply(0x14000998c80, 0x1400113c0f0, 0x14001110c60, {0x106aecae0, 0x140006cc180})
 github.com/hashicorp/terraform-plugin-sdk@v1.17.2/helper/schema/resource.go:320 +0x500
 github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Provider).Apply(0x1400099a000, 0x1400007b828, 0x1400113c0f0, 0x14001110c60)
 github.com/hashicorp/terraform-plugin-sdk@v1.17.2/helper/schema/provider.go:294 +0x6c
 github.com/hashicorp/terraform-plugin-sdk/internal/helper/plugin.(*GRPCProviderServer).ApplyResourceChange(0x14000130690, {0x106a1aee0?, 0x140008208b8?}, 0x1400110ee00)
 github.com/hashicorp/terraform-plugin-sdk@v1.17.2/internal/helper/plugin/grpc_provider.go:895 +0x674
 github.com/hashicorp/terraform-plugin-sdk/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x106a1aee0, 0x14000130690}, {0x106b28418, 0x14001138150}, 0x1400111f080, 0x0)
 github.com/hashicorp/terraform-plugin-sdk@v1.17.2/internal/tfplugin5/tfplugin5.pb.go:3305 +0x1c0
 google.golang.org/grpc.(*Server).processUnaryRPC(0x140008b6000, {0x106b28418, 0x140011380c0}, 0x140007c6600, 0x14000f81ce0, 0x107e762e0, 0x0)
 google.golang.org/grpc@v1.70.0/server.go:1400 +0xca8
 google.golang.org/grpc.(*Server).handleStream(0x140008b6000, {0x106b28ef8, 0x1400076a000}, 0x140007c6600)
 google.golang.org/grpc@v1.70.0/server.go:1810 +0x910
 google.golang.org/grpc.(*Server).serveStreams.func2.1()
 google.golang.org/grpc@v1.70.0/server.go:1030 +0x84
 created by google.golang.org/grpc.(*Server).serveStreams.func2 in goroutine 44
 google.golang.org/grpc@v1.70.0/server.go:1041 +0x13c

 Error: The terraform-provider-rancher2_v8.3.1 plugin crashed!

 This is always indicative of a bug within the plugin. It would be immensely
 helpful if you could report the crash with the plugin's maintainers so that it
 can be fixed. The output above should help diagnose the issue.

Here is my config:

locals {
  rancher_domain  = var.rancher_domain
  ca_certs               = var.ca_certs
  admin_password = var.admin_password
}

provider "rancher2" {
  api_url   = "https://${local.rancher_domain}"
  bootstrap = true
  ca_certs  = local.ca_certs
  timeout   = "300s"
}

resource "rancher2_bootstrap" "admin" {
  initial_password = local.admin_password
  password            = local.admin_password
  token_update     = true
  token_ttl             = 7200 # 2 hours
}

[matttrach]

It seems to be having trouble getting the k8s-version from the config, so maybe I am using an invalid k8s version for rke2 and Rancher.

[matttrach]

v1.32.9 is the latest v1.32.x release, https://github.com/rancher/rke2/releases/tag/v1.32.9%2Brke2r1 it was released Sept 18th.

[matttrach]

https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/rancher-v2-12-3/
It appears that v1.32 of kubernetes is supported for Rancher v2.12.3

[matttrach]

ok, looking at the trace in more detail it seems the apiClient.Ops call is returning a nil apiClient, which is causing a panic when we try to use the apiClient's DoByID function.
I see a potential race condition since we are using the management client after calling restart clients. Maybe our use of the management client is failing because the restart clients call haven't finished updating the client object.
github.com/rancher/terraform-provider-rancher2/rancher2.(*Config).ManagementClient(0x140006cc180)
github.com/rancher/terraform-provider-rancher2/rancher2/config.go:250 +0x1dc
github.com/rancher/terraform-provider-rancher2/rancher2.(*Config).RestartClients(0x140006cc180)

I think maybe the call to updateToken is the culprit using the management client. I am going to try removing the updateToken call by explicitly setting the update_token argument to false.

[matttrach]

This didn't work, so I am going to try stripping down the arguments to the provider to as little options as possible.

[matttrach]

I rebooted my workstation (the computer running Terraform), upgraded to the latest macOs version, uninstalled and reinstalled Nix, and cleared a lot of disk space in the process. The panic is no longer happening... I can only guess that I was running into disk i/o issues and it was surfacing race conditions that are otherwise hard to reach. I am slowly adding back options to see if the problem is completely gone now.

[matttrach]

OK, I was able to reproduce. It has something to do with the ca_certs argument on the provider.

[matttrach]

OK, so I was setting the ca_certs argument to the base64 encoded string value, when I added base64decode to the argument input everything worked.
So this works:

locals {
  rancher_domain  = var.rancher_domain
  ca_certs               = base64decode(var.ca_certs) # assuming the variable is base64 encoded
  admin_password = var.admin_password
}

# WARNING! sending base64 encoded data in the ca_certs argument causes a panic
provider "rancher2" {
  api_url   = "https://${local.rancher_domain}"
  bootstrap = true
  ca_certs  = local.ca_certs
  timeout   = "300s"
}

resource "rancher2_bootstrap" "admin" {
  initial_password = local.admin_password
  password            = local.admin_password
  token_update     = true
  token_ttl             = 7200 # 2 hours
}

[matttrach]

This is a bug in the provider, it should be validating the format of any string provided by the user before acting on it.
That being said, since this only affects the single input and only if the wrong data format is given this will be low priority.