Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SecurityGroup in Composition is created twice #378

Closed
janwillies opened this issue Oct 12, 2020 · 8 comments
Closed

SecurityGroup in Composition is created twice #378

janwillies opened this issue Oct 12, 2020 · 8 comments
Labels
bug Something isn't working

Comments

@janwillies
Copy link
Contributor

What happened?

A security group in a crossplane composition is created twice:

CannotCreateExternalResource 24s managed/securitygroup.ec2.aws.crossplane.io failed to create the SecurityGroup resource: InvalidGroup.Duplicate: The security group 'cnp-test-1-7blj8' already exists for VPC 'vpc-abcdef'

Manual creation works fine (outside of a composition).

How can we reproduce it?

composition.yaml:

apiVersion: apiextensions.crossplane.io/v1alpha1
kind: Composition
metadata:
  name: cnp-sg
  labels:
    provider: aws
spec:
  writeConnectionSecretsToNamespace: crossplane-system
  reclaimPolicy: Delete
  compositeTypeRef:
    apiVersion: kubernetes.cnp.example.org/v1alpha1
    kind: CompositeControlPlane    
  resources:
  - base:
      apiVersion: ec2.aws.crossplane.io/v1beta1
      kind: SecurityGroup
      spec:
        forProvider:
          region: eu-central-1
          description: allow access
          ingress:
          - fromPort: 443
            toPort: 443
            ipProtocol: tcp
            ipRanges:
            - cidrIp: 192.168.0.0/24
              description: test
          vpcId: vpc-abcdef
        reclaimPolicy: Delete
        providerConfigRef:
          name: aws-provider        
    patches:
    - fromFieldPath: "metadata.labels"
      toFieldPath: "metadata.labels"
    - fromFieldPath: "metadata.annotations"
      toFieldPath: "metadata.annotations"
    - fromFieldPath: "metadata.name"
      toFieldPath: "spec.forProvider.groupName"

xrd.yaml

apiVersion: apiextensions.crossplane.io/v1alpha1
kind: CompositeResourceDefinition
metadata:
  name: compositecontroleplanes.kubernetes.cnp.example.org
spec:
  defaultCompositionRef:
    name: cnp-sg
  claimNames:
    kind: ControlPlane
    plural: controlplanes
  crdSpecTemplate:
    group: kubernetes.cnp.example.org
    version: v1alpha1
    names:
      kind: CompositeControlPlane
      listKind: CompositeControlPlaneList
      plural: compositecontroleplanes
      singular: compositecontroleplane
    validation:
      openAPIV3Schema:
        type: object
        properties:
          spec: {}

xrc.yaml

apiVersion: kubernetes.cnp.example.org/v1alpha1
kind: ControlPlane
metadata:
  name: cnp-test-1
spec: {}

What environment did it happen in?

Crossplane version: v0.13.0
provider-aws: v0.12.0
@janwillies janwillies added the bug Something isn't working label Oct 12, 2020
@mothershipper
Copy link

There may be a second part to this that affects how it works with compositions, but we've noticed that unlike the RDSInstance CRD, the SecurityGroup CRD checks the CRD for an external-name annotation, and decides the security group does not exist if the CRD has yet to be updated. This will cause the controller to try and double create the security group if it's still in progress of bringing one up.

https://github.com/crossplane/provider-aws/blob/master/pkg/controller/ec2/securitygroup/controller.go#L103-L105

@negz
Copy link
Member

negz commented Nov 3, 2020

It's possible this could be due to crossplane/crossplane#1910.

@janwillies
Copy link
Contributor Author

Not propagating the annotations solves this issue. E.g. removing the following from the composition:

    - fromFieldPath: "metadata.annotations"
      toFieldPath: "metadata.annotations"

@muvaf
Copy link
Member

muvaf commented Feb 24, 2021

Is there an action item for this? We can't prevent patching the external name annotation since it's valid for other use cases. Also copying the full annotations is kind of fine to some extent if your composition has only one base. So, I'm not sure what we can do here. Feel free to reopen.

@muvaf muvaf closed this as completed Feb 24, 2021
@janwillies janwillies mentioned this issue Mar 10, 2021
Closed
@mf-lit
Copy link

mf-lit commented Mar 11, 2021

I've run into this issue but with an IAMPolicy rather than a SecurityGroup #590

@muvaf I'm not clear however why this issue was closed? If we need to explicitly set the name of an an IAMPolicy (or for that matter a SecurityGroup) then we need to pass the crossplane.io/external-name annotation.

@muvaf
Copy link
Member

muvaf commented Mar 11, 2021

@mf-lit The problem happens only when you do the full copy of the annotations. It'd work if you specify the certain keys you want to patch like the following:

- fromFieldPath: "metadata.annotations[crossplane.io/external-name]"
  toFieldPath: "metadata.annotations[crossplane.io/external-name]"

@mf-lit
Copy link

mf-lit commented Mar 15, 2021

@muvaf Ah ok, good tip, thanks. 👍

I'm still curious though, to me it seems like the inability to pass full annotations would be useful, but since the issue was closed I'm guessing there's a reason not to allow it - what is that?

@muvaf
Copy link
Member

muvaf commented Mar 15, 2021

It's about the operation itself. When you give the full metadata.annotations it replaces the whole map which includes identifiers provider use for talking with AWS. For example, if external name annotation is empty, it decides to create the resource.

@muvaf muvaf mentioned this issue Mar 24, 2021
Closed
@alexandru-crossover alexandru-crossover mentioned this issue Nov 15, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@negz @janwillies @muvaf @mf-lit @mothershipper