CARM ack-role-account-map ConfigMap updates are not propagated to ACK controllers #2088
Labels
area/runtime
Issues or PRs as related to controller runtime, common reconciliation logic, etc
kind/bug
Categorizes issue or PR as related to a bug.
priority/critical-urgent
Highest priority. Must be actively worked on as someone's top priority right now.
Describe the bug
CARM ack-role-account-map ConfigMap updates are not propagated to ACK controllers. Maybe related to #2011.
Steps to reproduce
I performed the following scenario:
ack-role-account-map ConfigMap 11111111111 in the data field in the to

After changing the value of "11111111111" AWS subscription id to a dummy value (adding the 2 at the end of the value), I still managed to create a Role and a Policy in the ns-ack-test namespace (see below the Namespace spec). This is not the desired behaviour, since that role doesn't exist (with the 2 character at the end of the string).

After I restarted the IAM controller's pod, I got 403s, the expected behaviour, since that role is not a valid one.

Vice versa, if I start with a wrong CARM configuration (wrong assumed role names), I get 403s as expected, and after I fix the role name in ack-role-account-map to match the correct assumed role, I still receive 403s when trying to create resources.

This makes me think that although the log messages say that the runtime cache is updated, the change is not propagated to ACK controllers.
Expected outcome
When ack-role-account-map is edited, ACK controllers will use the updated values from the data field.
Environment
Tested with the latest version of IAM controller (v1.3.8 that contains the updated v0.34.0 runtime version, which also integrated this PR Resolve race condition between CARM ConfigMap and reconciler for annotated namespaces runtime#138)

The namespace where I tried to create a Role and a Policy with the IAM controller