[Bug]: ReplicationGroup.elasticache.aws.upbound.io/v1beta2 fails to sync when transitEncryptionEnabled is false #1654

Open
1 task done
alexinthesky opened this issue Jan 30, 2025 · 4 comments
Labels
bug Something isn't working needs:triage

Comments

@alexinthesky
Contributor

Is there an existing issue for this?

  • I have searched the existing issues

Affected Resource(s)

  • elasticache.aws.upbound.io/v1beta2 ReplicationGroup

Resource MRs required to reproduce the bug

apiVersion: elasticache.aws.upbound.io/v1beta2
kind: ReplicationGroup
metadata:
  name: pr507-preview-redis
spec:
  forProvider:
    atRestEncryptionEnabled: "true"
    autoMinorVersionUpgrade: "true"
    automaticFailoverEnabled: true
    description: Redis pr507-preview-redis-with-replica
    engine: redis
    engineVersion: "7.0"
    multiAzEnabled: true
    nodeType: cache.t3.small
    numCacheClusters: 2
    parameterGroupName: default.redis7
    port: 6379
    region: eu-west-3
    securityGroupIdSelector:
      matchLabels:
        access: elasticache
    subnetGroupNameSelector:
      matchLabels:
        xnetworks: pr507-preview

Steps to Reproduce

apply the replicationgroup

What happened?

resource doesn't sync

Relevant Error Output Snippet

Normal   CreatedExternalResource       19m                   managed/elasticache.aws.upbound.io/v1beta2, kind=replicationgroup  Successfully requested creation of external resource
  Warning  CannotUpdateExternalResource  10m                   managed/elasticache.aws.upbound.io/v1beta2, kind=replicationgroup  async create failed: failed to create the resource: [{0 waiting for ElastiCache Replication Group (pr507-preview-redis) create: operation error ElastiCache: DescribeReplicationGroups, https response error StatusCode: 403, RequestID: e3096e84-3611-4080-88b4-ea1a5f2f5686, api error ExpiredToken: The security token included in the request is expired  []}]
  Warning  CannotUpdateExternalResource  10m                   managed/elasticache.aws.upbound.io/v1beta2, kind=replicationgroup  async update failed: failed to update the resource: [{0 modifying ElastiCache Replication Group (pr507-preview-redis) authentication: operation error ElastiCache: ModifyReplicationGroup, https response error StatusCode: 400, RequestID: 7789d1d4-031d-4af1-ba07-0048efcdd4e1, InvalidParameterValue: The AUTH token modification is only supported when encryption-in-transit is enabled.  []}]
  Warning  CannotUpdateExternalResource  10m                   managed/elasticache.aws.upbound.io/v1beta2, kind=replicationgroup  async update failed: failed to update the resource: [{0 modifying ElastiCache Replication Group (pr507-preview-redis) authentication: operation error ElastiCache: ModifyReplicationGroup, https response error StatusCode: 400, RequestID: 500b7d6c-856a-4562-bb23-151e8b8c5b4d, InvalidParameterValue: The AUTH token modification is only supported when encryption-in-transit is enabled.  []}]
  Warning  CannotUpdateExternalResource  10m                   managed/elasticache.aws.upbound.io/v1beta2, kind=replicationgroup  async update failed: failed to update the resource: [{0 modifying ElastiCache Replication Group (pr507-preview-redis) authentication: operation error ElastiCache: ModifyReplicationGroup, https response error StatusCode: 400, RequestID: 5f87b96b-eff8-4d2d-97b5-5338c577b969, InvalidParameterValue: The AUTH token modification is only supported when encryption-in-transit is enabled.  []}]
  Warning  CannotUpdateExternalResource  10m                   managed/elasticache.aws.upbound.io/v1beta2, kind=replicationgroup  async update failed: failed to update the resource: [{0 modifying ElastiCache Replication Group (pr507-preview-redis) authentication: operation error ElastiCache: ModifyReplicationGroup, https response error StatusCode: 400, RequestID: 341026d0-aa81-44ba-b5ec-ac81949e434c, InvalidParameterValue: The AUTH token modification is only supported when encryption-in-transit is enabled.  []}]
  Warning  CannotUpdateExternalResource  10m                   managed/elasticache.aws.upbound.io/v1beta2, kind=replicationgroup  async update failed: failed to update the resource: [{0 modifying ElastiCache Replication Group (pr507-preview-redis) authentication: operation error ElastiCache: ModifyReplicationGroup, https response error StatusCode: 400, RequestID: 93c99cea-a4e1-4fd4-ba91-3d5f3886a86d, InvalidParameterValue: The AUTH token modification is only supported when encryption-in-transit is enabled.  []}]
  Warning  CannotUpdateExternalResource  9m59s                 managed/elasticache.aws.upbound.io/v1beta2, kind=replicationgroup  async update failed: failed to update the resource: [{0 modifying ElastiCache Replication Group (pr507-preview-redis) authentication: operation error ElastiCache: ModifyReplicationGroup, https response error StatusCode: 400, RequestID: 4d6d6d4f-f2ab-449f-ab05-96ed030d9279, InvalidParameterValue: The AUTH token modification is only supported when encryption-in-transit is enabled.  []}]
  Warning  CannotUpdateExternalResource  9m58s                 managed/elasticache.aws.upbound.io/v1beta2, kind=replicationgroup  async update failed: failed to update the resource: [{0 modifying ElastiCache Replication Group (pr507-preview-redis) authentication: operation error ElastiCache: ModifyReplicationGroup, https response error StatusCode: 400, RequestID: 1ecc552c-762e-4d90-bd70-bc387f6993b8, InvalidParameterValue: The AUTH token modification is only supported when encryption-in-transit is enabled.  []}]
  Warning  CannotUpdateExternalResource  9m56s                 managed/elasticache.aws.upbound.io/v1beta2, kind=replicationgroup  async update failed: failed to update the resource: [{0 modifying ElastiCache Replication Group (pr507-preview-redis) authentication: operation error ElastiCache: ModifyReplicationGroup, https response error StatusCode: 400, RequestID: 31997516-2128-4e7e-9e53-1153537d1382, InvalidParameterValue: The AUTH token modification is only supported when encryption-in-transit is enabled.  []}]
  Warning  CannotUpdateExternalResource  30s (x13 over 9m53s)  managed/elasticache.aws.upbound.io/v1beta2, kind=replicationgroup  (combined from similar events): async update failed: failed to update the resource: [{0 modifying ElastiCache Replication Group (pr507-preview-redis) authentication: operation error ElastiCache: ModifyReplicationGroup, https response error StatusCode: 400, RequestID: c7df7c2f-ee90-4f70-9825-5b244db36d27, InvalidParameterValue: The AUTH token modification is only supported when encryption-in-transit is enabled.  []}]

Crossplane Version

1.15.2

Provider Version

1.19.0

Kubernetes Version

v1.29.12-eks-2d5f260

Kubernetes Distribution

EKS

Additional Info

No response

@alexinthesky alexinthesky added bug Something isn't working needs:triage labels Jan 30, 2025
@alexinthesky alexinthesky changed the title [Bug]: ReplicationGroup.elasticache.aws.upbound.io/v1beta2 failes to provision when transitEncryptionEnabled is false [Bug]: ReplicationGroup.elasticache.aws.upbound.io/v1beta2 fails to sync when transitEncryptionEnabled is false Jan 30, 2025
@alexinthesky
Contributor Author

/test-examples="examples/elasticache/v1beta2/replicationgroup.yaml"

@jeanduplessis
Collaborator

@alexinthesky the /test-examples command only works on PRs.

@alexinthesky
Contributor Author

alexinthesky commented Jan 31, 2025

yup launched here weirdly enough

https://github.com/crossplane-contrib/provider-upjet-aws/actions/runs/13070127593/job/36469720998#step:8:6670
authTokenUpdateStrategy: ROTATE got added to the specs and applied successfully without in-transit encryption

@alexinthesky
Contributor Author

alexinthesky commented Feb 4, 2025

@jeanduplessis is it possible that the test succeeds because it deletes the object right after creation and does not go into any update loop? In the above example, authTokenUpdateStrategy: ROTATE gets pulled into the object's state and then copied over to the specs, which required an update. I don't see the update in the test logs, as it seems a delete occurs.

apiVersion: elasticache.aws.upbound.io/v1beta2
kind: ReplicationGroup
metadata:
  annotations:
    crossplane.io/external-create-pending: "2025-01-30T19:46:34Z"
    crossplane.io/external-create-succeeded: "2025-01-30T19:46:34Z"
    crossplane.io/external-name: pr507-preview-redis
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"elasticache.aws.upbound.io/v1beta2","kind":"ReplicationGroup","metadata":{"annotations":{},"name":"pr507-preview-redis"},"spec":{"forProvider":{"atRestEncryptionEnabled":"true","autoMinorVersionUpgrade":"true","automaticFailoverEnabled":true,"description":"Redis pr507-preview-redis-with-replica","engine":"redis","engineVersion":"7.0","multiAzEnabled":true,"nodeType":"cache.t3.small","numCacheClusters":2,"parameterGroupName":"default.redis7","port":6379,"region":"eu-west-3","securityGroupIdSelector":{"matchLabels":{"access":"elasticache","xnetworks.aws.web3factory.consensys.net/name":"pr507-preview-apac"}},"subnetGroupNameSelector":{"matchLabels":{"xnetworks.aws.web3factory.consensys.net/name":"pr507-preview-apac"}}},"providerConfigRef":{"name":"pr507-preview"}}}
  creationTimestamp: "2025-01-30T19:46:33Z"
  finalizers:
  - finalizer.managedresource.crossplane.io
  generation: 4
  name: pr507-preview-redis
  resourceVersion: "2030945"
  uid: 3bfaf804-c48c-48cf-ab14-9bd32f96af9a
spec:
  deletionPolicy: Delete
  forProvider:
    atRestEncryptionEnabled: "true"
    autoMinorVersionUpgrade: "true"
    automaticFailoverEnabled: true
    description: Redis pr507-preview-redis-with-replica
    engine: redis
    engineVersion: "7.0"
    ipDiscovery: ipv4
    maintenanceWindow: tue:01:00-tue:02:00
    multiAzEnabled: true
    networkType: ipv4
    nodeType: cache.t3.small
    numCacheClusters: 2
    parameterGroupName: default.redis7
    port: 6379
    region: eu-west-3
    replicasPerNodeGroup: 1
    securityGroupIdRefs:
    - name: elasticache-pr507-preview-apac
    securityGroupIdSelector:
      matchLabels:
        access: elasticache
        xnetworks.aws.web3factory.consensys.net/name: pr507-preview-apac
    securityGroupIds:
    - sg-09dbc8071f8709380
    snapshotWindow: 05:00-06:00
    subnetGroupName: pr507-preview-apac
    subnetGroupNameRef:
      name: pr507-preview-apac
    subnetGroupNameSelector:
      matchLabels:
        xnetworks.aws.web3factory.consensys.net/name: pr507-preview-apac
    tags:
      crossplane-kind: replicationgroup.elasticache.aws.upbound.io
      crossplane-name: pr507-preview-redis
      crossplane-providerconfig: pr507-preview
  initProvider: {}
  managementPolicies:
  - '*'
  providerConfigRef:
    name: pr507-preview
status:
  atProvider:
    arn: arn:aws:elasticache:eu-west-3:199401564210:replicationgroup:pr507-preview-redis
    atRestEncryptionEnabled: "true"
    autoMinorVersionUpgrade: "true"
    automaticFailoverEnabled: true
    clusterEnabled: false
    clusterMode: disabled
    dataTieringEnabled: false
    description: Redis pr507-preview-redis-with-replica
    engine: redis
    engineVersion: "7.0"
    engineVersionActual: 7.0.7
    id: pr507-preview-redis
    ipDiscovery: ipv4
    kmsKeyId: ""
    maintenanceWindow: tue:01:00-tue:02:00
    memberClusters:
    - pr507-preview-redis-001
    - pr507-preview-redis-002
    multiAzEnabled: true
    networkType: ipv4
    nodeType: cache.t3.small
    numCacheClusters: 2
    numNodeGroups: 1
    parameterGroupName: default.redis7
    port: 6379
    primaryEndpointAddress: pr507-preview-redis.zjborf.ng.0001.euw3.cache.amazonaws.com
    readerEndpointAddress: pr507-preview-redis-ro.zjborf.ng.0001.euw3.cache.amazonaws.com
    replicasPerNodeGroup: 1
    securityGroupIds:
    - sg-09dbc8071f8709380
    snapshotRetentionLimit: 0
    snapshotWindow: 05:00-06:00
    subnetGroupName: pr507-preview-apac
    tags:
      crossplane-kind: replicationgroup.elasticache.aws.upbound.io
      crossplane-name: pr507-preview-redis
      crossplane-providerconfig: pr507-preview
    tagsAll:
      crossplane-kind: replicationgroup.elasticache.aws.upbound.io
      crossplane-name: pr507-preview-redis
      crossplane-providerconfig: pr507-preview
    transitEncryptionEnabled: false
    transitEncryptionMode: ""
  conditions:
  - lastTransitionTime: "2025-01-30T19:56:07Z"
    reason: Available
    status: "True"
    type: Ready
  - lastTransitionTime: "2025-02-04T08:49:06Z"
    message: 'update failed: async update failed: failed to update the resource: [{0
      modifying ElastiCache Replication Group (pr507-preview-redis) authentication:
      operation error ElastiCache: ModifyReplicationGroup, https response error StatusCode:
      400, RequestID: 3c1510f6-4886-4092-8eed-ccfd2103fd5f, InvalidParameterValue:
      The AUTH token modification is only supported when encryption-in-transit is
      enabled.  []}]'
    reason: ReconcileError
    status: "False"
    type: Synced
  - lastTransitionTime: "2025-02-04T08:49:06Z"
    message: 'async update failed: failed to update the resource: [{0 modifying ElastiCache
      Replication Group (pr507-preview-redis) authentication: operation error ElastiCache:
      ModifyReplicationGroup, https response error StatusCode: 400, RequestID: 3c1510f6-4886-4092-8eed-ccfd2103fd5f,
      InvalidParameterValue: The AUTH token modification is only supported when encryption-in-transit
      is enabled.  []}]'
    reason: AsyncUpdateFailure
    status: "False"
    type: LastAsyncOperation
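
A triage check for the failure mode discussed in this issue, as an added example that is not part of the original thread or the provider's code: it flags a ReplicationGroup whose spec carries authTokenUpdateStrategy while in-transit encryption is off, and separates the AUTH token error from the unrelated ExpiredToken error seen in the events. The SAMPLE object is constructed from fields quoted above (with authTokenUpdateStrategy: ROTATE present in spec, as the comment describes); the function names and finding labels are hypothetical.

```python
# Added example: triage helper, not provider code. All names are hypothetical.
AUTH_ERR = ("The AUTH token modification is only supported when "
            "encryption-in-transit is enabled")

def classify_event(message):
    """Map a CannotUpdateExternalResource message to its cause."""
    text = " ".join(message.split())  # undo YAML line folding
    if AUTH_ERR in text:
        return "auth-update-without-tls"
    if "ExpiredToken" in text:
        return "expired-credentials"
    return "other"

def _truthy(value):
    # The CRD mixes booleans and strings ("true") for flags.
    return str(value).strip().lower() == "true"

def diagnose(mr):
    """Return findings for a ReplicationGroup managed resource (parsed dict)."""
    spec = mr.get("spec", {}).get("forProvider", {})
    status = mr.get("status", {})
    observed = status.get("atProvider", {})
    findings = []
    tls = observed.get("transitEncryptionEnabled",
                       spec.get("transitEncryptionEnabled", False))
    if not _truthy(tls):
        findings.append("transit-encryption-disabled")
        if spec.get("authTokenUpdateStrategy"):
            findings.append("auth-strategy-set-without-tls")
    for cond in status.get("conditions", []):
        if (cond.get("type") == "Synced" and cond.get("status") == "False"
                and classify_event(cond.get("message", "")) == "auth-update-without-tls"):
            findings.append("sync-blocked-by-auth-update")
    return findings

# Constructed sample, reduced from the object dumped in the issue.
SAMPLE = {
    "spec": {"forProvider": {"atRestEncryptionEnabled": "true",
                             "authTokenUpdateStrategy": "ROTATE"}},
    "status": {
        "atProvider": {"transitEncryptionEnabled": False},
        "conditions": [{"type": "Synced", "status": "False",
                        "message": "update failed: ... InvalidParameterValue: The AUTH token\n"
                                   "      modification is only supported when encryption-in-transit is\n"
                                   "      enabled.  []}]"}],
    },
}
```

Feed it the output of `kubectl get replicationgroup.elasticache.aws.upbound.io <name> -o json` parsed with `json.load` to run the same check against a live object.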
