Elasticache ReplicationGroup connection secret is empty

[akunafin]

What happened?

I'm creating an AWS Elasticache replication group and expect connection endpoint to be published into a secret with the help of publishConnectionDetailsTo setting. I see that secret is successfully created, but the only data that it has:
data: attribute.auth_token: ""

How can we reproduce it?

Create an elasticache replicationgroup using xpkg.upbound.io/upbound/provider-aws-elasticache:v0.46.1.

What environment did it happen in?

• Crossplane Version: v1.14.5
• Provider Version: v0.46.1
• Kubernetes Version: 1.23
• Kubernetes Distribution: EKS

[mbbush]

Thanks for the bug report @akunafin.

Could you please include a complete manifest that shows the problem? That will make it much easier to reproduce. Based on a very quick look at the elasitcache replication group terraform provider docs, it looks like "" is the expected value of auth_token unless you're setting it to something else using spec.forProvider.authTokenSecretRef

[akunafin]

Thanks for your reply @mbbush!

The main problem is not that auth_token is an empty string. The main problem is that there is no connection endpoint in this secret. For now I had to hardcode this endpoint in the manifest of the application, but that's definitely not the way it should work. I want to reference this secret in the manifest of my application in order for it to connect to the this cluster.

This is a ReplicationGroup manifest that I'm using:

apiVersion: elasticache.aws.upbound.io/v1beta1
kind: ReplicationGroup
metadata:
  annotations:
    uptest.upbound.io/timeout: "3600"
  name: replicationgroup
spec:
  forProvider:
    automaticFailoverEnabled: true
    description: redis
    nodeType: {{ .Values.redis_node_type | default "cache.t2.micro" }}
    numberCacheClusters: 2
    parameterGroupName: default.redis7
    port: 6379
    region: {{ .Values.global.region }}
    securityGroupIdRefs:
      - name: elasticache-securitygroup
    subnetGroupNameRef:
      name: elasticache-subnetgroup
  publishConnectionDetailsTo:
    name: elasticache-endpoint

Manifest of the secret object created:

apiVersion: v1
data:
  attribute.auth_token: ""
kind: Secret
metadata:
    secret.crossplane.io/owner-uid: 149419d9-1e7f-4c14-9438-438433643de8
  name: elasticache-endpoint
  namespace: operators
  resourceVersion: "1346910711"
  uid: 2db2140d-f69d-4dd1-9bff-360e6acab7fb
type: connection.crossplane.io/v1alpha1

[mbbush]

By default the connection secrets only contain values designated as sensitive by terraform. If you also want a non-sensitive value in your secret, like the endpoint, take a look at https://docs.crossplane.io/knowledge-base/guides/connection-details/

I think I found another example somewhere of explicitly how to get values from the status into the composition's secret, but kubectl explain composition.spec.resources.connectionDetails may also help you.

[turkenf]

@akunafin, also you can find more information from here about how to add sensitive fields.

[akunafin]

@mbbush thanks for a useful reference! I managed to achieve what I wanted with the composition.
However I still think that it makes sense for provider to put an endpoint into the connection secret even if it's not sensitive.

[dhumphries-sainsburys]

I agree with @akunafin it keeps all the things you need to connect to the instance together in a practical way and is the same way other providers use this field. The CRD spec even says that these kinds of things should be published to this secret as specified here

[turkenf]

This issue covered in this PR #1322