@parikshithb parikshithb commented Jan 7, 2026

Add S3 store profile fields validation in the validate clusters command to ensure the fields are the same between hub and managed clusters.

  • s3bucket
  • endpoint
  • region
  • caCertificate
  • S3 secret field
  • doc updates

Testing:

Pass scenario:

./ramenctl validate clusters --output out/v_clu_1
⭐ Using config "config.yaml"
⭐ Using report "out/v_clu_1"

🔎 Validate config ...
   ✅ Config validated

🔎 Validate clusters ...
   ✅ Gathered data from cluster "hub"
   ✅ Gathered data from cluster "dr2"
   ✅ Gathered data from cluster "dr1"
   ✅ Inspected S3 profiles
   ✅ Checked S3 profile "minio-on-dr2"
   ✅ Checked S3 profile "minio-on-dr1"
   ✅ Clusters validated

✅ Validation completed (48 ok, 0 stale, 0 problem)

clusters:
  - name: dr1
    ramen:
      configmap:
        s3StoreProfiles:
          state: ok ✅
          value:
          - s3Bucket:
              state: ok ✅
              value: bucket
            s3ProfileName: minio-on-dr1
            s3SecretRef:
              state: ok ✅
              value:
                name: ramen-s3-secret-dr1
                namespace: ramen-system
          - s3Bucket:
              state: ok ✅
              value: bucket
            s3ProfileName: minio-on-dr2
            s3SecretRef:
              state: ok ✅
              value:
                name: ramen-s3-secret-dr2
                namespace: ramen-system
  - name: dr2
    ramen:
        s3StoreProfiles:
          state: ok ✅
          value:
          - s3Bucket:
              state: ok ✅
              value: bucket
            s3ProfileName: minio-on-dr1
            s3SecretRef:
              state: ok ✅
              value:
                name: ramen-s3-secret-dr1
                namespace: ramen-system
          - s3Bucket:
              state: ok ✅
              value: bucket
            s3ProfileName: minio-on-dr2
            s3SecretRef:
              state: ok ✅
              value:
                name: ramen-s3-secret-dr2
                namespace: ramen-system
  hub:
    ramen:
      configmap:
        s3StoreProfiles:
          state: ok ✅
          value:
          - s3Bucket:
              state: ok ✅
              value: bucket
            s3ProfileName: minio-on-dr1
            s3SecretRef:
              state: ok ✅
              value:
                name: ramen-s3-secret-dr1
                namespace: ramen-system
          - s3Bucket:
              state: ok ✅
              value: bucket
            s3ProfileName: minio-on-dr2
            s3SecretRef:
              state: ok ✅
              value:
                name: ramen-s3-secret-dr2
                namespace: ramen-system

Fail scenario: edited to provide an incorrect bucket name, wrong-bucket, in the dr2 configmap:

./ramenctl validate clusters --output out/v_clu_2
⭐ Using config "config.yaml"
⭐ Using report "out/v_clu_2"

🔎 Validate config ...
   ✅ Config validated

🔎 Validate clusters ...
   ✅ Gathered data from cluster "hub"
   ✅ Gathered data from cluster "dr1"
   ✅ Gathered data from cluster "dr2"
   ✅ Inspected S3 profiles
   ✅ Checked S3 profile "minio-on-dr1"
   ✅ Checked S3 profile "minio-on-dr2"
   ❌ Issues found during validation

❌ validation failed (47 ok, 0 stale, 1 problem)

clustersStatus:
  clusters:
  - name: dr1
    ramen:
      configmap:
        s3StoreProfiles:
          state: ok ✅
          value:
          - s3Bucket:
              state: ok ✅
              value: bucket
            s3ProfileName: minio-on-dr1
            s3SecretRef:
              state: ok ✅
              value:
                name: ramen-s3-secret-dr1
                namespace: ramen-system
          - s3Bucket:
              state: ok ✅
              value: bucket
            s3ProfileName: minio-on-dr2
            s3SecretRef:
              state: ok ✅
              value:
                name: ramen-s3-secret-dr2
                namespace: ramen-system
  - name: dr2
    ramen:
      configmap:
        s3StoreProfiles:
          state: ok ✅
          value:
          - s3Bucket:
              description: '"wrong-bucket" does not match hub "bucket"'
              state: problem ❌
              value: wrong-bucket
            s3ProfileName: minio-on-dr1
            s3SecretRef:
              state: ok ✅
              value:
                name: ramen-s3-secret-dr1
                namespace: ramen-system
          - s3Bucket:
              state: ok ✅
              value: bucket
            s3ProfileName: minio-on-dr2
            s3SecretRef:
              state: ok ✅
              value:
                name: ramen-s3-secret-dr2
                namespace: ramen-system
  hub:
    ramen:
      configmap:
        s3StoreProfiles:
          state: ok ✅
          value:
          - s3Bucket:
              state: ok ✅
              value: bucket
            s3ProfileName: minio-on-dr1
            s3SecretRef:
              state: ok ✅
              value:
                name: ramen-s3-secret-dr1
                namespace: ramen-system
          - s3Bucket:
              state: ok ✅
              value: bucket
            s3ProfileName: minio-on-dr2
            s3SecretRef:
              state: ok ✅
              value:
                name: ramen-s3-secret-dr2
                namespace: ramen-system

Fail scenario: edited the hub configmap to remove one of the profiles' bucket name (empty value), which was propagated to the dr clusters. Other validation problems are seen in check s3 and drcluster, which are expected:

./ramenctl validate clusters --output out/v_clu_3
⭐ Using config "config.yaml"
⭐ Using report "out/v_clu_3"

🔎 Validate config ...
   ✅ Config validated

🔎 Validate clusters ...
   ✅ Gathered data from cluster "hub"
   ✅ Gathered data from cluster "dr1"
   ✅ Gathered data from cluster "dr2"
   ✅ Inspected S3 profiles
   ✅ Checked S3 profile "minio-on-dr2"
   ❌ Failed to check S3 profile "minio-on-dr1"
   ❌ Issues found during validation

❌ validation failed (43 ok, 0 stale, 5 problem)


clustersStatus:
  clusters:
  - name: dr1
    ramen:
      configmap:
        s3StoreProfiles:
          state: ok ✅
          value:
          - s3Bucket:
              description: value is empty
              state: problem ❌
            s3ProfileName: minio-on-dr1
            s3SecretRef:
              state: ok ✅
              value:
                name: ramen-s3-secret-dr1
                namespace: ramen-system
          - s3Bucket:
              state: ok ✅
              value: bucket
            s3ProfileName: minio-on-dr2
            s3SecretRef:
              state: ok ✅
              value:
                name: ramen-s3-secret-dr2
                namespace: ramen-system
  - name: dr2
    ramen:
      configmap:
        s3StoreProfiles:
          state: ok ✅
          value:
          - s3Bucket:
              description: value is empty
              state: problem ❌
            s3ProfileName: minio-on-dr1
            s3SecretRef:
              state: ok ✅
              value:
                name: ramen-s3-secret-dr1
                namespace: ramen-system
          - s3Bucket:
              state: ok ✅
              value: bucket
            s3ProfileName: minio-on-dr2
            s3SecretRef:
              state: ok ✅
              value:
                name: ramen-s3-secret-dr2
                namespace: ramen-system
  hub:
    drClusters:
      state: ok ✅
      value:
      - conditions:
        - state: ok ✅
          type: Fenced
        - state: ok ✅
          type: Clean
        - description: 'minio-on-dr1: failed to get profile minio-on-dr1 for caller
            drpolicy validation, s3 bucket has not been configured in s3 profile minio-on-dr1'
          state: problem ❌
          type: Validated
        name: dr1
        phase: Available
      - conditions:
        - state: ok ✅
          type: Fenced
        - state: ok ✅
          type: Clean
        - state: ok ✅
          type: Validated
        name: dr2
        phase: Available
    ramen:
      configmap:
        s3StoreProfiles:
          state: ok ✅
          value:
          - s3Bucket:
              description: value is empty
              state: problem ❌
            s3ProfileName: minio-on-dr1
            s3SecretRef:
              state: ok ✅
              value:
                name: ramen-s3-secret-dr1
                namespace: ramen-system
          - s3Bucket:
              state: ok ✅
              value: bucket
            s3ProfileName: minio-on-dr2
            s3SecretRef:
              state: ok ✅
              value:
                name: ramen-s3-secret-dr2
                namespace: ramen-system
  s3:
    profiles:
      state: ok ✅
      value:
      - accessible:
          state: ok ✅
          value: true
        name: minio-on-dr2
      - accessible:
          description: 'failed to access bucket "" for profile "minio-on-dr1": operation
            error S3: HeadBucket, https response error StatusCode: 400, RequestID:
            , HostID: , api error BadRequest: Bad Request'
          state: problem ❌
        name: minio-on-dr1

Fixes #358

@parikshithb parikshithb marked this pull request as draft January 7, 2026 11:43
@parikshithb parikshithb requested a review from nirs January 7, 2026 11:44
@parikshithb

linter issues fix: #363


@nirs nirs left a comment

Looks good!

@parikshithb parikshithb force-pushed the val_clu_prof branch 2 times, most recently from 14b5bf9 to d663a00 January 14, 2026 12:00

Remove s3 prefix from JSON field names since context is clear
from parent.

Signed-off-by: Parikshith <parikshithb@gmail.com>

Add s3Bucket field validation in the validate clusters command:

- Hub: validate field is not empty
- Managed clusters: validate field is not empty and matches hub value

Add lookup helper for hub profile comparison. Update tests and
report structure.

Signed-off-by: Parikshith <parikshithb@gmail.com>

Extend S3 profile validation to include s3CompatibleEndpoint and
s3Region fields. Updated tests.

Signed-off-by: Parikshith <parikshithb@gmail.com>

Add validation for caCertificate field in S3 profiles using SHA-256
fingerprints:

- Hub: validate PEM format and compute fingerprint
- Managed clusters: validate PEM format and compare fingerprint with hub

Add Fingerprint() helper for computing SHA-256 fingerprints and
CertificateFingerprint() for PEM certificates. The generic Fingerprint()
will be reused for future S3 secret field validation.

Update tests and report structure.

Assisted-by: Cursor/Claude Sonnet 4.5
Signed-off-by: Parikshith <parikshithb@gmail.com>
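
The caCertificate check described in the last commit message, sketched as an added Go example that is not the PR's code: the names certFingerprint, checkAgainstHub and sampleCA are hypothetical. Hashing the decoded DER bytes rather than the PEM text is an assumption, chosen so that a trailing newline in one cluster's configmap does not read as a mismatch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
)

// certFingerprint (hypothetical) validates the PEM certificate and returns the hex SHA-256 of its DER bytes.
func certFingerprint(pemData []byte) (string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("no PEM CERTIFICATE block")
	}
	if _, err := x509.ParseCertificate(block.Bytes); err != nil {
		return "", fmt.Errorf("invalid certificate: %w", err)
	}
	return fmt.Sprintf("%x", sha256.Sum256(block.Bytes)), nil
}

// checkAgainstHub returns nil when the managed cluster's CA is the hub's CA.
func checkAgainstHub(hubPEM, clusterPEM []byte) error {
	hub, err := certFingerprint(hubPEM)
	if err != nil {
		return fmt.Errorf("hub: %w", err)
	}
	got, err := certFingerprint(clusterPEM)
	if err == nil && got != hub {
		err = fmt.Errorf("fingerprint %q does not match hub %q", got, hub)
	}
	return err
}

// sampleCA builds a throwaway self-signed certificate (constructed sample input).
func sampleCA() []byte {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	hub := sampleCA()
	fmt.Println(checkAgainstHub(hub, append(hub, '\n'))) // same cert, extra newline
	fmt.Println(checkAgainstHub(hub, sampleCA()))        // different CA
}
```

Reporting the fingerprint instead of the certificate body also keeps the validation report short while still letting an operator compare hub and managed-cluster values by eye.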
Successfully merging this pull request may close these issues.

Improve S3 profiles validation in validate clusters command
