Kubernetes provider should be able to use output from google_container_engine #12869
Comments
Hi @drzero42 I believe that one of the main reasons GKE resources don't interact very well with Kubernetes provider is #12393 (core bug). That's not something to be solved within the context of any provider - it affects other providers too. This bug would cause the K8S provider to appear as unconfigured during the
because the provider defaults to The other thing you mentioned is base64 decoding of the PEM data. I believe the See this gist: https://gist.github.com/radeksimko/1a2cc98c5536bd4aa92e960ed7a47cf0 Can you provide more context/details about what isn't working for you in regards to Thanks! |
@radeksimko I don't believe the problem I am experiencing is related to #12393 since I only added the kubernetes provider setup after having GKE resources up and running with Terraform. The GCP resources in general seem fairly wonky, with amongst other things timeouts happening during provisioning of the GKE cluster, and as mentioned in #12393, the kubernetes provider not able to figure out that it needs to wait for the google provider to do its things. However, having worked around that, I still believe that the kubernetes provider and google_container_cluster resource should agree if the certs and keys should be base64 or not. Based on your gist, which really helps me, my problems with base64decode seem to have mainly been me not really understanding the data structure provided by google_container_engine resources. The documentation does not really indicate that it is a list, where I need to access the first element (google_container_cluster.primary.master_auth.0.client_certificate), so I was just accessing things directly (google_container_cluster.primary.master_auth.client_certificate) and the error message was not entirely understandable to me, leading to my confusion. I thought I might have misunderstood the syntax needed for base64decode and various other internal functions. Better examples in the documentation would be awesome. |
Thanks for further explanation @drzero42, that's helpful. I did discuss this issue with a few other maintainers in the past weeks and we more or less agreed that we could make the Kubernetes provider detect whether a base64-decodable string was passed and if not it would decode it. Does that sound like a good solution to you? |
Yes, that sounds like a decent solution :) |
I know this is super old, but couldn't |
@radeksimko, it looks like #12393 is closed (although maybe not fixed). Could you advise on how to consolidate these to work in a single run of terraform? |
@Qix- You are correct - I already mentioned that in the original issue :) |
@drzero42 I think you're right. The issue I had is that the
And now all is well. It should be noted, I believe, this means that RPCs into the Kubernetes are coming as a superuser. That probably isn't a concern though since the user running terraform can probably destroy and recreate the cluster. Thanks for the response! |
Hi all! Sorry for the long silence here. Providers are no longer developed in this repository, so we're going to close this out to reflect that. If you are still seeing trouble using the Kubernetes provider with Google Container Engine, please open an issue in the Kubernetes provider repository. The issue that Radek mentioned above is now consolidated into #4149, which is a core-side issue representing the idea of better supporting "multi-layer" Terraform configurations where results from one provider are used to configure another. That issue remains open to track that use-case. |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
Kubernetes provider was introduced in Terraform 0.9.1. It can take client_certificate, client_key and cluster_ca_certificate to create a connection to the Kubernetes cluster. When the cluster is created by the google_container_engine resource, this information is available as attributes. However, it is base64 encoded, and the Kubernetes provider expects these in normal PEM format.
The Kubernetes provider should be changed to be able to accept these in base64 (or the google_container_engine resource should provide them as normal PEM strings).
A workaround would probably be to use the base64decode function for variable interpolation, but I can't seem to get that to work.
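One way a provider could accept either form of credential, as requested in this issue and discussed in the comments above. This is an added example, not the Kubernetes provider's code; `normalizePEM` and `samplePEM` are hypothetical names and the sample bytes are constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// normalizePEM (hypothetical helper) returns PEM text whether the caller
// passed raw PEM or PEM wrapped in one layer of standard base64, which is
// how the cluster resource exposes its master_auth attributes.
// Errors never echo the input: it may be a client private key.
func normalizePEM(in string) (string, error) {
	trimmed := strings.TrimSpace(in)
	// Already PEM: pem.Decode finds a block, so no decoding is needed.
	if block, _ := pem.Decode([]byte(trimmed)); block != nil {
		return trimmed, nil
	}
	// Otherwise strip exactly one base64 layer and require PEM inside.
	raw, err := base64.StdEncoding.DecodeString(trimmed)
	if err != nil {
		return "", errors.New("value is neither PEM nor base64-encoded PEM")
	}
	if block, _ := pem.Decode(raw); block == nil {
		return "", errors.New("base64 decoded, but the result is not PEM")
	}
	return string(raw), nil
}

// samplePEM builds a constructed PEM block; it is not a real certificate.
func samplePEM() string {
	return string(pem.EncodeToMemory(&pem.Block{
		Type:  "CERTIFICATE",
		Bytes: []byte("constructed sample bytes, not a real certificate"),
	}))
}

func main() {
	p := samplePEM()
	wrapped := base64.StdEncoding.EncodeToString([]byte(p))
	for _, in := range []string{p, wrapped, "not-a-cert"} {
		out, err := normalizePEM(in)
		fmt.Printf("err=%v pemLen=%d\n", err, len(out))
	}
}
```

Checking for a PEM block before attempting base64 means raw PEM is never decoded a second time, and a value that decodes to something other than PEM is rejected instead of being handed to the TLS client.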