Unable to use the new DNS endpoint exclusively. #2216

Open
TheKangaroo opened this issue Dec 16, 2024 · 4 comments · May be fixed by #2217
Labels
bug Something isn't working

Comments

@TheKangaroo
Contributor

TheKangaroo commented Dec 16, 2024

TL;DR

My goal is to use only the DNS endpoint on my GKE clusters:

This is not possible at the moment because I need to set:

  enable_private_endpoint       = true
  deploy_using_private_endpoint = true

for the DNS endpoint to be enabled. However, enable_private_endpoint will create an empty master_authorized_networks_config {} block in this line, and applying this will re-enable access via IPv4.

I created a PR to fix this, but I'm not 100% sure if it breaks anything unrelated to DNS endpoints.

Another thing I observed while experimenting with this setting is that removing master_authorized_networks_config {} won't actually change my cluster to disable IPv4 access. The code seems to work for both cases: with master_authorized_networks_config {} and IPv4 enabled, and omitted with IPv4 disabled. Maybe this is just a limitation in the API, where changing master_authorized_networks_config {} to (empty) does not trigger an update. 🤔

Expected behavior

No response

Observed behavior

No response

Terraform Configuration

n.a.

Terraform Version

tofu version                                                                                          app-publisher-dev-7ed19f10be
OpenTofu v1.8.7
on darwin_arm64
+ provider registry.terraform.io/hashicorp/google v4.84.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.23.0
+ provider registry.terraform.io/hashicorp/random v3.5.1

Additional information

No response

@TheKangaroo TheKangaroo added the bug Something isn't working label Dec 16, 2024
@TheKangaroo TheKangaroo linked a pull request Dec 16, 2024 that will close this issue
@apeabody
Contributor

Thanks @TheKangaroo - Interesting, it looks like the presence of the (empty) master_authorized_networks_config block is actually being used as a substitute for enabled: https://github.com/hashicorp/terraform-provider-google/blob/main/google/services/container/resource_container_cluster.go#L5035

@apeabody
Contributor

apeabody commented Dec 19, 2024

Interesting @TheKangaroo - So currently the module's enable_private_endpoint actuates the provider's private_cluster_config.enable_private_endpoint which actuates the API's PrivateClusterConfig.enablePrivateEndpoint which is deprecated. The recommendation is to use ControlPlaneEndpointsConfig.IPEndpointsConfig.enable_public_endpoint, however ControlPlaneEndpointsConfig.IPEndpointsConfig.enabled is currently hardcoded to true in the Provider.

As masterAuthorizedNetworksConfig is part of ControlPlaneEndpointsConfig.IPEndpointsConfig, if masterAuthorizedNetworksConfig is created using the Provider, it is likely resulting in the side-effect of ControlPlaneEndpointsConfig.IPEndpointsConfig.enabled = true.
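
An added posture check (not code from the module, the provider or this thread) that reads the dict from `gcloud container clusters describe NAME --format=json` and reports whether a cluster meant to be DNS-only still has its IP endpoint on. The controlPlaneEndpointsConfig field names other than ipEndpointsConfig.enabled are assumed from the GKE API, and the sample cluster is constructed.

```python
# Posture check: is a GKE cluster reachable only through its DNS control-plane
# endpoint? Field names under controlPlaneEndpointsConfig are assumed from the
# GKE API (ipEndpointsConfig.enabled is the one the issue discusses).


def assess(cluster: dict) -> dict:
    """Summarise the control-plane endpoint posture of one cluster."""
    cfg = cluster.get("controlPlaneEndpointsConfig", {})
    ip = cfg.get("ipEndpointsConfig", {})
    dns = cfg.get("dnsEndpointConfig", {})
    return {
        "dns_enabled": bool(dns.get("allowExternalTraffic", False)),
        "ip_enabled": bool(ip.get("enabled", False)),
        "public_ip": bool(ip.get("enablePublicEndpoint", False)),
        # An authorized-networks block, even an empty one, is what the provider
        # treats as "IP endpoint enabled".
        "authorized_networks": "authorizedNetworksConfig" in ip,
    }


def findings(cluster: dict) -> list[str]:
    """Deviations from a DNS-only posture; an empty list means compliant."""
    p = assess(cluster)
    out = []
    if not p["dns_enabled"]:
        out.append("DNS endpoint is not enabled")
    if p["ip_enabled"]:
        kind = "public" if p["public_ip"] else "private-only"
        out.append(f"IP endpoint still enabled ({kind})")
        if p["authorized_networks"]:
            out.append("authorizedNetworksConfig present; it keeps the IP endpoint on")
    return out


# Constructed sample: the state the issue describes after applying the empty
# master_authorized_networks_config {} block (DNS on, IPv4 re-enabled).
SAMPLE_REENABLED = {
    "name": "example-cluster",
    "controlPlaneEndpointsConfig": {
        "dnsEndpointConfig": {"allowExternalTraffic": True},
        "ipEndpointsConfig": {"enabled": True, "enablePublicEndpoint": False,
                              "authorizedNetworksConfig": {}},
    },
}

if __name__ == "__main__":
    print(SAMPLE_REENABLED["name"], findings(SAMPLE_REENABLED) or ["OK: DNS only"])
```
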

@apeabody
Contributor

Here is a PR to add Provider support for ControlPlaneEndpointsConfig.IPEndpointsConfig.enabled: hashicorp/terraform-provider-google#20369

@TheKangaroo
Contributor Author

Ah, I think I understand now. Thanks for reviewing the current implementation and providing the explanation. Since we can already use DNS endpoints and disabling IP endpoints would just be an added benefit, I'm fine with waiting for hashicorp/terraform-provider-google#20369.
