
Unable to use the new DNS endpoint exclusively. #2216


Open
TheKangaroo opened this issue Dec 16, 2024 · 7 comments · May be fixed by #2217
Labels
bug Something isn't working enhancement New feature or request triaged Scoped and ready for work

Comments

@TheKangaroo
Contributor

TheKangaroo commented Dec 16, 2024

TL;DR

My goal is to use only the DNS endpoint on my GKE clusters:

This is not possible at the moment because I need to set:

  enable_private_endpoint       = true
  deploy_using_private_endpoint = true

for the DNS endpoint to be enabled. However, enable_private_endpoint will create an empty master_authorized_networks_config {} block in this line, and applying this will re-enable access via IPv4.

I created a PR to fix this, but I'm not 100% sure if it breaks anything unrelated to DNS endpoints.

Another thing I observed while experimenting with this setting is that removing master_authorized_networks_config {} won't actually change my cluster to disable IPv4 access. The code seems to work for both cases: with master_authorized_networks_config {} and IPv4 enabled, and omitted with IPv4 disabled. Maybe this is just a limitation in the API, where changing master_authorized_networks_config {} to (empty) does not trigger an update. 🤔

Expected behavior

No response

Observed behavior

No response

Terraform Configuration

n.a.

Terraform Version

tofu version                                                                                          app-publisher-dev-7ed19f10be
OpenTofu v1.8.7
on darwin_arm64
+ provider registry.terraform.io/hashicorp/google v4.84.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.23.0
+ provider registry.terraform.io/hashicorp/random v3.5.1

Additional information

No response

@TheKangaroo TheKangaroo added the bug Something isn't working label Dec 16, 2024
@TheKangaroo TheKangaroo linked a pull request Dec 16, 2024 that will close this issue
@apeabody
Collaborator

Thanks @TheKangaroo - Interesting, it looks like the presence of the (empty) master_authorized_networks_config block is actually being used as a substitute for enabled: https://github.com/hashicorp/terraform-provider-google/blob/main/google/services/container/resource_container_cluster.go#L5035

@apeabody
Collaborator

apeabody commented Dec 19, 2024

Interesting @TheKangaroo - So currently the module's enable_private_endpoint actuates the provider's private_cluster_config.enable_private_endpoint which actuates the API's PrivateClusterConfig.enablePrivateEndpoint which is deprecated. The recommendation is to use ControlPlaneEndpointsConfig.IPEndpointsConfig.enable_public_endpoint, however ControlPlaneEndpointsConfig.IPEndpointsConfig.enabled is currently hardcoded to true in the Provider.

As masterAuthorizedNetworksConfig is part of ControlPlaneEndpointsConfig.IPEndpointsConfig, if masterAuthorizedNetworksConfig is created using the Provider, it is likely resulting in the side-effect of ControlPlaneEndpointsConfig.IPEndpointsConfig.enabled = true.
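A drift check for the situation described in the comments above (the legacy authorized-networks block implying that the IP endpoint is still enabled), added here as an example that is not from the issue, the module or the provider. It takes the JSON that `gcloud container clusters describe --format=json` returns; the two sample documents are constructed, and the field names are the GKE v1 API ones named in this thread.

```python
"""Decide whether a described GKE cluster is really DNS-endpoint-only.

Added example, not code from the issue or the module. Input is the cluster
JSON from `gcloud container clusters describe <name> --format=json`; the
samples below are constructed, not captured from a real cluster.
"""


def control_plane_exposure(cluster: dict) -> dict:
    """Summarise how the control plane can be reached.

    The API carries the legacy fields (privateClusterConfig,
    masterAuthorizedNetworksConfig) alongside controlPlaneEndpointsConfig,
    and the presence of the legacy authorized-networks block implies the IP
    endpoint is enabled, so both views are read before deciding "dns_only".
    """
    cpe = cluster.get("controlPlaneEndpointsConfig", {})
    ip_cfg = cpe.get("ipEndpointsConfig", {})
    dns_cfg = cpe.get("dnsEndpointConfig", {})
    legacy_private = cluster.get("privateClusterConfig", {})
    # An empty masterAuthorizedNetworksConfig object still counts as present.
    legacy_block = "masterAuthorizedNetworksConfig" in cluster

    # A missing ipEndpointsConfig.enabled means the API default: enabled.
    ip_enabled = bool(ip_cfg.get("enabled", True))
    public_ip = ip_enabled and not legacy_private.get("enablePrivateEndpoint", False)
    dns_available = bool(dns_cfg.get("endpoint"))
    return {
        "ip_endpoint_enabled": ip_enabled,
        "public_ip_endpoint": public_ip,
        "dns_endpoint": dns_cfg.get("endpoint"),
        "dns_allows_external_traffic": dns_cfg.get("allowExternalTraffic", False),
        "legacy_authorized_networks_block": legacy_block,
        "dns_only": dns_available and not ip_enabled,
    }


# Constructed sample: private IP endpoint plus an (empty) authorized-networks
# block, so the IP endpoint stays enabled although only DNS was wanted.
DRIFTED = {
    "privateClusterConfig": {"enablePrivateEndpoint": True},
    "masterAuthorizedNetworksConfig": {},
    "controlPlaneEndpointsConfig": {
        "ipEndpointsConfig": {"enabled": True},
        "dnsEndpointConfig": {"endpoint": "gke-sample.example.invalid", "allowExternalTraffic": False},
    },
}
# Constructed sample: the intended end state, DNS endpoint only.
DNS_ONLY = {
    "controlPlaneEndpointsConfig": {
        "ipEndpointsConfig": {"enabled": False},
        "dnsEndpointConfig": {"endpoint": "gke-sample.example.invalid", "allowExternalTraffic": False},
    },
}
```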

@apeabody
Collaborator

Here is a PR to add Provider support for ControlPlaneEndpointsConfig.IPEndpointsConfig.enabled: hashicorp/terraform-provider-google#20369

@TheKangaroo
Contributor Author

Ah, I think I understand now. Thanks for reviewing the current implementation and providing the explanation. Since we can already use DNS endpoints and disabling IP endpoints would just be an added benefit, I'm fine with waiting for hashicorp/terraform-provider-google#20369.

@apeabody apeabody added triaged Scoped and ready for work enhancement New feature or request labels Jan 22, 2025
@ecourreges-orange ecourreges-orange marked this as a duplicate of #2302 Mar 10, 2025
@asafhm

asafhm commented Apr 27, 2025

Here is a PR to add Provider support for ControlPlaneEndpointsConfig.IPEndpointsConfig.enabled: hashicorp/terraform-provider-google#20369

That provider's PR is merged. Can we fix this in the module?

@TheKangaroo
Contributor Author

I haven't been able to find the time to work on the PR since then, but I will do so as soon as possible.

@TheKangaroo
Contributor Author

I just checked and saw that @apeabody already improved the dns endpoint config a couple of days ago (1c6ff12).
Is my understanding correct that after these changes we only need to add something like:

   dynamic "control_plane_endpoints_config" {
-    for_each = var.dns_allow_external_traffic != null ? [1] : []
+    for_each = var.dns_allow_external_traffic != null || var.master_authorized_networks == null ? [1] : []
     content {
+      ip_endpoints_config {
+        enabled = var.master_authorized_networks == null ? false : true
+      }
       dns_endpoint_config {
         allow_external_traffic = var.dns_allow_external_traffic
       }
    }
  }
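Review bot: the widened `for_each` condition now creates the block whenever `var.master_authorized_networks == null`, even when `var.dns_allow_external_traffic` is null, so `dns_endpoint_config { allow_external_traffic = null }` gets emitted in a case where the block previously did not exist at all; consider wrapping `dns_endpoint_config` in its own `dynamic` block keyed on `var.dns_allow_external_traffic != null` so that the IP-endpoint change cannot touch the DNS settings. Minor: `enabled = var.master_authorized_networks == null ? false : true` reads more clearly as `enabled = var.master_authorized_networks != null`.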

and let master_authorized_networks default to null

   variable "master_authorized_networks" {
     type        = list(object({ cidr_block = string, display_name = string }))
     description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)."
-    default     = []
+    default     = null
   }
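Review bot: changing the default from `[]` to `null` changes behaviour for every caller that does not set this variable: on upgrade their control plane IP endpoint would be switched off, which is a breaking change that belongs in the upgrade guide, and the description should state the new distinction (`null` disables the IP endpoint entirely, `[]` keeps it enabled with only the GKE-whitelisted node IPs allowed). Any `length()` or `for_each` over this variable elsewhere in the module also has to tolerate `null` now.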

to actually disable IP endpoints on an empty master_authorized_networks?
