Private cluster contacted on localhost #2238

Open
tback opened this issue Jan 10, 2025 · 3 comments
Labels: bug (Something isn't working), triaged (Scoped and ready for work)

Comments


tback commented Jan 10, 2025

TL;DR

I created a private cluster with the official private-cluster and auth modules. After updating the modules, terraform tries to connect to it on localhost.

Expected behavior

I expect terraform to authenticate against the cluster correctly and connect to the private cluster on its public API endpoint.

Observed behavior

Error: Get "http://localhost/api/v1/namespaces/redacted": dial tcp [::1]:80: connect: connection refused
    with kubernetes_namespace.redacted,
    on kubernetes.tf line 99, in resource "kubernetes_namespace" "tls":
    line: resource "kubernetes_namespace" "redacted" {

Terraform Configuration

provider "helm" {
  kubernetes {
    cluster_ca_certificate = module.gke_auth.cluster_ca_certificate
    host                   = module.gke_auth.host
    token                  = module.gke_auth.token
  }
}

provider "kubernetes" {
  cluster_ca_certificate = module.gke_auth.cluster_ca_certificate
  host                   = module.gke_auth.host
  token                  = module.gke_auth.token
}

module "gke_auth" {
  source = "terraform-google-modules/kubernetes-engine/google//modules/auth"

  project_id   = google_project.REDACTED.project_id
  cluster_name = local.cluster_name
  location     = local.region

  depends_on = [
    google_project.REDACTED
  ]
}

module "gke_REDACTED" {
  source  = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster"
  version = "~> 35.0"

  project_id = google_project.REDACTED.project_id
  name       = local.cluster_name

  regional = true
  region   = local.region
  zones    = local.zones

  enable_private_nodes = true

  network            = google_compute_network.REDACTED.name
  subnetwork         = google_compute_subnetwork.REDACTED.name
  ip_range_pods      = "pods"
  ip_range_services  = "services"
  initial_node_count = 1

  http_load_balancing             = false
  network_policy                  = true
  remove_default_node_pool        = true
  horizontal_pod_autoscaling      = true
  enable_vertical_pod_autoscaling = true
  logging_service                 = "none"
  monitoring_service              = "none"

  depends_on = [
    module.project_services,
    module.cloud_router,
  ]

  grant_registry_access = true
  registry_project_ids = [
    "REDACTED",
  ]

  node_pools = [
    {
      name               = "default-node-pool"
      machine_type       = "e2-standard-8"
      node_locations     = join(",", local.zones)
      min_count          = 1
      max_count          = 10
      local_ssd_count    = 0
      disk_size_gb       = 100
      disk_type          = "pd-standard"
      image_type         = "COS_CONTAINERD"
      enable_gcfs        = false
      auto_repair        = true
      auto_upgrade       = true
      preemptible        = false
      initial_node_count = 1
    },
  ]

  node_pools_metadata = {
    all = {
      block-project-ssh-keys = true
    }
  }

}

Terraform Version

Terraform v1.10.4
on darwin_arm64
...
+ provider registry.terraform.io/hashicorp/google v6.15.0
+ provider registry.terraform.io/hashicorp/google-beta v6.15.0
+ provider registry.terraform.io/hashicorp/helm v2.17.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.35.1
...
+ provider registry.terraform.io/mongodb/mongodbatlas v1.25.0
...

Additional information

The cluster has been running for about two years. GKE, terraform, terraform modules have been updated multiple times.

tback added the bug label Jan 10, 2025

tback commented Jan 10, 2025

related to #1675


tback commented Jan 13, 2025

I finally found a workaround after reading https://stackoverflow.com/a/76219587/246241.
A partial apply on the module fixes this for the time being (probably until the next change on the cluster):

terraform apply -target module.gke_REDACTED

apeabody self-assigned this Jan 22, 2025

apeabody (Collaborator) commented

Thanks @tback - I believe this is also aligned with hashicorp/terraform-provider-kubernetes#1479 which we have been tracking for a while.

I wonder if an explicit dependency on the cluster module could help; have you tried something like this?

module "gke_auth" {
  source = "terraform-google-modules/kubernetes-engine/google//modules/auth"

  project_id   = google_project.REDACTED.project_id
  cluster_name = module.gke_REDACTED.name
  location     = module.gke_REDACTED.location

  depends_on = [
    google_project.REDACTED
  ]
}

Even further, you probably don't need to use the gke_auth module unless you are generating a kubeconfig file. Here is a possible example:

data "google_client_config" "default" {}

provider "kubernetes" {
  host                   = "https://${module.gke_REDACTED.endpoint}"
  token                  = data.google_client_config.default.access_token
  cluster_ca_certificate = base64decode(module.gke_REDACTED.ca_certificate)
}
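The dependency apeabody suggests can be checked before an apply by inspecting the plan's configuration section. The following is an added example, not part of the issue, the provider or the GKE module: it walks the `configuration.provider_config` and `root_module.module_calls` layout of `terraform show -json` output and flags any kubernetes/helm provider whose settings never trace back (directly or through module inputs) to the cluster module, which is the shape of configuration that can end up at `http://localhost`. `sample_plan` is a constructed fragment mirroring this issue's layout, with `fixed=True` applying the suggested change; `cluster` is the module name to look for.

```python
"""Added check: do kubernetes/helm provider blocks in `terraform show -json` output trace back to the cluster module?"""

K8S_PROVIDERS = {"kubernetes", "helm"}


def _refs(expr):
    """Collect every 'references' entry in a configuration expression tree."""
    if isinstance(expr, dict):  # nested blocks (e.g. helm's kubernetes {}) are dict/list trees
        return list(expr.get("references", [])) + [r for v in expr.values() for r in _refs(v)]
    if isinstance(expr, list):
        return [r for item in expr for r in _refs(item)]
    return []


def tied_to_module(refs, module_calls, cluster, seen=None):
    """True if a ref reaches module.<cluster>, following module inputs transitively."""
    seen = set() if seen is None else seen
    for ref in refs:
        parts = ref.split(".")
        if parts[0] != "module" or len(parts) < 2:
            continue  # locals, vars, data sources: not derived from the cluster module
        if parts[1] == cluster:
            return True
        if parts[1] not in seen and parts[1] in module_calls:
            seen.add(parts[1])  # guard against reference cycles
            inputs = _refs(module_calls[parts[1]].get("expressions", {}))
            if tied_to_module(inputs, module_calls, cluster, seen):
                return True
    return False


def untied_providers(plan, cluster):
    """Provider keys whose configuration never references module.<cluster> (a localhost risk)."""
    cfg = plan["configuration"]
    calls = cfg.get("root_module", {}).get("module_calls", {})
    return sorted(key for key, prov in cfg.get("provider_config", {}).items()
                  if prov.get("name") in K8S_PROVIDERS
                  and not tied_to_module(_refs(prov.get("expressions", {})), calls, cluster))


def sample_plan(fixed):
    """Constructed plan fragment mirroring the issue's layout; `fixed` applies apeabody's change."""
    auth_inputs = ["module.gke_REDACTED.name", "module.gke_REDACTED"] if fixed else ["local.cluster_name"]
    host = {"references": ["module.gke_auth.host", "module.gke_auth"]}
    return {"configuration": {
        "provider_config": {
            "kubernetes": {"name": "kubernetes", "expressions": {"host": host}},
            "helm": {"name": "helm", "expressions": {"kubernetes": [{"host": host}]}}},
        "root_module": {"module_calls": {
            "gke_auth": {"expressions": {"cluster_name": {"references": auth_inputs}}}}}}}
```

On real output, feed `json.load()` of `terraform show -json plan.tfplan` to `untied_providers`; the check follows expression references only, so a module-level `depends_on` on the cluster module is not credited.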

apeabody added the triaged label Jan 22, 2025