opentelekomcloud_cce_cluster_v3 using wrong default value which results in wrong authentication mode #2784

Open
CHS-OTC opened this issue Jan 15, 2025 · 2 comments

CHS-OTC commented Jan 15, 2025

Hello,

the opentelekomcloud_cce_cluster_v3 resource is using the wrong default value.
The TF docs say that if "authentication_mode" is not set, then the default value "rbac" is used.
But that is not true. Instead it uses the value "x509" which is not the correct default value for current CCE versions. "rbac" should be used as it is described in the OTC TF provider docs.

The wrong "x509" value causes the permission management of current cluster versions to not be effective.

From OTC provider docs:
authentication_mode - (Optional) Authentication mode of the cluster, possible values are rbac and authenticating_proxy. Defaults to rbac. Changing this parameter will create a new cluster resource.

Terraform provider version

opentelekomcloud v1.36.28

Affected Resource(s)

opentelekomcloud_cce_cluster_v3

Terraform Configuration Files

resource "opentelekomcloud_cce_cluster_v3" "cluster_1" {
  name        = "cluster-tf-x509"
  description = "Create cluster"

  cluster_type           = "VirtualMachine"
  flavor_id              = "cce.s1.small"
  vpc_id                 = "xxx"
  subnet_id              = "xxx"
  container_network_type = "overlay_l2"
  kube_proxy_mode        = "ipvs"
}

Debug Output/Panic Output

no error as the cluster itself is getting created.

Steps to Reproduce

  1. terraform apply

Expected Behavior

Creates CCE cluster with rbac authentication

Actual Behavior

Creates CCE cluster with x509 authentication.
From the TFstatefile:
"attributes": {
  "annotations": null,
  "authenticating_proxy": [],
  "authenticating_proxy_ca": null,
  "authentication_mode": "x509",

@anton-sidelnikov anton-sidelnikov self-assigned this Jan 16, 2025
@anton-sidelnikov
Member

Hi @CHS-OTC, in our case it is better not to change the default value for a ForceNew parameter. I will change the doc with some additional notes.

otc-zuul bot pushed a commit that referenced this issue Jan 16, 2025
[Doc] authentication_mode doc update

Summary of the Pull Request
Updating doc regarding latest changes for authentication_mode attribute
PR Checklist

 Refers to: #2784
 Tests added/passed.
 Documentation updated.
 Schema updated.
 Release notes added.

Reviewed-by: Artem Lifshits
@dombisza
Contributor

dombisza commented Jan 17, 2025

Hi @anton-sidelnikov, I understand that now it is really hard to change, since it will trigger cluster re-creation unless it's in ignore_changes, but now the Terraform provider is using an unsupported default value. The OTC API should also reject these requests. A bug ticket has been raised by the backend squad to not allow cluster creation with x509, so once that fix is released users cannot deploy clusters with the default value and you will be forced to change authentication_mode nevertheless.
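
An added example, not part of the issue thread or the provider's code: a Python audit over a Terraform state file (version 4 JSON layout) that lists every managed opentelekomcloud_cce_cluster_v3 whose recorded authentication_mode is not one of the two values the quoted docs list. The sample state and the function name audit_state are constructed for illustration.

```python
import json
import sys

RESOURCE_TYPE = "opentelekomcloud_cce_cluster_v3"
# The two values the provider docs quoted in the issue list as possible.
DOCUMENTED_MODES = {"rbac", "authenticating_proxy"}

# Constructed sample in the state v4 layout (not a real state file).
SAMPLE_STATE = json.dumps({"version": 4, "resources": [
    {"mode": "managed", "type": RESOURCE_TYPE, "name": "cluster_1",
     "instances": [{"attributes": {"name": "cluster-tf-x509",
                                   "authentication_mode": "x509"}}]},
    {"module": "module.prod", "mode": "managed", "type": RESOURCE_TYPE,
     "name": "cluster", "instances": [
         {"index_key": 0, "attributes": {"name": "prod-0",
                                         "authentication_mode": "rbac"}},
         {"index_key": 1, "attributes": {"name": "prod-1",
                                         "authentication_mode": "x509"}}]},
    {"mode": "managed", "type": "opentelekomcloud_vpc_v1", "name": "vpc",
     "instances": [{"attributes": {"name": "vpc-1"}}]},
]})

def audit_state(state_text):
    """Return one finding per managed CCE cluster instance whose
    authentication_mode in state is missing or not a documented value."""
    findings = []
    for res in json.loads(state_text).get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != RESOURCE_TYPE:
            continue  # skip data sources and unrelated resource types
        base = f'{res["type"]}.{res["name"]}'
        if res.get("module"):
            base = f'{res["module"]}.{base}'
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            mode = attrs.get("authentication_mode")
            if mode in DOCUMENTED_MODES:
                continue
            # count/for_each instances carry an index_key in state
            key = inst.get("index_key")
            addr = base if key is None else f"{base}[{json.dumps(key)}]"
            findings.append({"address": addr, "cluster": attrs.get("name"),
                             "authentication_mode": mode})
    return findings

if __name__ == "__main__":
    # Pass a state file path, or run without arguments to use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATE
    for f in audit_state(text):
        print(f'{f["address"]}: {f["cluster"]} uses {f["authentication_mode"]}')
```

Each address it reports is a cluster that would need authentication_mode set explicitly, which per the quoted docs creates a new cluster resource.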
