Containers API - cluster config update

mihivagyok commented 11 months ago

in case of Openshift, honor the endpoint type when generating the token based kubeconfig

Test: ROKS 4.12 on VPC (Public Service Endpoint is disabled)

Both configs contain the Private Service Endpoint - as that is the default for the cluster.

➜ go run main.go -clustername ck6414bl0a61qv1bo690 -path /Users/adam/terraform/terraform_output
➜ cat /Users/adam/terraform/terraform_output/6189e52cfb76e60b485d8d90acc513b9337734242accf8dbfbbb943f777f92d8_ck6414bl0a61qv1bo690_k8sconfig/config.yml      
apiVersion: v1
clusters:
- cluster:
server: https://c108-e.private.eu-gb.containers.cloud.ibm.com:31579
name: console-vpe-412/ck6414bl0a61qv1bo690
- cluster:
server: https://c108-e.private.eu-gb.containers.cloud.ibm.com:31579
name: c108-e-private-eu-gb-containers-cloud-ibm-com:31579
contexts:
- context:
cluster: console-vpe-412/ck6414bl0a61qv1bo690
namespace: default
user: ""
name: console-vpe-412/ck6414bl0a61qv1bo690
- context:
cluster: c108-e-private-eu-gb-containers-cloud-ibm-com:31579
namespace: default
user: IAM#iksroch2@us.ibm.com/c108-e-private-eu-gb-containers-cloud-ibm-com:31579
name: default/c108-e-private-eu-gb-containers-cloud-ibm-com:31579/IAM#iksroch2@us.ibm.com
current-context: default/c108-e-private-eu-gb-containers-cloud-ibm-com:31579/IAM#iksroch2@us.ibm.com
kind: Config
preferences: {}
users:
- name: IAM#iksroch2@us.ibm.com/c108-e-private-eu-gb-containers-cloud-ibm-com:31579
user:
token: sha256~XXXXXXXX

Both configs contain the Virtual Privat Endpoint - as that is configured for the command

➜ go run main.go -clustername ck6414bl0a61qv1bo690 -path /Users/adam/terraform/terraform_output -endpoint vpe
➜ cat /Users/adam/terraform/terraform_output/6189e52cfb76e60b485d8d90acc513b9337734242accf8dbfbbb943f777f92d8_ck6414bl0a61qv1bo690_k8sconfig/config.yml
apiVersion: v1
clusters:
- cluster:
server: https://ck6414bl0a61qv1bo690.vpe.private.eu-gb.containers.cloud.ibm.com:31579
name: console-vpe-412/ck6414bl0a61qv1bo690
- cluster:
server: https://ck6414bl0a61qv1bo690.vpe.private.eu-gb.containers.cloud.ibm.com:31579
name: ck6414bl0a61qv1bo690-vpe-private-eu-gb-containers-cloud-ibm-com:31579
contexts:
- context:
cluster: console-vpe-412/ck6414bl0a61qv1bo690
namespace: default
user: ""
name: console-vpe-412/ck6414bl0a61qv1bo690
- context:
cluster: ck6414bl0a61qv1bo690-vpe-private-eu-gb-containers-cloud-ibm-com:31579
namespace: default
user: IAM#iksroch2@us.ibm.com/ck6414bl0a61qv1bo690-vpe-private-eu-gb-containers-cloud-ibm-com:31579
name: default/ck6414bl0a61qv1bo690-vpe-private-eu-gb-containers-cloud-ibm-com:31579/IAM#iksroch2@us.ibm.com
current-context: default/ck6414bl0a61qv1bo690-vpe-private-eu-gb-containers-cloud-ibm-com:31579/IAM#iksroch2@us.ibm.com
kind: Config
preferences: {}
users:
- name: IAM#iksroch2@us.ibm.com/ck6414bl0a61qv1bo690-vpe-private-eu-gb-containers-cloud-ibm-com:31579
user:
token: sha256~XXXXXX

mihivagyok commented 11 months ago

ROKS cluster on Classic infrastructure - endpointType = vpe shall fail

➜ go run main.go -clustername ck62u6gd0o9mufuad97g -path /Users/adam/terraform/terraform_output -endpoint vpe
...
{"incidentID":"338264d4-b1fb-4318-a0b4-2e0534e02a14","code":"E1cdd","description":"The endpoint type 'vpe' is only supported for clusters on VPC Gen 2.","type":"BadRequest","recoveryCLI":"Remove the '--endpoint vpe' flag or provide a cluster on VPC Gen 2."}
2023/09/25 12:38:40 Request failed with status code: 400, ServerErrorResponse: {"incidentID":"338264d4-b1fb-4318-a0b4-2e0534e02a14","code":"E1cdd","description":"The endpoint type 'vpe' is only supported for clusters on VPC Gen 2.","type":"BadRequest","recoveryCLI":"Remove the '--endpoint vpe' flag or provide a cluster on VPC Gen 2."}
exit status 1

mihivagyok commented 11 months ago

Test ROKS 4.13 on VPC

Public Service Endpoint is disabled
Private Service Endpoint is available
Virtual Private Endpoint is available

Default case, endpoint is not defined

➜ go run main.go -clustername ck626cbl03i2mqa6gdgg -path /Users/adam/terraform/terraform_output
...
Debug: type is openshift trying login to get token
2023/09/25 18:34:43 Get "https://ck626cbl03i2mqa6gdgg.vpe.private.eu-gb.containers.cloud.ibm.com:32290/.well-known/oauth-authorization-server": dial tcp: lookup ck626cbl03i2mqa6gdgg.vpe.private.eu-gb.containers.cloud.ibm.com: no such host
exit status 1

This error is expected. The MasterURL is configured to use VPE in ROKS 4.13. If the test executor cannot reach it, it shall fail. The result is the same like with the master version of bluemix-go.

If the code runs on a test executor which has access to VPE, the same call is successful.

➜ go run main.go -clustername ck626cbl03i2mqa6gdgg -path /Users/adam/terraform/terraform_output
...
Got the token and user  IAM#iksroch2@us.ibm.com
/Users/adam/terraform/terraform_output/fcf646e4a29caf41590242a9870b276008142b5991e66f5874f0c30d1be53a37_ck626cbl03i2mqa6gdgg_k8sconfig/config.yml

kubeconfig:
```
apiVersion: v1
clusters:
```
cluster: server: https://c108-e.private.eu-gb.containers.cloud.ibm.com:32290 name: console-vpe-413/ck626cbl03i2mqa6gdgg
cluster: server: https://ck626cbl03i2mqa6gdgg.vpe.private.eu-gb.containers.cloud.ibm.com:32290 name: ck626cbl03i2mqa6gdgg-vpe-private-eu-gb-containers-cloud-ibm-com:32290 contexts:
context: cluster: console-vpe-413/ck626cbl03i2mqa6gdgg namespace: default user: "" name: console-vpe-413/ck626cbl03i2mqa6gdgg
context: cluster: ck626cbl03i2mqa6gdgg-vpe-private-eu-gb-containers-cloud-ibm-com:32290 namespace: default user: IAM#iksroch2@us.ibm.com/ck626cbl03i2mqa6gdgg-vpe-private-eu-gb-containers-cloud-ibm-com:32290 name: default/ck626cbl03i2mqa6gdgg-vpe-private-eu-gb-containers-cloud-ibm-com:32290/IAM#iksroch2@us.ibm.com current-context: default/ck626cbl03i2mqa6gdgg-vpe-private-eu-gb-containers-cloud-ibm-com:32290/IAM#iksroch2@us.ibm.com kind: Config preferences: {} users:
name: IAM#iksroch2@us.ibm.com/ck626cbl03i2mqa6gdgg-vpe-private-eu-gb-containers-cloud-ibm-com:32290 user: token: sha256~XXXXXXX

The first kubeconfig is using the Private Service Endpont, and the second kubeconfig contains the Virtual Private Endpoint URL as server address.

To have the kubeconfigs with the same server address settings, use the -endpoint vpe or the -endpoint private options:

VPE

➜ go run main.go -clustername ck626cbl03i2mqa6gdgg -path /Users/adam/terraform/terraform_output -endpoint vpe
...
Got the token and user  IAM#iksroch2@us.ibm.com
/Users/adam/terraform/terraform_output/fcf646e4a29caf41590242a9870b276008142b5991e66f5874f0c30d1be53a37_ck626cbl03i2mqa6gdgg_k8sconfig/config.yml

kubeconfig with VPE only
```
apiVersion: v1
clusters:
```
cluster: server: https://ck626cbl03i2mqa6gdgg.vpe.private.eu-gb.containers.cloud.ibm.com:32290 name: console-vpe-413/ck626cbl03i2mqa6gdgg
cluster: server: https://ck626cbl03i2mqa6gdgg.vpe.private.eu-gb.containers.cloud.ibm.com:32290 name: ck626cbl03i2mqa6gdgg-vpe-private-eu-gb-containers-cloud-ibm-com:32290 contexts:
context: cluster: console-vpe-413/ck626cbl03i2mqa6gdgg namespace: default user: "" name: console-vpe-413/ck626cbl03i2mqa6gdgg
context: cluster: ck626cbl03i2mqa6gdgg-vpe-private-eu-gb-containers-cloud-ibm-com:32290 namespace: default user: IAM#iksroch2@us.ibm.com/ck626cbl03i2mqa6gdgg-vpe-private-eu-gb-containers-cloud-ibm-com:32290 name: default/ck626cbl03i2mqa6gdgg-vpe-private-eu-gb-containers-cloud-ibm-com:32290/IAM#iksroch2@us.ibm.com current-context: default/ck626cbl03i2mqa6gdgg-vpe-private-eu-gb-containers-cloud-ibm-com:32290/IAM#iksroch2@us.ibm.com kind: Config preferences: {} users:
name: IAM#iksroch2@us.ibm.com/ck626cbl03i2mqa6gdgg-vpe-private-eu-gb-containers-cloud-ibm-com:32290 user: token: sha256~sBzDZeDuALARavYUCTu3YdexE_w8S2x3nCf47oqvGyE

Private Service Endpoint

➜ go run main.go -clustername ck626cbl03i2mqa6gdgg -path /Users/adam/terraform/terraform_output -endpoint private
...
Got the token and user  IAM#iksroch2@us.ibm.com
/Users/adam/terraform/terraform_output/fcf646e4a29caf41590242a9870b276008142b5991e66f5874f0c30d1be53a37_ck626cbl03i2mqa6gdgg_k8sconfig/config.yml

kubeconfig with Private Service Endpoint only
```
apiVersion: v1
clusters:
```
cluster: certificate-authority: ca.pem server: https://c108.private.eu-gb.containers.cloud.ibm.com:32290 name: console-vpe-413/ck626cbl03i2mqa6gdgg
cluster: server: https://c108-e.private.eu-gb.containers.cloud.ibm.com:32290 name: c108-e-private-eu-gb-containers-cloud-ibm-com:32290 contexts:
context: cluster: console-vpe-413/ck626cbl03i2mqa6gdgg namespace: default user: "" name: console-vpe-413/ck626cbl03i2mqa6gdgg
context: cluster: c108-e-private-eu-gb-containers-cloud-ibm-com:32290 namespace: default user: IAM#iksroch2@us.ibm.com/c108-e-private-eu-gb-containers-cloud-ibm-com:32290 name: default/c108-e-private-eu-gb-containers-cloud-ibm-com:32290/IAM#iksroch2@us.ibm.com current-context: default/c108-e-private-eu-gb-containers-cloud-ibm-com:32290/IAM#iksroch2@us.ibm.com kind: Config preferences: {} users:
name: IAM#iksroch2@us.ibm.com/c108-e-private-eu-gb-containers-cloud-ibm-com:32290 user: token: sha256~XXXXXXX

IBM-Cloud / bluemix-go

Containers API - cluster config update #396