hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for providing custom ca cert from Key Vault KS Istio Add-on #26311

Closed gigabytte closed 4 months ago

gigabytte commented 5 months ago

Description

Looking for support similar to that provided by the azapi reference below: the ability to provide a custom CA cert for the Istio mesh via Key Vault.

```hcl
resource "azapi_update_resource" "aks_istio_ca" {
  type        = "Microsoft.ContainerService/managedClusters@2024-02-02-preview"
  resource_id = module.main.aks_cluster_id["aks"]
  body = jsonencode({
    properties = {
      serviceMeshProfile = {
        mode = "Istio"
        istio = {
          components = {
            ingressGateways = [
              {
                mode    = "Internal"
                enabled = true
              }
            ]
          }
          revisions = ["asm-1-20"]
          certificateAuthority = {
            plugin = {
              rootCertObjectName  = "root-cert"
              certObjectName      = "ca-cert"
              keyObjectName       = "ca-key"
              certChainObjectName = "cert-chain"
              keyVaultId          = module.main.vault_id["akv"]
            }
          }
        }
      }
    }
  })
}
```

New or Affected Resource(s)/Data Source(s)

azurerm_3.107.0

Potential Terraform Configuration

```hcl
resource "azurerm_kubernetes_cluster" "example" {
  name = "example-aks1"
  # ...

  service_mesh_profile {
    mode = "Istio"
    # ...
    certificate_authority = {
      root_name       = "root-cert"
      cert_name       = "ca-cert"
      key_name        = "ca-key"
      cert_chain_name = "cert-chain"
      key_vault_id    = "<some_akv_resource_id>"
    }
  }
}
```

References

No response
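
The four object names in the certificateAuthority.plugin block above (root-cert, ca-cert, ca-key, cert-chain) follow Istio's plug-in CA layout: a root certificate every workload trusts, an intermediate the mesh signs workload certificates with, that intermediate's private key, and the chain from the intermediate up to the root. Terraform and the ARM API only reference these objects by name, so a mismatch between them (a key uploaded from a different CA, a chain that starts with the wrong certificate, root and intermediate swapped) is not something a plan or apply can detect. The Go program below is an added example for this page, not code from the issue, the provider, or Istio: it uses only the standard library to generate a constructed, throwaway root and intermediate in that layout (standing in for the real CA material you would upload) and checks that the four objects are mutually consistent before they go into Key Vault. The function names `MakeBundle`, `ValidatePluginCA`, the helpers, and the `constructed-*` common names are this example's own.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Key Vault object names used by the certificateAuthority.plugin block above.
const (
	RootCert  = "root-cert"  // self-signed root that every workload trusts
	CACert    = "ca-cert"    // intermediate the mesh signs workload certs with
	CAKey     = "ca-key"     // private key of ca-cert, PKCS#8 PEM
	CertChain = "cert-chain" // ca-cert followed by the certs up to the root
)

// issueCA mints a constructed CA cert for pub (nil parent = self-signed); it only
// builds fixtures for this example, so it panics instead of returning errors.
func issueCA(cn string, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

func certPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// MakeBundle builds a throwaway root + intermediate (constructed test data) in the four-object layout.
func MakeBundle() map[string][]byte {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	root := issueCA("constructed-root", &rootKey.PublicKey, nil, rootKey)
	ca := issueCA("constructed-istio-ca", &caKey.PublicKey, root, rootKey)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(caKey)
	return map[string][]byte{
		RootCert: certPEM(root), CACert: certPEM(ca),
		CAKey:     pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}),
		CertChain: append(certPEM(ca), certPEM(root)...),
	}
}

// parseCerts parses every PEM block of an object as a certificate, in order.
func parseCerts(p []byte) (certs []*x509.Certificate, err error) {
	for b, rest := pem.Decode(p); b != nil && err == nil; b, rest = pem.Decode(rest) {
		var c *x509.Certificate
		c, err = x509.ParseCertificate(b.Bytes)
		certs = append(certs, c)
	}
	return certs, err
}

// ValidatePluginCA checks the four objects agree with each other: ca-cert is a CA issued
// under root-cert, ca-key is ca-cert's private key, and cert-chain starts with ca-cert.
func ValidatePluginCA(objs map[string][]byte) error {
	parsed := map[string][]*x509.Certificate{}
	for _, name := range []string{RootCert, CACert, CertChain} {
		certs, err := parseCerts(objs[name])
		if err != nil || len(certs) == 0 {
			return fmt.Errorf("%s: no usable certificate (%v)", name, err)
		}
		parsed[name] = certs
	}
	root, ca, chain := parsed[RootCert][0], parsed[CACert][0], parsed[CertChain]
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	opts.Roots.AddCert(root)
	if _, err := ca.Verify(opts); err != nil || !ca.IsCA {
		return fmt.Errorf("%s: not a CA issued under %s (%v)", CACert, RootCert, err)
	}
	var key any // any PKCS#8 key type is accepted; the fixture happens to be ECDSA
	if b, _ := pem.Decode(objs[CAKey]); b != nil {
		key, _ = x509.ParsePKCS8PrivateKey(b.Bytes)
	}
	signer, ok := key.(crypto.Signer)
	pub, _ := ca.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || pub == nil || !pub.Equal(signer.Public()) {
		return fmt.Errorf("%s: not the PKCS#8 private key of %s", CAKey, CACert)
	}
	if !chain[0].Equal(ca) {
		return fmt.Errorf("%s: does not start with %s", CertChain, CACert)
	}
	return nil
}
```

To use it against real material, replace `MakeBundle` with a map built from the PEM files you are about to upload under those four object names and gate the upload on `ValidatePluginCA` returning nil. `ca.Verify` also enforces validity dates and the CA basic constraints on both certificates, so an expired root or an intermediate issued without the CA flag is rejected here rather than by the mesh at runtime.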

gigabytte commented 3 months ago

Great work, thanks for the quick feedback and feature implementation. Issues I've found so far while upgrading an existing mesh without custom CA certs: it looks like the API call requires the Istio ASM version to be defined when applying a PATCH call against the mesh, meaning the provider should expose the revisions attribute.

Example json body

```json
{
  "serviceMeshProfile": {
    "mode": "Istio",
    "istio": {
      "components": {
        "ingressGateways": [
          {
            "enabled": true,
            "mode": "Internal"
          }
        ],
        "egressGateways": [
          {
            "enabled": true
          }
        ]
      },
      "certificateAuthority": {
        "plugin": {
          "keyVaultId": "/subscriptions/854c9ddb-fe9e-4aea-8d58-99ed88282881/resourceGroups/ddama-test/providers/Microsoft.KeyVault/vaults/my-akv",
          "certObjectName": "ca-cert",
          "keyObjectName": "ca-key",
          "rootCertObjectName": "root-cert",
          "certChainObjectName": "cert-chain"
        }
      },
      "revisions": [
        "asm-1-17"
      ]
    }
  }
}
```

https://learn.microsoft.com/en-us/rest/api/aks/managed-clusters/create-or-update?view=rest-aks-2024-05-01&tabs=HTTP

Error docs: https://learn.microsoft.com/en-us/troubleshoot/azure/azure-kubernetes/extensions/istio-add-on-general-troubleshooting

Error reported from Azure:

```text
│ Error: updating Kubernetes Cluster (Subscription: "xxxxxxxxxxxxxxxxxxxxx"
│ Resource Group Name: "xxxxxxxxxxxxxxxx"
│ Kubernetes Cluster Name: "xxxxxxxxxxxxx"): performing CreateOrUpdate: unexpected status 400 (400 Bad Request) with response: {
│   "code": "BadRequest",
│   "details": null,
│   "message": "Requested change in revisions is not allowed. Reason: ServiceMeshProfile revision field must not be empty.",
│   "subcode": ""
│  }
│ 
│   with module.main.module.aks["xxxxxxx"].azurerm_kubernetes_cluster.main,
│   on .terraform/modules/main.aks/main.tf line 39, in resource "azurerm_kubernetes_cluster" "main":
│   39: resource "azurerm_kubernetes_cluster" "main" {
```

gigabytte commented 3 months ago

@stephybun due to error above can we reopen this issue?

stephybun commented 3 months ago

@gigabytte this PR exposes the revisions attribute, however due to the behaviour of the API this field will be added as a Required attribute which is a breaking change. Since https://github.com/hashicorp/terraform-provider-azurerm/issues/25724 is tracking the feature request for this field I'd prefer to not re-open this and would suggest subscribing to the issue and/or the PR for updates.

We're currently heads down in preparation for the next major release of the provider, which will include this change, so please bear with us.

github-actions[bot] commented 2 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.