Open vojkny opened 1 year ago
@knyttl GKE Autopilot has special rules for access scopes. Can you review its doc below? Does it make sense to you?
https://cloud.google.com/kubernetes-engine/docs/how-to/access-scopes
I have read those and re-read them, and these special rules shouldn't be an issue. All the roles I wanted to add should be allowed. Also, in case these were not allowed, it would be better to die than to keep trying to recreate the cluster infinitely.
@knyttl where did you find the statement below? Choosing Autopilot, there are many features pre-configured. Here is the comparison between Autopilot and regular GKE. You may see that its setup behavior is different from the regular one.
All the roles I wanted to add should be allowed
My case is this:
And I see no reason why I would not be able to add:
+ "https://www.googleapis.com/auth/bigquery",
+ "https://www.googleapis.com/auth/devstorage.read_write",
+ "https://www.googleapis.com/auth/logging.write",
+ "https://www.googleapis.com/auth/monitoring",
+ "https://www.googleapis.com/auth/pubsub",
There is nothing mentioning this would be impossible?
@melinath can you take a look at this?
I failed to repro this issue with the following config:
resource "google_container_cluster" "primary" {
  name            = "terraform-autopilot"
  location        = "us-central1"
  enable_autopilot = true

  release_channel {
    channel = "RAPID"
  }

  cluster_autoscaling {
    auto_provisioning_defaults {
      oauth_scopes = [
        "https://www.googleapis.com/auth/bigquery",
        "https://www.googleapis.com/auth/devstorage.read_write",
        "https://www.googleapis.com/auth/logging.write",
        "https://www.googleapis.com/auth/monitoring",
        "https://www.googleapis.com/auth/pubsub",
        "https://www.googleapis.com/auth/userinfo.email",
      ]
    }
  }
}
@vojkny could you please re-share the config you used? Otherwise this issue may be obsolete.
Sorry, the configuration is here: https://gist.github.com/vojkny/de77dcab27bf1a5d7c935f27db260f2e
@vojkny can you please verify if this is still an issue?
Hi, we abandoned this topic.
Terraform Version
Affected Resource(s)
google_container_cluster
Terraform Configuration Files
Debug Output
The full output is here:
https://gist.github.com/knyttl/f915d5c201342b38e113c104a7ca7db6
But the crucial part is:
Expected Behavior
It seems the oauth_scopes are not set at all:
So every terraform run tries to fully recreate the cluster.
References
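The symptom reported above (a plan that destroys and recreates the cluster on every run) is worth catching before `apply`. The following is an added example, not code from the issue thread or the provider: it reads the JSON form of a plan (`terraform show -json tfplan`) and lists every resource Terraform would replace, together with the attribute paths it records as forcing the replacement. The embedded plan is a constructed sample shaped like the thread's case; the resource addresses in it are assumptions.

```python
import json

# Constructed sample plan (shape of `terraform show -json tfplan`), mirroring
# the thread: the cluster is replaced because the planned oauth_scopes differ
# from the empty list recorded in state.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "google_container_cluster.primary",
            "type": "google_container_cluster",
            "change": {
                "actions": ["delete", "create"],
                "before": {"cluster_autoscaling": [{"auto_provisioning_defaults": [
                    {"oauth_scopes": []}]}]},
                "after": {"cluster_autoscaling": [{"auto_provisioning_defaults": [
                    {"oauth_scopes": ["https://www.googleapis.com/auth/bigquery"]}]}]},
                "replace_paths": [
                    ["cluster_autoscaling", 0, "auto_provisioning_defaults", 0, "oauth_scopes"]],
            },
        },
        {
            "address": "google_compute_network.vpc",
            "type": "google_compute_network",
            "change": {"actions": ["no-op"], "before": {}, "after": {}},
        },
    ],
})


def path_to_str(path):
    """Render a replace_paths entry such as ["a", 0, "b"] as "a.0.b"."""
    return ".".join(str(step) for step in path)


def find_replacements(plan_json):
    """Map each resource the plan would destroy and recreate to the attribute
    paths Terraform records as forcing the replacement (replace_paths).
    A replacement carries both "delete" and "create" in change.actions."""
    replaced = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc["change"]
        if {"delete", "create"} <= set(change["actions"]):
            replaced[rc["address"]] = [path_to_str(p) for p in change.get("replace_paths", [])]
    return replaced


if __name__ == "__main__":
    for addr, paths in find_replacements(SAMPLE_PLAN).items():
        print(f"{addr}: replacement forced by {', '.join(paths) or 'unknown attribute'}")
```

Running it against a real plan in CI and failing the job on a non-empty result turns the silent recreate loop into an explicit, reviewable diff.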