Closed rodrigc closed 1 year ago
@devoncrouse @hyder @Djelibeybi In older versions of this module, there was a variable `enable_operator_instance_principal`. That variable is now gone.
So looks like on the cluster I set up, the operator host does not have instance_principal configured, so I cannot run any kubectl commands against the cluster.
In this doc: https://oracle-terraform-modules.github.io/terraform-oci-oke/guide/operator_identity.html it mentions that instance_principal is disabled by default, but it does not mention how to enable it.
How do I enable instance_principal in the 5.x branch?
In this doc: https://oracle-terraform-modules.github.io/terraform-oci-oke/guide/operator_identity.html

> You can also turn on and off the feature at any time without impact on the operator or the cluster.

How can I turn on/off the instance_principal feature? It is not clear to me from the docs how to do this.
According to this doc: Enabling Instance Principal Authorization for Terraform, I can set instance_principal by doing this in the provider:
```hcl
provider "oci" {
  auth   = "InstancePrincipal"
  region = "${var.region}"
}
```
Is that the way?
You now need to use these 2:

```hcl
create_iam_resources       = true
create_iam_operator_policy = "always"
```
Note: please stop tagging folks in your comments. GitHub will notify the right people automatically.
Hi @rodrigc - as Ali mentioned above, the following two inputs control the creation of dynamic group and policy resources to grant the operator instance access to manage the associated cluster:
We also have newer versions of the 5.x pre-release published now that address many issues you may run into while evaluating - please have a look at using the latest when you get a chance.
Thanks for the clarification.
At the bare minimum, it is possible to just specify:

```hcl
create_iam_resources = true
```

Since the default value of `create_iam_operator_policy` is `auto`, and this logic in module-iam.tf:

```hcl
create_iam_operator_policy = anytrue([
  var.create_iam_operator_policy == "always",
  var.create_iam_operator_policy == "auto" && local.operator_enabled
])
```

will toggle this to true if `create_operator = true`.
Quite involved to figure this out!
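Putting the answers in this thread together as a root-module configuration (an added example, not code from the module, the issue or any of its participants). It assumes the registry source string `oracle-terraform-modules/oke/oci`, a placeholder 5.x version, and that the calling module exposes `tenancy_id`, `compartment_id`, `region` and `ssh_public_key_path` variables with those names. The point it shows is that the operator host's own identity is governed by the `create_iam_*` inputs of the module, not by the `auth = "InstancePrincipal"` provider block quoted earlier, which only changes how Terraform itself authenticates to OCI.

```hcl
# Added example: minimal 5.x inputs that give the operator host an instance
# principal with rights to manage the cluster. Assumed: source/version string
# and the root-module variable names referenced below.
module "oke" {
  source  = "oracle-terraform-modules/oke/oci"
  version = "5.0.0" # placeholder; use the latest 5.x pre-release

  tenancy_id          = var.tenancy_id
  compartment_id      = var.compartment_id
  region              = var.region
  ssh_public_key_path = var.ssh_public_key_path

  # Hosts: an operator reachable through the bastion.
  create_bastion  = true
  create_operator = true

  # Identity: opt in to creating the dynamic group and policy that let the
  # operator instance act as an instance principal. This is false by default
  # because many users cannot create identity resources in their tenancy,
  # and with it false the operator is built but kubectl on it has no
  # credentials.
  create_iam_resources = true

  # "auto" (the default) creates the operator policy only when
  # create_operator is true, via the anytrue([...]) in module-iam.tf;
  # "always" creates it regardless of whether the operator is enabled.
  create_iam_operator_policy = "auto"
}
```

Because both inputs are plain booleans/strings, the grant can be revoked later by setting `create_iam_resources = false` and applying again; Terraform then removes the dynamic group and policy and the operator host loses its cluster access without the host or the cluster being rebuilt, which is what the "turn on and off at any time" sentence in the operator identity doc refers to.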
Yes, the default "auto" is intended to work like you've noted for the policy. Many users lack the ability to create identity resources in their environments, so the overall creation input is defaulted to false.
Based on the explanation in this issue, I took a whack at clarifying some of the docs: https://github.com/oracle-terraform-modules/terraform-oci-oke/pull/777
I'll think about how to clarify the docs for operator and bastion.
To me, it is really weird that you can specify:

```hcl
create_bastion  = true
create_operator = true
```

and then have an operator host where `kubectl` does not work.
Some clarifying text might help with understanding.
Closing this issue, since an explanation of how to correctly configure this with 5.x was provided.
I agree with your point above @rodrigc and appreciate the feedback - we'll think about improving this as well.
Log into bastion to get access to operator:
should be able to access the pods in the kubernetes cluster
Actual Behavior
Steps to Reproduce
kubectl