Closed fpacifici closed 1 month ago
Any workaround for this? Or is it just to manage the firewall rules ourselves?
edit: Looks like autopilot clusters don't support mutating webhooks (https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/how-to/mutation). Seems like `add_cluster_firewall_rules` and `master_ipv4_cidr_block` are not intended to be used on private autopilot clusters if the master CIDR block is not set (or because the master CIDR is not exposed?)
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days
TL;DR
Version 30.3.0 made `master_ipv4_cidr_block` default to null for private autopilot clusters. If `add_cluster_firewall_rules` is true and `master_ipv4_cidr_block` is not provided, plan and apply fail with an error that is tricky to troubleshoot (null value in a list).
Expected behavior
I am not 100% sure what the expected behavior should be here. I see the reason for not defaulting to 10.0.0.0/28 (https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/1902). Though I am not sure whether it should be possible to enable `add_cluster_firewall_rules` without specifying a `master_ipv4_cidr_block` for the cluster. Either way, I think a clearer validation error message or docs would be a good idea (see observed behavior).
Observed behavior
When creating a private autopilot cluster with `add_cluster_firewall_rules`, if I do not set `master_ipv4_cidr_block` explicitly, rather than getting a validation error I get this:
Terraform Configuration
I can provide more details if needed, but I noticed that the issue is fairly easy to repro as long as `add_cluster_firewall_rules` is true and `master_ipv4_cidr_block` is not provided. The stack trace above shows where `master_ipv4_cidr_block` is expected to not be null:
```hcl
cluster_endpoint_for_nodes = var.master_ipv4_cidr_block
```
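One way to get the clearer validation error the issue asks for from the calling side, as an added example that is not code from the issue or from the module: a root-module guard that fails at validation time when `add_cluster_firewall_rules` is true but `master_ipv4_cidr_block` is null. It assumes Terraform 1.9 or later (validation conditions may reference other variables), the `beta-autopilot-private-cluster` submodule path, and constructed project/network values.

```hcl
# Added example, not code from the issue or from the module: a root-module
# guard that turns the "null value in a list" failure into a clear message.
# Assumes Terraform >= 1.9 (validation blocks may reference other variables)
# and the beta-autopilot-private-cluster submodule path (assumed).

variable "add_cluster_firewall_rules" {
  type    = bool
  default = false
}

variable "master_ipv4_cidr_block" {
  type    = string
  default = null # matches the 30.3.0 default for private autopilot clusters

  validation {
    # The module's firewall rules consume this value (cluster_endpoint_for_nodes
    # in the stack trace), so require it whenever the rules are enabled.
    condition     = !var.add_cluster_firewall_rules || var.master_ipv4_cidr_block != null
    error_message = "master_ipv4_cidr_block must be set when add_cluster_firewall_rules is true."
  }
}

module "gke" {
  source  = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-private-cluster"
  version = "~> 30.3"

  # Constructed example values; replace with your own project and network.
  project_id        = "example-project"
  name              = "example-autopilot"
  region            = "us-central1"
  network           = "example-vpc"
  subnetwork        = "example-subnet"
  ip_range_pods     = "pods"
  ip_range_services = "services"

  add_cluster_firewall_rules = var.add_cluster_firewall_rules
  # Passed through explicitly: with the guard above, leaving it null while the
  # rules are enabled fails at validation time rather than inside a list expression.
  master_ipv4_cidr_block = var.master_ipv4_cidr_block
}
```

Running `terraform plan` with `add_cluster_firewall_rules = true` and no `master_ipv4_cidr_block` now stops at the variable validation with the message above.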