terraform-google-modules / terraform-google-kubernetes-engine

Configures opinionated GKE clusters
https://registry.terraform.io/modules/terraform-google-modules/kubernetes-engine/google
Apache License 2.0

module "gke" output "endpoint" is an external ip for a private cluster with private endpoint configured #2070

Open zaphod72 opened 1 month ago

zaphod72 commented 1 month ago

TL;DR

The "gke" module's output "endpoint" should be the internal endpoint ip for private clusters with private endpoint configured. If I deploy the first example from https://registry.terraform.io/modules/terraform-google-modules/kubernetes-engine/google/latest/submodules/beta-private-cluster then the output module.gke.endpoint should be the internal endpoint ip.

Expected behavior

Expect to have an accessible endpoint output from module.gke.endpoint when I create a private cluster with private endpoint configured. Alternatively an output module.gke.internal_endpoint should be available.

Observed behavior

A public IP is output which cannot be accessed.

Terraform Configuration

The "simple usage" example on the docs page will repro.
https://registry.terraform.io/modules/terraform-google-modules/kubernetes-engine/google/latest/submodules/beta-private-cluster#usage

Terraform Version

Terraform v1.9.5
on darwin_arm64
+ provider registry.terraform.io/hashicorp/google v6.1.0
+ provider registry.terraform.io/hashicorp/google-beta v5.43.1
+ provider registry.terraform.io/hashicorp/kubernetes v2.32.0

Additional information

No response

wyardley commented 1 month ago

Agree that this would be the ideal behavior.

Seems like that's the intent, based on https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/blob/b0585ddf7042633833584ff5c0801621bcacbab2/autogen/main/main.tf.tmpl#L146-L149

Reading that, I'm curious if setting deploy_using_private_endpoint in the config fixes this issue for you - looks like it's maybe not set in the snippet you mention?

Side note if it helps you in the meantime: looks like private_cluster_config.private_endpoint of the google_container_cluster resource has that value, and could probably be used directly.

zaphod72 commented 1 month ago

deploy_using_private_endpoint does fix it. Thanks for finding that! There's only 84 inputs on that module, not sure how I missed it 😁 .

zaphod72 commented 1 month ago

So this is probably a docs/examples issue, where using deploy_using_private_endpoint in the examples would resolve it.
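For reference, here is an added configuration (not from the thread or the project's own examples) showing the `beta-private-cluster` submodule with `deploy_using_private_endpoint` set, so that `module.gke.endpoint` resolves to the internal control-plane IP rather than the unreachable public one; the project id, network, subnet, secondary range names and CIDRs are constructed placeholders.

```hcl
# Added example (not the project's code): private GKE cluster whose
# "endpoint" output is the internal control-plane IP.
# Project id, network names and CIDRs are constructed placeholders.
module "gke" {
  source = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster"

  project_id        = "my-project-id"        # placeholder
  name              = "private-cluster-demo" # placeholder
  region            = "us-central1"
  network           = "example-vpc"          # placeholder
  subnetwork        = "example-subnet"       # placeholder
  ip_range_pods     = "example-pods"         # placeholder secondary range name
  ip_range_services = "example-services"     # placeholder secondary range name

  # Private nodes and a private-only control-plane endpoint.
  enable_private_nodes    = true
  enable_private_endpoint = true
  master_ipv4_cidr_block  = "172.16.0.0/28" # constructed

  # Without this flag the module's "endpoint" output reports the public
  # endpoint, which is unreachable when enable_private_endpoint = true.
  deploy_using_private_endpoint = true

  # Restrict control-plane access to an internal range (constructed).
  master_authorized_networks = [
    {
      cidr_block   = "10.0.0.0/16"
      display_name = "vpc-primary"
    },
  ]
}

# With deploy_using_private_endpoint = true this is the internal IP.
# The module marks "endpoint" sensitive, so the wrapping output must be too.
output "cluster_endpoint" {
  value     = module.gke.endpoint
  sensitive = true
}
```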

wyardley commented 1 month ago

Yeah, I don't know the backstory there, so hopefully someone from Google will have an idea of whether this is the intended behavior. I just came across it looking at the code, but agree with you that it would be nice to have slightly different behavior as well as some docs tweaks -- either having two separate outputs for public / private endpoints and / or making sure the private endpoint is used at least in the case where there's no public one.

Either way, hope this helps in the meantime.