-
Notifications
You must be signed in to change notification settings - Fork 4.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kubernetes_cluster
-gmsa
#16437
kubernetes_cluster
-gmsa
#16437
Conversation
k8s_cluster
supports gmsa_profile
k8s_cluster
supports gmsa_profile
kubernetes_cluster
supports gmsa_profile
kubernetes_cluster
supports gmsa_profile
kubernetes_cluster
-gmsa_profile
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this PR @heiazuo.
In the AKS resource as well as throughout the provider we typically don't expose an enabled
field for blocks, since the behaviour should be if block is present -> enabled, if block is absent -> disabled.
Since both the DNS server and root domain name can be left empty/omitted I think these might be better as their own individual properties
gmsa_enabled
gmsa_dns_server
gmsa_root_domain_name
Optional: true, | ||
Elem: &pluginsdk.Resource{ | ||
Schema: map[string]*pluginsdk.Schema{ | ||
"enabled": { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we not expose this field for toggling GMSA, as with the other blocks in the AKS resource and across most of the provider the behaviour should be if block is present -> enabled, if block is absent -> disabled.
@@ -852,6 +852,28 @@ func resourceKubernetesCluster() *pluginsdk.Resource { | |||
string(containerservice.LicenseTypeWindowsServer), | |||
}, false), | |||
}, | |||
"gmsa_profile": { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
_profile
doesn't add any informational value, so i'd suggest removing it.
"gmsa_profile": { | |
"gmsa": { |
77a67f6
to
75040b8
Compare
Hi @stephybun , would you please take another look? Thanks! |
Hi @stephybun , would you please take a look at this PR? Thanks! |
"gmsa": { | ||
Type: pluginsdk.TypeList, | ||
Optional: true, | ||
Elem: &pluginsdk.Resource{ | ||
Schema: map[string]*pluginsdk.Schema{ | ||
"gmsa_dns_server": { | ||
Type: pluginsdk.TypeString, | ||
Optional: true, | ||
ValidateFunc: validation.StringIsNotEmpty, | ||
}, | ||
"gmsa_root_domain_name": { | ||
Type: pluginsdk.TypeString, | ||
Optional: true, | ||
ValidateFunc: validation.StringIsNotEmpty, | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If both gmsa_dns_server
and gmsa_root_domain_name
are optional, then if a user wants to enable gmsa without specifying either of those properties they would have to add an empty block to their config like below
gmsa {}
Is this a valid use case? If so then I think we should flatten this block and create three separate properties like was suggested initially. This would be more consistent with the resource and the provider.
Hi @stephybun, I modified it according to the suggestion, please take a look again. |
"gmsa_dns_server": { | ||
Type: pluginsdk.TypeString, | ||
Optional: true, | ||
ValidateFunc: validation.StringIsNotEmpty, | ||
}, | ||
"gmsa_root_domain_name": { | ||
Type: pluginsdk.TypeString, | ||
Optional: true, | ||
ValidateFunc: validation.StringIsNotEmpty, | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Given the changes last made I'm assuming even though gmsa can be enabled without specifying a dns server and root domain it isn't a functional configuration. In that case we can use a block, but should specify AtLeastOneOf
so at least one or the other property must be specified for the block.
"gmsa_dns_server": { | |
Type: pluginsdk.TypeString, | |
Optional: true, | |
ValidateFunc: validation.StringIsNotEmpty, | |
}, | |
"gmsa_root_domain_name": { | |
Type: pluginsdk.TypeString, | |
Optional: true, | |
ValidateFunc: validation.StringIsNotEmpty, | |
}, | |
"gmsa": { | |
Type: pluginsdk.TypeList, | |
Optional: true, | |
MaxItems: 1, | |
Elem: &pluginsdk.Resource{ | |
Schema: map[string]*pluginsdk.Schema{ | |
"dns_server": { | |
Type: pluginsdk.TypeString, | |
Optional: true, | |
ValidateFunc: validation.StringIsNotEmpty, | |
AtLeastOneOf: []string{"windows_profile.0.gmsa.0.dns_server"}, | |
}, | |
"root_domain": { | |
Type: pluginsdk.TypeString, | |
Optional: true, | |
ValidateFunc: validation.StringIsNotEmpty, | |
AtLeastOneOf: []string{"windows_profile.0.gmsa.0.root_domain"}, | |
}, | |
}, | |
}, | |
}, |
05f536d
to
835d8a8
Compare
Hi @stephybun, changes have been made as suggested, would you please take a look at this PR? Thanks! |
835d8a8
to
21d6288
Compare
21d6288
to
40f1bb8
Compare
Is it gonna to be finished soon ? I'm waiting for this to be able rollout Windows Nodes. Any ETA will be appreciated. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @qiqingzhang, sorry for the delayed re-review here.
While playing around with this I noticed that once gmsa is enabled for a cluster it isn't possible to disable it. We should add some logic to CustomizeDiff
that will ForceNew the resource if a user tries to remove the gmsa block.
Once that's done we can take another look through.
Thanks!
Hi @stephybun , I've added a commit to fix it, please take another look, thanks! |
|
||
A `gmsa` block supports the following: | ||
|
||
* `dns_server` - (Optional) Specifies the DNS server for Windows gMSA. Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you please confirm with the service team whether setting dns_server
and root_domain
to empty is a valid configuration for the cluster? This isn't mentioned in the documentation anywhere?
"dns_server": { | ||
Type: pluginsdk.TypeString, | ||
Optional: true, | ||
ValidateFunc: validation.StringIsNotEmpty, | ||
AtLeastOneOf: []string{"windows_profile.0.gmsa.0.dns_server", "windows_profile.0.gmsa.0.root_domain"}, | ||
}, | ||
"root_domain": { | ||
Type: pluginsdk.TypeString, | ||
Optional: true, | ||
ValidateFunc: validation.StringIsNotEmpty, | ||
AtLeastOneOf: []string{"windows_profile.0.gmsa.0.dns_server", "windows_profile.0.gmsa.0.root_domain"}, | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like the API has changed since it now throws an error if only one or the other is set. Depending on the answer to my question in the other comment left in-line, these should either both become Required or RequiredWith.
"dns_server": { | |
Type: pluginsdk.TypeString, | |
Optional: true, | |
ValidateFunc: validation.StringIsNotEmpty, | |
AtLeastOneOf: []string{"windows_profile.0.gmsa.0.dns_server", "windows_profile.0.gmsa.0.root_domain"}, | |
}, | |
"root_domain": { | |
Type: pluginsdk.TypeString, | |
Optional: true, | |
ValidateFunc: validation.StringIsNotEmpty, | |
AtLeastOneOf: []string{"windows_profile.0.gmsa.0.dns_server", "windows_profile.0.gmsa.0.root_domain"}, | |
}, | |
"dns_server": { | |
Type: pluginsdk.TypeString, | |
Optional: true, | |
ValidateFunc: validation.StringIsNotEmpty, | |
RequiredWith: []string{"windows_profile.0.gmsa.0.dns_server", "windows_profile.0.gmsa.0.root_domain"}, | |
}, | |
"root_domain": { | |
Type: pluginsdk.TypeString, | |
Optional: true, | |
ValidateFunc: validation.StringIsNotEmpty, | |
RequiredWith: []string{"windows_profile.0.gmsa.0.dns_server", "windows_profile.0.gmsa.0.root_domain"}, | |
}, |
Hi @stephybun , I've confirmed with service team, if both |
Thanks for clarifying @ms-henglu. To avoid the case where a user would need to add in an empty gmsa block in their config just to enable it I think we need to make the following adjustments to the schema
Once that's done this should be good to go! |
Hi @stephybun , Thanks for the suggestion, I've updated the schema, would you please take another look? Thanks! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @qiqingzhang @ms-henglu LGTM 🍕
This functionality has been released in v3.22.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you! |
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. |
Closes #16386
create a public pull request for
k8s_cluster
supportsgmsa
test result: