feat: add PSACT to cluster_v2 resource and data-source #1117
836d070 to f916a1c
Please let me know if I can do anything else to contribute.
@lazyfrosch, would you mind implementing this for the
I could look into it, should be an easy change as well. Would love to get some feedback from the maintainers though.
Looks like setting PSACT will cause problems with Currently working on a workaround. It might be time to switch
A workaround for our module would be something like the following, adding the path for the PSACT config file if PSACT is enabled. This at least will avoid constant changes being supposed. Any thoughts?

```hcl
locals {
  # see https://github.com/rancher/webhook/blob/3cefe89c44f502905b63200d875486d3590b081e/pkg/resources/provisioning.cattle.io/v1/cluster/mutator.go#L160
  rancher_psact_mount_path = "/etc/rancher/rke2/config/rancher-psact.yaml"

  # Default parameter to enable PSACT in RKE2
  # Normally this is set by the rancher-webhook mutation (but we need to set it here for Terraform when a PSACT is selected)
  kube_apiserver_arg_psact = var.default_psa_template != null && var.default_psa_template != "" ? ["admission-control-config-file=${local.rancher_psact_mount_path}"] : []
  kube_apiserver_arg       = var.kubernetes_apiserver_use_defaults ? concat(local.kube_apiserver_arg_psact, var.kubernetes_apiserver_args) : var.kubernetes_apiserver_args
}

# ...
resource "rancher2_cluster_v2" "cluster" {
  # ...
  rke_config {
    machine_global_config = yamlencode({
      cni = "calico"
      # disable = [
      #   "rke2-ingress-nginx"
      # ]
      kube-apiserver-arg = local.kube_apiserver_arg
      tls-san = [
        module.vip_control_plane_address.fqdn,
      ]
    })
  }
  # ...
}
```
@lazyfrosch Thanks for opening this! This has already been implemented for the Did you ever find a workaround for Terraform displaying constant changes with
@a-blender I'm doing a workaround in setting The change is done by a MutatingWebhook with the rancher-webhook deployment. It is not easy to implement this properly within the provider.
@lazyfrosch Ahh, so the problem is that when PSACT is enabled for a v2 prov cluster via Terraform, Rancher webhook will auto add
@a-blender exactly, Terraform would try to revert it, while the MutationWebhook is always editing it back. Part of the problem is the string/YAML format of that field, where it is hard to ignore certain elements changing.
@lazyfrosch Yeah, I'm looking at lifecycle ignore_changes but I don't think we can ignore a meta arg within a string. But based on the multi-structural nature of a machine global config, we may want to keep the type as encoded YAML because we don't know what subfields will be string vs list. Honestly, the more I investigate this the more I like your solution. I think it'd be fine to require setting Discussing options with my team.
I confirmed with the following less verbose configuration, when PSACT is set, that Terraform doesn't try to apply changes to
Terraform plan
I will open a docs PR for this. Otherwise lgtm, @lazyfrosch can you please resolve the test file conflicts?
Will rebase it later... the resolve editor in web is not that good 🤣
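As an added illustration (not code from this PR, the provider, or the module posted above), the following Python simulation models the drift mechanism discussed in the comments above and shows why the locals workaround posted earlier in the thread stabilises the plan. The `webhook_mutate` function is a model of the rancher-webhook mutator (it only appends the admission-control-config-file argument), not the real implementation; `normalise` is a hypothetical DiffSuppressFunc-style comparison that a provider could use; the `tls-san` value and the `audit-log-maxage` argument are constructed sample inputs. Configs are plain dicts, i.e. the structure that `yamlencode()` would serialise; YAML (de)serialisation itself is left out.

```python
"""Simulate the PSACT plan-drift problem from the thread.

Terraform sends a desired machine_global_config; the rancher-webhook
mutator then appends an admission-control-config-file argument to
kube-apiserver-arg. On the next plan Terraform compares its desired
value with the mutated one and sees a diff.

Two remedies are modelled:
  1. the locals workaround from the thread: include the injected
     argument in the desired state whenever a PSA template is set;
  2. a normalising comparison (DiffSuppressFunc-style, hypothetical)
     that strips the known webhook-injected argument before comparing.
"""
import copy

# Path the rancher-webhook mutator mounts the PSACT config at (from the thread).
RANCHER_PSACT_MOUNT_PATH = "/etc/rancher/rke2/config/rancher-psact.yaml"
PSACT_APISERVER_ARG = f"admission-control-config-file={RANCHER_PSACT_MOUNT_PATH}"


def kube_apiserver_args(default_psa_template, use_defaults, user_args):
    """Mirror of the locals block: prepend the PSACT argument when a
    template is selected (non-null, non-empty) and defaults are enabled."""
    psact_args = [PSACT_APISERVER_ARG] if default_psa_template else []
    if use_defaults:
        return psact_args + list(user_args)
    return list(user_args)


def desired_machine_global_config(default_psa_template, use_defaults, user_args):
    """What Terraform would send as machine_global_config (before yamlencode)."""
    return {
        "cni": "calico",
        "kube-apiserver-arg": kube_apiserver_args(default_psa_template, use_defaults, user_args),
        "tls-san": ["cp.example.internal"],  # constructed sample value
    }


def webhook_mutate(config, psact_enabled):
    """Model of the rancher-webhook mutator: when PSACT is enabled on the
    cluster, ensure the admission-control-config-file argument is present."""
    mutated = copy.deepcopy(config)
    if psact_enabled:
        args = mutated.setdefault("kube-apiserver-arg", [])
        if PSACT_APISERVER_ARG not in args:
            args.append(PSACT_APISERVER_ARG)
    return mutated


def has_drift(desired, actual):
    """Naive comparison: what a string-typed field effectively sees."""
    return desired != actual


def normalise(config):
    """Drop the webhook-injected argument so both sides compare only on
    what the user controls. An empty kube-apiserver-arg list is treated
    as absent so that 'not set' and 'only the injected arg' are equal."""
    norm = copy.deepcopy(config)
    args = [a for a in norm.get("kube-apiserver-arg", []) if a != PSACT_APISERVER_ARG]
    if args:
        norm["kube-apiserver-arg"] = args
    else:
        norm.pop("kube-apiserver-arg", None)
    return norm


def has_drift_ignoring_psact(desired, actual):
    """Hypothetical DiffSuppressFunc-style comparison."""
    return normalise(desired) != normalise(actual)


def simulate(default_psa_template, use_defaults, user_args):
    """One apply + webhook round-trip; returns (naive_drift, normalised_drift)."""
    desired = desired_machine_global_config(default_psa_template, use_defaults, user_args)
    actual = webhook_mutate(desired, psact_enabled=bool(default_psa_template))
    return has_drift(desired, actual), has_drift_ignoring_psact(desired, actual)


if __name__ == "__main__":
    # No workaround: desired state omits the arg, webhook adds it -> perpetual diff.
    print(simulate("rancher-restricted", use_defaults=False, user_args=["audit-log-maxage=30"]))
    # Workaround from the thread: desired state already carries the arg -> stable plan.
    print(simulate("rancher-restricted", use_defaults=True, user_args=["audit-log-maxage=30"]))
    # PSACT not selected: nothing injected, nothing to reconcile.
    print(simulate(None, use_defaults=True, user_args=[]))
```

The first call reproduces the loop the maintainers describe (naive drift, no drift once the injected argument is ignored); the second shows that with the locals workaround the naive comparison is already stable, which is why the module approach works without provider changes.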
f6f4bbb to cbc95b8
Rebased
@lazyfrosch Amazing, thanks. Could you give more details on what/how you tested this? Did you verify that deploying a workload functions properly with
Yeah, just create a new namespace and a deployment, it will fail without proper security context settings. Migration from 1.24 can be a bit tricky for the PSP to PSACT reason, but this is not a Rancher specific problem. When you are on 1.24 and enable PSA, both features will check the resources created.
@lazyfrosch Gotcha, I'll test on my end as well. Can you update the
Will do on Monday
@lazyfrosch No worries, we are trying to get this merged today for the 2.7.5 TF release so I'll test PSA functionality on my end and post my results here. Thanks for all your help.
Test Template
Test steps
main.tf
PSA template name is set correctly in the spec. All test cases pass without the CIS profile being explicitly sent via Terraform, but according to the docs setting CIS is not required to verify that PSA functions correctly. This lgtm (with a separate PR to update the docs, but I'd rather get this in now so it can be tested).
LGTM
Issue: #1112 (partial implementation for RKE2)
Feature
Implement setting the default PSACT using Terraform.
Solution
Add a new property to be set using Terraform, similar to default PSP.
Testing
Engineering Testing
Manual Testing
Automated Testing
QA Testing Considerations
Regressions Considerations
None expected, if unset, Rancher < 2.7.2 should be fine.