azurerm_kubernetes_cluster - support for the plugin certificate_authority for istio addon #26543
Conversation
Force-pushed from 94361ed to 142b21a
Force-pushed from babb579 to 5dd7643
} | ||
resource "azurerm_key_vault_certificate" "test" { | ||
count = length(var.certificate_names) |
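Review bot: `count = length(var.certificate_names)` makes each certificate addressable only by index (azurerm_key_vault_certificate.test[0] and so on), which hides which object is the root, which is the chain and which is the CA certificate when they are referenced from the mesh profile; three explicitly named certificate resources keep that mapping readable in the test config.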
I see that this would reduce the size of the test config, but we tend to not use dynamic configurations in the provider tests and prefer the test configs to be purely declarative for clarity purposes
Updated in latest commit
@@ -58,6 +58,21 @@ func TestAccKubernetesCluster_serviceMeshProfile(t *testing.T) { | |||
}) | |||
} | |||
|
|||
func TestAccKubernetesCluster_serviceMeshProfileWithCertificateAuthority(t *testing.T) { |
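Review bot: only the signature of TestAccKubernetesCluster_serviceMeshProfileWithCertificateAuthority is visible in this hunk, so it is not clear whether the test also covers removing the certificate_authority block again after it has been set; because a plugin CA replaces the trust root the add-on otherwise manages, an update step in both directions (managed CA to plugin CA and back) is worth having alongside the create step.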
Since this is touching add-on functionality, would you mind moving this test into kubernetes_cluster_addons_resource_test.go and following the test naming convention in that file?
Updated in latest commit
update: update tests to addon test file
Force-pushed from 9de3d42 to defb182
certificate_authority { | ||
plugin { | ||
key_vault_id = azurerm_key_vault.test.id | ||
root_cert_object_name = azurerm_key_vault_certificate.test_cert1.name | ||
cert_chain_object_name = azurerm_key_vault_certificate.test_cert2.name | ||
cert_object_name = azurerm_key_vault_certificate.test_cert3.name | ||
key_object_name = azurerm_key_vault_key.test.name | ||
} | ||
} |
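Review bot: the block references four Key Vault objects (three certificates and one key) but nothing here shows the cluster-side identity being granted read access to them; confirm the test config and the resource documentation cover the Key Vault permissions the Istio add-on needs, otherwise the failure surfaces at apply time rather than at plan time. It is also worth confirming in the test that key_object_name is the private key for cert_object_name and that cert_object_name chains to root_cert_object_name, since a mismatched set is not caught by plan either.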
It looks like there's an unnecessary level of nesting here; since plugin can also contain at most 1 element, could the schema be flattened and simplified to

    certificate_authority {
      key_vault_id           = azurerm_key_vault.test.id
      root_cert_object_name  = azurerm_key_vault_certificate.test_cert1.name
      cert_chain_object_name = azurerm_key_vault_certificate.test_cert2.name
      cert_object_name       = azurerm_key_vault_certificate.test_cert3.name
      key_object_name        = azurerm_key_vault_key.test.name
    }
I added this mainly because:
- It reflects the request structure passed to the AKS API.
- If there are new properties to add under certificate_authority that do not correlate with these plugin settings, it will be easier to manage.
In this case, I believe the benefits of adding an extra layer outweigh the downsides.
> It reflects the request structure passed to the AKS API.

We don't always map API property names or object structures 1:1 in the provider since the provider has its own patterns of exposing Azure functionality, and often what's exposed in the API needs simplification for a better user experience in Terraform. In the case of AKS, which is a complicated and huge resource, proactively flattening objects also simplifies the code and reduces the cognitive load when working with the resource. It might seem minor for something like this but it adds up over time.

> If there are new properties to add under certificate_authority that do not correlate with these plugin settings, it will be easier to manage.

This can be managed by introducing an additional block under certificate_authority for properties that do not correlate to plugin settings, or by introducing them as root layer properties at that point in time, when and if that even happens. In this particular case the properties key_vault_id, root_cert_object_name etc. relate much more to certificate_authority than to plugin, so further nesting under plugin is actually more obfuscating than helpful for the user in this case.
Description
Adds new property certificate_authority for azurerm_kubernetes_cluster istio addon. This configuration allows users to bring their own root certificate and keys for Istio CA in the Istio-based service mesh add-on for Azure Kubernetes Service.
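As an added example (not code from this PR or from the provider), the pre-flight check a defender would run on the four objects the certificate_authority block names (root cert, cert chain, CA cert, private key) before they are placed in Key Vault: the CA certificate must carry the CA flag, chain to the root through the chain object, and match the private key. Bundle, ValidateBundle, caTemplate and NewTestBundle are assumed names, and the root/intermediate pair is constructed in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// Bundle stands in for the four Key Vault objects the block names (DER certs, plus the CA's private key).
type Bundle struct{ RootCert, CertChain, Cert []byte; Key ed25519.PrivateKey }
// ValidateBundle: cert_object must be a CA cert, chain to root_cert through cert_chain, and match key_object.
func ValidateBundle(b Bundle) error {
	cert, err1 := x509.ParseCertificate(b.Cert)
	root, err2 := x509.ParseCertificate(b.RootCert)
	chain, err3 := x509.ParseCertificates(b.CertChain)
	if err := errors.Join(err1, err2, err3); err != nil {
		return err
	}
	if !cert.IsCA { // a non-CA cert could never issue workload certificates
		return errors.New("cert_object is not a CA certificate")
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range chain {
		inters.AddCert(c)
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters}); err != nil {
		return err
	}
	if !b.Key.Public().(ed25519.PublicKey).Equal(cert.PublicKey) {
		return errors.New("key_object is not the private key for cert_object")
	}
	return nil
}
// caTemplate is a minimal CA template (constructed values); NewTestBundle builds a root -> intermediate pair from it.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
}
// NewTestBundle lays the pair out like a BYO Istio CA; the root template doubles as the intermediate's parent.
func NewTestBundle() Bundle {
	_, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	_, interKey, _ := ed25519.GenerateKey(rand.Reader)
	rootTmpl := caTemplate("istio-root", 1)
	rootDER, _ := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, rootKey.Public(), rootKey)
	interDER, _ := x509.CreateCertificate(rand.Reader, caTemplate("istio-intermediate", 2), rootTmpl, interKey.Public(), rootKey)
	return Bundle{RootCert: rootDER, CertChain: append(append([]byte{}, interDER...), rootDER...), Cert: interDER, Key: interKey}
}
```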
Change Log
azurerm_kubernetes_cluster - support for the certificate_authority property under service_mesh_profile
Related Issue(s)
Closes #26311