[CCE] data/opentelekomcloud_cce_cluster_kubeconfig_v3 user.client-certificate-data validity forces replacement #2381

Open
Nemental opened this issue Nov 28, 2023 · 2 comments

@Nemental
Contributor

Terraform provider version

Terraform v1.5.7
on linux_amd64
+ provider registry.terraform.io/hashicorp/local v2.4.0
+ provider registry.terraform.io/opentelekomcloud/opentelekomcloud v1.35.12

Affected Resource(s)

  • data/opentelekomcloud_cce_cluster_kubeconfig_v3

Terraform Configuration Files

data "opentelekomcloud_cce_cluster_kubeconfig_v3" "k8s_config_cce-dev-shared-kubernetes-shared" {
  cluster_id = opentelekomcloud_cce_cluster_v3.cce-dev-shared-kubernetes-shared.id
}

resource "local_file" "k8s_config_cce-dev-shared-kubernetes-shared" {
  content         = data.opentelekomcloud_cce_cluster_kubeconfig_v3.k8s_config_cce-dev-shared-kubernetes-shared.kubeconfig
  filename        = "path/to/config"
  file_permission = "0644"
}

Debug Output/Panic Output

  # local_file.k8s_config_cce-dev-shared-kubernetes-shared must be replaced
-/+ resource "local_file" "k8s_config_cce-dev-shared-kubernetes-shared" {
      ~ content              = jsonencode(
          ~ {
              ~ users           = [
                  ~ {
                        name = "user"
                      ~ user = {
                          ~ client-certificate-data = "XXXXX" -> "XXXXX"
                            # (1 unchanged attribute hidden)
                        }
                    },
                ]
                # (6 unchanged attributes hidden)
            } # forces replacement
        )
      ~ content_base64sha256 = "XXXXX" -> (known after apply)
      ~ content_base64sha512 = "XXXXX" -> (known after apply)
      ~ content_md5          = "XXXXX" -> (known after apply)
      ~ content_sha1         = "XXXXX" -> (known after apply)
      ~ content_sha256       = "XXXXX" -> (known after apply)
      ~ content_sha512       = "XXXXX" -> (known after apply)
      ~ id                   = "XXXXX" -> (known after apply)
        # (3 unchanged attributes hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Steps to Reproduce

  1. terraform apply

Expected Behavior

Maybe an argument to specify absolute date instead of duration?

Actual Behavior

Kubeconfig forces replacement because of certificate validity, which is calculated based on duration-argument and current timestamp.

Important Factoids

References

@anton-sidelnikov anton-sidelnikov self-assigned this Dec 1, 2023
@anton-sidelnikov
Member

anton-sidelnikov commented Dec 4, 2023

Hi @Nemental, what I figured out is that the client certificate does not depend on the duration value; it is recreated each time you request the API. I'm sure there is some logic beneath, based on the current timestamp or maybe something else, but this is the backend and we can't fix that. But you can create a customer issue on the helpcenter; maybe we can get some updates for the API.

Anyway, I can add additional parameter if you want, like expiry_date = "2024-02-01", from which we can calculate duration like:

		currentTime := time.Now()
		t, err := time.Parse(time.RFC3339, fmt.Sprintf("%sT00:00:00Z", expiryDate))
		if err != nil {
			return fmterr.Errorf("error Parsing Expiration Date: %s", err)
		}
		duration = int(t.Sub(currentTime).Hours() / 24)

This won't fix our problem, but it can be useful. What do you think?
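
Added example (not part of the original comment, and not the provider's implementation): a self-contained version of the date-to-duration calculation sketched above, with the clock passed in so the result can be checked. `DurationDays` and `ErrExpiryTooSoon` are hypothetical names and the timestamps are constructed; the helper rounds down so the certificate never outlives the requested date, and it rejects dates that would yield a zero or negative duration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrExpiryTooSoon is returned when less than one full day remains.
var ErrExpiryTooSoon = errors.New("expiry date is less than one full day away")

// DurationDays (hypothetical helper) converts an absolute expiry date
// ("YYYY-MM-DD", taken as midnight UTC) into whole days counted from now.
// Integer division truncates, so the validity never extends past the date.
func DurationDays(expiryDate string, now time.Time) (int, error) {
	t, err := time.Parse("2006-01-02", expiryDate)
	if err != nil {
		return 0, fmt.Errorf("error parsing expiry date %q: %w", expiryDate, err)
	}
	days := int(t.Sub(now.UTC()) / (24 * time.Hour))
	if days < 1 {
		// Covers past dates and dates less than 24h away.
		return 0, ErrExpiryTooSoon
	}
	return days, nil
}

func main() {
	// Constructed timestamps: two runs one day apart, same expiry date.
	first := time.Date(2023, 12, 4, 10, 0, 0, 0, time.UTC)
	for _, now := range []time.Time{first, first.AddDate(0, 0, 1)} {
		d, err := DurationDays("2024-02-01", now)
		fmt.Println(now.Format(time.RFC3339), d, err)
	}
	// A same-day expiry is rejected instead of producing duration 0.
	_, err := DurationDays("2023-12-04", first)
	fmt.Println(err)
}
```

The two runs return different durations for the same expiry date, so the value derived from a fixed date still changes from one day to the next.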

@Nemental
Contributor Author

Nemental commented Dec 4, 2023

@anton-sidelnikov
I'll open a customer issue to address this topic... Maybe they'll add an API parameter to specify an absolute date or something like this.
I already tried a solution approach similar to yours but couldn't finish due to lack of time... (:
I'd appreciate an additional parameter like expiry_date, because it's way better than my temporary solution ;)

  lifecycle {
    ignore_changes = [content]
  }

@anton-sidelnikov anton-sidelnikov added the otc-issue Blocked by OTC issues label Dec 4, 2023
otc-zuul bot pushed a commit that referenced this issue Dec 4, 2023
…ter_kubeconfig_v3` (#2388)

[CCE] expiry_date attribute in `data-source/opentelekomcloud_cce_cluster_kubeconfig_v3`

Summary of the Pull Request
PR Checklist

 Refers to: #2381
 Tests added/passed.
 Documentation updated.
 Schema updated.
 Release notes added.

Acceptance Steps Performed
=== RUN   TestAccCCEKubeConfigV3DataSource_basic
=== PAUSE TestAccCCEKubeConfigV3DataSource_basic
=== CONT  TestAccCCEKubeConfigV3DataSource_basic
--- PASS: TestAccCCEKubeConfigV3DataSource_basic (586.51s)
PASS

Process finished with the exit code 0

Process finished with exit code 0

Reviewed-by: Vladimir Vshivkov
Reviewed-by: Artem Lifshits