@bigkevmcd
Contributor

Issue:

This is a reworking of #1589 with a couple of fixes and some cleanups

Problem

Terraform Provider is lacking ClusterProxyConfig support.

Solution

This adds support for ClusterProxyConfigs to the terraform provider.

resource "rancher2_cluster_proxy_config_v2" "cluster-1" {
  cluster_id = "c-wt9cd"
  enabled = true
}

Testing

Engineering Testing

Manual Testing

Terraform ClusterProxyConfigs

Starting hcl

$ cat main.tf outputs.tf 
resource "rancher2_cluster_proxy_config_v2" "testing" {
  cluster_id = "local"
  enabled = true
}

resource "rancher2_cluster_proxy_config_v2" "cluster-1" {
  cluster_id = "c-wt9cd"
  enabled = false
}
output "testing_cluster_proxy_cluster_id" {
  value = rancher2_cluster_proxy_config_v2.testing.cluster_id
}

output "testing_cluster_proxy_enabled" {
  value = rancher2_cluster_proxy_config_v2.testing.enabled
}

Initial ClusterProxyConfigs

$ kubectl get clusterproxyconfigs -A
No resources found

Initial apply

$ terraform apply -auto-approve
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - rancher/rancher2 in /home/kevin/Source/Rancher/terraform-provider-rancher2
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # rancher2_cluster_proxy_config_v2.cluster-1 will be created
  + resource "rancher2_cluster_proxy_config_v2" "cluster-1" {
      + annotations = (known after apply)
      + cluster_id  = "c-wt9cd"
      + enabled     = false
      + id          = (known after apply)
      + labels      = (known after apply)
    }

  # rancher2_cluster_proxy_config_v2.testing will be created
  + resource "rancher2_cluster_proxy_config_v2" "testing" {
      + annotations = (known after apply)
      + cluster_id  = "local"
      + enabled     = true
      + id          = (known after apply)
      + labels      = (known after apply)
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + testing_cluster_proxy_cluster_id = "local"
  + testing_cluster_proxy_enabled    = true
rancher2_cluster_proxy_config_v2.cluster-1: Creating...
rancher2_cluster_proxy_config_v2.testing: Creating...
rancher2_cluster_proxy_config_v2.cluster-1: Creation complete after 1s [id=c-wt9cd/clusterproxyconfig]
rancher2_cluster_proxy_config_v2.testing: Creation complete after 1s [id=local/clusterproxyconfig]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

Outputs:

testing_cluster_proxy_cluster_id = "local"
testing_cluster_proxy_enabled = true

Subsequent Apply with no changes

$ terraform apply -auto-approve
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - rancher/rancher2 in /home/kevin/Source/Rancher/terraform-provider-rancher2
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵
rancher2_cluster_proxy_config_v2.testing: Refreshing state... [id=local/clusterproxyconfig]
rancher2_cluster_proxy_config_v2.cluster-1: Refreshing state... [id=c-wt9cd/clusterproxyconfig]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # rancher2_cluster_proxy_config_v2.cluster-1 will be updated in-place
  ~ resource "rancher2_cluster_proxy_config_v2" "cluster-1" {
      + annotations = (known after apply)
        id          = "c-wt9cd/clusterproxyconfig"
      + labels      = (known after apply)
        # (2 unchanged attributes hidden)
    }

  # rancher2_cluster_proxy_config_v2.testing will be updated in-place
  ~ resource "rancher2_cluster_proxy_config_v2" "testing" {
      + annotations = (known after apply)
        id          = "local/clusterproxyconfig"
      + labels      = (known after apply)
        # (2 unchanged attributes hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.
rancher2_cluster_proxy_config_v2.testing: Modifying... [id=local/clusterproxyconfig]
rancher2_cluster_proxy_config_v2.cluster-1: Modifying... [id=c-wt9cd/clusterproxyconfig]
rancher2_cluster_proxy_config_v2.cluster-1: Modifications complete after 1s [id=c-wt9cd/clusterproxyconfig]
rancher2_cluster_proxy_config_v2.testing: Modifications complete after 1s [id=local/clusterproxyconfig]

Apply complete! Resources: 0 added, 2 changed, 0 destroyed.

Outputs:

testing_cluster_proxy_cluster_id = "local"
testing_cluster_proxy_enabled = true

Apply with update to enabled for cluster

$ terraform apply -auto-approve
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - rancher/rancher2 in /home/kevin/Source/Rancher/terraform-provider-rancher2
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵
rancher2_cluster_proxy_config_v2.cluster-1: Refreshing state... [id=c-wt9cd/clusterproxyconfig]
rancher2_cluster_proxy_config_v2.testing: Refreshing state... [id=local/clusterproxyconfig]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # rancher2_cluster_proxy_config_v2.cluster-1 must be replaced
-/+ resource "rancher2_cluster_proxy_config_v2" "cluster-1" {
      + annotations = (known after apply)
      ~ enabled     = false -> true # forces replacement
      ~ id          = "c-wt9cd/clusterproxyconfig" -> (known after apply)
      + labels      = (known after apply)
        # (1 unchanged attribute hidden)
    }

  # rancher2_cluster_proxy_config_v2.testing will be updated in-place
  ~ resource "rancher2_cluster_proxy_config_v2" "testing" {
      + annotations = (known after apply)
        id          = "local/clusterproxyconfig"
      + labels      = (known after apply)
        # (2 unchanged attributes hidden)
    }

Plan: 1 to add, 1 to change, 1 to destroy.
rancher2_cluster_proxy_config_v2.cluster-1: Destroying... [id=c-wt9cd/clusterproxyconfig]
rancher2_cluster_proxy_config_v2.testing: Modifying... [id=local/clusterproxyconfig]
rancher2_cluster_proxy_config_v2.cluster-1: Destruction complete after 1s
rancher2_cluster_proxy_config_v2.testing: Modifications complete after 1s [id=local/clusterproxyconfig]
rancher2_cluster_proxy_config_v2.cluster-1: Creating...
rancher2_cluster_proxy_config_v2.cluster-1: Creation complete after 1s [id=c-wt9cd/clusterproxyconfig]

Apply complete! Resources: 1 added, 1 changed, 1 destroyed.

Outputs:

testing_cluster_proxy_cluster_id = "local"
testing_cluster_proxy_enabled = true

Listing ClusterProxyConfigs

$ kubectl get clusterproxyconfigs -A
NAMESPACE   NAME                 AGE
c-wt9cd     clusterproxyconfig   60s
local       clusterproxyconfig   2m17s

Destroying ClusterProxyConfigs

$ terraform destroy -auto-approve
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - rancher/rancher2 in /home/kevin/Source/Rancher/terraform-provider-rancher2
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵
rancher2_cluster_proxy_config_v2.cluster-1: Refreshing state... [id=c-wt9cd/clusterproxyconfig]
rancher2_cluster_proxy_config_v2.testing: Refreshing state... [id=local/clusterproxyconfig]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # rancher2_cluster_proxy_config_v2.cluster-1 will be destroyed
  - resource "rancher2_cluster_proxy_config_v2" "cluster-1" {
      - cluster_id = "c-wt9cd" -> null
      - enabled    = true -> null
      - id         = "c-wt9cd/clusterproxyconfig" -> null
    }

  # rancher2_cluster_proxy_config_v2.testing will be destroyed
  - resource "rancher2_cluster_proxy_config_v2" "testing" {
      - cluster_id = "local" -> null
      - enabled    = true -> null
      - id         = "local/clusterproxyconfig" -> null
    }

Plan: 0 to add, 0 to change, 2 to destroy.

Changes to Outputs:
  - testing_cluster_proxy_cluster_id = "local" -> null
  - testing_cluster_proxy_enabled    = true -> null
rancher2_cluster_proxy_config_v2.testing: Destroying... [id=local/clusterproxyconfig]
rancher2_cluster_proxy_config_v2.cluster-1: Destroying... [id=c-wt9cd/clusterproxyconfig]
rancher2_cluster_proxy_config_v2.cluster-1: Destruction complete after 1s
rancher2_cluster_proxy_config_v2.testing: Destruction complete after 1s

Destroy complete! Resources: 2 destroyed.

Automated Testing

QA Testing Considerations

Regressions Considerations

@bigkevmcd bigkevmcd force-pushed the cluster-proxy-config branch 4 times, most recently from fa938c9 to 01c30df Compare October 3, 2025 11:19
@bigkevmcd bigkevmcd requested a review from jiaqiluo October 17, 2025 09:45
@bigkevmcd bigkevmcd force-pushed the cluster-proxy-config branch from 01c30df to 78edbc2 Compare October 17, 2025 09:45
@jiaqiluo jiaqiluo requested a review from matttrach October 17, 2025 16:47
@jiaqiluo
Member

jiaqiluo commented Oct 17, 2025

Hi @bigkevmcd, thank you for raising the PR!

Hi @rancher/collie team, it seems that ClusterProxyConfig is part of your area, could you review and follow up on this PR? Thanks!
cc @olblak , @samjustus

@jiaqiluo jiaqiluo requested review from olblak and samjustus and removed request for jiaqiluo October 17, 2025 17:42
Comment on lines 130 to 132
if IsNotFound(err) || IsForbidden(err) {
return obj, "removed", nil
}

If the operation is forbidden, why set the state as "removed"? Shouldn't it just be a regular error then?

Contributor Author

Great question...I'll assume it was copied from another resource.

And for some resources, not treating "forbidden" as an error is probably ok...but not for ClusterProxyConfig resources, because they have a fixed name...so, I've fixed this, in the reading of the resources too.
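
The distinction discussed in this review thread, as an added example that is not part of the pull request or the provider's code: a refresh function that reports Forbidden as "removed" lets a caller conclude the fixed-name object is gone when it may still exist. The sentinel errors, the `getter` type and the "active" state name are assumptions standing in for the provider's real helpers.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for the API errors that IsNotFound and IsForbidden
// classify in the reviewed code; the names here are hypothetical.
var (
	errNotFound  = errors.New("not found")
	errForbidden = errors.New("forbidden")
)

// getter is a hypothetical lookup of the fixed-name object in a cluster namespace.
type getter func(clusterID string) (interface{}, error)

// refreshLenient mirrors the reviewed lines: Forbidden is reported as "removed".
func refreshLenient(get getter, clusterID string) (interface{}, string, error) {
	obj, err := get(clusterID)
	if errors.Is(err, errNotFound) || errors.Is(err, errForbidden) {
		return obj, "removed", nil
	}
	if err != nil {
		return nil, "", err
	}
	return obj, "active", nil // "active" is an assumed state name
}

// refreshStrict treats only NotFound as "removed"; Forbidden is surfaced,
// because the caller cannot tell whether the object still exists.
func refreshStrict(get getter, clusterID string) (interface{}, string, error) {
	obj, err := get(clusterID)
	switch {
	case errors.Is(err, errNotFound):
		return nil, "removed", nil
	case err != nil:
		return nil, "", fmt.Errorf("reading %s/clusterproxyconfig: %w", clusterID, err)
	}
	return obj, "active", nil
}

func main() {
	// Constructed case: the object exists but the caller's token lacks access.
	denied := func(string) (interface{}, error) { return nil, errForbidden }
	_, state, err := refreshLenient(denied, "c-wt9cd")
	fmt.Printf("lenient: state=%q err=%v\n", state, err)
	_, state, err = refreshStrict(denied, "c-wt9cd")
	fmt.Printf("strict:  state=%q err=%v\n", state, err)
}
```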

@bigkevmcd bigkevmcd force-pushed the cluster-proxy-config branch from 78edbc2 to 89259c7 Compare October 21, 2025 07:41
This allows enabling JWT tokens on downstream clusters.

Co-authored-by: Mohamed Belgaied <[email protected]>
Signed-off-by: Kevin McDermott <[email protected]>
@bigkevmcd bigkevmcd force-pushed the cluster-proxy-config branch from 2487702 to 55bfbab Compare October 21, 2025 12:26
@bigkevmcd bigkevmcd self-assigned this Nov 4, 2025
@samjustus

#1466

Collaborator

@matttrach matttrach left a comment

thanks for the tests!

@matttrach matttrach merged commit e2a374a into rancher:main Nov 4, 2025
8 checks passed
github-actions bot pushed a commit that referenced this pull request Nov 4, 2025
Signed-off-by: Kevin McDermott <[email protected]>
Co-authored-by: Mohamed Belgaied <[email protected]>
(cherry picked from commit e2a374a)
@github-actions github-actions bot mentioned this pull request Nov 4, 2025