kubectl configuration file issue MacOSX

[hawksight]

On MacOS using podman (& podman machine), although I assume it would be the same for Docker Desktop users too.
In order to use Kind k8s api, you need to open the apiServerAdress on 0.0.0.0 rather than the default 127.0.0.1.

Eg a kind config file with:

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
networking:
  apiServerAddress: 0.0.0.0

If you leave it as default (127.0.0.1) then everything just times out, but the configuration file is correct, eg.

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <REDCATED>
    server: https://127.0.0.1:56152
  name: kind-terraform-1-23

So I translated that config file into this awesome provider instead:

terraform {
  required_providers {
    kind = {
      source = "kyma-incubator/kind"
      version = "0.0.11"
    }
  }
}

resource "kind_cluster" "default" {
  name = var.cluster_name
  # Get latest available here: https://hub.docker.com/r/kindest/node/tags
  node_image = "kindest/node:v1.23.1"
  kind_config {
    kind = "Cluster"
    api_version = "kind.x-k8s.io/v1alpha4"
    networking {
      api_server_address = "0.0.0.0"
    }
  }
}

This was almost perfect until I tried to connect to the new cluster. I kept getting the following error:

(⎈ |kind-terraform-1-23:default)➜  kind-terraform git:(pf/terraform-kind-env) ✗ k get pods
Unable to connect to the server: tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config

A bit of a red herring as I found that the generated config file was slightly incorrect. The api_server_address input wasn't propagated to the config file. Neither the separate one, or the config in my default KUBECONFIG file.

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <REDACTED>
    server: https://:56509
  name: kind-terraform-1-23

It's a simple fix to edit the server field to include the 0.0.0.0 but I think this works when calling kind natively, without the module.

# Command
k config set clusters.<CLUSTER_NAME>.server https://0.0.0.0:<EXISTING_PORT>
# Example
k config set clusters.kind-terraform-1-23.server https://0.0.0.0:56509

I couldn't see where the kubectl config is generated but perhaps the custom setting isn't being passed or is being passed blank somewhere?
I have a workaround but thought others might see the same thing, so thought I'd share here to save some pain working it out.

[ EDIT ]
I looked in terraform state tf state show kind_cluster.default and the endpoint setting is also blank endpoint = "https://:57355" for example.

Also tried explicitly setting the address to 127.0.0.1 and that populates the config and state as expected:

  kind_config {
    kind = "Cluster"
    api_version = "kind.x-k8s.io/v1alpha4"
    networking {
      api_server_address = "127.0.0.1"
    }
  }

[tehcyx]

Hi @hawksight,

Thanks for all the info. I'll have to try this myself and check that I can deliver a fix for it quickly. It seems straight forward from what you're observing.

[tehcyx]

Hi @hawksight ,

I've tried with the latest release of the provider:

resource "kind_cluster" "test" {
  name = "test"
  wait_for_ready = true
  kind_config {
	kind = "Cluster"
	api_version = "kind.x-k8s.io/v1alpha4"

	networking {
		api_server_address = "0.0.0.0"
	}
  }
}

I'm unable to reproduce your issue. In my test, the above config produces this kubeconfig:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data:  <too long>
    server: https://0.0.0.0:33277
  name: kind-tf-acc-networking-6623214493857607277
contexts:
- context:
    cluster: kind-tf-acc-networking-6623214493857607277
    user: kind-tf-acc-networking-6623214493857607277
  name: kind-tf-acc-networking-6623214493857607277
current-context: kind-tf-acc-networking-6623214493857607277
kind: Config
preferences: {}
users:
- name: kind-tf-acc-networking-6623214493857607277
  user:
    client-certificate-data:  <too long>
    client-key-data: <too long>

You can check out the extra test, that I added for this specifically on this branch: https://github.com/tehcyx/terraform-provider-kind/tree/api_server_networking

If you're able to double check your provider version and if that matches the current release, as well as maybe if possible check, that the test is working on your machine too, as it should fail, if the config is not set correctly. Do you have only podman on your machine or both podman and docker?

Does the api server change work on vanilla kind without terraform for you?

the endpoint setting is also blank endpoint = "https://:57355" for example.

This I actually expect, as the endpoint is marked as a computed field, so it is read from the kubeconfig itself, so if kubeconfig doesn't know, terraform will not know.

PS: The test-suite takes a while to run, on my branch you can run just the networking tests (which is two tests) with this command TF_ACC=1 go test ./kind -v -run TestAccClusterNetworking from the root of the project folder. If you keep the generated kubeconfig in the kind folder open, you can catch the produced kubeconfig for the second test if you're quick.

[hawksight]

Hey @tehcyx, thanks for looking into this and now I feel silly because you are correct that when I create a cluster with kind without the terraform provider, I get the same issue:

kind create cluster --name=test --config kind-cluster.yaml

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
networking:
  # ipFamily: ipv6
  apiServerAddress: 0.0.0.0

k config view | yq e .clusters -

- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://:51376
  name: kind-test

Looking at my base cluster, I must have already patched it as it is set to https://localhost:50231.

I've had a look for issues on kind and have found people had a similar issue with solution here:
kubernetes-sigs/kind#2445 (comment)

I have only podman as I removed docker for licence reasons.

kind version 0.11.1
podman version 3.4.4
Using previously-installed kyma-incubator/kind v0.0.11

I created a new directory for terraform and setup fresh. So I had the latest version of your provider as above.
I think this is probably a kind issue and possibly only with podman as the container driver.

From running the tests as you suggested, both tests do pass:

go: downloading github.com/pelletier/go-toml v1.8.1
go: downloading github.com/hashicorp/terraform-plugin-sdk v1.15.0
go: downloading k8s.io/client-go v0.20.2
go: downloading sigs.k8s.io/kind v0.11.1
go: downloading github.com/imdario/mergo v0.3.9
go: downloading github.com/spf13/pflag v1.0.5
go: downloading golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0
go: downloading k8s.io/apimachinery v0.20.2
go: downloading k8s.io/klog/v2 v2.4.0
go: downloading github.com/apparentlymart/go-cidr v1.1.0
go: downloading github.com/hashicorp/hcl/v2 v2.6.0
go: downloading github.com/hashicorp/logutils v1.0.0
go: downloading github.com/hashicorp/terraform-json v0.5.0
go: downloading github.com/hashicorp/terraform-plugin-test v1.4.3
go: downloading github.com/hashicorp/hcl v1.0.0
go: downloading github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db
go: downloading github.com/zclconf/go-cty v1.5.1
go: downloading google.golang.org/grpc v1.27.1
go: downloading github.com/gogo/protobuf v1.3.1
go: downloading golang.org/x/net v0.0.0-20201110031124-69a78807bb2b
go: downloading sigs.k8s.io/structured-merge-diff/v4 v4.0.2
go: downloading github.com/pkg/errors v0.9.1
go: downloading github.com/alessio/shellescape v1.4.1
go: downloading github.com/spf13/cobra v1.1.1
go: downloading gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
go: downloading github.com/mattn/go-isatty v0.0.12
go: downloading github.com/go-logr/logr v0.2.0
go: downloading golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c
go: downloading github.com/hashicorp/terraform-svchost v0.0.0-20191011084731-65d371908596
go: downloading github.com/hashicorp/go-getter v1.4.2-0.20200106182914-9813cbd4eb02
go: downloading github.com/hashicorp/terraform-config-inspect v0.0.0-20191212124732-c6ae6269b9d7
go: downloading github.com/golang/protobuf v1.4.3
go: downloading github.com/hashicorp/go-hclog v0.9.2
go: downloading github.com/hashicorp/go-plugin v1.3.0
go: downloading github.com/hashicorp/terraform-exec v0.1.1
go: downloading github.com/apparentlymart/go-textseg/v12 v12.0.0
go: downloading github.com/zclconf/go-cty-yaml v1.0.2
go: downloading golang.org/x/text v0.3.4
go: downloading github.com/json-iterator/go v1.1.10
go: downloading sigs.k8s.io/yaml v1.2.0
go: downloading github.com/google/gofuzz v1.1.0
go: downloading golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
go: downloading golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e
go: downloading k8s.io/utils v0.0.0-20201110183641-67b214c5f920
go: downloading gopkg.in/yaml.v2 v2.3.0
go: downloading google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013
go: downloading cloud.google.com/go/storage v1.6.0
go: downloading cloud.google.com/go v0.54.0
go: downloading github.com/aws/aws-sdk-go v1.31.9
go: downloading google.golang.org/api v0.20.0
go: downloading google.golang.org/protobuf v1.25.0
go: downloading github.com/google/uuid v1.1.2
go: downloading github.com/hashicorp/go-checkpoint v0.5.0
go: downloading github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d
go: downloading github.com/oklog/run v1.0.0
go: downloading github.com/BurntSushi/toml v0.3.1
go: downloading github.com/evanphx/json-patch/v5 v5.2.0
go: downloading github.com/google/go-cmp v0.5.2
go: downloading github.com/evanphx/json-patch v4.9.0+incompatible
go: downloading go.opencensus.io v0.22.3
go: downloading github.com/jmespath/go-jmespath v0.3.0
go: downloading github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e
=== RUN   TestAccClusterNetworking
=== PAUSE TestAccClusterNetworking
=== CONT  TestAccClusterNetworking
enabling experimental podman provider
Creating cluster "tf-acc-networking-5823928497647793318" ...
 • Ensuring node image (kindest/node:v1.21.1) 🖼  ...
 ✓ Ensuring node image (kindest/node:v1.21.1) 🖼
 • Preparing nodes 📦   ...
 ✓ Preparing nodes 📦
 • Writing configuration 📜  ...
 ✓ Writing configuration 📜
 • Starting control-plane 🕹️  ...
 ✓ Starting control-plane 🕹️
 • Installing CNI 🔌  ...
 ✓ Installing CNI 🔌
 • Installing StorageClass 💾  ...
 ✓ Installing StorageClass 💾
enabling experimental podman provider
enabling experimental podman provider
enabling experimental podman provider
enabling experimental podman provider
enabling experimental podman provider
Creating cluster "tf-acc-networking-5823928497647793318" ...
 • Ensuring node image (kindest/node:v1.21.1) 🖼  ...
 ✓ Ensuring node image (kindest/node:v1.21.1) 🖼
 • Preparing nodes 📦   ...
 ✓ Preparing nodes 📦
 • Writing configuration 📜  ...
 ✓ Writing configuration 📜
 • Starting control-plane 🕹️  ...
 ✓ Starting control-plane 🕹️
 • Installing CNI 🔌  ...
 ✓ Installing CNI 🔌
 • Installing StorageClass 💾  ...
 ✓ Installing StorageClass 💾
 • Waiting ≤ 5m0s for control-plane = Ready ⏳  ...
 ✓ Waiting ≤ 5m0s for control-plane = Ready ⏳
 • Ready after 30s 💚
enabling experimental podman provider
enabling experimental podman provider
enabling experimental podman provider
enabling experimental podman provider
--- PASS: TestAccClusterNetworking (219.99s)
PASS
ok  	github.com/kyma-incubator/terraform-provider-kind/kind	220.406s

And on the second test, I get the same apparent issue as the config file looked like this:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <REDACTED>
    server: https://:52511
  name: kind-tf-acc-networking-7925541741874413366
contexts:
- context:
    cluster: kind-tf-acc-networking-7925541741874413366
    user: kind-tf-acc-networking-7925541741874413366
  name: kind-tf-acc-networking-7925541741874413366
current-context: kind-tf-acc-networking-7925541741874413366
kind: Config
preferences: {}
users:
- name: kind-tf-acc-networking-7925541741874413366
  user:
    client-certificate-data: <REDACTED>
    client-key-data: <REDACTED>

For reference test 1 output:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <REDACTED>
    server: https://127.0.0.1:52283
  name: kind-tf-acc-networking-7925541741874413366
contexts:
- context:
    cluster: kind-tf-acc-networking-7925541741874413366
    user: kind-tf-acc-networking-7925541741874413366
  name: kind-tf-acc-networking-7925541741874413366
current-context: kind-tf-acc-networking-7925541741874413366
kind: Config
preferences: {}
users:
- name: kind-tf-acc-networking-7925541741874413366
  user:
    client-certificate-data: <REDACTED>
    client-key-data: <REDACTED>

I really did have to be quick to copy those :)

[tehcyx]

Interesting edge case to say the least. So the fix is to manually override kubeconfig after creation as of now?

Hopefully they can fix it upstream and I can then create a new version of the provider that can pull in the new kind version.

[tehcyx]

Let's close this issue and wait to see that we'll have this fixed on upstream.