feat(ske): add ephemeral ske kubeconfig#1448
Open
h3adex wants to merge 1 commit into
Open
Conversation
h3adex
force-pushed
the
feat/add-ephemeral-resource-ske-kubeconfig
branch
2 times, most recently
from
e7a7211 to
21ffd96
Compare
h3adex
force-pushed
the
feat/add-ephemeral-resource-ske-kubeconfig
branch
from
21ffd96 to
42e7091
Compare
Contributor
Author
|
|
h3adex
force-pushed
the
feat/add-ephemeral-resource-ske-kubeconfig
branch
9 times, most recently
from
638204f to
ad810c1
Compare
Contributor
Author
|
E2E Tests |
h3adex
force-pushed
the
feat/add-ephemeral-resource-ske-kubeconfig
branch
3 times, most recently
from
cd6a220 to
0d06641
Compare
h3adex
force-pushed
the
feat/add-ephemeral-resource-ske-kubeconfig
branch
from
0d06641 to
72e2165
Compare
|
This PR was marked as stale after 7 days of inactivity and will be closed after another 7 days of further inactivity. If this PR should be kept open, just add a comment, remove the stale label or push new commits to it. |
h3adex
force-pushed
the
feat/add-ephemeral-resource-ske-kubeconfig
branch
from
72e2165 to
23b550f
Compare
h3adex
force-pushed
the
feat/add-ephemeral-resource-ske-kubeconfig
branch
2 times, most recently
from
dd0520a to
08623d4
Compare
h3adex
force-pushed
the
feat/add-ephemeral-resource-ske-kubeconfig
branch
from
08623d4 to
096316e
Compare
Signed-off-by: Mauritz Uphoff <mauritz.uphoff@stackit.cloud>
h3adex
force-pushed
the
feat/add-ephemeral-resource-ske-kubeconfig
branch
from
096316e to
7e5049b
Compare
rubenhoenle
requested changes
Jun 23, 2026
| ) | ||
|
|
||
| const ( | ||
| defaultKubeconfigExpiration = 1800 |
Member
There was a problem hiding this comment.
Suggested change
| defaultKubeconfigExpiration = 1800 | |
| defaultKubeconfigExpirationSeconds = 1800 |
Please add a time unit to that one
| }, | ||
| "expiration": schema.Int64Attribute{ | ||
| Description: "Expiration time of the kubeconfig in seconds. Must be between `600` (10m) and `14400` (4h). " + | ||
| "Defaults to `1800` (30m) for optimal security during Terraform operations, which is more restrictive than the API default of `3600` (1h).", |
Member
There was a problem hiding this comment.
Suggested change
| "Defaults to `1800` (30m) for optimal security during Terraform operations, which is more restrictive than the API default of `3600` (1h).", | |
| "Defaults to `1800` (30m) for optimal security during Terraform operations.", |
Isn't the point of Terraform that users don't have to care about the underlying APIs? 😄
| // Defaulted to 1800s (30m) for better security than the API default (3600s). | ||
| expiration := conversion.Int64ValueToPointer(model.Expiration) | ||
| if expiration == nil { | ||
| expiration = new(int64) |
Member
There was a problem hiding this comment.
Suggested change
| expiration = new(int64) | |
| expiration = new(int64(defaultKubeconfigExpiration)) |
| *expirationStringPtr = strconv.FormatInt(*expiration, 10) | ||
| } | ||
|
|
||
| payload := ske.CreateKubeconfigPayload{ |
Member
There was a problem hiding this comment.
If you turn the order around you don't need the ugly expirationStringPtr variable.
payload := ske.CreateKubeconfigPayload{}
if expiration != nil {
payload.ExpirationSeconds = new(strconv.FormatInt(*expiration, 10))
}But I have so many questions in my mind here.
- Why is
ExpirationSecondsa string in the API? - Why is the
expirationparameter in thisgetKubeconfigfunction implementation a pointer type? I thought there was a default expiration time? What you're doing is critical since you risk that there's no expiration set by accident.
| for _, tt := range tests { | ||
| t.Run(tt.description, func(t *testing.T) { | ||
| server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { | ||
| expectedPath := fmt.Sprintf("/v2/projects/%s/regions/%s/clusters/%s/kubeconfig", projectId, region, clusterName) |
Member
There was a problem hiding this comment.
I don't think this is needed, please use the SDK mocks instead if possible. See the link below for reference.
| project_id = var.project_id | ||
| # cluster_name is unknown during the plan phase because stackit_ske_cluster.cluster.id is computed. | ||
| # This forces Terraform to defer the Open call until the Apply phase, after the cluster is ready. | ||
| cluster_name = stackit_ske_cluster.cluster.id != "" ? stackit_ske_cluster.cluster.name : "" |
Member
There was a problem hiding this comment.
I don't think this will work as you expect it. The internal id attribute of the cluster resource might be already set BEFORE the cluster creation wait handler is called / finished.
Member
There was a problem hiding this comment.
This isn't currently the case, but I would like to see some actual long-term working strategy here please.
| project_id = var.project_id | ||
| # cluster_name is unknown during the plan phase because stackit_ske_cluster.cluster.id is computed. | ||
| # This forces Terraform to defer the Open call until the Apply phase, after the cluster is ready. | ||
| cluster_name = stackit_ske_cluster.cluster.id != "" ? stackit_ske_cluster.cluster.name : "" |
| # if inputs are known, which would trigger a 404 before the cluster exists. | ||
| ephemeral "stackit_ske_kubeconfig" "example" { | ||
| project_id = stackit_ske_cluster.example.project_id | ||
| cluster_name = stackit_ske_cluster.example.id != "" ? stackit_ske_cluster.example.name : "" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR adds the
stackit_ske_kubeconfigephemeral resource. The default expiration has been reduced to 30 minutes. Since these credentials only need to persist for the duration of a Terraform run, where even slow Helm deployments rarely exceed a 10-15 minute window, a 60-minute expiration is excessive.Tested example code:
https://professional-service.git.onstackit.cloud/professional-service-best-practices/professional-service/pulls/18
Checklist
make fmtexamples/directory)make generate-docs(will be checked by CI)make test(will be checked by CI)make lint(will be checked by CI)