v1.58.0 ibm_container_cluster_config: new endpoint_type returning self-signed private endpoint #4861

Closed
toddgiguere opened this issue Oct 12, 2023 · 0 comments · Fixed by #4870
Labels
service/Kubernetes Service Issues related to Kubernetes Service Issues

@toddgiguere

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

v1.58.0 and v1.58.1

Affected Resource(s)

  • ibm_container_cluster_config

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

data "ibm_container_cluster_config" "cluster_config" {
  cluster_name_id = "my-cluster-id"
  endpoint_type   = "private"
}

Debug Output

Panic Output

Expected Behavior

When using the new endpoint_type parameter to retrieve the "private" cluster config endpoint, I was expecting the returned host value to be the properly signed private endpoint, and not the self-signed endpoint.

Actual Behavior

With the new endpoint_type feature, when specifying a type of "private", the host returned is the endpoint that is self-signed, and the ca_certificate is also an empty string.

This endpoint cannot then be used to properly configure helm or kubernetes providers as they will throw the error:

Error: Kubernetes cluster unreachable: Get "https://c111.private.us-east.containers.cloud.ibm.com:31613/version": x509: certificate signed by unknown authority

The endpoint is also different when a cluster is deployed with public disabled, and you choose an endpoint_type of default vs private, even though both options should result in the same private endpoint.

For example (using same OCP 4.12, with public disabled):
ibm_container_cluster_config with endpoint_type = null
results in
data.ibm_container_cluster_config.cluster_config.host =
"https://c100-e.private.us-east.containers.cloud.ibm.com:32402"
data.ibm_container_cluster_config.cluster_config.ca_certificate = ""

same terraform deployment but with endpoint_type = "private"
results in
data.ibm_container_cluster_config.cluster_config.host =
"https://c100.private.us-east.containers.cloud.ibm.com:32402"
data.ibm_container_cluster_config.cluster_config.ca_certificate = ""

Steps to Reproduce

  1. terraform apply

Important Factoids

This becomes a greater problem with OCP 4.13 and beyond, as the default endpoint will return the VPE endpoint, but if the private endpoint is desired it will result in a self-signed endpoint with no CA to specify, and helm provider cannot be configured properly.

References

  • #0000
@github-actions github-actions bot added the service/Kubernetes Service Issues related to Kubernetes Service Issues label Oct 12, 2023
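
The error quoted in the report is Go's x509.UnknownAuthorityError, raised when a server certificate does not chain to any root the client trusts. The following is an added example, not code from the issue or from the provider: it verifies a constructed self-signed certificate first against a trust pool that lacks its issuer and then against a pool that pins it, which is the role a populated ca_certificate would play. The hostname, the in-memory certificate and the function names are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const sampleHost = "private.cluster.example" // constructed name, not a real endpoint

// selfSigned builds an in-memory self-signed server certificate for sampleHost.
func selfSigned() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{sampleHost},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: true,
		BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// demo verifies the certificate against a pool lacking its issuer, then against one that pins it.
func demo() (unknownAuthority bool, withCA error, err error) {
	cert, err := selfSigned()
	if err != nil {
		return false, nil, err
	}
	noCA, pinned := x509.NewCertPool(), x509.NewCertPool()
	pinned.AddCert(cert) // stands in for a client configured with the endpoint's CA
	_, e := cert.Verify(x509.VerifyOptions{DNSName: sampleHost, Roots: noCA})
	_, withCA = cert.Verify(x509.VerifyOptions{DNSName: sampleHost, Roots: pinned})
	return errors.As(e, new(x509.UnknownAuthorityError)), withCA, nil
}

func main() { fmt.Println(demo()) }
```

Without a CA value to pin, the only way left to make such a client connect is to turn verification off, which removes the server authentication that TLS is there to provide.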