-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
azurerm_kubernetes_cluster
- Support in-place update of network_profile.network_policy
#26176
Conversation
401111b
to
0ffcc13
Compare
azurerm_kubernetes_cluster
- Relax network_profile.network_policy
azurerm_kubernetes_cluster
- Support in-place update of network_profile.network_policy
…ofile.network_policy`
Thanks for this PR @jkroepke. This feature in requested over in #25597 which contains an explanation for why we're halting the addition of new preview features to the AKS resource. Given the explanation linked above we're unable to add support for this behaviour at this point in time so I'm going to close this PR for the time being. When a resolution is reached and/or the feature has come out of preview and is available in a stable API version we will be happy to re-open this. Thanks again for your effort and understanding on this! |
@stephybun I disagree. If Issue you mention is about allow network_policy to "none", and starts about an discussion about the API Version. However, this PR does not allow the "none" value, nor changing the API version. It simply removing the ForceNew flag. There is new feature introduction in this PR. I can't understand, whats the connection between removing a ForeNew flag and #25597 This PR is just removing an limitation which not longer exists at Microsoft API side. Please note that install a Network Policy Engine on existing cluster is GA. The page https://learn.microsoft.com/en-us/azure/aks/azure-cni-overlay?tabs=kubectl does not mention preview somewhere. |
@jkroepke, allowing any kind of update on the Your tests check that |
In summarize to unblock this PR, I can re-introduce ForceNew flag which triggers if is the new value is empty and the old not? |
I test that in an local test to validate that statement: func TestAccKubernetesCluster_advancedNetworkingAzureAzurePolicyUpdate(t *testing.T) {
data := acceptance.BuildTestData(t, "azurerm_kubernetes_cluster", "test")
r := KubernetesClusterResource{}
data.ResourceTest(t, r, []acceptance.TestStep{
{
Config: r.advancedNetworkingWithOptionalPolicyConfig(data, ""),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
),
},
data.ImportStep(),
{
Config: r.advancedNetworkingWithOptionalPolicyConfig(data, "azure"),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
check.That(data.ResourceName).Key("network_profile.0.network_policy").Exists(),
check.That(data.ResourceName).Key("network_profile.0.network_policy").HasValue("azure"),
),
},
data.ImportStep(),
{
Config: r.advancedNetworkingWithOptionalPolicyConfig(data, ""),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
check.That(data.ResourceName).Key("network_profile.0.network_policy").Exists(),
check.That(data.ResourceName).Key("network_profile.0.network_policy").HasValue("azure"),
),
},
data.ImportStep(),
})
}
func TestAccKubernetesCluster_advancedNetworkingAzureCalicoPolicyUpdate(t *testing.T) {
data := acceptance.BuildTestData(t, "azurerm_kubernetes_cluster", "test")
r := KubernetesClusterResource{}
data.ResourceTest(t, r, []acceptance.TestStep{
{
Config: r.advancedNetworkingWithOptionalPolicyConfig(data, ""),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
),
},
data.ImportStep(),
{
Config: r.advancedNetworkingWithOptionalPolicyConfig(data, "calico"),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
check.That(data.ResourceName).Key("network_profile.0.network_policy").Exists(),
check.That(data.ResourceName).Key("network_profile.0.network_policy").HasValue("calico"),
),
},
data.ImportStep(),
{
Config: r.advancedNetworkingWithOptionalPolicyConfig(data, ""),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
check.That(data.ResourceName).Key("network_profile.0.network_policy").Exists(),
check.That(data.ResourceName).Key("network_profile.0.network_policy").HasValue("calico"),
),
},
data.ImportStep(),
})
}
It turn out, omit the value would not uninstall the Network Policy. Uninstall the Network Policy requires an explicit But I would agree that this may confuse end-users, too. I re-add the ForceNew condition which should deny that mention situation. But in any situation, a preview feature is not used in this PR. |
Thanks for doing some local testing and apologies for needing to drill down into the details here @jkroepke, but given the explanation in the comment I linked we're trying to be careful about introducing functionality that may need to be removed in future. The documentation for this also appears ambiguous, some operations are preview whereas others are not, so being diligent here will save us some potential headaches in the future. It would help if you could explain the specific use case you're trying to support? i.e. updating the Furthermore
If we're omitting the value sent, then what is the API sending back/what is the cluster falling back on for its network policy? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @jkroepke. Could you please address the comments left regarding the tests? Existing test configs can be re-used and several of the specific Exists
and HasValue
checks are taken care of by the ImportStep
and can be removed.
Would you also mind updating the documentation?
internal/services/containers/kubernetes_cluster_network_resource_test.go
Outdated
Show resolved
Hide resolved
internal/services/containers/kubernetes_cluster_network_resource_test.go
Outdated
Show resolved
Hide resolved
internal/services/containers/kubernetes_cluster_network_resource_test.go
Outdated
Show resolved
Hide resolved
internal/services/containers/kubernetes_cluster_network_resource_test.go
Outdated
Show resolved
Hide resolved
internal/services/containers/kubernetes_cluster_network_resource_test.go
Outdated
Show resolved
Hide resolved
Co-authored-by: stephybun <steph@hashicorp.com>
I looked at the documentation also looked at the PR where the change to cilium was introduced. I feel that the current description still matches, no idea what I can improve here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @jkroepke LGTM 👍
@jkroepke running the tests locally revealed that the Updating the condition and running the test again results in plan diff:
To me it looks like there are some issues with the API and I think we will need to revert this change. Update: |
I really ask myself, why I did not had that behavior and what I did wrong. Edit: tbh. I did not re-run the tests after the code suggestions again. |
@jkroepke I ran the tests in TeamCity and they all passed, but tests that are supposed to check updates don't flag if the update causes the resource to be recreated. You can really only see that behaviour if you're looking at the API requests/responses that the provider is sending while the test is running, or by building the provider locally and running through the steps manually. This was in part a mistake on my end and one of the review comments I left was also false. You did everything correct in that you followed instruction, I was not thorough enough in my review and too eager to have this merged, so the fault is with me. I'm looking at this in detail and will open a PR shortly to fix the behaviour. |
What I have to configure that I see the output that you shows me? That would help me in the future to indicate if the behavior is correctly. |
I assume you're referring to the output in this comment? This is just the output from running the test locally after I updated the If you're asking how to view the API requests/responses from the tests, this can't be configured as output in the tests. You either need to check the debug logs, or be running the tests with a proxy that can capture the traffic. I hope that answers your questions. |
<Actions> <action id="f410411e63aff4bb73a81c2aec1d373cf8a903e63b30dee2006b0030d8a94cc8"> <h3>Bump Terraform `azurerm` provider version</h3> <details id="1d9343c012f5434ac9fe8a98135bae3667b399259be16d9b14302ea3bd424a24"> <summary>Update Terraform lock file</summary> <p>changes detected:
	"hashicorp/azurerm" updated from "3.107.0" to "3.108.0" in file ".terraform.lock.hcl"</p> <details> <summary>3.108.0</summary> <pre>Changelog retrieved from:
	https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v3.108.0
FEATURES:

* **New Data Source:** `azurerm_role_management_policy` ([#25900](hashicorp/terraform-provider-azurerm#25900 **New Resource:** `azurerm_role_management_policy` ([#25900](https://github.com/hashicorp/terraform-provider-azurerm/issues/25900))

ENHANCEMENTS:

* provider: support subscription ID hinting when using Azure CLI authentication ([#26282](hashicorp/terraform-provider-azurerm#26282 `serviceconnector`: updating to use API Version `2024-04-01` ([#26248](hashicorp/terraform-provider-azurerm#26248 `azurerm_container_groups` - can now be created with a User Assigned Identity when running Windows ([#26308](hashicorp/terraform-provider-azurerm#26308 `azurerm_kubernetes_cluster` - updating the `network_profile.network_policy` property to `azure` and `calico` when it hasn't been previously set is supported ([#26176](hashicorp/terraform-provider-azurerm#26176 `azurerm_kubernetes_cluster` - respect Pod Distruption Budgets when rotating the `default_node_pool` ([#26274](hashicorp/terraform-provider-azurerm#26274 `azurerm_lb_backend_address_pool` - support for the `synchronous_mode` property ([#26309](hashicorp/terraform-provider-azurerm#26309 `azurerm_private_endpoint` - support symultaneous creation of multiple resources of this type per subnet ([#26006](https://github.com/hashicorp/terraform-provider-azurerm/issues/26006))

BUG FIXES:

* `azurerm_express_route_circuit_peering`, `azurerm_express_route_circuit`, `azurerm_express_route_gateway`, `azurerm_express_route_port` - split create and update ([#26237](hashicorp/terraform-provider-azurerm#26237 `azurerm_lb_backend_address_pool_address` - when using this resource, values are no longer reset on `azurerm_lb_backend_address_pool` ([#26264](hashicorp/terraform-provider-azurerm#26264 `azurerm_route_filter` - spliting create and update so lifecycle ignore changes works correctly ([#26266](hashicorp/terraform-provider-azurerm#26266 `azurerm_route_server` - spliting create and update so lifecycle ignore changes works correctly ([#26266](hashicorp/terraform-provider-azurerm#26266 `azurerm_synapse_workspace` - updates the client used in all operations of `azurerm_synapse_workspace_sql_aad_admin` to prevent this resource from modifying the same resource as `azurerm_synapse_workspace_aad_admin` ([#26317](hashicorp/terraform-provider-azurerm#26317 `azurerm_virtual_network` - correctly parse network securty group IDs ([#26283](https://github.com/hashicorp/terraform-provider-azurerm/issues/26283))

DEPRECATIONS:

* Data Source: `azurerm_network_interface` - the `enable_ip_forwarding` and `enable_accelerated_networking` properties have been deprecated and superseded by the `ip_forwarding_enabled` and `accelerated_networking_enabled` properties ([#26293](hashicorp/terraform-provider-azurerm#26293 `azurerm_api_management` - the `policy` block has been deprecated is superseded by the `azurerm_api_management_policy` resource ([#26305](hashicorp/terraform-provider-azurerm#26305 `azurerm_kubernetes_cluster` - the `ebpf_data_plane` property has been deprecated and superseded by the `network_data_plane` property ([#26251](hashicorp/terraform-provider-azurerm#26251 `azurerm_network_interface` - the `enable_ip_forwarding` and `enable_accelerated_networking` properties have been deprecated and superseded by the `ip_forwarding_enabled` and `accelerated_networking_enabled` properties ([#26293](hashicorp/terraform-provider-azurerm#26293 `azurerm_synapse_workspace` - the `aad_admin` and `sql_aad_admin` blocks have been deprecated and superseded by the `azurerm_synapse_workspace_aad_admin` and `azurerm_synapse_workspace_sql_aad_admin` resources ([#26317](https://github.com/hashicorp/terraform-provider-azurerm/issues/26317))


</pre> </details> </details> <a href="https://infra.ci.jenkins.io/job/updatecli/job/azure/job/main/244/">Jenkins pipeline link</a> </action> </Actions> --- <table> <tr> <td width="77"> <img src="https://www.updatecli.io/images/updatecli.png" alt="Updatecli logo" width="50" height="50"> </td> <td> <p> Created automatically by <a href="https://www.updatecli.io/">Updatecli</a> </p> <details><summary>Options:</summary> <br /> <p>Most of Updatecli configuration is done via <a href="https://www.updatecli.io/docs/prologue/quick-start/">its manifest(s)</a>.</p> <ul> <li>If you close this pull request, Updatecli will automatically reopen it, the next time it runs.</li> <li>If you close this pull request and delete the base branch, Updatecli will automatically recreate it, erasing all previous commits made.</li> </ul> <p> Feel free to report any issues at <a href="https://github.com/updatecli/updatecli/issues">github.com/updatecli/updatecli</a>.<br /> If you find this tool useful, do not hesitate to star <a href="https://github.com/updatecli/updatecli/stargazers">our GitHub repository</a> as a sign of appreciation, and/or to tell us directly on our <a href="https://matrix.to/#/#Updatecli_community:gitter.im">chat</a>! </p> </details> </td> </tr> </table> Co-authored-by: Jenkins Infra Bot (updatecli) <60776566+jenkins-infra-bot@users.noreply.github.com>
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. |
Community Note
Description
This is an follow-up PR from #23342
Reading the AKS docs https://learn.microsoft.com/en-us/azure/aks/use-network-policies it's now possible to upgrade from none to calico, azure or cillium. It also possible to uninstall calico and azure.
There are now too many situation that they are allowed are now. Removing the ForceNew flag should be the best option here.
PR Checklist
For example: “
resource_name_here
- description of change e.g. adding propertynew_property_name_here
”Changes to existing Resource / Data Source
Testing
I had to add
node_resource_group = "${azurerm_resource_group.test.name}-nodes"
to each test.Running tests in a location with a long name, e.g.
germanywestcentral
, results into an error:Had to use
germanywestcentral
becausewesteurope
was full.Change Log
Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.
azurerm_kubernetes_cluster
- Changingnetwork_profile.network_policy
does not force recreation.This is a (please select all that apply):
Related Issue(s)
Fixes #0000
Note
If this PR changes meaningfully during the course of review please update the title and description as required.