kubernetes_cluster -pod_cidrs/service_cidrs

[qiqingzhang]

public pr for kubernetes_cluster supports pod_cidrs/service_cidrs

test result after update：

TestAccKubernetesCluster_serviceCidrs：

TestAccKubernetesCluster_podCidrs：

[stephybun]

Thanks for this PR @heiazuo.

I can't seem to find any docs on Namespace Resources. The test fails because the preview feature isn't enabled on the subscription. Registering it doesn't seem to work - usually when a preview feature is being registered I see the state as Registering but in this case it's stuck on Pending

$ az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/EnableNamespaceResourcesPreview')].{Name:name,State:properties.state}"
Name                                                        State
----------------------------------------------------------  -------
Microsoft.ContainerService/EnableNamespaceResourcesPreview  Pending

[stephybun]

Can we rename this to

Suggested change

	func TestAccKubernetesCluster_namespace(t *testing.T) {
	func TestAccKubernetesCluster_namespaceToggle(t *testing.T) {

[stephybun]

And this to

Suggested change

	func (KubernetesClusterResource) namespaceEnabled(data acceptance.TestData, enabled bool) string {
	func (KubernetesClusterResource) namespace(data acceptance.TestData, enabled bool) string {

[stephybun]

Suggested change

	* `namespace_resources_enabled` - (Optional) It can be enabled/disabled on creation and updation of the managed cluster. The default value is false.
	* `namespace_resources_enabled` - (Optional) Specifies whether Namespace Resources should be enabled. Defaults to `false`.

[stephybun]

Suggested change

	* `pod_cidrs` - (Optional) One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking. Changing this forces a new resource to be created.
	* `pod_cidrs` - (Optional) A list of CIDRs to use for pod IP addresses. For single-stack networking a single IPv4 CIDR is expected. For dual-stack networking an IPv4 and IPv6 CIDR are expected. Changing this forces a new resource to be created.

[stephybun]

Suggested change

	* `service_cidrs` - (Optional) One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking. Changing this forces a new resource to be created.
	* `service_cidrs` - (Optional) A list of CIDRs to use for Kubernetes services. For single-stack networking a single IPv4 CIDR is expected. For dual-stack networking an IPv4 and IPv6 CIDR are expected. Changing this forces a new resource to be created.

[ms-henglu]

Hi @stephybun - It seems Microsoft.ContainerService/EnableNamespaceResourcesPreview needs to be manually approved, I'll contact service team see if this is a private preview feature.

[ms-henglu]

Hi @stephybun - Just confirmed with service team, this feature is not ready to be exposed.

@heiazuo , would you please help remove this property?

[stephybun]

One more question, what happens if both service_cidr and service_cidrs or pod_cidr and pod_cidrs are supplied, does the API accept that?

[qiqingzhang]

One more question, what happens if both service_cidr and service_cidrs or pod_cidr and pod_cidrs are supplied, does the API accept that?

Hi @stephybun, user can not set service_cidr and service_cidrs at the same time, we have validation function to check:
validateKubernetesCluster

[stephybun]

Thanks for your patience @qiqingzhang, left a few more suggestions in-line, would you mind taking a look at them? Thanks!

[stephybun]

This validation makes sure that docker_bridge_cidr, dns_service_ip and service_cidr are either all set or empty rather than preventing the user from setting both service_cidr/service_cidrs and pod_cidr/pod_cidrs. In any case after trying this out it is indeed possible to set both _cidr and _cidrs.

However it seems this validation may no longer be relevant or needed since AKS no longer supports docker for the container runtime (see #18119). Could you please update the validation here while you're at it?

[ms-henglu]

About depreciating docker_bridge_cidr, I think it's better to make another PR for it.

[stephybun]

Could we also add a test case where we're providing both an IPv4 and IPv6 address?

[ms-henglu]

Sure

[ms-henglu]

Hi @stephybun ,

I've added a commit to update this PR, and it allows user to supply both service_cidr and service_cidrs or pod_cidr and pod_cidrs.

[stephybun]

I'm assuming this needs to be set in order to be able to provide both an IPv4 and IPv6 address? In which case we should probably add some validation in the create method to inform users as well as a note in the docs?

[ms-henglu]

Thanks! I've added that info in the doc. But I think maybe leave the complicated validation to the service side?

[stephybun]

The service side error message isn't particularly descriptive. AKS is complex enough as it is, so it would be beneficial to the users if we returned a more informative message such as
fmt.Errorf("dual-stack networking must be enabled and ip_versions must be set to [IPv4, IPv6] in order to specify multiple %s", field")
Can you please add that in?

[ms-henglu]

Sorry I misunderstood, it's not necessary to set ip_versions = ["IPv4", "IPv6"] in order.

[stephybun]

I'm not sure what you mean by order but the test TestAccKubernetesCluster_serviceCidrsDualStack will fail if ip_versions isn't set to ["IPv4", "IPv6"], this is what we should add validation for.

[ms-henglu]

Got it, I'll test it and add this validation.

[ms-henglu]

Hi @stephybun , I just tried, it still works.

resource "azurerm_kubernetes_cluster" "test" {
  name                = "henglu96"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
  dns_prefix          = "henglu96"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_DS2_v2"
  }

  network_profile {
    network_plugin     = "kubenet"
    dns_service_ip     = "10.1.1.10"
    docker_bridge_cidr = "172.18.0.1/16"
    service_cidrs      = ["10.1.1.0/24", "2002::1234:abcd:ffff:c0a8:101/120"]
    ip_versions        = ["IPv6", "IPv4"] // Please notice here
  }

  identity {
    type = "SystemAssigned"
  }
}

[stephybun]

@ms-henglu, the order of the arguments IPv4/IPv6 is irrelevant here. If a user supplies the following configuration

  network_profile {
    network_plugin     = "kubenet"
    dns_service_ip     = "10.1.1.10"
    docker_bridge_cidr = "172.18.0.1/16"
    service_cidrs      = ["10.1.1.0/24", "2002::1234:abcd:ffff:c0a8:101/120"]
    ip_versions        = ["IPv4"] // <---- Only one ip family
  }

It won't be accepted by the API

{
  "code": "InvalidNetworkingConfig",
  "message": "Service CIDRs do not match IP families.",
  "subcode": "",
  "target": "networkProfile.serviceCIDRs"
}

[ms-henglu]

Got it, I'll add validation for this case.

[ms-henglu]

@stephybun , I've added this check, thanks!

[stephybun]

Thanks @ms-henglu and @qiqingzhang, LGTM 🌈

[github-actions]

This functionality has been released in v3.26.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.