Kubernetse Engine - Unable to update k8s resources using deploymentmanager.v2beta.typeProvider [118975726]

Assigned

Feature Request

Status Update

No update yet.

Description

ra...@capside.com

created issue #1

Nov 5, 2018 04:05PM

# Summary

We want to apply the Google Cloud related Kubernetes configuration in the same deployment manager manifest withing the cluster resource, that way we will be able to provide a working cluster in a fast and reproducible way.

This seems to be support by using `deploymentmanager.v2beta.typeProvider`, but when creating k8s resources with deployment manager on a Private Cluster with IP Alias running in a Shared VPC fails while reaching the Kubernetes Master endpoint with `ERROR_EXCLUDED_IP`.

## What is the expected correct behavior?

Deployment Manager creates the k8s resources by accessing to the Kubernetes API in the Master endpoint and applying the manifests described in the deployment to reach the desired state.

## What is the current bug behavior?

Deployment manager raises a `ERROR_EXCLUDED_IP` while creating the k8s resources.

## Steps to reproduce

1-. Spin up a Private Virtual Cluster in a Shared VPC and IP Alias enabled with Deployment Manager .

2-. Add Deployment Manager typeProvider for k8s APIs.

```jinja
{% set K8S_ENDPOINTS = {
'v1': 'api/v1',
'apps-v1beta1': 'apis/apps/v1beta1',
'extensions-v1beta1': 'apis/extensions/v1beta1',
'rbac-v1': 'apis/

rbac.authorization.k8s.io/v1',
}
%}

{% for typeSuffix, endpoint in K8S_ENDPOINTS.iteritems() %}
- name: k8s-{{ typeSuffix }}-type
type: deploymentmanager.v2beta.typeProvider
properties:
options:
validationOptions:
schemaValidation: IGNORE_WITH_WARNINGS
inputMappings:
- fieldName: name
location: PATH
methodMatch: ^(GET|DELETE|PUT)$
value: $.ifNull($.

resource.properties.metadata.name, $.

resource.name)
- fieldName:

metadata.name
location: BODY
methodMatch: ^(PUT|POST)$
value: $.ifNull($.

resource.properties.metadata.name, $.

resource.name)
- fieldName: Authorization
location: HEADER
value: >
$.concat("Bearer ", $.googleOauth2AccessToken())
descriptorUrl: https://$(ref.gke-cluster.endpoint)/swaggerapi/{{ endpoint }}
metadata:
dependsOn:
- gke-cluster
{% endfor %}

4-. Add a k8s type such as a ConfigMap.

```
{% set K8S_CONFIGMAPS_COLLECTION = '/api/v1/namespaces/{namespace}/configmaps' %}

- name: k8s-ip-masq-agent-configmap
type: {{ env.project }}/k8s-v1-type:{{ K8S_CONFIGMAPS_COLLECTION }}
properties:
apiVersion: v1
kind: ConfigMap
namespace: kube-system
metadata:
name: ip-masq-agent
namespace: kube-system
data:
config: |
nonMasqueradeCIDRs:
-

10.20.30.40/21
resyncInterval: 60s
metadata:
dependsOn:
- k8s-v1-type
```

5-. Update the deployment with Deployment Manager, it will raise a `ERROR_EXCLUDED_IP` while trying to reach the master endpoint.

```bash
ERROR: (gcloud.deployment-manager.deployments.update) Error in Operation [operation-1540676776334-5793cc3f792b0-8f737bb6-92faa03b]: errors:
- code: ERROR_PROCESSING_REQUEST
message: 'Error fetching URL

https://172.23.0.98:443/api/v1/namespaces/default/services,
reason: ERROR_EXCLUDED_IP'
```

## Relevant logs and/or screenshots

```bash
ERROR: (gcloud.deployment-manager.deployments.update) Error in Operation [operation-1540676776334-5793cc3f792b0-8f737bb6-92faa03b]: errors:
- code: ERROR_PROCESSING_REQUEST
message: 'Error fetching URL

https://172.23.0.98:443/api/v1/namespaces/default/services,
reason: ERROR_EXCLUDED_IP'
```

## Workarounds

None found so far, apart from setting the cluster public. This issue has been reproduced both in GKE 1.10.6 and 1.10.7.

Comments

xc...@google.com <xc...@google.com> #2Nov 6, 2018 08:41PM

I have forwarded this request to the engineering team. We will update this issue with any progress updates and a resolution.

Best Regards,
Josh Moyer
Google Cloud Platform Support

ra...@capside.com <ra...@capside.com> #3Nov 7, 2018 09:00AM

This is not only useful for IP addresses, but also for many other resources. I understand that names are currently used as identifiers, so this request is probably not trivial to implement. Maybe distinguishing between a (numeric, automatically generated) identifier and a (textual) label is the way to go?

pw...@google.com <pw...@google.com> #4Nov 7, 2018 08:28PM

Is it any hope? We have migrated our IP address to the server with different role, and now the name of this IP address resource doesn't match its role at all. It seems to be trivial enough to momentary reserve static IP address of the old named resource, drop resource, and immediately recreate it with the new name and the old IP address.

ra...@capside.com <ra...@capside.com> #5Nov 9, 2018 12:02PM

This would also improve life when using the Google Deployment Manager (since it otherwise error's out if you've changed a name of an IP)

xc...@google.com <xc...@google.com> #6Nov 11, 2018 09:11PM

Assigned to xc...@google.com.

Over 3 years to get something as basic as renaming a static IP address. Any progress here?

ra...@capside.com <ra...@capside.com> #7Nov 12, 2018 07:35AM

Yes, I have a customer who has this exact issue too! Any updates or workarounds would be very appreciated!

xc...@google.com <xc...@google.com> #8Nov 13, 2018 01:30AM

Any progress in here?

Message last modified on Nov 13, 2018 01:37AM

xc...@google.com <xc...@google.com> #9Nov 13, 2018 01:50AM

I would like this feature as well.

xc...@google.com <xc...@google.com> #10Nov 14, 2018 12:58AM

Hello, any progress in here? Please is very frustrating.

xc...@google.com <xc...@google.com> #11Nov 15, 2018 11:52PM

Hi, open request for more than 3 years for a simple change. Please proceed that.

xc...@google.com <xc...@google.com> #12Nov 15, 2018 11:56PM

+1. :(

xc...@google.com <xc...@google.com> #13Nov 22, 2018 07:48PM

Reassigned to gc...@google.com.

We need this.

[Deleted User] <[Deleted User]> #14Dec 28, 2018 06:18PM

please add this!

ta...@gmail.com <ta...@gmail.com> #15Jan 16, 2019 01:48PM

+1 !

IssueTracker