Add ConflictsWith to provider authentication config

[dak1n1]

Description

In the past, we relied on Kubernetes client-go to determine the order of precedence when given a list of mutually-exclusive parameters for authenticating to the Kubernetes cluster. This lead to some confusion, since client-go's decision could override even an explicit provider configuration. For example, if a token were specified in the Kubernetes provider config, and the environment variable KUBE_CONFIG_PATH was present, client-go would silently decide to use the KUBE_CONFIG_PATH to authenticate to the cluster.

In order to create a more explicit configuration, and more predictable behavior, this PR adds ConflictsWith to specific provider authentication attributes, effectively disallowing the use of conflicting methods of authentication, such as config_path and token. The provider now generates an error to tell the user that these options are mutually exclusive.

Acceptance tests

• Have you added an acceptance test for the functionality being added?
• Have you run the acceptance tests on this branch?

Output from acceptance testing:

$ TESTARGS="-run 'TestAccKubernetesProviderConfig'" make testacc
=== RUN   TestAccKubernetesProviderConfig_config_path
--- PASS: TestAccKubernetesProviderConfig_config_path (3.68s)
=== RUN   TestAccKubernetesProviderConfig_config_paths
--- PASS: TestAccKubernetesProviderConfig_config_paths (2.90s)
=== RUN   TestAccKubernetesProviderConfig_config_paths_env
--- PASS: TestAccKubernetesProviderConfig_config_paths_env (2.33s)
=== RUN   TestAccKubernetesProviderConfig_config_paths_env_wantError
--- PASS: TestAccKubernetesProviderConfig_config_paths_env_wantError (0.43s)
=== RUN   TestAccKubernetesProviderConfig_host_env_wantError
--- PASS: TestAccKubernetesProviderConfig_host_env_wantError (0.55s)
=== RUN   TestAccKubernetesProviderConfig_host
--- PASS: TestAccKubernetesProviderConfig_host (8.68s)
PASS

Release Note

Release note for CHANGELOG:

Display an error when the provider is configured with mutually-exclusive authentication options.

References

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

[dak1n1]

I moved the provider blocks into the root module, since that's best practice.

[dak1n1]

I moved this provider config into the root module.

[dak1n1]

This provider config was moved into the root module.

[dak1n1]

I did a bunch of Progressive Apply testing and I wasn't able to find a difference between having this check enabled vs disabled.

[jrhouston]

Did you do your testing across different versions of Terraform and can you share your testing strategy? I'm still pretty uncertain about reliably reproducing the illusive progressive apply issue.

You can look at the issue that caused us to revert this change in the Helm provider for context: hashicorp/terraform-provider-helm#647

[dak1n1]

The SDK now seems to allow us to set a default for TypeList! 🎉 I didn't see the feature added, but it worked for me when I defined my own function of type schema.EnvDefaultFunc.

[dak1n1]

These checks are just meant to ensure the various configuration attributes are not initialized with any default/empty values. For example, if the provider thinks we've set host = "", it won't let us set config_path = "~/.kube/config" because of the ConflictsWith.

[jrhouston]

Thanks for doing this @dak1n1 – this mostly looks great, especially all the tests you've added and config examples you've tidied up.

I added a few questions about the conflicts with stuff, and there seems to be a problem with sourcing the KUBE_CONFIG_PATHS environment variable.

[jrhouston]

It seems like the insecure option can actually be part of the kubeconfig file but is called insecure-skip-tls-verify https://github.com/kubernetes/kubernetes/blob/f4a156eb29d51b73f52d69ab4c5f96e440eebc41/staging/src/k8s.io/client-go/pkg/apis/clientauthentication/v1beta1/types.go#L86

Is there a good reason to also have it here when using config_path in that case?

[dak1n1]

Nope, my mistake! I thought it was a command-line override that works anywhere. I'll have to fix that. But I'm going to hold off doing anything with this PR until we have that meeting next week.

[dak1n1]

Just to give you a status update: I'll fix the things you mentioned as soon as I can get the needed functionality into the SDK. (Since we don't want to enable ConflictsWith in "fatal error" mode, the SDK work will be needed before this PR can progress).

[jrhouston]

Wouldn't this also conflict with cluster_ca_certificate since it's just for when using a kubeconfig file?

[jrhouston]

Just a nit but because there's a bunch of stuff inside this conditional i would invert it so that if !exists returns early so the rest of the logic is just the body of the function.

[jrhouston]

This doesn't actually seem to be working for me on your branch:

When I use KUBE_CONFIG_PATH it works fine:

KUBE_CONFIG_PATH=~/.kube/config terraform plan                              ✘ 1 conflictswith ✱ ◼
kubernetes_config_map.testy: Refreshing state... [id=default/testo]

No changes. Infrastructure is up-to-date.

That Terraform did not detect any differences between your configuration and the remote system(s). As a result, there
are no actions to take.

But when I try to use KUBE_CONFIG_PATHS:

KUBE_CONFIG_PATHS=~/.kube/config terraform plan                             ✘ 1 conflictswith ✱ ◼
kubernetes_config_map.testy: Refreshing state... [id=default/testo]
╷
│ Error: Get "http://localhost/api/v1/namespaces/default/configmaps/testo": dial tcp [::1]:80: connect: connection refused
│
│
╵

However if I set config_paths in the config it works fine. So I suspect something isn't right with the default function here.

[dak1n1]

Nice, thanks for testing! I'll have to check this out.

[jrhouston]

Did you do your testing across different versions of Terraform and can you share your testing strategy? I'm still pretty uncertain about reliably reproducing the illusive progressive apply issue.

You can look at the issue that caused us to revert this change in the Helm provider for context: hashicorp/terraform-provider-helm#647

[jrhouston]

Given that I couldn't get KUBE_CONFIG_PATHS to work locally as mentioned above, I'm confused by how this test passes 🤯

[jrhouston]

Ah, I see this probably passes because the validation on the provider block doesn't error but terraform breaks gives an error at apply time because the list is empty.

I added some logging to the provider block where I can see that configPathsEnv is being called, but when I do a d.Get("config_paths") in the providerConfigure function it comes up empty. 😢

[jrhouston]

I found the nesting of functions here a bit confusing to read – I think I would have preferred just one big string with the provider block in it so I can see exactly what is being tested. I see you are trying not to repeat yourself here and avoid copypasta though.

[dak1n1]

There's a PR that I tested out today, which gives us the conflictsWith warning level messages. It's working, but it will take some time for it to be reviewed and released. Probably sometime in June. hashicorp/terraform-plugin-sdk#745

[hashicorp-cla]

All committers have signed the CLA.