chore: data source -> resource talos_cluster_kubeconfig

Move `talos_cluster_kubeconfig` data source to a resource so that kubernetes client certs can be regenerated when nearing expiry. Fixes: #155 Signed-off-by: Noel Georgi <[email protected]>
siderolabs · Jul 9, 2024 · f26a591 · f26a591
1 parent 78fd0d3
commit f26a591
Show file tree

Hide file tree

Showing 12 changed files with 812 additions and 99 deletions.
diff --git a/Makefile b/Makefile
@@ -8,7 +8,7 @@ endif
 
 ifneq ($(origin CI), undefined)
 	RUNARGS += -parallel=3
-	RUNARGS += -timeout=20m
+	RUNARGS += -timeout=25m
 	RUNARGS += -exec="sudo -E"
 endif
 

diff --git a/docs/resources/cluster_kubeconfig.md b/docs/resources/cluster_kubeconfig.md
@@ -0,0 +1,109 @@
+---
+page_title: "talos_cluster_kubeconfig Resource - talos"
+subcategory: ""
+description: |-
+  Retrieves the kubeconfig for a Talos cluster
+---
+
+# talos_cluster_kubeconfig (Resource)
+
+Retrieves the kubeconfig for a Talos cluster
+
+## Example Usage
+
+```terraform
+resource "talos_machine_secrets" "this" {}
+
+data "talos_machine_configuration" "this" {
+  cluster_name     = "example-cluster"
+  machine_type     = "controlplane"
+  cluster_endpoint = "https://cluster.local:6443"
+  machine_secrets  = talos_machine_secrets.this.machine_secrets
+}
+
+data "talos_client_configuration" "this" {
+  cluster_name         = "example-cluster"
+  client_configuration = talos_machine_secrets.this.client_configuration
+  nodes                = ["10.5.0.2"]
+}
+
+resource "talos_machine_configuration_apply" "this" {
+  client_configuration        = talos_machine_secrets.this.client_configuration
+  machine_configuration_input = data.talos_machine_configuration.this.machine_configuration
+  node                        = "10.5.0.2"
+  config_patches = [
+    yamlencode({
+      machine = {
+        install = {
+          disk = "/dev/sdd"
+        }
+      }
+    })
+  ]
+}
+
+resource "talos_machine_bootstrap" "this" {
+  depends_on = [
+    talos_machine_configuration_apply.this
+  ]
+  node                 = "10.5.0.2"
+  client_configuration = talos_machine_secrets.this.client_configuration
+}
+
+
+resource "talos_cluster_kubeconfig" "this" {
+  depends_on = [
+    talos_machine_bootstrap.this
+  ]
+  client_configuration = talos_machine_secrets.this.client_configuration
+  node                 = "10.5.0.2"
+}
+```
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `client_configuration` (Attributes) The client configuration data (see [below for nested schema](#nestedatt--client_configuration))
+- `node` (String) controlplane node to retrieve the kubeconfig from
+
+### Optional
+
+- `endpoint` (String) endpoint to use for the talosclient. If not set, the node value will be used
+- `timeouts` (Attributes) (see [below for nested schema](#nestedatt--timeouts))
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+- `kubeconfig_raw` (String, Sensitive) The raw kubeconfig
+- `kubernetes_client_configuration` (Attributes) The kubernetes client configuration (see [below for nested schema](#nestedatt--kubernetes_client_configuration))
+
+<a id="nestedatt--client_configuration"></a>
+### Nested Schema for `client_configuration`
+
+Required:
+
+- `ca_certificate` (String) The client CA certificate
+- `client_certificate` (String) The client certificate
+- `client_key` (String, Sensitive) The client key
+
+
+<a id="nestedatt--timeouts"></a>
+### Nested Schema for `timeouts`
+
+Optional:
+
+- `create` (String) A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+- `update` (String) A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+
+
+<a id="nestedatt--kubernetes_client_configuration"></a>
+### Nested Schema for `kubernetes_client_configuration`
+
+Read-Only:
+
+- `ca_certificate` (String) The kubernetes CA certificate
+- `client_certificate` (String) The kubernetes client certificate
+- `client_key` (String, Sensitive) The kubernetes client key
+- `host` (String) The kubernetes host
+
diff --git a/examples/resources/talos_cluster_kubeconfig/resource.tf b/examples/resources/talos_cluster_kubeconfig/resource.tf
@@ -0,0 +1,46 @@
+resource "talos_machine_secrets" "this" {}
+
+data "talos_machine_configuration" "this" {
+  cluster_name     = "example-cluster"
+  machine_type     = "controlplane"
+  cluster_endpoint = "https://cluster.local:6443"
+  machine_secrets  = talos_machine_secrets.this.machine_secrets
+}
+
+data "talos_client_configuration" "this" {
+  cluster_name         = "example-cluster"
+  client_configuration = talos_machine_secrets.this.client_configuration
+  nodes                = ["10.5.0.2"]
+}
+
+resource "talos_machine_configuration_apply" "this" {
+  client_configuration        = talos_machine_secrets.this.client_configuration
+  machine_configuration_input = data.talos_machine_configuration.this.machine_configuration
+  node                        = "10.5.0.2"
+  config_patches = [
+    yamlencode({
+      machine = {
+        install = {
+          disk = "/dev/sdd"
+        }
+      }
+    })
+  ]
+}
+
+resource "talos_machine_bootstrap" "this" {
+  depends_on = [
+    talos_machine_configuration_apply.this
+  ]
+  node                 = "10.5.0.2"
+  client_configuration = talos_machine_secrets.this.client_configuration
+}
+
+
+resource "talos_cluster_kubeconfig" "this" {
+  depends_on = [
+    talos_machine_bootstrap.this
+  ]
+  client_configuration = talos_machine_secrets.this.client_configuration
+  node                 = "10.5.0.2"
+}
diff --git a/hack/release.toml b/hack/release.toml
@@ -20,6 +20,14 @@ pre_release = true
         title = "Talos Cluster Health"
         description = """\
 `talos_cluster_health` data source now has a way to skip running the Kubernetes components health check by setting `skip_kubernetes_checks` to `true`.
+"""
+
+    [notes.talos_cluster_kubeconfig]
+        title = "Talos Cluster Kubeconfig"
+        description = """\
+`talos_cluster_kubeconfig` data source is now deprecated and will be removed in the next minor release.
+Use `talos_cluster_kubeconfig` resource instead.
+The `talos_cluster_kubeconfig` resource will regenerate kubernetes client config when the time to expiry is less than a month.
 """
 
     [notes.updates]

diff --git a/pkg/talos/provider.go b/pkg/talos/provider.go
@@ -53,5 +53,6 @@ func (p *talosProvider) Resources(_ context.Context) []func() resource.Resource
 		NewTalosMachineSecretsResource,
 		NewTalosMachineConfigurationApplyResource,
 		NewTalosMachineBootstrapResource,
+		NewTalosClusterKubeConfigResource,
 	}
 }
diff --git a/pkg/talos/provider_test.go b/pkg/talos/provider_test.go
@@ -219,7 +219,7 @@ resource "talos_machine_bootstrap" "this" {
 {{ end }}
 
 {{ if .WithRetrieveKubeConfig }}
-data "talos_cluster_kubeconfig" "this" {
+resource "talos_cluster_kubeconfig" "this" {
   depends_on = [
     talos_machine_bootstrap.this
   ]
@@ -231,7 +231,7 @@ data "talos_cluster_kubeconfig" "this" {
 {{ if .WithClusterHealth }}
 data "talos_cluster_health" "this" {
   depends_on = [
-    data.talos_cluster_kubeconfig.this
+    talos_cluster_kubeconfig.this
   ]
 
   timeouts = {

diff --git a/pkg/talos/talos_cluster_kubeconfig_data_source.go b/pkg/talos/talos_cluster_kubeconfig_data_source.go
@@ -33,13 +33,6 @@ type talosClusterKubeConfigDataSourceModelV0 struct { //nolint:govet
 	Timeouts                      timeouts.Value                `tfsdk:"timeouts"`
 }
 
-type kubernetesClientConfiguration struct {
-	Host              types.String `tfsdk:"host"`
-	CACertificate     types.String `tfsdk:"ca_certificate"`
-	ClientCertificate types.String `tfsdk:"client_certificate"`
-	ClientKey         types.String `tfsdk:"client_key"`
-}
-
 var _ datasource.DataSource = &talosClusterKubeConfigDataSource{}
 
 // NewTalosClusterKubeConfigDataSource implements the datasource.DataSource interface.
@@ -53,7 +46,8 @@ func (d *talosClusterKubeConfigDataSource) Metadata(_ context.Context, req datas
 
 func (d *talosClusterKubeConfigDataSource) Schema(ctx context.Context, _ datasource.SchemaRequest, resp *datasource.SchemaResponse) {
 	resp.Schema = schema.Schema{
-		Description: "Retrieves the kubeconfig for a Talos cluster",
+		DeprecationMessage: "Use `talos_cluster_kubeconfig` resource instead. This data source will be removed in the next minor version of the provider.",
+		Description:        "Retrieves the kubeconfig for a Talos cluster",
 		Attributes: map[string]schema.Attribute{
 			"id": schema.StringAttribute{
 				Computed: true,
@@ -126,6 +120,9 @@ func (d *talosClusterKubeConfigDataSource) Schema(ctx context.Context, _ datasou
 	}
 }
 
+// Read implements the datasource.DataSource interface.
+//
+//nolint:dupl
 func (d *talosClusterKubeConfigDataSource) Read(ctx context.Context, req datasource.ReadRequest, resp *datasource.ReadResponse) {
 	var obj types.Object
 

diff --git a/pkg/talos/talos_cluster_kubeconfig_data_source_test.go b/pkg/talos/talos_cluster_kubeconfig_data_source_test.go