feat: support using internal certs for the local auth endpoint #1626
banschikovde wants to merge 5 commits into
80bd398 to 908cb37
Hello @banschikovde, thanks for the contribution! Sorry for the late response, is this still valuable? If so, please resolve any conflicts, rebase off of main and I will get it reviewed. Thank you!
| d.Clear("local_auth_endpoint") | ||
| } else { | ||
| d.SetNew("local_auth_endpoint", flattenClusterV2LocalAuthEndpoint(newConfig)) | ||
| d.SetNew("local_auth_endpoint", newObj) |
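Review bot: both `d.Clear("local_auth_endpoint")` and `d.SetNew("local_auth_endpoint", newObj)` return an error that this hunk discards; inside CustomizeDiff those should be returned (`if err := d.SetNew("local_auth_endpoint", newObj); err != nil { return err }`) so a failed plan-time set surfaces instead of silently leaving the stale planned value. Since newObj now bypasses the flattener, a one-line comment at this site stating why (the planned object must keep a Terraform-only field the API object does not carry) would save the next reader the same question.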
maybe I am missing something, but why are we cutting out the flattener here?
flattenClusterV2LocalAuthEndpoint serializes only API fields (ca_certs, enabled, fqdn) and does not include the Terraform-only use_internal_ca_certs flag. If we used the flattener here in CustomizeDiff, that flag would be stripped from the planned object. By passing newObj directly (which already is []interface{} from d.GetChange()), we preserve it.
I really appreciate the test additions, thank you!
Please rebase and resolve any conflicts?
908cb37 to 4a7e500
@matttrach
| Provides a Rancher v2 Cluster v2 resource. This can be used to create node-driver and custom RKE2 and K3s Clusters for Rancher v2 environments and retrieve their information. | ||
| ======= | ||
| Provides a Rancher v2 Cluster v2 resource. This can be used to create RKE2 and K3s Clusters for Rancher v2 environments and retrieve their information. | ||
| >>>>>>> 7e799591 (feat(cluster_v2): add use_internal_ca_certs option for local_auth_endpoint) |
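Review bot: the resource description in this hunk still carries `=======` and `>>>>>>> 7e799591 (...)` conflict markers. The HEAD side is the current main wording (it mentions node-driver and custom RKE2/K3s clusters) and the branch side is the older sentence, so the resolution is to keep the HEAD sentence and delete the marker lines together with the stale duplicate.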
It looks like you have unresolved conflicts here.
Please resolve the conflicts and Copilot suggestions.
Pull request overview

This PR adds support for configuring `rancher2_cluster_v2.local_auth_endpoint` to use the cluster's internally generated CA certificates, avoiding dependency cycles that occur when users try to source the CA via a `data.rancher2_cluster` lookup.

Changes:

- Added `use_internal_ca_certs` to the `local_auth_endpoint` schema and implemented create/update/read logic to fetch and apply the internal CA when enabled.
- Introduced a small helper (`decodeCACertIfBase64`) with unit tests to normalize CA cert formats when reading Rancher's management cluster CA.
- Updated docs and unit tests to cover/reflect the new flag behavior.
Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 9 comments.

| File | Description |
|---|---|
| rancher2/util_certs.go | Adds helper to decode CA certs when Rancher returns base64-encoded data. |
| rancher2/util_certs_test.go | Adds unit coverage for the base64 decode helper. |
| rancher2/structure_cluster_v2_test.go | Updates cluster v2 structure test fixtures to include the new local auth endpoint flag in state. |
| rancher2/structure_cluster_v2_local_auth_endpoint_test.go | Updates local auth endpoint structure tests to include/use the new flag. |
| rancher2/schema_cluster_v2_rke_config_local_auth_endpoint.go | Extends the local auth endpoint schema with `use_internal_ca_certs` and marks `ca_certs` as computed. |
| rancher2/resource_rancher2_cluster_v2.go | Implements internal CA fetching and state/diff handling for `use_internal_ca_certs`. |
| docs/resources/cluster_v2.md | Documents the new flag and related behavior (but currently contains unresolved merge-conflict markers). |
Comments suppressed due to low confidence (1)

docs/resources/cluster_v2.md:544

- This HCL example block still contains unresolved Git merge-conflict markers. Resolve the conflict and remove the marker lines so the example is valid.

```
<<<<<<< HEAD
}
fleet_agent_deployment_customization {
scheduling_customization {
```
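A worked illustration of the CA normalization the overview above describes, added here as an example and not the provider's own `decodeCACertIfBase64` or `getClusterCACert`: `normalizeCACert` accepts either PEM text or a base64 encoding of that PEM, rejects anything that is not a CERTIFICATE block, and re-encodes canonically, so that `sameCACert` can compare the CA stored on the local auth endpoint against the management cluster's CA without a trailing newline or base64 wrapping producing a false mismatch. The function names and the constructed `sampleCAPEM` value are assumptions of this example.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"strings"
)

// normalizeCACert returns the CA material as canonical PEM. It accepts either
// PEM text or a base64 encoding of that PEM (the two forms the overview says
// Rancher may return) and rejects anything that is not a CERTIFICATE block.
// Illustrative code, not the provider's decodeCACertIfBase64.
func normalizeCACert(raw string) (string, error) {
	s := strings.TrimSpace(raw)
	if s == "" {
		return "", fmt.Errorf("CA certificate is empty")
	}
	// base64 output never contains '-', so a leading "-----BEGIN" means PEM.
	if !strings.HasPrefix(s, "-----BEGIN") {
		decoded, err := base64.StdEncoding.DecodeString(s)
		if err != nil {
			return "", fmt.Errorf("CA certificate is neither PEM nor base64: %w", err)
		}
		s = strings.TrimSpace(string(decoded))
	}
	// Walk every PEM block so a CA bundle with several certificates is kept
	// intact; any non-certificate block is treated as an error.
	var out []byte
	data := []byte(s)
	for {
		block, rest := pem.Decode(data)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			return "", fmt.Errorf("unexpected %q block in CA certificate", block.Type)
		}
		out = append(out, pem.EncodeToMemory(block)...)
		data = rest
	}
	if len(out) == 0 {
		return "", fmt.Errorf("no CERTIFICATE PEM block found")
	}
	if len(bytes.TrimSpace(data)) != 0 {
		return "", fmt.Errorf("unexpected trailing data after CA certificate")
	}
	return string(out), nil
}

// sameCACert reports whether two CA values hold the same certificate(s) after
// normalization, so whitespace or encoding differences do not yield a spurious
// mismatch when deciding whether the endpoint is using the internal CA.
func sameCACert(a, b string) bool {
	na, errA := normalizeCACert(a)
	nb, errB := normalizeCACert(b)
	if errA != nil || errB != nil {
		return false
	}
	return na == nb
}

// sampleCAPEM builds a constructed CERTIFICATE block so the example runs
// offline. Its body is not real DER and will not parse as X.509.
func sampleCAPEM() string {
	fake := []byte("constructed: not a real DER certificate")
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: fake}))
}

func main() {
	want := sampleCAPEM()
	inputs := map[string]string{
		"pem":            want,
		"base64 of pem":  base64.StdEncoding.EncodeToString([]byte(want)),
		"pem + newlines": want + "\n\n",
		"garbage":        "not a certificate",
	}
	for name, in := range inputs {
		fmt.Printf("%-15s same=%v\n", name, sameCACert(in, want))
	}
}
```

The comparison deliberately works on the re-encoded PEM rather than the raw strings: a CA read back from the endpoint with a different line ending or wrapper than the management cluster's copy is still the same trust anchor, and treating it as different would flip the flag on every refresh.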
| <<<<<<< HEAD | ||
| Provides a Rancher v2 Cluster v2 resource. This can be used to create node-driver and custom RKE2 and K3s Clusters for Rancher v2 environments and retrieve their information. | ||
| ======= | ||
| Provides a Rancher v2 Cluster v2 resource. This can be used to create RKE2 and K3s Clusters for Rancher v2 environments and retrieve their information. | ||
| >>>>>>> 7e799591 (feat(cluster_v2): add use_internal_ca_certs option for local_auth_endpoint) |
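Review bot: this is the same unresolved conflict in the resource description flagged earlier in the thread, here with the `<<<<<<< HEAD` line included; keep the HEAD sentence (the one mentioning node-driver and custom clusters) and drop the three marker lines together with the older sentence.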
| <<<<<<< HEAD | ||
| You can configure a Priority Class and or Pod Disruption Budget to be automatically deployed for the cattle cluster agent and fleet agent when provisioning or updating downstream clusters. | ||
| ======= | ||
| You can configure a Priority Class and or Pod Disruption Budget to be automatically deployed for the cattle cluster agent when provisioning or updating downstream clusters. | ||
| >>>>>>> 7e799591 (feat(cluster_v2): add use_internal_ca_certs option for local_auth_endpoint) |
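Review bot: unresolved conflict markers around the Priority Class / Pod Disruption Budget paragraph. The HEAD version documents deployment for both the cattle cluster agent and the fleet agent, which is the newer wording from main; keep it and remove the branch-side sentence that limits the feature to the cattle cluster agent, along with the markers.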
| <<<<<<< HEAD | ||
| The example below demonstrates how to set the `scheduling_customization` field to deploy a Priority Class and Pod Disruption Budget for both the cattle cluster agent and fleet agent. | ||
| ======= | ||
| The example below demonstrates how to set the `scheduling_customization` field to deploy a Priority Class and Pod Disruption Budget. Currently, this field is only supported for the cluster agent. | ||
| >>>>>>> 7e799591 (feat(cluster_v2): add use_internal_ca_certs option for local_auth_endpoint) |
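Review bot: same pattern for the `scheduling_customization` example intro: keep the HEAD sentence covering both agents and remove the branch sentence stating the field is only supported for the cluster agent, plus the markers.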
| <<<<<<< HEAD | ||
| } | ||
| } | ||
| ======= | ||
| } | ||
| } | ||
| >>>>>>> 7e799591 (feat(cluster_v2): add use_internal_ca_certs option for local_auth_endpoint) |
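Review bot: both sides of this conflict are identical (two closing braces), so it resolves by deleting only the `<<<<<<< HEAD`, `=======` and `>>>>>>> 7e799591 (...)` lines and keeping a single pair of braces.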
| <<<<<<< HEAD | ||
| * `override_resource_requirements` - (Optional, list) Override resource requirements overrides the default value for requests and/or limits. | ||
| + `scheduling_customization` - (Optional, list) Supported in Rancher 2.11.0 and above for `cluster_agent_deployment_customization`, and in Rancher 2.14.0 and above for `fleet_agent_deployment_customization`. Defines the configuration of a Priority Class and or Pod Disruption Budget, and requires the `cluster-agent-scheduling-customization` feature to be enabled. | ||
| ======= | ||
| * `override_resource_requirements` - (Optional, list) Override resource requirements overrides the default value for requests and/or limits. | ||
| + `scheduling_customization` - (Optional, list) Supported in Rancher 2.11.0 and above. Defines the configuration of a Priority Class and or Pod Disruption Budget. Currently only supported in the `cluster_agent_deployment_customization` field, and requires the `cattle_cluster_agent_scheduling_customization` feature to be enabled. | ||
| >>>>>>> 7e799591 (feat(cluster_v2): add use_internal_ca_certs option for local_auth_endpoint) |
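Review bot: the two `scheduling_customization` attribute entries differ in the supported versions (2.11.0 for the cluster agent and 2.14.0 for the fleet agent, versus 2.11.0 only) and in the feature flag name (`cluster-agent-scheduling-customization` versus `cattle_cluster_agent_scheduling_customization`); HEAD is the version on main and should be kept. Separately, both sides open this item with `+` while the preceding `override_resource_requirements` item uses `*`, which markdown renders as the start of a new list; aligning the bullet marker while resolving the conflict would keep the attribute list intact.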
| func getClusterCACert(c *Config, clusterV1ID string) (string, error) { | ||
| if c == nil { | ||
| return "", fmt.Errorf("provider config is nil") | ||
| } | ||
| if clusterV1ID == "" { | ||
| return "", fmt.Errorf("cluster_v1_id is empty") | ||
| } | ||
| client, err := c.ManagementClient() | ||
| if err != nil { | ||
| return "", err | ||
| } | ||
| cluster := &Cluster{} | ||
| err = client.APIBaseClient.ByID(managementClient.ClusterType, clusterV1ID, cluster) | ||
| if err != nil { | ||
| return "", err | ||
| } | ||
| return decodeCACertIfBase64(cluster.CACert), nil | ||
| } |
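Review bot: getClusterCACert returns `decodeCACertIfBase64(cluster.CACert)` with a nil error even when `cluster.CACert` is empty, so a management cluster whose CA has not been populated yet yields "" and a caller on create/update would write an empty `ca_certs` onto the local auth endpoint. Suggest `if cluster.CACert == "" { return "", fmt.Errorf("cluster %s has no CA certificate", clusterV1ID) }` before the final return so the condition surfaces as an explicit error.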
| func setClusterV2LocalAuthEndpointInternalFlag(d *schema.ResourceData, c *Config, cluster *ClusterV2) error { | ||
| if cluster == nil || c == nil { | ||
| return fmt.Errorf("setting local auth endpoint internal flag: missing data") | ||
| } | ||
| lae := cluster.Spec.LocalClusterAuthEndpoint | ||
| useInternal := false | ||
| if cluster.Status.ClusterName != "" && lae.CACerts != "" { | ||
| caCert, err := getClusterCACert(c, cluster.Status.ClusterName) | ||
| if err != nil { | ||
| return err | ||
| } | ||
| if lae.CACerts == caCert { | ||
| useInternal = true | ||
| } | ||
| } | ||
| if v, ok := d.Get("local_auth_endpoint").([]interface{}); ok && len(v) > 0 { | ||
| if m, ok := v[0].(map[string]interface{}); ok { | ||
| m["use_internal_ca_certs"] = useInternal | ||
| d.Set("local_auth_endpoint", []interface{}{m}) | ||
| } | ||
| } | ||
| return nil | ||
| } |
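Review bot: the flag is derived from the exact string comparison `lae.CACerts == caCert`, and is forced to false whenever `cluster.Status.ClusterName` is empty. Two consequences worth handling: on the first read after create, before the status carries a cluster name, `use_internal_ca_certs` reads back as false although the user set true, producing a diff on the next plan; and any whitespace or line-ending difference between the value stored on the endpoint and the decoded management CA also reads back as false. Suggest comparing after `strings.TrimSpace` (or decoding both with encoding/pem and comparing the block bytes) and, when ClusterName is empty, leaving the flag at its configured value rather than overwriting it. The error returned by `d.Set("local_auth_endpoint", []interface{}{m})` is also discarded and should be returned.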
| testClusterV2LocalAuthEndpointInterfaceUseInternal = []interface{}{ | ||
| map[string]interface{}{ | ||
| "ca_certs": "ca_certs", | ||
| "enabled": true, | ||
| "fqdn": "fqdn", | ||
| "use_internal_ca_certs": true, | ||
| }, |
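Review bot: this fixture sets both `"ca_certs": "ca_certs"` and `"use_internal_ca_certs": true`, while the PR describes the two as mutually exclusive. If `ca_certs` is meant to hold the computed internal CA in this state, a comment on the fixture saying so would avoid the appearance of a conflicting input; if not, the case that exercises the conflict validation appears to be missing.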
| { | ||
| testClusterV2LocalAuthEndpointInterface, | ||
| testClusterV2LocalAuthEndpointInterfaceUseInternal, | ||
| testClusterV2LocalAuthEndpointConf, | ||
| }, |
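Review bot: the case is a positional struct literal, so it is not visible here which of the three values is the input and which are the expected expand/flatten results, nor why the UseInternal interface is paired with the unchanged `testClusterV2LocalAuthEndpointConf`. Keyed fields (names such as `input:` and `expectedOutput:` are only a suggestion) would make the intent of this case readable on its own.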
Hi @banschikovde, in your use case, are you using that CA certificate to issue a certificate for the local authentication endpoint? If so, how did you accomplish that? Could you provide some details about your use case and the approach you took? Thanks!
Issue

Resolves #1299

Problem

When enabling the `local_auth_endpoint` for a cluster, users could not opt into using the internally generated CA certificate. Attempting to retrieve the CA certificate through a `data.rancher2_cluster` data source led to a dependency cycle, and only an external CA could be configured directly.

Solution

- Added a `use_internal_ca_certs` boolean flag inside the `local_auth_endpoint` block, mutually exclusive with `ca_certs`.
- Fetch and apply the internal CA when `use_internal_ca_certs` is true during create, update, and read operations.

Testing

Engineering Testing

- `make build` to compile the provider.
- `go test ./rancher2 -run TestExpandClusterV2LocalAuthEndpoint -count=1 -v` after enabling the new flag.
- `make test` to confirm all unit tests pass with the new logic.

Automated Testing

- `TestExpandClusterV2LocalAuthEndpoint` and updated existing tests to assert state preservation of `use_internal_ca_certs`.
- `ca_certs` and `use_internal_ca_certs`.

QA Testing Considerations

- `use_internal_ca_certs` on a cluster with `local_auth_endpoint` correctly pulls internal CA data without requiring explicit `ca_certs`.
- `ca_certs` should behave unchanged, while toggling `use_internal_ca_certs` should swap to internal CA seamlessly.

Regressions Considerations

- `local_auth_endpoint` fields; verify that state refresh and plan outputs remain stable.
- `use_internal_ca_certs` with other cluster CA options.