Fix: dns endpoint for external traffic

[mmorejon]

Fix #2231

This is not an enhancement; it is a bug.

[mmorejon]

@apeabody , could you check this minor fix? 🙏

[apeabody]

/gcbrun

[apeabody]

Thanks for the contribution @mmorejon!

I've triggered the tests to gauge the impact of always creating this block for now.

[apeabody]

/gcbrun

[apeabody]

Thanks for the contribution @mmorejon!

LGTM - Pending all green test result

[apeabody]

/gcbrun

[apeabody]

/gcbrun

[apeabody]

Hi @mmorejon - It appears the TestSaferClusterIapBastion test is consistently failing. I haven't looked into it yet, so it's certainly possible the test/example needs to be updated, rather than your per-say your change.

Step #67 - "verify safer-cluster-iap-bastion-local": TestSaferClusterIapBastion 2025-01-23T01:19:25Z command.go:100: Running command gcloud with args [beta compute ssh safer-cluster-iap-bastion-bastion --tunnel-through-iap --verbosity=error --project ci-gke-16636728-df61 --zone us-central1-a -q --command=curl -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json" -sS https://gke-8adb62e58fde4356b90939f5e09bf0b0a0df-520208420566.us-central1.gke.goog/version -k]
Step #67 - "verify safer-cluster-iap-bastion-local": TestSaferClusterIapBastion 2025-01-23T01:19:29Z command.go:185: control_plane_endpoints_config.dns_endpoint_config.allow_external_traffic is disabled, permission denied

[mmorejon]

Hi @mmorejon - It appears the TestSaferClusterIapBastion test is consistently failing. I haven't looked into it yet, so it's certainly possible the test/example needs to be updated, rather than your per-say your change.

Step #67 - "verify safer-cluster-iap-bastion-local": TestSaferClusterIapBastion 2025-01-23T01:19:25Z command.go:100: Running command gcloud with args [beta compute ssh safer-cluster-iap-bastion-bastion --tunnel-through-iap --verbosity=error --project ci-gke-16636728-df61 --zone us-central1-a -q --command=curl -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json" -sS https://gke-8adb62e58fde4356b90939f5e09bf0b0a0df-520208420566.us-central1.gke.goog/version -k]
Step #67 - "verify safer-cluster-iap-bastion-local": TestSaferClusterIapBastion 2025-01-23T01:19:29Z command.go:185: control_plane_endpoints_config.dns_endpoint_config.allow_external_traffic is disabled, permission denied

Thanks @apeabody for let me know! After a quick search I found an error reference in Google docs, maybe it can help to fix the error. [link]

[apeabody]

Hi @mmorejon - It appears the TestSaferClusterIapBastion test is consistently failing. I haven't looked into it yet, so it's certainly possible the test/example needs to be updated, rather than your per-say your change.

Step #67 - "verify safer-cluster-iap-bastion-local": TestSaferClusterIapBastion 2025-01-23T01:19:25Z command.go:100: Running command gcloud with args [beta compute ssh safer-cluster-iap-bastion-bastion --tunnel-through-iap --verbosity=error --project ci-gke-16636728-df61 --zone us-central1-a -q --command=curl -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json" -sS https://gke-8adb62e58fde4356b90939f5e09bf0b0a0df-520208420566.us-central1.gke.goog/version -k]
Step #67 - "verify safer-cluster-iap-bastion-local": TestSaferClusterIapBastion 2025-01-23T01:19:29Z command.go:185: control_plane_endpoints_config.dns_endpoint_config.allow_external_traffic is disabled, permission denied

Thanks @apeabody for let me know! After a quick search I found an error reference in Google docs, maybe it can help to fix the error. [link]

Sure - My initial suspicion is this needs to be changed to true: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/blob/main/examples/safer_cluster_iap_bastion/cluster.tf#L28

[apeabody]

/gcbrun

[apeabody]

Thanks @mmorejon!