Conversation

@pkieszcz (Collaborator) commented Jan 19, 2026

Summary

Patches CAPG v1.11.0-beta.0 to fix nil pointer dereferences when creating/reconciling private GKE clusters with PSC (Private Service Connect) mode - i.e., when enablePrivateEndpoint: true without specifying controlPlaneCidrBlock.

Fixes

1. Creation path (NetworkConfig initialization)

In createCluster, cluster.NetworkConfig.DefaultEnablePrivateNodes was accessed before NetworkConfig was initialized.

Changes:

  • Initialize NetworkConfig before accessing DefaultEnablePrivateNodes
  • Set EnablePrivateNodes on PrivateClusterConfig to match (GCP SDK requires both fields to have the same value)

2. Reconciliation path (DesiredControlPlaneEndpointsConfig initialization)

In checkDiffAndPrepareUpdate, clusterUpdate.DesiredControlPlaneEndpointsConfig.IpEndpointsConfig.AuthorizedNetworksConfig was assigned without initializing the parent structs.

Changes:

  • Initialize DesiredControlPlaneEndpointsConfig and IpEndpointsConfig before assigning AuthorizedNetworksConfig

Related upstream issues

Image

Built and pushed to Artifact Registry:

europe-central2-docker.pkg.dev/bitropy-management/images/capg-controller:v1.11.0-beta.0-patched

Rebuild instructions

git clone -b v1.11.0-beta.0-patched https://github.com/Bitropy/cluster-api-provider-gcp.git
cd cluster-api-provider-gcp
docker build -t europe-central2-docker.pkg.dev/bitropy-management/images/capg-controller:v1.11.0-beta.0-patched .
docker push europe-central2-docker.pkg.dev/bitropy-management/images/capg-controller:v1.11.0-beta.0-patched

Usage in CAPI Operator

In argocd/applicationsets/capi-operator.yaml:

infrastructure:
  gcp:
    version: v1.11.0-beta.0
    deployment:
      serviceAccountName: capg-manager
      containers:
      - name: manager
        imageUrl: europe-central2-docker.pkg.dev/bitropy-management/images/capg-controller:v1.11.0-beta.0-patched

GCPManagedControlPlane requirements

When using private endpoint, master_authorized_networks_config must be set in the GCPManagedControlPlane spec:

apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: GCPManagedControlPlane
spec:
  clusterNetwork:
    privateCluster:
      enablePrivateEndpoint: true
      enablePrivateNodes: true
  # Required when enablePrivateEndpoint is true
  master_authorized_networks_config:
    gcp_public_cidrs_access_enabled: false

Prerequisites

Grant Artifact Registry read access to the management cluster's compute service account:

gcloud artifacts repositories add-iam-policy-binding images \
  --project=bitropy-management \
  --location=europe-central2 \
  --member="serviceAccount:<PROJECT_NUMBER>-compute@developer.gserviceaccount.com" \
  --role="roles/artifactregistry.reader"
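The two fixes above share one pattern: a leaf field is written through a chain of pointer-typed parents that the PSC code path never allocated. The following Go program, added here as an illustration and not code from this PR or from CAPG, models both paths on stand-in struct types that only copy the field names from the description (they are not the real GKE API types, and the "legacy path allocates NetworkConfig" branch is an assumed model of why the bug only appears without controlPlaneCidrBlock). It shows the pre-fix creation path panicking in PSC mode, the fixed path keeping DefaultEnablePrivateNodes and EnablePrivateNodes equal, and a reconciliation-path update that allocates each parent only when it is nil.

```go
package main

import "fmt"

// Stand-in types copying the field names from the PR description; they are
// constructed for this example and are not the real GKE API structs.
type NetworkConfig struct{ DefaultEnablePrivateNodes bool }

type PrivateClusterConfig struct {
	EnablePrivateEndpoint bool
	EnablePrivateNodes    bool
	MasterIpv4CidrBlock   string
}

type Cluster struct {
	NetworkConfig        *NetworkConfig
	PrivateClusterConfig *PrivateClusterConfig
}

type AuthorizedNetworksConfig struct {
	Enabled                     bool
	GcpPublicCidrsAccessEnabled bool
}

type IPEndpointsConfig struct {
	EnablePublicEndpoint     bool // sibling field, used to show the guard does not clobber it
	AuthorizedNetworksConfig *AuthorizedNetworksConfig
}

type ControlPlaneEndpointsConfig struct{ IpEndpointsConfig *IPEndpointsConfig }

type ClusterUpdate struct{ DesiredControlPlaneEndpointsConfig *ControlPlaneEndpointsConfig }

// PrivateClusterSpec carries the GCPManagedControlPlane fields the PR names.
// An empty ControlPlaneCidrBlock models PSC mode.
type PrivateClusterSpec struct {
	EnablePrivateEndpoint bool
	EnablePrivateNodes    bool
	ControlPlaneCidrBlock string
}

// buildClusterUnsafe models the pre-fix creation path (assumed model: only the
// CIDR-block branch allocates NetworkConfig). The panic is recovered and
// returned as an error so a test can assert on it.
func buildClusterUnsafe(spec PrivateClusterSpec) (c *Cluster, err error) {
	defer func() {
		if r := recover(); r != nil {
			c, err = nil, fmt.Errorf("createCluster panicked: %v", r)
		}
	}()
	c = &Cluster{PrivateClusterConfig: &PrivateClusterConfig{
		EnablePrivateEndpoint: spec.EnablePrivateEndpoint,
		MasterIpv4CidrBlock:   spec.ControlPlaneCidrBlock,
	}}
	if spec.ControlPlaneCidrBlock != "" {
		c.NetworkConfig = &NetworkConfig{}
	}
	c.NetworkConfig.DefaultEnablePrivateNodes = spec.EnablePrivateNodes // nil deref in PSC mode
	return c, nil
}

// buildClusterSafe is the fixed creation path: allocate the parent before
// writing through it, and set EnablePrivateNodes to the same value.
func buildClusterSafe(spec PrivateClusterSpec) *Cluster {
	c := &Cluster{}
	if c.NetworkConfig == nil {
		c.NetworkConfig = &NetworkConfig{}
	}
	c.NetworkConfig.DefaultEnablePrivateNodes = spec.EnablePrivateNodes
	c.PrivateClusterConfig = &PrivateClusterConfig{
		EnablePrivateEndpoint: spec.EnablePrivateEndpoint,
		EnablePrivateNodes:    spec.EnablePrivateNodes,
		MasterIpv4CidrBlock:   spec.ControlPlaneCidrBlock,
	}
	return c
}

// privateNodesConsistent checks the invariant the PR attributes to the GCP SDK.
func privateNodesConsistent(c *Cluster) bool {
	if c == nil || c.NetworkConfig == nil || c.PrivateClusterConfig == nil {
		return false
	}
	return c.NetworkConfig.DefaultEnablePrivateNodes == c.PrivateClusterConfig.EnablePrivateNodes
}

// prepareAuthorizedNetworksUpdate is the fixed reconciliation path: each parent
// is allocated only when nil, so fields already set on it survive.
func prepareAuthorizedNetworksUpdate(u *ClusterUpdate, publicCidrs bool) *ClusterUpdate {
	if u.DesiredControlPlaneEndpointsConfig == nil {
		u.DesiredControlPlaneEndpointsConfig = &ControlPlaneEndpointsConfig{}
	}
	ep := u.DesiredControlPlaneEndpointsConfig
	if ep.IpEndpointsConfig == nil {
		ep.IpEndpointsConfig = &IPEndpointsConfig{}
	}
	ep.IpEndpointsConfig.AuthorizedNetworksConfig = &AuthorizedNetworksConfig{Enabled: true, GcpPublicCidrsAccessEnabled: publicCidrs}
	return u
}

func main() {
	psc := PrivateClusterSpec{EnablePrivateEndpoint: true, EnablePrivateNodes: true}
	_, err := buildClusterUnsafe(psc)
	fmt.Println("before fix:", err)
	fmt.Println("after fix, fields consistent:", privateNodesConsistent(buildClusterSafe(psc)))
}
```

The nil checks before each allocation matter beyond avoiding the panic: an unconditional `u.DesiredControlPlaneEndpointsConfig = &ControlPlaneEndpointsConfig{}` would silently drop any sibling field that checkDiffAndPrepareUpdate had already populated on the same update.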

Fixes two nil pointer dereference issues when creating/reconciling
private GKE clusters:

1. Creation path: Initialize NetworkConfig before accessing
   DefaultEnablePrivateNodes. Also set EnablePrivateNodes on
   PrivateClusterConfig to match (GCP SDK requires both to be equal).

2. Reconciliation path: Initialize DesiredControlPlaneEndpointsConfig
   and IpEndpointsConfig before assigning AuthorizedNetworksConfig
   in checkDiffAndPrepareUpdate.

Both issues occur when using private clusters with PSC (Private Service
Connect) mode, i.e., enablePrivateEndpoint: true without specifying
controlPlaneCidrBlock.

Related issues:
- kubernetes-sigs#1497
- kubernetes-sigs#1503

Signed-off-by: Piotr Kieszczyński <piotr.kieszczynski@gmail.com>
@pkieszcz force-pushed the v1.11.0-beta.0-patched branch from e69b757 to 53cc350 on January 19, 2026 10:14
