fix: nil pointer dereferences in private cluster creation and reconciliation

[pkieszcz]

What type of PR is this?

/kind bug

What this PR does / why we need it:

Fixes two nil pointer dereference issues when creating/reconciling private GKE clusters with PSC (Private Service Connect) mode - i.e., when enablePrivateEndpoint: true without specifying controlPlaneCidrBlock.

Fix 1: Creation path (related to #1503)

In createCluster, cluster.NetworkConfig.DefaultEnablePrivateNodes was accessed before NetworkConfig was initialized.

Changes:

• Initialize NetworkConfig before accessing DefaultEnablePrivateNodes
• Set EnablePrivateNodes on PrivateClusterConfig to match (GCP SDK requires both fields to have the same value)

Fix 2: Reconciliation path

In checkDiffAndPrepareUpdate, clusterUpdate.DesiredControlPlaneEndpointsConfig.IpEndpointsConfig.AuthorizedNetworksConfig was assigned without initializing the parent structs.

Changes:

• Initialize DesiredControlPlaneEndpointsConfig and IpEndpointsConfig before assigning AuthorizedNetworksConfig

Which issue(s) this PR fixes:
Fixes #1497

Special notes for your reviewer:

This PR combines the fix from #1503 (which was closed) with an additional fix for the reconciliation path. Both issues have the same root cause and affect private cluster functionality.

Reproduction steps:

1. Create a GKE cluster with enablePrivateEndpoint: true and no controlPlaneCidrBlock (PSC mode)
2. Fix 1: Controller panics during cluster creation
3. Fix 2: If cluster is created successfully, controller panics during reconciliation when master_authorized_networks_config differs

TODOs:

• squashed commits
• includes documentation
• adds unit tests

Release note:

Fix nil pointer dereferences when creating/reconciling private GKE clusters with PSC mode

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: pkieszcz
Once this PR has been reviewed and has the lgtm label, please assign enxebre for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[netlify]

✅ Deploy Preview for kubernetes-sigs-cluster-api-gcp ready!

Name	Link
🔨 Latest commit	b42c715
🔍 Latest deploy log	https://app.netlify.com/projects/kubernetes-sigs-cluster-api-gcp/deploys/696e1dae078a1b0008dcddf0
😎 Deploy Preview	https://deploy-preview-1591--kubernetes-sigs-cluster-api-gcp.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: pkieszcz / name: Piotr Kieszczyński (b42c715)

[k8s-ci-robot]

Welcome @pkieszcz!

It looks like this is your first PR to kubernetes-sigs/cluster-api-provider-gcp 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/cluster-api-provider-gcp has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @pkieszcz. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[salasberryfin]

/ok-to-test

[salasberryfin]

Thanks @pkieszcz. It would also be nice to have a test for this specific reconcile loop, as it would make it easy to spot simple errors like this one.

[salasberryfin]

It's probably worth changing this too:

existingCluster.GetControlPlaneEndpointsConfig().GetIpEndpointsConfig().GetAuthorizedNetworksConfig()

compareMasterAuthorizedNetworksConfig() deals with nil values and it's safe to use but what if any of the intermediate methods on existingCluster returns nil?