
Cannot create cert-manager selfSigned Issuer using kubernetes-alpha 0.3.1

Open jbg opened this issue 4 years ago • 6 comments

Terraform, Provider, Kubernetes versions

tf:
Terraform v0.14.8
+ provider registry.terraform.io/hashicorp/kubernetes-alpha v0.3.1

k8s:
Client Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.4", ...}
Server Version: version.Info{Major:"1", Minor:"19+", GitVersion:"v1.19.6-eks-49a6c0", ...}

Affected Resource(s)

  • kubernetes_manifest

Terraform Configuration Files

resource "kubernetes_manifest" "issuer_aws_load_balancer_selfsigned_issuer" {
  provider = kubernetes-alpha

  manifest = {
    "apiVersion" = "cert-manager.io/v1alpha2"
    "kind" = "Issuer"
    "metadata" = {
      "labels" = {"app.kubernetes.io/name" = "aws-load-balancer-controller"}
      "name" = "aws-load-balancer-selfsigned-issuer"
      "namespace" = "kube-system"
    }
    "spec" = {"selfSigned" = {}}
  }
}

Debug Output

Error: API response status: Failure

  on modules/aws-load-balancer-controller/main.tf line 847,
  in resource "kubernetes_manifest" "issuer_aws_load_balancer_selfsigned_issuer":847:
  resource "kubernetes_manifest" "issuer_aws_load_balancer_selfsigned_issuer" {

admission webhook "webhook.cert-manager.io" denied the request: spec: Required
value: at least one issuer must be configured

Expected Behavior

The resource is created with the same spec as if I had used this in YAML:

spec:
  selfSigned: {}

Actual Behavior

The selfSigned key is missing in the resource sent to k8s, resulting in the error.

References

  • Possibly a variant of "Empty blocks in the manifest may cause inconsistent state after apply" from #158 "Known Issues", but this is causing an error rather than inconsistent state.

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

jbg avatar Mar 12 '21 09:03 jbg

@jbg What you are seeing here is a response from the cert-manager admission webhook (as denoted by the API response status message). This is not an error in the provider, but rather the webhook communicating that at least one issuer must be configured.

Are you installing the webhook at the same time as the issuer_aws_load_balancer_selfsigned_issuer resource?

alexsomesan avatar Mar 12 '21 11:03 alexsomesan

The error is being returned by the webhook because kubernetes-alpha is stripping out the selfSigned key from the spec (presumably because the value of the key is an empty map). If I manually kubectl apply the exact same YAML structure as the structure I'm passing to kubernetes-alpha it works fine. It's very clearly an issue with the provider. Sorry if I didn't make that clear in the issue description.

The webhook is already installed.

jbg avatar Mar 12 '21 11:03 jbg

Also, I forgot to mention: the same manifest applies correctly in 0.2.x.

jbg avatar Mar 12 '21 12:03 jbg

@jbg Thanks for the clarification. That puts some perspective on the whole issue.

We do have an ongoing battle with the empty blocks in this provider. In most cases, apart from one other known situation in CRD "subresources", they all get swallowed by the API and replaced with nil and that upsets Terraform because it's not expecting parts of the configuration to "disappear". For that reason we don't allow empty blocks in configuration, but this is more like a stopgap until we can find a universal solution to the issue. I'll look into what needs to happen in this case too.

alexsomesan avatar Mar 15 '21 07:03 alexsomesan

Maybe adding an option in lifecycle would solve cases like these?

lifecycle {
   strip_empty_block = false
}

puzzloholic avatar Apr 03 '21 02:04 puzzloholic

We do have an ongoing battle with the empty blocks in this provider. In most cases, apart from one other known situation in CRD "subresources", they all get swallowed by the API and replaced with nil and that upsets Terraform because it's not expecting parts of the configuration to "disappear".

You mean Terraform complains like this?

When applying changes to kubernetes_manifest.REDACTED, provider "provider["registry.terraform.io/hashicorp/kubernetes-alpha"]" produced an unexpected new value: .object.spec.selfSigned.crlDistributionPoints: was cty.ListValEmpty(cty.String), but now null.


Maybe adding an option in lifecycle would solve cases like these?

lifecycle {
   strip_empty_block = false
}

You are describing a hypothetical future meta argument, right? (https://www.terraform.io/docs/language/meta-arguments/lifecycle.html does not document strip_empty_block.)


I managed to work around this by specifying:

spec:
  selfSigned:
    crlDistributionPoints: [""] # Any value, to work around https://github.com/hashicorp/terraform-provider-kubernetes-alpha/issues/167

devurandom avatar Apr 25 '21 11:04 devurandom
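The thread describes two symptoms of the same problem: an empty block (`selfSigned = {}`) silently dropped before the object reaches the API, and an empty list read back as null after apply. The following is an added example, not code from the provider or from anyone in this thread: a small check that compares the manifest you intended to apply against the object read back from the cluster and reports every declared key that no longer exists. The manifests in it are constructed; `live` would normally be parsed from `kubectl get issuer <name> -n kube-system -o json`.

```python
"""Report keys (including empty blocks) that a desired manifest declares but
that the object read back from the Kubernetes API no longer carries.
Added example for this thread, not code from the kubernetes-alpha provider.
Manifests below are constructed; in practice `live` comes from
`kubectl get issuer <name> -n kube-system -o json`.
"""
import json


def missing_paths(desired, live, path=""):
    """Dotted paths present in `desired` but absent or null in `live`.

    An empty map or list in `desired` still counts as a key that must exist;
    a null in `live` is reported as dropped, which covers the
    "was cty.ListValEmpty(cty.String), but now null" message from the thread.
    """
    if live is None:
        return [path or "."]
    dropped = []
    if isinstance(desired, dict):
        if not isinstance(live, dict):
            return [path or "."]
        for key, want in desired.items():
            child = f"{path}.{key}" if path else key
            if key not in live:
                dropped.append(child)
            else:
                dropped.extend(missing_paths(want, live[key], child))
    elif isinstance(desired, list):
        if not isinstance(live, list):
            return [path or "."]
        for i, want in enumerate(desired):  # lists are compared by position
            child = f"{path}[{i}]"
            dropped.extend([child] if i >= len(live)
                           else missing_paths(want, live[i], child))
    return dropped


# Constructed: the Issuer from the report, and the shape it takes if the
# provider strips the empty `selfSigned` block before sending it to the API.
DESIRED = {
    "apiVersion": "cert-manager.io/v1alpha2",
    "kind": "Issuer",
    "metadata": {"name": "aws-load-balancer-selfsigned-issuer", "namespace": "kube-system"},
    "spec": {"selfSigned": {}},
}
LIVE_STRIPPED = json.loads(json.dumps(DESIRED))  # deep copy via JSON round-trip
LIVE_STRIPPED["spec"] = {}
```

Running `missing_paths(DESIRED, LIVE_STRIPPED)` yields `['spec.selfSigned']`, which is exactly the key the webhook complained about; with the `crlDistributionPoints: [""]` workaround in place the list is empty.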