terraform-provider-kubernetes

inconsistent output of kubernetes_secret data source during apply

Open L1ghtman2k opened this issue 1 year ago • 0 comments

Terraform Version, Provider Version and Kubernetes Version

Terraform version: 1.7.5
Kubernetes provider version: (default for this terraform)
Kubernetes version: 1.29.3

Affected Resource(s)

  • data "kubernetes_secret"

Terraform Configuration Files

...

resource "null_resource" "wait_for_secret" {
  depends_on = [
    module.ccp
  ]

  provisioner "local-exec" {
    interpreter = ["/bin/bash", "-c"]
    environment = {
      KUBECONFIG = var.kubeconfig
    }
    command = <<EOT
      #!/bin/bash
      set -e
      namespace=test
      secret_name=test
      retries=40
      delay=5
      count=0
      while [[ $count -lt $retries ]]
      do
        secret=$(kubectl get secret -n $namespace $secret_name --ignore-not-found)
        if [[ -n "$secret" ]]; then
          echo "Secret $secret_name found in namespace $namespace."
          exit 0
        fi
        echo "Secret $secret_name not found in namespace $namespace. Retrying..."
        sleep $delay
        count=$((count + 1))
      done
      echo "Secret $secret_name not found in namespace $namespace after $retries retries, or it does not have rootPassword. Exiting..."
      exit 1
    EOT
  }

  triggers = {
    always_run = timestamp()
  }
}

data "kubernetes_secret_v1" "vaultauth" {
  depends_on = [
    null_resource.wait_for_vault_token
  ]
  metadata {
    name      = "test"
    namespace = "test"
  }
  binary_data = {
    token = ""
  }
}

output "vault_token" {
  value = base64decode(data.kubernetes_secret_v1.vaultauth.binary_data.token)
  sensitive = true
}

Steps to Reproduce

  1. Create the "test" namespace.
  2. Run terraform apply. While it is applying (wait_for_secret is running), create a "test" Kubernetes secret with .data.token set to something.
  3. Check the output; the token will be empty.

If the secret already exists, the issue remains.

If terraform refresh is run, then the output is corrected to the expected value.

Expected Behavior

token should not be empty

Actual Behavior

token is empty

Important Factoids

It seems to me that this behavior is only present when the kubernetes_secret has:

  depends_on = [
    null_resource.wait_for_vault_token
  ]

If the secret exists, and depends_on is removed, then the token is displayed as expected.

References

It seems to me this issue is related: https://github.com/hashicorp/terraform-provider-kubernetes/issues/1221

Workaround

I use the "external" data source to fetch the secret, similar to what is described in the comment on the above issue: https://github.com/hashicorp/terraform-provider-kubernetes/issues/1221#issuecomment-905507838

L1ghtman2k, Mar 18 '24 03:03
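
The workaround named in the issue, sketched as an added example (not code from the issue, the linked comment, or the provider): a program for Terraform's `external` data source that reads JSON from stdin, fetches the secret with kubectl, and prints a flat JSON object of strings. The query keys `namespace`, `name` and `key`, the function name `extract_key` and the sample secret are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Program for Terraform's "external" data source: return one key of a Kubernetes Secret."""
import base64
import json
import subprocess
import sys


def extract_key(secret_json: str, key: str) -> dict:
    """Turn `kubectl get secret -o json` output into a flat {str: str} result object."""
    secret = json.loads(secret_json)
    data = secret.get("data") or {}
    if key not in data:
        raise KeyError(f"secret has no data key {key!r}")
    # .data values are base64; decode here so Terraform needs no base64decode().
    value = base64.b64decode(data[key], validate=True).decode("utf-8")
    if not value:
        # Fail the apply instead of silently handing Terraform an empty token.
        raise ValueError(f"data key {key!r} is empty")
    return {key: value}


def main() -> int:
    # Terraform passes the data source's `query` map as a JSON object on stdin.
    query = json.load(sys.stdin)
    try:
        out = subprocess.run(
            ["kubectl", "get", "secret", "-n", query["namespace"], query["name"], "-o", "json"],
            check=True, capture_output=True, text=True,
        ).stdout
        result = extract_key(out, query.get("key", "token"))
    except subprocess.CalledProcessError as err:
        print(err.stderr.strip(), file=sys.stderr)
        return 1
    except (KeyError, ValueError) as err:
        # Report only the reason on stderr; never echo the secret value.
        print(str(err), file=sys.stderr)
        return 1
    json.dump(result, sys.stdout)
    return 0


# Constructed sample of `kubectl get secret -o json` output (not from the issue).
SAMPLE = json.dumps({"kind": "Secret", "metadata": {"name": "test", "namespace": "test"},
                     "data": {"token": base64.b64encode(b"s.constructed-token").decode()}})

if __name__ == "__main__":
    sys.exit(main())
```

The value returned this way is stored in Terraform state like any other data source result, so the state backend needs the same protection as the secret itself.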