terraform-provider-kubernetes
Windows security options set incorrect default values
Terraform Version, Provider Version and Kubernetes Version
Terraform v1.9.3
on windows_amd64
+ provider registry.terraform.io/hashicorp/azurerm v3.116.0
+ provider registry.terraform.io/hashicorp/helm v2.15.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.32.0
+ provider registry.terraform.io/newrelic/newrelic v3.42.3
Kubernetes provider version:
Kubernetes version: 1.29.5
Affected Resource(s)
kubernetes_daemonset
I believe any resource containing a container def has the same issue.
Terraform Configuration Files
```hcl
resource "kubernetes_deployment_v1" "example" {
  metadata {
    name = "example"
  }
  spec {
    template {
      spec {
        security_context {
          windows_options {
            host_process    = true
            run_as_username = "NT AUTHORITY\\SYSTEM"
            # gmsa_credential_spec and gmsa_credential_spec_name are deliberately not set
          }
        }
        host_network = true
      }
    }
  }
}
```
Debug Output
```text
Error: Failed to update daemonset: DaemonSet.apps "newrelic-windows-2004" is invalid: [spec.template.spec.securityContext.windowsOptions.gmsaCredentialSpecName: Invalid value: "": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'), spec.template.spec.securityContext.windowsOptions.gmsaCredentialSpec: Invalid value: "": gmsaCredentialSpec cannot be an empty string]
```
Expected Behavior
gmsa_credential_spec and gmsa_credential_spec_name should not be required. It is currently impossible to create a container using windows options without specifying those, because it looks like the API call is setting them to empty strings, which is incorrect.
Looks like in the implementation this was incorrectly set as required?
https://github.com/hashicorp/terraform-provider-kubernetes/pull/2289/commits/812e23e118af8290bbd90530dbf8b32fec2149e0
Actual Behavior
Should apply OK.
References
https://github.com/hashicorp/terraform-provider-kubernetes/issues/1623
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
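To make the defect described under Expected Behavior concrete, here is an added Go sketch (not the provider's own code): a reduced stand-in for the Kubernetes WindowsSecurityContextOptions type, a "buggy" expander that always sets the gMSA fields so omitted attributes go out as empty strings, a fixed expander that leaves them nil when unset, and a validator that applies the two API server checks quoted in the debug output. The struct, function names and the input map are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
)
// Reduced stand-in for the Kubernetes WindowsSecurityContextOptions type (constructed for this example).
type WindowsOptions struct{ GMSACredentialSpecName, GMSACredentialSpec *string }

// rfc1123Subdomain is the regex quoted in the API server error above.
var rfc1123Subdomain = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// optStr returns nil when the attribute is absent or empty, so the field is omitted from the request.
func optStr(block map[string]interface{}, key string) *string {
	if v, ok := block[key].(string); ok && v != "" {
		return &v
	}
	return nil
}
// expandBuggy reproduces the reported defect: omitted gMSA attributes are sent as "" rather than nil.
func expandBuggy(block map[string]interface{}) *WindowsOptions {
	name, _ := block["gmsa_credential_spec_name"].(string)
	spec, _ := block["gmsa_credential_spec"].(string)
	return &WindowsOptions{GMSACredentialSpecName: &name, GMSACredentialSpec: &spec}
}

// expandFixed leaves a field nil when the attribute was not set in HCL.
func expandFixed(block map[string]interface{}) *WindowsOptions {
	return &WindowsOptions{
		GMSACredentialSpecName: optStr(block, "gmsa_credential_spec_name"),
		GMSACredentialSpec:     optStr(block, "gmsa_credential_spec"),
	}
}
// validate applies the two API server checks quoted in the debug output.
func validate(o *WindowsOptions) []string {
	var errs []string
	if o.GMSACredentialSpecName != nil && !rfc1123Subdomain.MatchString(*o.GMSACredentialSpecName) {
		errs = append(errs, "gmsaCredentialSpecName: not a lowercase RFC 1123 subdomain")
	}
	if o.GMSACredentialSpec != nil && *o.GMSACredentialSpec == "" {
		errs = append(errs, "gmsaCredentialSpec cannot be an empty string")
	}
	return errs
}

func main() {
	// The issue's windows_options block: host_process and run_as_username only, no gMSA attributes (constructed).
	block := map[string]interface{}{"host_process": true, "run_as_username": "NT AUTHORITY\\SYSTEM"}
	fmt.Println("buggy:", validate(expandBuggy(block)), "fixed:", validate(expandFixed(block)))
}
```

Running it prints two validation errors for the buggy expander and none for the fixed one, matching the error the API server returned in the report.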
This comment here also points to the opposite happening: someone trying to set gmsa values, but not runAsUser:
https://github.com/hashicorp/terraform-provider-kubernetes/issues/1623#issuecomment-1986572069
Marking this issue as stale due to inactivity. If this issue receives no comments in the next 30 days it will automatically be closed. If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. This helps our maintainers find and focus on the active issues. Maintainers may also remove the stale label at their discretion. Thank you!