terraform-provider-kubernetes icon indicating copy to clipboard operation
terraform-provider-kubernetes copied to clipboard

Published 20 hours ago verified publisher icon hashicorp

kubernetes_cron_job.job_template.spec.template.metadata.annotations are always removed in state

Open lwsanty opened this issue 3 years ago • 4 comments

Terraform Version, Provider Version and Kubernetes Version

Terraform version: 1.0.0
Kubernetes provider version: 2.1.0, 2.3.0
Kubernetes version: 1.19.9-gke.1400

Affected Resource(s)

kubernetes_cron_job

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

resource "kubernetes_cron_job" "job" {
  count = var.job.enabled ? 1 : 0
  depends_on = [
    kubernetes_config_map.job_checks_configmap
  ]

  metadata {
    name      = "job"
    namespace = "job"
    annotations = {
      configmap-checksum = local.configmap_checksum
    }
  }
  spec {
    concurrency_policy            = "Forbid"
    failed_jobs_history_limit     = var.job.failedJobsHistoryLimit
    schedule                      = var.job.cron
    starting_deadline_seconds     = var.job.startingDeadlineSeconds
    successful_jobs_history_limit = var.job.successfulJobsHistoryLimit
    suspend                       = var.job.suspend
    job_template {
      metadata {}
      spec {
        backoff_limit = var.job.backoffLimit
        template {
          metadata {
            annotations = {
              configmap-checksum = local.configmap_checksum
            }
          }
...

Debug Output

  # module.job.kubernetes_cron_job.job[0] will be updated in-place
  ~ resource "kubernetes_cron_job" "job" {
        id = "job/job"


      ~ spec {
            # (6 unchanged attributes hidden)

          ~ job_template {
              ~ metadata {
                  ~ annotations = {
                      - "configmap-checksum" = "${some_removed_checksum_here}" -> null
                    }
                    # (2 unchanged attributes hidden)
                }

                # (1 unchanged block hidden)
            }
        }
        # (1 unchanged block hidden)
    }

Panic Output

Steps to Reproduce

  1. update terraform to 1.0.0
  2. terraform apply
  3. see Debug Output
  4. terraform apply
  5. the same

Expected Behavior

What should have happened? No changes detected

Actual Behavior

What actually happened? Seems like tf always trying to fix the resources state but never able to, at the same time it should not remove the annotations

Important Factoids

References

  • It was working with terraform 0.15.3 so probably 0.15.4 and/or 0.15.5 screwed it up

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

lwsanty avatar Jun 15 '21 11:06 lwsanty

@lwsanty Can you share some details about how the value of local.configmap_checksum gets set?

alexsomesan avatar Jul 07 '21 13:07 alexsomesan

@alexsomesan sure

locals {
  check_total_seconds = 20
  check_step_seconds  = 2

  check_memcached_script = <<EOF
import asyncio
import sys
import aiomcache
async def print_version(host, port):
    print((await aiomcache.Client(host, port).version()).decode())
asyncio.run(print_version(sys.argv[1], sys.argv[2]))
EOF

  check_db_script = <<EOF
import asyncio
import sys
from databases import Database
async def connect_db(conn_str):
    await Database(conn_str).connect()
asyncio.run(connect_db(sys.argv[1]))
EOF

  check_script = <<EOF
script=$${1}
args=$${2}
if ! sh -c "timeout ${local.check_total_seconds} sh -c 'until python3 $${script} $${args}; do sleep ${local.check_step_seconds}; done'"
then
    echo "failed"
    exit 1
else
	echo succeeded
fi
EOF

  configmap_checksum = sha512(format("%s%s%s", sha512(local.check_memcached_script), sha512(local.check_db_script), sha512(local.check_script)))
}

lwsanty avatar Jul 13 '21 14:07 lwsanty

This is another perpetual diff. I was able to reproduce it on updates. Annotations are not able to update in-place on the Job resource (I'm assuming it's similar here in the cron_job resource). They are only successfully added on Create. We might need to look at patch operations relating to JobSpec.

dak1n1 avatar Jul 21 '21 16:07 dak1n1

Marking this issue as stale due to inactivity. If this issue receives no comments in the next 30 days it will automatically be closed. If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. This helps our maintainers find and focus on the active issues. Maintainers may also remove the stale label at their discretion. Thank you!

github-actions[bot] avatar Jul 22 '22 00:07 github-actions[bot]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot] avatar Sep 20 '22 02:09 github-actions[bot]