cert-manager certificates manifest - Provider produced inconsistent result after apply e.g `24h` should be `24h0m0s`

[laukaichung]

Terraform, Provider, Kubernetes versions

Terraform version: v0.15.3
Provider version: v0.3.3
Kubernetes version: 1.2.1

Affected Resource(s)

Terraform Configuration Files

resource "kubernetes_manifest" "linkerd_webhook_issuer" {
  depends_on = [kubernetes_namespace.linkerd]
  provider = kubernetes-alpha
  manifest = {
    apiVersion = "cert-manager.io/v1"
    kind       = "Issuer"
    metadata = {
      name      = "webhook-issuer"
      namespace = "linkerd"
    }

    spec = {
      ca = {
        secretName = "webhook-issuer-tls"
      }
    }
  }
}

resource "kubernetes_manifest" "linkerd_proxy_injector" {
  depends_on = [kubernetes_manifest.linkerd_webhook_issuer]
  provider = kubernetes-alpha

  manifest = {
    apiVersion = "cert-manager.io/v1"
    kind       = "Certificate"
    metadata = {
      name      = "linkerd-proxy-injector"
      namespace = "linkerd"
    }

    spec = {
      secretName   = "linkerd-proxy-injector-k8s-tls"
      duration  = "24h"
      renewBefore    = "1h"
      commonName   = "linkerd-proxy-injector.linkerd.svc"
      dnsNames  = ["linkerd-proxy-injector.linkerd.svc"]
      isCA   = false
      usages  = ["server auth"]
      issuerRef  = {
        name = "webhook-issuer"
        kind = "Issuer"
      }
      privateKey      = {
        algorithm = "ECDSA"
      }
    }
  }
}

Debug Output

Panic Output

╷
│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to kubernetes_manifest.linkerd_proxy_injector,
│ provider "provider[\"registry.terraform.io/hashicorp/kubernetes-alpha\"]"
│ produced an unexpected new value: .object.spec.duration: was
│ cty.StringVal("24h"), but now cty.StringVal("24h0m0s").
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵
╷
│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to kubernetes_manifest.linkerd_proxy_injector,
│ provider "provider[\"registry.terraform.io/hashicorp/kubernetes-alpha\"]"
│ produced an unexpected new value: .object.spec.renewBefore: was
│ cty.StringVal("1h"), but now cty.StringVal("1h0m0s").
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵
╷
│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to kubernetes_manifest.linkerd_proxy_injector,
│ provider "provider[\"registry.terraform.io/hashicorp/kubernetes-alpha\"]"
│ produced an unexpected new value: .object.spec.isCA: was cty.False, but now
│ null.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.

Steps to Reproduce

1. Follow Linkerd instructions to create issuer and cert manifest: (Official Doc)
2. terraform apply

Expected Behavior

No error after Terraform apply.

Actual Behavior

After changing the values as per the instructions: 24h > 24h0m0s , 1h > 1h0m0s and remove isCA: false, terraform works fine and the certs are able to be created. The cert-manager doesn't use these time format 24h0m0s but just 24h.

Important Factoids

References

• GH-1234

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

[mattduguid]

similar issue, solved with same workaround

application_certificate_duration = "2160h0m0s" # 90 days application_certificate_renew_before = "360h0m0s" # 15 days