hashicorp / terraform-provider-kubernetes

Terraform Kubernetes provider
https://www.terraform.io/docs/providers/kubernetes/
Mozilla Public License 2.0

Cannot create cert-manager selfSigned Issuer #1352

Closed kyschouv closed 1 year ago

kyschouv commented 3 years ago

This appears to be the same behavior as seen in the kubernetes-alpha provider: https://github.com/hashicorp/terraform-provider-kubernetes-alpha/issues/167

Terraform Version, Provider Version and Kubernetes Version

Terraform version: 1.0.3
Kubernetes provider version: 2.4.1
Kubernetes version: 1.21.2

Affected Resource(s)

kubernetes_manifest

Terraform Configuration Files

resource "kubernetes_manifest" "aso_issuer" {
  manifest = {
    "apiVersion" = "cert-manager.io/v1"
    "kind" = "Issuer"
    "metadata" = {
      "name" = "azureoperator-selfsigned-issuer"
      "namespace" = "operators"
    }
    "spec" = {
      "selfSigned" = {}
    }
  }
}

Steps to Reproduce

Apply the above resource.

Expected Behavior

It should deploy the resource.

Actual Behavior

I get an error. It appears to be stripping the selfSigned portion of the manifest.

kubernetes_manifest.aso_issuer: Creating...
╷
│ Error: API response status: Failure
│
│   with kubernetes_manifest.aso_issuer,
│   on azure-service-operator.tf line 2, in resource "kubernetes_manifest" "aso_issuer":
│    2: resource "kubernetes_manifest" "aso_issuer" {
│
│ admission webhook "validate.webhooks.cert-manager.io" denied the request:
│ spec: Required value: at least one issuer must be configured
╵

alexsomesan commented 3 years ago

@kyschouv What you are seeing here is an error response from the Cert Manager validation webhook. It's trying to signal that the Issuer CR must actually contain at least one "issuer" entry in the "spec" section.

I haven't used Cert Manager myself, but this is how the error message reads to me. It's not a provider problem, as far as I can tell.

kyschouv commented 3 years ago

@alexsomesan This is the same form as the yaml that cert-manager specifies to use to create a selfSigned issuer. It needs an empty object for selfSigned in the spec. I even used the yaml to tf tooling to convert the sample from cert-manager. The problem is that the kubernetes Terraform provider (and the kubernetes-alpha provider, as seen in the linked issue) replaces that with a null value (or removes it - I'm not entirely sure), and then cert-manager doesn't know what to do with it (since it's expecting an empty object, not a null).

This is definitely something I can deploy fine with yaml. But converting that yaml to hcl and deploying it with kubernetes_manifest fails. That seems like the provider is probably doing something wrong, or at least needs a workaround if this is just due to hcl behavior.

t-winter commented 3 years ago

I have the same problem and the problem actually appears to originate in the terraform kubernetes provider. The reasoning behind this conclusion is as follows:

bweir commented 2 years ago

Can confirm, I am experiencing this right now:

Error: API response status: Failure

  on cert_manager.tf line 50, in resource "kubernetes_manifest" "self_signed_cluster_issuer":
  50: resource "kubernetes_manifest" "self_signed_cluster_issuer" {

admission webhook "webhook.cert-manager.io" denied the request: spec: Required
value: at least one issuer must be configured

The YAML works fine:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: self-signed-cluster-issuer
  namespace: cert-manager
spec:
  selfSigned: {}

The error suggests that the kubernetes_manifest resource removes the empty object before submitting the manifest to the cluster:

resource "kubernetes_manifest" "self_signed_cluster_issuer" {
    manifest = {
        apiVersion = "cert-manager.io/v1"
        kind = "ClusterIssuer"
        metadata = {
          name = "self-signed-cluster-issuer"
        }
        spec = {
          selfSigned = {}
        }
    }
}
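
Added example, not code from the provider or from cert-manager: a small Go program that mirrors the rule the webhook error quotes ("at least one issuer must be configured") and makes the distinction kyschouv describes concrete, namely that an empty object and a null serialise differently on the wire and are treated differently by the webhook. The two request bodies are constructed from the YAML and HCL above; the `issuerKinds` list and the function names are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Issuer types cert-manager v1 accepts under spec; the webhook rejects a spec
// with none of them set. Assumption for this example: the list mirrors the
// documented issuer kinds and is not taken from cert-manager's code.
var issuerKinds = []string{"acme", "ca", "selfSigned", "vault", "venafi"}

// ValidateIssuerSpec reproduces the check behind the error in this thread:
// at least one issuer key under spec must be present and non-null. An empty
// object ({}) counts as configured; a missing key or JSON null does not.
// It returns the configured issuer kinds, or an error in the webhook's wording.
func ValidateIssuerSpec(manifest map[string]interface{}) ([]string, error) {
	spec, ok := manifest["spec"].(map[string]interface{})
	if !ok {
		return nil, errors.New("spec: Required value: spec must be an object")
	}
	var configured []string
	for _, kind := range issuerKinds {
		v, present := spec[kind]
		if !present || v == nil { // absent or null: not configured
			continue
		}
		if _, isObj := v.(map[string]interface{}); !isObj {
			return nil, fmt.Errorf("spec.%s: must be an object, got %T", kind, v)
		}
		configured = append(configured, kind)
	}
	if len(configured) == 0 {
		return nil, errors.New("spec: Required value: at least one issuer must be configured")
	}
	return configured, nil
}

// ValidateIssuerJSON parses the JSON body a client would send and validates it.
func ValidateIssuerJSON(body []byte) ([]string, error) {
	var manifest map[string]interface{}
	if err := json.Unmarshal(body, &manifest); err != nil {
		return nil, err
	}
	return ValidateIssuerSpec(manifest)
}

// MarshalSelfSignedSpec shows the serialisation difference at the heart of
// the issue: a nil map is emitted as JSON null, an empty non-nil map as {}.
func MarshalSelfSignedSpec(selfSigned map[string]interface{}) string {
	b, _ := json.Marshal(map[string]interface{}{"selfSigned": selfSigned})
	return string(b)
}

// Constructed request bodies: what the YAML above serialises to, and what a
// client that nulls out the empty object would send instead.
const goodBody = `{"apiVersion":"cert-manager.io/v1","kind":"ClusterIssuer",
 "metadata":{"name":"self-signed-cluster-issuer"},
 "spec":{"selfSigned":{}}}`

const strippedBody = `{"apiVersion":"cert-manager.io/v1","kind":"ClusterIssuer",
 "metadata":{"name":"self-signed-cluster-issuer"},
 "spec":{"selfSigned":null}}`

func main() {
	for name, body := range map[string]string{"good": goodBody, "stripped": strippedBody} {
		kinds, err := ValidateIssuerJSON([]byte(body))
		fmt.Printf("%-8s configured=%v err=%v\n", name, kinds, err)
	}
	fmt.Println(MarshalSelfSignedSpec(nil))
	fmt.Println(MarshalSelfSignedSpec(map[string]interface{}{}))
}
```

Running the pre-check against the body a client is about to submit catches the stripped `selfSigned` before the apply reaches the cluster, which is a cheaper way to tell "provider dropped my empty object" apart from "my manifest is genuinely wrong" than reading the webhook error after the fact.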

artificial-aidan commented 2 years ago

So I just dug into this a bunch, and have some tests to reproduce it, I'll get some stuff up tomorrow.

There is a hack that kind of works for now:

spec:
  selfSigned:
    crlDistributionPoints: []

This will create the issuer, but also error out with:

When applying changes to kubernetes_manifest.webhook_issuer, provider "provider[\"registry.terraform.io/hashicorp/kubernetes\"]" produced an unexpected new value:
.object.spec.selfSigned.crlDistributionPoints: was cty.ListValEmpty(cty.String), but now null.

But at least it applies.

Skaronator commented 2 years ago

This issue seems to be fixed in the 2.6.0 release fyi

github-actions[bot] commented 1 year ago

Marking this issue as stale due to inactivity. If this issue receives no comments in the next 30 days it will automatically be closed. If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. This helps our maintainers find and focus on the active issues. Maintainers may also remove the stale label at their discretion. Thank you!

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.