[BUG] 4.1.0 - tf want to unset rke_config.services.kube_api.admission_configuration when default_pod_security_admission_configuration_template_name is set

gorantornqvist-sr commented 2 months ago

Rancher Server Setup

Rancher version: 2.8.3
Installation option (Docker install/Helm Chart): helm chart
- If Helm Chart, Kubernetes Cluster and version (RKE1, RKE2, k3s, EKS, etc): RKE1 v1.27.11
Proxy/Cert Details: noprox/self-signed

Information about the Cluster

Kubernetes version: RKE1 v1.27.11
Cluster Type (Local/Downstream): Downstream
- If downstream, what type of cluster? (Custom/Imported or specify provider for Hosted/Infrastructure Provider): vSphere

User Information

What is the role of the user logged in? Admin
- If custom, define the set of permissions:

Provider Information

What is the version of the Rancher v2 Terraform Provider in use? 4.1.0
What is the version of Terraform in use? v1.2.7

Describe the bug

When rancher2_cluster.default_pod_security_admission_configuration_template_name set, terraform wants to remove rke_config.services.kube_api.admission_configuration each time it is run, see screenshot.

To Reproduce

Set default_pod_security_admission_configuration_template_name
tf apply
looks like rancher rewrites the default_pod_security_admission_configuration_template_name content to the cluster yaml part to rke_config.services.kube_api.admission_configuration ?
tf plan - shows it wants to remove rke_config.services.kube_api.admission_configuration
if rke_config.services.kube_api.admission_configuration is removed either by terraform or manually in GUI, rancher rewrites it.

Actual Result

Expected Result

tf apply/plan should not try to remove the rancher generated contents

Screenshots

Additional context

pwurbs commented 1 month ago

I face the same

pwurbs commented 1 month ago

There is another negative impact: When applying the plan, then it brought back the formerly removed defaultPodSecurityPolicyTemplateName config parameter in the cluster configuration. This then enabled back the (useless) configuration of a PSP for a Rancher project.

I mitigated the issue by redundantly added admission_configuration to the kube-api in cluster config in TF configuration. This stops the Rancher TF provider from removing it from the Rancher generated rke_config.

As an alternative, rke_config[0].services[0].kube_api[0].admission_configuration can be added to ignore_changes

gorantornqvist-sr commented 1 month ago

This workaround appears to work:

resource "rancher2_cluster" "cluster" {

  lifecycle {
    ignore_changes = [
        rke_config[0].services[0].kube_api[0].admission_configuration
    ]
  }
}

pwurbs commented 1 month ago

For me too

rancher / terraform-provider-rancher2