Cannot create cert-manager selfSigned Issuer using kubernetes-alpha 0.3.1

[jbg]

Terraform, Provider, Kubernetes versions

tf:
Terraform v0.14.8
+ provider registry.terraform.io/hashicorp/kubernetes-alpha v0.3.1

k8s:
Client Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.4", ...}
Server Version: version.Info{Major:"1", Minor:"19+", GitVersion:"v1.19.6-eks-49a6c0", ...}

Affected Resource(s)

• kubernetes_manifest

Terraform Configuration Files

resource "kubernetes_manifest" "issuer_aws_load_balancer_selfsigned_issuer" {
  provider = kubernetes-alpha

  manifest = {
    "apiVersion" = "cert-manager.io/v1alpha2"
    "kind" = "Issuer"
    "metadata" = {
      "labels" = {"app.kubernetes.io/name" = "aws-load-balancer-controller"}
      "name" = "aws-load-balancer-selfsigned-issuer"
      "namespace" = "kube-system"
    }
    "spec" = {"selfSigned" = {}}
  }
}

Debug Output

Error: API response status: Failure

  on modules/aws-load-balancer-controller/main.tf line 847,
  in resource "kubernetes_manifest" "issuer_aws_load_balancer_selfsigned_issuer":847:
  resource "kubernetes_manifest" "issuer_aws_load_balancer_selfsigned_issuer" {

admission webhook "webhook.cert-manager.io" denied the request: spec: Required
value: at least one issuer must be configured

Expected Behavior

The resource is created with the same spec as if I had used this in YAML:

spec:
  selfSigned: {}

Actual Behavior

The selfSigned key is missing in the resource sent to k8s, resulting in the error.

References

• Possibly a variant of "Empty blocks in the manifest may cause inconsistent state after apply" from Known issues #158 "Known Issues", but this is causing an error rather than inconsistent state.

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

[alexsomesan]

@jbg What you are seeing here is a response from the cert-manager admission web-hook (as denoted by the API response status message). This is not an error in the provider, rather the webhook communicating that at least one issuer must be configured

Are you installing the web-hook at the same time as the issuer_aws_load_balancer_selfsigned_issuer resource?

[jbg]

The error is being returned by the webhook because kubernetes-alpha is stripping out the selfSigned key from the spec (presumably because the value of the key is an empty map). If I manually kubectl apply the exact same YAML structure as the structure I'm passing to kubernetes-alpha it works fine. It's very clearly an issue with the provider. Sorry if I didn't make that clear in the issue description.

The webhook is already installed.

[jbg]

Also, forgot to mention, the same manifest applies correctly in 0.2.x

[alexsomesan]

@jbg Thanks for the clarification. That puts some perspective on the whole issue.

We do have an ongoing battle with the empty blocks in this provider. In most cases, apart from one other known situation in CRD "subresources", they all get swallowed by the API and replaced with nil and that upsets Terraform because it's not expecting parts of the configuration to "disappear". For that reason we don't allow empty blocks in configuration, but this is more like a stopgap until we can find a universal solution to the issue. I'll look into what needs to happen in this case too.

[puzzloholic]

Maybe adding option feature in lifecycle will solve cases like these?

lifecycle {
   strip_empty_block = false
}

[devurandom]

We do have an ongoing battle with the empty blocks in this provider. In most cases, apart from one other known situation in CRD "subresources", they all get swallowed by the API and replaced with nil and that upsets Terraform because it's not expecting parts of the configuration to "disappear".

You mean Terraform complains like this?

When applying changes to kubernetes_manifest.REDACTED, provider "provider["registry.terraform.io/hashicorp/kubernetes-alpha"]" produced an unexpected new value: .object.spec.selfSigned.crlDistributionPoints: was cty.ListValEmpty(cty.String), but now null.

---

Maybe adding option feature in lifecycle will solve cases like these?

lifecycle {
   strip_empty_block = false
}

You are describing a hypothetical future meta argument, right? (https://www.terraform.io/docs/language/meta-arguments/lifecycle.html does not document strip_empty_block.)

---

I managed to workaround this by specifying:

spec:
  selfSigned:
    crlDistributionPoints: [""] # Any value, to workaround https://github.com/hashicorp/terraform-provider-kubernetes-alpha/issues/167