Optional data in kubernetes secret causes destroy on every apply #1168
Comments
Hi @innovate-invent! Have you tried using Terraform's ignore_changes lifecycle meta-argument?
That is a reasonable workaround but should not be required. A check needs to be added to the provider to differentiate if the optional input has been specified and is empty or is unspecified and should not force a value on the deployment.
@innovate-invent I am not sure I understand your issue clearly. You mention in the issue description that the Also, can you please clarify what changes are performed to the secret when you say: "2. app modifies secret"? This part is important as outside modifications are something Terraform by default tries to guard against. This is the reason why @redeux suggested above that you use the
The issue is that the data field is optional. When omitted, I expect terraform to not track the value of that field. It currently overwrites the value with a null on apply. I wrote a draft fix to illustrate the issue: #1171
@alexsomesan asked that I elaborate on why I need this functionality in my PR. This is required for the kubernetes dashboard. I translated the recommended dashboard deployment from k8s documents to terraform: https://github.com/brinkmanlab/cloud_recipes/blob/master/aws/dashboard.tf You will need to inquire with the Kubernetes dev team as to why they chose to use secrets in this way.
@innovate-invent I think I understand the issue better now. It looks to me like that secret is only used as an output from the Dashboard app to communicate the authentication key that it generated. In this case, I really don't see a need for that secret to be managed as a resource, and you could just make it a datasource. This of course only works if the Dashboard is actually able to create the secret if it's not present.
Are you sure the code is handling the 'optional=true,computed=true' aspect of the schema correctly? The code does not check if the data is unset and tries to assign a null value to the data. When optional=true you need to use the GetOk function rather than Get to fetch it.
Marking this issue as stale due to inactivity. If this issue receives no comments in the next 30 days it will automatically be closed. If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. This helps our maintainers find and focus on the active issues. Maintainers may also remove the stale label at their discretion. Thank you!
bump
Please use ignore_changes as needed to suppress those diffs. This is indeed a canonical way to solve this type of issue in Terraform and fully endorsed by us.
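The `ignore_changes` workaround discussed in this thread, as an added example that is not from the issue, the linked repository or the provider's documentation. The resource labels, secret name and namespace are assumptions modelled on the upstream dashboard deployment; adjust them to your own configuration.

```hcl
# Added example: Terraform creates the secret once, then leaves the
# application-written contents alone on later applies.
# Names below are assumptions, not values taken from the issue.
resource "kubernetes_secret" "dashboard_key_holder" {
  metadata {
    name      = "kubernetes-dashboard-key-holder" # assumed name
    namespace = "kubernetes-dashboard"            # assumed namespace
  }

  type = "Opaque"

  # "data" is intentionally omitted: the dashboard fills it in at runtime.

  lifecycle {
    # Without this, the next plan sees the app-written keys as drift
    # from the (empty) configuration and tries to reset the secret,
    # discarding the key material the dashboard generated.
    ignore_changes = [data]
  }
}

# Alternative raised earlier in the thread: do not manage the secret at
# all and only read it. Use this INSTEAD of the resource above, and only
# if the application creates the secret itself when it is missing.
#
# data "kubernetes_secret" "dashboard_key_holder" {
#   metadata {
#     name      = "kubernetes-dashboard-key-holder" # assumed name
#     namespace = "kubernetes-dashboard"            # assumed namespace
#   }
# }
```

With `ignore_changes = [data]` in place, Terraform also stops correcting any other out-of-band change to that field, so access to the secret should be restricted through Kubernetes RBAC rather than relying on the next apply to revert tampering.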
Terraform Version, Provider Version and Kubernetes Version
Affected Resource(s)
kubernetes_secret
Terraform Configuration Files
Steps to Reproduce
terraform apply
--> create secret
terraform apply
--> tries to recreate secret
Expected Behavior
Secret left unmodified
Actual Behavior
Important Factoids
Kubernetes dashboard modifies the secret after it has been created