Can not set internal annotations to specify load balancer ssl certs #60
Comments
|
Hi @udangel-r7 Allowing users to specify internal ( |
|
Hi, I am also affected by this change. Is there any known workaround to configure SSL for the load balancers on AWS? |
|
The same problem exists when your LB shall not have an external IP, e.g., in development environments with only internal IPs. I'd be happy if this issue can be solved. Thank you. |
|
Is there a previous version of Terraform where internal annotations are allowed? |
|
Hi, same issue for me, as I need to specify the well known I've read #50 (comment) and understand that the root issue from the terraform point of view is more with dynamic kubernetes annotations that potentially change all the time like those listed at https://kubernetes.io/docs/reference/labels-annotations-taints/ :
As maintaining the list of such annotations exhaustively can seem overwhelming if not impossible as time goes, what about allowing to whitelist annotations by configuration? I guess doing so at the provider level would be practical: What do you think? PS: I'll use the pod security context's Edit: #325 is a better alternative as it does not require the user to actively maintain the whitelist. |
|
This is pretty annoying, why enforce this at all? Doesn't kubernetes API prevent this? |
|
Actually there is a good list regarding the aws specific annotations here: https://gist.github.com/mgoodness/1a2926f3b02d8e8149c224d25cc57dc1 I think a whitelist would be the best solution currently. |
|
Further broken use cases include assigning an ELB to a service: https://gist.github.com/mgoodness/1a2926f3b02d8e8149c224d25cc57dc1 And allowing syscalls in pods: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/#setting-sysctls-for-a-pod |
|
By my opinion this check is unneeded, it's up to user to not use these annotations, and use them when he knows what he is doing. |
|
Same here, I am trying to make storage class to be default. And I need Using of this annotation is not restricted by Kubernetes and documented there https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/ |
|
Same problem with azure internal load balancer: |
|
Any possibility allow annotation usage e.g. change this check to just output warning or something? Now this means that everyone using e.g. internal load balancers in azure or aws or otherwise defining additional parameters to those fail? Or is there any easy way to make those work in other ways? |
|
Please read #50 (comment), which explains why this check exists. |
|
I think that especially because of the reasoning behind #50 this is a big issue for many of us. Unfortunately, the usage after this change showed that some tasks that were possible before are not possible anymore. For those of us who rely on these features (internal load balancers, aws certificates, ...) this makes those things really hard do achieve. Therefore, I would be really interested in feasible solution such as some whitelisting of certain annotations or similar. |
|
Same problem here, when having the external IP for a loadbalancer inside a different resource group on azure: Whitelisting these necessary annotations would be highly appreciated. |
|
I'm also now hit with the bug and having the list of approved annotations would seriously help. I'm not a developer and had never even ventured into Go before, but managed to piece together the following extension to the existing function validateAnnotations in I've tested the above and it works with my specific use case of needing an internal load balancer in Azure for provisioning a POC. Whilst i understand why the check for internal providers was built in the first place, this is severely impacting the usefulness of the Kubernetes provider without the ability for this exception. If there is appetite for me to submit a pull request i'm more than happy to but I suspect there is a significantly more efficient way of the above check :). I'll also have to figure out the part of that stops the attempt to re-enable the load balancer every time as this is what happens when I re-run: |
|
Are there plan to support annotations? Specifically creating kubernetes service's with internal private elbs |
|
Here's another set of "internal" kubernetes.io annotations that are disallowed: https://github.com/kubernetes-sigs/aws-alb-ingress-controller/blob/master/docs/ingress-resources.md#annotations. This ingress controller is absolutely unusable without whitelisting the large list. C'mon guys, the examples where this is blocking people for legitimate usage are far outweighing and far outnumbering the original reasons for blocking it, and severely degrades the usability of this provider. Please revert #50 or reduce its scope. |
|
Now that development is starting back up on this, it would be great to have this revisited. I would love to use this in some different projects, but kube2iam used the internal annotations to allow pods to assume an IAM role. |
|
I'm not a go developer, so I won't open a pull request, but here's my solution for this problem: Idea: @pdecat / Solution: @mb290 Here's an example: provider "kubernetes" {
internal_annotations_whitelist = [
"storageclass.kubernetes.io/is-default-class",
]
}
resource "kubernetes_storage_class" "gp2" {
metadata {
name = "gp2"
annotations {
"storageclass.kubernetes.io/is-default-class" = "true"
}
}
storage_provisioner = "kubernetes.io/aws-ebs"
parameters {
type = "gp2"
encrypted = "true"
}
}I don't know is it known, but if you're using |
|
Haha, lack of support of internal annotations just made this and couple of other Kubernetes resources useless. Especially in enterprise. Thanks for removing this. Now automation of this just got much complicated. |
|
@jakubigla For similar reason, we've started using https://github.com/sl1pm4t/terraform-provider-kubernetes instead of the official... It has no problem with internal annotations, there's a lot of beta APIs are supported, which we're using (ingress, clusterrole, etc)... Worth a try instead of using (for example) dumb hacks with null_provider |
|
So is there's any progress with this? I mean it's 2019 and April already hello? @pdecat @AlexBoulyga Anyone? Help? Devops can't live without terraform! |
Thanks a lot, I would prefer that the official provider support k8s annotation, but ¯_(ツ)_/¯ |
|
@Xyrodileas, most of us have gone off the reservation and built our own version of the provider to get around this problem. I created PR #244 for the main provider to address the problem in the way suggested by one of the contributors. Others, like sl1pm4t / terraform-provider-kubernetes, have forked the code since Hashicorp seems uninterested in making this provider capable of real-world deployments. Either way, the only real workaround at this point is to either build your own custom provider or use the local-exec hack to run kubectl. |
|
Is this still stalled? I'm trying to use External DNS, and I've run into this issue. It's very annoying. I don't like this idea of terraform making decisions about what I can and can't do in k8s. I've run into other issues like this (not being able to set automountServiceAccountToken on deployments). Is there a workaround for this particular issue? |
|
@erick-thompson Workaround is currently to shell out to Regarding Alternatively there's also a number of forks of the provider, such as this one, which appear to be a good option (I haven't gone down this path just yet). Or of course you could also build a provider locally based on any of the PRs that have been submitted to solve this issue. |
|
I ended up using that workaround for the service account token, but I wish I had those hours back, when I was trying to debug what was going on and how to fix it. For this issue, I'll likely just use terraform to create the yaml file and apply it later. The problem is that I provision the cluster (in my case AKS) from the same terraform as I wanted to configure the service for, so I can't use local-exec unless I do something to ensure that the kubectl config is set up correctly. |
Yeah, I hear you. It's one thing to make questionable design decisions; it's another thing entirely to not document them!
I'm on EKS so I'm not sure what's available for AKS, but I'm using |
|
I took a similar approach and used " |
|
Plan works, apply produces this... |
|
This should now be fixed by the merge of #325 |
|
Can we have a release tagged with the fix included, please? |
|
Hi. Yes, a release is coming in the next couple of days.
I’m aiming for it to include PodAffinity as well, so I'm looking into
getting that ready as well.
On Fri 17. May 2019 at 19:46, Pavel Eremeev ***@***.***> wrote:
Can we have a release tagged with the fix included, please?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#60>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAIL5G7ACG2BGC4GUM6OMI3PV3VQLANCNFSM4DYLP6HQ>
.
--
— Sent from my phone.
|
|
This has now been released in 1.7.0: https://github.com/terraform-providers/terraform-provider-kubernetes/blob/master/CHANGELOG.md#170-may-22-2019 |
|
Rock on 🤘
On Thu, May 23, 2019 at 12:22 AM Tim Malone ***@***.***> wrote:
This has now been released in 1.7.0:
https://github.com/terraform-providers/terraform-provider-kubernetes/blob/master/CHANGELOG.md#170-may-22-2019
🎉 🚀
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#60>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAD7LG3B6DRAAGEAKPQZPTDPWYLYHANCNFSM4DYLP6HQ>
.
--
- Robert Ross
|
|
Thank you @tdmalone for taking the torch on this provider! |
|
I am still getting an error - maybe my syntax is incorrect?
Error: In the error message |
|
Can you try with quotes? |
|
I tried before with quotes and I got: |
|
With terraform 0.12+, you need to specify annotations as a map and with an equal sign: |
This worked! Thank you. I was losing my mind. I'm new to Terraform - where could I have found this in reference docs? For this specific issue, neither https://www.terraform.io/docs/providers/kubernetes/r/secret.html#annotations nor https://www.terraform.io/docs/configuration/syntax.html were that helpful. p.s. for posterity's sake, the correct annotation is "kubernetes.io/service-account.name" - just in case someone ends up reading this comment in more detail. Changed in my comment above. |
That specific use case is missing from the docs. Edit: I've noticed a few examples were outdated for terraform 0.12, working on a PR. |
|
This ticket should probably be closed - as the original issue is now resolved :) |
|
+1 to close this issue. The docs should be fine now: #501 |
|
Closed |
|
This still isn't working for me with an AWS NLB. I've checked the versions as well. |
ghost
locked and limited conversation to collaborators
and others
With the recent change of disallowing internal annotations it is no longer possible to setup internal annotations.
I want to use these internal annotations to provide SSL certificates/arn configuration for the load balancers. Any idea for a workaround?
Affected Resource(s)
Terraform Configuration Files
The text was updated successfully, but these errors were encountered: