lifecycle ignore_changes do not work with "kubernetes_manifest" #1378
Comments
To add a little more detail to the issue reported here: The diff of resulting manifest shows something like this: terraform plan
If the
the result is that the panic output
|
I think this is actually the same issue I was describing elsewhere: hashicorp/terraform#29443 It prevents using manifests that get finalizers added. |
I have this issue when trying to deploy a Cloud Run Anthos (knative) app to Terraform using the example in the docs: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_service#example-usage---cloud-run-anthos |
This PR #1333 adds a managefields option. My field causing the issue is "not important" so I could remove the content. So TF will erase the content at each run (which is not really idempotent) but at least it "solves" the run error issue. |
@gabeio |
@jbg in certain cases like resources depending on one another |
Unfortunately for us, the field we wish to ignore is an ArgoCD It is initially set in terraform when the ArgoCD This allows the SHA to be updated independently of terraform (something that is a hard requirement in our scenario as we want our customers to self-serve their own application configuration changes). Without this ignore_changes feature working, we can run the terraform stack as many times as we want until a change is made outside of terraform to the target revision field. After this, once the terraform is re-run, we always end up with the following error:
The solution it suggests at the bottom of the error output:
Will not work for us because this would mean the terraform run would reset the |
I got this issue as well and fixed it using the
```hcl
computed_fields = [
  "spec.source.targetRevision",
]
```
Not tested but this may also work with the finalizers:
```hcl
computed_fields = [
  "metadata.finalizers",
]
```
|
We were seeing this with Can confirm that @maikelvl 's workaround worked for us too, in our case:
|
Hey,
it is not helping me. Any other recommendation? |
Unfortunately the same issue with a few crds
```hcl
data "http" "crds" {
  url = "https://raw.githubusercontent.com/external-secrets/external-secrets/helm-chart-0.9.11/deploy/crds/bundle.yaml"
}

data "kubectl_file_documents" "crds" {
  content = data.http.crds.response_body
}

resource "kubernetes_manifest" "crds" {
  for_each = data.kubectl_file_documents.crds.manifests
  manifest = yamldecode(each.value)

  computed_fields = [
    "metadata.annotations",
    "metadata.finalizers",
    "metadata.labels",
    "spec.conversion.webhook.clientConfig",
  ]
}
```
causes a diff on
causing this error on apply
|
with computed_fields specified to the individual field names:
```hcl
computed_fields = [
  "metadata.annotations",
  "metadata.finalizers",
  "metadata.labels",
  "spec.conversion.webhook.clientConfig.caBundle",
  "spec.conversion.webhook.clientConfig.service.name",
  "spec.conversion.webhook.clientConfig.service.namespace",
  "spec.conversion.webhook.clientConfig.service.path",
  "spec.conversion.webhook.clientConfig.service.port",
  "spec.conversion.webhook.clientConfig.url",
]
```
the plan looks like this
```
~ spec = {
    ~ conversion = {
        ~ webhook = {
            ~ clientConfig = {
                ~ service = {
                    ~ name      = "external-secrets-webhook" -> (known after apply)
                    ~ namespace = "kube-secrets" -> (known after apply)
                    ~ path      = "/convert" -> (known after apply)
                      # (1 unchanged element hidden)
                  }
                  # (2 unchanged elements hidden)
              }
              # (1 unchanged element hidden)
          }
          # (1 unchanged element hidden)
      }
      # (5 unchanged elements hidden)
  }
```
still the same error:
so I guess

edit: no success on ignoring changes either, tried the following without success:
```hcl
lifecycle {
  ignore_changes = [
    object.spec.conversion.webhook.clientConfig.service.name,
    object.spec.conversion.webhook.clientConfig.service.namespace,
    object.spec.conversion.webhook.clientConfig.service.path,
  ]
}
```
|
Has there been any progress on this from anyone? I'm hitting
and neither
```nix
computed_fields = [
  "webhooks[\"validation.istio.io\"].failurePolicy"
];
```
nor
```nix
lifecycle = {
  ignore_changes = [
    "object.webhooks[\"validation.istio.io\"].failurePolicy"
  ];
};
```
help with this problem |
|
Oh yeah forgot to test that, I did try |
That error message is passed through from the k8s API server, which knows to call out the element by its |
The output snippets I'm seeing reported here point to an API-side error:
The API is signalling that there was an ownership conflict on some attributes of the resource, where both Terraform and some other actor on the cluster are trying to change the value of that attribute, leading to an ambiguity about who is the authoritative source of truth for that value. This type of error isn't resolvable using either It helps to keep in mind that the API server tracks "ownership" of attributes as different clients attempt to make changes to them. The mechanism is described in detail here. Without knowing exactly what other process is trying to make changes to that resource, it's hard to offer a more pinpointed explanation, but I do hope this gets everyone on the right track. |
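To find out which other actor owns a conflicting attribute, as described in the comment above, the object's `metadata.managedFields` can be read directly. The following is an added example, not code from this thread or from the provider; the manager names and the sample object are constructed for illustration.

```python
import json

def flatten_fields(node, prefix=""):
    """Yield one path per owned leaf in a managedFields `fieldsV1` tree."""
    for key, child in node.items():
        if key == ".":                      # marks the container itself, not a child
            continue
        kind, _, name = key.partition(":")
        if kind == "f":                     # struct field
            path = f"{prefix}.{name}"
        elif kind == "k":                   # list item selected by its key fields
            keys = json.loads(name)
            sel = ",".join(f"{k}={json.dumps(v)}" for k, v in keys.items())
            path = f"{prefix}[{sel}]"
        else:                               # "v:" set member or "i:" list index
            path = f"{prefix}[{name}]"
        leaves = list(flatten_fields(child, path))
        yield from (leaves or [path])

def foreign_owners(obj, wanted, me):
    """Map each path in `wanted` to the managers other than `me` that own it."""
    found = {}
    for entry in obj.get("metadata", {}).get("managedFields", []):
        if entry.get("manager") == me:
            continue
        owned = set(flatten_fields(entry.get("fieldsV1", {})))
        for path in wanted:
            if any(p == path or p.startswith((path + ".", path + "[")) for p in owned):
                found.setdefault(path, []).append(entry["manager"])
    return found

# Constructed sample: Terraform applied the object, then two other (assumed)
# managers took ownership of targetRevision and added a finalizer.
SAMPLE = {"metadata": {"managedFields": [
    {"manager": "Terraform", "operation": "Apply",
     "fieldsV1": {"f:spec": {"f:source": {"f:repoURL": {}, "f:path": {}}}}},
    {"manager": "argocd-server", "operation": "Update",
     "fieldsV1": {"f:spec": {"f:source": {"f:targetRevision": {}}}}},
    {"manager": "argocd-application-controller", "operation": "Update",
     "fieldsV1": {"f:metadata": {"f:finalizers": {
         ".": {}, 'v:"example.io/cleanup"': {}}}}},
]}}

# Constructed sample of a list item addressed by its key, as in the webhook case.
WEBHOOK_FIELDS = {"f:webhooks": {'k:{"name":"validation.istio.io"}':
                                 {".": {}, "f:failurePolicy": {}}}}
```

Real input for `foreign_owners` is the JSON from `kubectl get <kind> <name> -o json --show-managed-fields`; any path it reports is one that Terraform will conflict on if its manifest sets a different value.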
I had two errors related to this, one was something in |
@MagicRB the splat syntax ( |
Splat won't work, you need to hard code the list index where the offending attribute occurs. I'll share the exact code once I get to my laptop. (Again it'll be nix syntax but should be readable nonetheless) |
Hey @MagicRB could you share that nix code to filter |
@llanza7 I fear that if you've never used Nix then it's not the right tool for this. I'd use
```nix
sanitizeKubernetesManifest = manifest:
  (filterAttrs (n: const (n != "status")) manifest)
  // (optionalAttrs (manifest ? "metadata") {
    metadata = filterAttrs (n: _: n != "creationTimestamp") manifest.metadata;
  });
```
assuming you have the k8s manifest as a nix expression, if not then
```jq
del(.metadata.creationTimestamp) | del(.status)
```
does the same thing but using jq |
While that code works, I haven't figured out a way to fix this for |
Terraform Version, Provider Version and Kubernetes Version
Affected Resource(s)
Steps to Reproduce
terraform apply - to create new resources
terraform apply - to test the provider will not do any changes
Expected Behavior
The provider should ignore the fields added by k8s controllers, like finalizers
Actual Behavior
The provider detects changes on the resources and tries to update (delete the finalizers). Adding lifecycle.ignore_changes does not work for this resource.
Additional Notes
This bug is the same as the one reported in the kubernetes alpha provider here