-
Notifications
You must be signed in to change notification settings - Fork 988
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kubernetes_manifest does not wait for dependencies #1782
Comments
Hello, Thanks for raising this. Unfortunately, this is not a bug, but a known limitation. The limitation stems from the way Terraform itself arranges the operations of planning and applying. All resources that are part of the same operation are first planned for and only after all resources are finished planning do they begin to get applied. Meanwhile, the There is a simple work-around to this issue: split your configuration into two (or more) applies. The first apply should create all the CRDs, then you can move on to a second apply operation to create the CR objects and any other K8s resources you may need. We will try to make this aspect more clear in the provider documentation. Hope this is useful and unblocks your work. |
What advantage does validating the manifest during the apply phase have? I'm at a loss here as to the rationale between the limitation/constraint on the usage of this and the down-wind complexity this decision brings to people using this provider. The provider would work equally effectively if the CRD was validated at the apply stage, because you'd need all the variable values interpolated from the spec to even know if they're valid - so it has to validate again later anyway (i.e. you're already on the wrong side of the airtight hatch-way when it comes to spec validation). CRD's are inherently a runtime consideration, dynamically updatable on the fly in the cluster, and something where static planning of them during the plan phase offers nothing? Helm and other providers don't error in similar ways and preventing people being able to deploy a cluster and the dependant resources in a single pass feels like a bad call. I'm happy to do up a PR to give this the punt to the right location if folks buy into it? |
I have to agree on everything that @steve-gray is saying.
I don't see a contradiction here to what @steve-gray is suggesting. Why can't we plan a CR based on a CRD that doesn't exist yet? Terraform doesn't have to be that strict and also isn't in practice in so many cases. I'm mostly working with the Another approach that would match the way for example Helm works is to add a
That's not as simple as it sounds like. Many workflows just don't work like that. We're for example using Terragrunt and its mocking features to run ALL plans first and then ALL applies. So splitting this up into different modules wouldn't solve the issue. I would like to see this discussion reopened. Thanks in advance. |
Assuming you are creating argocd helm_release and then running a manifest
It will not work because helm_release needs to be run and depends_on for kubernetes manifest will not work |
I agree with @steve-gray and @pathob here; failing because you can't validate that the manifest will apply correctly because the control plane isn't available is a bug. In my opinion, the situation where the api server cannot be contacted should not fail the plan or apply but rather put those resources into a "known after apply" stage. At this point, a plan will "succeed" and an apply will handle any upcoming error as the resources are actually applied. If the appropriate |
up, pls! |
This incident happens when your cluster doesn't have the required CRD applied, that makes terraform will fail when plan or applying the manifest. There is a workaround for this by using separate kubernetes manifest (yaml) file Somehow the here is my tf file for reference:
|
@suryastef kubectl_manifest workaround works, though for a reason I cannot explain the error showed now after the resource was applied (while the resources applied successfully). I added
|
There is a bit of misunderstanding in this conversation. The manifest isn't just getting validated during plan, at least not for value consistency. The one and only reason why we need the CRD present at plan time is so that we can synthesise the type structure of the resource to conform to Terraform's wire and state storage format, which are strongly typed. Not fully defining the type structure of the manifest during the first plan would result in broken state situations further down the road as apply adds and removes attributes. This is dictated by the way Terraform itself is designed and not something us as provider maintainers can change or avoid. One of the strong-points of Terraform compared to plain-text tools (e.g. Helm) is the ability to granularly vet and validate the planned changes before they are actually performed. Depending on the criticality of your use-case, this fact may or may not be important for you, but we have a lot of users with complex use-cases that value this feature and we cannot degrade this experience as whole. As was mentioned above, there are community providers available that will handle the manifest as a blob of text instead of a typed structure. The downsides are that you will not be able to see changes to its individual attributes during planning, but more importantly you will not be able to reference attribute values in expressions on other resources or outputs. Weigh the trade-offs and chose what works best for you, but please consider the size and diversity of the Terraform user base before dismissing a design decision as "a bug". |
Is there any other workaround than putting:
into every manifest and run terraform apply twice like this:
? |
I would actually suggest to not only have a validate boolean which we can trigger by certain expressions, but also have a boolean to trigger skip validation if dependency not satisfied. |
Kubernetes_manifest does not wait for dependencies.
Terraform Version, Provider Version and Kubernetes Version
Affected Resource(s)
Terraform Configuration Files
Panic Output
The plugin returned an unexpected error from plugin.(*GRPCProvider).ReadResource: rpc error: code = Unknown desc = no matches for kind "RecurringJob" in version "longhorn.io/v1beta1"
Steps to Reproduce
Expected Behavior
We were expecting the kubernetes_manifest plugin to wait on dependencies and then check the status of the manifest.
Actual Behavior
We're getting an error because the CRD was not deployed
The text was updated successfully, but these errors were encountered: