inconsistent output of kubernetes_secret data source during apply #2444

Open
L1ghtman2k opened this issue Mar 18, 2024 · 0 comments
Labels
acknowledged Issue has undergone initial review and is in our work queue. bug

L1ghtman2k commented Mar 18, 2024

Terraform Version, Provider Version and Kubernetes Version

Terraform version: 1.7.5
Kubernetes provider version: (default for this terraform)
Kubernetes version: 1.29.3

Affected Resource(s)

  • data "kubernetes_secret"

Terraform Configuration Files

...

resource "null_resource" "wait_for_secret" {
  depends_on = [
    module.ccp
  ]

  provisioner "local-exec" {
    interpreter = ["/bin/bash", "-c"]
    environment = {
      KUBECONFIG = var.kubeconfig
    }
    command = <<EOT
      #!/bin/bash
      set -e
      namespace=test
      secret_name=test
      retries=40
      delay=5
      count=0
      while [[ $count -lt $retries ]]
      do
        secret=$(kubectl get secret -n $namespace $secret_name --ignore-not-found)
        if [[ -n "$secret" ]]; then
          echo "Secret $secret_name found in namespace $namespace."
          exit 0
        fi
        echo "Secret $secret_name not found in namespace $namespace. Retrying..."
        sleep $delay
        count=$((count + 1))
      done
      echo "Secret $secret_name not found in namespace $namespace after $retries retries, or it does not have rootPassword. Exiting..."
      exit 1
    EOT
  }

  triggers = {
    always_run = timestamp()
  }
}

data "kubernetes_secret_v1" "vaultauth" {
  depends_on = [
    null_resource.wait_for_vault_token
  ]
  metadata {
    name      = "test"
    namespace = "test"
  }
  binary_data = {
    token = ""
  }
}

output "vault_token" {
  value = base64decode(data.kubernetes_secret_v1.vaultauth.binary_data.token)
  sensitive = true
}

Steps to Reproduce

  1. Create the "test" namespace.
  2. Run terraform apply. While applying (wait_for_secret is running), create a "test" Kubernetes secret, with .data.token set to something.
  3. Check the output; the token will be empty.

If the secret already exists, the issue remains.

If terraform refresh is run, then the output is corrected to the expected value.

Expected Behavior

token should not be empty

Actual Behavior

token is empty

Important Factoids

It seems to me that this behavior is only present when the kubernetes_secret has:

  depends_on = [
    null_resource.wait_for_vault_token
  ]

If the secret exists, and depends_on is removed, then the token is displayed as expected.

References

It seems to me this issue is related: #1221

Workaround

I use the "external" data source to fetch the secret, similar to what is described in the comment of the above issue:
#1221 (comment)

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
@L1ghtman2k L1ghtman2k added the bug label Mar 18, 2024
@iBrandyJackson iBrandyJackson added the acknowledged Issue has undergone initial review and is in our work queue. label Mar 28, 2024
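
The workaround named in the issue, as an added example (not code from the issue, the linked comment, or the provider): a program for the `external` data source that reads the secret with `kubectl` and fails the read, rather than returning an empty value, when the secret or key is missing. The file name `read_secret.py`, the query keys and the HCL wiring shown in the docstring are assumptions.

```python
"""Program for Terraform's "external" data source: reads the query as JSON on
stdin and prints a JSON object of string values on stdout.
Assumed wiring (hypothetical names, not from the issue):
  data "external" "vault_token" {
    program    = ["python3", "${path.module}/read_secret.py"]
    query      = { namespace = "test", name = "test", key = "token" }
    depends_on = [null_resource.wait_for_secret]
  }
"""
import base64
import json
import subprocess
import sys


def extract_key(secret: dict, key: str) -> dict:
    """Return {key: value} from a `kubectl get secret -o json` document."""
    data = secret.get("data") or {}
    if key not in data:
        raise KeyError(key)
    raw = base64.b64decode(data[key], validate=True)
    # External results are strings only: fail on non-UTF-8, never mangle it.
    return {key: raw.decode("utf-8")}


def fetch_secret(namespace: str, name: str) -> dict:
    # Argument list, no shell: query values are never shell-interpreted.
    out = subprocess.run(
        ["kubectl", "get", "secret", "-n", namespace, name, "-o", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


def main() -> int:
    query = json.load(sys.stdin)
    try:
        secret = fetch_secret(query["namespace"], query["name"])
        result = extract_key(secret, query["key"])
    except Exception as exc:
        # Non-zero exit fails the read. Print only the error type, since a
        # decode error message can quote bytes of the secret.
        print(f"read_secret: {type(exc).__name__}", file=sys.stderr)
        return 1
    json.dump(result, sys.stdout)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

With this wiring the value would be read as `data.external.vault_token.result.token`; like any data source result it is written to Terraform state, so the state needs the same protection as the secret.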