System CA certs don't get used

[evandp]

👋 I noticed a difference in behavior between this provider and the hashicorp/kubernetes provider when it comes to cluster ca certs.

I have a k8s cluster with cert-manager running with letsencrypt as the root of trust. My environment has the ISRG Root X1 certificate available locally.

Here is an example of me creating a namespace with the kubernetes provider without specifying the cluster_ca_certificate which works as expected.

provider "kubernetes" {
  host  = var.host
  token = var.token
}

resource "kubernetes_namespace" "my_namespace" {
  metadata = {
    name = "my-namespace"
  }
}

But if I do the same thing with the kubectl provider it doesn't use the system CA cert and get an x509: certificate signed by unknown authority error when I run terraform apply.

provider "kubectl" {
  host  = var.host
  token = var.token
}

resource "kubectl_manifest" "my_namespace" {
  yaml_body     = <<-YAML
  apiVersion: v1
  kind: Namespace
  metadata:
    name: my-namespace
  YAML
}

It looks like the kubectl provider doesn't look for system certs because I can specify it manually and have it work.

provider "kubectl" {
  host  = var.host
  token = var.token
  cluster_ca_certificate = file("isrg_x1.pem")
}

resource "kubectl_manifest" "my_namespace" {
  yaml_body     = <<-YAML
  apiVersion: v1
  kind: Namespace
  metadata:
    name: my-namespace
  YAML
}

Am I right in suspecting the kubectl provider doesn't look through system CA certs? If so, I'd appreciate that this feature gets added so that cluster_ca_certificate doesn't need to get set manually.