Applying CRD and chart on same TF

[moreiramarti]

Terraform, Provider, Kubernetes and Helm Versions

Terraform version: 1.3.2
Provider version: 2.7.1
Kubernetes version: 1.21

Affected Resource(s)

• helm_release

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

Debug Output

NOTE: In addition to Terraform debugging, please set HELM_DEBUG=1 to enable debugging info from helm.

Error: unable to build kubernetes objects from release manifest: resource mapping not found for name: "ingress-nginx-controller" namespace: "" from "": no matches for kind "ServiceMonitor" in version "monitoring.coreos.com/v1"
ensure CRDs are installed first
 
with module.eks_services.helm_release.ingress_nginx,
on .terraform/modules/eks_services/ingress-nginx.tf line 1, in resource "helm_release" "ingress_nginx":
  1: resource "helm_release" "ingress_nginx" {

Panic Output

Steps to Reproduce

1. terraform apply

Expected Behavior

This behavior seems expected since v2.7.0 (PR)

Is it possible to have on option to disable manifest rendering during plan ?

Actual Behavior

Important Factoids

References

• 🌱 Bump k8s.io/client-go from 0.27.1 to 0.28.1 #1234

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

[anapsix]

Seeing the same error while installing cert-manager and aws-load-balancer-controller in the same TF module and same run, with aws-load-balancer-controller having depends_on = [ helm_release.cert-manager ].

# Versions testes

- K8s v1.22 (EKS)
- Terraform 1.3.2 and 1.3.3
- Helm provider 2.7.0 and 2.7.1

│
│ Error: unable to build kubernetes objects from release manifest: [resource mapping not found for name: "aws-load-balancer-serving-cert" namespace: "kube-system" from "": no matches for kind "Certificate" in version "cert-manager.io/v1alpha2"
│ ensure CRDs are installed first, resource mapping not found for name: "aws-load-balancer-selfsigned-issuer" namespace: "kube-system" from "": no matches for kind "Issuer" in version "cert-manager.io/v1alpha2"
│ ensure CRDs are installed first, unable to recognize no matches for kind "IngressClassParams" in version "elbv2.k8s.aws/v1beta1"]
│ 
│   with module.k8s.helm_release.aws-load-balancer-controller,
│   on ../../../modules/core/k8s/aws-load-balancer-controller.tf line 1, in resource "helm_release" "aws-load-balancer-controller":
│    1: resource "helm_release" "aws-load-balancer-controller" {
│ 

Downgrading to 2.6.0 resolves the issue.

terraform {
  required_providers {
    helm = {
      source  = "hashicorp/helm"
      version = "~> 2.6.0"
    }
}

[wadexu007]

Same issue here, I need terraform apply -target to apply CRDs Resource first, then apply the remaining resources.

suggest to remove CRDs check in provider >= 2.7.0.

[mamoit]

@BBBmau I see you added the upstream-terraform label.
Is this an upstream issue of terraform itself?
If so, how should it be resolved correctly.

If not, can't there just be a flag in this provider to disable the render during the plan like @moreiramarti suggested?
Or is it too much of a workaround?

[dhirschfeld]

I'm unable to deploy Traefik with the latest version of this provider. helm install installs the Traefik Helm Chart with no problems but this provider now complains that the CRDs aren't available before installing the Helm Chart... which installs the CRDs 😞

Can we please get an escape hatch to disable this behaviour?

[jrhouston]

Hi @moreiramarti the provider should only try and render a manifest at plan time if you have manifest = true in the experiments block in the provider config. As a workaround you can set it to false when you are doing the first install, then set it to true when you want to see the rendered manifest.

Perhaps there is a case for having two toggles for manifest rendering, one for create time and one for update.

[moreiramarti]

Hi @jrhouston

Indeed, I had this option activated.
Switching to false solve my issue but having 2 toggles is a great idea IMO.

Thank you for your feedback

[github-actions]

Marking this issue as stale due to inactivity. If this issue receives no comments in the next 30 days it will automatically be closed. If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. This helps our maintainers find and focus on the active issues. Maintainers may also remove the stale label at their discretion. Thank you!

[dhirschfeld]

ugh, a stale bot.

[alex-english-elvt]

Also having this issue with external-secrets-operator

[TheGthr]

I am also facing this issue while deploying Grafana Alloy using the v2.15.0 of the helm provider, is there any other workaround?

[luis02lopez]

Would be nice to have dependency, depends_on is not working for this case.