Cannot create cert-manager selfSigned Issuer #1352

Closed

kyschouv opened this issue Aug 4, 2021 · 8 comments
Comments

kyschouv commented Aug 4, 2021

This appears to be the same behavior as seen in the kubernetes-alpha provider:
hashicorp/terraform-provider-kubernetes-alpha#167

Terraform Version, Provider Version and Kubernetes Version

Terraform version: 1.0.3
Kubernetes provider version: 2.4.1
Kubernetes version: 1.21.2

Affected Resource(s)

kubernetes_manifest

Terraform Configuration Files

resource "kubernetes_manifest" "aso_issuer" {
  manifest = {
    "apiVersion" = "cert-manager.io/v1"
    "kind" = "Issuer"
    "metadata" = {
      "name" = "azureoperator-selfsigned-issuer"
      "namespace" = "operators"
    }
    "spec" = {
      "selfSigned" = {}
    }
  }
}

Steps to Reproduce

Apply the above resource.

Expected Behavior

It should deploy the resource.

Actual Behavior

I get an error. It appears to be stripping the selfSigned portion of the manifest.

kubernetes_manifest.aso_issuer: Creating...
╷
│ Error: API response status: Failure
│
│   with kubernetes_manifest.aso_issuer,
│   on azure-service-operator.tf line 2, in resource "kubernetes_manifest" "aso_issuer":
│    2: resource "kubernetes_manifest" "aso_issuer" {
│
│ admission webhook "validate.webhooks.cert-manager.io" denied the request:
│ spec: Required value: at least one issuer must be configured
╵
@kyschouv kyschouv added the bug label Aug 4, 2021
@alexsomesan (Member)

@kyschouv What you are seeing here is an error response from the Cert Manager validation web hook. It's trying to signal that the Issuer CR must actually contain at least one "issuer" entry in the "spec" section.

I haven't used Cert Manager myself, but this is how the error message reads to me. It's not a provider problem, as far as I can tell.


kyschouv commented Aug 5, 2021

@alexsomesan This is the same form as the yaml that cert-manager specifies to use to create a selfSigned issuer. It needs an empty object for selfSigned in the spec. I even used the yaml to tf tooling to convert the sample from cert-manager. The problem is that the kubernetes Terraform provider (and the kubernetes-alpha provider, as seen in the linked issue) replaces that with a null value (or removes it - I'm not entirely sure), and then cert-manager doesn't know what to do with it (since it's expecting an empty object, not a null).

This is definitely something I can deploy fine with yaml. But converting that yaml to hcl and deploying it with kubernetes_manifest fails. That seems like the provider is probably doing something wrong, or at least needs a workaround if this is just due to hcl behavior.

t-winter commented Aug 9, 2021

I have the same problem and the problem actually appears to originate in the terraform kubernetes provider. The reasoning behind this conclusion is as follows:

  • deployment via kubectl of the following manifest works as expected:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-cluster-issuer
spec:
  selfSigned: {}

  • the plan generated by terraform contains way more attributes than expected:
  # kubernetes_manifest.cluster_issuer will be created
  + resource "kubernetes_manifest" "cluster_issuer" {
      + manifest = {
          + apiVersion = "cert-manager.io/v1"
          + kind       = "ClusterIssuer"
          + metadata   = {
              + name = "selfsigned-local"
            }
          + spec       = {
              + selfSigned = {}
            }
        }
      + object   = {
          + apiVersion = "cert-manager.io/v1"
          + kind       = "ClusterIssuer"
          + metadata   = {
              + name = "selfsigned-local"
            }
          + spec       = {
              + acme       = {
                  + disableAccountKeyGeneration = (known after apply)
                  + email                       = (known after apply)
                  + enableDurationFeature       = (known after apply)
                  + externalAccountBinding      = {
                      + keyAlgorithm = (known after apply)
                      + keyID        = (known after apply)
                      + keySecretRef = {
                          + key  = (known after apply)
                          + name = (known after apply)
                        }
                    }
                  + preferredChain              = (known after apply)
                  + privateKeySecretRef         = {
                      + key  = (known after apply)
                      + name = (known after apply)
                    }
                  + server                      = (known after apply)
                  + skipTLSVerify               = (known after apply)
                  + solvers                     = (known after apply)
                }
              + ca         = {
                  + crlDistributionPoints = (known after apply)
                  + ocspServers           = (known after apply)
                  + secretName            = (known after apply)
                }
              + selfSigned = {
                  + crlDistributionPoints = (known after apply)
                }
              + vault      = {
                  + auth      = {
                      + appRole        = {
                          + path      = (known after apply)
                          + roleId    = (known after apply)
                          + secretRef = {
                              + key  = (known after apply)
                              + name = (known after apply)
                            }
                        }
                      + kubernetes     = {
                          + mountPath = (known after apply)
                          + role      = (known after apply)
                          + secretRef = {
                              + key  = (known after apply)
                              + name = (known after apply)
                            }
                        }
                      + tokenSecretRef = {
                          + key  = (known after apply)
                          + name = (known after apply)
                        }
                    }
                  + caBundle  = (known after apply)
                  + namespace = (known after apply)
                  + path      = (known after apply)
                  + server    = (known after apply)
                }
              + venafi     = {
                  + cloud = {
                      + apiTokenSecretRef = {
                          + key  = (known after apply)
                          + name = (known after apply)
                        }
                      + url               = (known after apply)
                    }
                  + tpp   = {
                      + caBundle       = (known after apply)
                      + credentialsRef = {
                          + name = (known after apply)
                        }
                      + url            = (known after apply)
                    }
                  + zone  = (known after apply)
                }
            }
        }
    }

The above is generated from the following resource:

resource "kubernetes_manifest" "cluster_issuer" {
  manifest = {
    apiVersion = "cert-manager.io/v1"
    kind       = "ClusterIssuer"
    metadata = {
      name = "selfsigned-local"
    }
    spec = {
      selfSigned = {}
    }
  }
}

bweir commented Sep 24, 2021

Can confirm, I am experiencing this right now:

Error: API response status: Failure

  on cert_manager.tf line 50, in resource "kubernetes_manifest" "self_signed_cluster_issuer":
  50: resource "kubernetes_manifest" "self_signed_cluster_issuer" {

admission webhook "webhook.cert-manager.io" denied the request: spec: Required
value: at least one issuer must be configured

The YAML works fine:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: self-signed-cluster-issuer
  namespace: cert-manager
spec:
  selfSigned: {}

The error suggests that the kubernetes_manifest resource removes the empty object before submitting the manifest to the cluster:

resource "kubernetes_manifest" "self_signed_cluster_issuer" {
    manifest = {
        apiVersion = "cert-manager.io/v1"
        kind = "ClusterIssuer"
        metadata = {
          name = "self-signed-cluster-issuer"
        }
        spec = {
          selfSigned = {}
        }
    }
}

@artificial-aidan

So I just dug into this a bunch, and have some tests to reproduce it; I'll get some stuff up tomorrow.

There is a hack that kind of works for now:

spec:
  selfSigned:
    crlDistributionPoints: []

This will create the issuer, but also error out with:

When applying changes to kubernetes_manifest.webhook_issuer, provider "provider[\"registry.terraform.io/hashicorp/kubernetes\"]" produced an unexpected new value: .object.spec.selfSigned.crlDistributionPoints: was cty.ListValEmpty(cty.String), but now null.

But at least it applies.
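Why the empty object is lost, and why the `crlDistributionPoints: []` hack survives, as an added illustration written for this page (it is not code from the Terraform provider or from cert-manager): a small Python model of the two client behaviours kyschouv describes above (explicit `{}` replaced by null versus kept as an object), run against the webhook rule quoted in the error. The collapse rule, the trimmed list of issuer types and the manifest copies are constructed assumptions for the example.

```python
"""Model of why `spec.selfSigned = {}` fails under kubernetes_manifest (pre-2.6.0).

Constructed for this example; it is not code from the Terraform provider or from
cert-manager. It models the behaviour described in the thread, not their internals.
"""
import json
from typing import Any, Callable

# Assumption: the issuer types an Issuer/ClusterIssuer spec can carry, taken from the
# plan output quoted in this thread. The real CRD schema has many more nested fields.
ISSUER_TYPES = ("acme", "ca", "selfSigned", "vault", "venafi")


def collapse_empty_objects(value: Any) -> Any:
    """Normaliser modelling the failing path: an object whose attributes are all null
    (including an object with no attributes at all) becomes null, recursively.
    Under this rule `{"selfSigned": {}}` arrives at the API server as `spec: null`."""
    if isinstance(value, dict):
        normalised = {k: collapse_empty_objects(v) for k, v in value.items()}
        return None if all(v is None for v in normalised.values()) else normalised
    return value


def keep_empty_objects(value: Any) -> Any:
    """Normaliser modelling the kubectl/YAML path: an explicit `{}` stays an object."""
    if isinstance(value, dict):
        return {k: keep_empty_objects(v) for k, v in value.items()}
    return value


def webhook_validate_issuer(manifest: dict) -> list[str]:
    """Re-creation of the check behind the webhook error quoted in this issue:
    at least one issuer type must be present (non-null) under spec."""
    spec = manifest.get("spec") or {}
    if not any(spec.get(t) is not None for t in ISSUER_TYPES):
        return ["spec: Required value: at least one issuer must be configured"]
    return []


def submit(manifest: dict, normalise: Callable[[Any], Any]) -> list[str]:
    """Normalise the manifest as a client would, then run it past the webhook rule.
    Returns the list of validation errors (empty means the object is accepted)."""
    return webhook_validate_issuer(normalise(manifest))


# Constructed copy of the ClusterIssuer manifest posted in this thread.
SELF_SIGNED = {
    "apiVersion": "cert-manager.io/v1",
    "kind": "ClusterIssuer",
    "metadata": {"name": "selfsigned-local"},
    "spec": {"selfSigned": {}},
}

# artificial-aidan's workaround: a non-null attribute inside selfSigned (an empty list
# is not null) stops the object from being collapsed, so the issuer type survives.
WORKAROUND = dict(SELF_SIGNED, spec={"selfSigned": {"crlDistributionPoints": []}})


if __name__ == "__main__":
    for label, manifest, normalise in (
        ("HCL {} through a collapsing client", SELF_SIGNED, collapse_empty_objects),
        ("YAML {} through kubectl", SELF_SIGNED, keep_empty_objects),
        ("HCL workaround through a collapsing client", WORKAROUND, collapse_empty_objects),
    ):
        sent = normalise(manifest)
        print(f"{label}: spec sent = {json.dumps(sent['spec'])}; "
              f"webhook errors = {submit(manifest, normalise)}")
```

The model shows the mechanism the thread converges on: it is not the HCL syntax that is wrong but the client dropping an explicitly empty object on the way to the API server, which the webhook then sees as "no issuer configured". A quick check after any apply is `kubectl get clusterissuer <name> -o json` and confirming `spec.selfSigned` is `{}` rather than absent. Per Skaronator below, provider release 2.6.0 removes the need for the workaround.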

@Skaronator

This issue seems to be fixed in the 2.6.0 release, FYI.

@github-actions (bot)

Marking this issue as stale due to inactivity. If this issue receives no comments in the next 30 days it will automatically be closed. If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. This helps our maintainers find and focus on the active issues. Maintainers may also remove the stale label at their discretion. Thank you!

@github-actions (bot)

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 26, 2022