Issue with CRDs when upgrading

[paymog]

Terraform Version, Provider Version and Kubernetes Version

Terraform version: v1.3.5
Kubernetes provider version: 2.21.1
Kubernetes version: 1.24

Affected Resource(s)

Terraform Configuration Files

I'm using cdktf and not terraform directly. Here's the cdktf construct which is causing the issue

    new Manifest(this, `${config.projectName}-doppler-secret`, {
      manifest: {
        apiVersion: "secrets.com/v1alpha1",
        kind: "DopplerSecret",
        metadata: {
          name: `${config.projectName}-doppler-secret`,
          namespace: DOPPLER_OPERATING_SYSTEM_NAMESPACE,
        },
        spec: {
          tokenSecret: {
            name: config.serviceTokenSecret.metadata.name,
          },
          managedSecret: {
            name: config.secretName,
            namespace: config.secretNamespace,
          },
        },
      },
    });

Debug Output

There's way too much and it seems like we'd have sensitive values in it.

Steps to Reproduce

1. Be on cdktf 0.12.3
2. apply the doppler helm chart: https://docs.doppler.com/docs/kubernetes-operator#using-helm
3. apply a kubernetes manifest which creates a DopplerSecret like above
4. see that it all works
5. try upgrading to cdktf 0.16.3, see the above issue when applying with the newest version of cdktf

The above is an approximate way to reproduce what I'm seeing

Expected Behavior

Prior to upgrading my cdktf from version 0.12.3 to 0.16.3 the above Manifest worked flawlessly.

Actual Behavior

Now that I've upgraded (without changing anything in my cluster) I'm seeing the following errors for each of the 4 instantiations of the above Manifest.

│ Error: Failed to determine GroupVersionResource for manifest
│
│   with kubernetes_manifest.doppler-workflow-worker_workflow-worker-workflow-worker-doppler-secret-crd_workflow-worker-doppler-secret_81BF5042,
│   on cdk.tf.json line 6366, in resource.kubernetes_manifest.doppler-workflow-worker_workflow-worker-workflow-worker-doppler-secret-crd_workflow-worker-doppler-secret_81BF5042:
│ 6366:       }
│
│ no matches for kind "DopplerSecret" in group "secrets.com"
goldsky-infra-dev  ╷
                   │ Error: Failed to determine GroupVersionResource for manifest
                   │
                   │   with kubernetes_manifest.doppler-workflow-worker_workflow-worker-workflow-worker-doppler-secret-crd_workflow-worker-doppler-secret_81BF5042 (doppler-workflow-worker/workflow-worker-workflow-worker-doppler-secret-crd/workflow-worker-doppler-secret),
                   │   on cdk.tf.json line 6366, in resource.kubernetes_manifest.doppler-workflow-worker_workflow-worker-workflow-worker-doppler-secret-crd_workflow-worker-doppler-secret_81BF5042 (doppler-workflow-worker/workflow-worker-workflow-worker-doppler-secret-crd/workflow-worker-doppler-secret):
                   │ 6366:       }
                   │
                   │ no matches for kind "DopplerSecret" in group "secrets.com"

I can verify that the CRD already exists:

 ❮❮❮ k get crd
NAME                                                        CREATED AT
certificaterequests.cert-manager.io                         2022-09-01T00:59:30Z
certificates.cert-manager.io                                2022-09-01T00:59:30Z
challenges.acme.cert-manager.io                             2022-09-01T00:59:30Z
clusterissuers.cert-manager.io                              2022-09-01T00:59:30Z
dopplersecrets.secrets.doppler.com                          2023-01-08T15:20:46Z
eniconfigs.crd.k8s.amazonaws.com                            2021-12-09T02:48:43Z
flinkdeployments.flink.apache.org                           2022-08-31T22:18:36Z
flinksessionjobs.flink.apache.org                           2022-08-31T22:18:37Z
ingressclassparams.elbv2.k8s.aws                            2021-12-16T06:48:29Z
issuers.cert-manager.io                                     2022-09-01T00:59:30Z
orders.acme.cert-manager.io                                 2022-09-01T00:59:30Z
secretproviderclasses.secrets-store.csi.x-k8s.io            2022-08-04T19:19:14Z
secretproviderclasspodstatuses.secrets-store.csi.x-k8s.io   2022-08-04T19:19:17Z
securitygrouppolicies.vpcresources.k8s.aws                  2021-12-09T02:48:46Z
targetgroupbindings.elbv2.k8s.aws                           2021-12-09T02:51:53Z
 ❯❯❯ k get dopplersecret -A
NAMESPACE                 NAME                                AGE
doppler-operator-system   goldsky-api-doppler-secret          150d
doppler-operator-system   goldsky-db-metrics-doppler-secret   149d
doppler-operator-system   rpc-node-proxy-doppler-secret       110d
doppler-operator-system   workflow-worker-doppler-secret      149d

References

• Unable to create Custom Resource (CR) Failed to determine GroupVersionResource for manifest #1917 - this mentions that the CRD and the instance of the CRD must be done in separate apply. That's already the case because all of these resources existed prior to me attempting to upgrade the version of cdktf.

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

[paymog]

turns out I had to change secrets.com/v1alpha1 to secrets.doppler.com/v1alpha1