ibm_container_alb_cert destroy not synchronous

[pauljegouic]

Hi there,

Terraform Version

  bivwak-ibm-container-service git:(feature/tls) ✗ terraform -v
Terraform v0.12.23
+ provider.http v1.2.0
+ provider.ibm v1.8.1
+ provider.kubernetes v1.11.3
+ provider.null v2.1.2

Affected Resource(s)

• ibm_container_alb_cert

Use Case

Since there is no integration between Certificate Manager and IKS, we need to apply a workaround to update certificate at the cluster level, when renewing the certificate.

To do so, we would like to take advantage of the taint functionnality in Terraform. It provoks a destroy/recreate of the resource, which solve our issue for the moment.

But the issue is that the ibm_container_alb_cert resource is successfully destroyed, but recreation failed. We need to wait for IKS to actually delete and clean secrets.

Taint ibm_container_alb_cert

➜  bivwak-ibm-container-service git:(feature/tls) ✗ terraform taint module.bivwak_k8s.module.security.module.mtls.ibm_container_alb_cert.ingress_cert
Resource instance module.bivwak_k8s.module.security.module.mtls.ibm_container_alb_cert.ingress_cert has been marked as tainted.

Terraform apply: FAIL

➜  bivwak-ibm-container-service git:(feature/tls) ✗ terraform apply -var environment_id=featuretls -var-file tests/env/vars.standard_config.json --auto-approve

[SKIP]

module.bivwak_k8s.module.security.module.mtls.ibm_container_alb_cert.ingress_cert: Destruction complete after 1s
module.bivwak_k8s.module.security.module.mtls.ibm_container_alb_cert.ingress_cert: Creating...

Error: Request failed with status code: 409, ServerErrorResponse: {"incidentID":"5b5cddb1266dedf7-CDG","code":"E0025","description":"An ALB secret with the same name already exists. Choose another name.","type":"ALBSecret"}

Try to re-apply: SUCCESS

➜  bivwak-ibm-container-service git:(feature/tls) ✗ terraform apply -var environment_id=featuretls -var-file tests/env/vars.standard_config.json --auto-approve

[SKIP]

module.bivwak_k8s.module.security.module.mtls.ibm_container_alb_cert.ingress_cert: Creating...
module.bivwak_k8s.module.security.module.mtls.ibm_container_alb_cert.ingress_cert: Still creating... [10s elapsed]
module.bivwak_k8s.module.security.module.mtls.ibm_container_alb_cert.ingress_cert: Creation complete after 14s [id=bsal5ptf0dia1btc8vdg/ingress-tls-cert]

Thanks in advance !

[hkantare]

As per the comments we see there is some time delay to delete the secret from the cluster...We will investigate and see can we check for the secret exists before completing resource deletion of ALB CERT

[pauljegouic]

ibm_container_bind_service is also affected by this

[Anil-CM]

@ifs-pauljegouic,
we have tried the following approach:

1. apply the below configuration:

resource "ibm_container_alb_cert" "cert" {
  cert_crn    = "crn:v1:bluemix:public:cloudcerts:us-south:a/96fe4b4beb8947bf85223e69dab47878:6fdddfcd-902e-4928-bf66-4e9a862cde75:certificate:1ec38c64ba738d99dab108bd8c32ef1d"
  secret_name = "mycert"
  cluster_id  = "bpj241dd0huh760itedg"
}

resource "ibm_container_bind_service" "bind_service" {
  cluster_name_id             = "bpj241dd0huh760itedg"
  service_instance_name       = "litecos"
  namespace_id                = "default"
}

2. Taint the ibm_container_alb_cert resource using terraform taint.
3. Run terraform plan-apply

The configuration applied, didn't see any issues with ibm_container_bind_service.

[hkantare]

Fixed in latest releases v1.16.1