Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(feat): kubeconfig_raw as alternative to local file and setting KUBECONFIG env variable #51

Open
lukasmrtvy opened this issue Jan 7, 2021 · 6 comments
Open

(feat): kubeconfig_raw as alternative to local file and setting KUBECONFIG env variable #51

lukasmrtvy opened this issue Jan 7, 2021 · 6 comments

Comments

@lukasmrtvy
Copy link

lukasmrtvy commented Jan 7, 2021
edited
Loading

Would be nice to support kubeconfig_raw as input in helmfile provider.
For example like this provider https://github.com/vmware-tanzu/terraform-provider-carvel/blob/develop/pkg/provider/kubeconfig.go#L34
Use case:

data "azurerm_kubernetes_cluster" "example" {
  name                = "myakscluster"
  resource_group_name = "my-example-resource-group"
}

resource "helmfile_release_set" "mystack" {
    content = file("./helmfile.yaml")
    kubeconfig_raw = data.azurerm_kubernetes_cluster.example.kube_admin_config_raw
}

It should be sensitive input ( hide sensitive stuff in plan/apply steps)

Thanks

Official provider can use also raw input https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs#host
@lukasmrtvy lukasmrtvy mentioned this issue Jan 7, 2021
Open
@mumoshu
Copy link
Owner

mumoshu commented Jan 8, 2021

@lukasmrtvy Hey! Just curious, but why do we need this? For the azurerm_kubenretes_cluster's case, can't we just use kube_admin_config_raw in combination with local_file? 🤔

@lukasmrtvy
Copy link
Author

lukasmrtvy commented Jan 8, 2021
edited
Loading

@mumoshu if you are running tf in CI without cache ( and i believe that caching kubeconfig is not a good idea ), then you will loose this file and this resource will be recreated on every run ( triggering false positive diff )

Probably is possible to do some workaround with local-exec, but why, almost every k8s provider ( kubernetes, helm, kapp, etc ) can use kubeconfig_raw or is able to set host/ca/crt/key/user/token via vars.
Its doable with https://github.com/scottwinkler/terraform-provider-shell ( kubectl config set + helmfile ), but its tricky to calculate state in read phase. Also using external data source for helmfile template output and for example kapp provider for deploying raw manifest is possible to do, but believe that this provider should be able to use these variables...

Examples from AWS, Azure providers:
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/kubernetes_cluster#password
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth#example-usage

@anton-kachurin anton-kachurin mentioned this issue Feb 27, 2021
Open
@lukasmrtvy
Copy link
Author

@mumoshu any progress on this? thanks

@unacceptable
Copy link

I would like to propose something along these lines. IMHO we should be able to authenticate with just certificates/tokens like with the kubernetes-alpha and helm providers.

IIRC - I believe that local_file would work in certain scenarios, but not on a medium with ephemeral storage (like a container running a CD build) or a peer's workstation if the path names are the same.

@yashbhutwala
Copy link

yashbhutwala commented Jun 10, 2021
edited
Loading

I agree, the auth experience of this provider should be consistent with the helm and kubernetes providers.

@mumoshu
Copy link
Owner

mumoshu commented Jun 11, 2021

I agree. I'll happily review anyone's PR to add that

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@mumoshu @lukasmrtvy @yashbhutwala @unacceptable