-
Notifications
You must be signed in to change notification settings - Fork 984
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
meta: Treat internal k8s annotations as invalid #50
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
I'm stumbling into this because this solution makes implementing this way to configure a service impossible: https://kubernetes.io/docs/concepts/services-networking/service/#ssl-support-on-aws What exactly are the major problems for Terraform that occur if you let a user in his own responsibility change such a value? I can see that if K8s resets such a value internally and automatically because it's not intended to be changed, Terraform will detect the change and write it again ans again on ech apply, but you already propose a solution for this with the ignore changes flag. Apart from that, users can break stuff in their own infrastructure abusing the wrong internal annotations, but that's their own responsibility and that is valid for just about any configuration change. I don't see why this must be so strict. |
Have you guys found any other way of implementing ssl on load balancers ? I'm struggling with that now and to be honest, don't understand at all why we shouldn't be able to set internal annotations using TF |
I can understand "internal annotations" look too arbitrary code, but some of them are too essentials at this stage to be banned like this. Why don't you just maintain a minimal set of annotations, as long as the situation is not clear? Of course I'm referring to the SSL support for the LoadBalancer type services (aws) and very few others. I wouldn't see many options at the moment, except stop using terraform/kubernetes and deploy services via kubectl. |
@tombuildsstuff @radeksimko can this please be revisited? This completely kills the potential of using Terraform to spin out private K8s clusters. Happy to help in any way I can. |
This breaks setting up a nginx ingress via a helm chart and routing services to it(https://github.com/helm/charts/tree/master/stable/nginx-ingress). For that, I need to set the kubernetes.io/ingress.class annotation. Some of these internal annotation are quite valid to want to configure externally. Please revisit. |
FWIW @alexsomesan I was able to workaround this issue in my fork, and allow support for internal annotations without causing a perpetual TF diff. |
It just occurred to me - we might also be able to create a datasource where the template developer would specify a set of annotations as internal, and then aggregate the datasource's set with the one's from the resource. |
@alexsomesan that would be awesome, I suggested something like that some time ago: #60 (comment) Edit: in fact, I instead suggested allowing the white listing of annotations, as tracking internal annotations as kubernetes evolves would probably be harder at the provider level. |
@alexsomesan Here's my POC for whitelisting... #60 (comment) Free to cherry-pick or reimplement it in your way |
@alexsomesan PR #244 contains the implementation of the @dh-harald POC from #60 (comment) |
i agree this should be reverted. |
Well this should be definitely reverted, it causes more problems than it appears to have solved. |
This is blocking e.g. the use of external-dns via terraform-provider-kubernetes, please revert or allow whitelisting annotations. |
Absolutely terrible idea - purge it with fire! |
This needs to be reverted for all the reasons above. |
WOW! Who thought this was a good idea?! |
^ Update on all of the above - #325 has now been merged which should fix this issue! |
This has now been fixed in 1.7.0: https://github.com/terraform-providers/terraform-provider-kubernetes/blob/master/CHANGELOG.md#170-may-22-2019 |
We always ignored internal annotations and we never allowed users to update them either as an effect of another bug. This is making it much more explicit and upfront and hopefully less confusing.
Closes #37
Why we don't support internal annotations
Annotations are more often (compared to labels) used by the scheduler or machine generally rather than a human. We cannot tell the difference between annotation specified by a user and machine-managed one from the API. This may be "by design" and we're not complaining about the K8S annotations design here by any means. It's a design preventing Terraform from detecting drifts between reality and config nonetheless.
This conflict of ownership presents a problem for any field of any resource and provider. Internal (
kubernetes.io/*
) annotations are just well known to be used by kubelet out of the box.If you have any tools/scripts outside of Terraform which add, remove or modify annotations for objects managed by Terraform, you may use
ignore_changes
, i.e.This is a way to tell Terraform that you manage annotations separately and want Terraform to ignore any changes your tools/scripts make to annotations.
Vast majority of custom user-specifyable annotations are also related to alpha or beta features which we currently don't intend to support as mentioned in Readme with further explanation in #1 (comment)
Before
After