New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature Request: equivalent of kubectl patch
#723
Comments
I have 2 additional use cases for the same feature, both on EKS.
The annotation must be removed. |
Yeah also it would be nice to have equivalent of |
This comment has been minimized.
This comment has been minimized.
I am currently trying to update an existing ConfigMap and simply add more rules to it but once the CM created it seems that it cannot be referred to in order to be updated. Any thoughts? Thanks |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
When we setup EKS cluster with terraform and are using tainted on-demand nodes for all system services, we have to patch CoreDNS first to make all further installed apps working. For now we can't patch existing EKS CoreDNS with terraform so we have to install 3rd party CoreDNS helm chart at the beginning. Ability to patch existing deployments would be really great. |
+1 Would love this for some of our enterprise EKS Fargate Deployments |
It would nice to have such a Terraform resource to patch EKS |
This is also needed to patch EKS clusters hit by kubernetes/kubernetes#61486 |
This feature would feed very well into things like custom CNI on EKS |
This would also help for management of service meshes such as linkerd or istio, where one might want to add annotations to control mesh proxy injection into the This request is actually being made in different forms in several issues now, see also: |
For anyone else who's running into this, we've for the moment worked around it with a truly awful abuse of the null resource and local provisioner:
|
I tweaked @memory's null_resource workaround to work with the aws provider. This should save anyone looking to run fargate-only EKS a bit of time.
|
This comment has been minimized.
This comment has been minimized.
The following might also be a viable workaround:
Might work quicker since the token should only be requested once and then reused for any kubectl commands. Also doesn't depend on having aws-cli installed. |
This comment has been minimized.
This comment has been minimized.
Same question for me :) : |
Adding to the list, patching |
Same issue here, with the need to patch the coredns for taints-tollerations setup and aws-node daemonset for some parameters tweaking (like IP warm target and external SNAT enable). Will be really nice to be able to get all resources provisioned in one shot by terraform without workarrounds like |
This is also relevant when you want to deploy an EKS cluster only running Fargate. you need to patch the existing CoreDNS deployment in order to deploy it as Fargate. |
Also needed to simply edit the coredns-custom configmap that is created by default in AKS. |
I've got a similar requirement, so until there is a better method, I'm using a template and null resource: # argocd-cm patch
# https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file
data "template_file" "argocd_cm" {
template = file(var.argocd_cm_yaml_path)
vars = {
tenantId = data.azurerm_client_config.current.tenant_id
appClientId = azuread_service_principal.argocd.application_id
}
}
# https://www.terraform.io/docs/provisioners/local-exec.html
resource "null_resource" "argocd_cm" {
triggers = {
yaml_contents = filemd5(var.argocd_cm_yaml_path)
sp_app_id = azuread_service_principal.argocd.application_id
}
provisioner "local-exec" {
interpreter = ["/bin/bash", "-c"]
environment = {
KUBECONFIG = var.aks_config_path
}
command = <<EOT
kubectl patch configmap/argocd-cm --namespace argocd --type merge --patch "${data.template_file.argocd_cm.rendered}"
EOT
}
depends_on = [
local_file.kubeconfig,
null_resource.argocd_configure
]
} |
Expanding on @cmanfre4's answer, we could probably simplify it to a single job with this command:
It does 2 things:
|
Just FYI - if you patch the CoreDNS on EKS, you'll want to eject from the EKS API managing the CoreDNS deployment using the |
Thanks @jkroepke! I was able to remove the default storage class from an EKS cluster with https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/annotations. resource "kubernetes_annotations" "default-storageclass" {
api_version = "storage.k8s.io/v1"
kind = "StorageClass"
force = "true"
metadata {
name = "gp2"
}
annotations = {
"storageclass.kubernetes.io/is-default-class" = "false"
}
} |
that's very interesting way of doing this |
I have a very simple workaround in the form of a bootstrap script which deletes the relevant default resources: #!/usr/bin/env bash
set -euo pipefail
while test $# -gt 0; do
case "$1" in
-h | --help)
echo " "
echo "options:"
echo "-h, --help show brief help"
echo "--context specify kube contxt"
exit 0
;;
--context)
shift
if test $# -gt 0; then
context=$1
else
echo "no kube context specified"
exit 1
fi
shift
;;
*)
break
;;
esac
done
for kind in daemonset clusterRole clusterRoleBinding serviceAccount; do
echo "deleting $kind/aws-node"
kubectl --context "$context" --namespace kube-system delete $kind aws-node
done
for kind in customResourceDefinition; do
echo "deleting $kind/eniconfigs.crd.k8s.amazonaws.com"
kubectl --context "$context" --namespace kube-system delete $kind eniconfigs.crd.k8s.amazonaws.com
done
for kind in daemonset serviceAccount; do
echo "deleting $kind/kube-proxy"
kubectl --context "$context" --namespace kube-system delete $kind kube-proxy
done
for kind in configMap; do
echo "deleting $kind/kube-proxy-config"
kubectl --context "$context" --namespace kube-system delete $kind kube-proxy-config
done
for kind in deployment serviceAccount configMap; do
echo "deleting $kind/coredns"
kubectl --context "$context" --namespace kube-system delete $kind coredns
done
for kind in service; do
echo "deleting $kind/kube-dns"
kubectl --context "$context" --namespace kube-system delete $kind kube-dns
done
for kind in storageclass; do
echo "deleting $kind/gp2"
kubectl --context "$context" delete $kind gp2
done |
I've got a similar requirement to update the ArgoCD password, and this worked for me resource "null_resource" "argocd_update_pass" {
provisioner "local-exec" {
interpreter = ["/bin/bash", "-c"]
command = <<EOT
kubectl patch secret -n argocd argocd-secret -p '{"stringData": { "admin.password": "'$(htpasswd -bnBC 10 "" ${data.azurerm_key_vault_secret.argocd-password.value} | tr -d ':\n')'"}}' --kubeconfig ./temp/kube-config.yaml;
EOT
}
depends_on = [
helm_release.argocd,
local_file.kube_config
]
}
resource "local_file" "kube_config" {
content = azurerm_kubernetes_cluster.aks.kube_config_raw
filename = "${path.module}/temp/kube-config.yaml"
} |
Thank you for this! I think the top most wanted use cases missing are:
I believe looking at this thread these are the top priority ones to do first.
I wonder if it would not be better to close this issue and open specific focused issues for these 4 use-cases. Keep up the good work! |
@jrhouston We have another usecase. We're running on GKE with Calico enabled, this gives us a lot of readiness/liveness probe failures because the timeout is set to 1s. This is fixed in Calico (see projectcalico/calico#5122 (comment)) but the version of Calico that includes this fix isn't available on (stable) GKE yet. So we want to apply a patch to increase the timeout to match the value as set by newer Calico versions. Also whilst I understand the desire of Terraform to keep it simple with regards to the implementation, conceptually matching kubectl will probably be simpler for most users to understand and there'd be no need for a dozen or so specific resources. |
Here's a use case: I would love some kind of kubernetes_node_selector to do this patch, instead of having to workaround from a bash command or manually importing coredns after my eks creation |
Well, parameters to the module like manage_aws_auth_configmap suggest otherwise... |
Thanks @cmanfre4 for the tip. I repurposed your solution to replace my default EKS gp2 storage class (which is unencrypted by default.) I also added a variable
|
@bryantbiggs @michelzanini checkout version 2.15.0 released two days ago |
Hi. I’d like to patch imagePullSecrets into a ServiceAccount. |
Hi, I would like to patch a meshconfig and add ingressGateway. |
Would very much appreciate the ability to |
Hello @ArieLevs
I looked at the docs but couldn't get it working. Would you be able to kindly provide an example? |
@alicancakil your specific example can be solved by addon's optional configuration. See https://aws.amazon.com/blogs/containers/amazon-eks-add-ons-advanced-configuration/. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon already supports passing configuration values to addon. |
@alicancakil the
this will remove the value of |
to create a fully serverless EKS Fargate based cluster, you only need to use the addon configuration like @z0rc mentioned. Here is an example https://github.com/clowdhaus/eks-reference-architecture/blob/f37390db1b38d154979cc1aeb4d72ab53929e847/serverless/eks.tf#L13-L15 |
We have another use case When setting up the GKE identity service for enabling OIDC authentication on the k8s API, the setup instructions require you to edit a pre-existing |
We recently merged and released the ability to patch |
Another use case would be to be able to patch an existing resource created by an operator. For example, if I deploy rancher managed Prometheus and then I want to change the configuration of the |
To add another use case to the list: Patch a priority class name on deployments/statefulsets |
Another use case, edit configurations of EKS provided kube-proxy via patching configmap (not via eks addon) |
Yet another use case: I'd like to be able to patch the
Patching would be preferable to creating new storageclasses, as there are already 7 by default. |
I created a resource to patch daemonset in my provider: |
Terraform Version
Terraform v0.12.18
Affected Resource(s)
n/a (request for new resource)
In AWS EKS, clusters come "pre-configured" with several things running in the
kube-system
namespace. We need to patch those pre-configured things, while retaining any "upstream" changes which happen to be made. (for example: set HTTP_PROXY variables)kubectl provides the
patch
keyword to handle this use-case.The kubernetes provider for terraform should do the same.
Proposed example (this would add the
proxy-environment-variables
ConfigMap to the existingenvFrom
list which already containsaws-node-environment-variable-additions
for the container namedaws-node
):The text was updated successfully, but these errors were encountered: