New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for certificates/v1 API #1473
Conversation
d6ae153
to
61c9b6a
Compare
"signer_name": { | ||
Type: schema.TypeString, | ||
Description: apiDocSpec["signerName"], | ||
Required: true, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is now required by the API.
return getErr | ||
} | ||
approval := certificates.CertificateSigningRequestCondition{ | ||
Status: v1.ConditionTrue, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The status field is now required in the condition.
} | ||
|
||
log.Printf("[DEBUG] Waiting for certificate to be issued") | ||
err = resource.RetryContext(ctx, d.Timeout(schema.TimeoutCreate), func() *resource.RetryError { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I changed this to use the RetryContext function rather than the StateChangeConf struct as we weren't actually dealing with any state here.
log.Printf("[ERROR] Received error: %v", err) | ||
return resource.NonRetryableError(err) | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I removed some superfluous logic here, the for loop below is all that's required.
if v, ok := in["usages"].(*schema.Set); ok && v.Len() > 0 { | ||
obj.Usages = expandCertificateSigningRequestV1Usages(v.List()) | ||
} | ||
if v, ok := in["signer_name"].(string); ok && v != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added signer_name
here, as it was missing.
a3d83c0
to
fb94507
Compare
fb94507
to
d07db75
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, works in my testing.
The trouble with putting the API version into the Terraform code: if in future you want to replace a With cloud providers that provide multiple APIs for the same backing resource, Terraform typically doesn't expose details of which API Terraform is using. I'd expect to see a preference for any particular API configured at the provider level, not per-resource. |
Hi @sftim thanks for sharing your thoughts. Fundamentally, I agree with what you're saying – I would love it were possible to specify the API group/version (or use the discovery client to check) and then have the provider use the appropriate schema for the resource when the provider plugin is loaded, either by specifying it in the provider block or even the resource itself in the same way that Kubernetes does. Unfortunately down to the way the Terraform's protocol and type system works this isn't possible right now, and that kind of change is likely a major version away for Terraform if it's even feasible. The schema for the built-in resources (ones that aren't kubernetes_manifest) has to be known at build time, and there isn't a mechanism for resources to have multiple schema versions that can be built into the provider and toggled based on configuration. Certainly as Terraform evolves we will come back and revisit this. So at present it's kind of a trade-off between:
I have written more about our motivation for doing this on this (unreleased) documentation page but basically the tl;dr is this is going to make it easier for us to use code generation to generate each resource in the provider from the Kubernetes API definition, rather than the currently laborious manual process it is today. The third option above (I feel) is the lesser of those 3 evils to help get us to where the lag time between changes the Kubernetes API landing as built-in resources in the provider is much shorter. Hopefully that makes sense. |
Also, to your point on this, there is some prior art on this in the AWS provider where to support multiple versions of the underlying cloud API the version number actually is exposed in the resource name for a few services like CloudHSM and API Gateway. Another option that occurred to me would be to actually break the provider down into multiple provider plugins for each API group (e.g having |
@jrhouston if there's a GitHub issue or discussion about this (in the I can start one but also very happy to let you take a lead there. |
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
Description
This PR adds support for the certificates/v1 API by adding a new
kubernetes_certificate_signing_request_v1
resource.Acceptance tests
Output from acceptance testing:
Release Note
Release note for CHANGELOG:
References
Community Note