Terraform v0.11.11
+ provider.google v1.19.1
+ provider.google-beta v1.20.0
+ provider.kubernetes v1.5.1
+ provider.null v1.0.0
+ provider.template v1.0.0
resource "kubernetes_service_account" "dev" {
  metadata {
    name      = "dev"
    namespace = "test"
  }
}

data "kubernetes_secret" "dev-secret" {
  metadata {
    # default_secret_name is an attribute of the service account itself (no list index)
    name      = "${kubernetes_service_account.dev.default_secret_name}"
    namespace = "${kubernetes_service_account.dev.metadata.0.namespace}"
  }

  depends_on = [
    "kubernetes_service_account.dev",
  ]
}
output "dev_service_account_kubeconfig" {
  value = <<EOF
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ${data.kubernetes_secret.dev-secret.data.ca.crt}
    server: https://${var.cluster_endpoint}
  name: cluster
contexts:
- context:
    cluster: cluster
    user: user
    namespace: ${kubernetes_service_account.dev.metadata.0.namespace}
  name: context
current-context: context
kind: Config
preferences: {}
users:
- name: user
  user:
    token: ${base64decode(data.kubernetes_secret.dev-secret.data.token)}
EOF
}
Expected behavior: the output should be properly generated.
Actual behavior: the attribute ca.crt from the data body of the secret cannot be accessed because of dot syntax limitations.
Steps to reproduce: terraform apply
There should be a way to access all the data attributes present in a secret.
This is certainly a bug caused by https://github.com/hashicorp/terraform/issues/10876
It is already fixed in Terraform master and will be available in the 0.12 release.
Here is my test with a build of TF master and the provider 0.12 branch.
~/test-service-account » cat main.tf
resource "kubernetes_service_account" "test" {
  metadata {
    generate_name = "test"
  }
}

data "kubernetes_secret" "test" {
  metadata {
    name      = "${kubernetes_service_account.test.default_secret_name}"
    namespace = "${kubernetes_service_account.test.metadata.0.namespace}"
  }
}

output "token" {
  value = "${data.kubernetes_secret.test.data["token"]}"
}

output "cert" {
  value = "${data.kubernetes_secret.test.data["ca.crt"]}"
}
~/test-service-account » terraform-local version
Terraform v0.12.0-dev
+ provider.kubernetes (unversioned)

~/test-service-account » terraform-local apply
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
<= read (data resources)
Terraform will perform the following actions:
  # data.kubernetes_secret.test will be read during apply
  # (config refers to values not yet known)
 <= data "kubernetes_secret" "test" {
      + data = (sensitive value)
      + id   = (known after apply)
      + type = (known after apply)

      + metadata {
          + generation       = (known after apply)
          + name             = (known after apply)
          + namespace        = "default"
          + resource_version = (known after apply)
          + self_link        = (known after apply)
          + uid              = (known after apply)
        }
    }

  # kubernetes_service_account.test will be created
  + resource "kubernetes_service_account" "test" {
      + automount_service_account_token = false
      + default_secret_name             = (known after apply)
      + id                              = (known after apply)

      + metadata {
          + generate_name    = "test"
          + generation       = (known after apply)
          + name             = (known after apply)
          + namespace        = "default"
          + resource_version = (known after apply)
          + self_link        = (known after apply)
          + uid              = (known after apply)
        }
    }
Plan: 1 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
kubernetes_service_account.test: Creating...
kubernetes_service_account.test: Creation complete after 0s [id=default/testvbkj7]
data.kubernetes_secret.test: Refreshing state...
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
Outputs:
cert = -----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
token = eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InRlc3R2YmtqNy10b2tlbi1nZGh2ayIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJ0ZXN0dmJrajciLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIyOGEzYTRmMi00ZjU4LTExZTktYThkYy00MjAxMGE4NDAxZGMiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDp0ZXN0dmJrajcifQ.TeCbBD_BCdfYerE5m_m_2WrCzi6kzmPMnXLL2YsAXFfZYjTcT-sY4m7ZhgMHVpcMEoSlkfVPBpfsTwFlLr0opLMrPIh7YetwcwUIRFlilIVJLrYYRMlFclzhJR4kQyIIa-agZIBf87MhpMfyyj8xZeeINlaugw85lzMureF2YIwCq_NeyBuce0qLnFgSU6pSJ6ZvYhYAJf35vf9M2ipanYv03vumSSv99JJ1WyHQRa4BRhdpg4LVqh0fNvN1W9kKVvkT2pvD8-Y0tSWK-Hr5vCpK8XTP6OKSowl0ceZxXAzDAtGoMbaYiXmTB-JFAeNije3wt8dEUi9oNWhYpqjYcg
Until v0.12 is released, a temporary workaround to at least be able to see the output in a reasonable format would be:
output "dev_service_account_kubeconfig" {
  value = "${jsonencode(data.kubernetes_secret.dev-secret.data)}"
}
~This should work with terraform 0.11: ${lookup(data.kubernetes_secret.dev-secret.data, "ca.crt")}.~
Apparently, it does not: https://github.com/terraform-providers/terraform-provider-kubernetes/issues/436#issuecomment-492631122
Here is a work-around for terraform 0.11 with an external datasource script (depends on bash and jq):
provider kubernetes {
  version = "1.6.2"
}

provider external {
  version = "1.1.2"
}

resource "kubernetes_service_account" "ci" {
  metadata {
    name = "ci"
  }
}

data "kubernetes_secret" "ci" {
  metadata {
    name = "${kubernetes_service_account.ci.default_secret_name}"
  }
}

output "ci_token" {
  value = "${lookup(data.kubernetes_secret.ci.data, "token")}"
}

data "external" "ci_ca_crt" {
  program = ["${path.module}/extract.sh"]

  query = {
    input = "${jsonencode(data.kubernetes_secret.ci.data)}"
  }
}

output "ci_ca_cert" {
  value = "${data.external.ci_ca_crt.result["ca_crt"]}"
}
Content of extract.sh:

#!/bin/bash
# Exit if any of the intermediate steps fail
set -e
# Exit if any of the pipeline steps fail
set -o pipefail

# Extract the "input" argument from the query on stdin into the INPUT shell variable.
# jq will ensure that the value is properly quoted and escaped for consumption by the shell.
eval "$(jq -r '@sh "INPUT=\(.input)"')"

# Safely produce a JSON object containing the result value.
# jq will ensure that the value is properly quoted and escaped to produce a valid JSON string.
# The two-step path .ca | .crt is deliberate: under Terraform 0.11 the jsonencode()d map
# carries the dotted key "ca.crt" nested as {"ca": {"crt": ...}}, which is why the
# apply below succeeds with this path rather than .["ca.crt"].
jq -n --argjson input "$INPUT" '{"ca_crt": $input | .ca | .crt}'
Result:
# terraform apply
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
<= read (data resources)
Terraform will perform the following actions:
 <= data.external.ci_ca_crt
      id:        <computed>
      program.#: "1"
      program.0: "/home/patrick/go/src/github.com/terraform-providers/terraform-provider-kubernetes/test/extract.sh"
      query.%:   <computed>
      result.%:  <computed>

 <= data.kubernetes_secret.ci
      id:                          <computed>
      data.%:                      <computed>
      metadata.#:                  "1"
      metadata.0.generation:       <computed>
      metadata.0.name:             "${kubernetes_service_account.ci.default_secret_name}"
      metadata.0.namespace:        "default"
      metadata.0.resource_version: <computed>
      metadata.0.self_link:        <computed>
      metadata.0.uid:              <computed>
      type:                        <computed>

  + kubernetes_service_account.ci
      id:                          <computed>
      default_secret_name:         <computed>
      metadata.#:                  "1"
      metadata.0.generation:       <computed>
      metadata.0.name:             "ci"
      metadata.0.namespace:        "default"
      metadata.0.resource_version: <computed>
      metadata.0.self_link:        <computed>
      metadata.0.uid:              <computed>
Plan: 1 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
kubernetes_service_account.ci: Creating...
  default_secret_name:         "" => "<computed>"
  metadata.#:                  "" => "1"
  metadata.0.generation:       "" => "<computed>"
  metadata.0.name:             "" => "ci"
  metadata.0.namespace:        "" => "default"
  metadata.0.resource_version: "" => "<computed>"
  metadata.0.self_link:        "" => "<computed>"
  metadata.0.uid:              "" => "<computed>"
kubernetes_service_account.ci: Creation complete after 0s (ID: default/ci)
data.kubernetes_secret.ci: Refreshing state...
data.external.ci_ca_crt: Refreshing state...
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
Outputs:
ci_ca_cert = -----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
ci_token = <service account JWT omitted>
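As an added example that is not the thread's script, the same external data source program in Python (no jq dependency): it accepts both the nested shape the jq path `.ca | .crt` relies on under Terraform 0.11 and the flat `ca.crt` key, and it fails closed on anything that is not a PEM certificate, so `terraform apply` errors out instead of writing an empty CA into a kubeconfig. The file name `extract_ca.py` is assumed; wire it in with `program = ["python3", "${path.module}/extract_ca.py"]`.

```python
# Added example, not the thread's script: an "external" data source program that
# pulls the cluster CA out of the jsonencode()d secret data. The external provider
# passes the query map as JSON on stdin, expects a JSON object of string values on
# stdout, and reports a non-zero exit status as an error.
import json
import sys

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def find_ca_crt(data):
    """Return the CA certificate from the secret data map, or None if absent.

    Accepts both the flat {"ca.crt": ...} map the Kubernetes API carries and
    the nested {"ca": {"crt": ...}} shape the jq script above (.ca | .crt)
    relies on when Terraform 0.11 encodes a map key containing a dot.
    """
    flat = data.get("ca.crt")
    if isinstance(flat, str):
        return flat
    nested = data.get("ca")
    if isinstance(nested, dict) and isinstance(nested.get("crt"), str):
        return nested["crt"]
    return None


def extract_ca(query):
    """Build the result map for the query; raise ValueError to fail closed."""
    # query["input"] is the jsonencode()d data map: a JSON string inside JSON.
    cert = find_ca_crt(json.loads(query["input"]))
    if cert is None:
        raise ValueError('secret data has no "ca.crt" entry')
    cert = cert.strip()
    if not (cert.startswith(PEM_HEADER) and cert.endswith(PEM_FOOTER)):
        raise ValueError('"ca.crt" is not a PEM certificate')
    # Only the CA is returned; the token is not copied into this data source's state.
    return {"ca_crt": cert}


def main():
    try:
        result = extract_ca(json.load(sys.stdin))
    except (KeyError, ValueError) as exc:  # JSONDecodeError is a ValueError
        print(f"extract_ca.py: {exc}", file=sys.stderr)
        sys.exit(1)
    json.dump(result, sys.stdout)

if __name__ == "__main__":
    main()
```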
As an update, we ended up taking the certificate from another resource (the cloud provider resource) and passing it around. We tried to avoid as many hacks as possible and to lower the maintenance struggle.
Can confirm this is resolved with terraform 0.12+:
provider kubernetes {
  version = "1.6.2"
}

resource "kubernetes_service_account" "ci" {
  metadata {
    name = "ci"
  }
}

data "kubernetes_secret" "ci" {
  metadata {
    name = kubernetes_service_account.ci.default_secret_name
  }
}

output "ci_token" {
  value = lookup(data.kubernetes_secret.ci.data, "token")
}

output "ci_ca_cert" {
  value = lookup(data.kubernetes_secret.ci.data, "ca.crt")
}
# terraform version
Terraform v0.12.1
+ provider.kubernetes v1.6.2
# terraform apply -auto-approve
kubernetes_service_account.ci: Creating...
kubernetes_service_account.ci: Creation complete after 1s [id=default/ci]
data.kubernetes_secret.ci: Refreshing state...
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
Outputs:
ci_ca_cert = -----BEGIN CERTIFICATE-----
MIIC5zCCAc+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwptaW5p
[...]
KrJhfLsMyDbWG8oevmU22g4PVPUVNGc072wv
-----END CERTIFICATE-----
ci_token = eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJp****Kuyiwfxo-D6duTUh5LhEw
Closing since this is resolved.
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!