Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Pulling an issue from here -> : hashicorp/terraform-k8s#99

RBAC is too permissive and should be configurable to the use case. I understand the need for some of these permissions if I were controlling k8s applications inside this k8s cluster, however I have another use case where its not managing k8s apps, and thus I'd like to remove those permissions.

- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - replicasets
  - statefulsets
  verbs:
  - '*'

Also, there is no documentation on why it needs certain roles. Maybe thats another ticket?

Potential Helm Configuration

{{- if $managingKubernetesApps }}
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - replicasets
  - statefulsets
  verbs:
  - '*'
 {{- end }}

References

https://github.com/hashicorp/terraform-helm/blob/master/templates/sync-workspace-role.yaml

1. Curious to know if this operator can detect drift in remote state on TFE workspace as well on the original aws account when sqs from example is deleted by someone and perform auto remediation as per k8s controller mechanism.

2. How can we pass output of one TF module resource as input to other when created as yaml files?

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

There is no direct helm way to specify imagePullSecrets

Potential Helm Configuration

global:
  imagePullSecrets:
  - nexus-secret # .i.e.

where nexus-secret (for example) is already in existing secret with dockerconfig type.

References

https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod

Description

Description

Rename the master branch to main per HashiCorp's inclusive language commitment.

See this discussion for more information.

Helm install of this operator via terraform into AWS EKS cluster gives the following error. Same error is encountered when using helm directly:
Warning Failed 41m (x12 over 43m) kubelet Error: container has runAsNonRoot and image has non-numeric user (nobody), cannot verify user is non-root (pod: "terraform-1640001071-terraform-sync-workspace-579fb5c5bc-npf59_tfcloud(0997638a-cb58-43dd-9d0b-13722df1bce9)", container: terraform-sync-workspace)

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

terraform-k8s, Helm, & Kubernetes Version

Version 1.1.0, Terraform 1.0.7, Helm provider 2.4.0, helm version 3.7.2, Kubernetes 1.21

Helm Values

Defaults used

• #0000

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

terraform-k8s, Helm, & Kubernetes Version

Affected Resource(s)

helm.releases.hashicorp.com

Helm Values

# Copy-paste your Helm values.yaml here.

Debug Output

Expected Behavior

The terraform-helm chart should appear

Actual Behavior

Steps to Reproduce

Important Factoids

The chart appears correctly via command line, without requiring --devel

References

• #0000

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

1. Ability to override repository value (if i have proxy registry) while relying on the default value of "tag"
2. within the same chart, Defaulting "tag" (if not assigned a value from user) to .Chart.AppVersion.
3. being consistent with community charts

Potential Helm Configuration

global:
  imageK8S:
     repository: hashicorp/terraform-k8s
     tag: 1.0.0 # better make it empty string, and put this value under Chart.yaml ( appVersion)

References

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

As far as i understand, this helm chart assumes that you have already Terraform Cloud or Enterprise, and then, it starts from that.
We would like to use this helm chart to also provision a totally offline and private Terraform enterprise.
Otherwise, is there another chart does that?

Potential Helm Configuration

privateTerraformEnterprise:
   install: false
   image:
     repository: 
     tag: ...

References

https://youtu.be/ynXFwKYwu4o?t=1380

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

terraform-k8s, Helm, & Kubernetes Version

terraform-k8s: hashicorp/terraform-k8s:1.0.0
Helm: v3.6.0
Kubernetes: v1.19.8-eks-96780e

Helm Values

syncWorkspace:
  k8WatchNamespace: dev

Debug Output

E0616 16:19:10.725113 1 reflector.go:178] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1alpha1.Workspace: workspaces.app.terraform.io is forbidden: User "system:serviceaccount:terraform-operator:terraform-operator-terraform-sync-workspace" cannot list resource "workspaces" in API group "app.terraform.io" in the namespace "dev"

Expected Behavior

Terraform Cloud Operator is capable of watch and write secrets to the k8WatchNamespace defined namespace

Actual Behavior

Terraform Operator logs that have no permissions for access resource "workspaces" in API group "app.terraform.io" in the namespace "dev".

Steps to Reproduce

1. Use provided Helm values and install the operator in the "operator-terraform" namespace.

2. Apply the following YAML via kubectl apply (please note that the namespace is dev):

apiVersion: app.terraform.io/v1alpha1
kind: Workspace
metadata:
  name: infra-dev
  namespace: dev
spec:
  organization: Bla
  secretsMountPath: "/tmp/secrets"
  module:
    source: "terraform-aws-modules/sqs/aws"
    version: "3.1.0"
  outputs:
    ......
  variables:
    ......

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

terraform-k8s, Helm, & Kubernetes Version

terraform-k8s - 1.1.0
helm - 3.8.0
kubernetes - 1.22.3-gke.1500

Affected Resource(s)

(https://github.com/hashicorp/terraform-helm/blob/master/crds/app.terraform.io_workspaces_crd.yaml)

Helm Values

Default helm values.

Debug Output

Last Helm logs: Normal error 12s helm-controller reconciliation failed: Helm install failed: failed to install CRD crds/app.terraform.io_workspaces_crd.yaml: unable to recognize "": no matches for kind "CustomResourceDefinition" in version "apiextensions.k8s.io/v1beta1"

Expected Behavior

Helm chart installs the CRD

Actual Behavior

Helm chart errors on CRD install

Steps to Reproduce

Install the helm chart on k8s 1.22+

Important Factoids

References

https://kubernetes.io/docs/reference/using-api/deprecation-guide/#customresourcedefinition-v122

This is to add a Helm chart to deploy the Workspace Custom Resource. Currently, we have examples listed under the example directory as Kubernetes YAML.

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

terraform-k8s, Helm, & Kubernetes Version

terraform-k8s: 1.1.1
Helm: 3.8.0
Kubernetes: 1.21.4

Affected Resource(s)

https://github.com/hashicorp/terraform-helm/blob/master/templates/sync-workspace-role.yaml

Helm Values

global:
  imageK8S: "hashicorp/terraform-k8s:1.1.1"

Debug Output

E0301 12:31:04.773294       1 leaderelection.go:325] error retrieving resource lock k8s-tfe-test/4ebc9a03.terraform.io: leases.coordination.k8s.io "4ebc9a03.terraform.io" is forbidden: User "system:serviceaccount:k8s-tfe-test:operator-test-terraform-sync-workspace" cannot get resource "leases" in API group "coordination.k8s.io" in the namespace "k8s-tfe-test"

Expected Behavior

Helm chart should define all the required roles/rolebindings for the serviceaccount used by the image.

Actual Behavior

get and update permissions are missing for coordination.k8s.io : leases for the serviceaccount created as part of the helm chart.

Steps to Reproduce

Helm install with the new image.

Important Factoids

I know that this git repo is still using the older version (v1.1.0). Hopefully it can be updated to use new version and include additional roles.

References

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Add optional port definition to deployment's pod spec to allow prometheus-operator PodMonitor to scrape the /metrics endpoint.

Potential Helm Configuration

          {{- if .Values.syncWorkspace.exposeMetricsPort }}
          ports:
            - containerPort: 8383
              protocol: TCP
          {{- end }}

References