[Bug]: validate kubernetes credential on every plan/apply
networkhermit opened this issue · comments
Describe the bug
I find that terraform-provider-flux doesn't check the validity of the kubernetes credential on every terraform plan/terraform apply. So invalid kubernetes credentials could stay undetected in terraform-provider-flux for a long time and break in a fresh bootstrap.
Steps to reproduce
- Bootstrap a testing cluster with the following provider configuration
provider "flux" {
  kubernetes = {
    config_path = "~/.kube/config"
  }
  git = {}
}
- Refactor the kubernetes credential configuration:
provider "flux" {
  kubernetes = {
    config_path = "~/.kube/non_existed_config"
  }
  git = {}
}
Or the following example based on a real refactor regression:
provider "flux" {
  kubernetes = {
    client_certificate     = var.KUBE_CLIENT_CERT_DATA
    config_path            = var.KUBE_CLIENT_KEY_DATA // The config_path should be client_key
    cluster_ca_certificate = var.KUBE_CLUSTER_CA_CERT_DATA
    host                   = var.KUBE_HOST
  }
  git = {}
}
- Running terraform plan or terraform apply won't detect that the kubernetes credential handling is problematic.
Expected behavior
Validate the kubernetes credential on every plan/apply phase.
Screenshots and recordings
No response
Terraform and provider versions
OpenTofu v1.6.2
on linux_amd64
- provider registry.opentofu.org/fluxcd/flux v1.2.3
Terraform provider configurations
provider "flux" {
  kubernetes = {
    config_path = "~/.kube/non_existed_config"
  }
  git = {}
}
flux_bootstrap_git resource
resource "flux_bootstrap_git" "fleet" {
  cluster_domain = var.cluster_domain
  path           = var.watch_path
}
Flux version
null
Additional context
No response
Code of Conduct
- I agree to follow this project's Code of Conduct
Would you like to implement a fix?
None
We should add the logic check to https://github.com/fluxcd/terraform-provider-flux/blob/main/internal/provider/provider.go#L331
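
The kind of pre-flight check this issue asks for, written here as an added example; it is not code from terraform-provider-flux or from anyone in this thread. `KubeAuth` and `Validate` are hypothetical names, with fields following the attributes shown in the issue, and the check covers both broken configurations above (a missing `config_path` file, and key data passed as `config_path`).

```go
package main

import (
	"encoding/pem"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// KubeAuth is a hypothetical stand-in for the provider's kubernetes block;
// field names follow the attributes shown in the issue.
type KubeAuth struct {
	ConfigPath, Host, ClientCertificate, ClientKey, ClusterCACertificate string
}

// Validate collects every problem so a single plan run reports them all.
func (k KubeAuth) Validate() error {
	var errs []error
	if p := k.ConfigPath; p != "" {
		if home, err := os.UserHomeDir(); err == nil && strings.HasPrefix(p, "~/") {
			p = filepath.Join(home, p[2:])
		}
		if fi, err := os.Stat(p); err != nil {
			// Report only the cause: the path itself may be misplaced key data.
			errs = append(errs, fmt.Errorf("config_path: %v", errors.Unwrap(err)))
		} else if fi.IsDir() {
			errs = append(errs, errors.New("config_path: is a directory"))
		}
	}
	if (k.ClientCertificate == "") != (k.ClientKey == "") {
		errs = append(errs, errors.New("client_certificate and client_key must be set together"))
	}
	for _, f := range [][2]string{
		{"client_certificate", k.ClientCertificate},
		{"client_key", k.ClientKey},
		{"cluster_ca_certificate", k.ClusterCACertificate},
	} {
		if b, _ := pem.Decode([]byte(f[1])); f[1] != "" && b == nil {
			errs = append(errs, fmt.Errorf("%s: no PEM block found", f[0]))
		}
	}
	return errors.Join(errs...) // nil when nothing was wrong
}

func main() {
	// Constructed input: the first broken configuration from the issue.
	fmt.Println(KubeAuth{ConfigPath: "~/.kube/non_existed_config"}.Validate())
}
```

The checks are structural only: they confirm a file exists and that PEM blocks are present, not that the API server accepts the credential.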