The latest articles on The Ops Community ⚙️ by Philipp Strube (@pst). https://community.ops.io/pst https://community.ops.io/images/22wAl05CMC9OeK4nEQvHKt0F9fUGHUDAePczleJEH2k/rs:fill:90:90/g:sm/mb:500000/ar:1/aHR0cHM6Ly9jb21t/dW5pdHkub3BzLmlv/L3JlbW90ZWltYWdl/cy91cGxvYWRzL3Vz/ZXIvcHJvZmlsZV9p/bWFnZS8xMTQvZGRj/Mzc3YjAtODBlNC00/M2MyLTkyODQtM2Ew/NWVmMWY1ZTVhLmpw/ZWc https://community.ops.io/pst en Philipp Strube Wed, 25 May 2022 19:45:34 +0000 https://community.ops.io/pst/a-better-way-to-provision-kubernetes-resources-using-terraform-4km4 https://community.ops.io/pst/a-better-way-to-provision-kubernetes-resources-using-terraform-4km4 <p>Terraform is immensely powerful when it comes to defining and maintaining infrastructure as code. In combination with a declarative API, like a cloud provider API, it can determine, preview, and apply changes to the codified infrastructure.</p> <p>Consequently, it is common for teams to use Terraform to define the infrastructure of their Kubernetes clusters. And as a platform to build platforms, Kubernetes commonly requires a number of additional services before workloads can be deployed. Think of ingress controllers or logging and monitoring agents and so on. But despite Kubernetes' own declarative API, and the obvious benefits of maintaining a cluster's infrastructure and services from the same infrastructure as code repository, Terraform is far from the first choice to provision Kubernetes resources.</p> <p>With <a href="https://www.kubestack.com/">Kubestack</a>, the open-source Terraform framework I maintain, I'm on a mission to provide the best developer experience for teams working with Terraform and Kubernetes. And unified provisioning of all platform components, from cluster infrastructure to cluster services, is something I consider crucial in my relentless pursuit of said developer experience.</p> <p>Because of that, the two common approaches to provision Kubernetes resources using Terraform never really appealed to me.</p> <p>On the one hand, there's the Kubernetes provider. And while it integrates Kubernetes resources into Terraform, maintaining the Kubernetes resources in HCL is a lot of effort. Especially for Kubernetes YAML you consume from upstream. On the other hand, there are the Helm provider and the Kubectl provider. These two use native YAML instead of HCL, but do not integrate the Kubernetes resources into the Terraform state and, as a consequence, lifecycle.</p> <p>I believe my Kustomization provider based modules are a better alternative because of three distinct benefits:</p> <ol> <li>Like Kustomize, the upstream YAML is left untouched, meaning upstream updates require minimal maintenance effort.</li> <li>By defining the Kustomize overlay in HCL, all Kubernetes resources are fully customizable using values from Terraform.</li> <li>Each Kubernetes resource is tracked individually in Terraform state, so diffs and plans show the changes to the actual Kubernetes resources.</li> </ol> <p>To make these benefits less abstract, let's compare my Nginx ingress module with one using the Helm provider to provision Nginx ingress.</p> <p>The Terraform configuration for both examples is available in <a href="https://github.com/kbst/terraform-helm-vs-kustomize">this repository</a>. Let's take a look at the Helm module first.</p> <h2> The Helm-based module </h2> <p>Usage of the module is straightforward. First, configure the Kubernetes and Helm providers.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">provider</span> <span class="s2">"kubernetes"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"~/.kube/config"</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"helm"</span> <span class="p">{</span> <span class="nx">kubernetes</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"~/.kube/config"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Then define a kubernetes_namespace and call the release/helm module.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"kubernetes_namespace"</span> <span class="s2">"nginx_ingress"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ingress-nginx"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"nginx_ingress"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-module/release/helm"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"2.7.0"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="err">.</span><span class="nx">nginx_ingress</span><span class="err">.</span><span class="nx">metadata</span><span class="err">.</span><span class="mi">0</span><span class="err">.</span><span class="nx">name</span> <span class="nx">repository</span> <span class="p">=</span> <span class="s2">"https://kubernetes.github.io/ingress-nginx"</span> <span class="nx">app</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ingress-nginx"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"4.1.0"</span> <span class="nx">chart</span> <span class="p">=</span> <span class="s2">"ingress-nginx"</span> <span class="nx">force_update</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">wait</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">recreate_pods</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">deploy</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">set</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"replicaCount"</span> <span class="nx">value</span> <span class="p">=</span> <span class="mi">2</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>If you now run a terraform plan for this configuration, you see the resources to be created.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">Terraform</span> <span class="nx">will</span> <span class="nx">perform</span> <span class="nx">the</span> <span class="nx">following</span> <span class="nx">actions</span><span class="err">:</span> <span class="c1"># kubernetes_namespace.nginx_ingress will be created</span> <span class="err">+</span> <span class="nx">resource</span> <span class="s2">"kubernetes_namespace"</span> <span class="s2">"nginx_ingress"</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">id</span> <span class="p">=</span> <span class="err">(</span><span class="nx">known</span> <span class="nx">after</span> <span class="nx">apply</span><span class="err">)</span> <span class="err">+</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">generation</span> <span class="p">=</span> <span class="err">(</span><span class="nx">known</span> <span class="nx">after</span> <span class="nx">apply</span><span class="err">)</span> <span class="err">+</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ingress-nginx"</span> <span class="err">+</span> <span class="nx">resource_version</span> <span class="p">=</span> <span class="err">(</span><span class="nx">known</span> <span class="nx">after</span> <span class="nx">apply</span><span class="err">)</span> <span class="err">+</span> <span class="nx">uid</span> <span class="p">=</span> <span class="err">(</span><span class="nx">known</span> <span class="nx">after</span> <span class="nx">apply</span><span class="err">)</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># module.nginx_ingress.helm_release.this[0] will be created</span> <span class="err">+</span> <span class="nx">resource</span> <span class="s2">"helm_release"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">atomic</span> <span class="p">=</span> <span class="kc">false</span> <span class="err">+</span> <span class="nx">chart</span> <span class="p">=</span> <span class="s2">"ingress-nginx"</span> <span class="err">+</span> <span class="nx">cleanup_on_fail</span> <span class="p">=</span> <span class="kc">false</span> <span class="err">+</span> <span class="nx">create_namespace</span> <span class="p">=</span> <span class="kc">false</span> <span class="err">+</span> <span class="nx">dependency_update</span> <span class="p">=</span> <span class="kc">false</span> <span class="err">+</span> <span class="nx">disable_crd_hooks</span> <span class="p">=</span> <span class="kc">false</span> <span class="err">+</span> <span class="nx">disable_openapi_validation</span> <span class="p">=</span> <span class="kc">false</span> <span class="err">+</span> <span class="nx">disable_webhooks</span> <span class="p">=</span> <span class="kc">false</span> <span class="err">+</span> <span class="nx">force_update</span> <span class="p">=</span> <span class="kc">true</span> <span class="err">+</span> <span class="nx">id</span> <span class="p">=</span> <span class="err">(</span><span class="nx">known</span> <span class="nx">after</span> <span class="nx">apply</span><span class="err">)</span> <span class="err">+</span> <span class="nx">lint</span> <span class="p">=</span> <span class="kc">true</span> <span class="err">+</span> <span class="nx">manifest</span> <span class="p">=</span> <span class="err">(</span><span class="nx">known</span> <span class="nx">after</span> <span class="nx">apply</span><span class="err">)</span> <span class="err">+</span> <span class="nx">max_history</span> <span class="p">=</span> <span class="mi">0</span> <span class="err">+</span> <span class="nx">metadata</span> <span class="p">=</span> <span class="err">(</span><span class="nx">known</span> <span class="nx">after</span> <span class="nx">apply</span><span class="err">)</span> <span class="err">+</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ingress-nginx"</span> <span class="err">+</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"ingress-nginx"</span> <span class="err">+</span> <span class="nx">recreate_pods</span> <span class="p">=</span> <span class="kc">false</span> <span class="err">+</span> <span class="nx">render_subchart_notes</span> <span class="p">=</span> <span class="kc">true</span> <span class="err">+</span> <span class="nx">replace</span> <span class="p">=</span> <span class="kc">false</span> <span class="err">+</span> <span class="nx">repository</span> <span class="p">=</span> <span class="s2">"https://kubernetes.github.io/ingress-nginx"</span> <span class="err">+</span> <span class="nx">reset_values</span> <span class="p">=</span> <span class="kc">false</span> <span class="err">+</span> <span class="nx">reuse_values</span> <span class="p">=</span> <span class="kc">false</span> <span class="err">+</span> <span class="nx">skip_crds</span> <span class="p">=</span> <span class="kc">false</span> <span class="err">+</span> <span class="nx">status</span> <span class="p">=</span> <span class="s2">"deployed"</span> <span class="err">+</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="mi">300</span> <span class="err">+</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[]</span> <span class="err">+</span> <span class="nx">verify</span> <span class="p">=</span> <span class="kc">false</span> <span class="err">+</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"4.1.0"</span> <span class="err">+</span> <span class="nx">wait</span> <span class="p">=</span> <span class="kc">false</span> <span class="err">+</span> <span class="nx">wait_for_jobs</span> <span class="p">=</span> <span class="kc">false</span> <span class="err">+</span> <span class="nx">set</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"replicaCount"</span> <span class="err">+</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"2"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">Plan</span><span class="err">:</span> <span class="mi">2</span> <span class="nx">to</span> <span class="nx">add</span><span class="err">,</span> <span class="mi">0</span> <span class="nx">to</span> <span class="nx">change</span><span class="err">,</span> <span class="mi">0</span> <span class="nx">to</span> <span class="nx">destroy</span><span class="err">.</span> </code></pre> </div> <p>And this is the key issue with how Helm is integrated into the Terraform workflow. The plan does not tell you what Kubernetes resources will be created for the Nginx ingress controller. And neither are the Kubernetes resources tracked in Terraform state, as shown by the apply output.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">kubernetes_namespace</span><span class="err">.</span><span class="nx">nginx_ingress</span><span class="err">:</span> <span class="nx">Creating</span><span class="err">...</span> <span class="nx">kubernetes_namespace</span><span class="err">.</span><span class="nx">nginx_ingress</span><span class="err">:</span> <span class="nx">Creation</span> <span class="nx">complete</span> <span class="nx">after</span> <span class="mi">0</span><span class="nx">s</span> <span class="p">[</span><span class="nx">id</span><span class="err">=</span><span class="nx">ingress</span><span class="err">-</span><span class="nx">nginx</span><span class="p">]</span> <span class="nx">module</span><span class="err">.</span><span class="nx">nginx_ingress</span><span class="err">.</span><span class="nx">helm_release</span><span class="err">.</span><span class="nx">this</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="err">:</span> <span class="nx">Creating</span><span class="err">...</span> <span class="nx">module</span><span class="err">.</span><span class="nx">nginx_ingress</span><span class="err">.</span><span class="nx">helm_release</span><span class="err">.</span><span class="nx">this</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="err">:</span> <span class="nx">Creation</span> <span class="nx">complete</span> <span class="nx">after</span> <span class="mi">3</span><span class="nx">s</span> <span class="p">[</span><span class="nx">id</span><span class="err">=</span><span class="nx">ingress</span><span class="err">-</span><span class="nx">nginx</span><span class="p">]</span> <span class="nx">Apply</span> <span class="nx">complete</span><span class="err">!</span> <span class="nx">Resources</span><span class="err">:</span> <span class="mi">2</span> <span class="nx">added</span><span class="err">,</span> <span class="mi">0</span> <span class="nx">changed</span><span class="err">,</span> <span class="mi">0</span> <span class="nx">destroyed</span><span class="err">.</span> </code></pre> </div> <p>Similarly, if planning a change, there's again no way to tell what the changes to the Kubernetes resources will be.</p> <p>So if you increase the <code>replicaCount</code> value of the Helm chart, the terraform plan will merely show the change to the <code>helm_release</code> resource.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">set</span> <span class="err">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"replicaCount"</span> <span class="nx">value</span> <span class="p">=</span> <span class="mi">3</span> <span class="p">}</span> <span class="p">]</span> </code></pre> </div> <p>What will the changes to the Kubernetes resources be? And more importantly, is it a simple in-place update, or does it require a destroy-and-recreate? Looking at the plan, you have no way of knowing.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">Terraform</span> <span class="nx">will</span> <span class="nx">perform</span> <span class="nx">the</span> <span class="nx">following</span> <span class="nx">actions</span><span class="err">:</span> <span class="c1"># module.nginx_ingress.helm_release.this[0] will be updated in-place</span> <span class="err">~</span> <span class="nx">resource</span> <span class="s2">"helm_release"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">=</span> <span class="s2">"ingress-nginx"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ingress-nginx"</span> <span class="c1"># (27 unchanged attributes hidden)</span> <span class="err">-</span> <span class="nx">set</span> <span class="p">{</span> <span class="err">-</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"replicaCount"</span> <span class="err">-&gt;</span> <span class="kc">null</span> <span class="err">-</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"2"</span> <span class="err">-&gt;</span> <span class="kc">null</span> <span class="p">}</span> <span class="err">+</span> <span class="nx">set</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"replicaCount"</span> <span class="err">+</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"3"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">Plan</span><span class="err">:</span> <span class="mi">0</span> <span class="nx">to</span> <span class="nx">add</span><span class="err">,</span> <span class="mi">1</span> <span class="nx">to</span> <span class="nx">change</span><span class="err">,</span> <span class="mi">0</span> <span class="nx">to</span> <span class="nx">destroy</span><span class="err">.</span> </code></pre> </div> <h2> The Kustomize-based module </h2> <p>Now, let's take a look at the same steps for the Kustomize-based module. Usage is similar. First require the kbst/kustomization provider and configure it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">kustomization</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"kbst/kustomization"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"kustomization"</span> <span class="p">{</span> <span class="nx">kubeconfig_path</span> <span class="p">=</span> <span class="s2">"~/.kube/config"</span> <span class="p">}</span> </code></pre> </div> <p>Then call the nginx/kustomization module.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"nginx_ingress"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"kbst.xyz/catalog/nginx/kustomization"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1.1.3-kbst.1"</span> <span class="nx">configuration_base_key</span> <span class="p">=</span> <span class="s2">"default"</span> <span class="nx">configuration</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">replicas</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ingress-nginx-controller"</span> <span class="nx">count</span> <span class="p">=</span> <span class="mi">2</span> <span class="p">}]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Unlike for the Helm-based module though, when you run terraform plan now you will see each Kubernetes resource and its actual configuration individually. To keep this blog post palatable, I show the details for the namespace only.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">Terraform</span> <span class="nx">will</span> <span class="nx">perform</span> <span class="nx">the</span> <span class="nx">following</span> <span class="nx">actions</span><span class="err">:</span> <span class="c1"># module.nginx_ingress.kustomization_resource.p0["_/Namespace/_/ingress-nginx"] will be created</span> <span class="err">+</span> <span class="nx">resource</span> <span class="s2">"kustomization_resource"</span> <span class="s2">"p0"</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">id</span> <span class="p">=</span> <span class="err">(</span><span class="nx">known</span> <span class="nx">after</span> <span class="nx">apply</span><span class="err">)</span> <span class="err">+</span> <span class="nx">manifest</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="err">(</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">apiVersion</span> <span class="p">=</span> <span class="s2">"v1"</span> <span class="err">+</span> <span class="nx">kind</span> <span class="p">=</span> <span class="s2">"Namespace"</span> <span class="err">+</span> <span class="nx">metadata</span> <span class="p">=</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">annotations</span> <span class="p">=</span> <span class="p">{</span> <span class="err">+</span> <span class="s2">"app.kubernetes.io/version"</span> <span class="p">=</span> <span class="s2">"v0.46.0"</span> <span class="err">+</span> <span class="s2">"catalog.kubestack.com/heritage"</span> <span class="p">=</span> <span class="s2">"kubestack.com/catalog/nginx"</span> <span class="err">+</span> <span class="s2">"catalog.kubestack.com/variant"</span> <span class="p">=</span> <span class="s2">"base"</span> <span class="p">}</span> <span class="err">+</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="err">+</span> <span class="s2">"app.kubernetes.io/component"</span> <span class="p">=</span> <span class="s2">"ingress-controller"</span> <span class="err">+</span> <span class="s2">"app.kubernetes.io/instance"</span> <span class="p">=</span> <span class="s2">"ingress-nginx"</span> <span class="err">+</span> <span class="s2">"app.kubernetes.io/managed-by"</span> <span class="p">=</span> <span class="s2">"kubestack"</span> <span class="err">+</span> <span class="s2">"app.kubernetes.io/name"</span> <span class="p">=</span> <span class="s2">"nginx"</span> <span class="p">}</span> <span class="err">+</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ingress-nginx"</span> <span class="p">}</span> <span class="p">}</span> <span class="err">)</span> <span class="p">}</span> <span class="c1"># module.nginx_ingress.kustomization_resource.p1["_/ConfigMap/ingress-nginx/ingress-nginx-controller"] will be created</span> <span class="c1"># module.nginx_ingress.kustomization_resource.p1["_/Service/ingress-nginx/ingress-nginx-controller"] will be created</span> <span class="c1"># module.nginx_ingress.kustomization_resource.p1["_/Service/ingress-nginx/ingress-nginx-controller-admission"] will be created</span> <span class="c1"># module.nginx_ingress.kustomization_resource.p1["_/ServiceAccount/ingress-nginx/ingress-nginx"] will be created</span> <span class="c1"># module.nginx_ingress.kustomization_resource.p1["_/ServiceAccount/ingress-nginx/ingress-nginx-admission"] will be created</span> <span class="c1"># module.nginx_ingress.kustomization_resource.p1["apps/Deployment/ingress-nginx/ingress-nginx-controller"] will be created</span> <span class="c1"># module.nginx_ingress.kustomization_resource.p1["batch/Job/ingress-nginx/ingress-nginx-admission-create"] will be created</span> <span class="c1"># module.nginx_ingress.kustomization_resource.p1["batch/Job/ingress-nginx/ingress-nginx-admission-patch"] will be created</span> <span class="c1"># module.nginx_ingress.kustomization_resource.p1["networking.k8s.io/IngressClass/_/nginx"] will be created</span> <span class="c1"># module.nginx_ingress.kustomization_resource.p1["rbac.authorization.k8s.io/ClusterRole/_/ingress-nginx"] will be created</span> <span class="c1"># module.nginx_ingress.kustomization_resource.p1["rbac.authorization.k8s.io/ClusterRole/_/ingress-nginx-admission"] will be created</span> <span class="c1"># module.nginx_ingress.kustomization_resource.p1["rbac.authorization.k8s.io/ClusterRoleBinding/_/ingress-nginx"] will be created</span> <span class="c1"># module.nginx_ingress.kustomization_resource.p1["rbac.authorization.k8s.io/ClusterRoleBinding/_/ingress-nginx-admission"] will be created</span> <span class="c1"># module.nginx_ingress.kustomization_resource.p1["rbac.authorization.k8s.io/Role/ingress-nginx/ingress-nginx"] will be created</span> <span class="c1"># module.nginx_ingress.kustomization_resource.p1["rbac.authorization.k8s.io/Role/ingress-nginx/ingress-nginx-admission"] will be created</span> <span class="c1"># module.nginx_ingress.kustomization_resource.p1["rbac.authorization.k8s.io/RoleBinding/ingress-nginx/ingress-nginx"] will be created</span> <span class="c1"># module.nginx_ingress.kustomization_resource.p1["rbac.authorization.k8s.io/RoleBinding/ingress-nginx/ingress-nginx-admission"] will be created</span> <span class="c1"># module.nginx_ingress.kustomization_resource.p2["admissionregistration.k8s.io/ValidatingWebhookConfiguration/_/ingress-nginx-admission"] will be created</span> <span class="nx">Plan</span><span class="err">:</span> <span class="mi">19</span> <span class="nx">to</span> <span class="nx">add</span><span class="err">,</span> <span class="mi">0</span> <span class="nx">to</span> <span class="nx">change</span><span class="err">,</span> <span class="mi">0</span> <span class="nx">to</span> <span class="nx">destroy</span><span class="err">.</span> </code></pre> </div> <p>Applying, again, has all the individual Kubernetes resources. And because the modules use explicit <code>depends_on</code> to handle namespaces and CRDs first and webhooks last, resources are reliably applied in the correct order.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span><span class="err">.</span><span class="nx">nginx_ingress</span><span class="err">.</span><span class="nx">kustomization_resource</span><span class="err">.</span><span class="nx">p0</span><span class="p">[</span><span class="s2">"_/Namespace/_/ingress-nginx"</span><span class="p">]</span><span class="err">:</span> <span class="nx">Creating</span><span class="err">...</span> <span class="nx">module</span><span class="err">.</span><span class="nx">nginx_ingress</span><span class="err">.</span><span class="nx">kustomization_resource</span><span class="err">.</span><span class="nx">p0</span><span class="p">[</span><span class="s2">"_/Namespace/_/ingress-nginx"</span><span class="p">]</span><span class="err">:</span> <span class="nx">Creation</span> <span class="nx">complete</span> <span class="nx">after</span> <span class="mi">0</span><span class="nx">s</span> <span class="p">[</span><span class="nx">id</span><span class="err">=</span><span class="mi">369</span><span class="nx">e8643</span><span class="err">-</span><span class="nx">ad33</span><span class="err">-</span><span class="mi">4</span><span class="nx">eb4</span><span class="err">-</span><span class="mi">95</span><span class="nx">dc</span><span class="err">-</span><span class="nx">f506cef4a198</span><span class="p">]</span> <span class="nx">module</span><span class="err">.</span><span class="nx">nginx_ingress</span><span class="err">.</span><span class="nx">kustomization_resource</span><span class="err">.</span><span class="nx">p1</span><span class="p">[</span><span class="s2">"rbac.authorization.k8s.io/RoleBinding/ingress-nginx/ingress-nginx"</span><span class="p">]</span><span class="err">:</span> <span class="nx">Creating</span><span class="err">...</span> <span class="nx">module</span><span class="err">.</span><span class="nx">nginx_ingress</span><span class="err">.</span><span class="nx">kustomization_resource</span><span class="err">.</span><span class="nx">p1</span><span class="p">[</span><span class="s2">"batch/Job/ingress-nginx/ingress-nginx-admission-create"</span><span class="p">]</span><span class="err">:</span> <span class="nx">Creating</span><span class="err">...</span> <span class="err">...</span> <span class="nx">module</span><span class="err">.</span><span class="nx">nginx_ingress</span><span class="err">.</span><span class="nx">kustomization_resource</span><span class="err">.</span><span class="nx">p1</span><span class="p">[</span><span class="s2">"batch/Job/ingress-nginx/ingress-nginx-admission-patch"</span><span class="p">]</span><span class="err">:</span> <span class="nx">Creation</span> <span class="nx">complete</span> <span class="nx">after</span> <span class="mi">1</span><span class="nx">s</span> <span class="p">[</span><span class="nx">id</span><span class="err">=</span><span class="mi">58346878</span><span class="err">-</span><span class="mi">70</span><span class="nx">bd</span><span class="err">-</span><span class="mi">42</span><span class="nx">f2</span><span class="err">-</span><span class="nx">af61</span><span class="err">-</span><span class="mi">2730</span><span class="nx">e3435ca7</span><span class="p">]</span> <span class="nx">module</span><span class="err">.</span><span class="nx">nginx_ingress</span><span class="err">.</span><span class="nx">kustomization_resource</span><span class="err">.</span><span class="nx">p1</span><span class="p">[</span><span class="s2">"_/ServiceAccount/ingress-nginx/ingress-nginx"</span><span class="p">]</span><span class="err">:</span> <span class="nx">Creation</span> <span class="nx">complete</span> <span class="nx">after</span> <span class="mi">0</span><span class="nx">s</span> <span class="p">[</span><span class="nx">id</span><span class="err">=</span><span class="nx">f009bbb7</span><span class="err">-</span><span class="mi">7</span><span class="nx">d2e</span><span class="err">-</span><span class="mi">4</span><span class="nx">f28</span><span class="err">-</span><span class="nx">a826</span><span class="err">-</span><span class="nx">ce133c91cc15</span><span class="p">]</span> <span class="nx">module</span><span class="err">.</span><span class="nx">nginx_ingress</span><span class="err">.</span><span class="nx">kustomization_resource</span><span class="err">.</span><span class="nx">p2</span><span class="p">[</span><span class="s2">"admissionregistration.k8s.io/ValidatingWebhookConfiguration/_/ingress-nginx-admission"</span><span class="p">]</span><span class="err">:</span> <span class="nx">Creating</span><span class="err">...</span> <span class="nx">module</span><span class="err">.</span><span class="nx">nginx_ingress</span><span class="err">.</span><span class="nx">kustomization_resource</span><span class="err">.</span><span class="nx">p2</span><span class="p">[</span><span class="s2">"admissionregistration.k8s.io/ValidatingWebhookConfiguration/_/ingress-nginx-admission"</span><span class="p">]</span><span class="err">:</span> <span class="nx">Creation</span> <span class="nx">complete</span> <span class="nx">after</span> <span class="mi">1</span><span class="nx">s</span> <span class="p">[</span><span class="nx">id</span><span class="err">=</span><span class="mi">3185</span><span class="nx">b09f</span><span class="err">-</span><span class="mi">1</span><span class="nx">f67</span><span class="err">-</span><span class="mi">4079</span><span class="err">-</span><span class="nx">b44f</span><span class="err">-</span><span class="nx">de01bff44bd2</span><span class="p">]</span> <span class="nx">Apply</span> <span class="nx">complete</span><span class="err">!</span> <span class="nx">Resources</span><span class="err">:</span> <span class="mi">19</span> <span class="nx">added</span><span class="err">,</span> <span class="mi">0</span> <span class="nx">changed</span><span class="err">,</span> <span class="mi">0</span> <span class="nx">destroyed</span><span class="err">.</span> </code></pre> </div> <p>Naturally, it also means that if you increase the replica count like this...<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">replicas</span> <span class="err">=</span> <span class="p">[{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ingress-nginx-controller"</span> <span class="nx">count</span> <span class="p">=</span> <span class="mi">3</span> <span class="p">}]</span> </code></pre> </div> <p>...the terraform plan shows which Kubernetes resources will change and what the diff is.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">Terraform</span> <span class="nx">will</span> <span class="nx">perform</span> <span class="nx">the</span> <span class="nx">following</span> <span class="nx">actions</span><span class="err">:</span> <span class="c1"># module.nginx_ingress.kustomization_resource.p1["apps/Deployment/ingress-nginx/ingress-nginx-controller"] will be updated in-place</span> <span class="err">~</span> <span class="nx">resource</span> <span class="s2">"kustomization_resource"</span> <span class="s2">"p1"</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">=</span> <span class="s2">"81e8ff18-6c6c-440d-bd8b-bf5f0d016953"</span> <span class="err">~</span> <span class="nx">manifest</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="err">(</span> <span class="err">~</span> <span class="p">{</span> <span class="err">~</span> <span class="nx">spec</span> <span class="p">=</span> <span class="p">{</span> <span class="err">~</span> <span class="nx">replicas</span> <span class="p">=</span> <span class="mi">2</span> <span class="err">-&gt;</span> <span class="mi">3</span> <span class="c1"># (4 unchanged elements hidden)</span> <span class="p">}</span> <span class="c1"># (3 unchanged elements hidden)</span> <span class="p">}</span> <span class="err">)</span> <span class="p">}</span> <span class="nx">Plan</span><span class="err">:</span> <span class="mi">0</span> <span class="nx">to</span> <span class="nx">add</span><span class="err">,</span> <span class="mi">1</span> <span class="nx">to</span> <span class="nx">change</span><span class="err">,</span> <span class="mi">0</span> <span class="nx">to</span> <span class="nx">destroy</span><span class="err">.</span> </code></pre> </div> <p>Maybe more importantly even, the Kustomization provider will also correctly show if a resource can be changed using an in-place update. Or if a destroy-and-recreate is required because there is a change to an immutable field, for example.</p> <p>This is the result of two things:</p> <ol> <li>That, as you've just seen, every Kubernetes resource is handled individually in Terraform state, and</li> <li>that the Kustomization provider uses Kubernetes' server-side dry-runs to determine the diff of each resource.</li> </ol> <p>Based on the result of that dry-run, the provider instructs Terraform to create an in-place or a destroy-and-recreate plan.</p> <p>So, as an example of such a change, imagine you need to change <code>spec.selector.matchLabels</code>. Since <code>matchLabels</code> is an immutable field, you will see a plan that states that the Deployment resource must be replaced. And you will see 1 to add and 1 to destroy in the plan's summary.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">Terraform</span> <span class="nx">will</span> <span class="nx">perform</span> <span class="nx">the</span> <span class="nx">following</span> <span class="nx">actions</span><span class="err">:</span> <span class="c1"># module.nginx_ingress.kustomization_resource.p1["apps/Deployment/ingress-nginx/ingress-nginx-controller"] must be replaced</span> <span class="err">-/+</span> <span class="nx">resource</span> <span class="s2">"kustomization_resource"</span> <span class="s2">"p1"</span> <span class="p">{</span> <span class="err">~</span> <span class="nx">id</span> <span class="p">=</span> <span class="s2">"81e8ff18-6c6c-440d-bd8b-bf5f0d016953"</span> <span class="err">-&gt;</span> <span class="err">(</span><span class="nx">known</span> <span class="nx">after</span> <span class="nx">apply</span><span class="err">)</span> <span class="err">~</span> <span class="nx">manifest</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="err">(</span> <span class="err">~</span> <span class="p">{</span> <span class="err">~</span> <span class="nx">metadata</span> <span class="p">=</span> <span class="p">{</span> <span class="err">~</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">example</span><span class="err">-</span><span class="nx">selector</span> <span class="p">=</span> <span class="s2">"example"</span> <span class="c1"># (6 unchanged elements hidden)</span> <span class="p">}</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ingress-nginx-controller"</span> <span class="c1"># (2 unchanged elements hidden)</span> <span class="p">}</span> <span class="err">~</span> <span class="nx">spec</span> <span class="p">=</span> <span class="p">{</span> <span class="err">~</span> <span class="nx">replicas</span> <span class="p">=</span> <span class="mi">2</span> <span class="err">-&gt;</span> <span class="mi">3</span> <span class="err">~</span> <span class="nx">selector</span> <span class="p">=</span> <span class="p">{</span> <span class="err">~</span> <span class="nx">matchLabels</span> <span class="p">=</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">example</span><span class="err">-</span><span class="nx">selector</span> <span class="p">=</span> <span class="s2">"example"</span> <span class="c1"># (4 unchanged elements hidden)</span> <span class="p">}</span> <span class="p">}</span> <span class="err">~</span> <span class="nx">template</span> <span class="p">=</span> <span class="p">{</span> <span class="err">~</span> <span class="nx">metadata</span> <span class="p">=</span> <span class="p">{</span> <span class="err">~</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">example</span><span class="err">-</span><span class="nx">selector</span> <span class="p">=</span> <span class="s2">"example"</span> <span class="c1"># (4 unchanged elements hidden)</span> <span class="p">}</span> <span class="c1"># (1 unchanged element hidden)</span> <span class="p">}</span> <span class="c1"># (1 unchanged element hidden)</span> <span class="p">}</span> <span class="c1"># (2 unchanged elements hidden)</span> <span class="p">}</span> <span class="c1"># (2 unchanged elements hidden)</span> <span class="p">}</span> <span class="c1"># forces replacement</span> <span class="err">)</span> <span class="p">}</span> <span class="nx">Plan</span><span class="err">:</span> <span class="mi">1</span> <span class="nx">to</span> <span class="nx">add</span><span class="err">,</span> <span class="mi">0</span> <span class="nx">to</span> <span class="nx">change</span><span class="err">,</span> <span class="mi">1</span> <span class="nx">to</span> <span class="nx">destroy</span><span class="err">.</span> </code></pre> </div> <h2> Try it yourself </h2> <p>You can find the <a href="https://github.com/kbst/terraform-helm-vs-kustomize">source code</a> for the comparison on GitHub if you want to experiment with the differences yourself.</p> <p>If you want to try the Kustomize modules yourself, you can either use one of the modules from the catalog that bundle upstream YAML, like the <a href="https://www.kubestack.com/catalog/prometheus">Prometheus operator</a>, <a href="https://www.kubestack.com/catalog/cert-manager">Cert-Manager</a>, <a href="https://www.kubestack.com/catalog/sealed-secrets">Sealed secrets</a>, or <a href="https://www.kubestack.com/catalog/tektoncd">Tekton</a>, for example.</p> <p>But this doesn't only work for upstream services. There is also a module that can be used to provision any Kubernetes YAML in the exact same way as the catalog modules - called the <a href="https://www.kubestack.com/framework/documentation/cluster-service-modules#custom-manifests">custom manifest module</a>.</p> <h2> Get involved </h2> <p>Currently, the number of services available from the catalog is still limited.</p> <p>If you want to get involved, you can also find the <a href="https://github.com/kbst/catalog">catalog source on GitHub</a>.</p> <p>Photo by <a href="https://unsplash.com/@garri?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Vladislav Babienko</a> on <a href="https://unsplash.com/s/photos/options?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Unsplash</a></p> devops terraform kubernetes kubestack