Working with Terraform and Kubernetes
Author:
Maintaining Kubestack, an open-source
Hashicorp recently announced
In this post I will however focus only on using Terraform to provision Kubernetes API resources, not Kubernetes clusters.
To be able to support different resources, Terraform requires providers that integrate the respective API. So, to create Kubernetes resources we need a Kubernetes provider. Here are our options: First, the
Terraform requires a schema for each resource and this means the maintainers have to translate the schema of each Kubernetes resource into a Terraform schema. This is a lot of effort and was the reason why for a long time the supported resources where pretty limited. While this has improved over time, still not everything is supported. And especially
This schema translation also results in some edge cases to be aware of. For example, On the plus side however, having a Terraform schema means full integration between Kubernetes and other Terraform resources. Like for
The biggest benefit when using Terraform to maintain Kubernetes resources is integration into the Terraform plan/apply life-cycle. So you can review planned changes before applying them. Also, using Second, the new
This provider uses dynamic resource types and server-side-apply to support all Kubernetes resources. I personally think this provider has the potential to be a game changer - even if
The only downside really is, that it's explicitly discouraged to use it for anything but testing. But the more people test it, the sooner it should be ready for prime time. So I encourage everyone to give it a try. Last, we have the
Kustomize is a popular way to handle customizations. But I was looking for a more reliable way to automate applying changes. Since this is exactly what Terraform is great at the Kustomize provider was born. Not going into too much detail here, but from Terraform's perspective, this provider treats every Kubernetes resource as a JSON string. This way it can handle any Kubernetes resource resulting from the Kustomize build. But it has the big disadvantage that Kubernetes resources can not easily be integrated with other Terraform resources. Remember the load balancer example from above. Under the hood, similarly to the new Kubernetes alpha provider, the Kustomize provider also uses the dynamic Kubernetes client and server-side-apply. Going forward, I plan to deprecate this part of the Kustomize provider that overlaps with the new Kubernetes provider and only keep the Kustomize integration. For teams that are already invested into Terraform, or teams that are looking for ways to replace The new alpha provider removes the limitations and has the potential to make Terraform a prime option to automate changes to Kubernetes resources. Teams that have already adopted Kustomize, may find integrating Kustomize and Terraform using the Kustomize provider beneficial over If you have any questions regarding these three options, feel free to reach out to me on the Kubernetes Slack in either the
Terraform
kubernetes provider (official)metadata in the Terraform schema is a list of maps. Which means you have to refer to the metadata.name of a Kubernetes resource like this in Terraform: kubernetes_secret.example.metadata.0.name.kubectl, purging of resources from the cluster is not trivial without manual intervention. Terraform does this reliably.Terraform
kubernetes-alpha providerTerraform
kustomize providerConclusion
kubectl in automation, Terraform's plan/apply life-cycle has always been a promising option to automate changes to Kubernetes resources. However, the limitations of the official Kubernetes provider resulted in this not seeing significant adoption.kubectl because it avoids common edge cases. Even if in this set up, Terraform can only easily be used to plan and apply the changes, not to adapt the Kubernetes resources. In the future, this issue may be resolved by combining the Kustomize provider with the new Kubernetes provider.