https://rancher.com/ logo
Join Slack
Powered by
This message was deleted.
# general
a
This message was deleted.
p
s
So I have to edit all the terraform resources to add this exclusion? is there a way to avoid rancher to write these labels/annotations?
and I guess I’ve to do the same with argo too
p
depending on the version you are using, you may be able to set it on the provider level https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs#ignore-kubernetes-annotations-and-labels
annotating things is a common thing that happens in kubernetes, it is not unusual for rancher to be doing it. It just doesn't happen to easily fit into the model that terraform uses. I've had better luck using the terraform helm provider instead of the kubernetes provider (create a new chart in a subdirectory of the terraform module)
s
I see, thank you for the hint. We planned to use rancher mostly as a “read-only” system, everything else is managed with terraform and argo. We just didn’t expect it will edit all the resources in the cluster
p
argo should be smart enough to not have problems with rancher's edits, I would lean more on that than terraform. Terraform is still good for cases where maybe you have something in a terraform variable and you want to write it to a secret/configmap
đź‘Ť 1
this would probably cover most of it
Copy code
provider "kubernetes" {
  ignore_annotations = [
    "cattle\\.io\\/",
  ]
}
if you are using AWS EKS, it likes to annotate things too, you can add regex to the above
s
Cool, thanks!
b
It is unfortunately pretty common for APIs to make changes to objects without asking. For instance AWS security group rules does this, there are several other places I have had to ignore changes in AWS.
It is usually in arbitrary fields like tags and annotations.
This doesn't make Terraform unmanageable, it is just an expectation you need to have when writing. I am not sold on Rancher as a read only resource, I would simply orchestrate Rancher objects using the Rancher provider, but I would like to hear more about this use case.
s
@bumpy-tomato-36167 we use rancher as a “read-only” system for people (devs) that are not confident with k8s. This allows us to give them visibility about resources running on clusters, related to their job (so a specific project in a specific cluster) like healthy status, number of replicas, resources usage, realtime logs. Some of them also have “console-only” access, so they can enter in a container and interact with the application, without the risk they can alter the underline structure of the system.
b
That's really neat! Thank you for sharing! I maintain a set of modules for deploying RKE2 on AWS targeting a longer term "production ready" deployment to get devops teams a jump start on their workloads. https://registry.terraform.io/namespaces/rancher Understanding different use cases helps me build test cases. We (SUSE distros team) support so many different infrastructure configurations that testing them all is impossible. It is good to get direct feedback from users so that I can build test cases to verify real users are satisfied.
đź‘Ź 1
Open in Slack
PreviousNext
Powered by