Skip to content

Instantly share code, notes, and snippets.

@pst

pst/tf plan with new provider

Created July 27, 2020 12:15
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save pst/02c284bc4e65b707d4db9aa0dbe6d779 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save pst/02c284bc4e65b707d4db9aa0dbe6d779 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
tf plan with new provider
$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
data.kustomization.test: Refreshing state...
kustomization_resource.test["~G_v1_Namespace|~X|test-istio"]: Refreshing state... [id=8faab14d-96ed-463c-8200-be295f55053b]
kustomization_resource.test["apiextensions.k8s.io_v1beta1_CustomResourceDefinition|~X|requestauthentications.security.istio.io"]: Refreshing state... [id=28feffa3-10a9-4b0d-927c-54f79d02f229]
kustomization_resource.test["apiextensions.k8s.io_v1beta1_CustomResourceDefinition|~X|destinationrules.networking.istio.io"]: Refreshing state... [id=d6935d3b-aabd-493c-a83d-20c8f434c3db]
kustomization_resource.test["apiextensions.k8s.io_v1beta1_CustomResourceDefinition|~X|rbacconfigs.rbac.istio.io"]: Refreshing state... [id=1d41838b-8779-4d88-8091-7e7ab863f1da]
kustomization_resource.test["apiextensions.k8s.io_v1beta1_CustomResourceDefinition|~X|serviceroles.rbac.istio.io"]: Refreshing state... [id=22ca87af-3555-4b6e-b8d3-9fa74ca2250b]
kustomization_resource.test["~G_v1_ServiceAccount|test-istio|istio-ingressgateway-service-account"]: Refreshing state... [id=f4e80b9e-b246-4d30-874d-dab02dfd126e]
kustomization_resource.test["networking.istio.io_v1alpha3_EnvoyFilter|test-istio|metadata-exchange-1.4"]: Refreshing state... [id=90ae068b-5fd1-493b-be47-e3be2b5c1012]
kustomization_resource.test["~G_v1_ServiceAccount|test-istio|prometheus"]: Refreshing state... [id=a1c0bc62-f659-47f3-89f5-36949dbf944f]
kustomization_resource.test["apiextensions.k8s.io_v1beta1_CustomResourceDefinition|~X|workloadentries.networking.istio.io"]: Refreshing state... [id=81713d3f-dbb2-4ea4-a339-170cf0b20656]
kustomization_resource.test["apiextensions.k8s.io_v1beta1_CustomResourceDefinition|~X|servicerolebindings.rbac.istio.io"]: Refreshing state... [id=2f6106bb-d9a4-4c64-ad93-f5eb9caac134]
kustomization_resource.test["apiextensions.k8s.io_v1beta1_CustomResourceDefinition|~X|peerauthentications.security.istio.io"]: Refreshing state... [id=ff3b2f31-54fd-4468-8895-2ffbc00e6a10]
kustomization_resource.test["apiextensions.k8s.io_v1beta1_CustomResourceDefinition|~X|virtualservices.networking.istio.io"]: Refreshing state... [id=49203670-61be-4c74-a178-78f855e12016]
kustomization_resource.test["admissionregistration.k8s.io_v1beta1_MutatingWebhookConfiguration|~X|istio-sidecar-injector"]: Refreshing state... [id=4319c319-d3f9-4cbd-b288-ecdf698b2b12]
kustomization_resource.test["apiextensions.k8s.io_v1beta1_CustomResourceDefinition|~X|authorizationpolicies.security.istio.io"]: Refreshing state... [id=0f6ff9ce-1dbd-4976-98a2-e5ef3e91f088]
kustomization_resource.test["apiextensions.k8s.io_v1beta1_CustomResourceDefinition|~X|envoyfilters.networking.istio.io"]: Refreshing state... [id=fb2fda93-925b-409c-b2f2-5329ae525ebd]
kustomization_resource.test["apiextensions.k8s.io_v1beta1_CustomResourceDefinition|~X|handlers.config.istio.io"]: Refreshing state... [id=68ae22d8-c20e-40a6-9d15-32a1c27cb21b]
kustomization_resource.test["policy_v1beta1_PodDisruptionBudget|test-istio|istio-ingressgateway"]: Refreshing state... [id=95d028d9-d9e1-47ec-9892-b952f5b39142]
kustomization_resource.test["admissionregistration.k8s.io_v1beta1_ValidatingWebhookConfiguration|~X|istiod-istio-system"]: Refreshing state... [id=38c2673d-3585-433d-b12c-f20aaba37f9a]
kustomization_resource.test["apiextensions.k8s.io_v1beta1_CustomResourceDefinition|~X|quotaspecbindings.config.istio.io"]: Refreshing state... [id=7637a2c8-6159-4e3d-861b-6bec623428a1]
kustomization_resource.test["apiextensions.k8s.io_v1beta1_CustomResourceDefinition|~X|rules.config.istio.io"]: Refreshing state... [id=47c9a437-1541-4eea-b5a2-ed322dad3520]
kustomization_resource.test["rbac.authorization.k8s.io_v1_ClusterRole|~X|prometheus-istio-system"]: Refreshing state... [id=8da247b5-eabb-4128-b6b2-d58669df9169]
kustomization_resource.test["networking.istio.io_v1alpha3_EnvoyFilter|test-istio|tcp-metadata-exchange-1.6"]: Refreshing state... [id=1491699c-bf95-4607-bb8c-c96033dbc363]
kustomization_resource.test["networking.istio.io_v1alpha3_EnvoyFilter|test-istio|stats-filter-1.6"]: Refreshing state... [id=016f1684-9a6d-46ac-b8fe-da63395b9331]
kustomization_resource.test["apps_v1_Deployment|test-istio|istiod"]: Refreshing state... [id=56e02842-9ab0-4779-ac6b-2d11ce1b067d]
kustomization_resource.test["networking.istio.io_v1alpha3_EnvoyFilter|test-istio|metadata-exchange-1.5"]: Refreshing state... [id=a0f91028-d5e9-4f6d-8638-71d2867c7fe1]
kustomization_resource.test["autoscaling_v2beta1_HorizontalPodAutoscaler|test-istio|istiod"]: Refreshing state... [id=efafb247-d8a4-4812-9aab-640d88ea9ca5]
kustomization_resource.test["apiextensions.k8s.io_v1beta1_CustomResourceDefinition|~X|clusterrbacconfigs.rbac.istio.io"]: Refreshing state... [id=f8e9332e-b3ed-446a-884a-5b3e8719ef97]
kustomization_resource.test["autoscaling_v2beta1_HorizontalPodAutoscaler|test-istio|istio-ingressgateway"]: Refreshing state... [id=c2785ce8-05e4-4361-84fc-0d916e03de1e]
kustomization_resource.test["networking.istio.io_v1alpha3_EnvoyFilter|test-istio|stats-filter-1.5"]: Refreshing state... [id=8f98337f-d8c5-4989-a2cd-5ff573f5f386]
kustomization_resource.test["apiextensions.k8s.io_v1beta1_CustomResourceDefinition|~X|httpapispecs.config.istio.io"]: Refreshing state... [id=e3dfae24-f5dc-444a-834d-905abba6a9c0]
kustomization_resource.test["rbac.authorization.k8s.io_v1_ClusterRole|~X|istio-reader-istio-system"]: Refreshing state... [id=57fbf191-8cea-463a-9855-3bad00106568]
kustomization_resource.test["~G_v1_ServiceAccount|test-istio|istio-reader-service-account"]: Refreshing state... [id=ea033166-04df-4751-a035-9674650f7da9]
kustomization_resource.test["rbac.authorization.k8s.io_v1_ClusterRole|~X|istiod-istio-system"]: Refreshing state... [id=694c22ce-760e-411c-9dd1-a622ba0d4c5d]
kustomization_resource.test["rbac.authorization.k8s.io_v1_RoleBinding|test-istio|istio-ingressgateway-sds"]: Refreshing state... [id=7b544e05-fba4-4be5-b7d8-79966807fd10]
kustomization_resource.test["~G_v1_Service|test-istio|istio-ingressgateway"]: Refreshing state... [id=536d425c-a37c-4cd0-8cc6-78d0eafa2cb6]
kustomization_resource.test["~G_v1_ConfigMap|test-istio|prometheus"]: Refreshing state... [id=84c9449f-358c-413d-a72f-fd136955dda3]
kustomization_resource.test["networking.istio.io_v1alpha3_EnvoyFilter|test-istio|tcp-stats-filter-1.6"]: Refreshing state... [id=2612eddd-13c8-4e1b-b399-4e8cdd0d39ad]
kustomization_resource.test["networking.istio.io_v1alpha3_EnvoyFilter|test-istio|tcp-metadata-exchange-1.5"]: Refreshing state... [id=2335206f-2e36-4a04-9ec1-b9dfcc831a01]
kustomization_resource.test["apps_v1_Deployment|test-istio|prometheus"]: Refreshing state... [id=04612686-ed89-4163-a622-9f31e64c9435]
kustomization_resource.test["apiextensions.k8s.io_v1beta1_CustomResourceDefinition|~X|templates.config.istio.io"]: Refreshing state... [id=5a835160-dc52-4e88-9633-0de3c243a13a]
kustomization_resource.test["policy_v1beta1_PodDisruptionBudget|test-istio|istiod"]: Refreshing state... [id=fb5ddf2e-743d-48eb-ac9d-05e02d4407f7]
kustomization_resource.test["networking.istio.io_v1alpha3_EnvoyFilter|test-istio|tcp-stats-filter-1.5"]: Refreshing state... [id=5abc6ed7-c4f9-4993-960d-8b9d19ea4e07]
kustomization_resource.test["apiextensions.k8s.io_v1beta1_CustomResourceDefinition|~X|attributemanifests.config.istio.io"]: Refreshing state... [id=9f0c7475-dcb8-4938-b023-6dc3cf1f3e0f]
kustomization_resource.test["apiextensions.k8s.io_v1beta1_CustomResourceDefinition|~X|httpapispecbindings.config.istio.io"]: Refreshing state... [id=03a748e1-b12f-4d56-8158-af797cb31dc0]
kustomization_resource.test["apiextensions.k8s.io_v1beta1_CustomResourceDefinition|~X|sidecars.networking.istio.io"]: Refreshing state... [id=7558fbb6-27ab-45cf-8a70-4c963a6fb414]
kustomization_resource.test["~G_v1_Service|test-istio|prometheus"]: Refreshing state... [id=164e6cd1-0694-47ee-bc9b-bcedaa31fcf7]
kustomization_resource.test["~G_v1_ServiceAccount|test-istio|istiod-service-account"]: Refreshing state... [id=80d9162a-9403-4908-b999-22bef91d60e0]
kustomization_resource.test["apiextensions.k8s.io_v1beta1_CustomResourceDefinition|~X|instances.config.istio.io"]: Refreshing state... [id=052d56a1-4d8e-4468-af56-a771f3c704de]
kustomization_resource.test["apiextensions.k8s.io_v1beta1_CustomResourceDefinition|~X|gateways.networking.istio.io"]: Refreshing state... [id=2e66bdfe-e944-4eae-bd93-2c4209dbe2b2]
kustomization_resource.test["networking.istio.io_v1alpha3_EnvoyFilter|test-istio|stats-filter-1.4"]: Refreshing state... [id=6cd3548c-941a-481e-8b71-785efb2639c2]
kustomization_resource.test["rbac.authorization.k8s.io_v1_ClusterRoleBinding|~X|istio-reader-istio-system"]: Refreshing state... [id=b16798e2-fdac-4e2e-b0ba-9b34ea765e72]
kustomization_resource.test["~G_v1_ConfigMap|test-istio|istio"]: Refreshing state... [id=163d2438-1e7d-4a15-86d8-4e6c2f094543]
kustomization_resource.test["rbac.authorization.k8s.io_v1_ClusterRoleBinding|~X|prometheus-istio-system"]: Refreshing state... [id=286d9956-c272-4cbb-8aad-cd22b874888d]
kustomization_resource.test["~G_v1_Service|test-istio|istiod"]: Refreshing state... [id=618a5224-b7bc-47da-968f-3792ea0f5fd7]
kustomization_resource.test["networking.istio.io_v1alpha3_EnvoyFilter|test-istio|metadata-exchange-1.6"]: Refreshing state... [id=d2630206-c89c-4701-94f7-50f45bd0d291]
kustomization_resource.test["apiextensions.k8s.io_v1beta1_CustomResourceDefinition|~X|serviceentries.networking.istio.io"]: Refreshing state... [id=a6cbfe85-3aef-462c-8355-66509b6ede48]
kustomization_resource.test["apiextensions.k8s.io_v1beta1_CustomResourceDefinition|~X|istiooperators.install.istio.io"]: Refreshing state... [id=a113470f-bd38-4d29-b99d-6fe23e687112]
kustomization_resource.test["apps_v1_Deployment|test-istio|istio-ingressgateway"]: Refreshing state... [id=ecbebaa6-ba85-4044-9f4c-034b1e59b245]
kustomization_resource.test["apiextensions.k8s.io_v1beta1_CustomResourceDefinition|~X|quotaspecs.config.istio.io"]: Refreshing state... [id=3ea8078c-c6e6-45a2-b1ec-3eeba4c70216]
kustomization_resource.test["apiextensions.k8s.io_v1beta1_CustomResourceDefinition|~X|adapters.config.istio.io"]: Refreshing state... [id=80b2a8a8-8c4f-42bb-9aaf-284fcec308f4]
kustomization_resource.test["rbac.authorization.k8s.io_v1_ClusterRoleBinding|~X|istiod-pilot-istio-system"]: Refreshing state... [id=1bdefbd2-94ff-4351-8cd3-9867211a5f7e]
kustomization_resource.test["rbac.authorization.k8s.io_v1_Role|test-istio|istio-ingressgateway-sds"]: Refreshing state... [id=3a99d079-f827-471f-9df6-9a592e184cdd]
kustomization_resource.test["~G_v1_ConfigMap|test-istio|istio-sidecar-injector"]: Refreshing state... [id=077378f9-224a-417b-8f23-fdfc221c09bc]
------------------------------------------------------------------------
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# kustomization_resource.test["admissionregistration.k8s.io_v1beta1_MutatingWebhookConfiguration|~X|istio-sidecar-injector"] will be updated in-place
~ resource "kustomization_resource" "test" {
id = "4319c319-d3f9-4cbd-b288-ecdf698b2b12"
~ manifest = jsonencode(
~ {
apiVersion = "admissionregistration.k8s.io/v1beta1"
kind = "MutatingWebhookConfiguration"
metadata = {
labels = {
app = "sidecar-injector"
istio.io/rev = "default"
release = "istio"
}
name = "istio-sidecar-injector"
}
~ webhooks = [
~ {
- admissionReviewVersions = [
- "v1beta1",
] -> null
~ clientConfig = {
+ caBundle = ""
~ service = {
name = "istiod"
namespace = "test-istio"
path = "/inject"
- port = 443 -> null
}
}
failurePolicy = "Fail"
- matchPolicy = "Exact" -> null
name = "sidecar-injector.istio.io"
namespaceSelector = {
matchLabels = {
istio-injection = "enabled"
}
}
- objectSelector = {} -> null
- reinvocationPolicy = "Never" -> null
~ rules = [
~ {
apiGroups = [
"",
]
apiVersions = [
"v1",
]
operations = [
"CREATE",
]
resources = [
"pods",
]
- scope = "*" -> null
},
]
sideEffects = "None"
- timeoutSeconds = 30 -> null
},
]
}
)
}
# kustomization_resource.test["admissionregistration.k8s.io_v1beta1_ValidatingWebhookConfiguration|~X|istiod-istio-system"] will be updated in-place
~ resource "kustomization_resource" "test" {
id = "38c2673d-3585-433d-b12c-f20aaba37f9a"
~ manifest = jsonencode(
~ {
apiVersion = "admissionregistration.k8s.io/v1beta1"
kind = "ValidatingWebhookConfiguration"
metadata = {
labels = {
app = "istiod"
istio = "istiod"
release = "istio"
}
name = "istiod-istio-system"
}
~ webhooks = [
~ {
- admissionReviewVersions = [
- "v1beta1",
] -> null
~ clientConfig = {
+ caBundle = ""
~ service = {
name = "istiod"
namespace = "test-istio"
path = "/validate"
- port = 443 -> null
}
}
failurePolicy = "Ignore"
- matchPolicy = "Exact" -> null
name = "validation.istio.io"
- namespaceSelector = {} -> null
- objectSelector = {} -> null
~ rules = [
~ {
apiGroups = [
"config.istio.io",
"rbac.istio.io",
"security.istio.io",
"authentication.istio.io",
"networking.istio.io",
]
apiVersions = [
"*",
]
operations = [
"CREATE",
"UPDATE",
]
resources = [
"*",
]
- scope = "*" -> null
},
]
sideEffects = "None"
- timeoutSeconds = 30 -> null
},
]
}
)
}
# kustomization_resource.test["apps_v1_Deployment|test-istio|istio-ingressgateway"] will be updated in-place
~ resource "kustomization_resource" "test" {
id = "ecbebaa6-ba85-4044-9f4c-034b1e59b245"
~ manifest = jsonencode(
~ {
apiVersion = "apps/v1"
kind = "Deployment"
metadata = {
labels = {
app = "istio-ingressgateway"
istio = "ingressgateway"
release = "istio"
}
name = "istio-ingressgateway"
namespace = "test-istio"
}
~ spec = {
selector = {
matchLabels = {
app = "istio-ingressgateway"
istio = "ingressgateway"
}
}
strategy = {
rollingUpdate = {
maxSurge = "100%"
maxUnavailable = "25%"
}
}
~ template = {
metadata = {
annotations = {
sidecar.istio.io/inject = "false"
}
labels = {
app = "istio-ingressgateway"
chart = "gateways"
heritage = "Tiller"
istio = "ingressgateway"
release = "istio"
service.istio.io/canonical-name = "istio-ingressgateway"
service.istio.io/canonical-revision = "latest"
}
}
~ spec = {
affinity = {
nodeAffinity = {
preferredDuringSchedulingIgnoredDuringExecution = [
{
preference = {
matchExpressions = [
{
key = "beta.kubernetes.io/arch"
operator = "In"
values = [
"amd64",
]
},
]
}
weight = 2
},
{
preference = {
matchExpressions = [
{
key = "beta.kubernetes.io/arch"
operator = "In"
values = [
"ppc64le",
]
},
]
}
weight = 2
},
{
preference = {
matchExpressions = [
{
key = "beta.kubernetes.io/arch"
operator = "In"
values = [
"s390x",
]
},
]
}
weight = 2
},
]
requiredDuringSchedulingIgnoredDuringExecution = {
nodeSelectorTerms = [
{
matchExpressions = [
{
key = "beta.kubernetes.io/arch"
operator = "In"
values = [
"amd64",
"ppc64le",
"s390x",
]
},
]
},
]
}
}
}
~ containers = [
~ {
args = [
"proxy",
"router",
"--domain",
"$(POD_NAMESPACE).svc.cluster.local",
"--proxyLogLevel=warning",
"--proxyComponentLogLevel=misc:error",
"--log_output_level=default:info",
"--serviceCluster",
"istio-ingressgateway",
"--trust-domain=cluster.local",
]
~ env = [
{
name = "JWT_POLICY"
value = "third-party-jwt"
},
{
name = "PILOT_CERT_PROVIDER"
value = "istiod"
},
{
name = "CA_ADDR"
value = "istiod.istio-system.svc:15012"
},
{
name = "NODE_NAME"
valueFrom = {
fieldRef = {
apiVersion = "v1"
fieldPath = "spec.nodeName"
}
}
},
{
name = "POD_NAME"
valueFrom = {
fieldRef = {
apiVersion = "v1"
fieldPath = "metadata.name"
}
}
},
{
name = "POD_NAMESPACE"
valueFrom = {
fieldRef = {
apiVersion = "v1"
fieldPath = "metadata.namespace"
}
}
},
{
name = "INSTANCE_IP"
valueFrom = {
fieldRef = {
apiVersion = "v1"
fieldPath = "status.podIP"
}
}
},
{
name = "HOST_IP"
valueFrom = {
fieldRef = {
apiVersion = "v1"
fieldPath = "status.hostIP"
}
}
},
~ {
name = "SERVICE_ACCOUNT"
~ valueFrom = {
~ fieldRef = {
- apiVersion = "v1" -> null
fieldPath = "spec.serviceAccountName"
}
}
},
~ {
name = "CANONICAL_SERVICE"
~ valueFrom = {
~ fieldRef = {
- apiVersion = "v1" -> null
fieldPath = "metadata.labels['service.istio.io/canonical-name']"
}
}
},
~ {
name = "CANONICAL_REVISION"
~ valueFrom = {
~ fieldRef = {
- apiVersion = "v1" -> null
fieldPath = "metadata.labels['service.istio.io/canonical-revision']"
}
}
},
{
name = "ISTIO_META_WORKLOAD_NAME"
value = "istio-ingressgateway"
},
{
name = "ISTIO_META_OWNER"
value = "kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway"
},
{
name = "ISTIO_META_MESH_ID"
value = "cluster.local"
},
{
name = "ISTIO_META_ROUTER_MODE"
value = "sni-dnat"
},
{
name = "ISTIO_META_CLUSTER_ID"
value = "Kubernetes"
},
]
image = "docker.io/istio/proxyv2:1.6.5"
- imagePullPolicy = "IfNotPresent" -> null
name = "istio-proxy"
~ ports = [
~ {
containerPort = 15021
- protocol = "TCP" -> null
},
~ {
containerPort = 8080
- protocol = "TCP" -> null
},
~ {
containerPort = 8443
- protocol = "TCP" -> null
},
~ {
containerPort = 15443
- protocol = "TCP" -> null
},
~ {
containerPort = 15011
- protocol = "TCP" -> null
},
~ {
containerPort = 15012
- protocol = "TCP" -> null
},
~ {
containerPort = 8060
- protocol = "TCP" -> null
},
~ {
containerPort = 853
- protocol = "TCP" -> null
},
{
containerPort = 15090
name = "http-envoy-prom"
protocol = "TCP"
},
]
readinessProbe = {
failureThreshold = 30
httpGet = {
path = "/healthz/ready"
port = 15021
scheme = "HTTP"
}
initialDelaySeconds = 1
periodSeconds = 2
successThreshold = 1
timeoutSeconds = 1
}
~ resources = {
~ limits = {
~ cpu = "2" -> "2000m"
~ memory = "1Gi" -> "1024Mi"
}
requests = {
cpu = "100m"
memory = "128Mi"
}
}
- terminationMessagePath = "/dev/termination-log" -> null
- terminationMessagePolicy = "File" -> null
volumeMounts = [
{
mountPath = "/etc/istio/proxy"
name = "istio-envoy"
},
{
mountPath = "/etc/istio/config"
name = "config-volume"
},
{
mountPath = "/var/run/secrets/istio"
name = "istiod-ca-cert"
},
{
mountPath = "/var/run/secrets/tokens"
name = "istio-token"
readOnly = true
},
{
mountPath = "/var/run/ingress_gateway"
name = "ingressgatewaysdsudspath"
},
{
mountPath = "/etc/istio/pod"
name = "podinfo"
},
{
mountPath = "/etc/istio/ingressgateway-certs"
name = "ingressgateway-certs"
readOnly = true
},
{
mountPath = "/etc/istio/ingressgateway-ca-certs"
name = "ingressgateway-ca-certs"
readOnly = true
},
]
},
]
serviceAccountName = "istio-ingressgateway-service-account"
~ volumes = [
~ {
~ configMap = {
- defaultMode = 420 -> null
name = "istio-ca-root-cert"
}
name = "istiod-ca-cert"
},
~ {
~ downwardAPI = {
- defaultMode = 420 -> null
~ items = [
~ {
~ fieldRef = {
- apiVersion = "v1" -> null
fieldPath = "metadata.labels"
}
path = "labels"
},
~ {
~ fieldRef = {
- apiVersion = "v1" -> null
fieldPath = "metadata.annotations"
}
path = "annotations"
},
]
}
name = "podinfo"
},
{
emptyDir = {}
name = "istio-envoy"
},
{
emptyDir = {}
name = "ingressgatewaysdsudspath"
},
~ {
name = "istio-token"
~ projected = {
- defaultMode = 420 -> null
sources = [
{
serviceAccountToken = {
audience = "istio-ca"
expirationSeconds = 43200
path = "istio-token"
}
},
]
}
},
~ {
~ configMap = {
- defaultMode = 420 -> null
name = "istio"
optional = true
}
name = "config-volume"
},
~ {
name = "ingressgateway-certs"
~ secret = {
- defaultMode = 420 -> null
optional = true
secretName = "istio-ingressgateway-certs"
}
},
~ {
name = "ingressgateway-ca-certs"
~ secret = {
- defaultMode = 420 -> null
optional = true
secretName = "istio-ingressgateway-ca-certs"
}
},
]
}
}
}
}
)
}
# kustomization_resource.test["apps_v1_Deployment|test-istio|istiod"] will be updated in-place
~ resource "kustomization_resource" "test" {
id = "56e02842-9ab0-4779-ac6b-2d11ce1b067d"
~ manifest = jsonencode(
~ {
apiVersion = "apps/v1"
kind = "Deployment"
metadata = {
labels = {
app = "istiod"
istio = "pilot"
istio.io/rev = "default"
release = "istio"
}
name = "istiod"
namespace = "test-istio"
}
~ spec = {
selector = {
matchLabels = {
istio = "pilot"
}
}
strategy = {
rollingUpdate = {
maxSurge = "100%"
maxUnavailable = "25%"
}
}
~ template = {
metadata = {
annotations = {
sidecar.istio.io/inject = "false"
}
labels = {
app = "istiod"
istio = "pilot"
istio.io/rev = "default"
}
}
~ spec = {
~ containers = [
~ {
args = [
"discovery",
"--monitoringAddr=:15014",
"--log_output_level=default:info",
"--domain",
"cluster.local",
"--trust-domain=cluster.local",
"--keepaliveMaxServerConnectionAge",
"30m",
]
env = [
{
name = "REVISION"
value = "default"
},
{
name = "JWT_POLICY"
value = "third-party-jwt"
},
{
name = "PILOT_CERT_PROVIDER"
value = "istiod"
},
{
name = "POD_NAME"
valueFrom = {
fieldRef = {
apiVersion = "v1"
fieldPath = "metadata.name"
}
}
},
{
name = "POD_NAMESPACE"
valueFrom = {
fieldRef = {
apiVersion = "v1"
fieldPath = "metadata.namespace"
}
}
},
{
name = "SERVICE_ACCOUNT"
valueFrom = {
fieldRef = {
apiVersion = "v1"
fieldPath = "spec.serviceAccountName"
}
}
},
{
name = "PILOT_TRACE_SAMPLING"
value = "1"
},
{
name = "PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND"
value = "true"
},
{
name = "PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND"
value = "true"
},
{
name = "INJECTION_WEBHOOK_CONFIG_NAME"
value = "istio-sidecar-injector"
},
{
name = "ISTIOD_ADDR"
value = "istiod.istio-system.svc:15012"
},
{
name = "PILOT_ENABLE_ANALYSIS"
value = "false"
},
{
name = "CLUSTER_ID"
value = "Kubernetes"
},
{
name = "CENTRAL_ISTIOD"
value = "false"
},
]
image = "docker.io/istio/pilot:1.6.5"
- imagePullPolicy = "IfNotPresent" -> null
name = "discovery"
~ ports = [
~ {
containerPort = 8080
- protocol = "TCP" -> null
},
~ {
containerPort = 15010
- protocol = "TCP" -> null
},
~ {
containerPort = 15017
- protocol = "TCP" -> null
},
~ {
containerPort = 15053
- protocol = "TCP" -> null
},
]
~ readinessProbe = {
- failureThreshold = 3 -> null
~ httpGet = {
path = "/ready"
port = 8080
- scheme = "HTTP" -> null
}
initialDelaySeconds = 1
periodSeconds = 3
- successThreshold = 1 -> null
timeoutSeconds = 5
}
~ resources = {
~ requests = {
cpu = "500m"
~ memory = "2Gi" -> "2048Mi"
}
}
securityContext = {
capabilities = {
drop = [
"ALL",
]
}
runAsGroup = 1337
runAsNonRoot = true
runAsUser = 1337
}
- terminationMessagePath = "/dev/termination-log" -> null
- terminationMessagePolicy = "File" -> null
volumeMounts = [
{
mountPath = "/etc/istio/config"
name = "config-volume"
},
{
mountPath = "/var/run/secrets/tokens"
name = "istio-token"
readOnly = true
},
{
mountPath = "/var/run/secrets/istio-dns"
name = "local-certs"
},
{
mountPath = "/etc/cacerts"
name = "cacerts"
readOnly = true
},
{
mountPath = "/var/lib/istio/inject"
name = "inject"
readOnly = true
},
]
},
]
securityContext = {
fsGroup = 1337
}
serviceAccountName = "istiod-service-account"
~ volumes = [
{
emptyDir = {
medium = "Memory"
}
name = "local-certs"
},
~ {
name = "istio-token"
~ projected = {
- defaultMode = 420 -> null
sources = [
{
serviceAccountToken = {
audience = "istio-ca"
expirationSeconds = 43200
path = "istio-token"
}
},
]
}
},
~ {
name = "cacerts"
~ secret = {
- defaultMode = 420 -> null
optional = true
secretName = "cacerts"
}
},
~ {
~ configMap = {
- defaultMode = 420 -> null
name = "istio-sidecar-injector"
optional = true
}
name = "inject"
},
~ {
~ configMap = {
- defaultMode = 420 -> null
name = "istio"
}
name = "config-volume"
},
]
}
}
}
}
)
}
# kustomization_resource.test["apps_v1_Deployment|test-istio|prometheus"] will be updated in-place
~ resource "kustomization_resource" "test" {
id = "04612686-ed89-4163-a622-9f31e64c9435"
~ manifest = jsonencode(
~ {
apiVersion = "apps/v1"
kind = "Deployment"
metadata = {
labels = {
app = "prometheus"
release = "istio"
}
name = "prometheus"
namespace = "test-istio"
}
~ spec = {
replicas = 1
selector = {
matchLabels = {
app = "prometheus"
}
}
~ template = {
metadata = {
annotations = {
sidecar.istio.io/inject = "false"
}
labels = {
app = "prometheus"
release = "istio"
}
}
~ spec = {
affinity = {
nodeAffinity = {
preferredDuringSchedulingIgnoredDuringExecution = [
{
preference = {
matchExpressions = [
{
key = "beta.kubernetes.io/arch"
operator = "In"
values = [
"amd64",
]
},
]
}
weight = 2
},
{
preference = {
matchExpressions = [
{
key = "beta.kubernetes.io/arch"
operator = "In"
values = [
"ppc64le",
]
},
]
}
weight = 2
},
{
preference = {
matchExpressions = [
{
key = "beta.kubernetes.io/arch"
operator = "In"
values = [
"s390x",
]
},
]
}
weight = 2
},
]
requiredDuringSchedulingIgnoredDuringExecution = {
nodeSelectorTerms = [
{
matchExpressions = [
{
key = "beta.kubernetes.io/arch"
operator = "In"
values = [
"amd64",
"ppc64le",
"s390x",
]
},
]
},
]
}
}
}
~ containers = [
~ {
args = [
"--storage.tsdb.retention=6h",
"--config.file=/etc/prometheus/prometheus.yml",
]
image = "docker.io/prom/prometheus:v2.15.1"
- imagePullPolicy = "IfNotPresent" -> null
~ livenessProbe = {
- failureThreshold = 3 -> null
~ httpGet = {
path = "/-/healthy"
port = 9090
- scheme = "HTTP" -> null
}
- periodSeconds = 10 -> null
- successThreshold = 1 -> null
- timeoutSeconds = 1 -> null
}
name = "prometheus"
~ ports = [
~ {
containerPort = 9090
name = "http"
- protocol = "TCP" -> null
},
]
~ readinessProbe = {
- failureThreshold = 3 -> null
~ httpGet = {
path = "/-/ready"
port = 9090
- scheme = "HTTP" -> null
}
- periodSeconds = 10 -> null
- successThreshold = 1 -> null
- timeoutSeconds = 1 -> null
}
resources = {
requests = {
cpu = "10m"
}
}
- terminationMessagePath = "/dev/termination-log" -> null
- terminationMessagePolicy = "File" -> null
volumeMounts = [
{
mountPath = "/etc/prometheus"
name = "config-volume"
},
{
mountPath = "/etc/istio-certs"
name = "istio-certs"
},
]
},
~ {
args = [
"proxy",
"sidecar",
"--domain",
"$(POD_NAMESPACE).svc.cluster.local",
"istio-proxy-prometheus",
"--proxyLogLevel=warning",
"--proxyComponentLogLevel=misc:error",
"--controlPlaneAuthPolicy",
"NONE",
"--trust-domain=cluster.local",
]
~ env = [
{
name = "OUTPUT_CERTS"
value = "/etc/istio-certs"
},
{
name = "JWT_POLICY"
value = "third-party-jwt"
},
{
name = "PILOT_CERT_PROVIDER"
value = "istiod"
},
{
name = "CA_ADDR"
value = "istiod.istio-system.svc:15012"
},
~ {
name = "POD_NAME"
~ valueFrom = {
~ fieldRef = {
- apiVersion = "v1" -> null
fieldPath = "metadata.name"
}
}
},
~ {
name = "POD_NAMESPACE"
~ valueFrom = {
~ fieldRef = {
- apiVersion = "v1" -> null
fieldPath = "metadata.namespace"
}
}
},
~ {
name = "INSTANCE_IP"
~ valueFrom = {
~ fieldRef = {
- apiVersion = "v1" -> null
fieldPath = "status.podIP"
}
}
},
~ {
name = "SERVICE_ACCOUNT"
~ valueFrom = {
~ fieldRef = {
- apiVersion = "v1" -> null
fieldPath = "spec.serviceAccountName"
}
}
},
~ {
name = "HOST_IP"
~ valueFrom = {
~ fieldRef = {
- apiVersion = "v1" -> null
fieldPath = "status.hostIP"
}
}
},
{
name = "ISTIO_META_MESH_ID"
value = "cluster.local"
},
{
name = "ISTIO_META_CLUSTER_ID"
value = "Kubernetes"
},
]
image = "docker.io/istio/proxyv2:1.6.5"
imagePullPolicy = "Always"
name = "istio-proxy"
ports = [
{
containerPort = 15090
name = "http-envoy-prom"
protocol = "TCP"
},
]
readinessProbe = {
failureThreshold = 30
httpGet = {
path = "/healthz/ready"
port = 15020
scheme = "HTTP"
}
initialDelaySeconds = 1
periodSeconds = 2
successThreshold = 1
timeoutSeconds = 1
}
- resources = {} -> null
- terminationMessagePath = "/dev/termination-log" -> null
- terminationMessagePolicy = "File" -> null
volumeMounts = [
{
mountPath = "/var/run/secrets/istio"
name = "istiod-ca-cert"
},
{
mountPath = "/etc/istio/proxy"
name = "istio-envoy"
},
{
mountPath = "/var/run/secrets/tokens"
name = "istio-token"
},
{
mountPath = "/etc/istio-certs/"
name = "istio-certs"
},
{
mountPath = "/etc/istio/config"
name = "istio-config-volume"
},
]
},
]
serviceAccountName = "prometheus"
~ volumes = [
~ {
~ configMap = {
- defaultMode = 420 -> null
name = "istio"
optional = true
}
name = "istio-config-volume"
},
~ {
~ configMap = {
- defaultMode = 420 -> null
name = "prometheus"
}
name = "config-volume"
},
{
emptyDir = {
medium = "Memory"
}
name = "istio-certs"
},
{
emptyDir = {
medium = "Memory"
}
name = "istio-envoy"
},
{
name = "istio-token"
projected = {
defaultMode = 420
sources = [
{
serviceAccountToken = {
audience = "istio-ca"
expirationSeconds = 43200
path = "istio-token"
}
},
]
}
},
{
configMap = {
defaultMode = 420
name = "istio-ca-root-cert"
}
name = "istiod-ca-cert"
},
]
}
}
}
}
)
}
# kustomization_resource.test["~G_v1_Service|test-istio|istio-ingressgateway"] will be updated in-place
~ resource "kustomization_resource" "test" {
id = "536d425c-a37c-4cd0-8cc6-78d0eafa2cb6"
~ manifest = jsonencode(
~ {
apiVersion = "v1"
kind = "Service"
~ metadata = {
+ annotations = null
labels = {
app = "istio-ingressgateway"
istio = "ingressgateway"
release = "istio"
}
name = "istio-ingressgateway"
namespace = "test-istio"
}
~ spec = {
~ ports = [
~ {
name = "status-port"
- nodePort = 31776 -> null
port = 15021
- protocol = "TCP" -> null
targetPort = 15021
},
~ {
name = "http2"
- nodePort = 31357 -> null
port = 80
- protocol = "TCP" -> null
targetPort = 8080
},
~ {
name = "https"
- nodePort = 31172 -> null
port = 443
- protocol = "TCP" -> null
targetPort = 8443
},
~ {
name = "tls"
- nodePort = 31503 -> null
port = 15443
- protocol = "TCP" -> null
targetPort = 15443
},
]
selector = {
app = "istio-ingressgateway"
istio = "ingressgateway"
}
type = "LoadBalancer"
}
}
)
}
# kustomization_resource.test["~G_v1_Service|test-istio|istiod"] will be updated in-place
~ resource "kustomization_resource" "test" {
id = "618a5224-b7bc-47da-968f-3792ea0f5fd7"
~ manifest = jsonencode(
~ {
apiVersion = "v1"
kind = "Service"
metadata = {
labels = {
app = "istiod"
istio = "pilot"
istio.io/rev = "default"
release = "istio"
}
name = "istiod"
namespace = "test-istio"
}
~ spec = {
~ ports = [
~ {
name = "grpc-xds"
port = 15010
- protocol = "TCP" -> null
- targetPort = 15010 -> null
},
~ {
name = "https-dns"
port = 15012
- protocol = "TCP" -> null
- targetPort = 15012 -> null
},
~ {
name = "https-webhook"
port = 443
- protocol = "TCP" -> null
targetPort = 15017
},
~ {
name = "http-monitoring"
port = 15014
- protocol = "TCP" -> null
- targetPort = 15014 -> null
},
{
name = "dns-tls"
port = 853
protocol = "TCP"
targetPort = 15053
},
]
selector = {
app = "istiod"
istio = "pilot"
}
}
}
)
}
# kustomization_resource.test["~G_v1_Service|test-istio|prometheus"] will be updated in-place
~ resource "kustomization_resource" "test" {
id = "164e6cd1-0694-47ee-bc9b-bcedaa31fcf7"
~ manifest = jsonencode(
~ {
apiVersion = "v1"
kind = "Service"
metadata = {
annotations = {
prometheus.io/scrape = "true"
}
labels = {
app = "prometheus"
release = "istio"
}
name = "prometheus"
namespace = "test-istio"
}
~ spec = {
~ ports = [
~ {
name = "http-prometheus"
port = 9090
protocol = "TCP"
- targetPort = 9090 -> null
},
]
selector = {
app = "prometheus"
}
}
}
)
}
Plan: 0 to add, 8 to change, 0 to destroy.
------------------------------------------------------------------------
Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment