istio: Terraform plan fails during initial run of helm_release for Istiod

Bug Description

I have following Terrafrom code for deploying Istio via Terraform helm_release resource:

resource "helm_release" "istio-base" {
 chart            = "base"
 namespace        = "istio-system"
 create_namespace = "true"
 name             = "istio-base"
 version          = "1.15.3"
 repository       = "https://istio-release.storage.googleapis.com/charts"
 #force_update     = var.force_update
 #recreate_pods    = var.recreate_pods
}

resource "helm_release" "istiod" {
 depends_on        = [helm_release.istio-base]
 name              = "istiod"
 namespace         = "istio-system"
 dependency_update = true
 repository        = "https://istio-release.storage.googleapis.com/charts"
 chart             = "istiod"
 version           = "1.15.3"
 atomic            = true
 lint              = true
}

During first deployment(initial setup) of Istio on new k8s cluster, Terraform plan fails with error:

│ Error: unable to build kubernetes objects from release manifest: [resource mapping not found for name: "stats-filter-1.13" namespace: "istio-system" from "": no matches for kind "EnvoyFilter" in version "networking.istio.io/v1alpha3"
│ ensure CRDs are installed first, resource mapping not found for name: "stats-filter-1.14" namespace: "istio-system" from "": no matches for kind "EnvoyFilter" in version "networking.istio.io/v1alpha3"
│ ensure CRDs are installed first, resource mapping not found for name: "stats-filter-1.15" namespace: "istio-system" from "": no matches for kind "EnvoyFilter" in version "networking.istio.io/v1alpha3"
│ ensure CRDs are installed first, resource mapping not found for name: "tcp-stats-filter-1.13" namespace: "istio-system" from "": no matches for kind "EnvoyFilter" in version "networking.istio.io/v1alpha3"
│ ensure CRDs are installed first, resource mapping not found for name: "tcp-stats-filter-1.14" namespace: "istio-system" from "": no matches for kind "EnvoyFilter" in version "networking.istio.io/v1alpha3"
│ ensure CRDs are installed first, resource mapping not found for name: "tcp-stats-filter-1.15" namespace: "istio-system" from "": no matches for kind "EnvoyFilter" in version "networking.istio.io/v1alpha3"
│ ensure CRDs are installed first]

From error I see that during Terraform plan , it tries to validate CRDs, which are not supposed to be installed during Terraform plan via resource “helm_release” “istio-base” .

I thought that once you set skip_crds = true for helm_release, issue will be resolved, but it didn’t help.

Version

Terraform version: 1.3.3
Helm provider version: v2.7.1.
Istio helm chart version: 1.15.3

Additional Information

No response

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Reactions: 4
  • Comments: 15

Most upvoted comments

@ElkRom I believe this is not an Istio issue, I would close this GitHub issue and open a new one on the hashicorp/terraform-provider-helm GitHub repository:

I also found this related issue there:

Please confirm if we can close this issue. Thanks

+2
zioproto on Nov 21, 2022
Read more comments on GitHub
← istio: Telemetry v2 envoy needs metric expiry
istio: Test Failure: security/tests/integration/certificateRotationTest →