kubernetes_role_binding does not support various apigroups

[billietlsfeir]

Terraform Version and Provider Version

Terraform v0.12.13

• provider.kubernetes v1.11.3

Affected Resource(s)

• kubernetes_role_binding
• maybe kubernetes_cluster_role_binding (not tested)

Terraform Configuration Files

resource "kubernetes_role_binding" "foo" {
  metadata {
    name      = "terraform-example"
    namespace = var.namespace
  }
  role_ref {
    api_group = "roles.authorization.openshift.io"
    kind      = "Role"
    name      = "admin"
  }
  subject {
    kind      = "User"
    name      = var.ldap
    api_group = "users.user.openshift.io"
  }
}

Debug Output

https://gist.github.com/billietlsfeir/740105b4f05ecae4121cc0f0a66ab772

Panic Output

No panic

Expected Behavior

Terraform should have created a RoleBinding object in kubernetes tying the specified User with the OpenShift Role.

Actual Behavior

APIGroups for rolerefs are restricted to Kubernetes', and we can't plan apply the provided snippet.

Steps to Reproduce

1. Configure your kubectl client to connect to an existing kubernetes cluster.

Important Factoids

I attempted to manage RoleBindings in OpenShift, which use specific apigroups for roles and users. Since the apigroup is the same for RoleBinding, I don't understand why this requirement.

References

None.

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

[jrhouston]

Thanks for opening this @billietlsfeir. Looks like here we're explicitly only allowing rbac.authorization.k8s.io which is what's available on vanilla kubernetes. This is clearly not the case with OpenShift.

Paths forward here:

1. Don't validate this attribute, let it be any arbitrary string.
2. Use discovery to figure out what is valid as the api_group here. (This might not be possible, need to investigate)

[github-actions]

Marking this issue as stale due to inactivity. If this issue receives no comments in the next 30 days it will automatically be closed. If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. This helps our maintainers find and focus on the active issues. Maintainers may also remove the stale label at their discretion. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

[alexsomesan]

This is still a valid issue. Reopening.