Test alekc/kubectl provider upgrade 2.1.* #6422

Closed
9 tasks
sj-williams opened this issue Nov 7, 2024 · 2 comments
@sj-williams
Contributor

Background

Dependabot is raising PRs to bump alekc/kubectl.

A quick check of this change in core infra yields changes to every K8s resource managed by this provider.

We need to do some thorough checking of the changes that are being made before we start to bump modules using this provider across infra.

Link to associated PR for gatekeeper:
ministryofjustice/cloud-platform-terraform-gatekeeper#68

Proposed user journey

Approach

Which part of the user docs does this impact

Communicate changes

  • post for #cloud-platform-update
  • Weeknotes item
  • Show the Thing/P&A All Hands/User CoP
  • Announcements channel

Questions / Assumptions

Definition of done

  • readme has been updated
  • user docs have been updated
  • another team member has reviewed
  • smoke tests are green
  • prepare demo for the team

Reference

How to write good user stories

@kyphutruong
Contributor

kyphutruong commented Jan 10, 2025

On a test cluster, after bumping the alekc/kubectl provider to 2.1.3 in the terraform at infrastructure at core level (we also have to bump modules that use this provider), we get the following tf plan (only pasting a snippet of the plan as there are 82 changes):

  # module.gatekeeper.module.constraints.kubectl_manifest.constraints["warn_kubectl_create_sa"] will be updated in-place
  ~ resource "kubectl_manifest" "constraints" {
        id                      = "/apis/constraints.gatekeeper.sh/v1beta1/warnkubectlserviceaccounts/warn-kubectl-create-sa"
        name                    = "warn-kubectl-create-sa"
      ~ yaml_incluster          = (sensitive value)
        # (15 unchanged attributes hidden)
    }

  # module.gatekeeper.module.constraints.kubectl_manifest.constraints["warn_service_account_secret_delete"] will be updated in-place
  ~ resource "kubectl_manifest" "constraints" {
        id                      = "/apis/constraints.gatekeeper.sh/v1beta1/k8swarnserviceaccountsecretdeletes/k8swarnserviceaccountsecretdelete"
        name                    = "k8swarnserviceaccountsecretdelete"
      ~ yaml_incluster          = (sensitive value)
        # (15 unchanged attributes hidden)
    }

  # module.gatekeeper.module.mutations.kubectl_manifest.mutations["default_fs_group.yaml"] will be updated in-place
  ~ resource "kubectl_manifest" "mutations" {
        id                      = "/apis/mutations.gatekeeper.sh/v1/assigns/default-fs-group"
        name                    = "default-fs-group"
      ~ yaml_incluster          = (sensitive value)
        # (15 unchanged attributes hidden)
    }

  # module.gatekeeper.module.mutations.kubectl_manifest.mutations["default_seccomp_profile.yaml"] will be updated in-place
  ~ resource "kubectl_manifest" "mutations" {
        id                      = "/apis/mutations.gatekeeper.sh/v1/assigns/default-seccomp-profile"
        name                    = "default-seccomp-profile"
      ~ yaml_incluster          = (sensitive value)
        # (15 unchanged attributes hidden)
    }

  # module.gatekeeper.module.mutations.kubectl_manifest.mutations["default_supplemental_groups.yaml"] will be updated in-place
  ~ resource "kubectl_manifest" "mutations" {
        id                      = "/apis/mutations.gatekeeper.sh/v1/assigns/default-supplemental-groups"
        name                    = "default-supplemental-groups"
      ~ yaml_incluster          = (sensitive value)
        # (15 unchanged attributes hidden)
    }

  # module.gatekeeper.module.mutations.kubectl_manifest.mutations["deny_privilege_escalation.yaml"] will be updated in-place
  ~ resource "kubectl_manifest" "mutations" {
        id                      = "/apis/mutations.gatekeeper.sh/v1/assigns/deny-privilege-escalation"
        name                    = "deny-privilege-escalation"
      ~ yaml_incluster          = (sensitive value)
        # (15 unchanged attributes hidden)
    }

  # module.gatekeeper.module.mutations.kubectl_manifest.mutations["deny_privilege_escalation_eph.yaml"] will be updated in-place
  ~ resource "kubectl_manifest" "mutations" {
        id                      = "/apis/mutations.gatekeeper.sh/v1/assigns/deny-privilege-escalation-eph"
        name                    = "deny-privilege-escalation-eph"
      ~ yaml_incluster          = (sensitive value)
        # (15 unchanged attributes hidden)
    }

  # module.gatekeeper.module.mutations.kubectl_manifest.mutations["deny_privilege_escalation_init.yaml"] will be updated in-place
  ~ resource "kubectl_manifest" "mutations" {
        id                      = "/apis/mutations.gatekeeper.sh/v1/assigns/deny-privilege-escalation-init"
        name                    = "deny-privilege-escalation-init"
      ~ yaml_incluster          = (sensitive value)
        # (15 unchanged attributes hidden)
    }

  # module.gatekeeper.module.mutations.kubectl_manifest.mutations["drop_all_cap.yaml"] will be updated in-place
  ~ resource "kubectl_manifest" "mutations" {
        id                      = "/apis/mutations.gatekeeper.sh/v1/assigns/drop-all-cap"
        name                    = "drop-all-cap"
      ~ yaml_incluster          = (sensitive value)
        # (15 unchanged attributes hidden)
    }

  # module.gatekeeper.module.mutations.kubectl_manifest.mutations["drop_all_cap_eph.yaml"] will be updated in-place
  ~ resource "kubectl_manifest" "mutations" {
        id                      = "/apis/mutations.gatekeeper.sh/v1/assigns/drop-all-cap-eph"
        name                    = "drop-all-cap-eph"
      ~ yaml_incluster          = (sensitive value)
        # (15 unchanged attributes hidden)
    }

  # module.gatekeeper.module.mutations.kubectl_manifest.mutations["drop_all_cap_init.yaml"] will be updated in-place
  ~ resource "kubectl_manifest" "mutations" {
        id                      = "/apis/mutations.gatekeeper.sh/v1/assigns/drop-all-cap-init"
        name                    = "drop-all-cap-init"
      ~ yaml_incluster          = (sensitive value)
        # (15 unchanged attributes hidden)
    }

  # module.gatekeeper.module.mutations.kubectl_manifest.mutations["run_as_non_root.yaml"] will be updated in-place
  ~ resource "kubectl_manifest" "mutations" {
        id                      = "/apis/mutations.gatekeeper.sh/v1/assigns/run-as-non-root"
        name                    = "run-as-non-root"
      ~ yaml_incluster          = (sensitive value)
        # (15 unchanged attributes hidden)
    }

  # module.gatekeeper.module.mutations.kubectl_manifest.mutations["run_as_non_root_eph.yaml"] will be updated in-place
  ~ resource "kubectl_manifest" "mutations" {
        id                      = "/apis/mutations.gatekeeper.sh/v1/assigns/run-as-non-root-eph"
        name                    = "run-as-non-root-eph"
      ~ yaml_incluster          = (sensitive value)
        # (15 unchanged attributes hidden)
    }

  # module.gatekeeper.module.mutations.kubectl_manifest.mutations["run_as_non_root_init.yaml"] will be updated in-place
  ~ resource "kubectl_manifest" "mutations" {
        id                      = "/apis/mutations.gatekeeper.sh/v1/assigns/run-as-non-root-init"
        name                    = "run-as-non-root-init"
      ~ yaml_incluster          = (sensitive value)
        # (15 unchanged attributes hidden)
    }

Plan: 0 to add, 82 to change, 0 to destroy.

Here are some links to discussion of these changes in the provider repo: alekc/terraform-provider-kubectl#54
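
With 82 in-place changes, reading the plan by eye will not reliably confirm that every resource changes only `yaml_incluster`. The following is an added example, not part of the original comment or the project's code: it parses plan text in the format pasted above and reports any resource that is not a pure in-place update of that one attribute. The names `triage` and `SAMPLE_PLAN` and the `module.example` block are constructed for illustration.

```python
import re

# Constructed sample: two blocks in the format shown in the comment above, plus
# one invented block (module.example...) that a reviewer would want flagged.
SAMPLE_PLAN = '''\
  # module.gatekeeper.module.mutations.kubectl_manifest.mutations["drop_all_cap.yaml"] will be updated in-place
  ~ resource "kubectl_manifest" "mutations" {
      ~ yaml_incluster          = (sensitive value)
        # (15 unchanged attributes hidden)
    }

  # module.gatekeeper.module.mutations.kubectl_manifest.mutations["run_as_non_root.yaml"] will be updated in-place
  ~ resource "kubectl_manifest" "mutations" {
      ~ yaml_incluster          = (sensitive value)
    }

  # module.example.kubectl_manifest.demo["constructed"] must be replaced
-/+ resource "kubectl_manifest" "demo" {
      ~ yaml_body               = (sensitive value)
      ~ yaml_incluster          = (sensitive value)
    }
'''

# Resource header comment: "# <address> will be ..." or "# <address> must be ..."
HEADER = re.compile(r'^\s*# (.+?) (will be .+|must be .+)$')
# Changed, added or removed attribute line: marker, attribute name, '='
ATTR = re.compile(r'^\s+([~+-])\s+([A-Za-z_]\w*)\s+=')
EXPECTED_ACTION = "will be updated in-place"
EXPECTED_ATTRS = {"yaml_incluster"}

def triage(plan_text):
    """Return {address: [reasons]} for every resource that is not a pure
    in-place update of yaml_incluster; an empty dict means nothing stands out."""
    flagged, current = {}, None
    for line in plan_text.splitlines():
        head, attr = HEADER.match(line), ATTR.match(line)
        if head:
            current = head.group(1)
            if head.group(2) != EXPECTED_ACTION:
                flagged.setdefault(current, []).append("action: " + head.group(2))
        elif attr and current and attr.group(2) not in EXPECTED_ATTRS:
            flagged.setdefault(current, []).append("attribute: " + attr.group(2))
    return flagged

if __name__ == "__main__":
    for address, reasons in triage(SAMPLE_PLAN).items():
        print(address, "->", "; ".join(reasons))
```

Because the plan prints `yaml_incluster` as `(sensitive value)`, this confirms only the scope of the change (which resources and which attributes), not what changed inside the attribute.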

@kyphutruong
Contributor

alekc/kubectl providers updated at core level.

Update to components level to do
