ValidatingWebhookConfiguration - webhook rules incorrectly translated

[LightAndLight]

I ran k2tf on this document https://raw.githubusercontent.com/kubernetes/ingress-nginx/ingress-nginx-2.11.3/deploy/static/provider/cloud/deploy.yaml, which contains this resource definition:

apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.11.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.34.1
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  name: ingress-nginx-admission
webhooks:
  - name: validate.nginx.ingress.kubernetes.io
    rules:
      - apiGroups:
          - extensions
          - networking.k8s.io
        apiVersions:
          - v1beta1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        namespace: ingress-nginx
        name: ingress-nginx-controller-admission
        path: /extensions/v1beta1/ingresses

but the corresponding Terraform output looks like this:

resource "kubernetes_validating_webhook_configuration" "ingress_nginx_admission" {
  metadata {
    name = "ingress-nginx-admission"

    labels = {
      "app.kubernetes.io/component" = "admission-webhook"

      "app.kubernetes.io/instance" = "ingress-nginx"

      "app.kubernetes.io/managed-by" = "Helm"

      "app.kubernetes.io/name" = "ingress-nginx"

      "app.kubernetes.io/version" = "0.34.1"

      "helm.sh/chart" = "ingress-nginx-2.11.1"
    }
  }

  webhook {
    name = "validate.nginx.ingress.kubernetes.io"

    client_config {
      service {
        namespace = "ingress-nginx"
        name      = "ingress-nginx-controller-admission"
        path      = "/extensions/v1beta1/ingresses"
      }
    }

    rule {
      operations = ["CREATE", "UPDATE"]
    }

    failure_policy            = "Fail"
    side_effects              = "None"
    admission_review_versions = ["v1", "v1beta1"]
  }
}

The apiGroups, apiVersions, and resources are not translated, but they are required fields which means this is an invalid Terraform configuration.

[sl1pm4t]

Could you run k2tf with the --debug flag to see if it logs warnings about these fields.
I suspect it's probably not guessing the correct Terraform attribute name and then skipping because it's not found in the Terraform schema.

[LightAndLight]

Only Debug level logs are produced. There weren't any warnings.

[yuriy-yarosh]

Having the same issue while translating the Vault helm chart - injector-mutating-webhook.yaml loses apiGroups, apiVersions and resources during translation.

[yuriy-yarosh]

objectSelector:
  matchExpressions:
    - key: app.kubernetes.io/name
  operator: NotIn
  values:
    - injector

also gets translated to

object_selector {
  match_expressions {
    key      = component
    operator = "NotIn"
    values   = ["injector"]
  }
}

[geekofalltrades]

I'm also suffering this issue trying to convert this configuration.

One-line repro:

yaml="$(curl -s https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.0/deploy/static/provider/aws/nlb-with-tls-termination/1.21/deploy.yaml | grep -A 100 'apiVersion: admission')" && echo "${yaml}" && echo "------" && k2tf <<< "${yaml}"

[auriben]

Having the same issue with nginx ingress controller https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.1/deploy/static/provider/cloud/deploy.yaml

Any plans to take a look to this?

[dsowinski]

I'm having exactly the same issue as OP and @auriben - please look into this issue. Thank you.

[michaelday008]

I'm having the same issue. Any chance this will be fixed in the future?