deploy cluster for next helm training #7

splattner · 2024-05-13T13:19:42Z

No description provided.

github-actions · 2024-05-13T13:20:16Z

Terraform Format and Style 🖌`success`

Terraform Initialization ⚙️`success`

Terraform Validation 🤖`success`

Validation Output


Success! The configuration is valid.

Terraform Plan 📖`success`

Show Plan


terraform

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.training-cluster.hcloud_firewall.firewall will be created
  + resource "hcloud_firewall" "firewall" {
      + id     = (known after apply)
      + labels = (known after apply)
      + name   = "k8s-cluster-training"

      + apply_to {
          + label_selector = "cluster=training"
          + server         = (known after apply)
        }

      + rule {
          + destination_ips = []
          + direction       = "in"
          + port            = "22"
          + protocol        = "tcp"
          + source_ips      = [
              + "0.0.0.0/0",
              + "::/0",
            ]
        }
      + rule {
          + destination_ips = []
          + direction       = "in"
          + port            = "30000-32767"
          + protocol        = "tcp"
          + source_ips      = [
              + "0.0.0.0/0",
              + "::/0",
            ]
        }
      + rule {
          + destination_ips = []
          + direction       = "in"
          + port            = "9345"
          + protocol        = "tcp"
          + source_ips      = (known after apply)
        }
    }

  # module.training-cluster.hcloud_load_balancer.lb will be created
  + resource "hcloud_load_balancer" "lb" {
      + delete_protection  = false
      + id                 = (known after apply)
      + ipv4               = (known after apply)
      + ipv6               = (known after apply)
      + labels             = {
          + "cluster" = "training"
        }
      + load_balancer_type = "lb11"
      + location           = "nbg1"
      + name               = "lb-k8s-training"
      + network_id         = (known after apply)
      + network_ip         = (known after apply)
      + network_zone       = (known after apply)
    }

  # module.training-cluster.hcloud_load_balancer_network.lb will be created
  + resource "hcloud_load_balancer_network" "lb" {
      + enable_public_interface = true
      + id                      = (known after apply)
      + ip                      = "10.0.0.2"
      + load_balancer_id        = (known after apply)
      + network_id              = (known after apply)
    }

  # module.training-cluster.hcloud_load_balancer_service.api will be created
  + resource "hcloud_load_balancer_service" "api" {
      + destination_port = 6443
      + id               = (known after apply)
      + listen_port      = 6443
      + load_balancer_id = (known after apply)
      + protocol         = "tcp"
      + proxyprotocol    = (known after apply)

      + health_check {
          + interval = 5
          + port     = 6443
          + protocol = "tcp"
          + retries  = 2
          + timeout  = 2
        }
    }

  # module.training-cluster.hcloud_load_balancer_service.rke2 will be created
  + resource "hcloud_load_balancer_service" "rke2" {
      + destination_port = 9345
      + id               = (known after apply)
      + listen_port      = 9345
      + load_balancer_id = (known after apply)
      + protocol         = "tcp"
      + proxyprotocol    = (known after apply)

      + health_check {
          + interval = 5
          + port     = 9345
          + protocol = "tcp"
          + retries  = 5
          + timeout  = 2
        }
    }

  # module.training-cluster.hcloud_load_balancer_target.controlplane will be created
  + resource "hcloud_load_balancer_target" "controlplane" {
      + id               = (known after apply)
      + label_selector   = "cluster=training,controlplane=true"
      + load_balancer_id = (known after apply)
      + type             = "label_selector"
      + use_private_ip   = true
    }

  # module.training-cluster.hcloud_network.network will be created
  + resource "hcloud_network" "network" {
      + delete_protection        = false
      + expose_routes_to_vswitch = false
      + id                       = (known after apply)
      + ip_range                 = "10.0.0.0/8"
      + labels                   = {
          + "cluster" = "training"
        }
      + name                     = "training"
    }

  # module.training-cluster.hcloud_network_subnet.subnet will be created
  + resource "hcloud_network_subnet" "subnet" {
      + gateway      = (known after apply)
      + id           = (known after apply)
      + ip_range     = "10.0.0.0/24"
      + network_id   = (known after apply)
      + network_zone = "eu-central"
      + type         = "cloud"
    }

  # module.training-cluster.hcloud_placement_group.controlplane will be created
  + resource "hcloud_placement_group" "controlplane" {
      + id      = (known after apply)
      + labels  = {
          + "cluster"      = "training"
          + "controlplane" = "true"
        }
      + name    = "controlplane-training"
      + servers = (known after apply)
      + type    = "spread"
    }

  # module.training-cluster.hcloud_server.controlplane[0] will be created
  + resource "hcloud_server" "controlplane" {
      + allow_deprecated_images    = false
      + backup_window              = (known after apply)
      + backups                    = false
      + datacenter                 = (known after apply)
      + delete_protection          = false
      + firewall_ids               = (known after apply)
      + id                         = (known after apply)
      + ignore_remote_firewall_ids = false
      + image                      = "ubuntu-22.04"
      + ipv4_address               = (known after apply)
      + ipv6_address               = (known after apply)
      + ipv6_network               = (known after apply)
      + keep_disk                  = false
      + labels                     = {
          + "cluster"      = "training"
          + "controlplane" = "true"
        }
      + location                   = "nbg1"
      + name                       = "training-controlplane-0"
      + placement_group_id         = (known after apply)
      + primary_disk_size          = (known after apply)
      + rebuild_protection         = false
      + server_type                = "cpx31"
      + shutdown_before_deletion   = false
      + ssh_keys                   = [
          + "terraform-training",
        ]
      + status                     = (known after apply)
      + user_data                  = (sensitive value)
    }

  # module.training-cluster.hcloud_server.controlplane[1] will be created
  + resource "hcloud_server" "controlplane" {
      + allow_deprecated_images    = false
      + backup_window              = (known after apply)
      + backups                    = false
      + datacenter                 = (known after apply)
      + delete_protection          = false
      + firewall_ids               = (known after apply)
      + id                         = (known after apply)
      + ignore_remote_firewall_ids = false
      + image                      = "ubuntu-22.04"
      + ipv4_address               = (known after apply)
      + ipv6_address               = (known after apply)
      + ipv6_network               = (known after apply)
      + keep_disk                  = false
      + labels                     = {
          + "cluster"      = "training"
          + "controlplane" = "true"
        }
      + location                   = "nbg1"
      + name                       = "training-controlplane-1"
      + placement_group_id         = (known after apply)
      + primary_disk_size          = (known after apply)
      + rebuild_protection         = false
      + server_type                = "cpx31"
      + shutdown_before_deletion   = false
      + ssh_keys                   = [
          + "terraform-training",
        ]
      + status                     = (known after apply)
      + user_data                  = (sensitive value)
    }

  # module.training-cluster.hcloud_server.controlplane[2] will be created
  + resource "hcloud_server" "controlplane" {
      + allow_deprecated_images    = false
      + backup_window              = (known after apply)
      + backups                    = false
      + datacenter                 = (known after apply)
      + delete_protection          = false
      + firewall_ids               = (known after apply)
      + id                         = (known after apply)
      + ignore_remote_firewall_ids = false
      + image                      = "ubuntu-22.04"
      + ipv4_address               = (known after apply)
      + ipv6_address               = (known after apply)
      + ipv6_network               = (known after apply)
      + keep_disk                  = false
      + labels                     = {
          + "cluster"      = "training"
          + "controlplane" = "true"
        }
      + location                   = "nbg1"
      + name                       = "training-controlplane-2"
      + placement_group_id         = (known after apply)
      + primary_disk_size          = (known after apply)
      + rebuild_protection         = false
      + server_type                = "cpx31"
      + shutdown_before_deletion   = false
      + ssh_keys                   = [
          + "terraform-training",
        ]
      + status                     = (known after apply)
      + user_data                  = (sensitive value)
    }

  # module.training-cluster.hcloud_server.worker[0] will be created
  + resource "hcloud_server" "worker" {
      + allow_deprecated_images    = false
      + backup_window              = (known after apply)
      + backups                    = false
      + datacenter                 = (known after apply)
      + delete_protection          = false
      + firewall_ids               = (known after apply)
      + id                         = (known after apply)
      + ignore_remote_firewall_ids = false
      + image                      = "ubuntu-22.04"
      + ipv4_address               = (known after apply)
      + ipv6_address               = (known after apply)
      + ipv6_network               = (known after apply)
      + keep_disk                  = false
      + labels                     = {
          + "cluster" = "training"
          + "worker"  = "true"
        }
      + location                   = "nbg1"
      + name                       = "training-worker-0"
      + primary_disk_size          = (known after apply)
      + rebuild_protection         = false
      + server_type                = "cpx41"
      + shutdown_before_deletion   = false
      + ssh_keys                   = [
          + "terraform-training",
        ]
      + status                     = (known after apply)
      + user_data                  = (sensitive value)
    }

  # module.training-cluster.hcloud_server.worker[1] will be created
  + resource "hcloud_server" "worker" {
      + allow_deprecated_images    = false
      + backup_window              = (known after apply)
      + backups                    = false
      + datacenter                 = (known after apply)
      + delete_protection          = false
      + firewall_ids               = (known after apply)
      + id                         = (known after apply)
      + ignore_remote_firewall_ids = false
      + image                      = "ubuntu-22.04"
      + ipv4_address               = (known after apply)
      + ipv6_address               = (known after apply)
      + ipv6_network               = (known after apply)
      + keep_disk                  = false
      + labels                     = {
          + "cluster" = "training"
          + "worker"  = "true"
        }
      + location                   = "nbg1"
      + name                       = "training-worker-1"
      + primary_disk_size          = (known after apply)
      + rebuild_protection         = false
      + server_type                = "cpx41"
      + shutdown_before_deletion   = false
      + ssh_keys                   = [
          + "terraform-training",
        ]
      + status                     = (known after apply)
      + user_data                  = (sensitive value)
    }

  # module.training-cluster.hcloud_server.worker[2] will be created
  + resource "hcloud_server" "worker" {
      + allow_deprecated_images    = false
      + backup_window              = (known after apply)
      + backups                    = false
      + datacenter                 = (known after apply)
      + delete_protection          = false
      + firewall_ids               = (known after apply)
      + id                         = (known after apply)
      + ignore_remote_firewall_ids = false
      + image                      = "ubuntu-22.04"
      + ipv4_address               = (known after apply)
      + ipv6_address               = (known after apply)
      + ipv6_network               = (known after apply)
      + keep_disk                  = false
      + labels                     = {
          + "cluster" = "training"
          + "worker"  = "true"
        }
      + location                   = "nbg1"
      + name                       = "training-worker-2"
      + primary_disk_size          = (known after apply)
      + rebuild_protection         = false
      + server_type                = "cpx41"
      + shutdown_before_deletion   = false
      + ssh_keys                   = [
          + "terraform-training",
        ]
      + status                     = (known after apply)
      + user_data                  = (sensitive value)
    }

  # module.training-cluster.hcloud_server_network.controlplane[0] will be created
  + resource "hcloud_server_network" "controlplane" {
      + id          = (known after apply)
      + ip          = (known after apply)
      + mac_address = (known after apply)
      + network_id  = (known after apply)
      + server_id   = (known after apply)
    }

  # module.training-cluster.hcloud_server_network.controlplane[1] will be created
  + resource "hcloud_server_network" "controlplane" {
      + id          = (known after apply)
      + ip          = (known after apply)
      + mac_address = (known after apply)
      + network_id  = (known after apply)
      + server_id   = (known after apply)
    }

  # module.training-cluster.hcloud_server_network.controlplane[2] will be created
  + resource "hcloud_server_network" "controlplane" {
      + id          = (known after apply)
      + ip          = (known after apply)
      + mac_address = (known after apply)
      + network_id  = (known after apply)
      + server_id   = (known after apply)
    }

  # module.training-cluster.hcloud_server_network.worker[0] will be created
  + resource "hcloud_server_network" "worker" {
      + id          = (known after apply)
      + ip          = (known after apply)
      + mac_address = (known after apply)
      + network_id  = (known after apply)
      + server_id   = (known after apply)
    }

  # module.training-cluster.hcloud_server_network.worker[1] will be created
  + resource "hcloud_server_network" "worker" {
      + id          = (known after apply)
      + ip          = (known after apply)
      + mac_address = (known after apply)
      + network_id  = (known after apply)
      + server_id   = (known after apply)
    }

  # module.training-cluster.hcloud_server_network.worker[2] will be created
  + resource "hcloud_server_network" "worker" {
      + id          = (known after apply)
      + ip          = (known after apply)
      + mac_address = (known after apply)
      + network_id  = (known after apply)
      + server_id   = (known after apply)
    }

  # module.training-cluster.hcloud_ssh_key.terraform will be created
  + resource "hcloud_ssh_key" "terraform" {
      + fingerprint = (known after apply)
      + id          = (known after apply)
      + labels      = {}
      + name        = "terraform-training"
      + public_key  = (known after apply)
    }

  # module.training-cluster.helm_release.argocd will be created
  + resource "helm_release" "argocd" {
      + atomic                     = false
      + chart                      = "argo-cd"
      + cleanup_on_fail            = false
      + create_namespace           = false
      + dependency_update          = false
      + disable_crd_hooks          = false
      + disable_openapi_validation = false
      + disable_webhooks           = false
      + force_update               = false
      + id                         = (known after apply)
      + lint                       = false
      + manifest                   = (known after apply)
      + max_history                = 2
      + metadata                   = (known after apply)
      + name                       = "argocd"
      + namespace                  = "argocd"
      + pass_credentials           = false
      + recreate_pods              = false
      + render_subchart_notes      = true
      + replace                    = false
      + repository                 = "https://argoproj.github.io/argo-helm"
      + reset_values               = false
      + reuse_values               = false
      + skip_crds                  = false
      + status                     = "deployed"
      + timeout                    = 300
      + values                     = [
          + <<-EOT
                server:
                  config:
                
                configs:
                  secret:
                    extra:
            EOT,
          + <<-EOT
                configs:
                  rbac: 
                    policy.csv: |
                      p, role:student, applications, *, */*, allow
                
                      p, role:student, applications, *, infra/*, deny
                      p, role:student, applications, *, trainee-environment/*, deny
                
                      p, role:student, clusters, get, *, allow
                      p, role:student, clusters, update, *, allow
                      p, role:student, repositories, get, *, allow
                      p, role:student, repositories, create, *, allow
                      p, role:student, repositories, update, *, allow
                      p, role:student, repositories, delete, *, allow
                
                      p, role:student, projects, get, *, allow
                      p, role:student, projects, create, *, allow
                      p, role:student, projects, update, *, allow
                      p, role:student, projects, delete, *, allow
                
                      p, role:student, projects, *, infra, deny
                      p, role:student, projects, *, trainee-environment, deny
                
                      g, acend:trainees, role:student
                
                
                      g, acend:admins, role:admin
            EOT,
          + <<-EOT
                global:
                  nodeSelector:
                    node-role.kubernetes.io/control-plane: "true"
                  tolerations:
                  - key: node-role.kubernetes.io/control-plane
                    operator: Equal
                    value: "true"
                    effect: "NoSchedule"
                
                controller:
                  metrics:
                    enabled: true
                
                configs:
                  cm:
                    dex.config: |
                      connectors:
                        - type: gitea
                          id: gitea
                          name: Gitea
                          config:
                            clientID: $gitea-oauthclient-argocd:client_id
                            clientSecret: $gitea-oauthclient-argocd:client_secret
                            redirectURI: https://argocd.training.cluster.acend.ch/api/dex/callback
                            baseURL: https://gitea.training.cluster.acend.ch
                            loadAllGroups: true
                  params:
                    server.insecure: true
                    application.namespaces: user*
                
                server:
                  config:
                    kustomize.buildOptions: "--enable-helm"
                    resource.exclusions: |
                      - kinds:
                        - "CiliumIdentity"
                        - "ciliumidentities"
                        - "CiliumEndpoint"
                        - "ciliumendpoints"
                        - "CiliumNode"
                        - "ciliumnodes"
                  ingress:
                    enabled: true
                    ingressClassName: haproxy
                    tls:
                    - secretName: acend-wildcard
                  ingressGrpc:
                    enabled: true
                    ingressClassName: haproxy
                    tls:
                    - secretName: acend-wildcard
            EOT,
        ]
      + verify                     = false
      + version                    = "6.9.0"
      + wait                       = true
      + wait_for_jobs              = false

      + set {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
      + set {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
      + set {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
      + set {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
      + set {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
      + set {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
    }

  # module.training-cluster.kubernetes_manifest.external-secrets-secretstore["cert-manager"] will be created
  + resource "kubernetes_manifest" "external-secrets-secretstore" {
      + manifest = {
          + apiVersion = "external-secrets.io/v1beta1"
          + kind       = "ClusterSecretStore"
          + metadata   = {
              + name = "cluster-training.cluster.acend.ch-cert-manager"
            }
          + spec       = {
              + provider = {
                  + kubernetes = {
                      + auth            = {
                          + cert = {
                              + clientCert = {
                                  + key       = "cert"
                                  + name      = "credentials-training.cluster.acend.ch"
                                  + namespace = "external-secrets"
                                }
                              + clientKey  = {
                                  + key       = "key"
                                  + name      = "credentials-training.cluster.acend.ch"
                                  + namespace = "external-secrets"
                                }
                            }
                        }
                      + remoteNamespace = "cert-manager"
                      + server          = {
                          + caProvider = {
                              + key       = "ca"
                              + name      = "credentials-training.cluster.acend.ch"
                              + namespace = "external-secrets"
                              + type      = "Secret"
                            }
                          + url        = (known after apply)
                        }
                    }
                }
            }
        }
      + object   = {
          + apiVersion = "external-secrets.io/v1beta1"
          + kind       = "ClusterSecretStore"
          + metadata   = {
              + annotations                = (known after apply)
              + creationTimestamp          = (known after apply)
              + deletionGracePeriodSeconds = (known after apply)
              + deletionTimestamp          = (known after apply)
              + finalizers                 = (known after apply)
              + generateName               = (known after apply)
              + generation                 = (known after apply)
              + labels                     = (known after apply)
              + managedFields              = (known after apply)
              + name                       = "cluster-training.cluster.acend.ch-cert-manager"
              + namespace                  = (known after apply)
              + ownerReferences            = (known after apply)
              + resourceVersion            = (known after apply)
              + selfLink                   = (known after apply)
              + uid                        = (known after apply)
            }
          + spec       = {
              + conditions      = (known after apply)
              + controller      = (known after apply)
              + provider        = {
                  + akeyless                 = {
                      + akeylessGWApiURL = (known after apply)
                      + authSecretRef    = {
                          + kubernetesAuth = {
                              + accessID          = (known after apply)
                              + k8sConfName       = (known after apply)
                              + secretRef         = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + serviceAccountRef = {
                                  + audiences = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + secretRef      = {
                              + accessID        = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + accessType      = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + accessTypeParam = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + caBundle         = (known after apply)
                      + caProvider       = {
                          + key       = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                          + type      = (known after apply)
                        }
                    }
                  + alibaba                  = {
                      + auth     = {
                          + rrsa      = {
                              + oidcProviderArn   = (known after apply)
                              + oidcTokenFilePath = (known after apply)
                              + roleArn           = (known after apply)
                              + sessionName       = (known after apply)
                            }
                          + secretRef = {
                              + accessKeyIDSecretRef     = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + accessKeySecretSecretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + regionID = (known after apply)
                    }
                  + aws                      = {
                      + additionalRoles   = (known after apply)
                      + auth              = {
                          + jwt       = {
                              + serviceAccountRef = {
                                  + audiences = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + secretRef = {
                              + accessKeyIDSecretRef     = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + secretAccessKeySecretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + sessionTokenSecretRef    = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + externalID        = (known after apply)
                      + region            = (known after apply)
                      + role              = (known after apply)
                      + secretsManager    = {
                          + forceDeleteWithoutRecovery = (known after apply)
                          + recoveryWindowInDays       = (known after apply)
                        }
                      + service           = (known after apply)
                      + sessionTags       = (known after apply)
                      + transitiveTagKeys = (known after apply)
                    }
                  + azurekv                  = {
                      + authSecretRef     = {
                          + clientId     = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + clientSecret = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + tenantId     = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + authType          = (known after apply)
                      + environmentType   = (known after apply)
                      + identityId        = (known after apply)
                      + serviceAccountRef = {
                          + audiences = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                        }
                      + tenantId          = (known after apply)
                      + vaultUrl          = (known after apply)
                    }
                  + chef                     = {
                      + auth      = {
                          + secretRef = {
                              + privateKeySecretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + serverUrl = (known after apply)
                      + username  = (known after apply)
                    }
                  + conjur                   = {
                      + auth       = {
                          + apikey = {
                              + account   = (known after apply)
                              + apiKeyRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + userRef   = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + jwt    = {
                              + account           = (known after apply)
                              + hostId            = (known after apply)
                              + secretRef         = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + serviceAccountRef = {
                                  + audiences = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + serviceID         = (known after apply)
                            }
                        }
                      + caBundle   = (known after apply)
                      + caProvider = {
                          + key       = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                          + type      = (known after apply)
                        }
                      + url        = (known after apply)
                    }
                  + delinea                  = {
                      + clientId     = {
                          + secretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + value     = (known after apply)
                        }
                      + clientSecret = {
                          + secretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + value     = (known after apply)
                        }
                      + tenant       = (known after apply)
                      + tld          = (known after apply)
                      + urlTemplate  = (known after apply)
                    }
                  + doppler                  = {
                      + auth            = {
                          + secretRef = {
                              + dopplerToken = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + config          = (known after apply)
                      + format          = (known after apply)
                      + nameTransformer = (known after apply)
                      + project         = (known after apply)
                    }
                  + fake                     = {
                      + data = (known after apply)
                    }
                  + fortanix                 = {
                      + apiKey = {
                          + secretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + apiUrl = (known after apply)
                    }
                  + gcpsm                    = {
                      + auth      = {
                          + secretRef        = {
                              + secretAccessKeySecretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + workloadIdentity = {
                              + clusterLocation   = (known after apply)
                              + clusterName       = (known after apply)
                              + clusterProjectID  = (known after apply)
                              + serviceAccountRef = {
                                  + audiences = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + projectID = (known after apply)
                    }
                  + gitlab                   = {
                      + auth              = {
                          + SecretRef = {
                              + accessToken = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + environment       = (known after apply)
                      + groupIDs          = (known after apply)
                      + inheritFromGroups = (known after apply)
                      + projectID         = (known after apply)
                      + url               = (known after apply)
                    }
                  + ibm                      = {
                      + auth       = {
                          + containerAuth = {
                              + iamEndpoint   = (known after apply)
                              + profile       = (known after apply)
                              + tokenLocation = (known after apply)
                            }
                          + secretRef     = {
                              + secretApiKeySecretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + serviceUrl = (known after apply)
                    }
                  + keepersecurity           = {
                      + authRef  = {
                          + key       = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                        }
                      + folderID = (known after apply)
                    }
                  + kubernetes               = {
                      + auth            = {
                          + cert           = {
                              + clientCert = {
                                  + key       = "cert"
                                  + name      = "credentials-training.cluster.acend.ch"
                                  + namespace = "external-secrets"
                                }
                              + clientKey  = {
                                  + key       = "key"
                                  + name      = "credentials-training.cluster.acend.ch"
                                  + namespace = "external-secrets"
                                }
                            }
                          + serviceAccount = {
                              + audiences = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + token          = {
                              + bearerToken = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + remoteNamespace = "cert-manager"
                      + server          = {
                          + caBundle   = (known after apply)
                          + caProvider = {
                              + key       = "ca"
                              + name      = "credentials-training.cluster.acend.ch"
                              + namespace = "external-secrets"
                              + type      = "Secret"
                            }
                          + url        = (known after apply)
                        }
                    }
                  + onboardbase              = {
                      + apiHost     = (known after apply)
                      + auth        = {
                          + apiKeyRef   = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + passcodeRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + environment = (known after apply)
                      + project     = (known after apply)
                    }
                  + onepassword              = {
                      + auth        = {
                          + secretRef = {
                              + connectTokenSecretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + connectHost = (known after apply)
                      + vaults      = (known after apply)
                    }
                  + oracle                   = {
                      + auth              = {
                          + secretRef = {
                              + fingerprint = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + privatekey  = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + tenancy   = (known after apply)
                          + user      = (known after apply)
                        }
                      + compartment       = (known after apply)
                      + encryptionKey     = (known after apply)
                      + principalType     = (known after apply)
                      + region            = (known after apply)
                      + serviceAccountRef = {
                          + audiences = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                        }
                      + vault             = (known after apply)
                    }
                  + passbolt                 = {
                      + auth = {
                          + passwordSecretRef   = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + privateKeySecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + host = (known after apply)
                    }
                  + passworddepot            = {
                      + auth     = {
                          + secretRef = {
                              + credentials = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + database = (known after apply)
                      + host     = (known after apply)
                    }
                  + pulumi                   = {
                      + accessToken  = {
                          + secretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + apiUrl       = (known after apply)
                      + environment  = (known after apply)
                      + organization = (known after apply)
                    }
                  + scaleway                 = {
                      + accessKey = {
                          + secretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + value     = (known after apply)
                        }
                      + apiUrl    = (known after apply)
                      + projectId = (known after apply)
                      + region    = (known after apply)
                      + secretKey = {
                          + secretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + value     = (known after apply)
                        }
                    }
                  + senhasegura              = {
                      + auth                 = {
                          + clientId              = (known after apply)
                          + clientSecretSecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + ignoreSslCertificate = (known after apply)
                      + module               = (known after apply)
                      + url                  = (known after apply)
                    }
                  + vault                    = {
                      + auth                = {
                          + appRole        = {
                              + path      = (known after apply)
                              + roleId    = (known after apply)
                              + roleRef   = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + secretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + cert           = {
                              + clientCert = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + secretRef  = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + iam            = {
                              + externalID          = (known after apply)
                              + jwt                 = {
                                  + serviceAccountRef = {
                                      + audiences = (known after apply)
                                      + name      = (known after apply)
                                      + namespace = (known after apply)
                                    }
                                }
                              + path                = (known after apply)
                              + region              = (known after apply)
                              + role                = (known after apply)
                              + secretRef           = {
                                  + accessKeyIDSecretRef     = {
                                      + key       = (known after apply)
                                      + name      = (known after apply)
                                      + namespace = (known after apply)
                                    }
                                  + secretAccessKeySecretRef = {
                                      + key       = (known after apply)
                                      + name      = (known after apply)
                                      + namespace = (known after apply)
                                    }
                                  + sessionTokenSecretRef    = {
                                      + key       = (known after apply)
                                      + name      = (known after apply)
                                      + namespace = (known after apply)
                                    }
                                }
                              + vaultAwsIamServerID = (known after apply)
                              + vaultRole           = (known after apply)
                            }
                          + jwt            = {
                              + kubernetesServiceAccountToken = {
                                  + audiences         = (known after apply)
                                  + expirationSeconds = (known after apply)
                                  + serviceAccountRef = {
                                      + audiences = (known after apply)
                                      + name      = (known after apply)
                                      + namespace = (known after apply)
                                    }
                                }
                              + path                          = (known after apply)
                              + role                          = (known after apply)
                              + secretRef                     = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + kubernetes     = {
                              + mountPath         = (known after apply)
                              + role              = (known after apply)
                              + secretRef         = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + serviceAccountRef = {
                                  + audiences = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + ldap           = {
                              + path      = (known after apply)
                              + secretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + username  = (known after apply)
                            }
                          + namespace      = (known after apply)
                          + tokenSecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + userPass       = {
                              + path      = (known after apply)
                              + secretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + username  = (known after apply)
                            }
                        }
                      + caBundle            = (known after apply)
                      + caProvider          = {
                          + key       = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                          + type      = (known after apply)
                        }
                      + forwardInconsistent = (known after apply)
                      + namespace           = (known after apply)
                      + path                = (known after apply)
                      + readYourWrites      = (known after apply)
                      + server              = (known after apply)
                      + tls                 = {
                          + certSecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + keySecretRef  = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + version             = (known after apply)
                    }
                  + webhook                  = {
                      + body       = (known after apply)
                      + caBundle   = (known after apply)
                      + caProvider = {
                          + key       = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                          + type      = (known after apply)
                        }
                      + headers    = (known after apply)
                      + method     = (known after apply)
                      + result     = {
                          + jsonPath = (known after apply)
                        }
                      + secrets    = (known after apply)
                      + timeout    = (known after apply)
                      + url        = (known after apply)
                    }
                  + yandexcertificatemanager = {
                      + apiEndpoint = (known after apply)
                      + auth        = {
                          + authorizedKeySecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + caProvider  = {
                          + certSecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                    }
                  + yandexlockbox            = {
                      + apiEndpoint = (known after apply)
                      + auth        = {
                          + authorizedKeySecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + caProvider  = {
                          + certSecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                    }
                }
              + refreshInterval = (known after apply)
              + retrySettings   = {
                  + maxRetries    = (known after apply)
                  + retryInterval = (known after apply)
                }
            }
        }
    }

  # module.training-cluster.kubernetes_manifest.external-secrets-secretstore["kube-system"] will be created
  + resource "kubernetes_manifest" "external-secrets-secretstore" {
      + manifest = {
          + apiVersion = "external-secrets.io/v1beta1"
          + kind       = "ClusterSecretStore"
          + metadata   = {
              + name = "cluster-training.cluster.acend.ch-kube-system"
            }
          + spec       = {
              + provider = {
                  + kubernetes = {
                      + auth            = {
                          + cert = {
                              + clientCert = {
                                  + key       = "cert"
                                  + name      = "credentials-training.cluster.acend.ch"
                                  + namespace = "external-secrets"
                                }
                              + clientKey  = {
                                  + key       = "key"
                                  + name      = "credentials-training.cluster.acend.ch"
                                  + namespace = "external-secrets"
                                }
                            }
                        }
                      + remoteNamespace = "kube-system"
                      + server          = {
                          + caProvider = {
                              + key       = "ca"
                              + name      = "credentials-training.cluster.acend.ch"
                              + namespace = "external-secrets"
                              + type      = "Secret"
                            }
                          + url        = (known after apply)
                        }
                    }
                }
            }
        }
      + object   = {
          + apiVersion = "external-secrets.io/v1beta1"
          + kind       = "ClusterSecretStore"
          + metadata   = {
              + annotations                = (known after apply)
              + creationTimestamp          = (known after apply)
              + deletionGracePeriodSeconds = (known after apply)
              + deletionTimestamp          = (known after apply)
              + finalizers                 = (known after apply)
              + generateName               = (known after apply)
              + generation                 = (known after apply)
              + labels                     = (known after apply)
              + managedFields              = (known after apply)
              + name                       = "cluster-training.cluster.acend.ch-kube-system"
              + namespace                  = (known after apply)
              + ownerReferences            = (known after apply)
              + resourceVersion            = (known after apply)
              + selfLink                   = (known after apply)
              + uid                        = (known after apply)
            }
          + spec       = {
              + conditions      = (known after apply)
              + controller      = (known after apply)
              + provider        = {
                  + akeyless                 = {
                      + akeylessGWApiURL = (known after apply)
                      + authSecretRef    = {
                          + kubernetesAuth = {
                              + accessID          = (known after apply)
                              + k8sConfName       = (known after apply)
                              + secretRef         = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + serviceAccountRef = {
                                  + audiences = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + secretRef      = {
                              + accessID        = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + accessType      = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + accessTypeParam = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + caBundle         = (known after apply)
                      + caProvider       = {
                          + key       = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                          + type      = (known after apply)
                        }
                    }
                  + alibaba                  = {
                      + auth     = {
                          + rrsa      = {
                              + oidcProviderArn   = (known after apply)
                              + oidcTokenFilePath = (known after apply)
                              + roleArn           = (known after apply)
                              + sessionName       = (known after apply)
                            }
                          + secretRef = {
                              + accessKeyIDSecretRef     = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + accessKeySecretSecretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + regionID = (known after apply)
                    }
                  + aws                      = {
                      + additionalRoles   = (known after apply)
                      + auth              = {
                          + jwt       = {
                              + serviceAccountRef = {
                                  + audiences = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + secretRef = {
                              + accessKeyIDSecretRef     = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + secretAccessKeySecretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + sessionTokenSecretRef    = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + externalID        = (known after apply)
                      + region            = (known after apply)
                      + role              = (known after apply)
                      + secretsManager    = {
                          + forceDeleteWithoutRecovery = (known after apply)
                          + recoveryWindowInDays       = (known after apply)
                        }
                      + service           = (known after apply)
                      + sessionTags       = (known after apply)
                      + transitiveTagKeys = (known after apply)
                    }
                  + azurekv                  = {
                      + authSecretRef     = {
                          + clientId     = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + clientSecret = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + tenantId     = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + authType          = (known after apply)
                      + environmentType   = (known after apply)
                      + identityId        = (known after apply)
                      + serviceAccountRef = {
                          + audiences = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                        }
                      + tenantId          = (known after apply)
                      + vaultUrl          = (known after apply)
                    }
                  + chef                     = {
                      + auth      = {
                          + secretRef = {
                              + privateKeySecretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + serverUrl = (known after apply)
                      + username  = (known after apply)
                    }
                  + conjur                   = {
                      + auth       = {
                          + apikey = {
                              + account   = (known after apply)
                              + apiKeyRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + userRef   = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + jwt    = {
                              + account           = (known after apply)
                              + hostId            = (known after apply)
                              + secretRef         = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + serviceAccountRef = {
                                  + audiences = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + serviceID         = (known after apply)
                            }
                        }
                      + caBundle   = (known after apply)
                      + caProvider = {
                          + key       = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                          + type      = (known after apply)
                        }
                      + url        = (known after apply)
                    }
                  + delinea                  = {
                      + clientId     = {
                          + secretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + value     = (known after apply)
                        }
                      + clientSecret = {
                          + secretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + value     = (known after apply)
                        }
                      + tenant       = (known after apply)
                      + tld          = (known after apply)
                      + urlTemplate  = (known after apply)
                    }
                  + doppler                  = {
                      + auth            = {
                          + secretRef = {
                              + dopplerToken = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + config          = (known after apply)
                      + format          = (known after apply)
                      + nameTransformer = (known after apply)
                      + project         = (known after apply)
                    }
                  + fake                     = {
                      + data = (known after apply)
                    }
                  + fortanix                 = {
                      + apiKey = {
                          + secretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + apiUrl = (known after apply)
                    }
                  + gcpsm                    = {
                      + auth      = {
                          + secretRef        = {
                              + secretAccessKeySecretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + workloadIdentity = {
                              + clusterLocation   = (known after apply)
                              + clusterName       = (known after apply)
                              + clusterProjectID  = (known after apply)
                              + serviceAccountRef = {
                                  + audiences = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + projectID = (known after apply)
                    }
                  + gitlab                   = {
                      + auth              = {
                          + SecretRef = {
                              + accessToken = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + environment       = (known after apply)
                      + groupIDs          = (known after apply)
                      + inheritFromGroups = (known after apply)
                      + projectID         = (known after apply)
                      + url               = (known after apply)
                    }
                  + ibm                      = {
                      + auth       = {
                          + containerAuth = {
                              + iamEndpoint   = (known after apply)
                              + profile       = (known after apply)
                              + tokenLocation = (known after apply)
                            }
                          + secretRef     = {
                              + secretApiKeySecretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + serviceUrl = (known after apply)
                    }
                  + keepersecurity           = {
                      + authRef  = {
                          + key       = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                        }
                      + folderID = (known after apply)
                    }
                  + kubernetes               = {
                      + auth            = {
                          + cert           = {
                              + clientCert = {
                                  + key       = "cert"
                                  + name      = "credentials-training.cluster.acend.ch"
                                  + namespace = "external-secrets"
                                }
                              + clientKey  = {
                                  + key       = "key"
                                  + name      = "credentials-training.cluster.acend.ch"
                                  + namespace = "external-secrets"
                                }
                            }
                          + serviceAccount = {
                              + audiences = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + token          = {
                              + bearerToken = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + remoteNamespace = "kube-system"
                      + server          = {
                          + caBundle   = (known after apply)
                          + caProvider = {
                              + key       = "ca"
                              + name      = "credentials-training.cluster.acend.ch"
                              + namespace = "external-secrets"
                              + type      = "Secret"
                            }
                          + url        = (known after apply)
                        }
                    }
                  + onboardbase              = {
                      + apiHost     = (known after apply)
                      + auth        = {
                          + apiKeyRef   = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + passcodeRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + environment = (known after apply)
                      + project     = (known after apply)
                    }
                  + onepassword              = {
                      + auth        = {
                          + secretRef = {
                              + connectTokenSecretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + connectHost = (known after apply)
                      + vaults      = (known after apply)
                    }
                  + oracle                   = {
                      + auth              = {
                          + secretRef = {
                              + fingerprint = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + privatekey  = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + tenancy   = (known after apply)
                          + user      = (known after apply)
                        }
                      + compartment       = (known after apply)
                      + encryptionKey     = (known after apply)
                      + principalType     = (known after apply)
                      + region            = (known after apply)
                      + serviceAccountRef = {
                          + audiences = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                        }
                      + vault             = (known after apply)
                    }
                  + passbolt                 = {
                      + auth = {
                          + passwordSecretRef   = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + privateKeySecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + host = (known after apply)
                    }
                  + passworddepot            = {
                      + auth     = {
                          + secretRef = {
                              + credentials = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + database = (known after apply)
                      + host     = (known after apply)
                    }
                  + pulumi                   = {
                      + accessToken  = {
                          + secretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + apiUrl       = (known after apply)
                      + environment  = (known after apply)
                      + organization = (known after apply)
                    }
                  + scaleway                 = {
                      + accessKey = {
                          + secretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + value     = (known after apply)
                        }
                      + apiUrl    = (known after apply)
                      + projectId = (known after apply)
                      + region    = (known after apply)
                      + secretKey = {
                          + secretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + value     = (known after apply)
                        }
                    }
                  + senhasegura              = {
                      + auth                 = {
                          + clientId              = (known after apply)
                          + clientSecretSecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + ignoreSslCertificate = (known after apply)
                      + module               = (known after apply)
                      + url                  = (known after apply)
                    }
                  + vault                    = {
                      + auth                = {
                          + appRole        = {
                              + path      = (known after apply)
                              + roleId    = (known after apply)
                              + roleRef   = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + secretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + cert           = {
                              + clientCert = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + secretRef  = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + iam            = {
                              + externalID          = (known after apply)
                              + jwt                 = {
                                  + serviceAccountRef = {
                                      + audiences = (known after apply)
                                      + name      = (known after apply)
                                      + namespace = (known after apply)
                                    }
                                }
                              + path                = (known after apply)
                              + region              = (known after apply)
                              + role                = (known after apply)
                              + secretRef           = {
                                  + accessKeyIDSecretRef     = {
                                      + key       = (known after apply)
                                      + name      = (known after apply)
                                      + namespace = (known after apply)
                                    }
                                  + secretAccessKeySecretRef = {
                                      + key       = (known after apply)
                                      + name      = (known after apply)
                                      + namespace = (known after apply)
                                    }
                                  + sessionTokenSecretRef    = {
                                      + key       = (known after apply)
                                      + name      = (known after apply)
                                      + namespace = (known after apply)
                                    }
                                }
                              + vaultAwsIamServerID = (known after apply)
                              + vaultRole           = (known after apply)
                            }
                          + jwt            = {
                              + kubernetesServiceAccountToken = {
                                  + audiences         = (known after apply)
                                  + expirationSeconds = (known after apply)
                                  + serviceAccountRef = {
                                      + audiences = (known after apply)
                                      + name      = (known after apply)
                                      + namespace = (known after apply)
                                    }
                                }
                              + path                          = (known after apply)
                              + role                          = (known after apply)
                              + secretRef                     = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + kubernetes     = {
                              + mountPath         = (known after apply)
                              + role              = (known after apply)
                              + secretRef         = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + serviceAccountRef = {
                                  + audiences = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + ldap           = {
                              + path      = (known after apply)
                              + secretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + username  = (known after apply)
                            }
                          + namespace      = (known after apply)
                          + tokenSecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + userPass       = {
                              + path      = (known after apply)
                              + secretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + username  = (known after apply)
                            }
                        }
                      + caBundle            = (known after apply)
                      + caProvider          = {
                          + key       = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                          + type      = (known after apply)
                        }
                      + forwardInconsistent = (known after apply)
                      + namespace           = (known after apply)
                      + path                = (known after apply)
                      + readYourWrites      = (known after apply)
                      + server              = (known after apply)
                      + tls                 = {
                          + certSecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + keySecretRef  = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + version             = (known after apply)
                    }
                  + webhook                  = {
                      + body       = (known after apply)
                      + caBundle   = (known after apply)
                      + caProvider = {
                          + key       = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                          + type      = (known after apply)
                        }
                      + headers    = (known after apply)
                      + method     = (known after apply)
                      + result     = {
                          + jsonPath = (known after apply)
                        }
                      + secrets    = (known after apply)
                      + timeout    = (known after apply)
                      + url        = (known after apply)
                    }
                  + yandexcertificatemanager = {
                      + apiEndpoint = (known after apply)
                      + auth        = {
                          + authorizedKeySecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + caProvider  = {
                          + certSecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                    }
                  + yandexlockbox            = {
                      + apiEndpoint = (known after apply)
                      + auth        = {
                          + authorizedKeySecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + caProvider  = {
                          + certSecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                    }
                }
              + refreshInterval = (known after apply)
              + retrySettings   = {
                  + maxRetries    = (known after apply)
                  + retryInterval = (known after apply)
                }
            }
        }
    }

  # module.training-cluster.kubernetes_namespace.argocd will be created
  + resource "kubernetes_namespace" "argocd" {
      + id                               = (known after apply)
      + wait_for_default_service_account = false

      + metadata {
          + generation       = (known after apply)
          + labels           = {
              + "certificate-wildcard"        = "true"
              + "kubernetes.io/metadata.name" = "argocd"
            }
          + name             = "argocd"
          + resource_version = (known after apply)
          + uid              = (known after apply)
        }
    }

  # module.training-cluster.kubernetes_secret.argocd-cluster will be created
  + resource "kubernetes_secret" "argocd-cluster" {
      + data                           = (sensitive value)
      + id                             = (known after apply)
      + type                           = "Opaque"
      + wait_for_service_account_token = true

      + metadata {
          + generation       = (known after apply)
          + labels           = {
              + "argocd.argoproj.io/secret-type" = "cluster"
              + "flavor"                         = "k8s"
              + "type"                           = "training"
            }
          + name             = "training"
          + namespace        = "argocd"
          + resource_version = (known after apply)
          + uid              = (known after apply)
        }
    }

  # module.training-cluster.kubernetes_secret.secretstore-secret will be created
  + resource "kubernetes_secret" "secretstore-secret" {
      + data                           = (sensitive value)
      + id                             = (known after apply)
      + type                           = "Opaque"
      + wait_for_service_account_token = true

      + metadata {
          + generation       = (known after apply)
          + name             = "credentials-training.cluster.acend.ch"
          + namespace        = "external-secrets"
          + resource_version = (known after apply)
          + uid              = (known after apply)
        }
    }

  # module.training-cluster.null_resource.cleanup-argo-cr-before-destroy will be created
  + resource "null_resource" "cleanup-argo-cr-before-destroy" {
      + id       = (known after apply)
      + triggers = {
          + "kubeconfig" = (known after apply)
        }
    }

  # module.training-cluster.null_resource.wait_for_k8s_api will be created
  + resource "null_resource" "wait_for_k8s_api" {
      + id       = (known after apply)
      + triggers = {
          + "k8s_api_ip" = (known after apply)
        }
    }

  # module.training-cluster.random_password.argocd-admin-password will be created
  + resource "random_password" "argocd-admin-password" {
      + bcrypt_hash      = (sensitive value)
      + id               = (known after apply)
      + length           = 16
      + lower            = true
      + min_lower        = 0
      + min_numeric      = 0
      + min_special      = 0
      + min_upper        = 0
      + number           = true
      + numeric          = true
      + override_special = "_%@"
      + result           = (sensitive value)
      + special          = true
      + upper            = true
    }

  # module.training-cluster.random_password.rke2_cluster_secret will be created
  + resource "random_password" "rke2_cluster_secret" {
      + bcrypt_hash = (sensitive value)
      + id          = (known after apply)
      + length      = 256
      + lower       = true
      + min_lower   = 0
      + min_numeric = 0
      + min_special = 0
      + min_upper   = 0
      + number      = true
      + numeric     = true
      + result      = (sensitive value)
      + special     = false
      + upper       = true
    }

  # module.training-cluster.ssh_resource.getkubeconfig will be created
  + resource "ssh_resource" "getkubeconfig" {
      + agent                              = false
      + bastion_port                       = "22"
      + commands                           = [
          + "until [ -f /etc/rancher/rke2/rke2.yaml ]; do sleep 10; done;",
          + "cat /etc/rancher/rke2/rke2.yaml",
        ]
      + commands_after_file_changes        = true
      + host                               = (known after apply)
      + id                                 = (known after apply)
      + ignore_no_supported_methods_remain = false
      + port                               = "22"
      + private_key                        = (sensitive value)
      + result                             = (known after apply)
      + retry_delay                        = "5s"
      + timeout                            = "15m"
      + user                               = "root"
      + when                               = "create"
    }

  # module.training-cluster.time_sleep.wait_for_argocd-cleanup will be created
  + resource "time_sleep" "wait_for_argocd-cleanup" {
      + destroy_duration = "180s"
      + id               = (known after apply)
    }

  # module.training-cluster.time_sleep.wait_for_bootstrap will be created
  + resource "time_sleep" "wait_for_bootstrap" {
      + create_duration  = "30s"
      + destroy_duration = "30s"
      + id               = (known after apply)
    }

  # module.training-cluster.tls_private_key.terraform will be created
  + resource "tls_private_key" "terraform" {
      + algorithm                     = "ECDSA"
      + ecdsa_curve                   = "P384"
      + id                            = (known after apply)
      + private_key_openssh           = (sensitive value)
      + private_key_pem               = (sensitive value)
      + private_key_pem_pkcs8         = (sensitive value)
      + public_key_fingerprint_md5    = (known after apply)
      + public_key_fingerprint_sha256 = (known after apply)
      + public_key_openssh            = (known after apply)
      + public_key_pem                = (known after apply)
      + rsa_bits                      = 2048
    }

  # module.training-cluster.module.api-a-record.restapi_object.a-record[0] will be created
  + resource "restapi_object" "a-record" {
      + api_data        = (known after apply)
      + api_response    = (known after apply)
      + create_response = (known after apply)
      + data            = (known after apply)
      + id              = (known after apply)
      + id_attribute    = "data/id"
      + path            = "/api/user/v1/zones/242898/records"
    }

  # module.training-cluster.module.api-aaaa-record.restapi_object.aaaa-record[0] will be created
  + resource "restapi_object" "aaaa-record" {
      + api_data        = (known after apply)
      + api_response    = (known after apply)
      + create_response = (known after apply)
      + data            = (known after apply)
      + id              = (known after apply)
      + id_attribute    = "data/id"
      + path            = "/api/user/v1/zones/242898/records"
    }

Plan: 38 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  ~ argocd-admin-password = (sensitive value)
  ~ count-students        = 4 -> 0
  ~ student-passwords     = (sensitive value)
  ~ training-kubeconfig   = (sensitive value)

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

Pusher: @splattner, Workflow: Deploy

deploy cluster for next helm training

2b1d1e4

splattner temporarily deployed to production May 13, 2024 13:19 — with GitHub Actions Inactive

splattner merged commit 3d59227 into main May 13, 2024
1 check passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

deploy cluster for next helm training #7

deploy cluster for next helm training #7

splattner commented May 13, 2024

github-actions bot commented May 13, 2024

deploy cluster for next helm training #7

deploy cluster for next helm training #7

Conversation

splattner commented May 13, 2024

github-actions bot commented May 13, 2024

Terraform Format and Style 🖌success

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Terraform Plan 📖success

Terraform Format and Style 🖌`success`

Terraform Initialization ⚙️`success`

Terraform Validation 🤖`success`

Terraform Plan 📖`success`