Revert "Filter well known labels and annotations (#1253)" (#1298)

* Revert "Filter well known labels and annotations (#1253)"

This reverts commit e5b56a9.

* Allow app.kubernetes.io to be user specified

Author: jrhouston

kubernetes/known_labels_annotations.go

@@ -1183,34 +1183,6 @@ func TestAccKubernetesPod_topologySpreadConstraint(t *testing.T) {
 	})
 }
 
-func TestAccKubernetesPod_filterAnnotations(t *testing.T) {
-	name := acctest.RandomWithPrefix("tf-acc-test")
-	resourceName := "kubernetes_pod.test"
-
-	resource.Test(t, resource.TestCase{
-		PreCheck:          func() { testAccPreCheck(t) },
-		ProviderFactories: testAccProviderFactories,
-		CheckDestroy:      testAccCheckKubernetesPodDestroy,
-		Steps: []resource.TestStep{
-			{
-				Config: testAccKubernetesPodConfigFilterAnnotations(name, busyboxImageVersion),
-				Check: resource.ComposeAggregateTestCheckFunc(
-					resource.TestCheckResourceAttr(resourceName, "metadata.0.annotations.%", "1"),
-					resource.TestCheckResourceAttr(resourceName, "metadata.0.annotations.kubernetes.io/ingress.class", "gce-multi-cluster"),
-					resource.TestCheckResourceAttr(resourceName, "metadata.0.labels.%", "1"),
-					resource.TestCheckResourceAttr(resourceName, "metadata.0.labels.kubernetes.io/ingress.class", "gce-multi-cluster"),
-				),
-			},
-			{
-				ResourceName:            resourceName,
-				ImportState:             true,
-				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"metadata.0.resource_version"},
-			},
-		},
-	})
-}
-
 func testAccCheckKubernetesPodDestroy(s *terraform.State) error {
 	conn, err := testAccProvider.Meta().(KubeClientsets).MainClientset()
 
@@ -2649,26 +2621,3 @@ func testAccKubernetesPodTopologySpreadConstraintConfig(podName, imageName strin
 }
 `, podName, imageName)
 }
-
-func testAccKubernetesPodConfigFilterAnnotations(name, imageName string) string {
-	return fmt.Sprintf(`resource "kubernetes_pod" "test" {
-  metadata {
-    name = "%s"
-
-	labels = {
-	  "kubernetes.io/ingress.class" = "gce-multi-cluster"
-	}
-
-	annotations = {
-	  "kubernetes.io/ingress.class" = "gce-multi-cluster"
-	}
-  }
-  spec {
-    container {
-        image = "%s"
-        name  = "containername"
-    }
-  }
-}
-`, name, imageName)
-}

kubernetes/resource_kubernetes_pod_test.go

@@ -3,11 +3,11 @@ package kubernetes
 import (
 	"encoding/base64"
 	"fmt"
+	"net/url"
 	"strings"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	api "k8s.io/api/core/v1"
-
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -155,8 +155,24 @@ func isKeyInMap(key string, d map[string]interface{}) bool {
 	return false
 }
 
-func isInternalKey(key string) bool {
-	if _, ok := knownLabelsAnnotations[key]; ok {
+func isInternalKey(annotationKey string) bool {
+	u, err := url.Parse("//" + annotationKey)
+	if err != nil {
+		return false
+	}
+
+	// allow user specified application specific keys
+	if u.Hostname() == "app.kubernetes.io" {
+		return false
+	}
+
+	// internal *.kubernetes.io keys
+	if strings.HasSuffix(u.Hostname(), "kubernetes.io") {
+		return true
+	}
+
+	// Specific to DaemonSet annotations, generated & controlled by the server.
+	if strings.Contains(annotationKey, "deprecated.daemonset.template.generation") {
 		return true
 	}
 	return false

kubernetes/structures.go

@@ -14,15 +14,13 @@ func TestIsInternalKey(t *testing.T) {
 		{"anyKey", false},
 		{"any.hostname.io", false},
 		{"any.hostname.com/with/path", false},
-		{"any.kubernetes.io", false},
-		{"kubernetes.io", false},
-		{"pv.kubernetes.io/any/path", false},
-		{"pv.kubernetes.io/any/path", false},
-		{"kubernetes.io/hostname", true},
-		{"statefulset.kubernetes.io/pod-name", true},
+		{"app.kubernetes.io", false},
+		{"kubernetes.io", true},
+		{"kubectl.kubernetes.io", true},
+		{"pv.kubernetes.io/any/path", true},
 	}
-	for i, tc := range testCases {
-		t.Run(fmt.Sprintf("%d", i), func(t *testing.T) {
+	for _, tc := range testCases {
+		t.Run(fmt.Sprintf("%s", tc.Key), func(t *testing.T) {
 			isInternal := isInternalKey(tc.Key)
 			if tc.Expected && isInternal != tc.Expected {
 				t.Fatalf("Expected %q to be internal", tc.Key)

kubernetes/structures_test.go

@@ -38,12 +38,12 @@ The following arguments are supported:
 
 * `annotations` - (Optional) An unstructured key value map stored with the namespace that may be used to store arbitrary metadata.
 
-~> By default, the provider ignores any annotations whose key names are in the [Well-Known Labels, Annotations and Taints](https://kubernetes.io/docs/reference/labels-annotations-taints). This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/annotations)
+~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/annotations)
 
 * `generation` - A sequence number representing a specific generation of the desired state.
 * `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) namespaces. May match selectors of replication controllers and services.
 
-~> By default, the provider ignores any labels whose key names are in the [Well-Known Labels, Annotations and Taints](https://kubernetes.io/docs/reference/labels-annotations-taints). This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/labels)
+~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/labels)
 
 * `resource_version` - An opaque value that represents the internal version of this namespace that can be used by clients to determine when namespaces have changed. Read more about [concurrency control and consistency](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency).
 * `uid` - The unique in time and space value for this namespace. For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/identifiers#uids)

website/docs/d/namespace.html.markdown

@@ -47,12 +47,12 @@ The following arguments are supported:
 
 * `annotations` - (Optional) An unstructured key value map stored with the API service that may be used to store arbitrary metadata.
 
-~> By default, the provider ignores any annotations whose key names are in the [Well-Known Labels, Annotations and Taints](https://kubernetes.io/docs/reference/labels-annotations-taints). This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/annotations)
+~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/annotations)
 
 * `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
 * `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the API service. 
 
-~> By default, the provider ignores any labels whose key names are in the [Well-Known Labels, Annotations and Taints](https://kubernetes.io/docs/reference/labels-annotations-taints). This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/labels)
+~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/labels)
 
 * `name` - (Optional) Name of the API service, must be unique. Cannot be updated. For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/identifiers#names)
 

website/docs/r/api_service.html.markdown

@@ -64,12 +64,12 @@ The following arguments are supported:
 
 * `annotations` - (Optional) An unstructured key value map stored with the certificate signing request that may be used to store arbitrary metadata.
 
-~> By default, the provider ignores any annotations whose key names are in the [Well-Known Labels, Annotations and Taints](https://kubernetes.io/docs/reference/labels-annotations-taints). This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/annotations)
+~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/annotations)
 
 * `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
 * `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the certificate signing request. May match selectors of replication controllers and services.
 
-~> By default, the provider ignores any labels whose key names are in the [Well-Known Labels, Annotations and Taints](https://kubernetes.io/docs/reference/labels-annotations-taints). This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/labels)
+~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/labels)
 
 * `name` - (Optional) Name of the certificate signing request, must be unique. Cannot be updated. For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/identifiers#names)