DNXLabs / terraform-aws-eks-cloudwatch-logs

Terraform module for deploying AWS Fluent Bit (aws-for-fluent-bit) as a DaemonSet that sends logs to CloudWatch Logs, inside a pre-existing EKS cluster.
https://modules.dnx.one
Apache License 2.0

Error: unable to build kubernetes objects from release manifest: [unable to recognize "": no matches for kind "ClusterRole" in version "rbac.authorization.k8s.io/v1beta1", #7

Open gkzz opened 2 years ago

gkzz commented 2 years ago

Contact Details (optional)

No response

Description. What happened?

The following error occurred when I ran terraform apply.

```
│ Error: unable to build kubernetes objects from release manifest: [unable to recognize "": no matches for kind "ClusterRole" in version "rbac.authorization.k8s.io/v1beta1", unable to recognize "": no matches for kind "ClusterRoleBinding" in version "rbac.authorization.k8s.io/v1beta1"]
│ 
│   with module.cloudwatch_logs.helm_release.cloudwatch_logs[0],
│   on .terraform/modules/cloudwatch_logs/helm.tf line 1, in resource "helm_release" "cloudwatch_logs":
│    1: resource "helm_release" "cloudwatch_logs" {
```

Steps to reproduce

```hcl
module "cloudwatch_logs" {
  source = "git::https://github.com/DNXLabs/terraform-aws-eks-cloudwatch-logs.git?ref=0.1.4"

  enabled = true
  # default
  namespace = "aws-cloudwatch-logs"
  # default
  service_account_name = "aws-for-fluent-bit"

  cluster_name                     = aws_eks_cluster.cluster.name
  cluster_identity_oidc_issuer     = aws_eks_cluster.cluster.identity.0.oidc.0.issuer
  cluster_identity_oidc_issuer_arn = aws_iam_openid_connect_provider.cluster.arn
  worker_iam_role_name             = aws_iam_role.node_iam_role.name
  region                           = var.region
}

data "tls_certificate" "cluster" {
  url = aws_eks_cluster.cluster.identity.0.oidc.0.issuer
}

resource "aws_iam_openid_connect_provider" "cluster" {
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.cluster.certificates.0.sha1_fingerprint]
  url             = aws_eks_cluster.cluster.identity.0.oidc.0.issuer
}

resource "aws_iam_role" "eks_cloudwatch_logs_role" {
  name = "eks_cloudwatch_logs_role"
  assume_role_policy = templatefile("policies/oidc_assume_role_policy.json", {
    OIDC_ARN  = aws_iam_openid_connect_provider.cluster.arn
    OIDC_URL  = replace(aws_iam_openid_connect_provider.cluster.url, "https://", ""),
    NAMESPACE = "kube-system",
    SA_NAME   = "aws-node"
  })
}

data "aws_eks_cluster" "cluster" {
  name = aws_eks_cluster.cluster.id
}

data "aws_eks_cluster_auth" "cluster" {
  name = aws_eks_cluster.cluster.id
}

provider "kubernetes" {
  host                   = data.aws_eks_cluster.cluster.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
  token                  = data.aws_eks_cluster_auth.cluster.token
  exec {
    api_version = "client.authentication.k8s.io/v1alpha1"
    args = [
      "eks", "get-token",
      "--cluster-name", aws_eks_cluster.cluster.name,
      "--region", var.region
    ]
    command = "aws"
  }
}

provider "helm" {
  kubernetes {
    host                   = data.aws_eks_cluster.cluster.endpoint
    cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
    token                  = data.aws_eks_cluster_auth.cluster.token
    exec {
      # https://stackoverflow.com/questions/71318743/kubectl-versions-error-exec-plugin-is-configured-to-use-api-version-client-auth
      api_version = "client.authentication.k8s.io/v1alpha1"
      # With both v1beta1 and v1alpha1, this issue is not fixed
      #api_version = "client.authentication.k8s.io/v1beta1"
      args = [
        "eks", "get-token",
        "--cluster-name", aws_eks_cluster.cluster.name,
        "--region", var.region
      ]
      command = "aws"
    }
  }
}
```

Expected behavior

Terraform resources are applied successfully

Actual behavior

Same as the description

Occurrence

Frequently

Relevant log output

No response

gkzz commented 2 years ago

Some similar issues are the following

MalteKud commented 2 years ago

@gkzz Specifying the currently latest helm chart version on the module solved this issue for me:

```hcl
helm_chart_version = "0.1.17"
```
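
A preflight check for the failure reported in this issue, as an added example that is not part of the thread or of the module's code: it scans rendered Helm output for objects declared under `rbac.authorization.k8s.io/v1beta1`, which Kubernetes 1.22 and later no longer serve. The manifest is a constructed sample and the function names are hypothetical.

```python
import re

# rbac.authorization.k8s.io/v1beta1 is not served by Kubernetes 1.22 and later;
# the same kinds are available under rbac.authorization.k8s.io/v1.
REMOVED = {"rbac.authorization.k8s.io/v1beta1": "rbac.authorization.k8s.io/v1"}

def _top(doc, key):
    m = re.search(rf"^{key}:[ \t]*(\S+)", doc, re.M)  # unindented key only
    return m.group(1).strip("\"'") if m else None

def _name(doc):
    """metadata.name, read at the indent of metadata's first child key."""
    m = re.search(r"^metadata:[ \t]*\n((?:[ \t]+.*\n?)*)", doc, re.M)
    block = m.group(1) if m else ""
    indent = re.match(r"[ \t]*", block).group(0)
    n = re.search(rf"^{indent}name:[ \t]*(\S+)", block, re.M)
    return n.group(1).strip("\"'") if n else None

def find_removed_apis(manifest):
    """Return (kind, name, apiVersion, replacement) per affected object."""
    hits = []
    for doc in re.split(r"^---[ \t]*$", manifest, flags=re.M):
        api = _top(doc, "apiVersion")
        if api in REMOVED:
            hits.append((_top(doc, "kind"), _name(doc), api, REMOVED[api]))
    return hits

# Constructed sample of rendered chart output (not taken from the real chart).
SAMPLE = """\
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    name: label-not-object-name
  name: fluent-bit-read
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: fluent-bit-read
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aws-for-fluent-bit
"""

if __name__ == "__main__":
    for kind, name, api, new in find_removed_apis(SAMPLE):
        print(f"{kind}/{name}: {api} -> use {new}")
```

Running it against the output of `helm template` for the pinned chart version before `terraform apply` surfaces the affected ClusterRole and ClusterRoleBinding without touching the cluster.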