Here's an example of the intermittent problem we're trying to resolve:
Note this part of the error message in particular:
Error: Kubernetes cluster unreachable: the server has asked for the client to provide credentials on .terraform/modules/instance.aws_load_balancer_controller/main.tf line 384, in resource "helm_release" "using_iamserviceaccount"
My hypothesis is that by the time the Fargate profile is set up and coredns has been fully restarted (which can take several minutes), the token generated via data.aws_eks_cluster_auth.main has expired. That expired token is then used to initialize the Helm provider when the first helm_resource is deployed, resulting in the error.
It turns out there's documentation about this problem, and a facility for addressing it. The PR here mimics the provided example for EKS, but reuses the existing single-purpose aws-iam-authenticator binary rather than adding a new dependency on the more general aws CLI binary.
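The two ways of authenticating the Helm provider discussed above, shown side by side as an added example that is not taken from the PR itself. Assumptions: the data.aws_eks_cluster.main data source, the Helm provider 2.x nested kubernetes block syntax, and the v1beta1 exec API version (older aws-iam-authenticator releases emit v1alpha1).

```hcl
# Assumed data sources; only data.aws_eks_cluster_auth.main is named on the page.
data "aws_eks_cluster" "main" {
  name = var.cluster_name # hypothetical variable
}

data "aws_eks_cluster_auth" "main" {
  name = var.cluster_name
}

provider "helm" {
  kubernetes {
    host                   = data.aws_eks_cluster.main.endpoint
    cluster_ca_certificate = base64decode(data.aws_eks_cluster.main.certificate_authority[0].data)

    # Before: a short-lived token read once from the data source.
    # If earlier resources take several minutes to apply, the token can
    # already be expired when the first Helm resource is deployed, and the
    # API server answers "the server has asked for the client to provide
    # credentials".
    #
    # token = data.aws_eks_cluster_auth.main.token

    # After: an exec credential plugin. The provider runs the command each
    # time it needs to authenticate, so it gets a fresh token instead of
    # reusing one issued at the start of the run.
    exec {
      api_version = "client.authentication.k8s.io/v1beta1"
      command     = "aws-iam-authenticator"
      args        = ["token", "-i", data.aws_eks_cluster.main.name]
    }
  }
}
```

The aws-iam-authenticator binary must be on the PATH of whatever host runs terraform apply, and it signs the token with that host's AWS credentials, so the IAM principal there still needs to be mapped to a Kubernetes identity in the cluster.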