elijah-roberts
commented
4 months ago I am also experiencing this issue.
# Akeyless
terraform {
required_providers {
akeyless = {
source = "akeyless-community/akeyless"
version = ">= 1.0.0"
}
}
}
provider "akeyless" {
api_gateway_address = <private gatway>
api_key_login {
access_id = "redacted"
access_key = "redacted"
}
}
resource "akeyless_auth_method_k8s" "k8s" {
name = "/tests/ns-${local.name}-ie-primary-${local.project_id}"
bound_namespaces = [kubernetes_namespace.main.metadata[0].name]
}
resource "akeyless_k8s_auth_config" "k8s" {
access_id = akeyless_auth_method_k8s.k8s.access_id
name = akeyless_auth_method_k8s.k8s.name
k8s_ca_cert = data.google_container_cluster.gke_cluster.master_auth[0].cluster_ca_certificate
k8s_host = "https://${data.google_container_cluster.gke_cluster.private_cluster_config[0].private_endpoint}"
token_reviewer_jwt = kubernetes_secret_v1.akeyless_gateway_token_reviewer_token.data["token"]
k8s_issuer = "https://container.googleapis.com/v1/projects/${local.project_id}/locations/${local.location}/clusters/${local.cluster_name}"
signing_key = akeyless_auth_method_k8s.k8s.private_key
}
# Contextual components that are not a part of the issue
locals {
name = "secret-store-akeyless"
project_id = "redacted"
cluster_name = "redacted"
location = "us-east1"
}
resource "kubernetes_namespace" "main" {
metadata {
name = local.name
}
}
resource "kubernetes_service_account_v1" "akeyless_gateway_token_reviewer" {
metadata {
name = "akeyless-${kubernetes_namespace.main.metadata[0].name}-secretstore"
namespace = kubernetes_namespace.main.metadata[0].name
}
}
resource "kubernetes_cluster_role_binding_v1" "akeyless_role_tokenreview_binding" {
metadata {
name = "akeyless-${kubernetes_namespace.main.metadata[0].name}-secretstore-binding"
}
role_ref {
api_group = "rbac.authorization.k8s.io"
kind = "ClusterRole"
name = "system:auth-delegator"
}
subject {
kind = "ServiceAccount"
name = kubernetes_service_account_v1.akeyless_gateway_token_reviewer.metadata[0].name
namespace = kubernetes_namespace.main.metadata[0].name
}
}
resource "kubernetes_secret_v1" "akeyless_gateway_token_reviewer_token" {
metadata {
name = "akeyless-${kubernetes_namespace.main.metadata[0].name}-secretstore-token"
namespace = kubernetes_namespace.main.metadata[0].name
annotations = {
"kubernetes.io/service-account.name" = kubernetes_service_account_v1.akeyless_gateway_token_reviewer.metadata[0].name
}
}
type = "kubernetes.io/service-account-token"
}
data "google_container_cluster" "gke_cluster" {
name = local.cluster_name
location = local.location
project = local.project_id
}I get this error:
I suspect that it has to do with the call made here in the provider: https://github.com/akeyless-community/terraform-provider-akeyless/blob/master/akeyless/provider.go#L356
Hello,
I'm trying to use the onprem gateway rather than the public endpoint. Our local gateway has some default rules that are used to encrypt secrets, auth config etc with a local encryption key (DFC).
If I configure the provider to use
https://api.akeyless.ioI can't encrypt by default the secrets and other resources with the custom DFC key, and I can't create auth config :If I use the onprem gateway, there is an authentication error (same access_id/access_key):
How can I use the local gateway for all resources ? Is there a miss configuration on the local gateway ?
Thanks for your help.