aws-observability / terraform-aws-observability-accelerator

Open source project to help accelerate and ease observability setup on AWS environments
https://aws-observability.github.io/terraform-aws-observability-accelerator/
Apache License 2.0

[Bug]: modules/eks-monitoring/add-ons/external-secrets does not work with Fargate #241

Open mpalumbo7 opened 11 months ago

mpalumbo7 commented 11 months ago

Welcome to the AWS Observability Accelerator

AWS Observability Accelerator Release version

v2.9.2

What is your environment, configuration and the example used?

❯ terraform --version
Terraform v1.5.7
on darwin_arm64
+ provider registry.terraform.io/gavinbunney/kubectl v1.14.0
+ provider registry.terraform.io/hashicorp/aws v5.22.0
+ provider registry.terraform.io/hashicorp/awscc v0.63.0
+ provider registry.terraform.io/hashicorp/cloudinit v2.3.2
+ provider registry.terraform.io/hashicorp/helm v2.11.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.23.0
+ provider registry.terraform.io/hashicorp/null v3.2.1
+ provider registry.terraform.io/hashicorp/time v0.9.1
+ provider registry.terraform.io/hashicorp/tls v4.0.4

Used to deploy:

What did you do and What did you see instead?

While deploying eks-monitoring, I received the following:

❯ terraform apply .tf-out
Acquiring state lock. This may take a few moments...
module.eks_observability.module.eks_monitoring.module.external_secrets[0].kubectl_manifest.cluster_secretstore: Creating...
module.eks_observability.module.eks_monitoring.module.external_secrets[0].kubectl_manifest.secret: Creating...
module.eks_observability.module.eks_monitoring.module.operator[0].module.cert_manager[0].module.helm_addon.helm_release.addon[0]: Creating...
module.eks_observability.module.eks_monitoring.module.external_secrets[0].kubectl_manifest.cluster_secretstore: Still creating... [10s elapsed]
module.eks_observability.module.eks_monitoring.module.external_secrets[0].kubectl_manifest.secret: Still creating... [10s elapsed]
╷
│ Error: cannot re-use a name that is still in use
│ 
│   with module.eks_observability.module.eks_monitoring.module.operator[0].module.cert_manager[0].module.helm_addon.helm_release.addon[0],
│   on .terraform/modules/eks_observability.eks_monitoring.operator.cert_manager/modules/kubernetes-addons/helm-addon/main.tf line 1, in resource "helm_release" "addon":
│    1: resource "helm_release" "addon" {
│ 
╵
╷
│ Error: cluster-secretstore-sm failed to run apply: error when creating "/var/folders/7b/tdztr7dj46z531m5m0pxzymc0000gp/T/389883418kubectl_manifest.yaml": Internal error occurred: failed calling webhook "validate.clustersecretstore.external-secrets.io": failed to call webhook: Post "https://external-secrets-webhook.external-secrets.svc:443/validate-external-secrets-io-v1beta1-clustersecretstore?timeout=5s": tls: failed to verify certificate: x509: certificate is valid for ip-XX-XX-XX-XX.us-west-2.compute.internal, not external-secrets-webhook.external-secrets.svc
│ 
│   with module.eks_observability.module.eks_monitoring.module.external_secrets[0].kubectl_manifest.cluster_secretstore,
│   on .terraform/modules/eks_observability.eks_monitoring/modules/eks-monitoring/add-ons/external-secrets/main.tf line 59, in resource "kubectl_manifest" "cluster_secretstore":
│   59: resource "kubectl_manifest" "cluster_secretstore" {
│ 
╵
╷
│ Error: grafana-operator/external-secrets-sm failed to run apply: error when creating "/var/folders/7b/tdztr7dj46z531m5m0pxzymc0000gp/T/525858993kubectl_manifest.yaml": Internal error occurred: failed calling webhook "validate.externalsecret.external-secrets.io": failed to call webhook: Post "https://external-secrets-webhook.external-secrets.svc:443/validate-external-secrets-io-v1beta1-externalsecret?timeout=5s": tls: failed to verify certificate: x509: certificate is valid for ip-XX-XX-XX-XX.us-west-2.compute.internal, not external-secrets-webhook.external-secrets.svc
│ 
│   with module.eks_observability.module.eks_monitoring.module.external_secrets[0].kubectl_manifest.secret,
│   on .terraform/modules/eks_observability.eks_monitoring/modules/eks-monitoring/add-ons/external-secrets/main.tf line 89, in resource "kubectl_manifest" "secret":
│   89: resource "kubectl_manifest" "secret" {
│ 
╵
Releasing state lock. This may take a few moments...

Some research leads me to believe the issue is the same as this:

https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/issues/55

However, the workaround of setting the external-secrets webhook port to 9443 is not possible with the observability accelerator. The helm_config variable of external-secrets is not exposed in the top-level module's variables.

Do I understand the problem correctly, or is there something else going on?

Additional Information

No response
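As an added triage helper (not part of this issue or of the accelerator's code): a parser for the x509 mismatch error shown above that flags when the certificate the webhook endpoint presented belongs to an EC2 node rather than to the webhook Service, which is the signature of the Fargate conflict referenced in the linked issue (on Fargate, port 10250 is reserved for the kubelet, so a webhook listening on 10250 is answered by the kubelet's node certificate). The sample error text is constructed to mirror the report, and the chart value name `webhook.port` used in the recommendation is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Shape of the message Go's TLS client emits on a hostname mismatch, as
# surfaced by kubectl_manifest / the API server's webhook call.
X509_MISMATCH = re.compile(
    r'failed calling webhook "(?P<webhook>[^"]+)".*?'
    r'Post "https://(?P<host>[^:/"]+):(?P<port>\d+)[^"]*".*?'
    r'certificate is valid for (?P<valid_for>.+?), not (?P<expected>\S+)',
    re.DOTALL,
)
# EC2 private DNS names look like ip-10-0-12-34.us-west-2.compute.internal
EC2_NODE_NAME = re.compile(r'^ip-\d{1,3}(-\d{1,3}){3}\.[a-z0-9-]+\.compute\.internal$')


@dataclass
class WebhookTlsFinding:
    webhook: str            # admission webhook that failed
    service_host: str       # Service DNS name the API server dialled
    service_port: int       # Service port (not the pod's containerPort)
    cert_valid_for: list    # SANs in the certificate actually presented
    likely_fargate_kubelet: bool


def diagnose(error_text: str) -> Optional[WebhookTlsFinding]:
    """Parse one Terraform/kubectl error; return a finding or None if unrelated."""
    m = X509_MISMATCH.search(error_text)
    if not m:
        return None
    sans = [s.strip() for s in m.group("valid_for").split(",")]
    return WebhookTlsFinding(
        webhook=m.group("webhook"),
        service_host=m.group("host"),
        service_port=int(m.group("port")),
        cert_valid_for=sans,
        # A node hostname in the SANs means the kubelet, not the webhook pod,
        # terminated the TLS connection.
        likely_fargate_kubelet=any(EC2_NODE_NAME.match(s) for s in sans),
    )


def recommendation(f: WebhookTlsFinding) -> str:
    if f.likely_fargate_kubelet:
        # webhook.port is the assumed external-secrets chart value for the
        # webhook containerPort; 9443 is the workaround named in the report.
        return ("webhook containerPort collides with the Fargate kubelet (10250); "
                "set chart value webhook.port to e.g. 9443 and redeploy")
    return "certificate/SAN mismatch unrelated to Fargate; check cert-manager issuance"


# Constructed sample mirroring the error in the report (node name made up).
SAMPLE = (
    'Error: cluster-secretstore-sm failed to run apply: Internal error occurred: '
    'failed calling webhook "validate.clustersecretstore.external-secrets.io": '
    'failed to call webhook: Post "https://external-secrets-webhook.external-secrets.svc:443/'
    'validate-external-secrets-io-v1beta1-clustersecretstore?timeout=5s": tls: failed to '
    'verify certificate: x509: certificate is valid for ip-10-0-12-34.us-west-2.compute.internal, '
    'not external-secrets-webhook.external-secrets.svc'
)
```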

bpgould commented 4 months ago

I have the same issue