banzaicloud / terraform-provider-k8s

Kubernetes Terraform provider with support for raw manifests
https://registry.terraform.io/providers/banzaicloud/k8s
MIT License
135 stars, 30 forks

cluster_ca_certificate parameter doesn't appear to be working #32

Closed ophelan closed 4 years ago

ophelan commented 4 years ago

I'm in the process of migrating a deploy from 0.6.0 to 0.7.2. The kubeconfig_content parameter was removed, requiring me to pass configuration in a different fashion. Upon converting to the new configuration, I receive the error Error: Failed to configure: Get https://REDACTED.eks.amazonaws.com/api?timeout=32s: x509: certificate signed by unknown authority. This error remains regardless of whether I pass the cluster_ca_certificate attribute.

Previously, the provider was called using a templated kubeconfig:

provider "k8s" {
  kubeconfig_content = local.tokenconfig
}

locals {
  tokenconfig = templatefile(
    "${path.module}/tokenconfig.tpl",
    {
      name        = local.cluster.name
      endpoint    = module.cluster.endpoint
      certificate = module.cluster.ca-certificate
      token       = module.cluster.token
    })
}

# tokenconfig.tpl
apiVersion: v1
clusters:
- cluster:
    server: ${endpoint}
    certificate-authority-data: ${certificate}
  name: ${name}
contexts:
- context:
    cluster: ${name}
    user: ${name}
  name: ${name}
current-context: ${name}
kind: Config
preferences: {}
users:
- name: ${name}
  user:
    token: ${token}

With the configuration changes, I have moved to this format, where I pass the host, cluster_ca_certificate, and token directly, rather than the kubeconfig.

provider "k8s" {
  load_config_file = false
  host = module.cluster.endpoint
  cluster_ca_certificate = module.cluster.ca-certificate
  token = module.cluster.token
}

micahnoland commented 4 years ago

Try base64decode(module.cluster.ca-certificate)

bonifaido commented 4 years ago

As @micahnoland has pointed out, the parameter has to be non-base64-encoded, as in https://www.terraform.io/docs/providers/kubernetes/#cluster_ca_certificate (we use the same attributes), just like:

provider "k8s" {
  load_config_file = false
  host = "https://5D1D3E6D2FE99FB03AF4753CFF4D1796.sk1.eu-west-1.eks.amazonaws.com"
  cluster_ca_certificate = <<CERTIFICATE
-----BEGIN CERTIFICATE-----
MIICyDCCAbCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
cm5ldGVzMB4XDTIwMDMyMDA4MjcxNVoXDTMwMDMxODA4MjcxNVowFTETMBEGA1UE
AxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/z
NNDKP1kQ6TKyyP9V67tiwfgvq6Ypqo0qmu7CclQNYK8q2JCFNeFzsszQzBmDrt+9
...
-----END CERTIFICATE-----
CERTIFICATE
}
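
As an added example (not code from the provider or from anyone in this thread), a Python check that mirrors the fix above: it accepts the value either as PEM text or as the base64-wrapped PEM that a kubeconfig certificate-authority-data field carries, normalizes it to the PEM text cluster_ca_certificate expects (the same thing Terraform's base64decode() does), and rejects anything else, including a value base64-encoded twice, so the mistake fails at validation time rather than surfacing later as the x509 "certificate signed by unknown authority" error. The sample certificate body is constructed and is not a real certificate.

```python
import base64
import binascii
import re

# One PEM CERTIFICATE block, which is the form cluster_ca_certificate expects.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*[A-Za-z0-9+/=\s]+?\s*-----END CERTIFICATE-----"
)

# Constructed sample (not a real certificate); the body is arbitrary base64 text.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIICyDCCAbCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl\n"
    "-----END CERTIFICATE-----\n"
)
# What a kubeconfig certificate-authority-data field carries: base64 of the PEM text.
SAMPLE_B64 = base64.b64encode(SAMPLE_PEM.encode("ascii")).decode("ascii")
# The failure mode from the thread taken one step further: base64 applied twice.
SAMPLE_DOUBLE_B64 = base64.b64encode(SAMPLE_B64.encode("ascii")).decode("ascii")


def normalize_ca_certificate(value: str) -> str:
    """Return PEM text suitable for cluster_ca_certificate.

    Accepts PEM as-is, or base64-wrapped PEM (equivalent to base64decode()).
    Raises ValueError for anything else, so a bad value fails here instead of
    as a TLS 'certificate signed by unknown authority' error at apply time.
    """
    text = value.strip()
    if PEM_BLOCK.search(text):
        return text + "\n"
    try:
        # validate=True rejects characters outside the base64 alphabet,
        # e.g. the '-' of a PEM header or spaces in free text.
        decoded = base64.b64decode(text, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("value is neither PEM nor base64-encoded PEM") from exc
    if not PEM_BLOCK.search(decoded):
        raise ValueError("base64 payload does not contain a PEM CERTIFICATE block")
    return decoded.strip() + "\n"


def classify_ca_input(value: str) -> str:
    """Label a candidate value as 'pem', 'base64-pem' or 'invalid'."""
    if PEM_BLOCK.search(value.strip()):
        return "pem"
    try:
        normalize_ca_certificate(value)
    except ValueError:
        return "invalid"
    return "base64-pem"
```
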

ophelan commented 4 years ago

Thanks guys. It was indeed a base64 issue. Not sure how I missed that.