crossplane-contrib / provider-upjet-aws

Official AWS Provider for Crossplane by Upbound.
https://marketplace.upbound.io/providers/upbound/provider-aws
Apache License 2.0

InvalidParameterException: bootstrapClusterCreatorAdminPermissions must be true if cluster authentication mode is set to CONFIG_MAP #1345

Closed hflobao closed 3 weeks ago

hflobao commented 3 weeks ago

Is there an existing issue for this?

Affected Resource(s)

Resource MRs required to reproduce the bug

spec:
  deletionPolicy: Delete
  forProvider:
    accessConfig:
    - authenticationMode: CONFIG_MAP
    - bootstrapClusterCreatorAdminPermissions: true
    enabledClusterLogTypes:
    - api
    - audit
    - authenticator
    - controllerManager
    - scheduler
    encryptionConfig:
    - provider:
      - keyArn: arn:aws:kms:us-east-1:123456789012:key/3748da25-4e5c-4e2c-9df1-81d94833d9a0
      resources:
      - secrets
    region: us-east-1
    roleArn: arn:aws:iam::123456789012:role/staging-eks-cluster-vkt2h-z9bmb
    roleArnRef:
      name: staging-eks-cluster-vkt2h-z9bmb
    roleArnSelector:
      matchControllerRef: true
      matchLabels:
        role: dataplane
    tags:
      crossplane-kind: cluster.eks.aws.upbound.io
      crossplane-name: staging-eks-cluster-vkt2h-wc4v6
      crossplane-providerconfig: iac-aws-staging
    vpcConfig:
    - endpointPrivateAccess: true
      endpointPublicAccess: true
      index: "0"
      subnetIds:
      - subnet-xxxx
      - subnet-yyyy
      - subnet-zzzz

Steps to Reproduce

Try to provision an EKS cluster with the "accessConfig" specified in the MR as per the documentation for v1.5.0:

https://marketplace.upbound.io/providers/upbound/provider-aws-eks/v1.5.0/resources/eks.aws.upbound.io/Cluster/v1beta1#doc:spec-forProvider-accessConfig

What happened?

When trying to provision using the "accessConfig", the behavior is as if the bootstrapClusterCreatorAdminPermissions is set to false, even if I omit the parameter to use the default value or if I explicitly specify it with the value of true.

If the authenticationMode is set to "API" or "API_AND_CONFIG_MAP", the cluster gets created, but with the value of false in the bootstrapClusterCreatorAdminPermissions. If the authenticationMode is set to "CONFIG_MAP", I get an error and the cluster is not created, as it requires the bootstrapClusterCreatorAdminPermissions to be set to true.

Relevant Error Output Snippet

status:
  atProvider: {}
  conditions:
  - lastTransitionTime: "2024-06-06T14:50:27Z"
    reason: Creating
    status: "False"
    type: Ready
  - lastTransitionTime: "2024-06-06T14:54:56Z"
    message: 'create failed: async create failed: failed to create the resource: [{0
      creating EKS Cluster (staging-eks-cluster-vkt2h-wc4v6): operation error
      EKS: CreateCluster, https response error StatusCode: 400, RequestID: b8ac9f2c-e4a3-4b93-8e0b-5b7c10a1b9bd,
      InvalidParameterException: bootstrapClusterCreatorAdminPermissions must be true
      if cluster authentication mode is set to CONFIG_MAP  []}]'
    reason: ReconcileError
    status: "False"
    type: Synced

Crossplane Version

1.16.0

Provider Version

1.5.0

Kubernetes Version

1.29

Kubernetes Distribution

EKS

Additional Info

No response

mattfield commented 3 weeks ago

@hflobao I think your spec.forProvider.accessConfig block is incorrect. Rather than two objects in an array, it should be a single array with one object like this:

spec:
  deletionPolicy: Delete
  forProvider:
    accessConfig:
    - authenticationMode: CONFIG_MAP
      bootstrapClusterCreatorAdminPermissions: true

hflobao commented 3 weeks ago

Hi @mattfield, thanks for taking time to answer! You're right! It's provisioning properly now. Thanks a lot!
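
The mistake resolved in this thread can be caught before a manifest is applied. The following is an added example, not code from the issue or from the provider: it walks `spec.forProvider` (loaded here from constructed JSON that mirrors the `accessConfig` values above) and flags a single-object block that was written as several list items. The function names and the `SINGLE_BLOCK_FIELDS` set are hypothetical; only `accessConfig` is taken from the thread.

```python
import json

# Fields expected to hold exactly one object. "accessConfig" comes from the
# issue; add other blocks you know take a single object (assumption).
SINGLE_BLOCK_FIELDS = {"accessConfig"}

def find_split_blocks(node, path="spec.forProvider", fields=SINGLE_BLOCK_FIELDS):
    """Return one finding per single-object block written as several list items."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in fields and isinstance(value, list) and len(value) > 1:
                # Keys outside the first item are the ones that went missing.
                stray = sorted(k for item in value[1:]
                               if isinstance(item, dict) for k in item)
                findings.append({"path": child, "items": len(value),
                                 "stray_keys": stray})
            findings.extend(find_split_blocks(value, child, fields))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_split_blocks(item, f"{path}[{i}]", fields))
    return findings

def merge_block(items):
    """Collapse the items into the one object the author meant to write.
    Refuses to guess when two items give the same key different values."""
    merged = {}
    for item in items:
        for key, value in item.items():
            if key in merged and merged[key] != value:
                raise ValueError(f"conflicting values for {key!r}")
            merged[key] = value
    return [merged]

# Constructed sample input: the accessConfig shape from the report (two items).
BROKEN = json.loads("""{"region": "us-east-1",
  "accessConfig": [{"authenticationMode": "CONFIG_MAP"},
                   {"bootstrapClusterCreatorAdminPermissions": true}],
  "vpcConfig": [{"endpointPrivateAccess": true, "endpointPublicAccess": true}]}""")
# Constructed sample input: the corrected shape from the reply (one item).
FIXED = json.loads("""{"region": "us-east-1",
  "accessConfig": [{"authenticationMode": "CONFIG_MAP",
                    "bootstrapClusterCreatorAdminPermissions": true}]}""")

if __name__ == "__main__":
    for finding in find_split_blocks(BROKEN):
        print(finding)
    print(merge_block(BROKEN["accessConfig"]))
```

Because both fields govern who can administer the cluster, a finding here is worth treating as a failed check rather than a warning.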