hashicorp / terraform-provider-helm

Terraform Helm provider
https://www.terraform.io/docs/providers/helm/
Mozilla Public License 2.0

Always use latest repository credentials #846 bug persists #1493

Open madhavdas opened 2 months ago

madhavdas commented 2 months ago

Terraform, Provider, Kubernetes and Helm Versions

Terraform version:
 terraform -v
Terraform v1.9.5
on linux_amd64
+ provider registry.terraform.io/gavinbunney/kubectl v1.14.0
+ provider registry.terraform.io/hashicorp/aws v5.61.0
+ provider registry.terraform.io/hashicorp/cloudinit v2.3.5
+ provider registry.terraform.io/hashicorp/helm v2.15.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.32.0
+ provider registry.terraform.io/hashicorp/null v3.2.3
+ provider registry.terraform.io/hashicorp/time v0.12.1
+ provider registry.terraform.io/hashicorp/tls v4.0.6

Provider version: 
Kubernetes version: 1.30

Affected Resource(s)

Terraform Configuration Files

/*resource "helm_release" "karpenter" {
  namespace           = "kube-system"
  name                = "karpenter"
  repository          = "https://charts.karpenter.sh"
  //buggy fails login, most frustrating "oci://public.ecr.aws/karpenter"
  //repository_username = data.aws_ecrpublic_authorization_token.token.user_name
  //repository_password = data.aws_ecrpublic_authorization_token.token.password
  chart               = "karpenter"
  version             = var.karpenterchartversion       //1.0.0
  wait                = false

  values = [
    <<-EOT
    serviceAccount:
      name: ${module.karpenter.service_account}
    settings:
      clusterName: ${module.eks.cluster_name}
      clusterEndpoint: ${module.eks.cluster_endpoint}
      interruptionQueue: ${module.karpenter.queue_name}
    EOT
  ]
}*/

Debug Output

You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.
╷
│ Error: could not login to OCI registry "public.ecr.aws": login attempt to https://public.ecr.aws/v2/ failed with status: 403 Forbidden
│
│   with helm_release.karpenter,
│   on eks.tf line 136, in resource "helm_release" "karpenter":
│  136: resource "helm_release" "karpenter" {
│

NOTE: In addition to Terraform debugging, please set HELM_DEBUG=1 to enable debugging info from helm. Can't run debug now; I have removed the code from Terraform and plan on using helm --install for Karpenter from the bash prompt.

Panic Output

Steps to Reproduce

  1. terraform plan and apply both produce the error. Impossible to proceed; tried all tricks available on the net. In the end, removed the resource from the state file and then commented it out in the .tf file.

Expected Behavior

See the same as bug #846

Actual Behavior

Login to oci://public.ecr.aws should refresh when a token has expired. Neither deleting ~/.config/helm nor removing the entire .terraform folder helps. Helm login from the CLI (bash) works, but as a Terraform resource 'helm_release' always fails to login to oci://public.ecr.aws.

Important Factoids

References

Community Note

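For reference, this is the complete form of the credentialed OCI configuration that the commented-out `repository_username`/`repository_password` lines above point at. It is an added example, not the reporter's or the provider's own code; the `virginia` provider alias is an assumption, and `var.karpenterchartversion` and the `module.*` references are taken from the reporter's snippet.

```hcl
# ECR Public's API is served only from us-east-1, so the token data source
# needs an AWS provider configured for that region (alias name is an assumption).
provider "aws" {
  alias  = "virginia"
  region = "us-east-1"
}

# Data sources are re-read on every plan/apply, so each run presents a fresh
# token instead of a cached login that may already have expired (the failure
# mode bug #846 describes).
data "aws_ecrpublic_authorization_token" "token" {
  provider = aws.virginia
}

resource "helm_release" "karpenter" {
  namespace  = "kube-system"
  name       = "karpenter"
  repository = "oci://public.ecr.aws/karpenter"
  chart      = "karpenter"
  version    = var.karpenterchartversion

  # Credentials for the OCI registry. Anonymous pulls from public.ecr.aws also
  # work (the maintainer's reproduction in this thread applies without them),
  # so confirm the registry actually requires a login before adding these.
  repository_username = data.aws_ecrpublic_authorization_token.token.user_name
  repository_password = data.aws_ecrpublic_authorization_token.token.password

  wait = false

  values = [
    <<-EOT
    serviceAccount:
      name: ${module.karpenter.service_account}
    settings:
      clusterName: ${module.eks.cluster_name}
      clusterEndpoint: ${module.eks.cluster_endpoint}
      interruptionQueue: ${module.karpenter.queue_name}
    EOT
  ]
}
```

If the login still returns 403 with a freshly issued token, rule out the provider's cached credentials by testing the same token outside Terraform: `aws ecr-public get-login-password --region us-east-1 | helm registry login --username AWS --password-stdin public.ecr.aws`.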
emalihin commented 1 month ago

Same with this version of the provider:

├── provider[registry.terraform.io/hashicorp/helm] 2.10.1

alexsomesan commented 3 weeks ago

I'm unable to reproduce this issue. The configuration quoted above applies correctly without credentials in my case.

Terraform will perform the following actions:

  # helm_release.karpenter will be created
  + resource "helm_release" "karpenter" {
      + atomic                     = false
      + chart                      = "karpenter"
      + cleanup_on_fail            = false
      + create_namespace           = true
      + dependency_update          = false
      + disable_crd_hooks          = false
      + disable_openapi_validation = false
      + disable_webhooks           = false
      + force_update               = false
      + id                         = (known after apply)
      + lint                       = false
      + manifest                   = (known after apply)
      + max_history                = 0
      + metadata                   = (known after apply)
      + name                       = "karpenter"
      + namespace                  = "karpenter"
      + pass_credentials           = false
      + recreate_pods              = false
      + render_subchart_notes      = true
      + replace                    = false
      + repository                 = "oci://public.ecr.aws/karpenter"
      + reset_values               = false
      + reuse_values               = false
      + skip_crds                  = false
      + status                     = "deployed"
      + timeout                    = 300
      + verify                     = false
      + version                    = "0.37.5"
      + wait                       = false
      + wait_for_jobs              = false
    }

Plan: 1 to add, 0 to change, 0 to destroy.
helm_release.karpenter: Creating...
helm_release.karpenter: Creation complete after 1s [id=karpenter]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Can you please elaborate on why your case requires authentication to oci://public.ecr.aws?