Closed psyreactor closed 1 month ago
Hi @psyreactor, and thanks for raising the problem. Was the API token generated by selecting cluster in the scope? If so, this might be a known issue. Please take a look here: rancher, stackoverflow. This looks more like a Rancher issue.
Hi @alegrey91, for some reason it kept trying to retrieve a token that no longer existed. I assume that, for some reason, the Rancher update removed the token. I was forced to remove the rancher2_bootstrap resource from the tfstate using the --target parameter in Terraform and recreate it using --target again, after which I was able to run the full stack without errors.
Hi @psyreactor, thanks for letting us know :) We will investigate to find a solution for that, so you will not have problems with the next upgrade.
@psyreactor I'm trying to reproduce the scenario to check if we have a bug. Can you please tell me which scope you selected for the token creation? We actually don't expect the token to be removed after the platform upgrade, so this looks weird.
@alegrey91, we also encountered this problem after the upgrade to 2.9.1 and I used the workaround mentioned by psyreactor to fix the token problem. But again, 20-something days after the upgrade we are seeing the same issue. Terraform state refers to a token that does not exist anymore:
```
++ terraform state show rancher2_bootstrap.admin
resource "rancher2_bootstrap" "admin" {
    current_password = (sensitive value)
    id               = "user-xxxxx"
    initial_password = (sensitive value)
    password         = (sensitive value)
    telemetry        = false
    token            = (sensitive value)
    token_id         = "token-78fmd"
```
on the local cluster:
```
kubectl get token -A
token-26z42 52d
token-5ws7b 53d
token-bzkvk 52d
token-cs94v 20s
token-dtvqx 14h
token-fw8mr 14h
token-nnr6l 52d
token-qpnvz 155m
token-rzlmh 53d
token-z4vk5 52d
```
Because of this, my pipelines with Terraform fail: `Error: Bad response statusCode [401]. Status [401 Unauthorized]. Body: [message=Unauthorized 401: must authenticate] from [Rancher URL/v3]`
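The comparison made by hand in the comment above (the `token_id` recorded in Terraform state against the tokens that exist on the local cluster) can run as a pre-flight step so the pipeline stops with a clear message instead of a 401. This is an added example, not code from the thread or from the provider project; the function names are hypothetical, and it assumes the token name is the first column of the `kubectl get token -A` output, as in the listing above.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for a stale
# rancher2_bootstrap token before running a Terraform pipeline.
# Function names are hypothetical.

# Read `terraform state show rancher2_bootstrap.admin` output on stdin and
# print the token_id value. The token itself is masked as "(sensitive value)".
state_token_id() {
    grep -o 'token_id[[:space:]]*=[[:space:]]*"[^"]*"' | head -n 1 | cut -d'"' -f2
}

# Succeed if token name $1 is in the first column of `kubectl get token -A`
# output on stdin (assumption: NAME is the first column, as in the thread).
token_exists() {
    awk -v id="$1" '$1 == id { found = 1 } END { exit !found }'
}

# $1 = state show output, $2 = kubectl token listing.
# Returns 0 = token present, 1 = stale reference, 2 = no token_id in state.
check_bootstrap_token() {
    _id=$(printf '%s\n' "$1" | state_token_id)
    if [ -z "$_id" ]; then
        echo "no token_id found in state output"
        return 2
    fi
    if printf '%s\n' "$2" | token_exists "$_id"; then
        echo "ok: $_id exists in Rancher"
        return 0
    fi
    echo "stale: state references $_id, which is not in the token list"
    return 1
}

# Constructed sample input, abridged from the output quoted in the thread.
SAMPLE_STATE='resource "rancher2_bootstrap" "admin" {
    id       = "user-xxxxx"
    token    = (sensitive value)
    token_id = "token-78fmd"
}'
SAMPLE_TOKENS='token-26z42 52d
token-cs94v 20s
token-z4vk5 52d'

check_bootstrap_token "$SAMPLE_STATE" "$SAMPLE_TOKENS" || true

# Live use, from the Terraform working directory:
# check_bootstrap_token "$(terraform state show rancher2_bootstrap.admin)" "$(kubectl get token -A)"
```

A return code of 1 is the condition both reporters hit; the workaround described earlier in the thread (removing and recreating `rancher2_bootstrap`) applies at that point.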
Hello @ivko-pivko, thanks for reporting this. Can I ask which scope you selected for the token creation?
Not sure that I know if I'm able to define the scope of the token when we define the provider, as I can when I create a token via the GUI. Can you tell me what I'm missing?
We are defining the bootstrap provider:

```hcl
provider "rancher2" {
  alias     = "bootstrap"
  api_url   = "https://${var.rancher_hostname}"
  bootstrap = true
}

resource "rancher2_bootstrap" "admin" {
  depends_on = [helm_release.rancher]
  provider   = rancher2.bootstrap

  initial_password = "some pass"
  password         = "some pass 2"
  telemetry        = false
}
```

And then:

```hcl
provider "rancher2" {
  alias     = "admin"
  api_url   = rancher2_bootstrap.admin.url
  token_key = rancher2_bootstrap.admin.token
  insecure  = true
}
```
Rancher Server Setup
Information about the Cluster
User Information
Provider Information
Describe the bug
The code worked perfectly with Rancher version 2.8.5. After updating to 2.9.1, it started presenting errors, whether using provider version 4.1.0 or 5.0.0:
```
Releasing state lock. This may take a few moments...
╷
│ Error: Bad response statusCode [401]. Status [401 Unauthorized]. Body: [message=Unauthorized 401: must authenticate] from [https://rancher.domain.com/v3]
│
│   with rancher2_cloud_credential.rancher,
│   on main.tf line 148, in resource "rancher2_cloud_credential" "rancher":
│  148: resource "rancher2_cloud_credential" "rancher" {
│
╵
╷
│ Error: Getting Setting V2: Bad response statusCode [401]. Status [401 Unauthorized]. Body: [message=Unauthorized 401: must authenticate] from [https://rancher.domain.com/v1/schemas]
│
│   with rancher2_app_v2.rancher_logging["rancher-logging"],
│   on main.tf line 157, in resource "rancher2_app_v2" "rancher_logging":
│  157: resource "rancher2_app_v2" "rancher_logging" {
│
╵
```
To Reproduce
Generate Terraform code with Rancher 2.8.5, validate its functionality, and then update Rancher to 2.9.1 and re-run the Terraform stack.
Additional context
The bootstrap is working, the token is generated in Rancher, but it fails when trying to use the provider with the alias admin.
Best Regards