terraform-aws-modules / terraform-aws-eks

Terraform module to create Amazon Elastic Kubernetes (EKS) resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/eks/aws
Apache License 2.0

`no basic auth credentials` on `vpc-cni` upgrade when applying the EKS module #3212

Closed alxyok closed 1 day ago

alxyok commented 1 week ago

Description

Applying my custom module that makes use of this terraform-aws-eks/aws/eks module after a while is failing. It tries to update all my addons (including vpc-cni) and pull images from an ECR repository in some account with ID 602401143452.

The error is as follows

Failed to pull image "602401143452.dkr.ecr.eu-west-1.amazonaws.com/amazon-k8s-cni-init:v1.19.0-eksbuild.1": failed to pull and unpack image "602401143452.dkr.ecr.eu-west-1.amazonaws.com/amazon-k8s-cni-init:v1.19.0-eksbuild.1": failed to resolve reference "602401143452.dkr.ecr.eu-west-1.amazonaws.com/amazon-k8s-cni-init:v1.19.0-eksbuild.1": pull access denied, repository does not exist or may require authorization: authorization failed: no basic auth credentials

If I manually log in with my account credentials to that registry 602401143452.dkr.ecr.eu-west-1.amazonaws.com I can pull locally no problem.

My question is, why is it pulling a version from 602401143452.dkr.ecr.eu-west-1.amazonaws.com instead of public.ecr.aws?

Versions

Reproduction Code [Required]

Here is an extract of my configuration.

Steps to reproduce the behavior:

module "eks" {
  source = "terraform-aws-modules/eks/aws"

  version = "20.24.1"

  cluster_name                    = var.eks_cluster_name
  cluster_version                 = var.eks_cluster_version
  cluster_endpoint_private_access = false
  cluster_endpoint_public_access  = true

  create_kms_key = false
  cluster_encryption_config = {
    resources        = ["secrets"]
    provider_key_arn = module.kms.key_arn
  }

  vpc_id     = var.vpc_id
  subnet_ids = var.subnet_ids

  iam_role_permissions_boundary          = local.permissions_boundary_arn
  create_cloudwatch_log_group            = true
  cluster_enabled_log_types              = []
  cloudwatch_log_group_retention_in_days = 90

  cluster_addons = {
    vpc-cni = {
      most_recent = false
      configuration_values = jsonencode(yamldecode(<<-EOT
        resources:
          requests:
            cpu: 10m
            memory: 200Mi
      EOT
      ))
    }
  }

  # other config below...
}

Expected behavior

I expected the plugin to be updated seamlessly to the newer version.

Actual behavior

Failed to pull the image.

alxyok commented 3 days ago

hey @bryantbiggs, thanks for adding the label. would you know who I could contact on that matter?

bryantbiggs commented 3 days ago

This is the account where the VPC CNI image is published https://github.com/aws/eks-charts/blob/ef3f3145682b25cfb264a567d579ea59adcc561f/stable/aws-vpc-cni/values.yaml#L15

For questions on the VPC CNI you can reach out here https://github.com/aws/amazon-vpc-cni-k8s

alxyok commented 1 day ago

ok thanks @bryantbiggs! i'll move this then