terraform-provider-kubernetes
CSR creation timeout
Terraform Version, Provider Version and Kubernetes Version
Terraform version: v1.1.3 on darwin_arm64
Kubernetes provider version: registry.terraform.io/hashicorp/kubernetes v2.10.0
Kubernetes version: v1.21.5-eks-9017834
Affected Resource(s)
- kubernetes_certificate_signing_request_v1
Terraform Configuration Files
locals {
  vault_servers = ["vault-0", "vault-1", "vault-2"]
  vault_fqdn    = ["vault-0", "vault-1", "vault-2"]
}

resource "tls_private_key" "vault-server-keys" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "tls_cert_request" "vault_server_csr" {
  private_key_pem = tls_private_key.vault-server-keys.private_key_pem
  subject {
    common_name = "vault-server"
  }
  dns_names = local.vault_servers
}

resource "kubernetes_certificate_signing_request_v1" "kubernetes_csr_vault_server" {
  metadata {
    name = "vault-server-csr"
  }
  spec {
    usages      = ["client auth", "server auth"]
    signer_name = "kubernetes.io/kube-apiserver-client"
    request     = tls_cert_request.vault_server_csr.cert_request_pem
  }
  auto_approve = true
}
Debug Output
https://gist.github.com/d114def1a95bdd059d96e8a4b6bb1377
Steps to Reproduce
terraform apply
Expected Behavior
CSR should be created, and terraform completes successfully.
Actual Behavior
CSR is created, but terraform errors after the 5 min timeout.
Getting an identical issue on EKS 1.22
Getting same error for kubernetes provider version = "2.11.0"
get the same issue
The following documentation helped me: https://docs.aws.amazon.com/eks/latest/userguide/cert-signing.html
Same issue here with a non-AWS stack (RKE).
One note:
usages = ["client auth", "server auth"]
signer_name = "kubernetes.io/kube-apiserver-client"
Possibly "server auth" usage is not allowed with the signer "kubernetes.io/kube-apiserver-client"
Based on the release notes, it seems like server auth needs to be signed with beta.eks.amazonaws.com/app-serving but I have no idea why client auth certificates just never generate. I don't think this is a Terraform problem tho.
https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html
I don't think this is related to Terraform. How are you updating your EKS cluster?
Update: In my RKE case, I had to tell the kube-controller that it should sign the certs:
kube-controller:
  image: ""
  extra_args:
    cluster-signing-cert-file: /etc/kubernetes/ssl/kube-ca.pem
    cluster-signing-key-file: /etc/kubernetes/ssl/kube-ca-key.pem
So, the timeout means what it says: the CA didn't sign the cert within $timeout. And: this doesn't mean that the cert is not approved. Approved only means that something should sign it now.
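The two observations above (a usage the signer will not accept, and a CSR that is Approved but never gets a certificate) are easy to check before and after an apply. The following script is an added illustration, not code from the provider or from anyone in this thread. It validates a CSR's usages against a table of what the built-in kube-controller-manager signers honour (the table is transcribed from the Kubernetes CSR documentation and is an assumption to verify against your own cluster, since a managed control plane may run a different signer), and classifies a v1 CSR object by its status conditions and whether status.certificate has been populated. The sample object is constructed to mirror the spec from this issue after the provider has approved it.

```python
"""Pre-apply and post-apply checks for a Kubernetes CertificateSigningRequest.

Added example, not part of this issue or of terraform-provider-kubernetes.
Two questions worth answering when the provider times out:
  1. Does the requested usage set fit the chosen signer? A CSR the signer
     refuses stays Approved forever and never becomes Issued, which is what
     the provider's timeout looks like from Terraform.
  2. Given the CSR object from the API (kubectl get csr NAME -o json), where
     in its lifecycle is it stuck?
"""
import json

# Assumption: usages honoured by the built-in kube-controller-manager signers,
# per the Kubernetes CSR docs. None means "any usage" (legacy-unknown, which
# kube-controller-manager never signs anyway). Verify against your cluster.
PERMITTED_USAGES = {
    "kubernetes.io/kube-apiserver-client": {"client auth", "digital signature", "key encipherment"},
    "kubernetes.io/kube-apiserver-client-kubelet": {"client auth", "digital signature", "key encipherment"},
    "kubernetes.io/kubelet-serving": {"server auth", "digital signature", "key encipherment"},
    "kubernetes.io/legacy-unknown": None,
}


def disallowed_usages(signer_name, usages):
    """Return the usages this signer will not sign, sorted, or [] if the
    request fits. Unknown (custom/external) signers return [] because their
    policy is not known here."""
    allowed = PERMITTED_USAGES.get(signer_name)
    if allowed is None:
        return []
    return sorted(u for u in usages if u not in allowed)


def classify_csr(csr):
    """Classify a certificates.k8s.io/v1 CSR dict into one of:
    'pending', 'denied', 'failed', 'approved-not-issued', 'issued'."""
    status = csr.get("status", {})
    true_conditions = {
        c["type"] for c in status.get("conditions", []) if c.get("status", "True") == "True"
    }
    if "Denied" in true_conditions:
        return "denied"
    if "Failed" in true_conditions:
        return "failed"
    if "Approved" not in true_conditions:
        return "pending"
    # Approved only means a signer may act; issuance is the certificate field.
    if status.get("certificate"):
        return "issued"
    return "approved-not-issued"


def diagnose(csr):
    """Combine both checks into one verdict string."""
    spec = csr.get("spec", {})
    signer = spec.get("signerName", "")
    bad = disallowed_usages(signer, spec.get("usages", []))
    state = classify_csr(csr)
    if state == "approved-not-issued" and bad:
        return f"approved but not issued; signer {signer} will not sign usages {bad}"
    if state == "approved-not-issued":
        return f"approved but not issued; check that a signer is running for {signer}"
    return state


# Constructed sample: the spec from this issue as it looks after the provider
# approved it and no signer has acted (the timeout case). The request body is a
# placeholder, not a real PEM.
SAMPLE_CSR = {
    "apiVersion": "certificates.k8s.io/v1",
    "kind": "CertificateSigningRequest",
    "metadata": {"name": "vault-server-csr"},
    "spec": {
        "signerName": "kubernetes.io/kube-apiserver-client",
        "usages": ["client auth", "server auth"],
        "request": "PLACEHOLDER-BASE64-CSR",
    },
    "status": {
        "conditions": [{"type": "Approved", "status": "True", "reason": "constructed-sample"}],
    },
}

if __name__ == "__main__":
    import sys

    # Pipe `kubectl get csr NAME -o json` into the script, or run it bare to
    # see the verdict for the constructed sample.
    csr = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_CSR
    print(diagnose(csr))
```

For the sample above the verdict is "approved but not issued; signer kubernetes.io/kube-apiserver-client will not sign usages ['server auth']", which is the situation the provider reports only as a timeout. If the usages are fine and the CSR still sits in approved-not-issued, the missing piece is the signer itself, as in the RKE case where kube-controller-manager had no cluster-signing-cert-file and cluster-signing-key-file configured.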
Getting the same error for kubernetes provider version = "2.17.0" and Kubernetes version v1.24: the CSR is Approved, but terraform completed with an error after 5 min.
Thank you for opening this issue @andel7. After further investigating, @peteroneilljr and @romankydybets are correct. This is not necessarily a Terraform issue but more of an issue coming from where the CSR is being generated. The provider will create the request and mark it as Approved once sent but will be left waiting for the certificate to be issued and will timeout if nothing is received. This would not fall under the provider but rather would fall under where the CSR is being issued from.
The message could be made a bit clearer, but for this issue it looks like you may want to look further into what's preventing the certificate from being issued. I will be closing this since this doesn't involve the kubernetes provider to solve the issue.