pulumi-kubernetes
pulumi-kubernetes copied to clipboard
pulumi
Helm Release deployment to EKS cluster requires AWS CLI
What happened?
While deploying helm Release to EKS cluster created with pulumi classic package, deployment fails with error:
getting credentials: exec plugin is configured to use API version client.authentication.k8s.io/v1beta1, plugin returned version client.authentication.k8s.io/v1alpha1
Due to this docs only aws-iam-authenticator is required in order to authenticate to cluster. However, with pare installation of aws-iam-authenticator the Release is not deployed onto cluster. Temporarily we've fixed the problem installing the whole AWS CLI.
Steps to reproduce
- Create EKS cluster with AWS classic package
- build kubeconfig based on EKS data
- build provider from kubeconfig
- try to deploy any helm release onto EKS cluster using created provider
Expected Behavior
Helm Release is deployed without need to install AWS CLI
Actual Behavior
AWS CLI is required
Versions used
No response
Additional context
No response
Contributing
Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
Did you build the EKS cluster using the classic provider or using pulumi-eks? The kubeconfig emitted by pulumi-eks does have a dependency on aws-cli because it uses it to retrieve the token to access the api server. If you look at your kubeconfig chances are you have something like this: eks get-token --cluster-name... in the exec block. If you are using pulumi-eks you should upgrade to the latest version and bump your aws-cli/kubectl to get around https://github.com/pulumi/pulumi-eks/issues/720
Yes, it's classic module. However, for getting token aws-iam-authenticator should be enough. All in all this is what gathered token
TL;DR: Install the latest version of aws-iam-authenticator from the the Github page.
The problem lies in aws-iam-authenticator not being updated to support the later Kubernetes clients. This provider uses the client k8s.io/client-go v0.24.2 dependency which dropped support for client.authentication.k8s.io/v1alpha1. When an exec plugin like aws eks get-token or aws-iam-authenticator is executed, it returns a response like
{
"kind":"ExecCredential",
"apiVersion":"client.authentication.k8s.io/v1alpha1",
...other fields here...
}
The apiVersion needs to be supported by both the client, which is client-go in this case, and that was changed to only support v1beta1 now. See https://github.com/kubernetes/client-go/issues/1095
If your AWS CLI is updated to the latest versions, aws eks get-token will work with this provider because AWS updated this tool to return an output with the proper apiVersion. But as of writing this comment, the installation instructions for aws-iam-authenticator from AWS's documentation still gives a link to a very old version (2021-07-05). If you really want to use aws-iam-authenticator, all you have to do is install the latest version from the Github page instead and everything will work. I tested and confirmed this with version 0.5.9.
Another possible issue is to ensure that you are running the latest version of the aws cli. I was running terraform on a fresh copy of Ubuntu, that had aws cli v1 installed, upgradeing to v2 did the trick.
