fluxcd / terraform-provider-flux

Terraform and OpenTofu provider for bootstrapping Flux

Home Page:https://registry.terraform.io/providers/fluxcd/flux/latest


Bootstrap run error: 2 healthcheck failures

imishchuk-carbon opened this issue · comments

Hello, team.

When I'm trying to use flux_bootstrap_git to bootstrap my cluster I get the following error:

│ Error: Bootstrap run error
│ 
│   with flux_bootstrap_git.this,
│   on bootstrap.tf line 5, in resource "flux_bootstrap_git" "this":
│    5: resource "flux_bootstrap_git" "this" {
│ 
│ bootstrap failed with 2 health check failure(s): [error while waiting for
│ GitRepository to be ready: 'failed to checkout and determine revision:
│ unable to list remote for 'ssh://git@github.com/org/eks.git': ssh:
│ handshake failed: ssh: unable to authenticate, attempted methods [none
│ publickey], no supported methods remain', error while waiting for
│ Kustomization to be ready: 'context deadline exceeded']

All Flux-related resources are created inside EKS, so it looks like the only thing that fails is pushing manifests to the repo itself.

Deploy key is created with read/write permissions.
Secret flux-system:flux-system is created with correct data

Configuration

resource "flux_bootstrap_git" "this" {
  path = format("clusters/%s", terraform.workspace)

  kustomization_override = templatefile(
    "./kustomization.yaml.tpl",
    {
      account_id = data.aws_caller_identity.current.id,
      role_name  = local.kustomize-controller,
    }
  )

  components_extra = [
    "image-reflector-controller",
    "image-automation-controller",
  ]

  depends_on = [
    github_repository_deploy_key.this
  ]

  timeouts = {
    create = "5m"
    update = "5m"
  }
}

provider "github" {
  owner = local.github_org
  # token is sourced from GITHUB_TOKEN env var
}

resource "tls_private_key" "flux" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}

resource "github_repository_deploy_key" "this" {
  title      = format("flux-%s", terraform.workspace)
  repository = local.github_repository
  key        = tls_private_key.flux.public_key_openssh
  # read_only is a bool; Flux needs write access to push the bootstrap manifests
  read_only  = false
}

provider "flux" {
  kubernetes = {
    host                   = data.aws_eks_cluster.this.endpoint
    cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority[0].data)

    exec = {
      api_version = "client.authentication.k8s.io/v1beta1"
      command     = "aws"
      # This requires the awscli to be installed locally where Terraform is executed
      args = ["eks", "get-token", "--cluster-name", data.aws_eks_cluster.this.id]
    }
  }
  git = {
    url = "ssh://git@github.com/${local.github_org}/${local.github_repository}.git"
    ssh = {
      username    = "git"
      private_key = tls_private_key.flux.private_key_pem
    }
    branch = var.branch
  }
}

Flux provider version is 1.2.2.

PAT permissions used (both result in the same behavior):
read:org, repo, workflow
admin:org, admin:public_key, admin:ssh_signing_key, repo

Any idea what might be the issue?

Apparently, this odd behavior was caused by our .gitignore ignoring gotk-*.yaml files.
Once this was removed, bootstrap worked as expected.
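A pre-flight check for the failure mode described in the comment above, as an added example that is not part of terraform-provider-flux or of the reporter's configuration. `flux bootstrap` (and therefore `flux_bootstrap_git`) commits `gotk-components.yaml`, `gotk-sync.yaml` and `kustomization.yaml` under `<path>/flux-system/`; if the repository's `.gitignore` matches any of them, the files are silently left out of the bootstrap commit. The script parses a `.gitignore` with simplified gitignore semantics (comments, negation, root-anchored patterns, directory-only patterns; `*` is not stopped at `/` the way git stops it) and reports which bootstrap manifests would be ignored. The `.gitignore` contents and the cluster path `clusters/prod` are constructed samples.

```python
"""Pre-flight check: would this repo's .gitignore swallow the manifests that
flux bootstrap commits?  Added example; not part of terraform-provider-flux."""
import fnmatch
import posixpath

# Files flux bootstrap writes under <path>/flux-system/ before pushing.
BOOTSTRAP_FILES = ("gotk-components.yaml", "gotk-sync.yaml", "kustomization.yaml")

# Constructed sample resembling a repo that also holds Terraform code.
BAD_GITIGNORE = """\
# terraform
.terraform/
*.tfstate
# this line hides the Flux bootstrap manifests from git
gotk-*.yaml
"""

# Same file with the offending line removed.
FIXED_GITIGNORE = """\
# terraform
.terraform/
*.tfstate
"""


def parse_gitignore(text):
    """Return (pattern, negated) tuples in file order; comments/blanks dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        if negated:
            line = line[1:]
        rules.append((line, negated))
    return rules


def _matches(pattern, path):
    """Simplified gitignore matching (assumption: no '**' handling, and '*'
    may cross '/').  A pattern without '/' matches the basename or any parent
    directory name at any depth; a pattern containing '/' is anchored to the
    repo root; a trailing '/' restricts the match to directories."""
    dir_only = pattern.endswith("/")
    pattern = pattern.rstrip("/")
    parts = path.split("/")
    if "/" not in pattern:
        names = parts[:-1] if dir_only else parts
        return any(fnmatch.fnmatchcase(n, pattern) for n in names)
    pattern = pattern.lstrip("/")
    if dir_only:
        return any(fnmatch.fnmatchcase("/".join(parts[:i]), pattern)
                   for i in range(1, len(parts)))
    return fnmatch.fnmatchcase(path, pattern)


def is_ignored(rules, path):
    """Last matching rule wins, as in git; '!' rules re-include the path."""
    ignored = False
    for pattern, negated in rules:
        if _matches(pattern, path):
            ignored = not negated
    return ignored


def bootstrap_paths(cluster_path):
    """Repo-relative paths flux bootstrap will try to commit for this cluster."""
    return [posixpath.join(cluster_path, "flux-system", f) for f in BOOTSTRAP_FILES]


def check_bootstrap_ignored(gitignore_text, cluster_path):
    """Return the bootstrap manifests that the given .gitignore would hide."""
    rules = parse_gitignore(gitignore_text)
    return [p for p in bootstrap_paths(cluster_path) if is_ignored(rules, p)]


if __name__ == "__main__":
    for label, text in (("bad", BAD_GITIGNORE), ("fixed", FIXED_GITIGNORE)):
        hidden = check_bootstrap_ignored(text, "clusters/prod")
        print(f"{label}: {len(hidden)} bootstrap file(s) ignored")
        for p in hidden:
            print(f"  would not be committed: {p}")
```

In a real repository the authoritative answer comes from git itself: `git check-ignore -v clusters/<workspace>/flux-system/gotk-components.yaml` prints the `.gitignore` line responsible, which is the fastest way to confirm this cause before re-running the bootstrap.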

@stefanprodan we should close this issue.