fluxcd / terraform-provider-flux

Terraform and OpenTofu provider for bootstrapping Flux

Home Page:https://registry.terraform.io/providers/fluxcd/flux/latest

Error deploying Flux on AKS via Terraform provider: Certificate verification failure

mbaykara opened this issue · comments

Describe the bug

I'm encountering a certificate verification error when attempting to deploy Flux on AKS using the Terraform provider.

Steps to reproduce

terraform {
  required_providers {
    flux = {
      source  = "fluxcd/flux"
      version = "1.2.3"
    }
  }
}

provider "flux" {
  kubernetes = {
    host                   = module.aks.host
    client_certificate     = base64decode(module.aks.admin_client_certificate)
    client_key             = base64decode(module.aks.admin_client_key)
    cluster_ca_certificate = base64decode(module.aks.admin_cluster_ca_certificate)
  }
  git = {
    url = "ssh://git@${var.git_host}/${var.git_owner}/${var.flux_git_repo}"
    ssh = {
      username    = "git"
      private_key = var.ssh_private_key
    }
  }
}


resource "flux_bootstrap_git" "this" {
  path    = var.target_path
  version = "v2.2.3"
  components_extra = [
    "image-reflector-controller",
    "image-automation-controller"
  ]
}

Expected behavior

Terraform terminated without error

Screenshots and recordings

 Error: Bootstrap run error
│ 
│   with flux_bootstrap_git.this,
│   on flux.tf line 17, in resource "flux_bootstrap_git" "this":
│   17: resource "flux_bootstrap_git" "this" {
│ 
│ CustomResourceDefinition/alerts.notification.toolkit.fluxcd.io dry-run failed: Get "https://aks-0qp2b7k1.hcp.westeurope.azmk8s.io:443/api?timeout=32s": tls: failed to verify certificate: x509: “apiserver” certificate is not
│ trusted

OS / Distro

Azure AKS v1.28.3

Flux version

v2.0.0 and v2.1.3

Flux check

► checking prerequisites
✔ Kubernetes 1.28.3 >=1.26.0-0
► checking version in cluster
✗ checking failed: customresourcedefinitions.apiextensions.k8s.io "gitrepositories.source.toolkit.fluxcd.io" not found
► checking controllers
✗ no controllers found in the 'flux-system' namespace with the label selector 'app.kubernetes.io/part-of=flux'
► checking crds
✗ no crds found with the label selector 'app.kubernetes.io/part-of=flux'
✗ check failed

Git provider

Github

Container Registry provider

No response

Additional context

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

More

If I execute bootstrap from my local terminal, it installs Flux without any warnings or issues.
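The error in this report ("x509: “apiserver” certificate is not trusted") is a chain-trust failure: the PEM handed to `cluster_ca_certificate` is not the CA that signed the certificate the API server at `host` presents. The following shell script is an added diagnostic, not code from the Flux provider or from anyone in this thread; it lets you check a host/CA pair before giving it to the provider. It assumes the `openssl` CLI and a GNU `base64` are installed; the host name, file names and base64 sample are constructed.

```shell
#!/bin/sh
# Added diagnostic (not part of the Flux provider): does the CA you would pass
# as cluster_ca_certificate actually trust the certificate the API server
# serves? Assumes the openssl CLI and GNU base64 are available.
set -eu

# decode_b64_pem BASE64
# AKS modules and the azurerm_kubernetes_cluster data source expose the CA and
# client material base64-encoded (the config above wraps them in base64decode()).
# Writes the decoded PEM to stdout.
decode_b64_pem() {
  printf '%s' "$1" | base64 -d
}

# host_port_from_url URL
# The provider's host value is a URL such as https://<name>.azmk8s.io:443;
# openssl s_client wants HOST:PORT, so strip the scheme and path and
# default to :443 when no port is present.
host_port_from_url() {
  hp="${1#https://}"
  hp="${hp%%/*}"
  case "$hp" in
    *:*) printf '%s' "$hp" ;;
    *)   printf '%s:443' "$hp" ;;
  esac
}

# ca_trusts_server CA_PEM SERVER_PEM
# Exit status 0 when SERVER_PEM chains to CA_PEM, 1 otherwise. This is the
# same chain check that fails with "certificate is not trusted" in the report.
ca_trusts_server() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# fetch_apiserver_cert HOST:PORT OUT_PEM
# Live variant: captures the leaf certificate the API server presents so it
# can be checked with ca_trusts_server. Needs network access to the cluster.
fetch_apiserver_cert() {
  host="$1"
  out="$2"
  openssl s_client -connect "$host" -servername "${host%%:*}" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$out"
}

# Stand-alone usage: check_cluster_ca.sh https://<apiserver-url> ca.pem
# where ca.pem is the decoded CA you intend to configure the provider with.
if [ "$#" -eq 2 ]; then
  target=$(host_port_from_url "$1")
  tmp_cert=$(mktemp)
  fetch_apiserver_cert "$target" "$tmp_cert"
  if ca_trusts_server "$2" "$tmp_cert"; then
    echo "OK: $2 trusts the certificate served by $target"
  else
    echo "MISMATCH: $2 does not trust the certificate served by $target;" \
         "take host and CA from the same cluster data source"
  fi
  rm -f "$tmp_cert"
fi
```

If the check reports a mismatch, the fix is the one the thread arrives at: source `host`, the client credentials and the CA from the same `azurerm_kubernetes_cluster` data source rather than mixing module outputs, instead of weakening verification. `openssl verify` only checks the chain; add `-verify_hostname <name>` if you also want to confirm the server name matches the certificate's SANs.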

@mbaykara could you provide me with an understanding of what module you are using for module.aks please?

Previously I have used the following:

resource "azurerm_kubernetes_cluster" "default" {
  name                = var.cluster_name
  ...
}

Then configured the kubernetes provider using the following:

client_certificate     = base64decode(data.azurerm_kubernetes_cluster.default.kube_config.0.client_certificate)
client_key             = base64decode(data.azurerm_kubernetes_cluster.default.kube_config.0.client_key)
cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.default.kube_config.0.cluster_ca_certificate)

@swade1987 I was using

module "aks" {
  source                            = "Azure/aks/azurerm"
  version                           = "8.0.0"
  # remaining arguments omitted
}

After retrieving the information as follows:

data "azurerm_kubernetes_cluster" "this" {
  name                = module.aks.aks_name
  resource_group_name = azurerm_resource_group.this.name
}

provider "flux" {
  kubernetes = {
    host                   = module.aks.host
    client_certificate     = base64decode(data.azurerm_kubernetes_cluster.this.kube_config[0].client_certificate)
    client_key             = base64decode(data.azurerm_kubernetes_cluster.this.kube_config[0].client_key)
    cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.this.kube_config[0].cluster_ca_certificate)
  }
}

@mbaykara just to close the loop on this ... did you close the issue as it's now been resolved by moving to the correct module reference?

Yeah, that's true.