
Support kubeseal secrets #1574

Open
1 task done
UriZafrir opened this issue Nov 23, 2024 · 0 comments
Labels
bug Something isn't working needs:triage

Comments


UriZafrir commented Nov 23, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Affected Resource(s)

s3.aws.upbound.io/v1beta1

Resource MRs required to reproduce the bug

apiVersion: s3.aws.upbound.io/v1beta1
kind: Bucket
metadata:
  name: crossplane-bucket-24982734923847hasdkjh
spec:
  forProvider:
    region: il-central-1
  providerConfigRef:
    name: default

you can check it out here:
https://github.com/UriZafrir/argocd-autopilot-cluster-2/tree/main/bootstrap/cluster-resources/crossplane

Steps to Reproduce

I'm using sealed secrets.
I've encrypted my secret,
so I have:
sealed-secret.yaml,
s3-provider,
and the bucket MR.

What happened?

Went according to the quickstart:
https://docs.crossplane.io/latest/getting-started/provider-aws/

Filled this file:

[default]
aws_access_key_id = <value>
aws_secret_access_key = <value>

generated a secret:

kubectl create secret generic aws-secret \
  -n crossplane-system \
  --from-file=creds=./aws-credentials.txt \
  --dry-run=client -o yaml > aws-secret.yaml

then used kubeseal:

kubeseal --controller-name=sealed-secrets --controller-namespace=kube-system --format yaml < aws-secret.yaml > sealed-secret.yaml

After creating the bucket, Argocd is in sync, but when describing the bucket I get:

Warning CannotConnectToProvider 32s (x10 over 9m33s) managed/s3.aws.upbound.io/v1beta1, kind=bucket (combined from similar events): cannot initialize the Terraform plugin SDK async external client: cannot get terraform setup: cannot get account id: cannot get the caller identity: GetCallerIdentity query failed: GetCallerIdentity query failed: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: 0254301b-8c41-46d3-a819-106e50a70490, api error InvalidClientTokenId: The security token included in the request is invalid.


Relevant Error Output Snippet

Warning  CannotConnectToProvider  32s (x10 over 9m33s)  managed/s3.aws.upbound.io/v1beta1, kind=bucket  (combined from similar events): cannot initialize the Terraform plugin SDK async external client: cannot get terraform setup: cannot get account id: cannot get the caller identity: GetCallerIdentity query failed: GetCallerIdentity query failed: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: 0254301b-8c41-46d3-a819-106e50a70490, api error InvalidClientTokenId: The security token included in the request is invalid.

Crossplane Version

1.19.0-rc.0.79.gea5d79669

Provider Version

xpkg.upbound.io/upbound/provider-aws-s3:v1.17.0

Kubernetes Version

Client Version: v1.30.5+k3s1
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.30.5+k3s1

Kubernetes Distribution

k3s

Additional Info

No response
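The procedure in this report (credentials file, Secret, kubeseal) hands the provider an opaque blob that only fails later, at STS, with InvalidClientTokenId. As an added check that is not part of the issue or of Crossplane's own tooling, the script below validates the unsealed Secret manifest before it is passed to kubeseal; it assumes, as the quickstart step above sets up, that the provider reads the `creds` data key as a shared-credentials file with a `[default]` profile, and the helper `secret_manifest` is a constructed stand-in for the `kubectl create secret ... --dry-run=client -o yaml` output.

```python
import base64
import configparser
import re

# Constructed sample credentials file in the quickstart's format (placeholder values, not real keys).
CREDS_TXT = ("[default]\naws_access_key_id = AKIAEXAMPLEPLACEHOLDER\n"
             "aws_secret_access_key = example-secret-placeholder\n")


def secret_manifest(creds_txt: str, kind: str = "Secret") -> str:
    """Constructed helper: the manifest `kubectl create secret generic aws-secret
    -n crossplane-system --from-file=creds=... --dry-run=client -o yaml` would emit."""
    b64 = base64.b64encode(creds_txt.encode()).decode()
    return (f"apiVersion: v1\ndata:\n  creds: {b64}\nkind: {kind}\nmetadata:\n"
            "  name: aws-secret\n  namespace: crossplane-system\n")


def validate_aws_secret(manifest: str, key: str = "creds", profile: str = "default") -> list:
    """Return the problems found in the unsealed Secret; an empty list means it is ready to seal."""
    problems = []
    kind = re.search(r"^kind:\s*(\S+)\s*$", manifest, re.MULTILINE)
    if not kind or kind.group(1) != "Secret":
        problems.append("manifest is not a plain Secret; check the unsealed Secret before running kubeseal")
    m = re.search(rf"^\s+{re.escape(key)}:\s*(\S+)\s*$", manifest, re.MULTILINE)
    if not m:
        problems.append(f"data key '{key}' is missing; the ProviderConfig expects the credentials there")
        return problems
    try:
        text = base64.b64decode(m.group(1), validate=True).decode()
    except (ValueError, UnicodeDecodeError) as exc:
        problems.append(f"data key '{key}' is not valid base64 text: {exc}")
        return problems
    cfg = configparser.ConfigParser()
    try:
        cfg.read_string(text)
    except configparser.Error as exc:
        problems.append(f"credentials file does not parse as INI: {exc}")
        return problems
    if profile not in cfg:
        problems.append(f"profile [{profile}] not found (sections: {cfg.sections()})")
        return problems
    for field in ("aws_access_key_id", "aws_secret_access_key"):
        value = cfg[profile].get(field, "").strip()
        if not value:
            problems.append(f"{field} is missing or empty in [{profile}]")
        elif value == "<value>":
            problems.append(f"{field} still holds the quickstart placeholder '<value>'")
    return problems


if __name__ == "__main__":
    print(validate_aws_secret(secret_manifest(CREDS_TXT)) or "Secret looks ready to seal")
```

A clean result here does not prove the keys are valid at AWS, only that the sealed payload will carry the profile and fields the provider looks for; a 403 from STS after a clean check points at the key pair itself or at the sealing step.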

@UriZafrir UriZafrir added bug Something isn't working needs:triage labels Nov 23, 2024
@mergenci mergenci changed the title crossplane with -sealed-secret -"cannot initialize the Terraform plugin SDK async external client: cannot get terraform setup: cannot get account id: cannot get the caller identity: GetCallerIdentity query failed: GetCallerIdentity query failed: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: 0254301b-8c41-46d3-a819-106e50a70490, api error InvalidClientTokenId: The security token included in the request is invalid." Support kubeseal secrets Dec 30, 2024