Deployed TF code to create CSR and TF output says resources created, but Kubernetes doesn't have the CSR created

Deployed TF code to create a CSR, and the TF output says resources were created, but Kubernetes doesn't have the CSR created. We traced the log and found that the provider plugin exited for tls:

. dag/walk: vertex "kubernetes_certificate_signing_request_v1.csr" is waiting for "kubernetes_certificate_signing_request_v1.csr (expand)"
2023-04-26T14:31:43.417+0530 [TRACE] dag/walk: vertex "kubernetes_certificate_signing_request_v1.csr (expand)" is waiting for "provider["registry.terraform.io/hashicorp/kubernetes"]"
2023-04-26T14:31:43.417+0530 [TRACE] dag/walk: vertex "provider["registry.terraform.io/hashicorp/kubernetes"] (close)" is waiting for "kubernetes_certificate_signing_request_v1.csr"
2023-04-26T14:31:43.417+0530 [TRACE] dag/walk: vertex "root" is waiting for "provider["registry.terraform.io/hashicorp/tls"] (close)"
2023-04-26T14:31:43.435+0530 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2023-04-26T14:31:45.393+0530 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/tls/4.0.4/linux_amd64/terraform-provider-tls_v4.0.4_x5 pid=2083
2023-04-26T14:31:45.393+0530 [DEBUG] provider: plugin exited

We checked the configuration and installation of TLS (4.0.4, latest version, used) and it looks fine.

Any help would be appreciated, guys. Thanks

The log messages you have provided do not represent any kind of error, just Terraform functioning normally.

Therefore, there’s no actionable information in this post that people can use to help you.

Please read and follow Guide to asking for help in this forum, particularly the “What to share” section.

Thanks, let me put more information in my question. We have written TF code to create a CSR (Certificate signing - Amazon EKS) as per the AWS documents. The code is as below:

resource "tls_private_key" "rsa_priv" {
  algorithm = "RSA"
  rsa_bits  = 2048
}

resource "tls_cert_request" "cert_request" {
  private_key_pem = tls_private_key.rsa_priv.private_key_pem

  subject {
    common_name  = "admin"
  }
}

resource "kubernetes_certificate_signing_request_v1" "csr" {
  metadata {
    name = "csr"
  }

  spec {
    request = tls_cert_request.cert_request.cert_request_pem
    usages = [
      "digital signature",
      "key encipherment",
      "server auth"
    ]
    signer_name = "beta.eks.amazonaws.com/app-serving"
  }
  auto_approve = true
}

TLS provider version used: 4.0.4

When we do terraform apply, we get output that says 3 resources added and no error in the output.

When we go to the Kubernetes cluster and run kubectl get csr, the CSR is not created. (Note: We followed the steps to create the CSR manually and it works fine on the same cluster.)

Output as below:

tls_private_key.rsa_priv: Creating...
tls_private_key.rsa_priv: Creation complete after 0s [id=1a181e6fee5019218fa265b0475fcad9a838ef95]
tls_cert_request.cert_request: Creating...
tls_cert_request.cert_request: Creation complete after 0s [id=6a22e20eea067ab7bee85936462848be37a3abad]
kubernetes_certificate_signing_request_v1.csr: Creating...
kubernetes_certificate_signing_request_v1.csr: Creation complete after 2s [id=csr]
Releasing state lock. This may take a few moments...

Apply complete! Resources: 3 added, 0 changed, 0 destroyed.

Steps we tried:

  • We verified the TLS configuration, installation and version; it seems fine.
  • The debug/trace command did not provide any error msgs.
  • We disabled the VPN to check if the network/firewall was blocking - no issues found.

Thanks

Please bear this in mind: Welcome to the forum - please reformat your message

The line

shows that Terraform truly believes it has successfully created the Kubernetes object.

Is it possible it could be getting created in the wrong cluster, or the wrong namespace?

Are you able to review access logs from the Kubernetes API server to confirm how it sees the request?

Hi Max, thanks for the reply. I will reformat my msg, and I apologise as I am new to the forum.
Yes, we already checked that; it's not creating this in any other cluster, and also as part of the deployment we created a new cluster to test this. We also checked all namespaces and it doesn’t have the CSR created. Regarding API server logs, will double check that. Thanks

Not able to see any Kubernetes API logs. Thanks

The documentation - Terraform Registry - said something which confused me:

This is a logical resource, so it contributes only to the current Terraform state and does not persist any external managed resources.

I couldn’t find any explanation in the docs what this actually meant, so I tracked down the relevant source code:

https://github.com/hashicorp/terraform-provider-kubernetes/blob/main/kubernetes/resource_kubernetes_certificate_signing_request_v1.go

and it seems that this Terraform resource is coded a bit unusually.

Upon creation it:

  • Creates the CSR in Kubernetes
  • Waits for the CSR to be signed
  • Downloads the produced certificate and stores it in Terraform state
  • Deletes the CSR object from Kubernetes

So it turns out that’s why you can’t see the CSR in Kubernetes - it’s getting automatically deleted by Terraform.

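The create, approve, sign, delete sequence described in the answer above is what API server audit logs would show, which is the check an earlier reply asked for. The following is an added example, not part of the original thread or the provider's code: it filters Kubernetes audit events (audit.k8s.io/v1, one JSON object per line) for one CSR name. The sample events, timestamps and user names are constructed.

```python
import json

# Constructed audit.k8s.io/v1 events, one JSON object per line; user names are made up.
SAMPLE_AUDIT_LOG = """
{"apiVersion":"audit.k8s.io/v1","kind":"Event","stage":"ResponseComplete","verb":"list","user":{"username":"example-user"},"objectRef":{"resource":"pods","namespace":"default"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2023-04-26T09:01:40.100000Z"}
{"apiVersion":"audit.k8s.io/v1","kind":"Event","stage":"RequestReceived","verb":"create","user":{"username":"terraform-admin"},"objectRef":{"resource":"certificatesigningrequests","apiGroup":"certificates.k8s.io"},"requestReceivedTimestamp":"2023-04-26T09:01:41.200000Z"}
{"apiVersion":"audit.k8s.io/v1","kind":"Event","stage":"ResponseComplete","verb":"create","user":{"username":"terraform-admin"},"objectRef":{"resource":"certificatesigningrequests","apiGroup":"certificates.k8s.io","name":"csr"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2023-04-26T09:01:41.200000Z"}
{"apiVersion":"audit.k8s.io/v1","kind":"Event","stage":"ResponseComplete","verb":"update","user":{"username":"terraform-admin"},"objectRef":{"resource":"certificatesigningrequests","apiGroup":"certificates.k8s.io","name":"csr","subresource":"approval"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2023-04-26T09:01:41.600000Z"}
{"apiVersion":"audit.k8s.io/v1","kind":"Event","stage":"ResponseComplete","verb":"update","user":{"username":"example-signer"},"objectRef":{"resource":"certificatesigningrequests","apiGroup":"certificates.k8s.io","name":"csr","subresource":"status"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2023-04-26T09:01:42.300000Z"}
{"apiVersion":"audit.k8s.io/v1","kind":"Event","stage":"ResponseComplete","verb":"delete","user":{"username":"terraform-admin"},"objectRef":{"resource":"certificatesigningrequests","apiGroup":"certificates.k8s.io","name":"csr"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2023-04-26T09:01:43.000000Z"}
"""


def csr_lifecycle(log_text, csr_name):
    """Return the completed API calls against one CSR, oldest first."""
    steps = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or non-JSON line
        if not isinstance(ev, dict) or ev.get("stage") != "ResponseComplete":
            continue  # count each request once, when its response is known
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "certificatesigningrequests" or ref.get("name") != csr_name:
            continue
        steps.append({
            "time": ev.get("requestReceivedTimestamp", ""),
            "verb": ev.get("verb", ""),
            "subresource": ref.get("subresource", ""),
            "user": (ev.get("user") or {}).get("username", ""),
            "code": (ev.get("responseStatus") or {}).get("code", 0),
        })
    return sorted(steps, key=lambda s: s["time"])


def verdict(steps):
    """Classify what the API server saw for this CSR."""
    ok = {(s["verb"], s["subresource"]) for s in steps if 200 <= s["code"] < 300}
    if ("create", "") not in ok:
        return "never-created"        # wrong cluster or credentials
    if ("delete", "") in ok:
        return "created-and-deleted"  # the lifecycle described in the answer
    return "created-still-present"


if __name__ == "__main__":
    for s in csr_lifecycle(SAMPLE_AUDIT_LOG, "csr"):
        print(s["time"], s["verb"], s["subresource"] or "-", s["user"], s["code"])
    print(verdict(csr_lifecycle(SAMPLE_AUDIT_LOG, "csr")))
```

A "created-and-deleted" result with the delete issued by the same identity that ran the apply matches the behaviour described above; the issued certificate, like the `tls_private_key` private key, then exists only in Terraform state, so access to that state should be restricted accordingly.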

Great, that answers the question 🙂 Thanks