X509: certificate signed by unknown authority

Hi Team,

When I am trying to install an EKS cluster, I am getting the error below.
Can you help with this issue?
Error: Post "https://0964692BCB2AC7F55C5ABBDBC1DD6A70.gr7.us-east-1.eks.amazonaws.com/api/v1/namespaces/kube-system/configmaps": x509: certificate signed by unknown authority

on allow_nodes.tf line 17, in resource "kubernetes_config_map" "aws_auth":
17: resource "kubernetes_config_map" "aws_auth" {

###############################allow_nodes.tf###############

########################################################################################
# setup provider for kubernetes

data "external" "aws_iam_authenticator" {
  program = ["sh", "-c", "aws-iam-authenticator token -i example | jq-win64.exe -r -c .status"]
}

provider "kubernetes" {
  host                      = "${aws_eks_cluster.tf_eks.endpoint}"
  cluster_ca_certificate    = "${base64decode(aws_eks_cluster.tf_eks.certificate_authority.0.data)}"
  token                     = "${data.external.aws_iam_authenticator.result.token}"
  load_config_file          = false
  version = "~> 1.5"
}

# Allow worker nodes to join cluster via config map
resource "kubernetes_config_map" "aws_auth" {
  metadata {
    name = "aws-auth"
    namespace = "kube-system"
  }
  data = {
    mapRoles = <<EOF
- rolearn: ${aws_iam_role.tf-eks-node.arn}
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
EOF
  }
  depends_on = [
    "aws_eks_cluster.tf_eks",
    "aws_autoscaling_group.tf_eks"
  ]
}

I also need help from @admins, I have the same problem with deployments and services.

Error: Failed to create deployment: Post "https://XXXXX.xx.region.eks.amazonaws.com/apis/apps/v1/namespaces/default/deployments": x509: certificate signed by unknown authority

  on main.tf line 117, in resource "kubernetes_deployment" "example":
 117: resource "kubernetes_deployment" "example" {

Error: Post "https://XXXXX.xxx.region.eks.amazonaws.com/api/v1/namespaces/default/services": x509: certificate signed by unknown authority

  on main.tf line 162, in resource "kubernetes_service" "example":
 162: resource "kubernetes_service" "example" {


Error: Post "https://xxxx.xxx.region.eks.amazonaws.com/api/v1/namespaces/kube-system/configmaps": x509: certificate signed by unknown authority

  on .terraform/modules/eks/aws_auth.tf line 64, in resource "kubernetes_config_map" "aws_auth":
  64: resource "kubernetes_config_map" "aws_auth" {

Did anyone manage to solve this? Just stumbled upon the same problem after recreating an EKS cluster…

Did you try refreshing the token?

In my case it was me being dumb and base64 encoding the CA cert instead of decoding…
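
The encode-versus-decode mix-up mentioned in the reply above can be checked before the value reaches the provider. The following Python sketch is an added example, not code from this thread or from any project named in it; it counts how many base64 layers wrap the PEM certificate. The function names and the sample certificate body are constructed for illustration.

```python
import base64
import binascii

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"

# Constructed sample: PEM armor around placeholder bytes, NOT a real certificate.
SAMPLE_PEM = (
    PEM_HEADER + b"\n"
    + base64.b64encode(b"constructed placeholder, not real DER") + b"\n"
    + PEM_FOOTER + b"\n"
)


def count_base64_layers(value, max_layers=3):
    """Return the number of base64 layers around a PEM certificate.

    0 = plain PEM, 1 = PEM encoded once (the form the EKS API returns in
    certificate_authority data), 2+ = encoded again by mistake, -1 = no PEM found.
    """
    data = value.encode() if isinstance(value, str) else value
    for layers in range(max_layers + 1):
        stripped = data.strip()
        if stripped.startswith(PEM_HEADER) and stripped.endswith(PEM_FOOTER):
            return layers
        try:
            # validate=True rejects anything outside the base64 alphabet
            data = base64.b64decode(b"".join(data.split()), validate=True)
        except (binascii.Error, ValueError):
            return -1
        if not data:
            return -1
    return -1


def provider_hint(value):
    """Map the layer count to what cluster_ca_certificate should receive."""
    layers = count_base64_layers(value)
    if layers == 0:
        return "plain PEM: pass it to cluster_ca_certificate as is"
    if layers == 1:
        return "base64 of PEM: wrap it in base64decode()"
    if layers > 1:
        return "encoded %d times: remove the extra base64encode()" % layers
    return "no PEM certificate found: check where the value comes from"


if __name__ == "__main__":
    from_api = base64.b64encode(SAMPLE_PEM)      # shape of the API value
    encoded_twice = base64.b64encode(from_api)   # encode-instead-of-decode mistake
    for candidate in (SAMPLE_PEM, from_api, encoded_twice, b"garbage!"):
        print(provider_hint(candidate))
```
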

Just ran into this as well, I believe this is the first time we have run updates on our clusters since upgrading to 0.14.5. The solution for us was a modification in the kubernetes provider block, but only for the first apply (even an empty apply will fix it).

We had to change from this:

provider "kubernetes" {
  token                  = data.aws_eks_cluster_auth.eks.token
  host                   = aws_eks_cluster.eks_cluster.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.eks.certificate_authority.0.data)
}

To this:

provider "kubernetes" {
  token    = data.aws_eks_cluster_auth.eks.token
  host     = aws_eks_cluster.eks_cluster.endpoint
  insecure = true
  exec {
    api_version = "client.authentication.k8s.io/v1alpha1"
    args        = ["eks", "get-token", "--cluster-name", var.cluster_name]
    command     = "aws"
  }
}

Then we ran terraform apply and we were able to revert the config back to just using the data block to look up the token and certificate. Weird.

Hope this helps someone else!