New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
2.6.0 provider version causing Error: Kubernetes cluster unreachable: exec plugin: invalid apiVersion
#893
Comments
cc: @jrhouston for visibility |
Is this specific to AWS EKS clusters? Are they still on v1alpha? Seems like this also occurred with 2.4.0 |
Yes, the AWS EKS cluster is using the ⨠ aws eks get-token --cluster-name "<REDACTED>" | jq .apiVersion
"client.authentication.k8s.io/v1alpha1" |
It looks like the I was able to fix this for EKS by updating the The latest version of the awscli uses this version:
|
@jrhouston as one who primarily works with AWS, I request that you track Kubernetes dependencies along the lines of the latest Kubernetes version EKS supports, currently 1.22. This would help to preserve compatibility between the provider and EKS clusters. (I understand if people not using EKS feel differently, but you can't please everyone, so I'm staking my claim.) |
@jrhouston how to switch to the v1beta1 version of the API ? |
I agree with you in principle, and we do tend to hold off on releasing things that are going to break on the older versions Kubernetes in the main cloud providers. However, in this case the API contract here is actually between the You may also need to run Perhaps we should add a validator to check if the version specified is If there are any non-EKS users watching this issue I would appreciate if they could chime in on their situation. |
we encounter this issue on eks.7(platformVersion) with 1.21(k8s version). I tried using the aws cliv2 but no avail. Pinning the helm provider version as suggested above works for us. It's looks like the helm provider removed the support to
|
@lupindeterd the latest version of the awscli definitely supports v1beta1 of this API – you may need to run |
May be related to kubernetes-sigs/aws-iam-authenticator#439 |
This is due to aws/aws-cli#6940 changing the AWS CLI behaviour (there are plenty of issues in that repo regarding this and other changes). |
Not sure if this is the place for it but.... Fun factIf you're running this in CI, and you're using token auth and it's complaining that there is no kube config file, simply create an empty one
Also I cannot get eks exec auth to work. I'm using the |
@jrhouston wrote:
The better behavior (already implemented in the Kubernetes provider) is to pass the configured value of the |
I'm having something similar. Had the original error. Upgraded providers and the aws cli, now I'm getting a different error that I can't seem to get out of and I'm not sure if related just yet. Kubernetes cluster unreachable: the server has asked for the client to provide credentials |
Be careful with this approach. It caches the auth token in the state during the plan, and if you don't use it 'quickly' enough, it will expire part way through apply. We switched to the 'exec' plugin to avoid this. |
Note that 1.22 has the v1beta1 version of client.authentication.k8s.io. Note that you will need to use the awscli v2 version, as the v1 version does not seem to support anything other than v1alpha1. The exec plugin uses the awscli. |
combination of helm provider 2.6.0 and aws cli 2.7.8 allowed us to get it working with api_version = "client.authentication.k8s.io/v1beta1", other versions we are using, k8s = 1.22, terraform = 1.2.5, terraform provider aws = 4.23.0 running under azure devops |
We got the same issue, fixed the helm provider version to 2.4.1 solved the issue |
Changing api version seems to be a step forward(in contrast to module version pin) |
We couldn't use aws-cli v2 since we're running on alpine, and it is painful to get it running there.
|
This issue is strictly informative, therefore we are closing to prevent confusion. Anyone running into this issue, as the description states will need to update your config to the new version and update your exec plugins. If you continue to run into specific issues that updating both config and exec plugins does not solve, we ask you to please open a new GitHub issue and we will review. Thanks! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
v1alpha1
of the client authentication API was removed in the Kubernetes client in version 1.24. The latest release of this provider was updated to use 1.24 of the Kubernetes client Go modules, and 3.9 of the upstream Helm module. We know this seems like a breaking change but is expected as API versions markedalpha
can be removed in minor releases of the Kubernetes project.The upstream helm Go module was also updated to use the 1.24 client in helm 3.9 so you will see this issue if you use the
helm
command directly with a kubeconfig that tries to use thev1alpha1
client authentication API.AWS users will need to update their config to use the
v1beta1
API. Support forv1beta1
was added as default in theawscli
in v1.24.0 so you may need to update your awscli package and runaws eks update-kubeconfig
again.Adding this note here as users pinning to the previous version of this provider will not see a fix to this issue the next time they update: you need to update your config to the new version and update your exec plugins. If your exec plugin still only supports
v1alpha1
you need to open an issue with them to update it.Terraform, Provider, Kubernetes and Helm Versions
Affected Resource(s)
helm_release
Terraform Configuration Files
Using module https://github.com/cloudposse/terraform-aws-helm-release
This is how we set the provider
I tried changing the
api_version
toclient.authentication.k8s.io/v1beta1
but then that gave me a mismatch with the expected value ofclient.authentication.k8s.io/v1alpha1
.Debug Output
NOTE: In addition to Terraform debugging, please set HELM_DEBUG=1 to enable debugging info from helm.
Panic Output
Steps to Reproduce
terraform apply
Expected Behavior
Terraform plans correctly
Actual Behavior
Terraform fails with this error
Important Factoids
Pinning the provider version to the last release 2.5.1 works
A fast way that we pinned our root modules using
References
Community Note
The text was updated successfully, but these errors were encountered: