terraform keeps overwriting token for kubernetes provider

11/18/2019

We're trying to run terraform apply with the following kubernetes provider setting in our terraform file:

data "google_client_config" "current" {
}

data "google_container_cluster" "onboarding_cluster" {
  name     = var.cluster_name
  location = var.cluster_location
}

provider "kubernetes" {
  load_config_file       = false
  host                   = data.google_container_cluster.onboarding_cluster.endpoint
  cluster_ca_certificate = base64decode(data.google_container_cluster.onboarding_cluster.master_auth[0].cluster_ca_certificate)
  token                  = data.google_client_config.current.access_token
}

resource "kubernetes_service_account" "service_account" {
  metadata {
    name      = var.kubernetes_service_account_name
    namespace = var.kubernetes_service_account_namespace
  }
}

But we're getting the following error:

Error: Unauthorized

  on main.tf line 85, in resource "kubernetes_service_account" "service_account":
  85: resource "kubernetes_service_account" "service_account" {

After setting TF_LOG to DEBUG we see the following request being made to create the kubernetes service account:

---[ REQUEST ]---------------------------------------
POST /api/v1/namespaces/default/serviceaccounts HTTP/1.1
...
Authorization: Bearer <SOME_KUBERNETES_JWT>

The auth bearer token is being overwritten even when we hardcode the token in our provider! For example:

provider "kubernetes" {
  load_config_file       = false
  host                   = data.google_container_cluster.onboarding_cluster.endpoint
  cluster_ca_certificate = base64decode(data.google_container_cluster.onboarding_cluster.master_auth[0].cluster_ca_certificate)
  token                  = "some.hardcoded.token"
}

Even with the above, the token will remain the same in the HTTP request.

We've found that the token that's being sent in the auth header is found on the terraform container at /run/secrets/kubernetes.io/serviceaccount/token.

Is there any reason terraform would overwrite this token with a token generated by kubernetes? Are there any other settings we could attempt?

-- Bilbo Baggins
terraform
terraform-provider-kubernetes
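A quick way to confirm the diagnosis described above (the bearer token on the wire is the pod's mounted service-account token, not the one the provider block configured) is to pull the Authorization header out of the TF_LOG=DEBUG dump and look at the token's shape. The script below is an added example and is not part of the question, the answer, or the Terraform provider. It assumes the request-dump layout shown in the question and the claim names used by legacy Kubernetes service-account tokens (`iss` of `kubernetes/serviceaccount`, `kubernetes.io/serviceaccount/namespace`, `kubernetes.io/serviceaccount/service-account.name`); the sample log and token are constructed. The JWT payload is decoded without signature verification, which is fine for inspecting your own debug output but is not an authentication step. Google OAuth2 access tokens, the kind `google_client_config` yields, are opaque strings rather than JWTs, so the classifier treats anything that is not three dot-separated segments as opaque.

```python
"""Classify the bearer token found in a TF_LOG=DEBUG request dump.

Added example, not code from the original question or answer. Assumes the
"Authorization: Bearer <token>" line format shown in the question and the
legacy Kubernetes service-account token claim names. Signatures are NOT
verified; this only inspects a token the operator already has in a log.
"""
import base64
import json
from typing import Optional

# Claim names carried by legacy in-cluster service-account tokens.
K8S_SA_ISSUER = "kubernetes/serviceaccount"
K8S_SA_NAME_CLAIM = "kubernetes.io/serviceaccount/service-account.name"
K8S_SA_NS_CLAIM = "kubernetes.io/serviceaccount/namespace"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def extract_bearer(log_text: str) -> Optional[str]:
    """Return the token from the first Authorization: Bearer header in the dump."""
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped.lower().startswith("authorization: bearer "):
            return stripped.split(" ", 2)[2]
    return None


def classify_token(token: str) -> dict:
    """Report what kind of credential a bearer token is, judged by its shape.

    Returns {'kind': ...} plus, for a JWT, its decoded but unverified claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        # Opaque string, e.g. a Google OAuth2 access token: not a JWT at all.
        return {"kind": "opaque"}
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return {"kind": "malformed-jwt"}
    if claims.get("iss") == K8S_SA_ISSUER:
        # This is the layout of the token a pod finds mounted at
        # /run/secrets/kubernetes.io/serviceaccount/token.
        return {
            "kind": "kubernetes-serviceaccount",
            "namespace": claims.get(K8S_SA_NS_CLAIM),
            "service_account": claims.get(K8S_SA_NAME_CLAIM),
            "claims": claims,
        }
    return {"kind": "other-jwt", "claims": claims}


def token_matches_configured(sent_token: str, configured_token: str) -> bool:
    """True only when the request carried exactly the token given to the provider."""
    return sent_token == configured_token


def make_sample_sa_jwt() -> str:
    """Build a constructed, unsigned token with the in-cluster claim layout."""
    header = {"alg": "RS256", "kid": "constructed-example"}
    payload = {
        "iss": K8S_SA_ISSUER,
        K8S_SA_NS_CLAIM: "default",
        K8S_SA_NAME_CLAIM: "terraform-runner",  # constructed service account name
        "sub": "system:serviceaccount:default:terraform-runner",
    }
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


# Constructed request dump in the layout the question shows.
SAMPLE_LOG = "\n".join([
    "---[ REQUEST ]---------------------------------------",
    "POST /api/v1/namespaces/default/serviceaccounts HTTP/1.1",
    "Authorization: Bearer " + make_sample_sa_jwt(),
])

if __name__ == "__main__":
    sent = extract_bearer(SAMPLE_LOG)
    configured = "some.hardcoded.token"  # the value the question's provider block sets
    verdict = classify_token(sent)
    print("token in request:", verdict["kind"], verdict.get("service_account"))
    print("matches provider config:", token_matches_configured(sent, configured))
```

Run against a real dump, a verdict of `kubernetes-serviceaccount` while the provider block sets a Google access token (or a hardcoded string) is exactly the symptom the question describes: the client picked up the mounted pod credential instead of the configured one. The `service_account` and `namespace` fields then tell you which pod identity the apply was actually running as, which is also what to check in the cluster's RBAC when reading the resulting `Unauthorized`.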

1 Answer

11/20/2019

This is an issue with the kubernetes provider. GitHub issue here: https://github.com/terraform-providers/terraform-provider-kubernetes/issues/679

To fix, set your provider version to 1.9, like so:

provider "kubernetes" {
  version = "1.9"
  cluster_ca_certificate = base64decode(
    data.google_container_cluster.this.master_auth[0].cluster_ca_certificate,
  )
  host             = data.google_container_cluster.this.endpoint
  token            = data.external.get_token.result["token"]
  load_config_file = false
}
-- Bilbo Baggins
Source: StackOverflow