Following this tutorial, https://learn.hashicorp.com/tutorials/terraform/gke?in=terraform/kubernetes, I have deployed a GKE cluster in GCloud.
Now, when I try to schedule a deployment following this link: https://learn.hashicorp.com/tutorials/terraform/kubernetes-provider
it fails with:
kubernetes_deployment.nginx: Creating...
Error: Failed to create deployment: Post "https://<ip>/apis/apps/v1/namespaces/default/deployments": x509: certificate signed by unknown authority
on kubernetes.tf line 21, in resource "kubernetes_deployment" "nginx":
21: resource "kubernetes_deployment" "nginx" {
My kubernetes.tf looks like this,
# Declares the providers this configuration depends on.
terraform {
  required_providers {
    # Only the registry source is given; there is no `version` constraint, so
    # `terraform init` is free to select whichever release it resolves.
    # NOTE(review): for reproducible, reviewable runs, add a version constraint
    # and commit the dependency lock file (.terraform.lock.hcl) so provider
    # upgrades are deliberate rather than implicit.
    kubernetes = {
      source = "hashicorp/kubernetes"
    }
  }
}
# Kubernetes provider wired directly to the attributes of the GKE cluster
# resource (google_container_cluster.primary) instead of a kubeconfig file.
provider "kubernetes" {
  # Do not read a local kubeconfig; every connection setting comes from this
  # block. A working `kubectl` therefore says nothing about these values.
  load_config_file = false

  host     = google_container_cluster.primary.endpoint
  username = var.gke_username
  password = var.gke_password

  # NOTE(review): the master_auth attributes are base64-encoded and are passed
  # through here without decoding. That is consistent with the
  # "x509: certificate signed by unknown authority" error: the value given as
  # cluster_ca_certificate is not usable as a CA certificate in this form.
  client_certificate     = google_container_cluster.primary.master_auth[0].client_certificate
  client_key             = google_container_cluster.primary.master_auth[0].client_key
  cluster_ca_certificate = google_container_cluster.primary.master_auth[0].cluster_ca_certificate
}
# Two-replica nginx Deployment; no namespace is set in metadata (the error
# output on this page shows the request going to the "default" namespace).
resource "kubernetes_deployment" "nginx" {
  metadata {
    name = "scalable-nginx-example"
    labels = {
      App = "ScalableNginxExample"
    }
  }

  spec {
    replicas = 2

    # The selector must match the pod template labels below.
    selector {
      match_labels = {
        App = "ScalableNginxExample"
      }
    }

    template {
      metadata {
        labels = {
          App = "ScalableNginxExample"
        }
      }

      spec {
        # NOTE(review): no security_context is declared for the pod or the
        # container, so both run with image and cluster defaults.
        container {
          # NOTE(review): nginx:1.7.8 is a very old release referenced by a
          # mutable tag. Outside a tutorial, use a currently maintained
          # version and consider pinning the image by digest.
          image = "nginx:1.7.8"
          name  = "example"

          port {
            container_port = 80
          }

          # Requests and limits bound the CPU and memory each replica can use.
          resources {
            limits {
              cpu    = "0.5"
              memory = "512Mi"
            }
            requests {
              cpu    = "250m"
              memory = "50Mi"
            }
          }
        }
      }
    }
  }
}
I am using MacOS to run terraform. Any help is appreciated.
Please note that kubectl get pods --all-namespaces is working fine, so I don't think it's an issue with kube config.
Thanks, Arun
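The error occurred because the certificate values exposed by the cluster's master_auth block are base64-encoded, while the Kubernetes provider expects them in decoded (PEM) form. Changing the provider section to the snippet below, which wraps each value in base64decode(), got rid of the issue.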
# Kubernetes provider wired directly to the GKE cluster resource, with the
# certificate material decoded before it is handed to the provider.
provider "kubernetes" {
  # Do not read a local kubeconfig; every connection setting comes from this
  # block.
  # NOTE(review): later major versions of the hashicorp/kubernetes provider
  # removed this argument. Check it against the provider version in use.
  load_config_file = false

  host = google_container_cluster.primary.endpoint

  # NOTE(review): static basic-auth credentials and a long-lived client key
  # are durable secrets, and GKE has deprecated basic authentication. Where
  # possible, authenticate with a short-lived token from the
  # google_client_config data source (its access_token attribute) instead.
  username = var.gke_username
  password = var.gke_password

  # master_auth exposes these values base64-encoded; base64decode() gives the
  # provider the PEM text it expects, so the API server certificate can be
  # verified against the cluster CA.
  # NOTE(review): client_key (and the password above) are stored in Terraform
  # state. Keep state in an access-controlled, encrypted backend.
  client_certificate     = base64decode(google_container_cluster.primary.master_auth[0].client_certificate)
  client_key             = base64decode(google_container_cluster.primary.master_auth[0].client_key)
  cluster_ca_certificate = base64decode(google_container_cluster.primary.master_auth[0].cluster_ca_certificate)
}