secret of type `data` created by Terraform doesn't work
jimangel opened this issue · 2 comments
Is the secret data `stringData` a requirement for the token secret?
I was testing adding the CCM secret via Terraform with:
```hcl
# from terraform
resource "kubernetes_secret" "digitalocean_ccm_token" {
  metadata {
    name      = "digitalocean"
    namespace = "kube-system"
  }
  data = {
    access-token = var.do_token
  }
}
```
I can validate that the secret exists, it is base64 encoded. I can decode it to match the working example of:
```sh
# from localhost
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: digitalocean
  namespace: kube-system
stringData:
  access-token: $DO_PAT
EOF
```
When created with `data` in Terraform I see:

```
Error syncing load balancer: failed to ensure load balancer: failed to build load-balancer request: failed to list all droplets: GET https://api.digitalocean.com/v2/droplets?page=1&per_page=200: 401 Unable to authenticate you
```
Cluster details:
- kubernetes v1.18.3
- docker v19.03.11
- coredns v1.6.7
- cilium cni v1.7.2
- ubuntu 20.04 LTS
Hi @jimangel, that looks pretty correct to me.
Can you verify that the base64-decoded key token matches what you'd expect by, say, comparing it to the token you must have been given through DigitalOcean's cloud control panel? If it doesn't, then I'm wondering if Terraform or some other step in the process might be encoding/decoding the data incorrectly somehow. (Carriage returns inserted where they shouldn't be has been an occasional issue to me in the past, though that's not to say it's something Terraform would be susceptible to per se.)
You can easily test if your token is valid by running `doctl -t <your token> account get`. It should return basic account data or show the dreaded 401 response if your token turns out to be invalid.
Let me know if that helps somehow.
Hmm, maybe a false alarm / sequence of events. The following worked (and CCM worked now too):
```sh
doctl -t $(kubectl -n kube-system get secret digitalocean -o jsonpath='{.data.access-token}' | base64 --decode) account get
```
Thanks for the quick response!
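
An added example, not part of the original thread or of the CCM project: a shell helper (hypothetical name `check_token_b64`) that classifies the value stored under `.data.access-token`, covering the stray carriage return/newline case raised in the reply above and, as an assumed further case, a token that was base64-encoded twice. The sample token is constructed, not a real credential.

```shell
#!/bin/sh
# Added example. check_token_b64 is a hypothetical helper, not part of doctl or kubectl.
# Argument: the base64 string stored under .data in the Secret, e.g.
#   check_token_b64 "$(kubectl -n kube-system get secret digitalocean \
#       -o jsonpath='{.data.access-token}')"
# Prints one of: clean | whitespace | double-encoded | invalid. Returns 0 only for clean.
check_token_b64() {
    # The stored value must decode as base64 and must not be empty.
    if ! printf '%s' "$1" | base64 --decode >/dev/null 2>&1; then
        echo invalid; return 1
    fi
    raw_len=$(( $(printf '%s' "$1" | base64 --decode | wc -c) ))
    if [ "$raw_len" -eq 0 ]; then echo invalid; return 1; fi

    # Count bytes with CR, LF, space and tab removed; a difference means the
    # decoded value carries whitespace that is not part of the token.
    clean_len=$(( $(printf '%s' "$1" | base64 --decode | tr -d ' \t\r\n' | wc -c) ))
    if [ "$raw_len" -ne "$clean_len" ]; then echo whitespace; return 1; fi

    # Heuristic: if the decoded value is itself base64 that decodes to
    # printable text only, the token was probably encoded twice.
    decoded=$(printf '%s' "$1" | base64 --decode)
    if printf '%s' "$decoded" | base64 --decode >/dev/null 2>&1; then
        inner_len=$(( $(printf '%s' "$decoded" | base64 --decode | wc -c) ))
        inner_print=$(( $(printf '%s' "$decoded" | base64 --decode \
            | LC_ALL=C tr -cd '[:print:]' | wc -c) ))
        if [ "$inner_len" -gt 0 ] && [ "$inner_len" -eq "$inner_print" ]; then
            echo double-encoded; return 1
        fi
    fi
    echo clean
}

# Constructed sample (not a real token): a value with a trailing CR/LF,
# encoded the way it would appear under .data.
sample=$(printf 'example-token-0123456789abcdef\r\n' | base64 | tr -d '\n')
check_token_b64 "$sample" || true    # prints: whitespace
```
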