[Bug]: EKS ClusterAuth v1.3.0 kubeconfig results in Unauthorized #1248

Closed
1 task done
lajchon opened this issue Apr 1, 2024 · 2 comments · Fixed by #1251
Labels
bug Something isn't working


lajchon commented Apr 1, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Affected Resource(s)

No response

Resource MRs required to reproduce the bug

No response

Steps to Reproduce

After creating EKS Cluster, create ClusterAuth with writeConnectionSecretToRef configured. Create provider-kubernetes ProviderConfig to reference ClusterAuth Secret, or retrieve kubeconfig from Secret to use manually. ProviderConfig configured with IRSA credentials.source and assumeRoleChain.

What happened?

When utilizing provider-aws-eks v1.3.0, usage of the kubeconfig results in cannot get object: failed to get API group resources: unable to retrieve the complete list of server APIs: apps/v1: Unauthorized.

Downgrade to provider-aws-eks v1.2.0, and kubeconfig is updated and access to the EKS cluster is available.

The same results are exhibited when accessing an EKS cluster provisioned with v1.2.0, which worked as expected, but after upgrading to v1.3.0, the Unauthorized error began.

Relevant Error Output Snippet

No response

Crossplane Version

1.15.1

Provider Version

1.3.0

Kubernetes Version

v1.29.2

Kubernetes Distribution

EKS

Additional Info

No response

@lajchon lajchon added the bug Something isn't working label Apr 1, 2024
@adamhouse

Some additional information: on the cluster side, we see the authenticator is logging the following on repeat:

{
  "Error": {
    "Code": "SignatureDoesNotMatch",
    "Message": "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.",
    "Type": "Sender"
  },
  "RequestId": "171b39d0-6bd1-4c09-97eb-1e3ee7f23098"
}

Member

haarchri commented Apr 2, 2024

could be related to aws/aws-sdk-go-v2#2567
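
A triage aid for the `SignatureDoesNotMatch` report above, added here as an example that is not part of the issue thread or the provider's code: it decodes the bearer token from a kubeconfig produced under the working provider version and one produced under the failing version, then lists the signing parameters that differ, leaving out the signature, credential, date and session token. It assumes the kubeconfig user token uses the aws-iam-authenticator format (`k8s-aws-v1.` followed by an unpadded base64url presigned STS URL); the function names are hypothetical and both sample tokens are constructed.

```python
import base64
from urllib.parse import parse_qs, urlsplit

PREFIX = "k8s-aws-v1."
# Per-request or secret values: never compared and never returned.
VOLATILE = {"X-Amz-Signature", "X-Amz-Date", "X-Amz-Credential", "X-Amz-Security-Token"}

def decode_eks_token(token):
    """Return the presigned STS URL carried in a k8s-aws-v1 bearer token."""
    if not token.startswith(PREFIX):
        raise ValueError("not a k8s-aws-v1 token")
    body = token[len(PREFIX):]
    body += "=" * (-len(body) % 4)  # the token body is unpadded base64url
    return base64.urlsafe_b64decode(body).decode("utf-8")

def signing_shape(token):
    """Host and query parameters that describe how the request was signed."""
    url = urlsplit(decode_eks_token(token))
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    shape = {k: v for k, v in params.items() if k not in VOLATILE}
    shape["host"] = url.hostname
    shape["X-Amz-SignedHeaders"] = sorted(params.get("X-Amz-SignedHeaders", "").split(";"))
    return shape

def diff_tokens(working, failing):
    """Map each differing field to (working value, failing value)."""
    a, b = signing_shape(working), signing_shape(failing)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def make_sample(expires, signed_headers):
    """Build a constructed token; the key ID and signature are placeholders."""
    url = (
        "https://sts.us-west-2.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15"
        "&X-Amz-Algorithm=AWS4-HMAC-SHA256"
        "&X-Amz-Credential=AKIAEXAMPLE%2F20240401%2Fus-west-2%2Fsts%2Faws4_request"
        f"&X-Amz-Date=20240401T000000Z&X-Amz-Expires={expires}"
        f"&X-Amz-SignedHeaders={signed_headers}&X-Amz-Signature={'0' * 64}"
    )
    return PREFIX + base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")

# Constructed inputs; the differences are illustrative, not findings from this issue.
WORKING = make_sample(60, "host%3Bx-k8s-aws-id")
FAILING = make_sample(900, "host%3Bx-constructed-example%3Bx-k8s-aws-id")

if __name__ == "__main__":
    for field, (ok, bad) in diff_tokens(WORKING, FAILING).items():
        print(f"{field}: working={ok!r} failing={bad!r}")
```

The tokens are short-lived credentials, so run this where they already live and share only the diff output.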
