I was trying to deploy a helm chart using Terraform helm provider. With the below code I’m able to create a helm release and created namespace for the resources.
provider "helm" {
kubernetes {
kube_config_path = trim(base64decode(data.test.config.result.config_path), "n")
exec {
api_version = "client.authentication.k8s.io/v1"
command = "kubelogin"
args = [
"get-token",
"--login", "spn",
"--environment", "AzurePublicCloud",
"--server-id", "6dae42f8-4368-4678-94ff-3960e28e3630",
"--tenant-id", data.azurerm_client_config.current.tenant_id,
"--client-id", data.azurerm_client_config.current.client_id,
"--client-secret", data.azurerm_key_vault_secret.service_principal_key.value,
]
}
}
debug = true
}
resource "helm_release" "helmrelname" {
name = "helmrelname"
repository = "https://mycompany.github.io/charts"
chart = "helmrelname1"
namespace = "helmrelname-test"
create_namespace = true
timeout = 800
wait_for_jobs = true
wait = true
force_update = true
set {
name = "helmrelname.monitoring.create"
value = "false"
type = "auto"
}
depends_on = [data.test.config]
lifecycle {
ignore_changes = all
}
}
On "terraform apply" I could see that the execution failed with below error
query: failed to query with labels: secrets is forbidden: User "3df53t-3fea-48b4-a932-3061e1fec6cc" cannot list resource "secrets" in API group "" in the namespace "helmrelname-test"
What I should do to resolve this?
Note:
"3df53t-3fea-48b4-a932-3061e1fec6cc" is the service principal object id
2
Answers
Added the clusterrolebinding for cluster admin role to objecid "3df53t-3fea-48b4-a932-3061e1fec6cc" and issue got resolved.
Command used.
Seems issue was casued because of service principal permissions.
Replicated the same via below code.
Step1:
created a service principal by running below command
Output as follow
Step2:
main tf file as follows
NOTE: Copy the above secret password and appid information
Step3:
Upon running plan and apply
NOTE: We need valid chart repository access configured on portal.