openfun / kubic Goto Github PK

I've been trying to understand why ArgoCD is not working with Vault for the second day already. I followed all the instructions. On the last step, I set up the infrastructure using bin/terraform-apply.sh scaleway. I successfully obtained the load balancer's IP and linked it to the domains. Next, I followed the Vault setup instructions. I generated cluster-keys.json and was able to access the Vault admin interface using the root_token from this file. However, I still see an error on the ArgoCD admin page:

rpc error: code = Unknown desc = Manifest generation error (cached): plugin sidecar failed. error generating manifests in cmp: rpc error: code = Unknown desc = error generating manifests: sh -c "helm template $ARGOCD_APP_NAME -n $ARGOCD_APP_NAMESPACE ${ARGOCD_ENV_HELM_ARGS} --include-crds . |\nargocd-vault-plugin generate - -s ${ARGOCD_ENV_AVP_SECRET}\n" failed exit status 1: Error: Error making API request. URL: PUT https://vault-st.my_site.io/v1/auth/kubernetes/login Code: 403. Errors: * service account name not authorized Usage: argocd-vault-plugin generate [flags] Flags: -c, --config-path string path to a file containing Vault configuration (YAML, JSON, envfile) to use -h, --help help for generate -s, --secret-name string name of a Kubernetes Secret in the argocd namespace containing Vault configuration data in the argocd namespace of your ArgoCD host (Only available when used in ArgoCD). The namespace can be overridden by using the format : --verbose-sensitive-output enable verbose mode for detailed info to help with debugging. Includes sensitive data (credentials), logged to stderr

I tried reinstalling ArgoCD with Vault already configured (commented out the contents of argocd.tf, did a plan and apply, and then uncommented and did a plan and apply), but it didn't help. I keep seeing this error. What am I doing wrong? Are there any additional steps that may be required?

Check this piece of code

resource "scaleway_lb_ip" "nginx_ip" {
  zone       = "fr-par-1"
  project_id = scaleway_k8s_cluster.joys.project_id
}

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• Update Helm release cert-manager to v1.14.5
• Update Terraform aws to v5.50.0
• Update Terraform helm to ~> 2.13.0
• Update Terraform kubernetes to ~> 2.30.0
• Update Terraform ovh to ~> 0.44.0
• Update Terraform scaleway to ~> 2.40.0
• Update bitnami/kubectl Docker tag to v1.30.1
• Update hashicorp/terraform Docker tag to v1.8.3
• Update Terraform vault to v4
• Click on this checkbox to rebase all open PRs at once

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

Scaleway will deprecate the full public cluster and require to put K8S cluster in a private network. This will remove the public IP attached to the node to access to internet. See more information here

This will required to add the attribute private_network_id in the Scaleway's resource scaleway_k8s_cluster We use this resource here.

Private network are created in a VPC (Virtual private Cloud) by Scaleway.

resource "scaleway_vpc_private_network" "kapsule" {
  name = "pn_kapsule"
}

resource "scaleway_k8s_cluster" "k8s_cluster" {
  private_network_id = scaleway_vpc_private_network.kapsule.id
}

Before to change this in Kubic will need to answer to this questions:

• Do we need to create a Gateway to access to Internet ?
• Do we need to create the load balancer to be accessible by Internet ?
• What are the procedure for running cluster ?