BUG: Ephemeral access key / secret key is cached for capa-controller-manager
About
When a user bootstraps TKG with ephemeral credentials, those credentials are stored in the capa-manager-bootstrap-credentials secret in the capa-system namespace. If the user performs the bootstrapping from a system that already has an IAM role applied, this is not a problem.
Once the temporary credentials expire, Cluster API is no longer able to reconcile objects in AWS.
Workaround
To remedy this, the temporary credentials need to be cleared out of the secret. After clearing, decoding the secret must show the following:
k get secret -n capa-system capa-manager-bootstrap-credentials --output=jsonpath='{.data.credentials}' | base64 -d
[default]
None
Additionally, capa-controller-manager needs to be restarted so it picks up the cleared credentials:
k rollout restart -n capa-system deployment capa-controller-manager
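The following script is an added example, not part of this issue or of the CAPA/TKG projects, that wraps the workaround above: it decodes the bootstrap secret, decides whether it still holds temporary credentials, and optionally overwrites it with the cleared "[default]/None" profile and restarts the controller. Assumptions: the presence of an aws_session_token line is used as the indicator of temporary (STS) credentials, and kubectl patch is used as the mechanism for clearing the secret (the issue does not say how the clearing was done). The sample profile embedded in the script is constructed.

```shell
#!/bin/sh
# Check whether the CAPA bootstrap credential secret still holds temporary
# credentials and, on request, clear it the way the workaround describes.

NAMESPACE="capa-system"
SECRET="capa-manager-bootstrap-credentials"
DEPLOYMENT="capa-controller-manager"

# Returns 0 when the decoded AWS credentials profile carries an STS session
# token. Assumption: temporary credentials are recognised by the presence of
# an aws_session_token line, which long-lived IAM user keys never have.
is_temporary_profile() {
    printf '%s\n' "$1" | grep -qi '^[[:space:]]*aws_session_token[[:space:]]*='
}

# The cleared profile content the workaround expects to see after base64 -d.
cleared_profile() {
    printf '[default]\nNone'
}

# Returns 0 when the profile already matches the cleared form exactly
# (ignoring CR characters and blank lines).
is_cleared_profile() {
    normalized=$(printf '%s\n' "$1" | tr -d '\r' | sed '/^[[:space:]]*$/d')
    [ "$normalized" = "$(cleared_profile)" ]
}

# Read and decode the live secret (needs kubectl and cluster access).
read_live_profile() {
    kubectl get secret -n "$NAMESPACE" "$SECRET" \
        --output=jsonpath='{.data.credentials}' | base64 -d
}

# Overwrite the secret with the cleared profile and restart the controller.
# Assumption: kubectl patch with a merge patch is an acceptable way to clear it.
clear_live_profile() {
    encoded=$(cleared_profile | base64 | tr -d '\n')
    kubectl patch secret -n "$NAMESPACE" "$SECRET" --type=merge \
        -p "{\"data\":{\"credentials\":\"$encoded\"}}"
    kubectl rollout restart -n "$NAMESPACE" deployment "$DEPLOYMENT"
}

# Constructed sample of a bootstrap profile built from STS credentials.
SAMPLE_TEMPORARY_PROFILE='[default]
aws_access_key_id = ASIAEXAMPLEKEYID0000
aws_secret_access_key = exampleSecretKeyValue
aws_session_token = exampleSessionTokenValue'

# Usage: ./capa-creds.sh --check   (report only)
#        ./capa-creds.sh --fix     (clear the secret and restart the controller)
if [ "${1:-}" = "--check" ] || [ "${1:-}" = "--fix" ]; then
    live=$(read_live_profile)
    if is_temporary_profile "$live"; then
        echo "bootstrap secret holds temporary credentials (aws_session_token present)"
        [ "$1" = "--fix" ] && clear_live_profile
    elif is_cleared_profile "$live"; then
        echo "bootstrap secret is already cleared"
    else
        echo "bootstrap secret holds static credentials without a session token"
    fi
fi
```

Running it with no arguments only defines the functions, so the classification logic can be exercised against the constructed sample without a cluster; --check and --fix are the only modes that touch kubectl.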
Ideally, this should be accounted for during bootstrapping: detect whether temporary credentials are being used and, if so, either document the fix or add automation that corrects the AWS credentials used by CAPA.