UNCLASSIFIED - NO CUI

BUG: Ephemeral access key / secret key is cached for capa-controller-manager

About

When a user bootstraps TKG with ephemeral credentials, those credentials are stored in the capa-manager-bootstrap-credentials secret in the capa-system namespace. If the user performs the bootstrapping from a system that already has an IAM role applied, this is not a problem.

When the temporary credentials expire, Cluster API is no longer able to reconcile objects in AWS.

Workaround

To remedy this, clear out the temporary credentials so that the decoded secret looks like the following:

k get secret -n capa-system capa-manager-bootstrap-credentials --output=jsonpath='{.data.credentials}' | base64 -d

[default]
None

Additionally, capa-controller-manager needs to be restarted.

k rollout restart -n capa-system deployment capa-controller-manager

Ideally, bootstrapping should account for this: detect whether temporary credentials are being used and, if so, document the fix or add automation that corrects the AWS credentials used by CAPA.
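An added example of such a check (not from this issue or the CAPA project): it classifies the decoded credentials file as cleared, ephemeral (STS credentials, which carry an aws_session_token line; that marker is an assumption about how the profile was encoded), or long-lived, and prints the clearing and restart commands when the cached credentials are ephemeral. Uses kubectl rather than the k alias; the live path runs only with --live.

```shell
# Return 0 if the decoded credentials file looks like STS temporary credentials.
# Assumption: temporary credentials were encoded with an aws_session_token line.
creds_are_ephemeral() {
  printf '%s\n' "$1" | grep -qiE '^[[:space:]]*aws_session_token[[:space:]]*='
}

# Return 0 if the file is already the cleared form "[default]" / "None".
creds_are_cleared() {
  local normalised
  normalised=$(printf '%s\n' "$1" | sed -e 's/[[:space:]]*$//' -e '/^$/d' | tr '\n' ' ')
  [ "$normalised" = "[default] None " ]
}

# Base64 value to write into .data.credentials when clearing the secret.
cleared_credentials_b64() {
  printf '[default]\nNone\n' | base64 | tr -d '\n'
}

# Fetch the live secret, classify it, and print the remediation steps if needed.
check_capa_credentials() {
  local decoded
  decoded=$(kubectl get secret -n capa-system capa-manager-bootstrap-credentials \
            --output=jsonpath='{.data.credentials}' | base64 -d)
  if creds_are_cleared "$decoded"; then
    echo "OK: bootstrap credentials already cleared; CAPA uses the instance IAM role"
  elif creds_are_ephemeral "$decoded"; then
    echo "WARN: ephemeral STS credentials cached in capa-manager-bootstrap-credentials"
    echo "Clear them and restart the controller:"
    echo "  kubectl patch secret -n capa-system capa-manager-bootstrap-credentials -p '{\"data\":{\"credentials\":\"$(cleared_credentials_b64)\"}}'"
    echo "  kubectl rollout restart -n capa-system deployment capa-controller-manager"
    return 1
  else
    echo "INFO: long-lived static credentials present (no session token); not affected by expiry"
  fi
}

# Only touch the cluster when invoked with --live, so the functions can be sourced safely.
if [ "${1:-}" = "--live" ]; then
  check_capa_credentials
fi
```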

Edited by Conzetti Finocchiaro