Deployment of HashiCorp Vault with helm_release fails with error: Chart.yaml file is missing. #1215
Open
Description
Terraform, Provider, Kubernetes and Helm Versions
Terraform version: 1.5.1
Provider version: 2.10.1
Kubernetes version: 1.24.0
Affected Resource(s)
- helm_release
I am unable to deploy Helm with Terraform despite providing the correct repository URL and chart name, as per many of examples I've looked at. The Helm insists the Chart.yaml is missing, when it is not actually missing.
Terraform Configuration Files
resource "helm_release" "vault" {
name = "vault"
namespace = "vault"
repository = "https://helm.releases.hashicorp.com"
chart = "vault"
version = "0.25.0"
values = [templatefile("${path.module}/templates/override_values.yml.tpl", {
vault-ha-mode = var.vault-ha-mode
vault-server-replicas = var.vault-server-replicas
vault-server-mem-request = var.vault-server-mem-request
vault-server-cpu-request = var.vault-server-cpu-request
vault-server-mem-limit = var.vault-server-mem-limit
vault-server-cpu-limit = var.vault-server-cpu-limit
vault-auto-unseal-key-region = data.aws_region.current.name
vault-auto-unseal-key-id = data.aws_kms_key.vault-auto-unseal-key.id
vault-server-addrs = null_resource.vault-servers[*].triggers.names
})]
set {
name = "serviceAccount.create"
value = "false"
}
set {
name = "serviceAccount.name"
value = kubernetes_service_account.vault-service-account.metadata[0].name
}
}Debug Output
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# module.vault.helm_release.vault will be created
+ resource "helm_release" "vault" {
+ atomic = false
+ chart = "vault"
+ cleanup_on_fail = false
+ create_namespace = false
+ dependency_update = false
+ disable_crd_hooks = false
+ disable_openapi_validation = false
+ disable_webhooks = false
+ force_update = false
+ id = (known after apply)
+ lint = false
+ manifest = (known after apply)
+ max_history = 0
+ metadata = (known after apply)
+ name = "vault"
+ namespace = "vault"
+ pass_credentials = false
+ recreate_pods = false
+ render_subchart_notes = true
+ replace = false
+ repository = "https://helm.releases.hashicorp.com"
+ reset_values = false
+ reuse_values = false
+ skip_crds = false
+ status = "deployed"
+ timeout = 300
+ values = [
+ <<-EOT
# Vault Helm Chart Value Overrides
global:
enabled: true
tlsDisable: false
injector:
enabled: true
# Use the Vault K8s Image https://github.com/hashicorp/vault-k8s/
image:
repository: "hashicorp/vault-k8s"
tag: "latest"
resources:
requests:
memory: 256Mi
cpu: 250m
limits:
memory: 256Mi
cpu: 250m
server:
# These Resource Limits are in line with node requirements in the
# Vault Reference Architecture for a Small Cluster
resources:
requests:
memory: "2gi"
cpu: "1000m"
limits:
memory: "2gi"
cpu: "2000m"
# For HA configuration and because we need to manually init the vault,
# we need to define custom readiness/liveness Probe settings
readinessProbe:
enabled: true
path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
livenessProbe:
enabled: true
path: "/v1/sys/health?standbyok=true"
initialDelaySeconds: 60
# extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
# used to include variables required for auto-unseal.
extraEnvironmentVars:
VAULT_CACERT: /vault/userconfig/tls-ca/ca.crt
# extraVolumes is a list of extra volumes to mount. These will be exposed
# to Vault in the path `/vault/userconfig/<name>/`.
extraVolumes:
- type: secret
name: tls-server
- type: secret
name: tls-ca
- type: secret
name: kms-creds
# This configures the Vault Statefulset to create a PVC for audit logs.
# See https://www.vaultproject.io/docs/audit/index.html to know more
auditStorage:
enabled: true
standalone:
enabled: false
# Run Vault in "HA" mode.
ha:
enabled: "true"
replicas: "3"
raft:
enabled: true
setNodeId: true
config: |
ui = true
listener "tcp" {
address = "[::]:8200"
cluster_address = "[::]:8201"
tls_cert_file = "/vault/userconfig/tls-server/fullchain.pem"
tls_key_file = "/vault/userconfig/tls-server/server.key"
tls_client_ca_file = "/vault/userconfig/tls-server/client-auth-ca.pem"
}
storage "raft" {
path = "/vault/data"
retry_join {
leader_api_addr = "https://vault-0.vault-internal:8200"
leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"
leader_client_cert_file = "/vault/userconfig/tls-server/server.crt"
leader_client_key_file = "/vault/userconfig/tls-server/server.key"
}
retry_join {
leader_api_addr = "https://vault-1.vault-internal:8200"
leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"
leader_client_cert_file = "/vault/userconfig/tls-server/server.crt"
leader_client_key_file = "/vault/userconfig/tls-server/server.key"
}
retry_join {
leader_api_addr = "https://vault-2.vault-internal:8200"
leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"
leader_client_cert_file = "/vault/userconfig/tls-server/server.crt"
leader_client_key_file = "/vault/userconfig/tls-server/server.key"
}
}
service_registration "kubernetes" {}
seal "awskms" {
region = "<censored>"
kms_key_id = "<censored>"
}
# Vault UI
ui:
enabled: true
serviceType: "LoadBalancer"
serviceNodePort: null
externalPort: 8200
# For Added Security, edit the below
#loadBalancerSourceRanges:
# - < Your IP RANGE Ex. 10.0.0.0/16 >
# - < YOUR SINGLE IP Ex. 1.78.23.3/32 >
EOT,
]
+ verify = false
+ version = "0.25.0"
+ wait = true
+ wait_for_jobs = false
+ set {
+ name = "serviceAccount.create"
+ value = "false"
}
+ set {
+ name = "serviceAccount.name"
+ value = "vault-sa"
}
}
Steps to Reproduce
- Set up Terraform with Kubernetes and Helm provider.
- Define deployment resource in Terraform specifying the vault parameters as defined in above output (you can probably drop all the special configurations included with
valuesandset, - Run
terraform apply - Fail.
Expected Behavior
Terraform should deploy vault with helm_release.
Actual Behavior
Terraform helm_provider is failing with:
│ Error: could not download chart: Chart.yaml file is missing
│
│ with module.vault.helm_release.vault,
│ on vault/vault.tf line 31, in resource "helm_release" "vault":
│ 31: resource "helm_release" "vault" {
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment