Enabling both secrets_store_csi_driver and secrets_store_csi_driver_provider_aws results in error ClusterRole secretproviderclasses-admin-role already exist #31

Closed
mldevpants opened this issue Nov 7, 2022 · 4 comments
Labels
bug Something isn't working

Comments

mldevpants commented Nov 7, 2022

Description

When following the https://aws-ia.github.io/terraform-aws-eks-blueprints/v4.5.0/add-ons/csi-secrets-store-provider-aws/ instructions, or just using the suggested way:

enable_secrets_store_csi_driver = true
enable_secrets_store_csi_driver_provider_aws = true

The terraform apply fails because of a duplicate role in the cluster, secretproviderclasses-admin-role, which belongs to secrets-store-csi-driver.

  • ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]:
    v4.14.0

  • Terraform version:
    Terraform v1.2.7
    on linux_amd64

  • Provider version(s):

  • provider registry.terraform.io/gavinbunney/kubectl v1.14.0
  • provider registry.terraform.io/hashicorp/aws v4.38.0
  • provider registry.terraform.io/hashicorp/cloudinit v2.2.0
  • provider registry.terraform.io/hashicorp/helm v2.7.1
  • provider registry.terraform.io/hashicorp/kubernetes v2.15.0
  • provider registry.terraform.io/hashicorp/null v3.2.0
  • provider registry.terraform.io/hashicorp/random v3.4.3
  • provider registry.terraform.io/hashicorp/time v0.9.1
  • provider registry.terraform.io/hashicorp/tls v4.0.4

Reproduction Code [Required]

enable_secrets_store_csi_driver = true
enable_secrets_store_csi_driver_provider_aws = true

Steps to reproduce the behavior:

In both, with or without different code (Terraform and Terragrunt): yes

Include the above when installing the add-ons
and execute terraform/terragrunt apply

Expected behaviour

Both Helm deployed successfully

Actual behaviour

Error occurs for secrets_store_csi_driver_provider_aws addon

Terminal Output Screenshot(s)

The output is missing; the error says that ClusterRole secretproviderclasses-admin-role already exists and duplicates are not allowed.

Additional context

When investigating such behavior, and following the helm charts, I ended up with

And the Chart.yaml from eks-charts for csi-secrets-store-provider-aws,
https://github.com/aws/eks-charts/blob/master/stable/csi-secrets-store-provider-aws/Chart.yaml
has the following dependency:

dependencies:
- name: secrets-store-csi-driver
  repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
  version: 1.1
  condition: secrets-store-csi-driver.install

Additional information should be provided in the https://aws-ia.github.io/terraform-aws-eks-blueprints/v4.5.0/add-ons/csi-secrets-store-provider-aws/ instructions, since enabling only enable_secrets_store_csi_driver_provider_aws = true will result in both charts being installed.
The https://github.com/aws/eks-charts/blob/master/stable/csi-secrets-store-provider-aws page does explain some of this, but from the add-on docs it's not clear.

Additionally, some documentation points to https://github.com/aws/secrets-store-csi-driver-provider-aws, which is yet another repo for AWS's CSI provider and another location for a chart, one which doesn't include this dependency on secrets-store-csi-driver.

According to the addon main.tf: https://github.com/aws-ia/terraform-aws-eks-blueprints/blob/main/modules/kubernetes-addons/csi-secrets-store-provider-aws/main.tf
it points to eks-charts location:

module "helm_addon" {
  source = "../helm-addon"

  # https://github.com/aws/eks-charts/blob/master/stable/csi-secrets-store-provider-aws/Chart.yaml
  helm_config = merge(
    {
      name        = local.name
      chart       = local.name
      repository  = "https://aws.github.io/eks-charts"
      version     = "0.0.3"
      namespace   = kubernetes_namespace_v1.csi_secrets_store_provider_aws.metadata[0].name
      description = "A Helm chart to install the Secrets Store CSI Driver and the AWS Key Management Service Provider inside a Kubernetes cluster."
    },
    var.helm_config
  )

  manage_via_gitops = var.manage_via_gitops
  addon_context     = var.addon_context
}

The description of it is ok.

@boatmisser

Try overriding the helm config for secrets_store_csi_driver_provider_aws with:

secrets-store-csi-driver:
  install: false

By default secrets_store_csi_driver_provider_aws also tries to install secrets_store_csi_driver.
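To make the two workarounds discussed in this thread concrete, here is an added example of the add-ons module configuration; it is not code from the issue, from boatmisser, or from terraform-aws-eks-blueprints. It assumes the v4 kubernetes-addons module variable names secrets_store_csi_driver_provider_aws_helm_config and secrets_store_csi_driver_helm_config, that the helm-addon wrapper passes a values list straight through to helm_release, and an upstream output module.eks_blueprints.eks_cluster_id; check all three against your module version.

```hcl
# Added example (not from the issue or the blueprints repo).
# Assumed: variable names secrets_store_csi_driver_provider_aws_helm_config /
# secrets_store_csi_driver_helm_config, a pass-through `values` list, and
# the upstream output module.eks_blueprints.eks_cluster_id.
module "eks_blueprints_kubernetes_addons" {
  source = "github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons?ref=v4.14.0"

  eks_cluster_id = module.eks_blueprints.eks_cluster_id # assumed upstream output

  # Failing combination from the issue: both flags on with no override.
  # The provider chart (aws/eks-charts csi-secrets-store-provider-aws) declares
  # secrets-store-csi-driver as a subchart gated by the value
  # `secrets-store-csi-driver.install`, which is on unless overridden, so a
  # second Helm release tries to create the cluster-scoped ClusterRole
  # secretproviderclasses-admin-role and the install fails.
  #
  #   enable_secrets_store_csi_driver              = true
  #   enable_secrets_store_csi_driver_provider_aws = true

  # Fix A (the override suggested above): keep the standalone driver release
  # and switch the bundled subchart off, so exactly one release owns the
  # driver's RBAC objects.
  enable_secrets_store_csi_driver              = true
  enable_secrets_store_csi_driver_provider_aws = true

  secrets_store_csi_driver_provider_aws_helm_config = {
    values = [yamlencode({
      "secrets-store-csi-driver" = {
        install = false
      }
    })]
  }

  # Fix B (what the reporter ended up doing): enable only the provider add-on
  # and put the driver's values under the subchart key instead of under
  # secrets_store_csi_driver_helm_config. Use one fix or the other, not both.
  #
  #   enable_secrets_store_csi_driver              = false
  #   enable_secrets_store_csi_driver_provider_aws = true
  #   secrets_store_csi_driver_provider_aws_helm_config = {
  #     values = [yamlencode({
  #       "secrets-store-csi-driver" = {
  #         install    = true
  #         syncSecret = { enabled = true } # example driver chart value, assumed
  #       }
  #     })]
  #   }
}
```

Before re-applying on a cluster that already hit the error, check which Helm release owns the existing ClusterRole: Helm 3 records the owner in the meta.helm.sh/release-name and meta.helm.sh/release-namespace annotations on the object (kubectl get clusterrole secretproviderclasses-admin-role -o jsonpath='{.metadata.annotations}'). If it belongs to the release you are about to drop, uninstall that release rather than deleting the ClusterRole by hand, otherwise the surviving release's Helm state will not match what is in the cluster.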

@mldevpants (Author)

So what I actually did was disable the main secrets-store-csi-driver with its helm configs, and move the helm config values under secrets-store-csi-driver: for secrets_store_csi_driver_provider_aws.

Another reason why I opened this is that if someone searches the web for a duplicate role name in the cluster, they could actually find something and be directed to a solution.

Thanks

@mldevpants (Author)

Also, the example in examples/secrets-management/csi-secrets-driver actually produces an error when run as it is.
I can write the updated version, or would the original author like to update it?

@bryantbiggs bryantbiggs added the bug Something isn't working label Nov 26, 2022
@bryantbiggs bryantbiggs transferred this issue from aws-ia/terraform-aws-eks-blueprints Mar 17, 2023
@bryantbiggs (Contributor)

resolved in #144
