[BUG] keyvault-nginx-default is stuck in ContainerCreating #260

Open
JoeyC-Dev opened this issue Jul 24, 2024 · 2 comments
Problem:
Cannot set default certificate via Key Vault.

Screenshot: [three screenshots were attached to the original issue; not reproduced here]

Caption:
I am not sure if I configured the permission correctly, but the naming of "placeholder" and the use of the "pause" image make me think this is intended. There is no other log I can find.

Set-up demo:

```bash
ranNum=$(echo $RANDOM)
region=westus
rG=aks_approuting_${ranNum}
kv=kv${ranNum}
aks=aks-${ranNum}
aksVer=1.30

cert_name=example-meow-${ranNum}

az group create -n ${rG} -l ${region} -o none

# Cluster with the app routing add-on enabled
az aks create -n ${aks} -g ${rG} --kubernetes-version ${aksVer} --node-os-upgrade-channel None \
--node-vm-size Standard_A4_v2 --node-count 1 --enable-app-routing --no-ssh-key
infra_rG=$(az aks show -n ${aks} -g ${rG} --query nodeResourceGroup -o tsv)

# Section: set-policy mode (vault uses access policies, not RBAC)
az keyvault create -n ${kv} -g ${rG} --enable-rbac-authorization false
az aks approuting update -n ${aks} -g ${rG} --enable-kv


# Grant permission to the two add-on managed identities
kvprovider_mi_client_id=$(az identity show --resource-group ${infra_rG} --name "azurekeyvaultsecretsprovider-${aks}" --query clientId -o tsv)
az keyvault set-policy -n ${kv} --certificate-permissions get --spn ${kvprovider_mi_client_id}

webapp_mi_client_id=$(az identity show --resource-group ${infra_rG} --name "webapprouting-${aks}" --query clientId -o tsv)
az keyvault set-policy -n ${kv} --certificate-permissions get --spn ${webapp_mi_client_id}

# Generate a self-signed certificate and bundle it as PFX
openssl req -new -x509 -nodes -subj "/CN=${cert_name}" -addext "subjectAltName=DNS:${cert_name}" -out ${cert_name}.crt -keyout ${cert_name}.key
openssl pkcs12 -export -in ${cert_name}.crt -inkey ${cert_name}.key -out ${cert_name}.pfx

# Import into Key Vault; strip the trailing version segment from the certificate id
az keyvault certificate import --vault-name ${kv} -n ${cert_name} -f ${cert_name}.pfx
certUrl=$(az keyvault certificate show --vault-name ${kv} -n ${cert_name} --query id -o tsv | sed -E 's/((.*)([\/]))([a-z0-9]+)/\2/')

# Get AKS credentials
az aks get-credentials -n ${aks} -g ${rG}

# Apply default cert
cat <<EOF | kubectl apply -f -
apiVersion: approuting.kubernetes.azure.com/v1alpha1
kind: NginxIngressController
metadata:
  name: default
spec:
  ingressClassName: webapprouting.kubernetes.azure.com
  controllerNamePrefix: nginx
  loadBalancerAnnotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
  defaultSSLCertificate:
    keyVaultURI: ${certUrl}
EOF
```
@JoeyC-Dev (Author)

Tried:

```bash
az aks approuting update -n ${aks} -g ${rG} --enable-kv --attach-kv ${kvURI}
```

And this works.

I want to know why I have to use attach-kv here. I should already have given enough permission.

@sabbour commented Oct 7, 2024

The `az keyvault set-policy -n ${kv} --certificate-permissions get --spn ${webapp_mi_client_id}` command should be `az keyvault set-policy -n ${kv} --certificate-permissions get --object-id ${webapp_mi_client_id}` because it is a managed identity and not a service principal.

`--attach-kv` does this for you.
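As an added example (not code from this thread or the add-on), the following check shows why the grant in the setup script never applied: Key Vault access policies are matched on the principal's object ID, which `az identity show` returns as `principalId`, not on its `clientId`. It parses constructed samples of `az identity show` and `az keyvault show` output (all IDs and names are fake placeholders) and reports which ID the `get` permission was actually granted to, plus the corrected `set-policy` call.

```python
"""Verify that a managed identity really holds 'get' on certificates in a Key Vault
access policy, keyed on its object ID (principalId) rather than its client ID."""
import json

# Constructed sample of `az identity show ... -o json` (fake placeholder values).
IDENTITY_JSON = '''{
  "name": "webapprouting-aks-PLACEHOLDER",
  "clientId": "11111111-1111-1111-1111-111111111111",
  "principalId": "22222222-2222-2222-2222-222222222222"
}'''

# Constructed, trimmed sample of `az keyvault show -o json`. The only policy entry is
# keyed on the clientId, which reproduces the misconfiguration from the issue.
VAULT_JSON = '''{
  "name": "kvPLACEHOLDER",
  "properties": {
    "enableRbacAuthorization": false,
    "accessPolicies": [
      {"objectId": "11111111-1111-1111-1111-111111111111",
       "permissions": {"certificates": ["get"], "secrets": [], "keys": []}}
    ]
  }
}'''

def load_samples() -> tuple:
    """Parse the embedded samples into (vault, identity) dicts."""
    return json.loads(VAULT_JSON), json.loads(IDENTITY_JSON)

def cert_permissions_for(vault: dict, object_id: str) -> set:
    """Union of certificate permissions granted to object_id across all policy entries."""
    perms = set()
    for entry in vault["properties"].get("accessPolicies", []):
        if entry.get("objectId", "").lower() == object_id.lower():
            perms |= {p.lower() for p in entry.get("permissions", {}).get("certificates", [])}
    return perms

def check_identity(vault: dict, identity: dict) -> dict:
    """Report where 'get' landed, and whether access policies are even in effect
    (a vault with RBAC authorization enabled ignores access policies entirely)."""
    return {
        "policies_in_effect": not vault["properties"].get("enableRbacAuthorization", False),
        "granted_to_principal_id": "get" in cert_permissions_for(vault, identity["principalId"]),
        "granted_to_client_id": "get" in cert_permissions_for(vault, identity["clientId"]),
    }

def remediation(vault: dict, identity: dict) -> str:
    """The set-policy call keyed on the object ID, as the fix above describes."""
    return (f"az keyvault set-policy -n {vault['name']} --certificate-permissions get "
            f"--object-id {identity['principalId']}")

if __name__ == "__main__":
    vault, identity = load_samples()
    print(check_identity(vault, identity))
    print(remediation(vault, identity))
```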
