The access token has been obtained for wrong audience or resource error

[gischethans]

Describe the bug The ingress-azure pod goes into CrashLoopBackOff status with the below error when the environment is set to AzureUSGovernmentCloud. The issue does not occur on older versions like 1.6.0

Message="The access token has been obtained for wrong audience or resource 'https://management.azure.com'. It should exactly match with one of the allowed audiences 'https://management.core.usgovcloudapi.net/','https://management.core.usgovcloudapi.net','https://management.usgovcloudapi.net/','https://management.usgovcloudapi.net'.""

To Reproduce Install 1.7.1 version of the controller.

Ingress Controller details

• Output of kubectl describe pod <ingress controller>

  Name:             ingress-azure-85dfd8d479-jrkr7
  Namespace:        default
  Priority:         0
  Service Account:  ingress-azure
  Node:             aks-agent-21939062-vmss000001/10.0.0.92
  Start Time:       Thu, 22 Jun 2023 15:44:01 +0530
  Labels:           aadpodidbinding=ingress-azure
                app=ingress-azure
                pod-template-hash=85dfd8d479
                release=ingress-azure
  Annotations:      checksum/config: 98274f88b5466064d64af1b661ded40071725ba3a5cff6cdd8649409143958bc
                prometheus.io/port: 8123
                prometheus.io/scrape: true
  Status:           Running
  IP:               10.0.0.103
  IPs:
  IP:           10.0.0.103
  Controlled By:  ReplicaSet/ingress-azure-85dfd8d479
  Containers:
  ingress-azure:
  Container ID:   containerd://1ee8b7fb6a4e4bc8427fe3e98ff4dc669205f49dc5c93118e922080f000c77e0
  Image:          mcr.microsoft.com/azure-application-gateway/kubernetes-ingress:1.7.1
  Image ID:       mcr.microsoft.com/azure-application-gateway/kubernetes-ingress@sha256:91a6648b78c65f3b6858441589daabd72146d9a53e896c0e6abf501e870f9d9b
  Port:           <none>
  Host Port:      <none>
  State:          Waiting
    Reason:       CrashLoopBackOff
  Last State:     Terminated
    Reason:       Error
    Exit Code:    255
    Started:      Fri, 23 Jun 2023 15:28:51 +0530
    Finished:     Fri, 23 Jun 2023 15:28:51 +0530
  Ready:          False
  Restart Count:  283
  Liveness:       http-get http://:8123/health/alive delay=15s timeout=1s period=20s #success=1 #failure=3
  Readiness:      http-get http://:8123/health/ready delay=5s timeout=1s period=10s #success=1 #failure=3
  Environment Variables from:
    ingress-azure  ConfigMap  Optional: false
  Environment:
    AZURE_CLOUD_PROVIDER_LOCATION:  /etc/appgw/azure.json
    AGIC_POD_NAME:                  ingress-azure-85dfd8d479-jrkr7 (v1:metadata.name)
    AGIC_POD_NAMESPACE:             default (v1:metadata.namespace)
  Mounts:
    /etc/appgw/ from azure (ro)
    /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-k28cz (ro)
  Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
  Volumes:
  azure:
  Type:          HostPath (bare host directory volume)
  Path:          /etc/kubernetes/
  HostPathType:  Directory
  kube-api-access-k28cz:
  Type:                    Projected (a volume that contains injected data from multiple sources)
  TokenExpirationSeconds:  3607
  ConfigMapName:           kube-root-ca.crt
  ConfigMapOptional:       <nil>
  DownwardAPI:             true
  QoS Class:                   BestEffort
  Node-Selectors:              kubernetes.io/os=linux
  Tolerations:                 op=Exists
  Events:
  Type     Reason   Age                    From     Message
  ----     ------   ----                   ----     -------
  Warning  BackOff  3m9s (x6897 over 23h)  kubelet  Back-off restarting failed container

• Output of `kubectl logs .

  I0623 09:53:37.255339       1 utils.go:114] Using verbosity level 3 from environment variable APPGW_VERBOSITY_LEVEL
  I0623 09:53:37.276052       1 supported_apiversion.go:70] server version is: 1.25.5
  I0623 09:53:37.286231       1 environment.go:294] KUBERNETES_WATCHNAMESPACE is not set. Watching all available namespaces.
  I0623 09:53:37.286249       1 main.go:118] Using User Agent Suffix='ingress-azure-85dfd8d479-jrkr7' when communicating with ARM
  I0623 09:53:37.286331       1 main.go:137] Application Gateway Details: Subscription="77f8dc1f-50f0-4867-a60b-1f999873096f" Resource Group="chethan2303-stamp-usgovvirginia-rg" Name="agw-chethan2303-usgovvirginia"
  I0623 09:53:37.286346       1 auth.go:58] Creating authorizer using Default Azure Credentials
  I0623 09:53:37.286411       1 httpserver.go:57] Starting API Server on :8123
  E0623 09:53:37.338618       1 client.go:184] configuration error (bad request) or unauthorized error while performing a GET using the authorizer
  E0623 09:53:37.338634       1 client.go:185] stopping GET retries
  F0623 09:53:37.338694       1 main.go:175] Failed getting Application Gateway: Code="ErrorApplicationGatewayUnexpectedStatusCode" Message="Unexpected status code '401' while performing a GET on Application Gateway." InnerError="network.ApplicationGatewaysClient#Get: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="InvalidAuthenticationTokenAudience" Message="The access token has been obtained for wrong audience or resource 'https://management.azure.com'. It should exactly match with one of the allowed audiences 'https://management.core.usgovcloudapi.net/','https://management.core.usgovcloudapi.net','https://management.usgovcloudapi.net/','https://management.usgovcloudapi.net'.""

• Any Azure support tickets associated with this issue. No

[akshaysngupta]

This is fixed in AGIC 1.7.2.