Azure / azure-service-operator

Azure Service Operator allows you to create Azure resources using kubectl
https://azure.github.io/azure-service-operator/
MIT License

ARO: Unable to resolve endpoint #4044

Closed vsawant1608 closed 3 months ago

vsawant1608 commented 4 months ago

Steps followed:

1. Create ARO cluster.
2. Deploy ASO operator as per steps here: https://azure.github.io/azure-service-operator/#create-the-azure-service-operator-namespaced-secret
3. Tried creating resource.

Getting the below error and unable to create any resource:

I0528 14:41:01.816161       1 common.go:66] "msg"="Reconcile invoked" "annotations"={"serviceoperator.azure.com/latest-reconciled-generation":"1","serviceoperator.azure.com/operator-namespace":"azureserviceoperator-system","serviceoperator.azure.com/resource-id":"/subscriptions/635abf4c-c185-405f-a215-08d1c64d5f98/resourceGroups/test-vs3"} "conditions"="[Condition [Ready], Status = \"False\", ObservedGeneration = 1, Severity = \"Warning\", Reason = \"UnknownError\", Message = \"ClientSecretCredential: unable to resolve an endpoint: server response error:\\n context deadline exceeded\", LastTransitionTime = \"2024-05-28 14:33:16 +0000 UTC\"]" "creationTimestamp"="2024-05-28T14:32:15Z" "deletionTimestamp"=null "finalizers"=["serviceoperator.azure.com/finalizer"] "generation"=1 "kind"={"kind":"ResourceGroup","apiVersion":"resources.azure.com/v1api20200601storage"} "logger"="controllers.ResourceGroupController" "name"="test-vs3" "namespace"="default" "owner"=null "ownerReferences"=null "resourceVersion"="78075" "uid"="90048526-b43e-4aaf-9263-266667aa54bf"
I0528 14:41:01.816315       1 azure_generic_arm_reconciler_instance.go:72] "msg"="Determined CreateOrUpdate action" "action"="BeginCreateOrUpdate" "azureName"="test-vs3" "logger"="controllers.ResourceGroupController" "name"="test-vs3" "namespace"="default"
I0528 14:41:01.816426       1 recorder.go:104] "msg"="Using credential from \"default/aso-credential\"" "logger"="events" "object"={"kind":"ResourceGroup","namespace":"default","name":"test-vs3","uid":"90048526-b43e-4aaf-9263-266667aa54bf","apiVersion":"resources.azure.com/v1api20200601storage","resourceVersion":"78075"} "reason"="CredentialFrom" "type"="Normal"
I0528 14:41:01.816461       1 azure_generic_arm_reconciler_instance.go:313] "msg"="About to send resource to Azure" "azureName"="test-vs3" "logger"="controllers.ResourceGroupController" "name"="test-vs3" "namespace"="default"

The resourcegroup looks like this:

vishakha_sawant:~$ k describe resourcegroup test-vs3
Name:         test-vs3
Namespace:    default
Labels:       <none>
Annotations:  serviceoperator.azure.com/latest-reconciled-generation: 1
              serviceoperator.azure.com/operator-namespace: azureserviceoperator-system
              serviceoperator.azure.com/resource-id: /subscriptions/635abf4c-c185-405f-a215-08d1c64d5f98/resourceGroups/test-vs3
API Version:  resources.azure.com/v1api20200601
Kind:         ResourceGroup
Metadata:
  Creation Timestamp:  2024-05-28T14:32:15Z
  Finalizers:
    serviceoperator.azure.com/finalizer
  Generation:        1
  Resource Version:  78075
  UID:               90048526-b43e-4aaf-9263-266667aa54bf
Spec:
  Azure Name:  test-vs3
  Location:    eastus
Status:
  Conditions:
    Last Transition Time:  2024-05-28T14:33:16Z
    Message:               ClientSecretCredential: unable to resolve an endpoint: server response error:
 context deadline exceeded
    Observed Generation:  1
    Reason:               UnknownError
    Severity:             Warning
    Status:               False
    Type:                 Ready
Events:
  Type     Reason                     Age                From                     Message
  ----     ------                     ----               ----                     -------
  Normal   CredentialFrom             97s (x9 over 12m)  ResourceGroupController  Using credential from "default/aso-credential"
  Warning  CreateOrUpdateActionError  37s (x8 over 11m)  ResourceGroupController  Reason: UnknownError, Severity: Warning, RetryClassification: RetrySlow, Cause: ClientSecretCredential: unable to resolve an endpoint: server response error:
 context deadline exceeded
vishakha_sawant:~$

matthchr commented 4 months ago

Is this related to the question you asked here?

whose answer was:

Ah, it looks like you should probably just disable the networkPolicies.enabled flag in our Helm chart as ARO doesn't support Kubernetes egress policies out of the box, as discussed here.

You can set up egress firewall rules to control network traffic, but there's no requirement you run ASO with network policies enabled. They're on by default as a security best practice only. You can disable them (and write your own ARO-compliant ones if you'd like).

matthchr commented 3 months ago

Closing this as it seems likely to be related to the issue which was already answered above.
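
An added example, not part of the issue thread or the ASO project: a shell triage that separates the timeout reported above (the credential's token endpoint never answers, which is what blocked egress looks like) from a credential that was reached and rejected. The sample log lines are constructed from the log format in the issue; the `AADSTS` sample line and the deployment name in the closing comment are assumptions.

```shell
#!/bin/sh
# Added example: triage ASO controller logs for the failure in this issue.

# Classify one log line or condition message.
classify() {
  case "$1" in
    *"unable to resolve an endpoint"*"context deadline exceeded"*)
      echo egress-timeout ;;       # token endpoint never answered: check egress
    *AADSTS*)
      echo credential-rejected ;;  # endpoint was reached and returned an error
    *)
      echo other ;;
  esac
}

# Read klog lines on stdin and print namespace/name of every resource whose
# credential lookup timed out.
egress_timeouts() {
  while IFS= read -r line; do
    if [ "$(classify "$line")" = egress-timeout ]; then
      printf '%s\n' "$line" |
        sed -n 's|.*"name"="\([^"]*\)" "namespace"="\([^"]*\)".*|\2/\1|p'
    fi
  done | sort -u
}

# Constructed sample lines, shortened from the log format shown in the issue.
sample_log() {
  cat <<'EOF'
I0528 14:41:01.816161       1 common.go:66] "msg"="Reconcile invoked" "conditions"="[Condition [Ready], Status = \"False\", Reason = \"UnknownError\", Message = \"ClientSecretCredential: unable to resolve an endpoint: server response error:\\n context deadline exceeded\"]" "logger"="controllers.ResourceGroupController" "name"="test-vs3" "namespace"="default"
I0528 14:41:02.000000       1 common.go:66] "msg"="Reconcile invoked" "conditions"="[Condition [Ready], Status = \"True\", Reason = \"Succeeded\", Message = \"\"]" "logger"="controllers.ResourceGroupController" "name"="rg-ok" "namespace"="default"
I0528 14:41:03.000000       1 common.go:66] "msg"="Reconcile invoked" "conditions"="[Condition [Ready], Status = \"False\", Reason = \"UnknownError\", Message = \"AADSTS7000215: Invalid client secret provided\"]" "logger"="controllers.ResourceGroupController" "name"="rg-badsecret" "namespace"="default"
EOF
}

sample_log | egress_timeouts

# Against a live cluster (deployment name is an assumption):
#   kubectl logs -n azureserviceoperator-system \
#     deploy/azureserviceoperator-controller-manager | egress_timeouts
# If resources are listed, see which policies apply to the operator namespace:
#   kubectl get networkpolicy -n azureserviceoperator-system
```
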