MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Invalid Client Secret error #13940

Closed KomanRudden closed 6 years ago

KomanRudden commented 6 years ago

Hello,

I am receiving this error under Events when I describe the nginx-ingress-controller service. As a result, an external IP address is never assigned.

Normal   EnsuringLoadBalancer        3m (x10 over 24m)  service-controller  Ensuring load balancer
Warning  CreatingLoadBalancerFailed  3m                 service-controller  (combined from similar events): Error creating load balancer (will retry): failed to ensure load balancer for service ingress-nginx/nginx-ingress-controller: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/3a00c58a-2609-4b7a-9420-87860b89757b/resourceGroups/MC_test_eba-next_test-eba-next-k8s_westeurope/providers/Microsoft.Network/loadBalancers?api-version=2017-09-01: StatusCode=0 -- Original Error: adal: Refresh request failed. Status Code = '401'. Response body: {"error":"invalid_client","error_description":"AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.\r\nTrace ID: 415df32b-757a-4fe3-9f99-97b3f8431c00\r\nCorrelation ID: 252b0fd5-0bd5-4c71-a655-c7759e5bcb38\r\nTimestamp: 2018-08-24 13:42:57Z","error_codes":[70002,50012],"timestamp":"2018-08-24 13:42:57Z","trace_id":"415df32b-757a-4fe3-9f99-97b3f8431c00","correlation_id":"252b0fd5-0bd5-4c71-a655-c7759e5bcb38"}

Is there any advice you can provide please?

Thank you.



mimckitt commented 6 years ago

Thanks for the feedback! We are currently investigating and will update you shortly.

mimckitt commented 6 years ago

@koman can you tell me the exact command you are using that is producing the error?

Also, are you running these commands on prem or in the Azure Cloud Shell? Based on the error it appears you might have lost your connection to the Azure infrastructure and need to log in again using az login

KomanRudden commented 6 years ago

Hi, Here is the exact sequence of commands I ran in Azure Cloud Shell -

helm install stable/nginx-ingress --namespace kube-system

NAME:   youthful-gerbil
LAST DEPLOYED: Sat Aug 25 08:35:58 2018
NAMESPACE: kube-system
STATUS: DEPLOYED

RESOURCES:
==> v1/ServiceAccount
NAME                           SECRETS  AGE
youthful-gerbil-nginx-ingress  1        4s

==> v1beta1/ClusterRoleBinding
NAME                           AGE
youthful-gerbil-nginx-ingress  4s

==> v1/Service
NAME                                           TYPE          CLUSTER-IP    EXTERNAL-IP  PORT(S)                     AGE
youthful-gerbil-nginx-ingress-controller       LoadBalancer  10.0.218.165  <pending>    80:31313/TCP,443:30938/TCP  3s
youthful-gerbil-nginx-ingress-default-backend  ClusterIP     10.0.247.57   <none>       80/TCP                      2s

==> v1beta1/Deployment
NAME                                           DESIRED  CURRENT  UP-TO-DATE  AVAILABLE  AGE
youthful-gerbil-nginx-ingress-controller       1        1        1           0          2s
youthful-gerbil-nginx-ingress-default-backend  1        1        1           0          2s

==> v1beta1/PodDisruptionBudget
NAME                                           MIN AVAILABLE  MAX UNAVAILABLE  ALLOWED DISRUPTIONS  AGE
youthful-gerbil-nginx-ingress-controller       1              N/A              0                    2s
youthful-gerbil-nginx-ingress-default-backend  1              N/A              0                    2s

==> v1/Pod(related)
NAME                                                            READY  STATUS             RESTARTS  AGE
youthful-gerbil-nginx-ingress-controller-67f6496989-l94v2       0/1    ContainerCreating  0         1s
youthful-gerbil-nginx-ingress-default-backend-868449b9bd-wqtnm  0/1    ContainerCreating  0         1s

==> v1/ConfigMap
NAME                                      DATA  AGE
youthful-gerbil-nginx-ingress-controller  1     4s

==> v1beta1/ClusterRole
NAME                           AGE
youthful-gerbil-nginx-ingress  4s

==> v1beta1/Role
youthful-gerbil-nginx-ingress  4s

==> v1beta1/RoleBinding
NAME                           AGE
youthful-gerbil-nginx-ingress  4s

NOTES:
The nginx-ingress controller has been installed.
It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status by running 'kubectl --namespace kube-system get services -o wide -w youthful-gerbil-nginx-ingress-controller'

An example Ingress that makes use of the controller:

  apiVersion: extensions/v1beta1
  kind: Ingress
  metadata:
    annotations:
      kubernetes.io/ingress.class: nginx
    name: example
    namespace: foo
  spec:
    rules:
      - host: www.example.com
        http:
          paths:
            - backend:
                serviceName: exampleService
                servicePort: 80
              path: /
    # This section is only required if TLS is to be enabled for the Ingress
    tls:
        - hosts:
            - www.example.com
          secretName: example-tls

If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:

  apiVersion: v1
  kind: Secret
  metadata:
    name: example-tls
    namespace: foo
  data:
    tls.crt: <base64 encoded cert>
    tls.key: <base64 encoded key>
  type: kubernetes.io/tls

koman@Azure:~$ kubectl get services --all-namespaces

NAMESPACE      NAME                                           TYPE          CLUSTER-IP    EXTERNAL-IP  PORT(S)                     AGE
default        azure-vote-back                                ClusterIP     10.0.196.130               6379/TCP                    19h
default        azure-vote-front                               LoadBalancer  10.0.118.56                80:31126/TCP                19h
default        kubernetes                                     ClusterIP     10.0.0.1                   443/TCP                     4d
kube-system    heapster                                       ClusterIP     10.0.163.59                80/TCP                      4d
kube-system    kube-dns                                       ClusterIP     10.0.0.10                  53/UDP,53/TCP               4d
kube-system    kubernetes-dashboard                           ClusterIP     10.0.11.232                80/TCP                      4d
kube-system    tiller-deploy                                  ClusterIP     10.0.211.2                 44134/TCP                   23h
kube-system    youthful-gerbil-nginx-ingress-controller       LoadBalancer  10.0.218.165               80:31313/TCP,443:30938/TCP  30s
kube-system    youthful-gerbil-nginx-ingress-default-backend  ClusterIP     10.0.247.57                80/TCP                      29s
test-eba-next  azure-vote-back                                ClusterIP     10.0.150.60                6379/TCP                    20m
test-eba-next  azure-vote-front                               LoadBalancer  10.0.183.253               80:30780/TCP                20m

kubectl describe service youthful-gerbil-nginx-ingress-controller --namespace kube-system

Name:                     youthful-gerbil-nginx-ingress-controller
Namespace:                kube-system
Labels:                   app=nginx-ingress
                          chart=nginx-ingress-0.25.1
                          component=controller
                          heritage=Tiller
                          release=youthful-gerbil
Annotations:
Selector:                 app=nginx-ingress,component=controller,release=youthful-gerbil
Type:                     LoadBalancer
IP:                       10.0.218.165
Port:                     http  80/TCP
TargetPort:               http/TCP
NodePort:                 http  31313/TCP
Endpoints:                10.244.0.46:80
Port:                     https  443/TCP
TargetPort:               https/TCP
NodePort:                 https  30938/TCP
Endpoints:                10.244.0.46:443
Session Affinity:         None
External Traffic Policy:  Cluster

Events:
  Type     Reason                      Age               From                Message
  ----     ------                      ----              ----                -------
  Normal   EnsuringLoadBalancer        12s (x5 over 1m)  service-controller  Ensuring load balancer
  Warning  CreatingLoadBalancerFailed  12s               service-controller  Error creating load balancer (will retry): failed to ensure load balancer for service kube-system/youthful-gerbil-nginx-ingress-controller: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/3a00c58a-2609-4b7a-9420-87860b89757b/resourceGroups/MC_test_eba-next_test-eba-next-k8s_westeurope/providers/Microsoft.Network/loadBalancers?api-version=2017-09-01: StatusCode=0 -- Original Error: adal: Refresh request failed. Status Code = '401'. Response body: {"error":"invalid_client","error_description":"AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.\r\nTrace ID: 13763ade-437b-4141-b388-751ba4983b00\r\nCorrelation ID: e49a0ff6-5a5a-4309-88a0-75661777434d\r\nTimestamp: 2018-08-25 08:37:17Z","error_codes":[70002,50012],"timestamp":"2018-08-25 08:37:17Z","trace_id":"13763ade-437b-4141-b388-751ba4983b00","correlation_id":"e49a0ff6-5a5a-4309-88a0-75661777434d"}

This seems to be the exact error - Error validating credentials. AADSTS50012: Invalid client secret is provided.

Any thoughts would be very much appreciated :-)

Thank you!
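An added example, not part of the thread or of any Azure tooling: a small parser that pulls the Azure AD response out of a `CreatingLoadBalancerFailed` event message like the one above, so the AADSTS codes and the trace and correlation IDs can be quoted in a support request. The sample message is constructed with placeholder IDs, and `parse_token_failure` is a hypothetical helper name.

```python
import json
import re

# Constructed sample: same shape as the Warning event in the thread, placeholder IDs.
SAMPLE_EVENT = (
    "Error creating load balancer (will retry): failed to ensure load balancer for "
    "service kube-system/example-ingress-controller: azure.BearerAuthorizer"
    "#WithAuthorization: Failed to refresh the Token for request to https://"
    "management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/"
    "resourceGroups/MC_example_rg/providers/Microsoft.Network/loadBalancers"
    "?api-version=2017-09-01: StatusCode=0 -- Original Error: adal: Refresh request "
    "failed. Status Code = '401'. Response body: "
    '{"error":"invalid_client","error_description":"AADSTS70002: Error validating '
    'credentials. AADSTS50012: Invalid client secret is provided.\\r\\nTrace ID: '
    '11111111-1111-1111-1111-111111111111\\r\\nCorrelation ID: '
    '22222222-2222-2222-2222-222222222222\\r\\nTimestamp: 2018-01-01 00:00:00Z",'
    '"error_codes":[70002,50012],"timestamp":"2018-01-01 00:00:00Z",'
    '"trace_id":"11111111-1111-1111-1111-111111111111",'
    '"correlation_id":"22222222-2222-2222-2222-222222222222"}'
)

MARKER = "Response body:"

def parse_token_failure(message):
    """Extract the Azure AD error embedded in a service-controller event message."""
    head, sep, tail = message.partition(MARKER)
    if not sep:
        return None  # not a token-refresh failure
    try:
        # raw_decode tolerates any text that follows the JSON object
        body, _ = json.JSONDecoder().raw_decode(tail.lstrip())
    except json.JSONDecodeError:
        return None  # body truncated or wrapped by the terminal
    service = re.search(r"for service (\S+):", head)
    scope = re.search(r"/subscriptions/([0-9a-fA-F-]{36})/resourceGroups/([^/]+)/", head)
    status = re.search(r"Status Code = '(\d{3})'", head)
    return {
        "service": service.group(1) if service else None,
        "subscription": scope.group(1) if scope else None,
        "resource_group": scope.group(2) if scope else None,
        "http_status": int(status.group(1)) if status else None,
        # invalid_client is the OAuth 2.0 code for failed client authentication
        "client_auth_failed": body.get("error") == "invalid_client",
        "aadsts_codes": body.get("error_codes", []),
        "trace_id": body.get("trace_id"),
        "correlation_id": body.get("correlation_id"),
    }
```

The message text can be taken from the Events section of `kubectl describe service` output and passed to the function as a single string.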

mimckitt commented 6 years ago

@koman I am not seeing the same error when running the commands.

What access level to your subscription do you have? Are you a subscription admin? You can check this by going to the portal -> Subscriptions -> Access Control

Then look up your username and see what access level you have

KomanRudden commented 6 years ago

Hi Micah

Ok, I am definitely not the admin for this subscription. At BMW our team have to ask for temporary admin access when attempting certain tasks. Do you think this error when deploying Ingress is caused by a lack of admin rights?

I will request from the internal Azure Cloud team admin rights and try again.

I will get back to you.

Thank you Micah.


-- Kind regards, Koman Rudden

mimckitt commented 6 years ago

Thanks @koman

You might not need to have full admin access but you are creating resources so you need to be enabled to do so.

Have you also tried removing the cluster and trying the doc again to see if you get the same error each time?

KomanRudden commented 6 years ago

Morning Micah,

I think what I'll try today is to create a separate cluster (leave this one as is) and attempt the tutorial again. I'll let you know how I get along later.

Thanks, Koman


-- Kind regards, Koman Rudden

mimckitt commented 6 years ago

@koman any update on this?

mimckitt commented 6 years ago

@koman I will close this for now. But when ready just let me know and we can always reopen and continue.

KomanRudden commented 6 years ago

@micah thank you. I am trying a few things with a new resource group and K8s cluster. Will be in touch if need be.


-- Kind regards, Koman Rudden