Closed KomanRudden closed 6 years ago
Thanks for the feedback! We are currently investigating and will update you shortly.
@koman can you tell me the exact command you are using that is producing the error?
Also are you running these commands on prem or in the Azure Cloud Shell? Based on the error it appears you might have lost your connection to the Azure infrastructure and need to log in again using az login.
Hi, Here is the exact sequence of commands I ran in Azure Cloud Shell -
helm install stable/nginx-ingress --namespace kube-system
NAME: youthful-gerbil
LAST DEPLOYED: Sat Aug 25 08:35:58 2018
NAMESPACE: kube-system
STATUS: DEPLOYED
RESOURCES:
==> v1/ServiceAccount
NAME SECRETS AGE
youthful-gerbil-nginx-ingress 1 4s
==> v1beta1/ClusterRoleBinding
NAME AGE
youthful-gerbil-nginx-ingress 4s
==> v1/Service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
youthful-gerbil-nginx-ingress-controller LoadBalancer 10.0.218.165 <pending> 80:31313/TCP,443:30938/TCP 3s
youthful-gerbil-nginx-ingress-default-backend ClusterIP 10.0.247.57 <none> 80/TCP 2s
==> v1beta1/Deployment
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
youthful-gerbil-nginx-ingress-controller 1 1 1 0 2s
youthful-gerbil-nginx-ingress-default-backend 1 1 1 0 2s
==> v1beta1/PodDisruptionBudget
NAME MIN AVAILABLE MAX UNAVAILABLE ALLOWED DISRUPTIONS AGE
youthful-gerbil-nginx-ingress-controller 1 N/A 0 2s
youthful-gerbil-nginx-ingress-default-backend 1 N/A 0 2s
==> v1/Pod(related)
NAME READY STATUS RESTARTS AGE
youthful-gerbil-nginx-ingress-controller-67f6496989-l94v2 0/1 ContainerCreating 0 1s
youthful-gerbil-nginx-ingress-default-backend-868449b9bd-wqtnm 0/1 ContainerCreating 0 1s
==> v1/ConfigMap
NAME DATA AGE
youthful-gerbil-nginx-ingress-controller 1 4s
==> v1beta1/ClusterRole
NAME AGE
youthful-gerbil-nginx-ingress 4s
==> v1beta1/Role
youthful-gerbil-nginx-ingress 4s
==> v1beta1/RoleBinding
NAME AGE
youthful-gerbil-nginx-ingress 4s
NOTES:
The nginx-ingress controller has been installed.
It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status by running 'kubectl --namespace kube-system get services -o wide -w youthful-gerbil-nginx-ingress-controller'
An example Ingress that makes use of the controller:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
  name: example
  namespace: foo
spec:
  rules:
    - host: www.example.com
      http:
        paths:
          - backend:
              serviceName: exampleService
              servicePort: 80
            path: /
  # This section is only required if TLS is to be enabled for the Ingress
  tls:
    - hosts:
        - www.example.com
      secretName: example-tls
If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:
apiVersion: v1
kind: Secret
metadata:
  name: example-tls
  namespace: foo
data:
  tls.crt: <base64 encoded cert>
  tls.key: <base64 encoded key>
type: kubernetes.io/tls
koman@Azure:~$ kubectl get services --all-namespaces
NAMESPACE      NAME                                           TYPE          CLUSTER-IP    EXTERNAL-IP  PORT(S)                     AGE
default        azure-vote-back                                ClusterIP     10.0.196.130               6379/TCP                    19h
default        azure-vote-front                               LoadBalancer  10.0.118.56                80:31126/TCP                19h
default        kubernetes                                     ClusterIP     10.0.0.1                   443/TCP                     4d
kube-system    heapster                                       ClusterIP     10.0.163.59                80/TCP                      4d
kube-system    kube-dns                                       ClusterIP     10.0.0.10                  53/UDP,53/TCP               4d
kube-system    kubernetes-dashboard                           ClusterIP     10.0.11.232                80/TCP                      4d
kube-system    tiller-deploy                                  ClusterIP     10.0.211.2                 44134/TCP                   23h
kube-system    youthful-gerbil-nginx-ingress-controller       LoadBalancer  10.0.218.165               80:31313/TCP,443:30938/TCP  30s
kube-system    youthful-gerbil-nginx-ingress-default-backend  ClusterIP     10.0.247.57                80/TCP                      29s
test-eba-next  azure-vote-back                                ClusterIP     10.0.150.60                6379/TCP                    20m
test-eba-next  azure-vote-front                               LoadBalancer  10.0.183.253               80:30780/TCP                20m
kubectl describe service youthful-gerbil-nginx-ingress-controller --namespace kube-system
Name: youthful-gerbil-nginx-ingress-controller
Namespace: kube-system
Labels: app=nginx-ingress
chart=nginx-ingress-0.25.1
component=controller
heritage=Tiller
release=youthful-gerbil
Annotations:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal EnsuringLoadBalancer 12s (x5 over 1m) service-controller Ensuring load balancer
Warning CreatingLoadBalancerFailed 12s service-controller Error creating load balancer (will retry): failed to ensure load balancer for service kube-system/youthful-gerbil-nginx-ingress-controller: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/3a00c58a-2609-4b7a-9420-87860b89757b/resourceGroups/MC_test_eba-next_test-eba-next-k8s_westeurope/providers/Microsoft.Network/loadBalancers?api-version=2017-09-01: StatusCode=0 -- Original Error: adal: Refresh request failed. Status Code = '401'. Response body: {"error":"invalid_client","error_description":"AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.\r\nTrace ID: 13763ade-437b-4141-b388-751ba4983b00\r\nCorrelation ID: e49a0ff6-5a5a-4309-88a0-75661777434d\r\nTimestamp: 2018-08-25 08:37:17Z","error_codes":[70002,50012],"timestamp":"2018-08-25 08:37:17Z","trace_id":"13763ade-437b-4141-b388-751ba4983b00","correlation_id":"e49a0ff6-5a5a-4309-88a0-75661777434d"}
This seems to be the exact error - Error validating credentials. AADSTS50012: Invalid client secret is provided.
Any thoughts would be very much appreciated :-)
Thank you!
@koman I am not seeing the same error when running the commands.
What access level to your subscription do you have? Are you a subscription admin? You can check this by going to the portal -> Subscriptions -> Access Control
Then look up your username and see what access level you have.
Hi Micah
Ok, I am definitely not the admin for this subscription. At BMW our team have to ask for temporary admin access when attempting certain tasks. Do you think this error when deploying Ingress is caused by a lack of admin rights?
I will request from the internal Azure Cloud team admin rights and try again.
I will get back to you.
Thank you Micah.
-- Kind regards, Koman Rudden
Thanks @koman
You might not need to have full admin access but you are creating resources so you need to be enabled to do so.
Have you also tried removing the cluster and trying the doc again to see if you get the same error each time?
Morning Micah,
I think what I'll try today is to create a separate cluster (leave this one as is) and attempt the tutorial again. I'll let you know how I get along later.
Thanks, Koman
-- Kind regards, Koman Rudden
@koman any update on this?
@koman I will close this for now. But when ready just let me know and we can always reopen and continue.
@micah thank you. I am trying a few things with a new resource group and K8s cluster. Will be in touch if need be.
-- Kind regards, Koman Rudden
Hello,
I am receiving this error under Events when I describe the nginx-ingress-controller service. This is resulting in there never being assigned an external IP address.
Normal EnsuringLoadBalancer 3m (x10 over 24m) service-controller Ensuring load balancer
Warning CreatingLoadBalancerFailed 3m service-controller (combined from similar events): Error creating load balancer (will retry): failed to ensure load balancer for service ingress-nginx/nginx-ingress-controller: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/3a00c58a-2609-4b7a-9420-87860b89757b/resourceGroups/MC_test_eba-next_test-eba-next-k8s_westeurope/providers/Microsoft.Network/loadBalancers?api-version=2017-09-01: StatusCode=0 -- Original Error: adal: Refresh request failed. Status Code = '401'. Response body: {"error":"invalid_client","error_description":"AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.\r\nTrace ID: 415df32b-757a-4fe3-9f99-97b3f8431c00\r\nCorrelation ID: 252b0fd5-0bd5-4c71-a655-c7759e5bcb38\r\nTimestamp: 2018-08-24 13:42:57Z","error_codes":[70002,50012],"timestamp":"2018-08-24 13:42:57Z","trace_id":"415df32b-757a-4fe3-9f99-97b3f8431c00","correlation_id":"252b0fd5-0bd5-4c71-a655-c7759e5bcb38"}
Is there any advice you can provide please?
Thank you.