argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Error when declaratively adding a new AKS cluster (using MSI) #16759

Open 1aziz opened 11 months ago

1aziz commented 11 months ago

Describe the bug

I'm trying to add a new AKS cluster declaratively using kubelogin, but I'm getting the following error:

level=error msg="could not unmarshal cluster secret aks-workload-dev-secret-manual"

This is what my cluster Secret looks like:

---
apiVersion: v1
kind: Secret
metadata:
  labels:
    argocd.argoproj.io/secret-type: cluster
  name: aks-workload-dev-secret-manual
  namespace: argocd
stringData:
  config: |
    {
      "execProviderConfig": {
        "command": "argocd-k8s-auth",
        "env": {
          "AZURE_CLIENT_ID": REDACTED,
          "AAD_LOGIN_METHOD": "msi"
        },
        "args": ["azure"],
        "apiVersion": "client.authentication.k8s.io/v1beta1"
      },
      "tlsClientConfig": {
        "insecure": true,
        "caData": REDACTED
      }
    }
  name: aks-workload-dev
  server: REDACTED
type: Opaque

I have already added the required configs to the deployment templates (for both the server and app controller) to use kubelogin:

[screenshot taken 2024-01-05 15:55:04, not included]

[screenshot taken 2024-01-05 16:00:40, not included]

The error could be caused by a formatting issue (maybe with my JSON in the Secret manifest), or I might have misconfigured something. I'd appreciate it if someone could help, please.

To Reproduce

Expected behavior

Version

v2.9.3+6eba5be

Logs

level=error msg="could not unmarshal cluster secret aks-workload-dev-secret"

1aziz commented 10 months ago

So, it seems I should use the kubelogin command directly:

apiVersion: v1
kind: Secret
metadata:
  name: aks-workload-dev-secret
  namespace: argocd
stringData:
  config: |
    {
      "execProviderConfig": {
        "command": "kubelogin",
        "args": [
          "get-token",
          "--login=msi",
          "--server-id=REDACTED",
          "--client-id= REDACTED"
        ],
        "apiVersion": "client.authentication.k8s.io/v1beta1"
      },
      "tlsClientConfig": {
        "insecure": false,
        "caData": REDACTED
      }
    }
  name: aks-workload-dev
  server: REDACTED
type: Opaque

teemusale commented 1 month ago

With the msi login flow, kubelogin does not use AZURE_CLIENT_ID. It seems you need to place the client id in AAD_SERVICE_PRINCIPAL_CLIENT_ID instead. Perhaps the msi login flow should be added to the documentation as well.

---
apiVersion: v1
kind: Secret
metadata:
  labels:
    argocd.argoproj.io/secret-type: cluster
  name: aks-workload-dev-secret-manual
  namespace: argocd
stringData:
  config: |
    {
      "execProviderConfig": {
        "command": "argocd-k8s-auth",
        "env": {
          "AAD_SERVICE_PRINCIPAL_CLIENT_ID": REDACTED,
          "AAD_LOGIN_METHOD": "msi"
        },
        "args": ["azure"],
        "apiVersion": "client.authentication.k8s.io/v1beta1"
      },
      "tlsClientConfig": {
        "insecure": true,
        "caData": REDACTED
      }
    }
  name: aks-workload-dev
  server: REDACTED
type: Opaque
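
The "could not unmarshal cluster secret" error in the opening post is raised when the JSON in the Secret's `config` value does not parse, and teemusale's comment points out a second, silent failure: the msi flow reads the client id from `AAD_SERVICE_PRINCIPAL_CLIENT_ID`, not `AZURE_CLIENT_ID`. The Go program below is an added example, not Argo CD's or kubelogin's code: it decodes a `config` value into a simplified mirror of the fields Argo CD reads (the struct is an assumption for the example, not Argo CD's own type), reports a parse error the way the controller does, and lints the parsed result for the two problems discussed in this thread plus the `insecure: true` setting in the first manifest, which turns off API-server certificate verification and makes the supplied `caData` pointless. The two sample configs are constructed; the unquoted `REDACTED` in the broken one only illustrates one way to get a parse error, since the real values were redacted before posting.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of the fields Argo CD reads from a cluster Secret's "config" value.
// Simplified mirror written for this example; not Argo CD's own type.
type ExecProviderConfig struct {
	Command    string            `json:"command"`
	Args       []string          `json:"args"`
	Env        map[string]string `json:"env"`
	APIVersion string            `json:"apiVersion"`
}

type TLSClientConfig struct {
	Insecure bool   `json:"insecure"`
	CAData   string `json:"caData"`
}

type ClusterConfig struct {
	ExecProviderConfig *ExecProviderConfig `json:"execProviderConfig"`
	TLSClientConfig    TLSClientConfig     `json:"tlsClientConfig"`
}

// Constructed sample with the shape of the thread's first Secret; the redacted
// values are replaced by obvious placeholders so the JSON parses.
const WorkingSample = `{
  "execProviderConfig": {
    "command": "argocd-k8s-auth",
    "env": {"AZURE_CLIENT_ID": "00000000-0000-0000-0000-000000000000", "AAD_LOGIN_METHOD": "msi"},
    "args": ["azure"],
    "apiVersion": "client.authentication.k8s.io/v1beta1"
  },
  "tlsClientConfig": {"insecure": true, "caData": "PLACEHOLDER-BASE64-CA"}
}`

// Constructed sample where a value was pasted unquoted. This is not valid JSON,
// which is one way to end up with "could not unmarshal cluster secret".
const BrokenSample = `{
  "execProviderConfig": {
    "command": "argocd-k8s-auth",
    "env": {"AZURE_CLIENT_ID": REDACTED, "AAD_LOGIN_METHOD": "msi"},
    "args": ["azure"],
    "apiVersion": "client.authentication.k8s.io/v1beta1"
  },
  "tlsClientConfig": {"insecure": true, "caData": REDACTED}
}`

// LintClusterConfig parses a config value and returns the decoded config plus
// findings a reviewer should act on. A non-nil error means the JSON itself
// does not parse, which is the failure reported in the issue.
func LintClusterConfig(raw string) (*ClusterConfig, []string, error) {
	var cfg ClusterConfig
	if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
		return nil, nil, fmt.Errorf("could not unmarshal cluster config: %w", err)
	}
	var findings []string
	exec := cfg.ExecProviderConfig
	if exec == nil {
		findings = append(findings, "no execProviderConfig: no exec credential plugin will run for this cluster")
	} else {
		if exec.Command == "" {
			findings = append(findings, "execProviderConfig.command is empty")
		}
		if exec.APIVersion != "client.authentication.k8s.io/v1beta1" && exec.APIVersion != "client.authentication.k8s.io/v1" {
			findings = append(findings, "execProviderConfig.apiVersion is not a client.authentication.k8s.io version")
		}
		// The msi flow reads the client id from AAD_SERVICE_PRINCIPAL_CLIENT_ID,
		// as noted in the thread; AZURE_CLIENT_ID is not consulted.
		if exec.Env["AAD_LOGIN_METHOD"] == "msi" {
			if _, ok := exec.Env["AAD_SERVICE_PRINCIPAL_CLIENT_ID"]; !ok {
				findings = append(findings, "AAD_LOGIN_METHOD=msi without AAD_SERVICE_PRINCIPAL_CLIENT_ID (AZURE_CLIENT_ID is not read by this flow)")
			}
		}
	}
	if cfg.TLSClientConfig.Insecure {
		msg := "tlsClientConfig.insecure=true disables API-server certificate verification"
		if cfg.TLSClientConfig.CAData != "" {
			msg += "; caData is provided, so set insecure to false and let it be verified"
		}
		findings = append(findings, msg)
	}
	return &cfg, findings, nil
}

// HasFinding reports whether any finding contains the given fragment.
func HasFinding(findings []string, fragment string) bool {
	for _, f := range findings {
		if strings.Contains(f, fragment) {
			return true
		}
	}
	return false
}

func main() {
	for _, s := range []struct{ name, raw string }{{"working", WorkingSample}, {"broken", BrokenSample}} {
		cfg, findings, err := LintClusterConfig(s.raw)
		if err != nil {
			fmt.Printf("%s: %v\n", s.name, err)
			continue
		}
		fmt.Printf("%s: command=%s args=%v\n", s.name, cfg.ExecProviderConfig.Command, cfg.ExecProviderConfig.Args)
		for _, f := range findings {
			fmt.Printf("  - %s\n", f)
		}
	}
}
```

Run it against the decoded `config` string of any cluster Secret (for example the output of `kubectl get secret <name> -n argocd -o jsonpath='{.data.config}' | base64 -d`) before applying the manifest; a parse error here is the same error the controller will log, and the findings are the misconfigurations discussed above.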

andrii-korotkov-verkada commented 2 weeks ago

ArgoCD versions 2.10 and below have reached EOL. Can you upgrade and let us know if the issue is still present, please?