Closed au2001 closed 1 year ago
Is there any update on this? I see it's possible with Azure Bicep and Pulumi it would be a tremendous help to have this available for Terraform. It would help facilitate the bootstrapping of clusters with applications.
GitOps AKS extension is now GA (announcement)
any update on this?
Also looking for this!
I got tired of waiting for support within the resource and decided to go with a local_exec provisioner for the time being. I'll share my solution, if anyone is interested.
provisioner "local-exec" {
interpreter = ["pwsh", "-Command"]
command = <<-EOT
. az login --service-principal -u $Env:ARM_CLIENT_ID -p $Env:ARM_CLIENT_SECRET --tenant $Env:ARM_TENANT_ID
. az account set --subscription $env:ARM_SUBSCRIPTION_ID
$maxWaitSeconds = 1800
$counter = 0
$interval = 30
. az provider register --namespace Microsoft.Kubernetes
. az provider register --namespace Microsoft.ContainerService
. az provider register --namespace Microsoft.KubernetesConfiguration
start-sleep -seconds 15
while ((. az provider show -n Microsoft.KubernetesConfiguration -o json | convertfrom-json).registrationState -ne "Registered" -and ($counter -lt $maxWaitSeconds) ) {
Write-Host "Registering Kubernetes Configuration Provider for $counter seconds."
start-sleep -seconds $interval
$counter = $counter + $interval
}
Write-Host "Successfully installed Kubernetes Configuration Provider for subscription. Installing CLI Extensions..."
. az extension add -n k8s-configuration
. az extension add -n k8s-extension
Start-Sleep -Seconds 120
. az k8s-configuration flux create -g ${var.resource_group_name} --cluster-name ${azurerm_kubernetes_cluster.aks.name} --cluster-type managedClusters --name flux-main --scope cluster --namespace default --kind git --url ${var.flux_url} --branch ${var.flux_branch} --https-user git --https-key ${var.flux_pat} --kustomization name=main path=${var.flux_path} prune=true
EOT
}
@techdecline, ill suggest to use the azapi
provider instead of using local-exec.
I did it like this:
resource "azapi_resource" "flux_addon" {
type = "Microsoft.KubernetesConfiguration/extensions@2022-03-01"
name = "flux"
parent_id = azurerm_kubernetes_cluster.main.id
locks = [azurerm_kubernetes_cluster.main.id]
body = jsonencode({
properties = {
extensionType = "microsoft.flux"
autoUpgradeMinorVersion = true
}
})
timeouts {
create = "20m"
}
}
resource "azapi_resource" "flux_config" {
type = "Microsoft.KubernetesConfiguration/fluxConfigurations@2022-03-01"
name = "cluster-config"
parent_id = azurerm_kubernetes_cluster.main.id
depends_on = [
azapi_resource.flux_addon
]
body = jsonencode({
properties = {
scope = "cluster"
namespace = "flux-system"
sourceKind = "GitRepository"
suspend = false
gitRepository = {
url = local.gitops_repo_url
timeoutInSeconds = 120
syncIntervalInSeconds = 120
repositoryRef = {
branch = var.gitOpsSettings.branchName
}
httpsUser = var.gitOpsSettings.httpsUser
}
configurationProtectedSettings = {
httpsKey = sensitive(base64encode(var.gitOpsSettings.httpsPassword))
}
kustomizations = {
shared = {
path = "cluster-config/shared"
timeoutInSeconds = 600
syncIntervalInSeconds = 60
retryIntervalInSeconds = 60
prune = false
force = false
}
applications = {
path = "cluster-config/applications"
dependsOn = ["shared"]
timeoutInSeconds = 600
syncIntervalInSeconds = 60
retryIntervalInSeconds = 60
prune = false
force = false
}
}
}
})
Hey @tiwood, this is much cleaner, thanks for sharing. Any experience how this behaves when deploying and destroying the module multiple times?
@techdecline , no issues with a blank cluster development and destruction.
I've seen some instances, where the destruction of the flux_config
ran into an timeout, which was either due to destroyed firewall rules and/or deployments not cleaning up (deployments made by flux).
But I've seen the same with the native AKS resources if deployments, stateful sets, etc. are still present during destruction.
FWIW, I've captured the API requests made by the CLI if you enable GitOps, that is how I got to properties/defintion above.
Will this create any Python dependencies for installing the Azure CLI extensions?
@techdecline, ill suggest to use the
azapi
provider instead of using local-exec.
I tried this, along with a plain azurerm_kubernetes_cluster_extension
resource, but I'm getting the following error;
ExtensionOperationFailed: The received access token is not valid: at least one of the claims 'puid' or 'altsecid' or 'oid' should be present. If you are accessing as application please make sure service principal is properly created in the tenant.
Full error
β Error: creating/updating "Resource: (ResourceId \"/subscriptions/e121f1ae-b316-1b3d-bc3b-c05782ba71b8/resourceGroups/rg-example-kclsr1-aks-resources-dev-euw/providers/Microsoft.ContainerService/managedClusters/aks-example-kclsr1-dev-euw/providers/Microsoft.KubernetesConfiguration/extensions/flux\" / Api Version \"2022-11-01\")": GET https://management.azure.com/subscriptions/e121f1ae-b316-1b3d-bc3b-c05782ba71b8/resourceGroups/rg-example-kclsr1-aks-resources-dev-euw/providers/Microsoft.ContainerService/ManagedClusters/aks-example-kclsr1-dev-euw/providers/Microsoft.KubernetesConfiguration/extensions/flux/operations/8d772ea2-b10b-4a3e-9478-3cb8b45b3b45
β --------------------------------------------------------------------------------
β RESPONSE 200: 200 OK
β ERROR CODE: ExtensionOperationFailed
β --------------------------------------------------------------------------------
β {
β "id": "/subscriptions/e121f1ae-b316-1b3d-bc3b-c05782ba71b8/resourceGroups/rg-example-kclsr1-aks-resources-dev-euw/providers/Microsoft.ContainerService/ManagedClusters/aks-example-kclsr1-dev-euw/providers/Microsoft.KubernetesConfiguration/extensions/flux/operations/8d772ea2-b10b-4a3e-9478-3cb8b45b3b45",
β "name": "8d772ea2-b10b-4a3e-9478-3cb8b45b3b45",
β "status": "Failed",
β "error": {
β "code": "ExtensionOperationFailed",
β "message": "The extension operation failed with the following error: Request failed to https://management.azure.com/subscriptions/e121f1ae-b316-1b3d-bc3b-c05782ba71b8/resourceGroups/rg-example-kclsr1-aks-resources-dev-euw/providers/Microsoft.ContainerService/managedclusters/aks-example-kclsr1-dev-euw/extensionaddons/flux?api-version=2021-03-01. Error code: Unauthorized. Reason: Unauthorized.{\"error\":{\"code\":\"InvalidAuthenticationToken\",\"message\":\"The received access token is not valid: at least one of the claims 'puid' or 'altsecid' or 'oid' should be present. If you are accessing as application please make sure service principal is properly created in the tenant.\"}}.",
β "additionalInfo": []
β }
β }
β --------------------------------------------------------------------------------
β
β
β with module.kclsr1[0].azapi_resource.flux_addon,
β on .terraform/modules/kclsr1/flux.tf line 16, in resource "azapi_resource" "flux_addon":
β 16: resource "azapi_resource" "flux_addon" {
β
The application has sufficient permissions to create the underlying AKS cluster and the subscription in question has Microsoft.ContainerService
, Microsoft.Kubernetes
and Microsoft.KubernetesConfiguration
registered as providers.
Any idea to what may cause this error?
Thanks!
Edit
Seems to be fixed in version 3.65.0
With the release of azurerm_kubernetes_cluster_extension
we should no longer need the azapi provider, or am I missing something?
@tiwood i played with it a bit and it looks like azurerm_kubernetes_cluster_extension
can install the flux cluster extension fine but not the fluxconfiguration.
Additionally, if you add a fluxconfiguration with some other way (az cli), terraform can no longer destroy the extension.
@tiwood i played with it a bit and it looks like
azurerm_kubernetes_cluster_extension
can install the flux cluster extension fine but not the fluxconfiguration. Additionally, if you add a fluxconfiguration with some other way (az cli), terraform can no longer destroy the extension.
Dealing with this now, it's a real pain
Closed by #21579
I have the same issue, I'm able to install flux but not add the flux configuration. I have to do the configuration with flux bootstrap command.
Also, this is not happening to me:
This is done with the Microsoft.KubernetesConfiguration/extensions/microsoft.flux cluster extension which is automatically installed when creating a Microsoft.KubernetesConfiguration/fluxConfigurations resource.
if I use Microsoft.KubernetesConfiguration/fluxConfigurations never it installs the extension, I'm in an infinite loop.
Closed by #21579
Maybe I am missing something but it doesnβt seem like βpruneβ was included in the PR even though it is in the azure documentation. I donβt see it on the TF documentation and when I try to add it by assuming where it should be I get errors
man I missing something?
I'm going to lock this issue because it has been closed for 30 days β³. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Community Note
Description
AKS managed clusters have a preview feature to install Flux v2. This is done with the
Microsoft.KubernetesConfiguration/extensions/microsoft.flux
cluster extension which is automatically installed when creating aMicrosoft.KubernetesConfiguration/fluxConfigurations
resource. The latter is the one which would be nice to be able to control with this Terraform provider.New or Affected Resource(s)
azurerm_kubernetes_configuration_flux
Potential Terraform Configuration
References