Problem ingress deployment creation, on AKS, has been deprecated controller.podLabels.aadpodidbinding=mi-devxxx and this will be replaced with Azure AD Workload Identity

[silandrew]

Problem ingress deployment creation, on AKS, has been deprecated controller.podLabels.aadpodidbinding=mi-devxxx and replaced with Azure AD Workload Identity :

depicted pod identity on AKS this is replaced by Azure AD Workload Identity:

NGINX Ingress controller version ingress-nginx- chart ver 4.2.5 app ver 1.3.1 (exec into the pod and run nginx-ingress-controller --version.):

Kubernetes version 124.3 (use kubectl version):

Environment Azurte AKS:

• Cloud provider Azuren:

• OS Ubuntu /etc/os-release):

• How was the ingress-nginx-controller installed:

  • If helm was used then please show output of helm ls -A | grep -i ingress

  helm install ingress-nginx/ingress-nginx --generate-name --namespace=portal-dev --set controller.replicaCount=3 --set controller.nodeSelector."beta.kubernetes.io/os"=linux --set defaultBackend.nodeSelector."beta.kubernetes.io/os"=linux --set controller.service.annotations."service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path"=/healthz --set controller.podLabels.aadpodidbinding=mi-aks-dev-01 -f - <<EOF controller: extraVolumes:

  • name: secrets-store-inline csi: driver: secrets-store.csi.k8s.io readOnly: true volumeAttributes: secretProviderClass: "ingress-tls" #name of the SecretProviderClass we created above

  extraVolumeMounts:

  • name: secrets-store-inline mountPath: "/mnt/secrets-store" readOnly: true EOF

• Current State of the controller:

  • kubectl describe ingressclasses nginx
  • ubectl describe ingressclasses nginx Name: nginx Labels: app.kubernetes.io/component=controller app.kubernetes.io/instance=ingress-nginx-1667572589 app.kubernetes.io/managed-by=Helm app.kubernetes.io/name=ingress-nginx app.kubernetes.io/part-of=ingress-nginx app.kubernetes.io/version=1.3.1 helm.sh/chart=ingress-nginx-4.2.5 Annotations: meta.helm.sh/release-name: ingress-nginx-1667572589 meta.helm.sh/release-namespace: portal-dev Controller: k8s.io/ingress-nginx Events:

• Current state of ingress object, if applicable:

  • kubectl -n <appnnamespace> get all,ing -o wide
  • ubectl -n portal-dev get all,ing -o wide error: unable to match a printer suitable for the output format "wide", allowed formats are: custom-columns,custom-columns-file,go-template,go-template-file,json,jsonpath,jsonpath-as-json,jsonpath-file,name,template,templatefile,wide,yaml

As minimally and precisely as possible. Keep in mind we do not have access to your cluster or application. Help up us (if possible) reproducing the issue using minikube or kind.

Install minikube/kind

• Minikube https://minikube.sigs.k8s.io/docs/start/
• Kind https://kind.sigs.k8s.io/docs/user/quick-start/

Install the ingress controller

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/baremetal/deploy.yaml

Install an application that will act as default backend (is just an echo app)

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/http-svc.yaml

Create an ingress (please add any additional annotation required)

echo " apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: xxxxxx namespace: xxxx annotations:

kubernetes.io/ingress.allow-http: "false"

# defines controller implementing this ingress resource: https://docs.microsoft.com/en-us/azure/dev-spaces/how-to/ingress-https-traefik
# ingress.class annotation is being deprecated in Kubernetes 1.18: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation
# For backwards compatibility, when this annotation is set, precedence is given over the new field ingressClassName under spec.
kubernetes.io/ingress.class: nginx
#kubernetes.io/ingress.allow-http: "false"
#nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/use-forwarded-headers: "true"
nginx.ingress.kubernetes.io/enable-real-ip: "true"
nginx.ingress.kubernetes.io/compute-full-forwarded-for: "true"
nginx.ingress.kubernetes.io/proxy-add-original-uri-header: "true"    
nginx.ingress.kubernetes.io/affinity: cookie
nginx.ingress.kubernetes.io/affinity-mode: persistent
nginx.ingress.kubernetes.io/proxy-body-size: 1024m
#traefik.ingress.kubernetes.io/router.entrypoints: websecure
# traefik.ingress.kubernetes.io/router.tls: "true"
# traefik.ingress.kubernetes.io/router.tls.options: default
# traefik.ingress.kubernetes.io/router.middlewares: gzip-compress@file

spec:

ingressClassName: "traefik-internal"

tls:

• hosts:
  • "*.xxx" secretName: ingress-tls-csi
    rules:
• host: "*xxxxx" http: paths:
  • path: / pathType: Prefix backend: service:
    name: xxxx port: number: 80

    ---

make a request

--->

Anything else we need to know:

this replace pod identity az aks update -g rg-aks-xxx -n aks-xxx2 --enable-managed-identity --assign-identity xxxxxxxxxx

[k8s-ci-robot]

@silandrew: This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

[longwuyuan]

/remove-kind bug /help /kind support

[k8s-ci-robot]

@longwuyuan: This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

• Why are we solving this issue?
• To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
• Does this issue have zero to low barrier of entry?
• How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.

In response to [this](https://github.com/kubernetes/ingress-nginx/issues/9256): >/remove-kind bug >/help >/kind support Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

[longwuyuan]

This is 2 years old now and there have been changes to AKS install as well as K8S specs since then.

I don't know what this "ontroller.podLabels.aadpodidbinding=mi-aks-dev-01" but whatever it is is heavily relying on Azure and AKS. So its less likely to be any code in the controller itself.

In any case to take any action now, the install has to be attempted again on AKS and the precise detailed elaborate information on the problem to install needs to be posted here.

There are several Azure users currently as per issues posted in the last 2 years and so its not likely that there is a problem in the controller per se for installing on AKS.

If there is a problem, please post the data as requested so that someone can analyze and comment. Hence closing this issue now as there is no current action item being tracked here and this is just adding to the tally of open issues, without tracking any action item.

/close

[k8s-ci-robot]

@longwuyuan: Closing this issue.

In response to [this](https://github.com/kubernetes/ingress-nginx/issues/9256#issuecomment-2336624290): >This is 2 years old now and there have been changes to AKS install as well as K8S specs since then. > >I don't know what this `"ontroller.podLabels.aadpodidbinding=mi-aks-dev-01"` but whatever it is is heavily relying on Azure and AKS. So its less likely to be any code in the controller itself. > >In any case to take any action now, the install has to be attempted again on AKS and the precise detailed elaborate information on the problem to install needs to be posted here. > >There are several Azure users currently as per issues posted in the last 2 years and so its not likely that there is a problem in the controller per se for installing on AKS. > >If there is a problem, please post the data as requested so that someone can analyze and comment. Hence closing this issue now as there is no current action item being tracked here and this is just adding to the tally of open issues, without tracking any action item. > >/close Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.