Open cilerler opened 1 year ago
Hi @cilerler, can you please help with the following:
containerappName
and environmentName
? I was able to find one resource with cAppName spiderman-api
and environmentName thankfulsmoke-3a10a192
under the same subscription with similar errors. But it seems to be created on 2023-10-23T12:57:47.308294
(the logs shared above are of 2023-10-21
). Also in this case, the errors are because dapr is shutting down before the Get Calls are being made and so the failures:
Hi @cilerler, can you please help with the following:
- When you are running in local, you are connecting to the same App config store resource right? What's the authentication mechanism are you using in local?
- It possibly might be the access issue i.e., App config store not accessible from the app. Please re-verify if the managed identity is setup correctly.
- Can you provide with the
containerappName
andenvironmentName
? I was able to find one resource with cAppNamespiderman-api
and environmentNamethankfulsmoke-3a10a192
under the same subscription with similar errors. But it seems to be created on2023-10-23T12:57:47.308294
(the logs shared above are of2023-10-21
). Also in this case, the errors are because dapr is shutting down before the Get Calls are being made and so the failures:
I can see another capps environment on the mentioned time kindcoast-bd7979a0
with the same logs. can you confirm if this is the one where you saw the errors mentioned in the issue? Here also Dapr shuts down first and then Get call is being made, and so it fails.
Thank you very much for looking into this. π€
(3) Here are all the names and types I don't recall thanksfulsmoke
or kindcoast
and I do not see it in my list
(1) In my local DAPR, I'm not connecting to Azure; I do use local Redis. But when I use the regular credentials against Azure App Configuration via LinqPad, it works.
(2) I found an ugly workaround:
and it worked.
So I'm not sure why it is happening, but it is a persistent issue. I'm using Terraform to create it all, and I'm now 100% able to reproduce the issue and the workaround. I can share the Terraform script with you if it helps.
Yeah Please share the Terraform script. I will try to repro the same on my end.
I added it to the same repo above
the steps needs to be follow to reproduce the issue are below, and if you prefer I can join you for screenshare. all the commands exists in the readme in the link above.
init
terraformapply
terraformoutput
terraform credentials and registry nameclone
the repository on githubcongratulations π₯³ π
I added it to the same repo above
the steps needs to be follow to reproduce the issue are below, and if you prefer I can join you for screenshare. all the commands exists in the readme in the link above.
init
terraformapply
terraformoutput
terraform credentials and registry nameclone
the repository on github- add credentials and registry name to the secrets of the github
- trigger manual action to deploy the image
congratulations π₯³ π
I am able to repro the issue. Looking into it further.
hi, i;m experiencing the same issue. It works with keyvault, but not with config.
hi, i;m experiencing the same issue. It works with keyvault, but not with config.
Do you mean to sya using AKV as a secretstore is working, but AAC as a configstore is not?
I added it to the same repo above
the steps needs to be follow to reproduce the issue are below, and if you prefer I can join you for screenshare. all the commands exists in the readme in the link above.
init
terraformapply
terraformoutput
terraform credentials and registry nameclone
the repository on github- add credentials and registry name to the secrets of the github
- trigger manual action to deploy the image
congratulations π₯³ π
@cilerler The workaround doesn't seem to be working for me though yet. We can get into a call to discuss if that's okay. Pinged you on Discord.
hi, i;m experiencing the same issue. It works with keyvault, but not with config.
Do you mean to sya using AKV as a secretstore is working, but AAC as a configstore is not?
Exactly. Workaround is also not working for me.
@chielos24, I just demonstrated it to @shivamkm07 and proved that the workaround is effective for the issue I reported. One suggestion I would make is that the order of steps is important:
Great, will try this!
But i am looking for a future proof solution. I am building a production system, that is constantly updated via CI/CD pipelines. Any idea on why this is happening? Is it a timing issue?
I have no idea. But I'm looking forward to @shivamkm07's update.
Update:
ChainedTokenCredential: failed to acquire a token. Attempted credentials: managed identity AzureCLICredential: fork/exec /bin/sh: no such file or directory
. Even on restarting and Adding the Key in configuration store, still got the same error and after some more restarts, the correct error i.e. failed to get key...
. It seems non-deterministic. There were runs when I didn't get this error at all. (Note here I hadn't deleted and re-created the component, that fixes the issue, yes!)So, in essence, the error only surfaces when we are deploying application with Terraform and using Managed identity. And again, as the workaround says, the same deployment, on manually re-creating the component fixes the issue.
Thanks for your efforts and willingness to help uncover the real reason. I wonder if this would happen when running CLI commands. As far as I know, Terraform uses az
behind the scenes, so could it be something in the CLI? Regardless, I will reach out to the Terraform repo and link to this issue. Thank you very much again.
[!Note] I will keep the issue open until one of us confirms that it is working with
az
UPDATED According to Microsoft's article, it should actually work just fine. I don't think this is an issue on Terraform's end.
I believe the issue is that the CLI doesn't directly support creating Azure components, and that's likely the issue. ~So, Terraform team probably came up with a solution to make it work, but it seems it's not working as expected.~
@shivamkm07 what do you think about it?
Actually i am not using TF, i'm using regular azure cli
That's even better, it simply removes the terraform from the equation. Can you share your YAML with us to use below?
az containerapp env dapr-component set -g $deploymentResourceGroup -n $deploymentContainerAppEnvironment --dapr-component-name "configuration" --yaml ""
That's even better, it simply removes the terraform from the equation. Can you share your YAML with us to use below?
az containerapp env dapr-component set -g $deploymentResourceGroup -n $deploymentContainerAppEnvironment --dapr-component-name "configuration" --yaml ""
Yeah @chielos24 Can you share the steps that you are doing? I was also thinking terraform might have some issue here but seems it's not
We initial setup with (.. are removed):
az containerapp create \
--name backoffice-api \
--resource-group .. \
--environment .. \
--image ../container/backoffice-api:latest \
--registry-server .. \
--registry-username .. \
--registry-password .. \
--user-assigned .. \
--min-replicas 1 \
--max-replicas 1 \
--dapr-app-id backoffice-api \
--enable-dapr \
--dapr-app-port 80
az containerapp up \
--name backoffice-api \
--resource-group .. \
--image ../container/backoffice-api:latest \
--environment .. \
--registry-server .. \
--logs-workspace-id .. \
--logs-workspace-key .. \
--registry-username .. \
--registry-password .. \
--service-principal-client-id .. \
--service-principal-client-secret j.. \
--service-principal-tenant-id ..
And Component
az containerapp env dapr-component set \
--name .. \
--resource-group .. \
--yaml ./dapr/config.yaml \
--dapr-component-name ..-config
config.yaml
componentType: configuration.azure.appconfig
version: v1
metadata:
- name: host
value: https://<appcs>.azconfig.io
- name: azureTenantId
value: ".."
- name: azureClientId
value: ".."
scopes:
- backoffice-api
CI/CD via Azure Devops:
az containerapp update -n backoffice-api -g <rg> -i n<cr>/container/backoffice-api:latest
/edit should be correct now.
I'm not sure if it makes any difference, but the first thing I see is config.yml is different, are you sure that it is a valid syntax?
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
name: <NAME>
spec:
type: configuration.azure.appconfig
version: v1
metadata:
- name: host # host should be used when Azure Authentication mechanism is used.
value: <HOST>
- name: connectionString # connectionString should not be used when Azure Authentication mechanism is used.
value: <CONNECTIONSTRING>
- name: maxRetries
value: # Optional
- name: retryDelay
value: # Optional
- name: maxRetryDelay
value: # Optional
- name: azureEnvironment # Optional, defaults to AZUREPUBLICCLOUD
value: "AZUREPUBLICCLOUD"
# See authentication section below for all options
- name: azureTenantId # Optional
value: "[your_service_principal_tenant_id]"
- name: azureClientId # Optional
value: "[your_service_principal_app_id]"
- name: azureCertificateFile # Optional
value : "[pfx_certificate_file_fully_qualified_local_path]"
- name: subscribePollInterval # Optional
value: #Optional [Expected format example - 30s]
yeah, something is up with that.
And i just something else. I tried to create the app config via the portal. And it did not allow me to use dashes in the component name i had "companyname-productname-config" and that did work via CLI, but portal did not.
Retrying now with only "config"
edit..
Apparently that was the trick for me.. So no dashes.
edit2. Not sure yet, still working on it.
i'm sort of stable now. When re-creating the api (delete, create and up) my config stays, and i can access some keys.
however, when i ask a couple of keys like:
var keys = new List<string>() {
"ConnectionStrings:AccountsDb",
"AzureAd",
"AzureAdB2C:ApplicationId",
"AzureAdB2C:ApplicationSecret",
"AzureAdB2C:ExtensionId",
"AzureAdB2C:TenantId",
"MicrosoftDynamics"
};
Then the 5th key is not working anymore, and i get the same error. Tried to do it in seperate calls (chunks of 4) did not help me. No idea why, is there a way to get more logging.
The strange thing also, is that when doing AKS, i had this solution working, even with 12 keys.
@chielos24 Great news. However, to keep things focused, please open a new issue for your concern. It's not related to the initial issue we're addressing anymore.
That said, here's a head start for you: If you need more logs, feel free to enable DAPR logs, and don't forget to set it to 'Debug' as shown below.
Thanks! Will do!
Update:
To narrow down the issue, I used a pre-existing managed identity resource and pre-created configuration store(with Test
key added already) and then used both Terraform and az cli to create just the ACA environment, app and the Dapr component.
The terraform script that I used:
terraform {
required_version = ">=1.0"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 3.0"
}
random = {
source = "hashicorp/random"
version = ">= 3.4.0"
}
}
}
provider "random" {}
provider "azurerm" {
features {
key_vault {
purge_soft_delete_on_destroy = true
recover_soft_deleted_key_vaults = true
}
}
}
variable "environment" {
type = string
default = "development"
}
variable "environment_variable_name" {
type = string
default = "ASPNETCORE_ENVIRONMENT"
}
variable "location" {
type = string
default = "eastus"
}
variable "data_location" {
type = string
default = "United States"
}
variable "app_code_name" {
type = string
}
variable "container_app_environment" {
type = string
}
variable "container_app_suffix_api" {
type = string
}
locals {
resource_group_name = "${var.app_code_name}-${var.environment}"
container_app_api = "${var.app_code_name}-${var.container_app_suffix_api}"
}
data "azurerm_client_config" "current" {}
resource "azurerm_resource_group" "environment" {
name = local.resource_group_name
location = var.location
}
resource "azurerm_container_app_environment" "container_app_environment" {
name = var.container_app_environment
location = azurerm_resource_group.environment.location
resource_group_name = azurerm_resource_group.environment.name
}
resource "azurerm_container_app_environment_dapr_component" "dapr_component_configurationstore" {
name = "configuration"
container_app_environment_id = azurerm_container_app_environment.container_app_environment.id
component_type = "configuration.azure.appconfig"
version = "v1"
metadata {
name = "host"
value = "<CONFIG_STORE_HOST>"
}
metadata {
name = "azureClientId"
value = "<IDENTITY_CLIENT_ID>"
}
scopes = [
var.container_app_suffix_api
]
}
resource "azurerm_container_app" "container_app_api" {
name = local.container_app_api
resource_group_name = azurerm_resource_group.environment.name
container_app_environment_id = azurerm_container_app_environment.container_app_environment.id
revision_mode = "Single"
template {
container {
name = var.container_app_suffix_api
image = "<IMAGE>"
cpu = 0.25
memory = "0.5Gi"
}
min_replicas = 1
max_replicas = 1
}
lifecycle {
ignore_changes = [
template[0].container[0].image,
]
}
dapr {
app_id = var.container_app_suffix_api
app_port = 80
app_protocol = "grpc"
}
}
The equivalent az cli script that I used is below:
RESOURCE_GROUP=<RG_NAME>
LOCATION=>LOCATION>
CONTAINERAPPS_ENVIRONMENT=<ENV_NAME>
az group create --name $RESOURCE_GROUP --location $LOCATION
az containerapp env create --name $CONTAINERAPPS_ENVIRONMENT --resource-group $RESOURCE_GROUP --location "$LOCATION"
az containerapp env dapr-component set --name $CONTAINERAPPS_ENVIRONMENT --resource-group $RESOURCE_GROUP --dapr-component-name configuration --yaml configuration.yaml
IDENTITY_ID=$(az identity show -n "<IDENTITY_NAME>" --resource-group "<IDENTITY_RG>" --query id | tr -d \")
az containerapp create --name myapp --resource-group $RESOURCE_GROUP --user-assigned $IDENTITY_ID --environment $CONTAINERAPPS_ENVIRONMENT --image <IMAGE> --min-replicas 1 --max-replicas 1 --enable-dapr --dapr-app-id myapp --dapr-app-port 80 --dapr-app-protocol grpc
configuration.yaml
referred above is this:
componentType: configuration.azure.appconfig
version: v1
metadata:
- name: host # host should be used when Azure Authentication mechanism is used.
value: "<CONFIG_STORE_HOST>"
- name: azureClientId # Optional
value: "<IDENTITY_CLIENT_ID>"
scopes:
- myapp
The two scripts should ideally do the same work, as both use same identity resource and same configuration store, with similar settings. However, the Terraform script reproduced the error mentioned in description but az cli worked fine fetching data correctly. I repeated above excercise multiple times with both terraform and az cli, and got same result.
From above, it doesn't look like there is any issue from Dapr side. @torosent can you please take a look at it? It seems the issue is either in Terraform or some internal ACA management.
@shivamkm07 CC:@torosent
I don't think your test is correct. I created exact match here using AZ CLI and PowerShell, and I have the same issue. The same workaround works for it.
~I think the reason you believe it's working is most likely because you didn't delete the DAPR configuration in the environment, between deployments, which definitely makes it work next time.~
I've discovered why yours is working. You have the --user-assigned
line, which doesn't exist in either the Terraform script or CLI script I created. When I include that line, it works just fine. Without it, the issue occurs, and I need to apply the workaround to make it work. But that shouldn't be defined in there, it should be (and it is already) in DAPR component.
BUG REPORT: Failed to get [
<key>
] from Configuration store<configstorename>
: context deadline exceededIssue description
I'm trying to use DAPR with ACA. I created a lean example that attempts to access DAPR through both URL and SDK to retrieve configuration settings. It works on my local machine without any issues, but on Azure, it gives a context deadline exceeded error with the SDK and a 500 error with the URL.
Steps to reproduce
You can use the same sample project I use.
Update the GitHub repository settings to deploy it via the action.
CONTAINER_APP_NAME_PREFIX
action variable e.g.HelloDapr
AZURE_CONTAINERREGISTRY
action secret e.g.<YOURREGISTRY>.azurecr.io
Set
AZURE_CREDENTIALS
action secret e.g.EXPECTED BEHAVIOR
It should retrieve the key via HTTP and GRPC.
ACTUAL BEHAVIOR
500 (Internal Server Error)
context deadline exceeded
LOGS
CONSOLE
APP
DAPR
SCREENSHOTS
ON LOCAL
β Working as expected
ON AZURE CONTAINER APPS
β Not working
ADDITIONAL CONTEXT
DAPR SETUP
CONFIGSTORE SETUP
CONFIG ENTRY
CREDENTIALS