
On enabling workload identity the client secret and client key are not generated #503

Open
1 task done
prajwaldc600 opened this issue Feb 7, 2024 · 2 comments
Labels
bug Something isn't working

@prajwaldc600

Is there an existing issue for this?

  • I have searched the existing issues

Greenfield/Brownfield provisioning

greenfield

Terraform Version

1.7.2

Module Version

7.5.0

AzureRM Provider Version

3.8.0

Affected Resource(s)/Data Source(s)

azurerm_kubernetes_cluster

Terraform Configuration Files

resource "tls_private_key" "k8s_ssh_key" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "azurerm_kubernetes_cluster" "k8s" {
  name                = "test-aks-cluster"
  location            = "westus3"
  resource_group_name = "test-rg"
  dns_prefix          = "test-aks-cluster"
  role_based_access_control_enabled = true
  
  oidc_issuer_enabled = true
  workload_identity_enabled = true
  local_account_disabled = true

  linux_profile {
    admin_username = "testuser"
    ssh_key {
      key_data = tls_private_key.k8s_ssh_key.public_key_openssh
    }
  }

  default_node_pool {
    name       = "default"
    node_count = 3
    vm_size    = "Standard_D2_v2"
    os_sku = "AzureLinux"
    temporary_name_for_rotation = "temp"
  }

  identity {
    type = "SystemAssigned"
  }
}

tfvars variables values

NA

Debug Output/Panic Output

"kube_config": [
  {
    "client_certificate": "",
    "client_key": "",
    "cluster_ca_certificate": "<Client_CA_Cert_Value>",
    "host": "<Host>",
    "password": "",
    "username": "clusterUser_test-aks-cluster"
  }
]

Expected Behaviour

Client key and client certificate should be generated, as an SSH key is provided in the inputs.

Actual Behaviour

Client key and client certificate are coming back as blank values.
This issue happens only when workload identity is enabled.

Steps to Reproduce

No response

Important Factoids

No response

References

No response

@prajwaldc600 prajwaldc600 added the bug Something isn't working label Feb 7, 2024
@zioproto
Collaborator

zioproto commented Feb 7, 2024

Hello @prajwaldc600,

Are you using the module published in our repo https://github.com/Azure/terraform-azurerm-aks?

From the example code you shared, it seems you wanted to open a provider issue at:

https://github.com/hashicorp/terraform-provider-azurerm

Please confirm.

From what I read in the issue, this is working as expected.

The line:

  local_account_disabled = true

will force the login to the cluster with Azure managed identity:
https://learn.microsoft.com/en-gb/azure/aks/enable-authentication-microsoft-entra-id#disable-local-accounts

For this reason the client_key is not present.
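
As an added illustration (not code from this issue, the module or the provider), a small Python check that reads a kube_config structure shaped like the fragment pasted above and reports whether it still embeds a static credential. With local_account_disabled = true the empty client_key is the expected, hardened result (no long-lived cert or password in Terraform state), and a non-empty one is what a reviewer would want flagged. The sample data and the finding strings are constructed here.

```python
import json

# Constructed sample, shaped like the kube_config fragment pasted in the issue:
# local accounts disabled, so client_certificate/client_key come back empty.
SAMPLE_TERRAFORM_OUTPUT = json.dumps({
    "kube_config": [
        {
            "client_certificate": "",
            "client_key": "",
            "cluster_ca_certificate": "<Client_CA_Cert_Value>",
            "host": "<Host>",
            "password": "",
            "username": "clusterUser_test-aks-cluster",
        }
    ]
})


def auth_mode(entry: dict) -> str:
    """Classify which credential an AKS kube_config entry embeds."""
    if entry.get("client_certificate") and entry.get("client_key"):
        return "client-certificate"   # static cert/key material sits in state
    if entry.get("username") and entry.get("password"):
        return "basic-auth"           # static password sits in state
    return "external-identity"        # nothing static: Entra ID login at use time


def audit_kube_config(output_json: str, local_account_disabled: bool) -> list:
    """Return one finding per kube_config entry, comparing the credential type
    actually present with what the cluster's local_account_disabled setting implies."""
    findings = []
    for i, entry in enumerate(json.loads(output_json).get("kube_config", [])):
        mode = auth_mode(entry)
        if local_account_disabled and mode == "external-identity":
            findings.append(f"entry {i}: OK, no static credential (expected with local_account_disabled = true)")
        elif local_account_disabled:
            findings.append(f"entry {i}: UNEXPECTED {mode} credential despite local_account_disabled = true")
        elif mode == "external-identity":
            findings.append(f"entry {i}: no static credential although local accounts are enabled; check cluster auth config")
        else:
            findings.append(f"entry {i}: {mode} credential stored in Terraform state; consider local_account_disabled = true")
    return findings


if __name__ == "__main__":
    for line in audit_kube_config(SAMPLE_TERRAFORM_OUTPUT, local_account_disabled=True):
        print(line)
```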

@zioproto
Collaborator

@prajwaldc600 could you please let me know if my previous comment fixed your issue or if you need additional help? Thanks
