Installing AGIC through Helm
ramesh569 opened this issue
Describe the bug
I tried installing AGIC through the Helm chart as described in
https://learn.microsoft.com/en-us/azure/application-gateway/ingress-controller-install-existing#deploy-the-agic-add-on
however, I get the error mentioned below.
I am using workload identity as the authentication method.
To Reproduce
Steps to reproduce the behavior:
Create an AKS cluster and an App Gateway in two different subscriptions, create a user-assigned managed identity and grant all the access as mentioned in the above documentation.
Below is the helm-config file:
```yaml
# This file contains the essential configs for the ingress controller helm chart

# Verbosity level of the App Gateway Ingress Controller
verbosityLevel: 3

################################################################################
# Specify which application gateway the ingress controller must manage
#
appgw:
    subscriptionId: xxxxxe46e9-d9dd-4caa-9421-d2exxx
    resourceGroup: rg-hub-flpoc
    name: appxxxpoc

    # Setting appgw.shared to "true" creates an AzureIngressProhibitedTarget CRD.
    # This prohibits AGIC from applying config for any host/path.
    # Use "kubectl get AzureIngressProhibitedTargets" to view and change this.
    shared: false

################################################################################
# Specify which kubernetes namespace the ingress controller must watch
# Default value is "default"
# Leaving this variable out or setting it to blank or empty string would
# result in Ingress Controller observing all accessible namespaces.
#
kubernetes:
    watchNamespace: " "

################################################################################
# Specify the authentication with Azure Resource Manager
#
# Two authentication methods are available:
# - Option 1: Azure-AD-workload-identity
armAuth:
    type: workloadIdentity
    identityClientID: xxxxx-3ec5-4787-926d-xxxxxx

## Alternatively you can use Service Principal credentials
# armAuth:
#    type: servicePrincipal
#    secretJSON: <<Generate this value with: "az ad sp create-for-rbac --role Contributor --sdk-auth | base64 -w0" >>

################################################################################
# Specify if the cluster is Kubernetes RBAC enabled or not
rbac:
    enabled: false # true/false

# Specify aks cluster related information. THIS IS BEING DEPRECATED.
aksClusterConfiguration:
    apiServerAddress: aks-dns-pn0c2o7b.hcp.northeurope.azmk8s.io
```
Ingress Controller details

Logs:

```
E0127 09:03:17.207721 1 authorizer.go:63] Error getting Azure token: DefaultAzureCredential authentication failed. failed to acquire a token.
Attempted credentials:
	EnvironmentCredential: incomplete environment variable configuration. Only AZURE_TENANT_ID and AZURE_CLIENT_ID are set
	WorkloadIdentityCredential authentication failed. FromAssertion(): http call(https://login.microsoftonline.com/6e93a626-8aca-4dc1-9191-ce291b4b75a1/oauth2/v2.0/token)(POST) error: reply status code was 401:
{"error":"invalid_client","error_description":"AADSTS70025: The client 'b66ab927-3ec5-4787-926d-50f626f06d63'(ingressapplicationgateway-faks) has no configured federated identity credentials. Trace ID: d59b9ab7-3b2d-4fa1-96e2-ca47a08e2600 Correlation ID: db9dccf5-2db1-4ba3-9424-fa4f31e77f80 Timestamp: 2025-01-27 09:03:17Z","error_codes":[70025],"timestamp":"2025-01-27 09:03:17Z","trace_id":"d59b9ab7-3b2d-4fa1-96e2-ca47a08e2600","correlation_id":"db9dccf5-2db1-4ba3-9424-fa4f31e77f80"}
POST https://login.microsoftonline.com/6e93a626-8aca-4dc1-9191-ce291b4b75a1/oauth2/v2.0/token
--------------------------------------------------------------------------------
RESPONSE 401 Unauthorized
--------------------------------------------------------------------------------
{
  "error": "invalid_client",
  "error_description": "AADSTS70025: The client 'xxxxxx27-3ec5-4787-xxxx-xxxx6f06d63'(ingressapplicationgateway-floaks) has no configured federated identity credentials. Trace ID: d59b9ab7-3b2d-4fa1-96e2-ca47a08e2600 Correlation ID: db9dccf5-2db1-4ba3-9424-fa4f31e77f80 Timestamp: 2025-01-27 09:03:17Z",
  "error_codes": [
    70025
```
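Added example, not from the issue or the AGIC project: the AADSTS70025 reply in the log means the user-assigned identity referenced by `armAuth.identityClientID` has no federated identity credential trusting the AKS cluster's OIDC issuer, so the projected service-account token cannot be exchanged for an ARM token. The script below checks the output of `az identity federated-credential list` (replaced here by constructed sample records) against the issuer from `az aks show --query oidcIssuerProfile.issuerUrl` and the subject AGIC presents; the `default` namespace and `ingress-azure` service-account name are assumed defaults of the Helm chart, and the issuer URL is a constructed placeholder.

```python
"""Diagnose why a workload-identity token exchange for AGIC is rejected."""
from typing import Dict, List

# Audience Entra ID expects on a federated credential used for workload identity.
AUDIENCE = "api://AzureADTokenExchange"

# Constructed placeholder for `az aks show ... --query oidcIssuerProfile.issuerUrl -o tsv`
CLUSTER_ISSUER = "https://northeurope.oic.prod-aks.azure.com/TENANT-ID/CLUSTER-ID/"


def expected_subject(namespace: str, service_account: str) -> str:
    """Subject claim of the projected token that the federated credential must match."""
    return f"system:serviceaccount:{namespace}:{service_account}"


def diagnose(creds: List[Dict], issuer: str, subject: str) -> str:
    """Return 'ok' or the first reason Entra would refuse the token exchange.

    `creds` is the JSON list from `az identity federated-credential list`
    (fields issuer, subject, audiences); an empty list is the AADSTS70025 case.
    """
    if not creds:
        return "missing"  # identity has no federated credential at all (AADSTS70025)
    same_issuer = [c for c in creds if c.get("issuer", "").rstrip("/") == issuer.rstrip("/")]
    if not same_issuer:
        return "issuer_mismatch"  # credential trusts a different cluster's OIDC issuer
    same_subject = [c for c in same_issuer if c.get("subject") == subject]
    if not same_subject:
        return "subject_mismatch"  # wrong namespace or service-account name
    if not any(AUDIENCE in c.get("audiences", []) for c in same_subject):
        return "audience_mismatch"
    return "ok"


# Constructed sample records, shaped like the az CLI output.
CREDS_WRONG_NAMESPACE = [{
    "name": "agic-fic", "issuer": CLUSTER_ISSUER,
    "subject": "system:serviceaccount:kube-system:ingress-azure", "audiences": [AUDIENCE],
}]
CREDS_OK = [{
    "name": "agic-fic", "issuer": CLUSTER_ISSUER,
    "subject": "system:serviceaccount:default:ingress-azure", "audiences": [AUDIENCE],
}]

if __name__ == "__main__":
    subj = expected_subject("default", "ingress-azure")
    for label, creds in (("none", []), ("wrong-ns", CREDS_WRONG_NAMESPACE), ("ok", CREDS_OK)):
        print(f"{label}: {diagnose(creds, CLUSTER_ISSUER, subj)}")
```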