
aks connectedk8s connect should allow connecting to existing arc kubernetes resources and use own key-pair

Open stephybun opened this issue 2 years ago • 7 comments

Extension name (the extension in question)

connectedk8s

Description of issue (in as much detail as possible)

Hello 👋🏼 We're trying to add support for Arc Kubernetes in the AzureRM Provider for Terraform. Unfortunately there is no means of connecting an Arc Kubernetes resource that was created by Terraform to a Kubernetes cluster; it will remain with status Connecting.

I attempted the following without success:

  1. Command az connectedk8s connect --name arc-kubernetes-resource-name --resource-group resource-group-name

This doesn't work because the command creates the Arc Kubernetes resource for you, so it will fail if a resource already exists with the same name.

  2. Pull and deploy the Helm chart that az connectedk8s connect ... runs

I used the same values that are passed from the az connectedk8s CLI to the Helm chart, but substituted my own RSA key pair generated via openssl; the deployment fails with the pods in kube-aad-proxy and config-agent ending in CrashLoopBackOff.

Ideally the connect command should allow the user to connect a cluster to an existing Arc Kubernetes resource and to supply our own private key for the connection. Would this be possible or is there an alternative way of connecting an existing Arc Kubernetes resource to a cluster?

stephybun avatar Apr 29 '22 12:04 stephybun

route to CXP team

yonzhan avatar Apr 29 '22 14:04 yonzhan

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @akashkeshari.

Issue Details

Author: stephybun
Assignees: -
Labels:

customer-reported, Service Attention, Connected Kubernetes, Auto-Assign

Milestone: -

ghost avatar May 02 '22 03:05 ghost

Hi @stephybun ,

  1. The command "az connectedk8s connect" will succeed if you provide a different Arc resource name, or delete the already created Arc resource and provide the same name again. You cannot use the same name to Arc-onboard a new cluster, since the Arc resource might correspond to a different k8s cluster.
  2. The public-private key pair generated by the connectedk8s CLI is used by the Arc agents for establishing a one-time connection to one of the Arc services. After that, the public-private key pair is useless and we use a different auth mechanism (MSI). Hence, we did not keep the overhead of generating the key pair on the customer's end.
  3. Terraform templates can currently only create the Arc resource but cannot install the Arc agents. So, they are not useful to Arc-onboard a k8s cluster. However, if you are looking for template-based Arc onboarding, you could check out the onboarding container tool that we also support. Let me know if this works for you or you still need a Terraform-based solution for Arc onboarding.

akashkeshari avatar May 31 '22 06:05 akashkeshari
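The answer above says `az connectedk8s connect` fails when an Arc resource of the same name already exists, and that a name must not be reused for a different cluster. The script below is an added example written for this thread; it is not code from the issue, the connectedk8s extension or the Terraform provider. It checks for an existing resource with `az connectedk8s show` before running `connect`, and only proceeds when the name is free. It assumes the connected cluster resource exposes a `connectivityStatus` property (values such as Connecting and Connected, as seen in the issue) and that the `AZ_BIN` indirection and the function names are local choices, not part of the CLI.

```shell
#!/usr/bin/env bash
# Added example (not from the issue or the connectedk8s extension): guard
# `az connectedk8s connect` with an existence check so an Arc resource name
# is never silently reused for a different Kubernetes cluster.
set -eu

# Indirection so the Azure CLI can be swapped out in tests; defaults to `az`.
AZ_BIN="${AZ_BIN:-az}"
run_az() { "$AZ_BIN" "$@"; }

# Prints the connectivityStatus of an existing Arc resource, or "absent"
# when `az connectedk8s show` fails (resource not found).
# Assumption: the resource exposes a connectivityStatus property.
arc_resource_status() {
  name="$1"; rg="$2"
  if status="$(run_az connectedk8s show --name "$name" --resource-group "$rg" \
                 --query connectivityStatus -o tsv 2>/dev/null)"; then
    printf '%s\n' "${status:-Unknown}"
  else
    printf 'absent\n'
  fi
}

# Prints "connect" and returns 0 when onboarding may run; otherwise prints
# the reason it is skipped and returns 1.
plan_onboarding() {
  name="$1"; rg="$2"
  status="$(arc_resource_status "$name" "$rg")"
  case "$status" in
    absent)
      printf 'connect\n'; return 0 ;;
    Connected)
      printf 'skip: %s is already Connected; choose another name\n' "$name"
      return 1 ;;
    *)
      printf 'skip: %s exists with status %s; delete it or pick another name\n' \
        "$name" "$status"
      return 1 ;;
  esac
}

# Runs the real onboarding only when plan_onboarding allows it.
onboard_cluster() {
  name="$1"; rg="$2"; location="$3"
  plan_onboarding "$name" "$rg" || return 1
  run_az connectedk8s connect --name "$name" --resource-group "$rg" \
    --location "$location"
}

# Usage (uncomment to run against a real subscription):
# onboard_cluster my-arc-cluster my-resource-group eastus
```

The point of the check is the one the thread makes: a name collision is not a transient error to retry, it means the resource is bound (or being bound) to some cluster, and the safe move is to pick a new name or delete the stale resource deliberately.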

@akashkeshari, thanks for the response. The link provided in 3. for the onboarding container tool returns 404. Is this repo public?

stephybun avatar May 31 '22 06:05 stephybun

It's not public yet. But I have just provided you read access. You may take a look, thanks.

akashkeshari avatar May 31 '22 08:05 akashkeshari

> It's not public yet. But I have just provided you read access. You may take a look, thanks.

Can I get access to this too?

mcmcghee avatar Jun 21 '22 15:06 mcmcghee

> It's not public yet. But I have just provided you read access. You may take a look, thanks.

Access to this would be greatly appreciated as well, thank you!

jacobdanovitch avatar Jun 21 '22 18:06 jacobdanovitch

@akashkeshari is there a plan for this repo to be public?

tombuildsstuff avatar Oct 17 '22 14:10 tombuildsstuff