Filebeat DaemonSet error while deploying on Azure Kubernetes Service

I am trying to deploy the Filebeat DaemonSet on Azure Kubernetes Service.
I grabbed my code from: https://github.com/elastic/beats/tree/master/deploy/kubernetes/filebeat
Below is the error I am facing. Kindly let me know if I am missing something here.
Error:
{
"kind": "Event",
"apiVersion": "v1",
"metadata": {
"name": "filebeat.1686897c8d8bxxxx",
"namespace": "kube-system",
"selfLink": "/api/v1/namespaces/kube-system/events/filebeat.1686897c8d8bxxxx",
"uid": "5b94cf20-b432-4d77-b20b-f45fd91xxxxx",
"resourceVersion": "708810xx",
"creationTimestamp": "2021-06-08T07:04:43Z",
"managedFields": [
{
"manager": "kube-controller-manager",
"operation": "Update",
"apiVersion": "v1",
"time": "2021-06-08T07:04:45Z",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:count": {},
"f:firstTimestamp": {},
"f:involvedObject": {
"f:apiVersion": {},
"f:kind": {},
"f:name": {},
"f:namespace": {},
"f:resourceVersion": {},
"f:uid": {}
},
"f:lastTimestamp": {},
"f:message": {},
"f:reason": {},
"f:source": {
"f:component": {}
},
"f:type": {}
}
}
]
},
"involvedObject": {
"kind": "DaemonSet",
"namespace": "kube-system",
"name": "filebeat",
"uid": "80f770e5-2b8b-xxxx-bcea-2c2dfba5xxxx",
"apiVersion": "apps/v1",
"resourceVersion": "7088xxxx"
},
"reason": "FailedCreate",
"message": "Error creating: pods \"filebeat-\" is forbidden: error looking up service account kube-system/filebeat: serviceaccount \"filebeat\" not found",
"source": {
"component": "daemonset-controller"
},
"firstTimestamp": "2021-06-08T07:04:43Z",
"lastTimestamp": "2021-06-08T07:04:45Z",
"count": 9,
"type": "Warning",
"eventTime": null,
"reportingComponent": "",
"reportingInstance": ""
}

Kubernetes is failing to create your pod because it references a Service Account that does not exist.
Please make sure to apply all the YAML files on the page you mentioned:
https://github.com/elastic/beats/tree/master/deploy/kubernetes/filebeat
As a basic example:
kubectl apply -f filebeat-configmap.yaml
kubectl apply -f filebeat-daemonset.yaml
kubectl apply -f filebeat-role-binding.yaml
kubectl apply -f filebeat-role.yaml
kubectl apply -f filebeat-service-account.yaml

According to the YAML files in the link that you provided, it seems the daemonset in the YAML file filebeat-daemonset.yaml depends on the service account filebeat. So you need to deploy the service account filebeat before you deploy the daemonset:
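
A pre-apply check for the failure discussed above, as an added example that is not part of either answer or of the elastic/beats repository: it scans a set of manifests for workloads and RBAC bindings that reference a ServiceAccount or role the set does not define. The manifests are constructed samples, the function names are hypothetical, and the check assumes the referenced objects do not already exist in the cluster.

```python
import json

# Constructed sample (JSON is valid YAML): the Filebeat layout with the
# ServiceAccount manifest left out. Not copied from the elastic/beats repo.
SAMPLE_MANIFESTS = json.loads("""[
 {"kind": "DaemonSet", "metadata": {"name": "filebeat", "namespace": "kube-system"},
  "spec": {"template": {"spec": {"serviceAccountName": "filebeat"}}}},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "filebeat"},
  "subjects": [{"kind": "ServiceAccount", "name": "filebeat", "namespace": "kube-system"}],
  "roleRef": {"kind": "ClusterRole", "name": "filebeat"}},
 {"kind": "ClusterRole", "metadata": {"name": "filebeat"}, "rules": []}
]""")
SERVICE_ACCOUNT = {"kind": "ServiceAccount",
                   "metadata": {"name": "filebeat", "namespace": "kube-system"}}

WORKLOADS = {"DaemonSet", "Deployment", "StatefulSet", "Job"}
CLUSTER_SCOPED = {"ClusterRole", "ClusterRoleBinding"}


def _key(kind, name, namespace):
    # Cluster-scoped kinds have no namespace; others fall back to "default".
    return (kind, None if kind in CLUSTER_SCOPED else namespace or "default", name)


def missing_references(manifests):
    """List 'referrer -> missing object' for references the set cannot resolve."""
    defined = {_key(m["kind"], m["metadata"]["name"], m["metadata"].get("namespace"))
               for m in manifests}
    problems = []
    for m in manifests:
        kind, meta = m["kind"], m["metadata"]
        ns = meta.get("namespace") or "default"
        wanted = []
        if kind in WORKLOADS:
            sa = m["spec"]["template"]["spec"].get("serviceAccountName")
            # An omitted name means the namespace's built-in "default" account.
            if sa and sa != "default":
                wanted.append(("ServiceAccount", sa, ns))
        elif kind in ("RoleBinding", "ClusterRoleBinding"):
            wanted.append((m["roleRef"]["kind"], m["roleRef"]["name"], ns))
            wanted += [("ServiceAccount", s["name"], s.get("namespace", ns))
                       for s in m.get("subjects", []) if s["kind"] == "ServiceAccount"]
        for w in wanted:
            k = _key(*w)
            if k not in defined:
                target = f"{k[0]} {k[1] + '/' if k[1] else ''}{k[2]}"
                problems.append(f"{kind}/{meta['name']} -> {target}")
    return sorted(problems)


if __name__ == "__main__":
    for line in missing_references(SAMPLE_MANIFESTS):
        print("unresolved:", line)
```

Only the DaemonSet's dangling reference produces the FailedCreate event shown in the question; a binding whose subject does not exist is accepted by the API server, so the check is the only place that gap shows up.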

Related

ARM template for API Connection to Service Bus using Managed Identity

To create an API Connection to Azure Service Bus using Managed Identity I'm using the following template:
"resources": [
{
"type": "MICROSOFT.WEB/CONNECTIONS",
"apiVersion": "2018-07-01-preview",
"name": "[parameters('connections_servicebus_name')]",
"location": "[parameters('connections_servicebus_location')]",
"kind": "V1",
"properties": {
"alternativeParameterValues": {},
"displayName": "[parameters('connections_servicebus_displayname')]",
"api": {
"name": "[parameters('connections_servicebus_name')]",
"displayName": "[parameters('connections_servicebus_displayname')]",
"id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', parameters('connections_servicebus_location'), '/managedApis/', 'servicebus')]",
"type": "Microsoft.Web/locations/managedApis"
},
"customParameterValues": {},
"parameterValueSet": {
"name": "managedIdentityAuth",
"values": {}
}
}
}
]
that is actually working except for the fact that the 'NamespaceEndpoint' information (like: sb://mySBNS.servicebus.windows.net) is not provided anywhere, and so the field appears empty on the Azure portal:
After adding it manually, the connection and the LogicApp that is using it start to work.
What is the JSON field to provide that information?
You can refer to this question for full details:
"parameterValueSet": {
"name": "managedIdentityAuth",
"values": {
"namespaceEndpoint": {
"value": "sb://<servicebus-namespace-name>.servicebus.windows.net/"
}
}
}

Get cluster ca certificate Azure ARM template ManagedClusters

How can I get the cluster ca certificate from the arm template for some ManagedClusters?
In terraform we use:
azurerm_kubernetes_cluster.aks_cluster.kube_config.0.cluster_ca_certificate
But in ARM I can't find it anywhere.
Can you please give some help?
Thanks
My solution:
"resources": [
{
"type": "Microsoft.Resources/deploymentScripts",
"apiVersion": "2019-10-01-preview",
"name": "get-cluster-ca",
"location": "[resourceGroup().location]",
"identity": {
....
}
},
"kind": "AzureCLI",
"azCliVersion": "2.0.80",
"environmentVariables": [
{
"name": "RESOURCE_GROUP_NAME",
"value": "[resourceGroup().name]"
},
{
"name": "CLUSTER_NAME",
"value": "[variables('cluster_name')]"
}
],
"scriptContent": "#!/bin/bash\r\n\r\naz aks get-credentials --resource-group ${RESOURCE_GROUP_NAME} --name ${CLUSTER_NAME}\r\n\r\naz aks install-cli\r\n\r\necho '{\"ca\":' $(kubectl config view --raw -o json | jq -c '.clusters[0].cluster.\"certificate-authority-data\"') > $AZ_SCRIPTS_OUTPUT_PATH\r\n",
"timeout": "PT30M",
"cleanupPreference": "OnSuccess",
"retentionInterval": "P1D"
}
],
"outputs": {
"result": {
"value": "[reference('get-cluster-ca').outputs.ca]",
"type": "string"
}
}

Get Read only connection strings of App Configuration in ARM Template

Hi I want to add Application Config Read Only Connection string in ARM Template
"appSettingsShared": {
"value": [
{
"name": "RedisCache:ConnectionString",
"value": "[concat(variables('RedisCacheName'),'.redis.cache.windows.net:6380,abortConnect=false,ssl=true,password=', listKeys(resourceId('Microsoft.Cache/Redis', variables('RedisCacheName')), '2015-08-01').primaryKey)]"
},
{
"name": "AppConfig:ConnectionString",
"value": "???"
}
]
I know how to do it using Azure CLI:
az appconfig credential list -g $resourceGroup -n $appConfigName --query "([?name=='Primary Read Only'].connectionString)[0]" --output tsv
Any help is really appreciated.
You can use the listkeys template function to retrieve your configStore keys and connection strings. The implementation is similar to the Configuration Stores - List Keys API, which returns a response similar to:
{
"value": [
{
"id": "439AD01B4BE67DB1",
"name": "Primary",
"value": "000000000000000000000000000000000000000000000000000000",
"connectionString": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"lastModified": "2018-04-24T16:30:54+00:00",
"readOnly": false
},
{
"id": "CB45E100456857B9",
"name": "Secondary",
"value": "000000000000000000000000000000000000000000000000000000",
"connectionString": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"lastModified": "2018-04-24T16:30:54+00:00",
"readOnly": false
},
{
"id": "B3AC55B7E71431A9",
"name": "Primary Read Only",
"value": "000000000000000000000000000000000000000000000000000000",
"connectionString": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"lastModified": "2018-04-24T16:30:54+00:00",
"readOnly": true
},
{
"id": "E2AF6A9A89DCC177",
"name": "Secondary Read Only",
"value": "000000000000000000000000000000000000000000000000000000",
"connectionString": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"lastModified": "2018-04-24T16:30:54+00:00",
"readOnly": true
}
]
}
Since you want to access the Read-Only connection strings, you can access it in your ARM template as follows:
"value": "[listKeys(resourceId('Microsoft.AppConfiguration/configurationStores', variables('configurationStore_name')), '2019-11-01-preview').value[2].connectionString]"
This would get you the Primary Read Only connection string. Similarly, value[3].connectionString would retrieve the Secondary Read Only connection string.
In your template file, you can have the following to get the Redis Cache ConnectionString that you provisioned:
"outputs": {
"RedisCacheConnectionString": {
"type": "string",
"value":"[concat(reference(parameters('redisCacheName')).hostName,':', reference(parameters('redisCacheName')).sslPort,',password=',listKeys(resourceId('Microsoft.Cache/redis', parameters('redisCacheName')), '2020-06-01').primaryKey,',ssl=True,abortConnect=False')]"
}
}
This answer is inspired by @bhargavi-annadevara's answer.

Error when trying to publish mesh application, "Unable to edit or replace 'test': previous deployment is still active"

I'm attempting to use Service Fabric Mesh to deploy a container based app. I'm new to Mesh, but I did get the sample 'Hello App' working. Now I'm trying to deploy an app based on a container I have stored in Azure. I used the following command to deploy this:
az mesh deployment create --resource-group MikeMesh --template-file test.json
The command says 'Deploying . . .' for about 10 minutes, and then says:
Unable to edit or replace deployment 'test': previous deployment from
'8/20/2018 9:55:28 PM' is still active (expiration time is '8/27/2018
9:55:27 PM'). Please see https://aka.ms/arm-deploy for usage details.
Note this is a brand new resource group, and I've never deployed anything here before. Also note I can deploy this same container using normal Service Fabric and it works fine.
The link in the error message doesn't contain anything helpful. If I go to the 'Deployments' tab, the status says 'Deploying' but it seems stuck (it's been nearly two hours). If I click on 'Related events', I get 3 events but all of them say 'Succeeded' or 'Accepted'. Under 'Quick Insights' if I click 'Failed deployments', I see a 'Validate deployment' operation that failed 2 hours ago, but I'm not clear if this has anything to do with this deployment. The error message for that is the same as what I saw on the command line.
The test.json is as follows (with some sensitive information removed):
{
"$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2018-07-01-preview",
"name": "LimeadeMeshNetwork",
"type": "Microsoft.ServiceFabricMesh/networks",
"location": "eastus",
"dependsOn": [],
"properties": {
"addressPrefix": "10.0.0.4/22",
"ingressConfig": {
"layer4": [
{
"publicPort": "80",
"applicationName": "LimeadeApp",
"serviceName": "WebsiteService",
"endpointName": "WebsiteListener"
}
]
}
}
},
{
"apiVersion": "2018-07-01-preview",
"name": "LimeadeApp",
"type": "Microsoft.ServiceFabricMesh/applications",
"location": "eastus",
"dependsOn": [
"Microsoft.ServiceFabricMesh/networks/LimeadeMeshNetwork"
],
"properties": {
"description": "Limeade Mesh Application",
"services": [
{
"type": "Microsoft.ServiceFabricMesh/services",
"location": "eastus",
"name": "WebsiteService",
"properties": {
"description": "Limeade Website Service",
"osType": "windows",
"codePackages": [
{
"name": "WebsiteCode",
"image": "web:20180720103109",
"imageRegistryCredential": {
"server": "<container>.azurecr.io",
"username": "<username>",
"password": "<password>"
},
"endpoints": [
{
"name": "WebsiteListener",
"port": "80"
}
],
"resources": {
"requests": {
"cpu": "1",
"memoryInGB": "1"
}
}
}
],
"replicaCount": "1",
"networkRefs": [
{
"name": "[resourceId('Microsoft.ServiceFabricMesh/networks', 'LimeadeMeshNetwork')]"
}
]
}
}
]
}
}
]
}

Obtain IP of Internal Load Balancer in App Service Environment

I am developing ARM template to deploy an App Service Environment v2 configured with an Internal Load Balancer (ILB ASE). Is there a way to grab the Virtual IP (VIP) address that the Internal Load Balancer gets from the vnet it is attached to as an output? When I look at the properties of the ASE via PowerShell after it is provisioned, I do not see a property for the IP address, or for the load balancer.
After much research and testing...there is currently no way to do this as an output from the ARM template. Here are the ways that the value can be collected:
Via Resource Explorer...although this is not very helpful for doing it programmatically but it did help me figure out the other 2 ways
Using PowerShell to query the management.azure.com API but you have to publish an app with the appropriate permissions and assign the app to have permissions in the subscription you are trying to query resources from
Using Azure CLI. This method turned out to be the easiest.
I needed this value to fully automate the deployment of an App Gateway sitting in front of an ILB ASE. I use Terraform for deployment automation and I run the Terraform configs from Azure Cloud Shell. I kick off my deployments with a shell script where I dynamically get the storage account key to the storage account where I store state files. I then query the ILB ASE to get the IP address and set it to a variable that I then pass into Terraform.
Below is a copy of the shell script I use:
#!/bin/bash
set -eo pipefail
# The block below will grab the access key for the storage account that is used
# to store state files
subscription_name="<my_subscription_name>"
tfstate_storage_resource_group="terraform-state-rg"
tfstate_storage_account="<name_of_statefile_storage_account>"
subscription_id="<my_subscription_id>"
ilbase_rg_name="<name_of_resourcegroup_where_ase_is_deployed>"
ilbase_name="<name_of_ase>"
az account set --subscription "$subscription_name"
tfstate_storage_access_key=$(
az storage account keys list \
--resource-group "$tfstate_storage_resource_group" \
--account-name "$tfstate_storage_account" \
--query '[0].value' -o tsv
)
echo ""
echo "Terraform state storage account access key:"
echo $tfstate_storage_access_key
echo ""
# The block below will get the Virtual IP of the ASE Internal Load Balancer
# which will be used to create the App GW
ilbase_virtual_ip=$(
az resource show \
--ids "/subscriptions/$subscription_id/resourceGroups/$ilbase_rg_name/providers/Microsoft.Web/hostingEnvironments/$ilbase_name/capacities/virtualip" \
--query "additionalProperties.internalIpAddress"
)
echo ""
echo "ASE internal load balancer IP:"
echo $ilbase_virtual_ip
echo ""
terraform plan \
-var "tfstate_access_key=$tfstate_storage_access_key" \
-var "ilbase_virtual_ip=$ilbase_virtual_ip"
You can use output like this:
"outputs": {
"privateIp": {
"type": "string",
"value": "[reference(parameters('lbname')).frontendIPConfigurations[0].properties.privateIPAddress]"
}
}
Here is my template, which creates one VNet and one internal load balancer:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vnetName": {
"type": "string",
"defaultValue": "VNet1",
"metadata": {
"description": "VNet name"
}
},
"vnetAddressPrefix": {
"type": "string",
"defaultValue": "10.0.0.0/16",
"metadata": {
"description": "Address prefix"
}
},
"subnet1Prefix": {
"type": "string",
"defaultValue": "10.0.0.0/24",
"metadata": {
"description": "Subnet 1 Prefix"
}
},
"subnet1Name": {
"type": "string",
"defaultValue": "Subnet1",
"metadata": {
"description": "Subnet 1 Name"
}
},
"subnet2Prefix": {
"type": "string",
"defaultValue": "10.0.1.0/24",
"metadata": {
"description": "Subnet 2 Prefix"
}
},
"subnet2Name": {
"type": "string",
"defaultValue": "Subnet2",
"metadata": {
"description": "Subnet 2 Name"
}
},
"lbname": {
"defaultValue": "jasonlbb",
"type": "String"
}
},
"variables": {
"virtualnetworkname" : "vnet1",
"apiVersion": "2015-06-15",
"vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualnetworkname'))]",
"subnetRef": "[concat(variables('vnetID'),'/subnets/',parameters('subnet1Name'))]"
},
"resources": [
{
"apiVersion": "2015-06-15",
"type": "Microsoft.Network/virtualNetworks",
"name": "[parameters('vnetName')]",
"location": "[resourceGroup().location]",
"properties": {
"addressSpace": {
"addressPrefixes": [
"[parameters('vnetAddressPrefix')]"
]
},
"subnets": [
{
"name": "[parameters('subnet1Name')]",
"properties": {
"addressPrefix": "[parameters('subnet1Prefix')]"
}
},
{
"name": "[parameters('subnet2Name')]",
"properties": {
"addressPrefix": "[parameters('subnet2Prefix')]"
}
}
]
}
},
{
"apiVersion": "2015-05-01-preview",
"type": "Microsoft.Network/loadBalancers",
"name": "[parameters('lbname')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[variables('vnetID')]"
],
"properties": {
"frontendIPConfigurations": [
{
"properties": {
"subnet": {
"id": "[variables('subnetRef')]"
},
"privateIPAllocationMethod": "Dynamic"
},
"name": "LoadBalancerFrontend"
}
],
"backendAddressPools": [
{
"name": "BackendPool1"
}
],
"loadBalancingRules": [
{
"properties": {
"frontendIPConfiguration": {
"id": "[concat(resourceId('Microsoft.Network/loadBalancers', parameters('lbname')), '/frontendIpConfigurations/LoadBalancerFrontend')]"
},
"backendAddressPool": {
"id": "[concat(resourceId('Microsoft.Network/loadBalancers', parameters('lbname')), '/backendAddressPools/BackendPool1')]"
},
"probe": {
"id": "[concat(resourceId('Microsoft.Network/loadBalancers', parameters('lbname')), '/probes/lbprobe')]"
},
"protocol": "Tcp",
"frontendPort": 80,
"backendPort": 80,
"idleTimeoutInMinutes": 15
},
"Name": "lbrule"
}
],
"probes": [
{
"properties": {
"protocol": "Tcp",
"port": 80,
"intervalInSeconds": 15,
"numberOfProbes": 2
},
"name": "lbprobe"
}
]
}
}
],
"outputs": {
"privateIp": {
"type": "string",
"value": "[reference(parameters('lbname')).frontendIPConfigurations[0].properties.privateIPAddress]"
}
}
}
Here is the screenshot about the result:
Hope this helps.
If you’re using Terraform, here’s how I got it working. Had to use the external data source in Terraform coupled with Azure CLI and jq to get around the bugs in Azure and the Terraform External Data provider.
# As of writing, the ASE ARM deployment doesn't return the IP address of the ILB
# ASE. This workaround queries Azure's API to get the values we need for use
# elsewhere in the script.
# See this https://stackoverflow.com/a/49436100
data "external" "app_service_environment_ilb_ase_ip_address" {
# This calls the Azure CLI then passes the value to jq to return JSON as a single
# string so that external provider can parse it properly. Otherwise you get an
# error. See this bug https://github.com/terraform-providers/terraform-provider-external/issues/23
program = ["bash", "-c", "az resource show --ids ${local.app_service_environment_id}/capacities/virtualip --query '{internalIpAddress: internalIpAddress}' | jq -c"]
# Explicit dependency on the ASE ARM deployment because this command will fail
# if that resource isn't built yet.
depends_on = [azurerm_template_deployment.ase]
}
