Using Azure Web App for Containers with managed identity - azure

Deployed an Azure App service for Containers with a custom image (from Centos 7 base image).
Based on the following documentation There is an environment variable that should be set by Azure and used for creating the REST API request to obtain an access token:
IDENTITY_ENDPOINT - the URL to the local token service.
However, when checking inside the container, this variable is not set:
[root#f22dfd74be31 ~]# echo $IDENTITY_ENDPOINT
(empty result here)
I've also tried to invoke az cli, which fails as well:
[root#f22dfd74be31 ~]# az login -i
AzureConnectionError: Failed to connect to MSI. Please make sure MSI is configured correctly
and check the network connection.
Error detail: HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with
url: /metadata/identity/oauth2/token?resource=https%3
A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01 (Caused by
NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f9e0c4
c72e8>: Failed to establish a new connection: [Errno 110] Connection timed out',))
I've successfully used managed identity with both Virtual machines and App Service (code deployment not containers), is it supported with App Service for containers, with custom containers?

When working with App service for containers the "platform" environment variables, including managed identity and app settings are only available when the container is initialized.
In order to make these variables accessible from the container, the following line must be incorporated in the container startup script (called from Dockerfile ENTRYPOINT):
eval $(printenv | sed -n "s/^\([^=]\+\)=\(.*\)$/export \1=\2/p" | sed 's/"/\\\"/g' | sed '/=/s//="/' | sed 's/$/"/' >> /etc/profile)

It should support MSI, make sure you enable the MSI like below.
Besides, step 4 in this doc also mentions the CLI command to enable MSI.
az webapp identity assign --resource-group AppSvc-DockerTutorial-rg --name <app-name> --query principalId --output tsv

Related

Azure CLI - AKS Communication Issue

i have problem in executing Kubectl commands, its errors out with 502 certificate error
Unable to connect to the server: x509: certificate signed by unknown authority
I can able to login to az login after that I'm connecting with my AKS cluster by using below command
az aks get-credentials --resource-group sitecore10.x-dev-k8s --name sitecore102-Dev-AKS-v1 --overwrite-existingenter code here
After that executing Kubectl get pods or Kubectl get services but it doesn't work
already tried adding environment variables
Opened .kube file and opened the same Url in browser , displayed the below error
Resolved
I got a chance to resolve this issue.
The actual issue is AKS URL (https://AKSInstance.hcp.westus.azmk8s.io:443) is blocked by Company Internet Monitoring Software (Netskope).
i raised a support ticket to whitelist the URL https://*.azmk8s.io
How to check the issue :
C:\Users[YourUserName].kube open config file to identify the AKS URL, try opening the URL directly in the browser, if your getting 401 authentication issue then your good, otherwise if your getting error message related to certificate then it should be your Internet Monitoring software is blocking the AKS URL calls.
I tried to reproduce the same in my environment to connect the AKS cluster from a windows machine:
I have created AKS cluster, like below.
Go to Azure Portal > Kubernetes Services > Create.
Download Kubectl tool here and install the same on a windows machine, like below.
open powershell in CMD and navigate to download folder and run kubectl.exe , like below.
connect your cluster using cloud shell to download .kube.config file. like below.
once connected to the cluster, download the config file to the Local windows machine.
Create a folder with .kube name in your username folder and place the downloaded config file in the same folder.
Path C:\Users\yourusername
Now run kubectl cmd to get the AKS cluster details from the windows machine, like below.
Reference: kubectl unable to connect to server: x509: certificate signed by unknown authority by bherto39.

How to run "docker login azure" from Azure DevOps pipeline

I have a shell script that deploys containers to Azure Container Instances that runs fine locally using the Azure CLI (on Linux) but I'm having trouble performing the login to Azure from a pipeline task.
Locally the following command will open a browser to login:
docker login azure
The docs suggest that to do the same in a pipeline task I can pass in a client id and client secret. I think that it should look like this:
docker login azure --client-id $servicePrincipalId --client-secret $servicePrincipalKey --tenant-id $tenantId
However, when I run this in my pipeline I get this error:
unknown flag: --client-id
docker login azure --help run locally tells me that --client-id is a valid flag, so I'm wondering is there another way to do this in an Azure DevOps pipeline?
At the moment the problem is that there is no docker cli azure module installed on Microsoft Hosted agents, Installation instructions can be found here:
https://docs.docker.com/cloud/aci-integration/
The workaround I have used to solve the problem:
- script: |
# Add the compose-cli module;
curl -L https://raw.githubusercontent.com/docker/compose-cli/main/scripts/install/install_linux.sh | sh
# Login to Azure using docker CLI, you can use variables here;
# Note: Docker#2 task with Login Action will not help here;
docker login azure --client-id xxx --client-secret yyy --tenant-id zzz
# Check Context list;
docker context aci list
# Create ACI Context;
docker context create aci myaci --location <Azure Location> --resource-group <RG NAME> --subscription-id <subscription ID>
# Check It again.
docker context list
The Azure pipeline task for Docker allows you to use a service connection for the 'docker login' style task. To use a username / password combination, you'll start by creating a Service Connection of type 'Docker Registry'. Then specify 'other' for type. Here you can enter your credentials. The password is obfuscated for security as you would expect.
Now you can use this service connection in your azure devops pipeline docker tasks.
Sources cited:
https://learn.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#docker-registry-service-connection
https://learn.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#docker-hub-or-others

How to change plan when deploing the app?

I had created my own subscription for Azure App Service. Then I had deployed my app (used CLI)
After that I remove the app, the resource group as well as subscription itself.
Now I got corporate subscription, create App Service via Azure UI and now trying to deploy my app to there.
When I use command
az webapp up --name MyAppName
i get message: The webapp 'MyAppName' exists in ResourceGroup 'MyCorporateGroup' and does not match the value entered 'MyPrivategroup '. Please re-run command with the correct parameters.
When I use command:
az webapp up --name MyAppName --resource-group MyCorporateGroup --subscription MyCorporateSubscription
I get: The plan name entered 'MyCorporateGroup_0' does not match the plan name that the webapp is hosted in 'MyCorporatePlanForAppService'.Please check if you have configured defaults for plan name and re-run command.
And when I use command:
az webapp up --name MyAppName --resource-group MyCorporateGroup --subscription MyCorporateSubscription -p MyCorporatePlanForAppService
i get message: Creating AppServicePlan MyCorporatePlanForAppService ...
(InvalidResourceLocation) The resource 'MyCorporatePlanForAppService' already exists in location 'germanywestcentral' in resource group 'MyCorporateGroup'. A resource with the same name cannot be created in location 'centralus'. Please select a new resource name.
Does anyone know how can i deploy my app to the corporate app service?
Thanks
The problem has been resolved when I remove .AZURE folder from my local machine. And then rebuild the app.
It seems to me you're not changing from one context to another. Try executing the following command before trying to update the web app in your corporate subscription:
az account set -s <corporate-subscription-name-or-id>

Custom Script Extension failing on Virtual Scale Set upgrade

I have created an Azure virtual scaleset with Linux VMs. I have to run Azure CLI commands via release pipelines on these VMs so I am trying to install a Azure CLI using Custom Extensions so that every time a new VM is up CLI is installed on the VM.
I have created a .sh file with below command on blob storage :
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
I ran below command on from the CLI to deploy the custom extension :
az vmss extension set --vmss-name <VMSS Name> --resource-group <Resource Group> --name CustomScript --version 2.0 --publisher Microsoft.Azure.Extensions --settings '{"FileUris": ["https://<Blobscriptpath>/preinstallscript.sh"],"commandToExecute": "bash /preinstallscript.sh"}'
This command is installing the extension and I can see that on Azure but when I am upgrading the VM instance I am getting below error:
"Failed to upgrade virtual machine instance ''. Error: Multiple VM extensions failed to be provisioned on the VM. Please see the VM extension instance view for other failures. The first extension failed due to the error: VM has reported a failure when processing extension 'CustomScript'. Error message: "Enable failed: failed to get configuration: json validation error: invalid public settings JSON: FileUris: Additional property FileUris is not allowed""
Below are the images from Azure Portal showing the Extension:
Please suggest if I am missing something.
According to the error message, Additional property FileUris is not allowed, you should use fileUris instead of FileUris. Read the Property values.
Also, If the blob is not public, you need to provide the storage account name and key to access the blob. For example, you can provide a .sh file on the blob storage.
#!/bin/bash
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
and deploy the custom extension with CLI.
az vmss extension set --vmss-name <VMSS Name> --resource-group <Resource Group> --name CustomScript --version 2.0 --publisher Microsoft.Azure.Extensions --settings '{"fileUris": ["https://xxx.blob.core.windows.net/shscripts/preinstallscript.sh"],"commandToExecute": "sh preinstallscript.sh"}'
Edit
After installing the VMSS, you can upgrade the VMSS instance to take this script effect.

Unable to connect with Azure Container Services - Kubernetes

I am working on setting up environment for deploying microservices.
I have gotten as far as building my code and deploying to a registry but having problem running it in Azure Container Services.
I am following this guide to connect to ACS: https://learn.microsoft.com/en-us/azure/container-service/container-service-connect
But i fail on the step: Download Cluster Credentials
Using the given command
az acs kubernetes get-credentials --resource-group=<cluster-resource-group> --name=<cluster-name>
Ofc changing the reseource group and clustername to the correct names from my portal. I get an error:
[WinError 10049] The requested address is not valid in its context
(if i change resource group or clustername to something else I get other errors so seems it can find those at least)
When i try to search for the error it seems to be some IP adress problem but can't figure out what to do. Tried running same command from other network (from home) to make sure work firewall is not blocking something.. but I get the same error
Any help appriciated!
This command copy the cluster credentials to your machine. Background processes are ssh to your cluster VM and copy the credentials.
So, you should ensure you could ssh to the master VM manual. If you could not ssh to master VM manual, az command also could not do it. You could get your master-dns-name on Azure Portal.
ssh -i id_rsa <user>#<master-dns-name>
Notes: If az command does not work and you could ssh to master VM, you could download credentials to your machine. They are same. You could check your link about this.
You also need check your azure cli version. You could use the following commands
az --version
My version is 2.02. It works for me.

Resources