CAPZ with ASO doesn't work for AzureUSGovernment #4113
Comments
dtzar
added
the
priority/important-soon
|
/triage accepted |
k8s-ci-robot
added
the
triage/accepted
|
/assign @mboersma |
|
It appears ASO can only configure the ARM endpoint globally for all resources it manages. I've opened an issue here to make that capability accessible at the per-resource level to match CAPZ's capabilities from before: Azure/azure-service-operator#3447. If your management cluster is only managing workload clusters for one cloud, you could possibly modify the ASO deployment manually to configure it as you need as a stopgap. |
|
Hi @nojnhuh, I was looking into how we could globally set the ARM endpoint url for the ASO controller but I can't find a way. CAPZ is always setting the resource scoped secret https://github.com/kubernetes-sigs/cluster-api-provider-azure/blob/main/controllers/asosecret_controller.go#L235 ASO is not merging the resource and the global secret, but stops after Because of this, even if we do manually set the global or namespaced settings for the ASO controller, they will be ignored (unless I missed something) :( |
|
Even if changing it in aso-controller-settings doesn't work, I suppose it would be possible to edit the ASO deployment and hardcode the value there or referring to a different secret instead of deriving it from the global ASO secret. |
|
@ionutleca Did that workaround work for you? I'll reopen this to keep tracking making this more automatic. |
|
Yes, I managed to make it work with the right values set in |
|
Just opened this PR to at least allow setting these fields with environment variables when CAPZ is installed. Hopefully that's at least a step in the right direction: #4390 |
|
There's still more to iron out here re: CAPZ configuring the environment per-workload cluster and ASO only configuring it globally for all resources it manages, but I don't think I'll be able to follow up with that during this milestone. /unassign |
dtzar
added
the
size/XL
dtzar
added
the
area/managedclusters
|
Blocked until Azure/azure-service-operator#3447 |
dtzar
removed
the
priority/important-soon
/kind bug
What steps did you take and what happened:
The AzureManagedControlPlane supports the following parameter:
The createSecretFromClusterIdentity function doesn't set azureResourceManagerEndpoint and any other cloud specific variables.
The ASO controller fails with:
The subscription '***' could not be found.: PUT https://management.azure.com/subscriptions/***/resourceGroups/***What did you expect to happen:
CAPZ to also add to the
*-aso-secretthe values specific to whatspec.azureEnvironmenton theAzureManagedControlPlaneresource points to.Anything else you would like to add:
Environment:
kubectl version): v1.27.3/etc/os-release): AKSUbuntu-2004gen2fipscontainerd-202309.06.0The text was updated successfully, but these errors were encountered: