Fixing appgw istio secret
All Submissions:
- [YES] Have you added an explanation of what your changes do and why you'd like us to include them? Included directions in comments
- [YES] I have updated the documentation accordingly.
- [YES] My code follows the code style of this project.
Current Behavior or Linked Issues
Check #249 (closed). This will fix the secret ID in the app gw HTTPS listener; kudos to @vleskiv for finding it.
Does this introduce a breaking change?
- [NO]
The secret for the AGIC appgw was being used by the Istio gw, so the policy created for the secret was being mixed up. The managed identity for the Istio appgw does not have privileges over the AGIC certificate secret, so gateway creation was failing.
Other information
- Increased the default value for aks subnet prefix 10.10.2.0/22 (1024 IPs) since we have recently faced unavailability of IPs in the subnet range. This value directly affects the istio_int_ip_adress variable, which should use an IP address within the AKS subnet range.
- There is an additional issue in the Istio IP address settings for the AKS subnet, which is causing the Istio load balancer to stay in pending state.
Type Reason Age From Message
---- ------ ---- ---- -------
Normal EnsuringLoadBalancer 2s service-controller Ensuring load balancer
Warning SyncLoadBalancerFailed 2s service-controller Error syncing load balancer: failed to ensure load balancer: Retriable: false, RetryAfter: 0s, HTTPStatusCod
{
  "error": {
    "code": "PrivateIPAddressNotInSubnet",
    "message": "Private static IP address 10.10.255.253 does not belong to the range of subnet prefix 10.10.2.0/23.",
    "details": []
  }
}
It seemed that this was working in the past, but Azure AKS changed its behavior for this recently, which no longer allows it to work correctly.
Brownfield environment expected plan
Terraform will perform the following actions:
# module.istio_appgateway.azurerm_application_gateway.main will be updated in-place
~ resource "azurerm_application_gateway" "main" {
id = "/subscriptions/7c052588-ead2-45c9-9346-5b156a157bd1/resourceGroups/osdu-mvp-srdev-z98y-rg/providers/Microsoft.Network/applicationGateways/osdu-mvp-srdev-z98y-istio-gw"
name = "osdu-mvp-srdev-z98y-istio-gw"
tags = {
"contact" = "OSDU Development"
}
# (7 unchanged attributes hidden)
~ http_listener {
id = "/subscriptions/**8***/resourceGroups/osdu-mvp-srdev-****-rg/providers/Microsoft.Network/applicationGateways/osdu-mvp-srdev-z98y-istio-gw/httpListeners/https-osdu-mvp-srdev-****-vnet-httplstn"
name = "https-osdu-mvp-srdev-z98y-vnet-httplstn"
~ ssl_certificate_name = "osdu-istio-certificate" -> "istio-appgw-ssl-cert"
+ http_listener_id = (known after apply)
+ http_listener_name = "http-osdu-mvp-srdev-******-vnet-httplstn"
+ id = (known after apply)
+ name = "http-osdu-mvp-srdev-****-vnet-rqrt"
+ redirect_configuration_id = (known after apply)
+ rewrite_rule_set_id = (known after apply)
+ rule_type = "Basic"
+ url_path_map_id = (known after apply)
}
+ request_routing_rule {
+ backend_address_pool_id = (known after apply)
+ backend_address_pool_name = "https-osdu-mvp-srdev-****-vnet-beap"
+ backend_http_settings_id = (known after apply)
+ backend_http_settings_name = "https-osdu-mvp-srdev-****-vnet-be-htst"
+ http_listener_id = (known after apply)
+ http_listener_name = "https-osdu-mvp-srdev-****-vnet-httplstn"
+ id = (known after apply)
+ name = "https-osdu-mvp-srdev-****-vnet-rqrt"
+ redirect_configuration_id = (known after apply)
+ rewrite_rule_set_id = (known after apply)
+ rule_type = "Basic"
+ url_path_map_id = (known after apply)
}
# (16 unchanged blocks hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy.
Expected apply:
Your version of Terraform is out of date! The latest version
is 1.3.6. You can update by downloading from https://www.terraform.io/downloads.html
TF_WORKSPACE_NAME: sr-dev
TF_VAR_DATA_PARTITION_NAME:
module.istio_appgateway.azurerm_application_gateway.main: Modifying... [id=/subscriptions/7c052588-ead2-45c9-9346-5b156a157bd1/resourceGroups/osdu-mvp-srdev-z98y-rg/providers/Microsoft.Network/applicationGateways/osdu-mvp-srdev-z98y-istio-gw]
module.istio_appgateway.azurerm_application_gateway.main: Still modifying... [id=/subscriptions/7c052588-ead2-45c9-9346-...nGateways/osdu-mvp-srdev-z98y-istio-gw, 10s elapsed]
module.istio_appgateway.azurerm_application_gateway.main: Modifications complete after 17s [id=/subscriptions/7c052588-ead2-45c9-9346-5b156a157bd1/resourceGroups/osdu-mvp-srdev-z98y-rg/providers/Microsoft.Network/applicationGateways/osdu-mvp-srdev-z98y-istio-gw]
Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
Outputs:
Pipeline in dev environment OSDU Rx
Closes #249 (closed)
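An added example, not part of the merge request or the project's code: a pre-apply check for the PrivateIPAddressNotInSubnet failure quoted above, using the subnet prefix and static IP from that error message. The function names and the 10.10.3.250 sample address are assumptions made for illustration.

```python
import ipaddress
from typing import Tuple

# Azure reserves the first four addresses and the last address of every subnet.
AZURE_RESERVED_HEAD = 4
AZURE_RESERVED_TAIL = 1


def check_static_ip(subnet_prefix: str, static_ip: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a static private IP against a subnet prefix."""
    try:
        # Default strict parsing rejects prefixes with host bits set.
        net = ipaddress.ip_network(subnet_prefix)
    except ValueError as exc:
        return False, f"invalid subnet prefix: {exc}"
    try:
        ip = ipaddress.ip_address(static_ip)
    except ValueError as exc:
        return False, f"invalid IP address: {exc}"
    if ip not in net:
        # Same condition the service-controller event reports.
        return False, f"{ip} does not belong to {net}"
    offset = int(ip) - int(net.network_address)
    last_usable = net.num_addresses - AZURE_RESERVED_TAIL
    if offset < AZURE_RESERVED_HEAD or offset >= last_usable:
        return False, f"{ip} is reserved by Azure in {net}"
    return True, f"{ip} is assignable in {net}"


def last_assignable(subnet_prefix: str) -> str:
    """Highest address in the subnet that Azure does not reserve."""
    net = ipaddress.ip_network(subnet_prefix)
    return str(net.broadcast_address - AZURE_RESERVED_TAIL)


if __name__ == "__main__":
    # Values from the error message above, then a constructed in-range address.
    for prefix, ip in [("10.10.2.0/23", "10.10.255.253"),
                       ("10.10.2.0/23", "10.10.3.250")]:
        ok, reason = check_static_ip(prefix, ip)
        print("OK  " if ok else "FAIL", reason)
    print("last assignable:", last_assignable("10.10.2.0/23"))
```

Running such a check against the Terraform variables before `terraform apply` surfaces the mismatch at plan time instead of as a load balancer stuck in pending state.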