Unable to get resourcegroup, it is created but cannot be seen with kubectl get

[shalinin00]

Version of Azure Service Operator

Describe the bug
Fyi - I've created managed identity and also federated identity.
I am trying to create resource group by helm install ASOv2 for Managed Identity.
Trying to create a resource group after following this wiki: https://github.com/Azure/azure-service-operator/blob/main/v2/README.md
I have exported all the variables and installed and then all controller pods are coming up fine.
When trying to create a resource group, getting the following error

kubectl get resourcegroup
No resources found in default namespace.

To Reproduce
Steps to reproduce the behavior: Follow the instructions in the wiki https://github.com/Azure/azure-service-operator/blob/main/v2/README.md
Trying to create Resource group step.
When I do ```
kubectl get resourcegroup
No resources found in default namespace.

kubectl logs -f azureserviceoperator-controller-manager9806-ljllp -n azureserviceoperator-system

2023/09/23 03:51:33 http: TLS handshake error from 173.74.2.34.47:9876353: EOF
2023/09/23 03:51:33 http: TLS handshake error from 173.74.2.34.47:9876353: EOF
2023/09/23 03:51:33 http: TLS handshake error from 173.74.2.34.47:9876353: EOF
2023/09/23 03:51:33 http: TLS handshake error from 173.74.2.34.47:9876353: EOF
I0923 03:51:34.384007 1 common.go:58] controllers/ResourceGroupController "msg"="Reconcile invoked" "annotations"={"serviceoperator.azure.com/operator-namespace":"azureserviceoperator-system"} "conditions"="[]" "creationTimestamp"="2023-09-23T03:51:33Z" "deletionTimestamp"=null "finalizers"=null "generation"=1 "kind"={"kind":"ResourceGroup","apiVersion":"resources.azure.com/v1api20200601storage"} "name"="aso-rg-sampletest" "namespace"="default"

**Expected behavior**

Resource group should be created successfully through ASOv2 with managed identity.

**Screenshots**
If applicable, add screenshots to help explain your problem.

**Additional context**
Add any other context about the problem here.

[super-harsh]

Hi @shalinin00, could you please provide us with a bit more information on helm command you used to install ASO?

Also, For more information on ASO authentication modes, I'd suggest you refer to ASO authentication docs here

[shalinin00]

Hi @shalinin00, could you please provide us with a bit more information on helm command you used to install ASO?

Also, For more information on ASO authentication modes, I'd suggest you refer to ASO authentication docs here

Helm command -

helm upgrade --install aso2 aso2/azure-service-operator \
     --create-namespace \
     --namespace=azureserviceoperator-system \
     --set azureSubscriptionID=$AZURE_SUBSCRIPTION_ID \
     --set azureTenantID=$AZURE_TENANT_ID \
     --set azureClientID=$AZURE_CLIENT_ID \
     --set useWorkloadIdentityAuth=true \
     --set crdPattern='resources.azure.com/*;containerservice.azure.com/*;keyvault.azure.com/*;managedidentity.azure.com/*;eventhub.azure.com/*;dbformysql.azure.com/*'

Resource -

cat <<EOF | kubectl apply -f -
apiVersion: resources.azure.com/v1api20200601
kind: ResourceGroup
metadata:
  name: aso-sample-rg-5
  namespace: default
spec:
  location: westeurope
EOF

[shalinin00]

@super-harsh / Team,
Any update on this? Im stuck in creating resource group.

[matthchr]

is that the full ASO logs? Can you share a more complete set of logs from the ASO pod? The TLS handshake error may be nothing of concern and the actual problem is somewhere else in the logs.

Can you also confirm what message kubectl gives when you do the kubectl apply of the RG? Does it succeed? Or does it give an error? If error, what error?

What version of Kubernetes are you running on? IIRC this TLS error may be due to a Go bug that impacted 1.23-1.24: kubernetes/kubernetes#109022.

Note that if it is due to that bug, it's not breaking anything that I know of and the errors can mostly be ignored.

[shalinin00]

@ matthchr Thank you so much for the explanation. Appreciate your response.
I'm able to create resourcegroup from aso v2 controller and see it in Azure portal. But unable to GET resourcegroup.

[matthchr]

Do you have ASOv1 installed as well? Or some other operator which installs a CRD called resourcegroup?

Can you try using the fully specified CRD name instead of the shorthand? kubectl get resourcegroup.resources.azure.com should show it. It has to exist because ASO reconciled it.

You can also examine kubectl get crds to see what 2 CRDs you have that are named resourcegroup. I believe that Kubernetes prefers the one that was installed earlier when using the short name.

[shalinin00]

@matthchr Yes, i've ASOv1 installed. Now, I can GET all the created resources. Thank you so much!!
Also, i can see 2 CRD installed.

I hope this could be documented in the ASO v2 which will be helpful.

[A bit little of context] We have v1, and installing v2 as we need to migrate from v1 to v2.
will I face the similar issue for flexible server CRD as im planning to migrate from mysql to flexible server?

[matthchr]

You'll only face this issue where the actual CRD shortnames overlap. MySQL and MySQLFlexibleServer short names don't overlap, so you won't have this issue.

The only resource I am aware that has this issue in ASOv1 vs ASOv2 is ResourceGroup. It's not an "issue" so much as a confusing interaction. It's actually working as intended.

I think your problem is solved, so I've closed this issue and filed #3342 tracking some documentation improvements that should call this out more explicitly.