Teleport AKS Auto Discovery not working for Azure China #37000
Comments
@AntonAM Hi Anton, can you please provide any update on this? We are currently blocked by this to roll out our solution on Azure China environments.
The root of the problem seems to be caused by the fact that Teleport isn't setting the Cloud when creating azure clients. This means it will always default to See Azure/azure-sdk-for-go#21807 for more details.
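A stand-alone diagnostic for the cloud mismatch described in the comment above, added here as an example (it is not Teleport or Azure SDK code, and not part of the thread): it builds the managed-identity token request for a chosen cloud and checks which audience a returned token was issued for. The cloud labels, function names and sample token are assumptions constructed for illustration; only the Go standard library is used.

```go
package main
import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// ARM token audience per cloud, as quoted in the issue; the keys are labels for this example.
var armAudience = map[string]string{
	"AzurePublic": "https://management.core.windows.net/",
	"AzureChina":  "https://management.core.chinacloudapi.cn/",
}

// imdsTokenURL builds the managed-identity token request (sent with header "Metadata: true").
func imdsTokenURL(cloud string) (string, error) {
	aud, ok := armAudience[cloud]
	if !ok {
		return "", fmt.Errorf("unknown cloud %q", cloud)
	}
	q := url.Values{"api-version": {"2018-02-01"}, "resource": {aud}}
	return "http://169.254.169.254/metadata/identity/oauth2/token?" + q.Encode(), nil
}

// checkAudience decodes the JWT payload (no signature check) and compares its aud claim.
func checkAudience(jwt, cloud string) error {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return fmt.Errorf("not a JWT")
	}
	var claims struct{ Aud string `json:"aud"` }
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &claims) != nil {
		return fmt.Errorf("cannot decode JWT payload")
	}
	if want := armAudience[cloud]; strings.TrimSuffix(claims.Aud, "/") != strings.TrimSuffix(want, "/") {
		return fmt.Errorf("token aud %q does not match %s audience %q", claims.Aud, cloud, want)
	}
	return nil
}

// sampleToken returns a constructed, unsigned JWT that carries only an aud claim.
func sampleToken(aud string) string {
	return "e30." + base64.RawURLEncoding.EncodeToString([]byte(`{"aud":"`+aud+`"}`)) + ".sig"
}

func main() {
	fmt.Println(checkAudience(sampleToken(armAudience["AzurePublic"]), "AzureChina"))
}
```

In azure-sdk-for-go itself the cloud is selected through the `Cloud` field of `azcore.ClientOptions` (for example `cloud.AzureChina`), which is the setting the comment says is left at its default.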
@waleed-cariad can you try running discovery service with environment variable
@AntonAM I have attached a log file named
Just to add, as mentioned here on Azure Docs, we are successfully able to get an access token by manually running the following on that Azure VM where Teleport Process is running with the VM being assigned a Managed Identity
This is the same as we are seeing in Teleport Logs when trying to run Teleport Processes to use Azure Managed identity of that VM where Teleport is deployed. Hope that helps. I guess you still don't support Azure China as mentioned here on line 88?
@AntonAM @rosstimothy Can you please let us know any timeline for this to be fixed? As I mentioned, we are blocked by this to roll-out our solution to China and we can't just do it in Europe only as that does not help us to keep our Architecture replicated in all regions. Also, we are in the process of buying Teleport licence hopefully but we need to make sure first that we can use teleport both in Europe and in China. Can you please help to fix this issue else we will be completely stuck by this.
Hi @waleed-cariad, this issue is not currently under active development. If you are a Teleport Enterprise customer (or in the process of becoming one) I would encourage you to raise this with your account rep. They'll be able to start some conversations internally that will help us determine when we can schedule this work.
Expected behavior:
Teleport AKS Auto Discovery service, when configured with the right access and roles, should get a token from Azure and discover all AKS clusters it has been given access to.
Current behavior:
We are trying to set-up Azure AKS auto-discovery as mentioned here: https://goteleport.com/docs/kubernetes-access/discovery/azure/
After initial set-up, when teleport discovery was enabled, we are seeing the following:
To add: the VM where teleport discovery service is running is configured with system-assigned-identity and also role-assignments has been configured for this identity to access AKS clusters.
Our understanding is: for China, the resource principal mentioned in the error above should be "https://management.core.chinacloudapi.cn/" besides "https://management.core.windows.net/"
Bug details: