[azure] remove dummy MSI_ENDPOINT

[polivbr]

For some reason, code was added to set the MSI_ENDPOINT environment to a dummy value, which prevents the retrieval of an access token when using managed identities. This PR removes this code.

[lareeth]

Related #2383

[hamza-tumturk]

I'm facing this issue with the release v0.10.0.
level=error msg="azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/(subscription)/resourceGroups/(resourceGroup)/providers/Microsoft.Network/dnsZones?api-version=2018-05-01: StatusCode=0 -- Original Error: adal: Failed to execute the refresh request. Error = 'Post \"http://dummy\": dial tcp: lookup dummy on 10.0.0.10:53: no such host'"

In which release was this bug introduced? And is there a known workaround for this to get managed identities with Azure working?

[kaganmersin]

In which release was this bug introduced? And is there a known workaround for this to get managed identities with Azure working?

Di̇d you find any working version or workaround solution until the next release that bug will be resolved ? Thanks

[lareeth]

The last working version is https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.9.0 which doesnt have the MSI_ENDPOINT commit

[kaganmersin]

The last working version is https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.9.0 which doesnt have the MSI_ENDPOINT commit

Yes I just checked that 0.9.0 is works for me

[duncan485]

Please review and merge this issue. This also causes issue with using aadpodidentity in conjunction with ExternalDNS

[phillebaba]

This seriously needs to be merged with an immediate version release as this basically breaks MSI for a lot of people. How was this merged in the first place?

[twendt]

The tests are failing with this PR as the adal code tries to do an http get on the msi endpoint which is not available outside of Azure and therefore fails.

I was able to fix it by setting the MSI_ENDPOINT in the test code in azure_test.go in line 472:

	os.Setenv("MSI_ENDPOINT", "http://dummy")
	token, err := getAccessToken(cfg, env)
	os.Unsetenv("MSI_ENDPOINT")

[phillebaba]

My question is why the tests would pass with the MSI_ENDPOINT set to dummy? In that case the tests are not testing anything really.

@njuettner is there anything that I can do to help move this along? It does not really seem like there is a maintainer for the Azure provider so dont really know who to reach out to 😃

[twendt]

The MS adal package which is being used by external-dns is trying to figure out which endpoint is supposed to be used. If the MSI_ENDPOINT environment variable is set, then that is used. If not then it tries to do an http get on the http://169.254.169.254/metadata/identity/oauth2/token which only works in Azure.

The solution to set the env var in the test is fine I would say, but it is not perfect since the returned token looks a little different. But the token is still an msi token and that is being verified by the test.
It is not the purpose of the test to verify that the function provided by the external package works correctly. Therefore I think this is ok.

I compiled the PR branch and verified that it works in our environment with a user assigned managed identity.

[njuettner]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: njuettner, polivbr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [njuettner]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[stevehipwell]

@Raffo @njuettner @seanmalloy any idea when this will be released, I assume it could be a patch? Currently v0.10 doesn't work in Azure with managed identity, but v0.10 is the recommended version for the available AKS K8s versions.

[Raffo]

I'm gonna have a look at the release problem this week.

[nabeelDanish]

Beginner here so can anyone help me here? I have my AKS Service configured to work with Ingress, but the Ingress log files show this same error

level=error msg="azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/(subscription)/resourceGroups/(resourceGroup)/providers/Microsoft.Network/dnsZones?api-version=2018-05-01: StatusCode=0 -- Original Error: adal: Failed to execute the refresh request. Error = 'Post \"http://dummy\": dial tcp: lookup dummy on 10.0.0.10:53: no such host'"

I want to know if this issue is resolved in Azure or not, and if not what is the workaround to this? Do you have to downgrade your Kubernetes or external-dns version for this? If that's the case how would you do that in Azure?

[duncan485]

Hi @nabeelDanish , what version of external-dns are you running? This issue was resolved in 0.11.0, and as far as I know only existed in 0.10.0

[nabeelDanish]

@duncan485 I am sorry I don't know that I am using Azure Kubernetes Service to deploy my multicontainerized application. Is there a way to find on Azure Cloud Shell which version of external-dns I am running? and if there is a way to upgrade the version?

[stevehipwell]

@nabeelDanish you need to manually install ExternalDNS on an AKS cluster. Could you explain how you got it installed and also lookup the image version from the Deployment?

[stevehipwell]

@nabeelDanish do you happen to be using HTTP application routing? If so I think that bundles ExternalDNS as a sub component and Azure/AKS should make sure they're using a compatible version of ExternalDNS.

I'm not sure if it makes a difference but it looks like the version has been updated to v0.10.2.