
[Azure K8S] Fixing service creation failures caused by an expired AKS secret (The provided client secret keys for app ****** are expired)

Published: 2023-05-31 19:23:11

Problem description

In Azure Kubernetes Service, create an Internal Load Balancer service using the following YAML:

internallb.yaml

apiVersion: v1
kind: Service
metadata:
  name: ilb-myapp
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  ports:
  - port: 80
  selector:
    app: myapp

Apply the YAML:

kubectl apply -f internallb.yaml

Check the service status; it stays at pending:

kubectl get service

## Output:
NAME               TYPE           CLUSTER-IP    EXTERNAL-IP   PORT(S)        AGE
ilb-myapp          LoadBalancer   10.0.32.246   <pending>     80:30198/TCP   92m
kubernetes         ClusterIP      10.0.0.1      <none>        443/TCP        13h

Check the service log:

"error_description":"AADSTS7000222: The provided client secret keys for app '********-****-****-****-************' are expired

kubectl describe service  ilb-myapp 

## Output:
Events:
  Type     Reason                    Age                  From                  Message
  ----     ------                    ----                 ----                  -------
  Warning  UpdateLoadBalancerFailed  45m (x26 over 82m)   service-controller    (combined from similar events): Error updating load balancer with new hosts map[aks-vmss000002:{} aks-vmss000003:{} aks-vmss000006:{} aks-vmss000007:{}]: shouldUpdateLoadBalancer: failed to list managed load balancers: Retriable: false, RetryAfter: 0s, HTTPStatusCode: 401, RawError: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to http://localhost:7788/*****: StatusCode=401 -- Original Error: adal: Refresh request failed. Status Code = '401'. Response body: {"error":"invalid_client","error_description":"AADSTS7000222: The provided client secret keys for app '********-****-****-****-************' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds.\r\nTrace ID: fa5035d2-1a6e-4b5a-85d0-910862a12501\r\nCorrelation ID: a184c126-96cb-42a9-8c4b-92869210e295\r\nTimestamp: 2023-05-31 02:33:46Z","error_codes":[7000222],"timestamp":"2023-05-31 02:33:46Z","trace_id":"fa5035d2-1a6e-4b5a-85d0-910862a12501","correlation_id":"a184c126-96cb-42a9-8c4b-92869210e295","error_uri":"https://login.chinacloudapi.cn/error?code=7000222"} 
  Normal   EnsuringLoadBalancer      37s (x25 over 95m)   service-controller    Ensuring load balancer
  Warning  ListLoadBalancers         37s (x152 over 91m)  azure-cloud-provider  (combined from similar events): Retriable: false, RetryAfter: 0s, HTTPStatusCode: 401, RawError: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to http://localhost:7788/*****: StatusCode=401 -- Original Error: adal: Refresh request failed. Status Code = '401'. Response body: {"error":"invalid_client","error_description":"AADSTS7000222: The provided client secret keys for app '********-****-****-****-************' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds.\r\nTrace ID: 277e6d9c-d663-4415-bff9-ef6610dc4f01\r\nCorrelation ID: 383589a0-2dd7-4c8e-a1a3-23a48ae8bd6d\r\nTimestamp: 2023-05-31 03:19:01Z","error_codes":[7000222],"timestamp":"2023-05-31 03:19:01Z","trace_id":"277e6d9c-d663-4415-bff9-ef6610dc4f01","correlation_id":"383589a0-2dd7-4c8e-a1a3-23a48ae8bd6d","error_uri":"https://login.chinacloudapi.cn/error?code=7000222"} 
 

 

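Solution

The error message shows that the app client secret has expired, so the fix is to replace it with a new secret. There are two steps:

Step 1: Using the Application ID from the error message, find the corresponding app registration in Azure AD.

In the app registration, generate a new Client Secret, then copy and save the new Secret (it is used in step 2).

Step 2: Use the az aks update-credentials command to update the secret value stored in the AKS cluster.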

  az aks update-credentials --resource-group <resource group name> --name <AKS Cluster name> --reset-service-principal --service-principal <App Application ID> --client-secret <Secret Value from step 1>

Command reference: https://docs.azure.cn/zh-cn/aks/update-credentials#update-aks-cluster-with-service-principal-credentials

After the command completes, check the Service status again: it is no longer Pending and has been assigned the correct IP address.
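
The outage above can be caught before it happens by checking when the cluster's service principal secret ends. The script below is an added example, not part of the original post: the function names and the 30-day warning window are assumptions, and it assumes an Azure CLI version that reports the `endDateTime` field for app credentials.

```shell
#!/bin/sh
# Added example: flag an AKS service principal secret before it expires.

# Days since 1970-01-01 for Y M D, integer math only (no GNU date needed).
days_from_civil() {
  y=$1; m=${2#0}; d=${3#0}          # strip leading zeros ("08" is not octal)
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400)); yoe=$((y - era * 400))
  doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + d - 1 ))
  echo $(( era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
}

# Accepts "2023-05-31T02:33:46Z", "2023-05-31 02:33:46Z" or "2023-05-31".
iso_to_days() {
  date_part=${1%%[T ]*}
  old_ifs=$IFS; IFS=-; set -- $date_part; IFS=$old_ifs
  days_from_civil "$1" "$2" "$3"
}

# classify_secret END_DATE TODAY WARN_DAYS -> expired | expiring | ok
classify_secret() {
  left=$(( $(iso_to_days "$1") - $(iso_to_days "$2") ))
  if [ "$left" -lt 0 ]; then echo expired
  elif [ "$left" -le "$3" ]; then echo expiring
  else echo ok; fi
}

# audit_aks_sp RESOURCE_GROUP CLUSTER [WARN_DAYS]; requires a logged-in az CLI.
audit_aks_sp() {
  sp_id=$(az aks show --resource-group "$1" --name "$2" \
    --query servicePrincipalProfile.clientId -o tsv) || return 1
  # AKS reports clientId "msi" for clusters that use a managed identity.
  if [ "$sp_id" = "msi" ]; then
    echo "$2 uses a managed identity; no client secret to expire"; return 0
  fi
  today=$(date -u +%Y-%m-%d)
  az ad app credential list --id "$sp_id" --query "[].endDateTime" -o tsv |
  while read -r end; do
    echo "$sp_id $end $(classify_secret "$end" "$today" "${3:-30}")"
  done
}
```

Run `audit_aks_sp <resource group name> <AKS Cluster name>` from a scheduled job and alert on any line ending in `expired` or `expiring`.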

 

References

Troubleshooting: https://docs.azure.cn/zh-cn/aks/kubernetes-service-principal?tabs=azure-cli#troubleshoot

Update an AKS cluster with service principal credentials: https://docs.azure.cn/zh-cn/aks

From: https://www.cnblogs.com/lulight/p/17447110.html
