Problem with doing helm install workload-identity-webhook
kwaksaewon opened this issue · 2 comments
Describe the bug
I'm following https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html to install the workload-identity-webhook.
The first two helm commands described in https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html#helm-3-recommended work fine. However, when I try to run the last command,
helm install workload-identity-webhook azure-workload-identity/workload-identity-webhook \
--namespace azure-workload-identity-system \
--create-namespace \
--set azureTenantID="${AZURE_TENANT_ID}"
I get an error message like this:
Error: INSTALLATION FAILED: Unable to continue with install: ClusterRole "azure-wi-webhook-manager-role" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: key "meta.helm.sh/release-name" must equal "workload-identity-webhook": current value is "aks-managed-workload-identity"; annotation validation error: key "meta.helm.sh/release-namespace" must equal "azure-workload-identity-system": current value is "kube-system"
I tried to manually update the meta.helm.sh/release-namespace and meta.helm.sh/release-name of azure-wi-webhook-manager-role, by doing this:
kubectl annotate clusterrole azure-wi-webhook-manager-role meta.helm.sh/release-name=workload-identity-webhook meta.helm.sh/release-namespace=azure-workload-identity-system --overwrite
and when I do the third helm install command again (helm install workload-identity-webhook...) from the github doc, I get this error.
Error: INSTALLATION FAILED: Unable to continue with install: ClusterRoleBinding "azure-wi-webhook-manager-rolebinding" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: key "meta.helm.sh/release-name" must equal "workload-identity-webhook": current value is "aks-managed-workload-identity"; annotation validation error: key "meta.helm.sh/release-namespace" must equal "azure-workload-identity-system": current value is "kube-system"
Then I tried to manually update meta.helm.sh/release-namespace and meta.helm.sh/release-name of azure-wi-webhook-manager-rolebinding, by doing this:
kubectl annotate clusterrolebinding azure-wi-webhook-manager-rolebinding meta.helm.sh/release-namespace=azure-workload-identity-system meta.helm.sh/release-name=workload-identity-webhook --overwrite
Then I tried to do the third helm install command again (helm install workload-identity-webhook...) from the github doc, and I circle back to the first error I saw with azure-wi-webhook-manager-role.
Steps To Reproduce
helm repo add azure-workload-identity https://azure.github.io/azure-workload-identity/charts
helm repo update
helm install workload-identity-webhook azure-workload-identity/workload-identity-webhook \
--namespace azure-workload-identity-system \
--create-namespace \
--set azureTenantID="${AZURE_TENANT_ID}"
Expected behavior
namespace/azure-workload-identity-system created
NAME: workload-identity-webhook
LAST DEPLOYED: Wed Aug 4 10:49:20 2021
NAMESPACE: azure-workload-identity-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
Logs
Environment
- Kubernetes version (use kubectl version):
Client Version: v1.29.1
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.27.9
WARNING: version difference between client (1.29) and server (1.27) exceeds the supported minor version skew of +/-1
- Cloud provider or hardware configuration: Microsoft Azure
- OS (e.g: cat /etc/os-release): Microsoft Windows 11 Enterprise
- Kernel (e.g. uname -a):
//Get-WmiObject -Class Win32_OperatingSystem
SystemDirectory : C:\WINDOWS\system32
Organization :
BuildNumber : 22631
RegisteredUser :
SerialNumber : <not including this info>
Version : 10.0.22631
- Install tools: Not sure what to put for this
- Network plugin and version (if this is a network-related bug): N/A
- Others:
Additional context
Also, why is this step marked as 'Recommended' in the github doc? Is it not required?
I had the same issue. I ended up not installing workload identity using helm and things are working.
kubectl get clusterrole azure-wi-webhook-manager-role -o yaml # shows already installed
I think that clusterrole is added when you run
az aks update -g <group> -n <aks_cluster_name> --enable-oidc-issuer --enable-workload-identity
Yeah you're right, I see that the azure-wi-webhook-manager-role role is already installed, after I ran that az aks update command. Thanks!
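A preflight check for the conflict reported in this thread, as an added example that is not part of the issue or the project's own tooling: it reads the Helm ownership annotations of existing cluster-scoped objects and reports any that belong to a different release, so the owner is identified before anyone overwrites RBAC annotations. The function names, the `azure-wi-webhook` name prefix filter and the sample rows are assumptions built from the values quoted in the errors above.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or the azure-workload-identity project.
# Input rows on stdin: "KIND NAME RELEASE-NAME RELEASE-NAMESPACE", for example from
#   kubectl get clusterrole,clusterrolebinding --no-headers -o custom-columns=COLS
# with COLS set to
#   'K:.kind,N:.metadata.name,R:.metadata.annotations.meta\.helm\.sh/release-name,NS:.metadata.annotations.meta\.helm\.sh/release-namespace'

# foreign_owners RELEASE NAMESPACE [NAME_PREFIX]
# Prints one line per existing object that Helm would refuse to adopt into
# RELEASE/NAMESPACE. Returns 1 if any were found, 0 if the names are free.
foreign_owners() {
  awk -v rel="$1" -v ns="$2" -v pfx="${3:-azure-wi-webhook}" '
    BEGIN { bad = 0 }
    index($2, pfx) != 1   { next }   # not one of the webhook objects
    $3 == rel && $4 == ns { next }   # already owned by the release being installed
    $3 == "<none>" {                 # kubectl prints <none> for a missing annotation
      printf "%s/%s exists without Helm ownership metadata\n", $1, $2
      bad = 1; next
    }
    { printf "%s/%s is owned by release %s in namespace %s\n", $1, $2, $3, $4; bad = 1 }
    END { exit bad }
  '
}

# Constructed sample rows, using the object and release names from the errors above.
SAMPLE_ROWS='ClusterRole azure-wi-webhook-manager-role aks-managed-workload-identity kube-system
ClusterRoleBinding azure-wi-webhook-manager-rolebinding aks-managed-workload-identity kube-system
ClusterRole view <none> <none>'

# preflight RELEASE NAMESPACE: run the check over the sample rows and summarise.
preflight() {
  local out
  if out=$(printf '%s\n' "$SAMPLE_ROWS" | foreign_owners "$1" "$2"); then
    echo "no conflicting owners: helm install can proceed"
  else
    printf '%s\n' "$out"
    echo "another release manages these objects: do not overwrite its annotations"
    return 1
  fi
}

preflight workload-identity-webhook azure-workload-identity-system || true
```

A hit on the aks-managed-workload-identity release in kube-system means the webhook objects already exist under another owner, which the replies above attribute to enabling workload identity on the cluster with az aks update.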