How to use static External IP for Azure kubernetes LoadBalancer?

Question

I created a deployment at AKS:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend
spec:
  replicas: 1
  selector:
    matchLabels:
      io.kompose.service: frontend
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        io.kompose.service: frontend
    spec:
      containers:
      - image: app:latest
        name: frontend
        volumeMounts:
        - mountPath: /app/db
          name: db
        - mountPath: /root/.aspnet/https
          name: https
          readOnly: true
        env:
        - name: ASPNETCORE_URLS
          value: "https://+;http://+"
        - name: ASPNETCORE_HTTPS_PORT
          value: "443"
        - name: ASPNETCORE_Kestrel__Certificates__Default__Path
          value: "/root/.aspnet/https/cert.pfx"
        - name: ASPNETCORE_Kestrel__Certificates__Default__Password
          valueFrom:
            secretKeyRef:
              name: certificate-pass
              key: pass
      restartPolicy: Always
      serviceAccountName: ""
      volumes:
      - name: db
        persistentVolumeClaim:
          claimName: db
      - name: https
        secret:
          secretName: certificate
          items:
          - key: file
            path: cert.pfx

and a service:

apiVersion: v1
kind: Service
metadata:
  name: frontend-service
spec:
  selector:
    io.kompose.service: frontend
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
    - name: https
      protocol: TCP
      port: 443
      targetPort: 443
  type: LoadBalancer

Service is created successfully. I can access it using provided External IP:

Now I want to make this IP static. There is an official docs which tells how to make it: Use a static public IP address and DNS label with the Azure Kubernetes Service (AKS) load balancer

There is also an article which technically duplicates the docs, but in a bit more details: Use a static public IP address outside of the node resource group with the Azure Kubernetes Service (AKS) load balancer

I am able to create an IP address, but when I reach az role assignment create command it fails ($GROUP here is just a placeholder for real Resource group literal):

$ CLIENT_ID=$(az aks show --resource-group Default --name k8s --query "servicePrinci
palProfile.clientId" --output tsv)
$ SUB_ID=$(az account show --query "id" --output tsv)
$ az role assignment create --assignee $CLIENT_ID --role "Network Contributor" --scope /subscriptions/$SUB_ID/resourceGroups/$GROUP

If the assignee is an appId, make sure the corresponding service principal is created with 'az ad sp create --id $CLIENT_ID

When I try proposed command if fails:

$ az ad sp create --id $CLIENT_ID
Another object with the same value for property servicePrincipalNames already exists.

I found similar issue at GitHub Azure/azure-cli repo, but there is no answer.

If I skip this step and set loadBalancerIP: XXX.XXX.XXX.XXX at config level, load balancer has a new property Load balancer IP, but External IP is not changed:

How to mitigate this error?

Do you still work on this question? I didn't get any response and you also do not accept it. — Charles Xu, Jan 25 '21 at 06:28

score 0 · Answer 1 · answered Jan 18 '21 at 02:35

According to the messages you provide, I'm very confused about why you need to run the command az ad sp create --id $CLIENT_ID, both the docs do not show the necessity to run this command.

As I know, you only need to assign the "Network Contributor" role of the group other than the AKS node group to the service principal of the AKS. That's the right step you need to do. I think you need to read the docs again with more attention.

score 0 · Accepted Answer · answered Jan 30 '21 at 17:26

0

I had to use literal value instead of a variable $CLIENT_ID. That helped.

answered Jan 30 '21 at 17:26

Skyblade

2,354
4
25
44

How to use static External IP for Azure kubernetes LoadBalancer?

2 Answers2