terraform helm release timeout while waiting for condition
I was facing the same issue (helm_release getting timed out). On further investigation, I found out that the Public IP was not getting assigned to the load balancer (kubectl describe svc nginx-ingress -n ingress-basic) because of incorrect RBAC permissions.
I was using Azure AKS Managed Identity feature by which Azure automatically creates a managed identity service principal which has only very limited permission (readonly permission to Managed Cluster resource group which is automatically created by AKS). My Pubic IP is in another resource group and load balancer was in managed resource group by AKS cluster.
Finally I was able to fix the issue by using 'Service Principal' option instead of managed identity in AKS cluster with 'contributor' access to subscription for the service principal.
So if any one is facing some issue with Managed Identity, please try using Service Principal with contributor access to the subscription, and that will fix the issue
To install the nginx-ingress in AKS cluster through helm in Terraform, here I show one way that available here. In this way, you need to install the helm in the machine which you want to run the terraform script. And then you also need to configure the helm to your AKS cluster. The steps in Configure the helm to AKS. You can check if the helm configured to AKS through installing something to the AKS.
When everything is ready. You just need to set the helm provider and use the resource helm_release
. The Terraform script to install the nginx-ingress shows here:
provider "helm" {
version = "~> 0.9"
}
resource "helm_release" "ingress" {
name = "application1"
chart = "stable/nginx-ingress"
version = "1.10.2"
namespace = "ingress-basic"
set {
name = "controller.replicaCount"
value = "1"
}
...
}
The process shows here:
This is just to install the nginx-ingress through helm in Terraform. If you want to create resources of the kubernetes. You can use the kubernetes in Terraform.
Update:
OK, to use a static public IP in another resource group for your ingress, you need to do two more steps.
- The service principal used by the AKS cluster must have delegated permissions to the other resource group which the public IP in. The permission should be "Network Contributor" at least.
- Set the ingress service annotations with the value of the resource group which the public IP in.
The annotation in the yaml file would like this:
annotations:
service.beta.kubernetes.io/azure-load-balancer-resource-group: myResourceGroup
For more details, see Use a static IP address outside of the node resource group.
Update1:
The code in the "helm_release":
resource "helm_release" "ingress" {
name = "application1223"
chart = "stable/nginx-ingress"
version = "1.10.2"
namespace = "ingress-basic"
set {
name = "controller.replicaCount"
value = "1"
}
set {
name = "controller.service.annotations.\"service\\.beta\\.kubernetes\\.io/azure-load-balancer-resource-group\""
value = "v-chaxu-xxxx"
}
set {
name = "controller.service.loadBalancerIP"
value = "13.68.175.40"
}
}
When it deploys successfully, the ingress service shows like this:
The info of the public IP which is in another resource group: