Followed the Azure walkthrough and the logs for the externaldns service show the following:
time="2017-08-02T13:49:42Z" level=info msg="config: &{Master: KubeConfig: Sources:[service] Namespace: FQDNTemplate: Compatibility: Provider:azure GoogleProject: DomainFilter:[evillgenius.com] AzureConfigFile:/etc/kubernetes/azure.json AzureResourceGroup:evillgenius_dns_rg Policy:sync Registry:txt TXTOwnerID:default TXTPrefix: Interval:1m0s Once:false DryRun:false LogFormat:text MetricsAddress::7979 Debug:false}"
time="2017-08-02T13:49:42Z" level=info msg="Connected to cluster at https://10.0.0.1:443"
time="2017-08-02T13:50:12Z" level=error msg="azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/648dcb5a-de1e-48b2-af6b-fe6ef28d355c/resourceGroups/evillgenius_dns_rg/providers/Microsoft.Network/dnsZones?api-version=2016-04-01: StatusCode=0 -- Original Error: adal: Failed to execute the refresh request. Error = 'Post https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token?api-version=1.0: dial tcp: i/o timeout'"
Hi @evillgenius75
Error = 'Post https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token?api-version=1.0: dial tcp: i/o timeout'"
suggests that ExternalDNS can't reach login.microsoftonline.com. This is more likely a problem with your cluster. I don't know if Azure puts any restrictions on pods in your cluster by default. It could also be KubeDNS not being able to look up the host or your pod not being able to connect to the KubeDNS pod itself.
You would have to share some more information about your cluster in order for us to help any further.
We set up a new ACS cluster yesterday and then configured ExternalDNS as per the Azure tutorial. For us it worked out of the box.
Did you figure anything out @evillgenius75? Like @linki suggested, it takes some more information to be able to successfully close the issue. I've seen some teams "harden" their cluster security, only whitelisting certain IPs and/or URLs. Outbound network traffic not matching it gets dropped. Have you done something like that for example?
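The two causes raised in the replies above (KubeDNS not resolving the host, or outbound traffic being dropped) leave different traces in Go's dial errors, so the log line itself helps tell them apart. The following is an added example, not part of the thread or of ExternalDNS: a heuristic classifier that assumes Go's usual error formatting, where an address appears after `dial tcp` only once name resolution has returned one. The sample lines, the `TENANT` and `SUB` placeholders and the IP address are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Stage is the step at which Go's dialer gave up, inferred from the error text.
type Stage string

const (
	StageDNS     Stage = "dns-lookup"  // no address in the error: the resolver never answered
	StageConnect Stage = "tcp-connect" // address present: resolved, then blocked or dropped
	StageOther   Stage = "other"
)

var (
	// Host of the request that failed, e.g. "Post https://host/path: dial tcp ..."
	hostRe = regexp.MustCompile(`(?:Post|Get) "?https?://([^/":\s]+)\S*: dial tcp`)
	// "dial tcp 203.0.113.10:443: ..." carries the address that was dialed.
	addrRe = regexp.MustCompile(`dial tcp \S+:\d+: `)
)

// Classify returns the failing host and the inferred stage for one log line.
func Classify(line string) (host string, stage Stage) {
	if m := hostRe.FindStringSubmatch(line); m != nil {
		host = m[1]
	}
	switch {
	case addrRe.MatchString(line):
		return host, StageConnect
	case strings.Contains(line, "dial tcp: "):
		return host, StageDNS
	}
	return host, StageOther
}

// Constructed sample lines; tenant/subscription IDs and the IP are placeholders.
var samples = []string{
	`level=error msg="adal: Failed to execute the refresh request. Error = 'Post https://login.microsoftonline.com/TENANT/oauth2/token?api-version=1.0: dial tcp: i/o timeout'"`,
	`level=error msg="Error = 'Post https://login.microsoftonline.com/TENANT/oauth2/token?api-version=1.0: dial tcp 203.0.113.10:443: i/o timeout'"`,
	`level=error msg="Get https://management.azure.com/subscriptions/SUB/resourceGroups: dial tcp: lookup management.azure.com on 10.0.0.10:53: no such host"`,
}

func main() {
	for _, l := range samples {
		host, stage := Classify(l)
		fmt.Printf("%-28s %s\n", host, stage)
	}
}
```

A `dns-lookup` result points at the pod's resolver path (KubeDNS, the pod's DNS policy), while `tcp-connect` points at egress filtering or routing between the pod and the resolved address.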
check the contents of your /etc/kubernetes/azure.json
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: toolbox
  namespace: kube-system
  annotations:
    description: toolbox to open a shell upon to look around in the node
spec:
  replicas: 1
  template:
    metadata:
      labels:
        service: toolbox
    spec:
      volumes:
        # The node's root filesystem, exposed to the pod via hostPath
        - name: node-root
          hostPath:
            path: /
      containers:
        - name: toolbox
          image: debian
          # Keep the container running so a shell can be opened in it
          command:
            - tail
            - -f
            - /dev/null
          volumeMounts:
            # The node's /etc/kubernetes/azure.json appears at /node_root/etc/kubernetes/azure.json
            - name: node-root
              mountPath: /node_root
              readOnly: false
I have this problem with a cluster I created; I first created my cluster with Basic networking and it worked fine. I realized I needed to put my cluster in advanced networking so that I could put it in an existing VNet.
The ingress never gets an endpoint assigned and the logs show this:
time="2018-06-16T15:15:21Z" level=error msg="azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/*********/resourceGroups/MC_******dev_westeurope/providers/Microsoft.Network/dnsZones?api-version=2016-04-01: StatusCode=0 -- Original Error: adal: Failed to execute the refresh request. Error = 'Post https://login.microsoftonline.com/************/oauth2/token?api-version=1.0: dial tcp: i/o timeout'"
I created a container inside the cluster and I am able to curl that URL. I have no idea why it is unreachable from there.
Did you ever fix this? I'm having the same issue.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
@fejta-bot: Closing this issue.