Merge pull request #204093 from anraghun/rbac-secret-rotation

PRMerger9 · web-flow · commit 121b58bca1b6 · 2022-07-12T22:33:00.000-07:00
Azure RBAC doc updates
diff --git a/articles/azure-arc/kubernetes/azure-rbac.md b/articles/azure-arc/kubernetes/azure-rbac.md
@@ -57,7 +57,7 @@ A conceptual overview of this feature is available in the [Azure RBAC on Azure A
     az ad app update --id "${SERVER_APP_ID}" --set groupMembershipClaims=All
     ```
 
-1. Create a service principal and get its `password` field value. This value is required later as `serverApplicationSecret` when you're enabling this feature on the cluster.
+1. Create a service principal and get its `password` field value. This value is required later as `serverApplicationSecret` when you're enabling this feature on the cluster. Please note that this secret is valid for 1 year by default and will need to be [rotated after that](./azure-rbac.md#refresh-the-secret-of-the-server-application). Please refer to [this](/cli/azure/ad/sp/credential?view=azure-cli-latest&preserve-view=true#az-ad-sp-credential-reset) to set a custom expiry duration.
 
     ```azurecli
     az ad sp create --id "${SERVER_APP_ID}"
@@ -531,6 +531,19 @@ node-2    Ready    agent    6m42s    v1.18.14
 node-3    Ready    agent    6m33s    v1.18.14
 ```
 
+## Refresh the secret of the server application
+
+If the secret for the server application's service principal has expired, you will need to rotate it.
+
+```azurecli
+SERVER_APP_SECRET=$(az ad sp credential reset --name "${SERVER_APP_ID}" --credential-description "ArcSecret" --query password -o tsv)
+```
+
+Update the secret on the cluster. Please add any optional parameters you configured when this command was originally run.
+```azurecli
+az connectedk8s enable-features -n <clusterName> -g <resourceGroupName> --features azure-rbac --app-id "${SERVER_APP_ID}" --app-secret "${SERVER_APP_SECRET}"
+```
+
 ## Next steps
 
 > [!div class="nextstepaction"]
diff --git a/articles/azure-arc/kubernetes/cluster-connect.md b/articles/azure-arc/kubernetes/cluster-connect.md
@@ -158,7 +158,7 @@ A conceptual overview of this feature is available in [Cluster connect - Azure A
    kubectl create serviceaccount demo-user
    ```
 
-1. Create ClusterRoleBinding or RoleBinding to grant this [service account the appropriate permissions on the cluster](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#kubectl-create-rolebinding). Example:
+1. Create ClusterRoleBinding to grant this [service account the appropriate permissions on the cluster](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#kubectl-create-rolebinding). Example:
 
     ```console
     kubectl create clusterrolebinding demo-user-binding --clusterrole cluster-admin --serviceaccount default:demo-user
diff --git a/articles/azure-arc/kubernetes/troubleshooting.md b/articles/azure-arc/kubernetes/troubleshooting.md
@@ -155,7 +155,7 @@ To resolve this issue, try the following steps.
     cluster-metadata-operator-664bc5f4d-chgkl   2/2     Running            0          4m14s
     clusterconnect-agent-7cb8b565c7-wklsh       2/3     CrashLoopBackOff   0          1m15s
     clusteridentityoperator-76d645d8bf-5qx5c    2/2     Running            0          4m15s
-     config-agent-65d5df564f-lffqm               1/2     CrashLoopBackOff   0          1m14s
+    config-agent-65d5df564f-lffqm               1/2     CrashLoopBackOff   0          1m14s
      ```
 
 3. If the certificate below isn't present, the system assigned managed identity hasn't been installed.
@@ -168,10 +168,22 @@ To resolve this issue, try the following steps.
    name: azure-identity-certificate
    ```
 
-   To resolve this issue, try deleting the Arc deployment by running the `az connectedk8s delete` command and reinstalling it. If the issue continues to happen, it could be an issue with your proxy settings. In that case, [try connecting your cluster to Azure Arc via a proxy](./quickstart-connect-cluster.md#connect-using-an-outbound-proxy-server) to connect your cluster to Arc via a proxy.
+   To resolve this issue, try deleting the Arc deployment by running the `az connectedk8s delete` command and reinstalling it. If the issue continues to happen, it could be an issue with your proxy settings. In that case, [try connecting your cluster to Azure Arc via a proxy](./quickstart-connect-cluster.md#connect-using-an-outbound-proxy-server) to connect your cluster to Arc via a proxy. Please also verify if all the [network prerequisites](quickstart-connect-cluster.md#meet-network-requirements) have been met.
 
 4. If the `clusterconnect-agent` and the `config-agent` pods are running, but the `kube-aad-proxy` pod is missing, check your pod security policies. This pod uses the `azure-arc-kube-aad-proxy-sa` service account, which doesn't have admin permissions but requires the permission to mount host path.
 
+5. If the `kube-aad-proxy` pod is stuck in `ContainerCreating` state, check whether the kube-aad-proxy certificate has been downloaded onto the cluster.
+
+   ```console
+   kubectl get secret -n azure-arc -o yaml | grep name:
+   ```
+
+   ```output
+   name: kube-aad-proxy-certificate
+   ```
+
+   If the certificate is missing, please contact support.
+
 ### Helm validation error
 
 Helm `v3.3.0-rc.1` version has an [issue](https://github.com/helm/helm/pull/8527) where helm install/upgrade (used by the `connectedk8s` CLI extension) results in running of all hooks leading to the following error:
