Deployment of azure_arc_jumpstart/azure_edge_iot_ops/aks_edge_essentials_single fails

[JMayrbaeurl]

Is your issue related to a Jumpstart scenario, ArcBox, HCIBox, or Agora?

Yes. AKS Edge Essentials single node deployment with Azure Arc using ARM Template

Describe the issue or the bug

Connecting the local Kubernetes cluster with Azure Arc fails in 'az connectedk8s connect...'

To Reproduce
Simply follow the steps described at AKS Edge Essentials single node deployment with Azure Arc using ARM Template

Expected behavior

Upon successful run, a new Azure Arc-enabled server and Azure Arc-enabled Kubernetes cluster will be added to the resource group.

Environment summary

azure-cli 2.67.0
core 2.67.0
telemetry 1.1.0

Extensions:
connectedk8s 1.10.4
k8s-extension 1.6.2

Dependencies:
msal 1.31.0
azure-mgmt-resource 23.1.1

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\arcdemo.azure\cliextensions'

Python (Windows) 3.12.7 (tags/v3.12.7:0b05ead, Oct 1 2024, 03:06:41) [MSC v.1941 64 bit (AMD64)]

Have you looked at the Troubleshooting and Logs section?
Yes

Screenshots

Additional context
LogonScript.log

[JMayrbaeurl]

Found the root cause in the meantime. In custom.py of the connectedk8s extension at def install_kubectl_client() line 451 the attempt to install the kubectl with az aks install-cli fails with:

az aks install-cli --install-location "C:\Users\arcdemo.azure\kubectl-client\kubectl.exe"
The detected architecture of current device is "amd64", and the binary for "amd64" will be downloaded. If the detection is wrong, please download and install the binary corresponding to the appropriate architecture.
No version specified, will get the latest version of kubectl from "https://dl.k8s.io/release/stable.txt"
The command failed with an unexpected error. Here is the traceback:
<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)>
Traceback (most recent call last):
File "urllib\request.py", line 1344, in do_open
File "http\client.py", line 1336, in request
File "http\client.py", line 1382, in _send_request
File "http\client.py", line 1331, in endheaders
File "http\client.py", line 1091, in _send_output
File "http\client.py", line 1035, in send
File "http\client.py", line 1477, in connect
File "ssl.py", line 455, in wrap_socket
File "ssl.py", line 1041, in _create
File "ssl.py", line 1319, in do_handshake
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 666, in execute
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 733, in _run_jobs_serially
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 703, in _run_job
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 336, in call
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/acs/custom.py", line 1733, in k8s_install_cli
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/acs/custom.py", line 1877, in k8s_install_kubectl
File "urllib\request.py", line 215, in urlopen
File "urllib\request.py", line 515, in open
File "urllib\request.py", line 532, in _open
File "urllib\request.py", line 492, in _call_chain
File "urllib\request.py", line 1392, in https_open
File "urllib\request.py", line 1347, in do_open
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)>
To check existing issues, please visit: https://github.com/Azure/azure-cli/issuess

This can be avoided by using the already installed kubectl from AKS EE by setting the env variable KUBECTL_CLIENT_PATH to C:\Program Files\AksEdge\kubectl\kubectl.exe. The next attempt to az connectedk8s connect will complete successfully now.

[mrhoads]

Thanks for reporting this issue. I'll verify that the already-installed kubectl can be used and work that change in.