Description
Note: Make sure to check out known issues (https://akv2k8s.io/troubleshooting/known-issues/) before submitting
Components and versions
Select which component(s) the bug relates to with [X].
- [X] Controller, version: 1.7.3 (docker image tag)
- [ ] Env-Injector (webhook), version: x.x.x (docker image tag)
- [ ] Other
When using Certificate-Sync on the Controller node (not tested on the Env Injector node) with Environment Authentication (other methods of authentication not tested), certificates are syncing as expected; however, multiple 401 Unauthorized log entries are being generated in the KeyVault's logs in the Azure Portal. Additionally, there is nothing in the AKS Controller logs indicating the occurrence of a 401 event. After removing the AzureKeyVaultSecret CRD, the 401 log entries disappear.
To Reproduce
Steps to reproduce the behavior:
1. Create an App Registration in Azure which will be used for authentication.
2. Generate a Client Secret for the App Registration and save the token value for later.
3. Assign the following permissions to the App Registration for the KeyVault that will be used with akv2k8s:
   a) Using RBAC: assign "Key Vault Certificate User" and "Key Vault Secrets User" to the App Registration
   b) Using Access policies: assign "Secret Permissions - Get" and "Certificate Permissions - Get" to the App Registration
4. Install akv2k8s with authentication type = environment:
   ```shell
   kubectl create ns akv2k8s
   kubectl config set-context --current --namespace=akv2k8s
   helm repo add spv-charts https://charts.spvapi.no
   helm repo update
   helm upgrade --install akv2k8s spv-charts/akv2k8s --namespace akv2k8s
   kubectl create secret generic service-principal-auth --from-literal AZURE_TENANT_ID='<tenant-id-of-AppRegistration>' --from-literal AZURE_CLIENT_ID='<client-id-of-AppRegistration>' --from-literal AZURE_CLIENT_SECRET='<client-secret-generated-in-AppRegistration>'
   helm upgrade --install akv2k8s spv-charts/akv2k8s --namespace akv2k8s --set global.keyVaultAuth=environment --set global.envFromSecret[0].name=service-principal-auth --set env_injector.enabled=false --set global.logLevel=trace
   ```
5. Upload a PFX certificate to the KeyVault (my-pfxcert).
6. Create a new AzureKeyVaultSecret in a namespace other than akv2k8s:
   ```shell
   kubectl create ns my-namespace
   ```
   Create the following file my-akv.yaml:
   ```yaml
   apiVersion: spv.no/v2beta1
   kind: AzureKeyVaultSecret
   metadata:
     name: certificate-sync
     namespace: my-namespace
   spec:
     vault:
       name: my-keyvault
       object:
         name: my-pfxcert
         type: certificate
     output:
       secret:
         name: my-pfxsecret
         type: kubernetes.io/tls
   ```
   Apply the file:
   ```shell
   kubectl apply -f .\my-akv.yaml
   ```
7. Wait 5 - 10 minutes for logs to start generating in Azure.
8. Check the Azure logs of my-keyvault in the Azure Portal:
   a) Go to my-keyvault > Monitoring > Logs
   b) Run the following query (Time range = Last 30 minutes):
   ```kusto
   AzureDiagnostics | where ResultSignature != "OK" | top 50 by TimeGenerated desc
   ```

Result: You will see a bunch of Unauthorized 401 attempts coming from the IP address of your Controller node in AKS. my-pfxcert will be syncing as expected, and no logs appear in the Controller indicating a reason for the 401 Unauthorized KeyVault logs.
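The KQL query above only lists the non-OK rows. The script below is an added example, not code from this issue or from the akv2k8s project: it performs the same triage offline over constructed AzureDiagnostics-style records, counting failures per caller IP, operation and HTTP status, and then pairing each 401 with a later success from the same caller for the same operation. That pairing is the shape produced by Key Vault's documented challenge-based authentication, where a first request without a bearer token receives a 401 carrying a WWW-Authenticate header and the client retries with a token; a 401 with no matching success is the one worth investigating. The column names (TimeGenerated, OperationName, ResultSignature, httpStatusCode_d, CallerIPAddress) come from the AzureDiagnostics schema exported by Key Vault; the sample records, the IP addresses and the 5-second pairing window are assumptions made for the example.

```python
"""Triage Key Vault AzureDiagnostics records for 401 entries (added example)."""
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records (not real logs). 203.0.113.5 plays the role of the
# AKS controller node: every 401 it produces is followed within a second by a
# 200 for the same operation. 198.51.100.7 is an unrelated caller with a 403
# and a 401 that is never followed by a success.
SAMPLE_LOG_LINES = [
    '{"TimeGenerated":"2021-05-01T10:00:00Z","OperationName":"CertificateGet","ResultSignature":"Unauthorized","httpStatusCode_d":401,"CallerIPAddress":"203.0.113.5"}',
    '{"TimeGenerated":"2021-05-01T10:00:01Z","OperationName":"CertificateGet","ResultSignature":"OK","httpStatusCode_d":200,"CallerIPAddress":"203.0.113.5"}',
    '{"TimeGenerated":"2021-05-01T10:00:01Z","OperationName":"SecretGet","ResultSignature":"Unauthorized","httpStatusCode_d":401,"CallerIPAddress":"203.0.113.5"}',
    '{"TimeGenerated":"2021-05-01T10:00:02Z","OperationName":"SecretGet","ResultSignature":"OK","httpStatusCode_d":200,"CallerIPAddress":"203.0.113.5"}',
    '{"TimeGenerated":"2021-05-01T10:10:00Z","OperationName":"CertificateGet","ResultSignature":"Unauthorized","httpStatusCode_d":401,"CallerIPAddress":"203.0.113.5"}',
    '{"TimeGenerated":"2021-05-01T10:10:01Z","OperationName":"CertificateGet","ResultSignature":"OK","httpStatusCode_d":200,"CallerIPAddress":"203.0.113.5"}',
    '{"TimeGenerated":"2021-05-01T10:12:00Z","OperationName":"SecretGet","ResultSignature":"Forbidden","httpStatusCode_d":403,"CallerIPAddress":"198.51.100.7"}',
    '{"TimeGenerated":"2021-05-01T10:15:00Z","OperationName":"CertificateGet","ResultSignature":"Unauthorized","httpStatusCode_d":401,"CallerIPAddress":"198.51.100.7"}',
]


def parse_records(lines):
    """Parse a JSON-lines export of AzureDiagnostics rows, adding a datetime and sorting by time."""
    records = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def non_ok(records):
    """Same filter as the KQL in the report: ResultSignature != "OK"."""
    return [r for r in records if r["ResultSignature"] != "OK"]


def summarize(records):
    """Count non-OK rows per (caller IP, operation, HTTP status)."""
    return Counter(
        (r["CallerIPAddress"], r["OperationName"], int(r["httpStatusCode_d"]))
        for r in non_ok(records)
    )


def classify_401s(records, window=timedelta(seconds=5)):
    """Split 401 rows into challenge-shaped ones (same caller and operation
    succeeds within `window`) and unexplained ones (no such success)."""
    successes = [r for r in records if 200 <= int(r["httpStatusCode_d"]) < 300]
    challenge, unexplained = [], []
    for r in records:
        if int(r["httpStatusCode_d"]) != 401:
            continue
        followed_by_success = any(
            s["CallerIPAddress"] == r["CallerIPAddress"]
            and s["OperationName"] == r["OperationName"]
            and r["ts"] <= s["ts"] <= r["ts"] + window
            for s in successes
        )
        (challenge if followed_by_success else unexplained).append(r)
    return challenge, unexplained


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG_LINES)
    for key, count in sorted(summarize(recs).items()):
        print(key, count)
    paired, stray = classify_401s(recs)
    print(f"{len(paired)} challenge-shaped 401s, {len(stray)} unexplained")
    for r in stray:
        print("investigate:", r["TimeGenerated"], r["CallerIPAddress"], r["OperationName"])
```

Whether the 401s in this report are challenge round-trips is not established by the issue; the per-caller summary is what to compare against the controller node's IP, and any 401 that lands in the unexplained list, or comes from an address you do not recognise, is the one to chase in the Key Vault and controller logs.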
Expected behavior
my-pfxcert syncs as expected, and the Azure KeyVault logs for my-keyvault are not spammed with 401 log entries.