Hello,
AKS environment
We have set up a SecretProviderClass allowing us to synchronize any change from the Key Vault in order to take into account automated renewals of TLS certificates to be ultimately consumed by our ingress.
We are currently experiencing an issue updating certificates in our cluster.
When we look at metrics such as:
kubectl port-forward -n kube-system ds/aks-secrets-store-provider-azure 8898:8898
We see the following errors:
grpc_request_bucket{grpc_code="Unknown",grpc_message="failed to mount objects, error: failed to get objectType:secret, objectName:wildcard-greybox-ca, objectVersion:: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://GreyboxVault.vault.azure.net/secrets/wildcard-greybox-ca/?api-version=2016-10-01: StatusCode=500 -- Original Error: adal: Refresh request failed. Status Code = '500 '.Response body: {\"error\":\"server_error\",\"error_description\":\"Internal server error\"} Endpoint http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&client_id=c58481ee-abc2-4d06-8fd3-06bf31ca9928&resource=https%3A%2F%2Fvault.azure.net",grpc_method="/v1alpha1.CSIDriverProvider/Mount",os_type="linux",provider="azure",service_name="csi-secrets-store-provider-azure",telemetry_sdk_language="go",telemetry_sdk_name="opentelemetry",telemetry_sdk_version="0.20.0",le="0.1"} 0
Can you help me understand what is wrong?
Extra information:
From the creation of the environment, as long as there is no change on the Key Vault side, we do not encounter any error.
The environment has been created for more than 96 days as of today.
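To triage output like the metric line quoted in the question, the following added example (not part of the original post or of the CSI driver project) parses Prometheus text-format lines, handles escaped quotes in label values, and reports each failing object along with whether the failure occurred during the managed-identity token refresh. The sample input is constructed, with placeholder vault, object and client-id values, and the function names are hypothetical.

```python
import re

# Constructed sample in Prometheus text format, modelled on the line quoted in the
# question; vault name, object name and client id are placeholders.
SAMPLE = r'''
# TYPE grpc_request histogram
grpc_request_bucket{grpc_code="OK",grpc_message="",grpc_method="/v1alpha1.CSIDriverProvider/Mount",le="0.1"} 12
grpc_request_bucket{grpc_code="Unknown",grpc_message="failed to mount objects, error: failed to get objectType:secret, objectName:example-cert, objectVersion:: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://example-vault.vault.azure.net/secrets/example-cert/?api-version=2016-10-01: StatusCode=500 -- Original Error: adal: Refresh request failed. Status Code = '500'. Response body: {\"error\":\"server_error\"} Endpoint http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&client_id=00000000-0000-0000-0000-000000000000",grpc_method="/v1alpha1.CSIDriverProvider/Mount",le="0.1"} 0
grpc_request_bucket{grpc_code="Unknown",grpc_message="failed to mount objects, error: failed to get objectType:secret, objectName:example-cert, objectVersion:: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://example-vault.vault.azure.net/secrets/example-cert/?api-version=2016-10-01: StatusCode=500 -- Original Error: adal: Refresh request failed. Status Code = '500'. Response body: {\"error\":\"server_error\"} Endpoint http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&client_id=00000000-0000-0000-0000-000000000000",grpc_method="/v1alpha1.CSIDriverProvider/Mount",le="+Inf"} 3
'''

# key="value" pairs; a value may contain escaped quotes (\") and backslashes (\\)
LABEL = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def unescape(value):
    """Undo Prometheus label escaping: \\\\, \\" and \\n."""
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), value)

def parse_line(line):
    """Return (metric_name, labels) for a labelled sample, None for anything else."""
    line = line.strip()
    if not line or line.startswith("#") or "{" not in line:
        return None
    name, rest = line.split("{", 1)
    return name, {k: unescape(v) for k, v in LABEL.findall(rest)}

def failed_mounts(metrics_text):
    """List distinct (object, stage, grpc_code) tuples for non-OK requests."""
    seen, out = set(), []
    for line in metrics_text.splitlines():
        parsed = parse_line(line)
        if not parsed or parsed[1].get("grpc_code", "OK") == "OK":
            continue
        msg = parsed[1].get("grpc_message", "")
        obj = re.search(r"objectName:([^,\s]+)", msg)
        # A failure naming the instance metadata token endpoint happened while
        # obtaining the identity token, before the Key Vault request was authorized.
        stage = "identity-token" if "169.254.169.254/metadata/identity" in msg else "other"
        key = (obj.group(1) if obj else None, stage, parsed[1]["grpc_code"])
        if key not in seen:  # histogram buckets repeat the same label set
            seen.add(key)
            out.append(key)
    return out

if __name__ == "__main__":
    for obj, stage, code in failed_mounts(SAMPLE):
        print(f"{obj}: grpc_code={code}, failing stage={stage}")
```
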
Hi @Olivier Neu
Could you please share more details about which AKS version you are using and which CSI driver version?