This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 90%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERG%3C/text%3E%3C/svg%3E)
After yesterday's mishaps that is described in https://learn.microsoft.com/en-us/answers/questions/1403535/how-to-fix-an-aks-cluster-that-is-in-state-rotatin we discovered today that one of our clusters didn't recover that well.
There are as far as I can see two different issues we're experiencing:
Updating state (our user pool is running normally).If these two are connected, or if they are connected to yesterday's issue is not clear, but they did arise after yesterday's issues, and they both affect us heavily.
Issue 1 prohibits us to do ANYTHING with the cluster configuration (except creating a new pool), so we decided to create a new system pool and then drain the old one, but this was effectively stopped by issue 2, since we have an NGINX instance that is running on our system nodes that retrieves certificates from a key vault using the azure key vault provider for secret store which are dependent of this setting.
This is the error we are getting from the secret store provider:
failed to process mount request" err="failed to get objectType:secret, objectName:certificate, objectVersion:: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://<keyvault>.vault.azure.net/secrets/certificate/?api-version=2016-10-01: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"Identity not found"} Endpoint http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&client_id=<clientid>&resource=https%3A%2F%2Fvault.azure.net
So the questions are:
azureKeyvaultSecretsProvider?
I'll answer my own issue for further reference.
We didn't find any reason for why the system pool was stuck in Updating state, neither the reason for why the azureKeyvaultSecretsProvider:identity configuration was gone. But, to fix the issue we did the following.
And then suddenly everything was back in order and we re-added the affinity and toleration to our NGINX ingress to move that back to the system pool.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 98%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
@Rune Gulbrandsen Thanks for sharing the update for others in the community.
I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!
Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer. Accepted answers show up at the top, resulting in improved discoverability for others.
Issue: System pool in AKS is stuck in Updating state
Solution: Customer shared - Removed the affinity and toleration that put our NGINX ingress into system pool and redeployed it to the user pools.
And then suddenly everything was back in order, and we re-added the affinity and toleration to our NGINX ingress to move that back to the system pool.
If your issue remains unresolved or have further questions, please let us know in the comments how we can assist. We are here to help you and strive to make your experience better and greatly value your feedback.