This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 67%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELH%3C/text%3E%3C/svg%3E)
I am having trouble with a container runtime in a k8s cluster. I'm stuck.
Context: My org is moving away from using azure function apps as our production API runtime and moving toward using containerized web applications in managed AKS clusters.
In order to prevent work stoppage, we settled on a middle ground where we run our codebase inside of docker containers running the azure functions runtime.
Here's my dockerfile (very vanilla ... please note that I'm using dotnet 6.0 and in-process model which I hope to get away from very very soon):
FROM mcr.microsoft.com/dotnet/sdk:6.0 AS installer-env
COPY . /src
RUN dotnet restore "/src/AxonVR.Azure.Authentication/AxonVR.Azure.Authentication.csproj"
RUN dotnet build "/src/AxonVR.Azure.Authentication/AxonVR.Azure.Authentication.csproj" -c Release -o "/bin/build"
RUN dotnet publish "/src/AxonVR.Azure.Authentication/AxonVR.Azure.Authentication.csproj" -c Release -o "/home/site/wwwroot"
FROM mcr.microsoft.com/azure-functions/dotnet:4
ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
AzureFunctionsJobHost__Logging__Console__IsEnabled=true \
AZURE_FUNCTIONS_ENVIRONMENT=Production
COPY --from=installer-env ["/home/site/wwwroot", "/home/site/wwwroot"]
The most fundamental operation this application offers is an IDP integrated oauth login. When someone hits our function app URI in a browser, they're redirected to an IDP where our system can operate as the middle man and an oauth token issuer for the IDP it is proxying. As half that process, after authenticating against the IDP, the user is sent in the browser back to a URI that has another function app running behind it. The function app running under this URI processes the redirect from the IDP and directs the browser to place the token in browser local storage, or in a cookie, or wherever.
namespace controllers
{
public class UserAuthController
{
public const string RootUri = "api/v3/auth/user";
private readonly ILogger<UserAuthController> _logger;
public UserAuthController(ILogger<UserAuthController> log)
{
_logger = log;
}
[FunctionName("UserAuthRedirect")]
public async Task<IActionResult> UserAuthRedirect(
[HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = RootUri + "/redirect")] HttpRequest req)
{
_logger.LogWarning("UserAuthRedirect triggered.");
// business logic here
}
// other functions here
}
}
But none of this happens. The function app body is simply not executing. I have logging statements all over the code that aren't being reported out. The function app runtime is returning a 500 http response, but nothing is logged in application logs. I have reduced the logging level app-wide to Trace but still get nothing.
This is a sample of the logs that the application runtime is offering up. They're anything but helpful.
Request successfully matched the route with name 'UserAuthRedirect' and template 'api/v3/auth/user/redirect'
dbug: Microsoft.AspNetCore.Routing.RouteBase[1]
Request successfully matched the route with name 'UserAuthRedirect' and template 'api/v3/auth/user/redirect'
dbug: Microsoft.AspNetCore.Routing.RouteBase[1]
Request successfully matched the route with name 'UserAuthRedirect' and template 'api/v3/auth/user/redirect'
dbug: Microsoft.AspNetCore.Routing.RouteBase[1]
Request successfully matched the route with name 'UserAuthRedirect' and template 'api/v3/auth/user/redirect'
dbug: Microsoft.AspNetCore.Routing.RouteBase[1]
Request successfully matched the route with name 'UserAuthRedirect' and template 'api/v3/auth/user/redirect'
dbug: Microsoft.AspNetCore.Routing.RouteBase[1]
Request successfully matched the route with name 'UserAuthRedirect' and template 'api/v3/auth/user/redirect'
dbug: Microsoft.AspNetCore.Routing.RouteBase[1]
Request successfully matched the route with name 'UserAuthRedirect' and template 'api/v3/auth/user/redirect'
dbug: Microsoft.AspNetCore.Routing.RouteBase[1]
Request successfully matched the route with name 'UserAuthRedirect' and template 'api/v3/auth/user/redirect'
dbug: Microsoft.AspNetCore.Routing.RouteBase[1]
Request successfully matched the route with name 'UserAuthRedirect' and template 'api/v3/auth/user/redirect'
dbug: Microsoft.AspNetCore.Routing.RouteBase[1]
Request successfully matched the route with name 'UserAuthRedirect' and template 'api/v3/auth/user/redirect'
Prior to deploying this in a k8s cluster, I obviously tested it locally. The most suitable docker runtime I have on my local machine is docker compose. That works.
When I try this flow in docker compose, the request is processed normally, same as any other, and i get loads of logs. I get nothing when deployed in k8s. I can also just hit this URI directly and get a response with loads of logs without going through the full login flow
I don't understand why the azure function runtime in this docker container is failing to execute, and even more, just failing to log anything. There's no indication anywhere in this runtime as to what could be causing failure. Executing locally is different than running in the vr ag1 cluster. But those logs above are all I have, and they're totally useless.
Like I said, I have tried reducing the log-level to trace, I have double check that console logging is enabled in my host.json config.
{
"version": "2.0",
"logging": {
"logLevel": {
"default": "Trace",
"Host.Aggregator": "Trace",
"Host.Results": "Trace",
"Function": "Trace",
"Microsoft": "Trace",
"Worker": "Trace",
"Function.UserAuthRedirect.User": "Trace"
}
},
"extensions": {
"http": {
"routePrefix": ""
}
}
}
I really don't know what to do at this point. It just makes no sense because it's the same docker image and same functions runtime that runs when i start the container on my local machine. It's driving me crazy. If anyone has any ideas, I would love to hear them. Thanks in advance. :-)
Could you kindly use a supported version of DotNet and retry it? I can see as per https://dotnet.microsoft.com/en-us/download/dotnet/6.0 it says- "This release has reached end of life, meaning it is no longer supported. We recommend moving to a supported release, such as .NET 9.0. See our support policy for more details."
Hi Landon Hemsley, I did some digging and discovered the issue was caused by double api/ prefixing in the route mapping.
You have two options-
One is adjusting your curl/Browser Call
Update your call to curl http://<external-ip>/api/api/v3/auth/user/redirect
This will properly reach the function as per how Azure Functions maps routes by default (with the api/ prefix).
Option 2: Remove the default api prefix
If you'd prefer a cleaner route like /api/v3/auth/user/redirect, you can disable the default api prefix by editing host.json like so:
{
"version": "2.0",
"extensions": {
"http": {
"routePrefix": ""
}
}
}
Then rebuild and redeploy your container to AKS
docker build -t <acr-name>.azurecr.io/myfuncapp:latest .
docker push <acr-name>.azurecr.io/myfuncapp:latest
kubectl rollout restart deployment myfuncapp -n <namespace>
I tried the same. Created an AKS cluster attached it to my ACR
In my Dockerfile I switched to isolated process model
FROM mcr.microsoft.com/azure-functions/dotnet-isolated:4.0
```here's my dockerfile
```Dockerfile
FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
WORKDIR /src
COPY . .
RUN dotnet publish -c Release -o /app
FROM mcr.microsoft.com/azure-functions/dotnet-isolated:4.0
WORKDIR /home/site/wwwroot
COPY --from=build /app .
ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
AzureFunctionsJobHost__Logging__Console__IsEnabled=true \
AZURE_FUNCTIONS_ENVIRONMENT=Development
and created a deployment inside it
apiVersion: v1
kind: Namespace
metadata:
name: funcapp
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: myfuncapp
namespace: funcapp
spec:
replicas: 1
selector:
matchLabels:
app: myfuncapp
template:
metadata:
labels:
app: myfuncapp
spec:
containers:
- name: myfuncapp
image: funcacr90417903.azurecr.io/myfuncapp:latest
ports:
- containerPort: 80
env:
- name: AzureFunctionsJobHost__Logging__Console__IsEnabled
value: "true"
- name: AZURE_FUNCTIONS_ENVIRONMENT
value: "Development"
---
apiVersion: v1
kind: Service
metadata:
name: myfuncapp-service
namespace: funcapp
spec:
selector:
app: myfuncapp
ports:
- protocol: TCP
port: 80
targetPort: 80
type: LoadBalancer
checked the service. Got the IP
Pods are up and your Azure Function as well.
One more thing. The reason why you were not getting proper logs because Azure Functions in-process model doesn’t support full ASP.NET-style controller-based patterns with constructor injection the way ASP.NET Core MVC does. Constructor-based DI (ILogger<UserAuthController> log) is valid, but requires Startup.cs configuration. If Startup.cs is not properly wired up or the DI fails silently, the function won’t be executed, and no logs will appear.
In-Process Function Model + Controller Class + DI
public class UserAuthController
{
[FunctionName("UserAuthRedirect")]
public async Task<IActionResult> UserAuthRedirect(
[HttpTrigger(...)] HttpRequest req)
You don’t need Startup.cs, and the class-based DI works out-of-the-box
Let me know if you have any additional questions. If this was helpful kindly accept and upvote my answer. Thanks
Sadly, this is not it. In my OP I included the full host.json. If you look closely, you can see I had already removed the route prefix.
I will post an update on the OP; i have since changed the runtime to an officially supported version, and changed to a worker-process model, but still get the same error. Updates to come...
{
"version": "2.0",
"logging": {
"logLevel": {
"default": "Trace",
"Host.Aggregator": "Trace",
"Host.Results": "Trace",
"Function": "Trace",
"Microsoft": "Trace",
"Worker": "Trace",
"Function.DeviceAuthRequest.User": "Trace",
"Function.HealthCheck.User": "Trace",
"Function.ValidateToken.User": "Trace",
"Function.UserAuthRequest.User": "Trace",
"Function.UserAuthRedirect.User": "Trace",
"Function.GetUserInfo.User": "Trace",
"Function.UserAuthRenew.User": "Trace",
"Function.UserAuthRevoke.User": "Trace",
"Function.Version.User": "Trace"
}
},
"extensions": {
"http": {
"routePrefix": ""
}
}
}
I have updated the runtime to dotnet 8, and also changed from an in-process model to a worker process model. I still get the same 500s and the same errors
dbug: Microsoft.AspNetCore.Routing.RouteBase[1]
Request successfully matched the route with name 'UserAuthRedirect' and template 'api/v3/auth/user/redirect'
dbug: Microsoft.AspNetCore.Routing.RouteBase[1]
Request successfully matched the route with name 'UserAuthRedirect' and template 'api/v3/auth/user/redirect'
dbug: Microsoft.AspNetCore.Routing.RouteBase[1]
Request successfully matched the route with name 'UserAuthRedirect' and template 'api/v3/auth/user/redirect'
dbug: Microsoft.AspNetCore.Routing.RouteBase[1]
Request successfully matched the route with name 'UserAuthRedirect' and template 'api/v3/auth/user/redirect'
dbug: Microsoft.AspNetCore.Routing.RouteBase[1]
Request successfully matched the route with name 'UserAuthRedirect' and template 'api/v3/auth/user/redirect'
dbug: Microsoft.AspNetCore.Routing.RouteBase[1]
Request successfully matched the route with name 'UserAuthRedirect' and template 'api/v3/auth/user/redirect'
UPDATE: I found the cause. Turns out it has nothing to do with the runtime. It has to do with the function app keys that I had designated for my application.
As deployed into the cluster, I have this configuration value set up...
AzureWebJobsSecretStorageType=kubernetes
The documentation here says that this is only supported when running the container in k8s, which I am.
I have a secret defined in my cluster where i've got the keys stored. Here's the manifest with the relevant values highlighted.
apiVersion: v1
data:
functions.userauthredirect.default: ++++++++
host.master: ++++++++
kind: Secret
immutable: true <----- this is what caused the problems
metadata:
annotations:
ecosystem: dotnet
owning-team: vrbe
pillar: VR
runtime: Azure functions host runtime in docker
creationTimestamp: '2025-03-25T18:57:09Z'
labels:
app: vrbe-auth
argocd.argoproj.io/instance: vrbe-auth
helm.sh/chart: common-1.0.0
name: vrbe-auth-fn-keys
namespace: vrbe
resourceVersion: '336197458'
uid: 26460870-c4a2-409c-aab6-0ea21fdd5d3b
type: Opaque
Once I removed the immutable key out of the secret, I was able to make the request and get a response that wasn't just a flat 500.
It is worth noting that there is next to no documentation about how to structure the kubernetes secret in the Microsoft documentation. I had been under the impression that you set the keys once and then that the function app runtime wouldn't need to access it for writes, only for reads.
Welp, I certainly was wrong.
I'll be filing a documentation request agains the azure functions repo reporting this huge hole in the documentation.
Thanks for the update Landon Hemsley and for sharing the root cause — I’ve reviewed your latest findings, and you’re absolutely right. The issue in your case wasn't related to routing, host.json, or runtime compatibility — it was caused by the AzureWebJobsSecretStorageType=kubernetes configuration combined with an immutable: true setting on the Kubernetes secret. Kindly accept your own answer as a documented fix for this issue. Anyone searching for similar issue on QnA forum can refer to both of our answers and an work accordingly based on whichever usecase works for them. This should be good for the community. Thanks
I would like to select my own answer, but it doesn't appear I can. There is no "Accept answer" option on my own answer like there are others...
I have pinged you on private message. Lets connect there
Thanks to Landon Hemsley, the root cause of the issue lied in Immutable Kubernetes Secret. In Landon's initial configuration, he had enabled the following setting
AzureWebJobsSecretStorageType=kubernetes
Created a kubernetes secret as below-
apiVersion: v1
kind: Secret
metadata:
name: vrbe-auth-fn-keys
namespace: vrbe
type: Opaque
immutable: true # This is what caused the issue
data:
host.master: <base64-key>
functions.userauthredirect.default: <base64-key>
However, in this case the Azure Functions runtime attempted to write to the Kubernetes secret when initializing function keys even if the keys already exist.
Why?- When the secret is marked immutable, the runtime fails silently resulting in a 500 Internal Server Error and no function execution.
what was done to fix this issue?
Updated the secret as below-
Once the user removed the immutable key out of the secret, the user was able to make the request and get a response.
apiVersion: v1
kind: Secret
metadata:
name: vrbe-auth-fn-keys
namespace: vrbe
type: Opaque
data:
host.master: <base64-key>
functions.userauthredirect.default: <base64-key>
It’s worth noting that there is very little official documentation about how to properly structure Kubernetes secrets for Azure Functions when using AzureWebJobsSecretStorageType=kubernetes. A request has been taken to update the documentation for the same.
Thanks to everyone who took a look. Hopefully this helps the community to avoid the same pitfall.