
Certificate renewal logic fails because of the default behavior of Azure Key Vault #1387

Open
paf-dev opened this issue Oct 13, 2023 · 3 comments
Labels
kind/bug Some behavior is incorrect or out of spec

Comments

@paf-dev

paf-dev commented Oct 13, 2023

What happened?

So, we have a certificate that is stored in Azure Key Vault. For the certificate we have the following part of CertificateArgs:

LifetimeActions = new[]
{
    new CertificateCertificatePolicyLifetimeActionArgs
    {
        Action = new CertificateCertificatePolicyLifetimeActionActionArgs
        {
            ActionType = "AutoRenew",
        },
        Trigger = new CertificateCertificatePolicyLifetimeActionTriggerArgs
        {
            DaysBeforeExpiry = 10
        },
    },
}

Now is the time to trigger that renewal logic. When we run Pulumi we see the following error:

keyvault.BaseClient#ImportCertificate: Failure responding to request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=409 Code="Conflict" Message="Certificate certmanager-***6110abac26 is currently in a deleted but recoverable state, and its name cannot be reused; in this state, the certificate can only be recovered or purged." InnerError={"code":"ObjectIsDeletedButRecoverable"}

Note: the name of the certificate was edited to hide sensitive data behind ***.

The reason for the problem is clear, but doesn't it mean that the Certificate Lifetime Policy doesn't work at all when it collaborates with the Azure Key Vault?

Example

Everything is described in the section "What happened".

Output of pulumi about

CLI
Version 3.79.0
Go Version go1.21.0
Go Compiler gc

Plugins
NAME VERSION
azure 5.16.0
azure-native 1.71.0
azuread 5.28.0
azuredevops 2.5.0
dotnet unknown
kubernetes 3.21.0
random 4.8.2
tls 4.6.0

Host
OS Microsoft Windows 10 Pro
Version 10.0.19045 Build 19045
Arch x86_64

This project is written in dotnet: executable='C:\Program Files\dotnet\dotnet.exe' version='6.0.123'

Backend
Name pulumi.com


No dependencies found

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@paf-dev paf-dev added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Oct 13, 2023
@Frassle Frassle transferred this issue from pulumi/pulumi Oct 13, 2023
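The maintainer's first reply asks for the full resource definition, which the thread never supplies. What follows is an added example written for this page, not the reporter's program and not code from the Pulumi project: a complete Pulumi C# stack for the classic `azure` provider (the 5.x plugin in the `pulumi about` output) that owns the vault and declares a certificate carrying the same AutoRenew lifetime action quoted in the issue. Every name in it (`certs-rg`, `certs-kv`, `certmanager`, the subject and DNS name) is made up. The explicit `Provider` with `RecoverSoftDeletedCertificates` / `PurgeSoftDeletedCertificatesOnDestroy`, and the `Recover` / `Purge` entries in the access policy, are my understanding of the provider feature flags and Key Vault permissions that govern the "deleted but recoverable" state named in the 409; verify the property names against the provider documentation for your version before relying on them.

```csharp
using System.Threading.Tasks;
using Pulumi;
using Pulumi.Azure.Core;
using Pulumi.Azure.KeyVault;
using Pulumi.Azure.KeyVault.Inputs;
using AzureInputs = Pulumi.Azure.Inputs;

// Added example, not the reporter's code. All resource names are invented.
class CertStack : Stack
{
    [Output] public Output<string> CertificateSecretId { get; set; }
    [Output] public Output<string> CertificateThumbprint { get; set; }

    public CertStack()
    {
        var current = Output.Create(GetClientConfig.InvokeAsync());

        // Explicit provider so the Key Vault feature flags are visible in code.
        // Assumption: these map to the azurerm "features.key_vault" block; check
        // the property names against the pulumi-azure version you actually run.
        var provider = new Pulumi.Azure.Provider("azure-kv", new Pulumi.Azure.ProviderArgs
        {
            Features = new AzureInputs.ProviderFeaturesArgs
            {
                KeyVault = new AzureInputs.ProviderFeaturesKeyVaultArgs
                {
                    RecoverSoftDeletedCertificates = true,
                    PurgeSoftDeletedCertificatesOnDestroy = true,
                },
            },
        });
        var opts = new CustomResourceOptions { Provider = provider };

        var rg = new ResourceGroup("certs-rg", new ResourceGroupArgs
        {
            Location = "westeurope",
        }, opts);

        var vault = new KeyVault("certs-kv", new KeyVaultArgs
        {
            ResourceGroupName = rg.Name,
            Location = rg.Location,
            TenantId = current.Apply(c => c.TenantId),
            SkuName = "standard",
            // Soft delete cannot be switched off; the retention window (7..90 days,
            // default 90) is the only knob. A deleted certificate keeps its name
            // reserved for that long unless it is recovered or purged.
            SoftDeleteRetentionDays = 7,
            // Purge protection is the right setting for production vaults, but with
            // it on nobody can purge inside the window, so a name conflict can then
            // only be resolved by recovering the deleted object.
            PurgeProtectionEnabled = false,
            AccessPolicies = new[]
            {
                new KeyVaultAccessPolicyArgs
                {
                    TenantId = current.Apply(c => c.TenantId),
                    ObjectId = current.Apply(c => c.ObjectId),
                    // Recover and Purge are what the deploying identity needs in
                    // order to act on an "ObjectIsDeletedButRecoverable" object.
                    CertificatePermissions = new[]
                    {
                        "Create", "Delete", "Get", "Import", "List",
                        "Update", "Recover", "Purge",
                    },
                },
            },
        }, opts);

        var cert = new Certificate("certmanager", new CertificateArgs
        {
            Name = "certmanager",
            KeyVaultId = vault.Id,
            CertificatePolicy = new CertificateCertificatePolicyArgs
            {
                // "Self" lets Key Vault itself honour AutoRenew; with an "Unknown"
                // issuer the only lifetime action Key Vault accepts is EmailContacts.
                IssuerParameters = new CertificateCertificatePolicyIssuerParametersArgs { Name = "Self" },
                KeyProperties = new CertificateCertificatePolicyKeyPropertiesArgs
                {
                    Exportable = true,
                    KeySize = 2048,
                    KeyType = "RSA",
                    ReuseKey = false, // fresh key pair on every renewal
                },
                // The lifetime action exactly as quoted in the issue.
                LifetimeActions = new[]
                {
                    new CertificateCertificatePolicyLifetimeActionArgs
                    {
                        Action = new CertificateCertificatePolicyLifetimeActionActionArgs { ActionType = "AutoRenew" },
                        Trigger = new CertificateCertificatePolicyLifetimeActionTriggerArgs { DaysBeforeExpiry = 10 },
                    },
                },
                SecretProperties = new CertificateCertificatePolicySecretPropertiesArgs { ContentType = "application/x-pkcs12" },
                X509CertificateProperties = new CertificateCertificatePolicyX509CertificatePropertiesArgs
                {
                    Subject = "CN=certmanager.example.internal",
                    ValidityInMonths = 12,
                    KeyUsages = new[] { "digitalSignature", "keyEncipherment" },
                    SubjectAlternativeNames = new CertificateCertificatePolicyX509CertificatePropertiesSubjectAlternativeNamesArgs
                    {
                        DnsNames = new[] { "certmanager.example.internal" },
                    },
                },
            },
        }, opts);

        CertificateSecretId = cert.VersionlessSecretId;
        CertificateThumbprint = cert.Thumbprint;
    }
}

class Program
{
    static Task<int> Main() => Deployment.RunAsync<CertStack>();
}
```

Two points worth keeping in mind when reading the 409 against this. Soft delete is a protective control (it is what lets you undo an accidental or malicious deletion), so the answer to a name conflict is to grant the deploying identity `Recover` and `Purge` and act on the deleted object, not to shorten retention or weaken the vault. And when purge protection is enabled, which it should be outside of test environments, purge is refused for the whole retention window, so a program that deletes and recreates a certificate under the same name will hit exactly this error until it recovers the old object instead.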
@mikhailshilkov (Member)

@paf-dev Could you please share the entire definition of the resource? (with sensitive info redacted) Thank you!

> When we run Pulumi we see the following error

What are you changing in your program at this point?

@mikhailshilkov mikhailshilkov added awaiting-feedback Blocked on input from the author and removed needs-triage Needs attention from the triage team labels Oct 16, 2023
@paf-dev (Author)

paf-dev commented Oct 16, 2023

Hello @mikhailshilkov

> What are you changing in your program at this point?

We added the piece of code that I mentioned in the first message, the part with LifetimeActions. So now, when we run our pipeline, the logic tries to replace the certificate with a new one. But it fails because of the error I mentioned above.

I'm not sure if I understand what the definition of the resource means. Is it the properties of the resource that I can see on the pulumi portal in Resources section? Or is it something different?

@paf-dev (Author)

paf-dev commented Nov 13, 2023

@mikhailshilkov is there any chance to get some progress with the issue?

@iwahbe iwahbe removed the awaiting-feedback Blocked on input from the author label Feb 2, 2024
Development

No branches or pull requests

3 participants