Azure / Azure-Spring-Apps

Azure Spring Cloud

Custom Domain Certificate not updated after KV update certificate rotation #13

Open ezYakaEagle442 opened 1 year ago

ezYakaEagle442 commented 1 year ago

https://learn.microsoft.com/en-us/azure/spring-apps/tutorial-custom-domain?tabs=Azure-portal#import-certificate shows how to import a certificate from KV when setting up a custom domain. However, while KV supports certificate rotation, the certificate is not then updated in ASA.

To Reproduce
Steps to reproduce the behavior:

  1. Deploy ASA
  2. Set up a custom domain following the above doc, using a certificate expiring after 1 day
  3. Wait 2 days and check the certificate self-rotation in KV
  4. Verify in ASA that the certificate used for the custom domain is still the old one, not the renewed one.

Expected behavior
The custom domain certificate should be updated in ASA.

Screenshots
N/A

Additional context
None

zmssp commented 1 year ago

Currently, ASA does not support cert auto-renewal. Since the cert is stored in the user's Key Vault, ASA does not know the status of the cert and may also not be able to access the resource. We've backlogged this request and may plan it in the future.

Customers need to manually update the cert. First, import the cert "newcert", then update the cert with `az spring-cloud app custom-domain update -s {serviceName} -g {resourceGroup} --app {appName} --domain-name {domainName} --certificate newcert`.

julienbourgoin-maif commented 1 year ago

Hi, even if ASA isn't aware of the original certificate in the Key Vault, we should be able to update the certificate that is stored in ASA under the same name, at least with a command like:

az spring certificate add -g resourcegroup -s asaname --name cert-name-in-asa --vault-uri https://kv-name.vault.azure.net --vault-certificate-name cert-name-in-kv

But, as the certificate already exists with the name cert-name-in-asa in Azure Spring Apps, it fails with the message `ERROR: Certificate with name 'cert-name-in-asa' already exists`; even if the certificate in the Key Vault has changed, it won't update it.

But it would of course be great if ASA automatically updated its certificate from the original one in the Key Vault :)
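The manual workaround described in the two comments above (import the rotated Key Vault certificate under a fresh ASA name, then re-point the custom domain at it), written out as an added example script. This is not code from the issue or from the Azure-Spring-Apps project. It uses the current `az spring` command group (the older `az spring-cloud` name in the earlier comment maps to the same operations) and assumes placeholder names for the resource group, service, app, domain and vault; the JMESPath output fields `x509ThumbprintHex` and `properties.thumbprint` are taken from the Azure CLI output as I know it and should be confirmed with `-o json` before relying on them. Mutating commands are printed rather than executed unless `DRY_RUN=0`.

```shell
#!/usr/bin/env bash
# Added example: roll an Azure Spring Apps custom-domain certificate after
# Key Vault has auto-rotated it. All names below are placeholders (assumed).
set -eu

RG="${RG:-my-rg}"                          # resource group (assumed)
SERVICE="${SERVICE:-my-asa}"               # Azure Spring Apps instance (assumed)
APP="${APP:-my-app}"                       # app with the custom domain (assumed)
DOMAIN="${DOMAIN:-www.example.com}"        # custom domain name (assumed)
KV_NAME="${KV_NAME:-my-kv}"                # Key Vault holding the cert (assumed)
KV_CERT="${KV_CERT:-cert-name-in-kv}"      # certificate name in Key Vault (assumed)
ASA_CERT_CURRENT="${ASA_CERT_CURRENT:-cert-name-in-asa}"  # name currently bound in ASA
ASA_CERT_BASE="${ASA_CERT_BASE:-cert-name-in-asa}"        # prefix for the new ASA name
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print mutating az commands only

# Normalise a thumbprint for comparison: drop colons/spaces, upper-case hex.
norm_thumbprint() {
  printf '%s' "$1" | tr -d ': ' | tr '[:lower:]' '[:upper:]'
}

# True (exit 0) when the ASA-bound thumbprint ($1) differs from the current
# Key Vault thumbprint ($2). An empty KV value means the lookup failed, so
# we refuse to rotate rather than bind nothing.
needs_rotation() {
  asa="$(norm_thumbprint "$1")"
  kv="$(norm_thumbprint "$2")"
  [ -n "$kv" ] && [ "$asa" != "$kv" ]
}

# ASA rejects 'certificate add' for a name that already exists, so every
# rotation gets a new, suffixed name: <base>-<stamp>.
new_cert_name() {
  printf '%s-%s' "$1" "$2"
}

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

rotate() {
  # Read-only lookups always run (they need an authenticated az session).
  kv_tp="$(az keyvault certificate show --vault-name "$KV_NAME" --name "$KV_CERT" \
            --query x509ThumbprintHex -o tsv)"
  asa_tp="$(az spring certificate show -g "$RG" -s "$SERVICE" --name "$ASA_CERT_CURRENT" \
            --query properties.thumbprint -o tsv)"
  if ! needs_rotation "$asa_tp" "$kv_tp"; then
    echo "ASA certificate '$ASA_CERT_CURRENT' already matches Key Vault; nothing to do."
    return 0
  fi
  name="$(new_cert_name "$ASA_CERT_BASE" "$(date -u +%Y%m%d%H%M)")"
  # 1. Import the rotated KV certificate into ASA under the fresh name.
  run az spring certificate add -g "$RG" -s "$SERVICE" --name "$name" \
      --vault-uri "https://${KV_NAME}.vault.azure.net" --vault-certificate-name "$KV_CERT"
  # 2. Switch the custom domain binding to the new certificate.
  run az spring app custom-domain update -g "$RG" -s "$SERVICE" --app "$APP" \
      --domain-name "$DOMAIN" --certificate "$name"
  # 3. Only after the binding has moved, remove the stale certificate.
  run az spring certificate remove -g "$RG" -s "$SERVICE" --name "$ASA_CERT_CURRENT"
}

# Usage: ./rotate-asa-cert.sh rotate   (set DRY_RUN=0 to apply the changes)
if [ "${1:-}" = "rotate" ]; then rotate; fi
```

The thumbprint comparison is the check that is missing from the platform: ASA pins the Key Vault certificate version it imported, so comparing its recorded thumbprint with the vault's current version tells you whether the rotation has actually reached the custom domain. Because `certificate add` fails on a duplicate name, the script never reuses `cert-name-in-asa`; it creates a timestamped name, re-binds, and deletes the old object last so the domain is never left without a certificate.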

taoxu0903 commented 1 year ago

@allxiao, I suppose updating the same cert is surely supported, to override the old one with the same name. Could you please ask the corresponding engineer to comment here?