Azure / kubernetes-keyvault-flexvol

Azure keyvault integration with Kubernetes via a Flex Volume
MIT License

Mount Volume Fails for EC certs while Key is selected to be exported. #189

Open bhardwahnitish19 opened 4 years ago

bhardwahnitish19 commented 4 years ago

Describe the bug
Mount volume always fails if I choose keys in the flex volume for EC certificates. Logs:

Events:
  Type     Reason       Age                   From                               Message
  ----     ------       ----                  ----                               -------
  Normal   Scheduled    5m15s                 default-scheduler                  Successfully assigned default/mysql-keyvault-sp to aks-agentpool-50967501-3
  Warning  FailedMount  56s (x2 over 3m12s)   kubelet, aks-agentpool-50967501-3  Unable to mount volumes for pod "mysql-keyvault-sp_default(b5d4efb8-8604-11ea-bc3e-624e96f1e750)": timeout expired waiting for volumes to attach or mount for pod "default"/"mysql-keyvault-sp". list of unmounted volumes=[private-key-volume]. list of unattached volumes=[mysql-persistent-storage private-public-key-volume private-key-volume public-key-volume cert-volume default-token-xh4x6]
  Warning  FailedMount  55s (x10 over 5m13s)  kubelet, aks-agentpool-50967501-3  MountVolume.SetUp failed for volume "private-key-volume" : mount command failed, status: Failure, reason: /etc/kubernetes/volumeplugins/azure~kv/azurekeyvault-flexvolume failed, /Users/anishramasekar/go/src/github.com/Azure/kubernetes-keyvault-flexvol/azurekeyvault-flexvolume/main.go:80 +0x129

Steps to generate Cert:

  1. Created a CSR (where keyproperties.exportable is true, keyType is "EC")
  2. Got this CSR signed by a third party CA
  3. Merged the generated public key/cert in Key Vault.

Authentication used: SP

NOTE: The same flexVolume settings and steps to generate work perfectly for an RSA certificate. Able to fetch the key for RSA certs, but for EC certs it fails.

Steps To Reproduce
Create an EC, mark keys as exportable. Use SP to authenticate and try to fetch the key with Flex Volume.

Expected behavior
Should be able to fetch keys for EC certificates in plain text.

Access mode: service principal

Kubernetes version 1.15.x

chintanr97 commented 4 years ago

Hi @bhardwahnitish19 , a quick question. When you say "I choose keys in flex volume for EC certificates", do you mean you just need the private key in the pod?

What I understand is following:

  1. You are creating an EC "certificate" object in key vault first. You get the CSR signed and enable the certificate by uploading the signed CSR. Right?
  2. Now the certificate object in key vault is a combination of both the public and the private part. You need this EC key alone in your application-specific pod (preferably in PEM format). Right? Also please correct me if you need it in "some other format"!

If this so, then @ritazh would this require some different enhancement to the csi-driver than the one mentioned here?

bhardwahnitish19 commented 4 years ago

Hi @chintanr97

Please find my comments inline:

> Do you mean you just need private key in the pod?

I need both the public & private key in the pod, but I need them at different locations, like /var/privatekey & /var/publickey. These must be in PEM format so that the application can utilize them easily without any type conversions. To achieve this, I am trying to export the key and mount it at /var/privatekey, and trying to export the cert to /var/publickey (using 2 flex volumes respectively).

> 1. You are creating an EC "certificate" object in key vault first. You get the CSR signed and enable the certificate by uploading the signed CSR. Right?

Correct.

> 2. Now the certificate object in key vault is a combination of both the public and the private part. You need this EC key alone in your application-specific pod (preferably in PEM format). Right? Also please correct me if you need it in "some other format"!

PEM format would be perfect for now.
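Added example, not the project's code and not part of this thread: the split the reporter describes (private key to one PEM file, certificate to another) written key-type-agnostically in Go, the project's language. It assumes the input is the PEM bundle a Key Vault certificate's backing secret yields when its content type is application/x-pem-file (a private-key block plus certificate blocks); that is an assumption about Key Vault, not something this page states. The sample bundle is constructed locally from a freshly generated key and a self-signed certificate, so it runs offline; the EC case is the one the report is about, and the code accepts PKCS#8, PKCS#1 and SEC 1 key encodings and always re-emits PKCS#8, so a consumer needs no RSA-versus-EC branch. /var/privatekey and /var/publickey are the reporter's mount paths; the example does not write files.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
)

// parsePrivateKey decodes one PEM private-key block: PKCS#8, PKCS#1 (RSA only) or SEC 1 (EC only).
func parsePrivateKey(block *pem.Block) (crypto.PrivateKey, error) {
	switch block.Type {
	case "PRIVATE KEY":
		return x509.ParsePKCS8PrivateKey(block.Bytes)
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case "EC PRIVATE KEY":
		return x509.ParseECPrivateKey(block.Bytes)
	}
	return nil, fmt.Errorf("unsupported PEM block type %q", block.Type)
}

// SplitPEMBundle splits a PEM bundle (private key plus certificate chain, in any
// order) into the private key re-encoded as PKCS#8, which has the same outer
// shape for RSA and EC keys, and the concatenated CERTIFICATE blocks.
// keyType reports which branch was taken: "RSA" or "EC/<curve name>".
func SplitPEMBundle(bundle []byte) (keyPEM, certPEM []byte, keyType string, err error) {
	rest := bundle
	for {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			break
		}
		switch block.Type {
		case "CERTIFICATE":
			certPEM = append(certPEM, pem.EncodeToMemory(block)...)
		case "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY":
			key, perr := parsePrivateKey(block)
			if perr != nil {
				return nil, nil, "", perr
			}
			switch k := key.(type) {
			case *rsa.PrivateKey:
				keyType = "RSA"
			case *ecdsa.PrivateKey:
				keyType = "EC/" + k.Curve.Params().Name
			default:
				return nil, nil, "", fmt.Errorf("unsupported private key type %T", key)
			}
			der, merr := x509.MarshalPKCS8PrivateKey(key)
			if merr != nil {
				return nil, nil, "", merr
			}
			keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
		}
	}
	if keyPEM == nil || certPEM == nil {
		return nil, nil, "", fmt.Errorf("bundle needs a private key and at least one certificate")
	}
	return keyPEM, certPEM, keyType, nil
}

// NewTestBundle is constructed sample input, not Key Vault output: a fresh P-256
// or RSA-2048 key and a self-signed certificate, encoded as a PKCS#8 key block
// followed by the certificate block. It panics on error because it is fixture material only.
func NewTestBundle(useEC bool) []byte {
	var key crypto.Signer
	var err error
	if useEC {
		key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	} else {
		key, err = rsa.GenerateKey(rand.Reader, 2048)
	}
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "mysql.example.test"}}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	keyDER, kerr := x509.MarshalPKCS8PrivateKey(key)
	if err != nil || kerr != nil {
		panic(fmt.Sprint(err, kerr))
	}
	out := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})...)
}

func main() {
	keyPEM, certPEM, keyType, err := SplitPEMBundle(NewTestBundle(true)) // the EC case from the report
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s: key %d bytes of PEM, cert %d bytes of PEM\n", keyType, len(keyPEM), len(certPEM))
}
```

Emitting PKCS#8 regardless of what came in is the design choice worth noting: a loader that writes "RSA PRIVATE KEY" for one type and "EC PRIVATE KEY" for the other forces every consumer to carry a key-type switch, which is exactly the kind of branch that ends up tested only for RSA.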

chintanr97 commented 4 years ago

Great! I understood! Hope the updated comments here help the project owners to create the required solutions.