Azure / kubernetes-keyvault-flexvol

Azure keyvault integration with Kubernetes via a Flex Volume
MIT License
253 stars, 84 forks

Error often comes up when reading secret #57

Closed pascalnaber closed 5 years ago

pascalnaber commented 5 years ago

I've configured the Keyvault flex using MSI. Deployment:

```yaml
options:
  usepodidentity: "true"                 # [OPTIONAL] if not provided, will default to "false"
  keyvaultname: "my-secrets-dev"         # the name of the KeyVault
  keyvaultobjectnames: "Secret1;Secret2" # list of KeyVault object names (semi-colon separated)
  keyvaultobjecttypes: "secret;secret"   # list of KeyVault object types: secret, key or cert (semi-colon separated)
  keyvaultobjectversions: ""             # [OPTIONAL] list of KeyVault object versions (semi-colon separated), will get latest if empty
  resourcegroup: "my-dev-keyvault"       # the resource group of the KeyVault
  subscriptionid: "000000000000000"      # the subscription ID of the KeyVault
  tenantid: "000000000"                  # the tenant ID of the KeyVault
```

I've configured 2 secrets. Reading one of the secrets I get an exception now and then together with the value. Once I had the 'use of closed connection' message.

It happens especially when executing the commands fast after each other. But not always.

The commands below are executed right after each other.

ritazh commented 5 years ago

@pascalnaber Thanks for reporting this. The error you are receiving might result from a network issue when you exec into the pod from outside the cluster. Is this on AKS? Is the process able to get the value of the secret from inside the container?

pascalnaber commented 5 years ago

I'm using AKS. It looks like the error indeed doesn't come up when the secrets are read from inside the container. Although it's easy to reproduce the error using exec. I've also reproduced it on a different cluster.
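The distinction raised above (reads failing through `kubectl exec` from outside the cluster but not from inside the container) can be checked by counting failures of the same read done both ways. The script below is an added example, not code from the kubernetes-keyvault-flexvol project or the thread participants. It assumes the Flex Volume is mounted at `$KV_MOUNT` (default `/kvmnt`) with one file per entry in `keyvaultobjectnames`; the optional runner prefix (for example `kubectl exec my-pod --`, where `my-pod` is a placeholder) is the only thing that changes between the two measurements.

```shell
#!/bin/sh
# Added example (not from the kubernetes-keyvault-flexvol project).
# Repeatedly reads a secret file mounted by the Flex Volume and counts
# failed reads, so an intermittent error can be attributed either to the
# transport used to reach the pod or to the mount itself.
# Assumed mount path; the project's own mountPath is whatever the pod spec sets.
KV_MOUNT="${KV_MOUNT:-/kvmnt}"

# read_secret_file MOUNT NAME: print the secret value, non-zero status on failure
read_secret_file() {
  cat "$1/$2"
}

# count_read_failures MOUNT NAME ITERATIONS [RUNNER...]
# Runs `cat MOUNT/NAME` ITERATIONS times back-to-back (the reporter's
# reproduction pattern) and prints how many attempts failed. RUNNER is an
# optional command prefix, e.g. "kubectl exec my-pod --" (placeholder pod
# name); with no prefix the reads run locally, i.e. inside the container.
count_read_failures() {
  mount="$1"; name="$2"; n="$3"; shift 3
  fails=0
  i=0
  while [ "$i" -lt "$n" ]; do
    # "$@" expands to nothing when no runner prefix was given
    if ! "$@" cat "$mount/$name" >/dev/null 2>&1; then
      fails=$((fails + 1))
    fi
    i=$((i + 1))
  done
  echo "$fails"
}

# compare_transports MOUNT NAME ITERATIONS RUNNER...
# Prints "mount" if local reads also fail (the volume is the problem),
# "transport" if only reads through the runner prefix fail, or "ok".
compare_transports() {
  mount="$1"; name="$2"; n="$3"; shift 3
  local_fails=$(count_read_failures "$mount" "$name" "$n")
  remote_fails=$(count_read_failures "$mount" "$name" "$n" "$@")
  if [ "$local_fails" -gt 0 ]; then
    echo "mount"
  elif [ "$remote_fails" -gt 0 ]; then
    echo "transport"
  else
    echo "ok"
  fi
}
```

Inside the container, `count_read_failures "$KV_MOUNT" Secret1 50` should report 0; running the same call with a `kubectl exec` prefix from a workstation and seeing a non-zero count points at the exec path rather than the volume, which is the conclusion the thread reaches. `compare_transports` only makes sense when run where both the local path and the runner prefix are valid (for instance from a debugging pod that has the volume mounted and cluster credentials).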

ritazh commented 5 years ago

Confirming I can also reproduce this connection issue on AKS on any of the running pods. Clusters running aks-engine seem to be fine.

ritazh commented 5 years ago

Closing this issue as the error results from the platform, not this solution. Feel free to reopen if you have further questions about this.

pascalnaber commented 5 years ago

Wouldn't it be good if the code didn't give an exception for something that is going wrong, despite being caused by the platform? I see an exception which shows a line of code from this project. Solving this makes the code more robust if you ask me.

ritazh commented 5 years ago

Is this the error you are referring to: `E0104 15:22:49.282352 422 v3.go:79] EOF`? If so, that is not coming from this project.

pascalnaber commented 5 years ago

Ah, I see. I made the assumption the error came from the project. Sorry. It's absolutely clear why the issue is closed. Thanks!