MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International
10.2k stars 21.34k forks source link

Needs more information on linkOnRenewal #45672

Closed peledins closed 3 years ago

peledins commented 4 years ago

linkOnRenewal is barely documented (in code example). The page needs either a link on how to use that or a full example.


Document Details

Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

Karishma-Tiwari-MSFT commented 4 years ago

Thanks for the feedback! I have assigned the issue to the content author to investigate further and update the document as appropriate.

dragav commented 4 years ago

@peledins https://keyvaultsdk.visualstudio.com/keyvault-vm-extension (internal link)

ericsampson commented 4 years ago

@dragav @msmbaldwin @peledins could someone please just paste the information from the internal document here in the meantime? We really need a better understanding of linkOnRenewal before the official documentation goes through the wait to be updated. And also if certificate auto-rotation works using the Linux KeyVault VM Extension, which is super unclear.

dragav commented 4 years ago

Certificate linking

Re: Linux - there is a KVVMext for Linux, and the SF runtime supports CN-based declarations of cluster certificates for both platforms.

ericsampson commented 4 years ago

Thanks @dragav. However, we're not using SF, just plain VMs, and I can't find any code/documentation for the Linux KVVM extension that would tell me how to hook into a cert renewal event notification in order to reload nginx so that the new SSL cert is picked up.

dragav commented 4 years ago

There is no such thing (re: notification). You'll probably need to set up a file watch and build your own. I'm not familiar with nginx, but most web server technologies have/should have provisions for plugging in a custom server cert loader.
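An added example of the "file watch" approach suggested in the comment above (not part of the thread and not Microsoft's code): a polling check that reloads the web server only when the certificate file's contents change. The certificate path is a placeholder for wherever the extension writes the certificate on your VM, and the state file, poll interval and reload command are assumptions.

```shell
#!/bin/sh
# Added example: poll-based certificate change detector (not from the thread).
# CERT_FILE is a placeholder; STATE_FILE and RELOAD_CMD are assumed defaults.
CERT_FILE="${CERT_FILE:-/path/to/extension-managed/cert.pem}"
STATE_FILE="${STATE_FILE:-/var/tmp/cert-watch.sha256}"
RELOAD_CMD="${RELOAD_CMD:-nginx -t && nginx -s reload}"

# Print the SHA-256 of the file's contents. Fails if the file is missing or
# empty, which can happen while a rotation is in progress.
cert_digest() {
    [ -s "$1" ] || return 1
    sha256sum "$1" | cut -d' ' -f1
}

# Returns 0 if a reload ran, 1 if nothing changed, 2 on error.
# On error the saved digest is left untouched so the next poll tries again.
check_and_reload() {
    new=$(cert_digest "$CERT_FILE") || return 2
    old=$(cat "$STATE_FILE" 2>/dev/null || true)
    [ "$new" = "$old" ] && return 1
    # The default command tests the nginx configuration before reloading, so
    # an unreadable or malformed certificate does not take the server down.
    sh -c "$RELOAD_CMD" || return 2
    # Record the digest only after a successful reload (write, then rename).
    printf '%s\n' "$new" > "$STATE_FILE.tmp" && mv "$STATE_FILE.tmp" "$STATE_FILE"
    return 0
}

# Poll forever; intended to run under a service manager.
watch_loop() {
    while :; do
        rc=0
        check_and_reload || rc=$?
        [ "$rc" -eq 2 ] && echo "cert-watch: check or reload failed, will retry" >&2
        sleep "${POLL_SECONDS:-60}"
    done
}

# Start the loop only when invoked as: cert-watch.sh run
if [ "${1:-}" = "run" ]; then
    watch_loop
fi
```

Comparing content digests rather than modification times avoids reloading when the file is rewritten with the same certificate.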

ericsampson commented 4 years ago

Thanks @dragav, at least I know now that there isn't something available but not documented yet.

mimckitt commented 3 years ago

We are currently cleaning up old issues and closing out items that are greater than 90 days old. If an issue is still present, please open a new feedback item on the document so we can prioritize correctly.

please-close

ericsampson commented 3 years ago

@mimckitt why can't we just reopen this issue, instead of putting customers through the extra time of refiling a new issue?

mimckitt commented 3 years ago

Due to the number of open issues we opted to remove old ones to better prioritize. Additionally, this issue was open for nearly a year and has yet to be acted upon. At this point in time there are no updates planned related to this feedback. All feedback is appreciated; however, not all feedback will be implemented.

ericsampson commented 3 years ago

@mimckitt how can you choose to just not properly document a parameter?

dragav commented 3 years ago

@ericsampson I'm trying to understand which questions remain unaddressed in this thread. We provided the documentation for certificate linking, the Linux doc as well as the Windows counterpart for the KeyVault VM extension. We explained that certificate linking is not supported on Linux, and that there is no notification mechanism to indicate the event of installing a new certificate. Which parameter are you referring to as not being properly documented?

In any case, given that the original question raised with this GH issue has been addressed eventually with public documentation for both supported platforms, I am considering this thread closed. If you have additional questions, please open a new, specific issue.

ericsampson commented 3 years ago

@dragav that material from your first link is in the service fabric documentation. There's approximately zero chance that someone using the Windows KeyVault VM extension on non-SF standalone Windows VMs would find it there. What I'd recommend is that material from the SF documentation should be added to the extension doc page. Or single-sourced and linked to on both the extension and SF docs pages. Does that help?

dragav commented 3 years ago

That is a fair point, though the SF doc (to the paragraph) is the first result I get on Bing searching for "keyvault vm extension certificate linking".

I had already forwarded this thread (internally) to the owning team, I would expect them to follow up in the next day or so.

jrmcdona commented 2 years ago

Doesn't seem like this got addressed. Looking at the documentation, I am not sure if I need "linkOnRenewal" as true or false. No idea what it actually does.

Thanks

andreabisconte commented 2 months ago

Is the renewal supported or not? In this section [https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/key-vault-linux?tabs=version3#azure-powershell-deployment], please clarify the doc and explain if it can also be true or only false.