crossplane-contrib / provider-upjet-azure

Official Azure Provider for Crossplane by Upbound.
Apache License 2.0

[Bug]: Azure gov azure keyvault keys do not work #648

Closed waterfoul closed 3 weeks ago

waterfoul commented 7 months ago

Is there an existing issue for this?

Affected Resource(s)

Resource MRs required to reproduce the bug

apiVersion: keyvault.azure.upbound.io/v1beta1
kind: Key
metadata:
  name: --SNIP--
  annotations:
    crossplane.io/external-name: --SNIP--
spec:
  deletionPolicy: Orphan
  providerConfigRef:
    name: --SNIP--
  forProvider:
    name: --SNIP--
    keyVaultIdRef:
      name: --SNIP--
    keyOpts: ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
    keyType: "RSA"
    keySize: 4096

Steps to Reproduce

Create the resource while connected to azure gov. Example provider config:

apiVersion: azure.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: --SNIP--
spec:
  clientID: --SNIP--
  credentials:
    source: UserAssignedManagedIdentity
  environment: usgovernment
  subscriptionID: --SNIP--
  tenantID: --SNIP--

What happened?

It tries to use the public Key Vault domain instead of the one for Gov. The issue is here. Essentially, it tries to use the public Azure domain name (vault.azure.net) instead of the one for US Gov (vault.usgovcloudapi.net). I suspect you will have the same issue in all non-public Azure clouds.

Relevant Error Output Snippet

Original Error: Get "https://--SNIP--.vault.azure.net/keys/--SNIP--/?api-version=7.4": dial tcp: lookup --SNIP--.vault.azure.net on --SNIP--: no such host  []}]

Crossplane Version

v1.14.5

Provider Version

v0.41.0

Kubernetes Version

1.28.3

Kubernetes Distribution

AKS

Additional Info

I don't know much about provider internals, but the correct domain is located in status.atProvider.vaultUri in the Vault resource.
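An added example, not code from provider-upjet-azure, of the fix this report points at: pick the Key Vault DNS suffix from the ProviderConfig environment instead of hard-coding the public one, and check that a vault URI such as status.atProvider.vaultUri belongs to the configured cloud before using it. The public and usgovernment suffixes are the ones quoted in the report; the environment names, the china suffix and the function names are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

var keyVaultDNSSuffix = map[string]string{
	"public":       "vault.azure.net",         // named in the report
	"usgovernment": "vault.usgovcloudapi.net", // named in the report
	"china":        "vault.azure.cn",          // Azure China; assumed, not from the report
}

// KeyVaultSuffix maps a ProviderConfig environment name (case-insensitive) to its suffix.
func KeyVaultSuffix(environment string) (string, error) {
	if s, ok := keyVaultDNSSuffix[strings.ToLower(environment)]; ok {
		return s, nil
	}
	return "", fmt.Errorf("unknown azure environment %q", environment)
}

// KeyURL builds the key URL for the configured cloud instead of always using the public suffix.
func KeyURL(environment, vaultName, keyName string) (string, error) {
	suffix, err := KeyVaultSuffix(environment)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("https://%s.%s/keys/%s", vaultName, suffix, keyName), nil
}

// CheckVaultURI verifies that a vault URI (e.g. status.atProvider.vaultUri) belongs to the configured cloud.
func CheckVaultURI(environment, vaultURI string) error {
	suffix, err := KeyVaultSuffix(environment)
	if err != nil {
		return err
	}
	u, err := url.Parse(vaultURI)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return fmt.Errorf("vault uri %q is not a valid https url", vaultURI)
	}
	if !strings.HasSuffix(strings.ToLower(u.Hostname()), "."+suffix) {
		return fmt.Errorf("host %q is not in environment %q (want *.%s)", u.Hostname(), environment, suffix)
	}
	return nil
}

func main() {
	// Constructed example: a gov ProviderConfig checked against a public-cloud vault URI.
	fmt.Println(CheckVaultURI("usgovernment", "https://example.vault.azure.net/"))
}
```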

turkenf commented 7 months ago

Hi @waterfoul,

Unfortunately, I cannot reproduce the error with the information you provided. Please ensure that the KeyVault resource you are using has the necessary access policies.

I did a quick search on your error message, maybe it might be helpful: https://learn.microsoft.com/en-us/answers/questions/819853/no-such-host-is-known-(kv-env-app-vault-azure-net

waterfoul commented 7 months ago

@turkenf which cloud were you using? This only happens in the Azure Government cloud. Documentation: https://learn.microsoft.com/en-us/azure/azure-government/compare-azure-government-global-azure

waterfoul commented 6 months ago

As an FYI, if you need some testing to happen in the Gov environment, I can pretty easily build a branch and test it out for you.

github-actions[bot] commented 1 month ago

This provider repo does not have enough maintainers to address every issue. Since there has been no activity in the last 90 days it is now marked as stale. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.

github-actions[bot] commented 3 weeks ago

This issue is being closed since there has been no activity for 14 days since marking it as stale. If you still need help, feel free to comment or reopen the issue!