microsoft / azure-container-apps

Roadmap and issues for Azure Container Apps
MIT License

ACA in version 1.12.5, fails to start : Sentry token is required for TokenReview in authentication #1098

Open jpiquot opened 4 months ago

jpiquot commented 4 months ago

This issue is a:

Issue description

Container App cannot start anymore:

```
2024-02-23T10:08:07.131004547Z time="2024-02-23T10:08:07.130923946Z" level=info msg="Fetching initial identity certificate from dapr-sentry.k8se-system.svc.cluster.local:443" app_id=dynamics365finance instance=chr-stg-hex-dynamics365finance--023bltd-5cd56b5f74-t5gxw scope=dapr.runtime.security type=log ver=1.12.5
2024-02-23T09:44:56.055250222Z time="2024-02-23T09:44:56.055035019Z" level=fatal msg="Fatal error from runtime: failed to retrieve the initial identity certificate: error from sentry SignCertificate: rpc error: code = PermissionDenied desc = token review failed: token is required for TokenReview in authentication" app_id=dynamics365finance instance=chr-stg-hex-dynamics365finance--023bltd-5cd56b5f74-t5gxw scope=dapr.runtime type=log ver=1.12.5
```

Steps to reproduce

  1. Deploy .NET application with DAPR SDK 1.12.0 in ACA

Expected behavior

Application should start without errors

Actual behavior

Application fails to start

Additional context

It was working yesterday, before Microsoft's upgrade of Azure Container Apps during the night (1.11.6 => 1.12.5).
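For triage, the failure signature in the report above can be picked out of sidecar logs and grouped by Dapr runtime version, which makes a correlation with a platform upgrade visible. This is an added example, not code from the issue or from the Dapr or ACA projects; it assumes the line layout shown in the report (an outer timestamp followed by `key=value` fields), and the sample lines, app name and instance names are constructed.

```python
import re
import shlex
from collections import Counter

# Constructed sample lines modelled on the log format in the report above
# (outer container timestamp, then key=value fields); app and instance names are made up.
SAMPLE_LOG = '''\
2024-02-23T09:44:55.900000000Z time="2024-02-23T09:44:55.899Z" level=info msg="Fetching initial identity certificate from dapr-sentry.k8se-system.svc.cluster.local:443" app_id=sample-app instance=sample-app--rev1-abc scope=dapr.runtime.security type=log ver=1.12.5
2024-02-23T09:44:56.055000000Z time="2024-02-23T09:44:56.054Z" level=fatal msg="Fatal error from runtime: failed to retrieve the initial identity certificate: error from sentry SignCertificate: rpc error: code = PermissionDenied desc = token review failed: token is required for TokenReview in authentication" app_id=sample-app instance=sample-app--rev1-abc scope=dapr.runtime type=log ver=1.12.5
2024-02-22T18:00:00.000000000Z time="2024-02-22T18:00:00.000Z" level=info msg="sidecar started" app_id=sample-app instance=sample-app--rev0-xyz scope=dapr.runtime type=log ver=1.11.6
this line is not in key=value form and must be skipped
'''

GRPC_CODE = re.compile(r"rpc error: code = (\w+) desc = (.*)")

def parse_line(line):
    """Split one sidecar log line into (outer_timestamp, fields); None if unparsable."""
    try:
        tokens = shlex.split(line)   # keeps quoted msg="..." values together
    except ValueError:               # unbalanced quotes in a truncated line
        return None
    fields = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
    return (tokens[0], fields) if "level" in fields else None

def sentry_failures(log_text):
    """Return fatal Sentry SignCertificate failures as dicts, one per log line."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        msg = f.get("msg", "")
        if f["level"] != "fatal" or "sentry SignCertificate" not in msg:
            continue
        m = GRPC_CODE.search(msg)
        hits.append({"ts": ts, "app_id": f.get("app_id"), "ver": f.get("ver"),
                     "grpc_code": m.group(1) if m else None,
                     "reason": m.group(2) if m else msg})
    return hits

def failures_by_version(log_text):
    """Count failures per (app_id, runtime version) to compare against upgrade times."""
    return Counter((h["app_id"], h["ver"]) for h in sentry_failures(log_text))

if __name__ == "__main__":
    print(failures_by_version(SAMPLE_LOG))
```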

jpiquot commented 4 months ago

It seems that the ACA environment has been rolled back by Microsoft from DAPR 1.12.5 to 1.11.6. Issues with Dapr 1.12 version in Azure?

berndverst commented 3 months ago

@jpiquot apologies nobody had responded here. Yes, we had attempted to roll out 1.12.5 in ACA but ran into a problem with how the security tokens for Sentry are mounted into the sidecar. Indeed, the release was rolled back.

Why this happened: Dapr 1.12 saw several changes to Sentry and tokens that made it complex to bring this version to ACA. When rolling out Dapr 1.12 we encountered an edge case of which we were unaware.

What we did since: We immediately rolled back Dapr 1.12. We then extensively investigated the rollout problem and were able to fix this in our upcoming 1.12.X release for ACA. This will be deployed again to ACA very soon.

berndverst commented 3 months ago

@greenie-msft @anthonychu this issue can be closed.