Open oitTim opened 2 weeks ago
Hello! 👋
This is likely because of max-age being set to 1 hour. Azurerator relies on the controller-runtime caching mechanisms for reconciliation. The default SyncPeriod for these caches appears to be ~10 hours, so objects aren't reconciled until then unless they're modified.
As you've discovered, using the azure.nais.io/rotate: 'true' annotation will force an immediate one-time rotation for the given AzureAdApplication. Restarting Azurerator will reconcile all objects as the cache is no longer populated.
We haven't really considered the use case with such low max-age values before, but we could look into it if you want.
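The scheduling gap described in this comment can be seen in a small stand-alone model. The Go program below is an added illustration, not Azurerator's or controller-runtime's code: it assumes a hypothetical Credential type, a Policy holding the two durations from the thread (secret-rotation.max-age and the cache SyncPeriod), and a simplified loop in which the controller is only woken by the periodic resync unless the reconciler explicitly asks to be requeued; it ignores the jitter controller-runtime adds to the resync and any object modification events. It compares a reconciler that relies on the resync alone with one that returns the time remaining until max-age as its requeue delay (the equivalent of returning Result{RequeueAfter: ...} from a controller-runtime reconciler). Whether Azurerator does the latter is not stated anywhere in this thread.

```go
package main

import (
	"fmt"
	"time"
)

// Credential is a constructed stand-in for the Azure AD client secret that
// Azurerator manages; only its creation time matters for a max-age policy.
type Credential struct {
	CreatedAt time.Time
}

// Policy carries the two durations discussed in the thread: the operator's
// secret-rotation.max-age and the controller-runtime cache SyncPeriod.
type Policy struct {
	MaxAge     time.Duration
	SyncPeriod time.Duration
}

// RotationDue reports whether the credential has reached max-age at `now`.
func RotationDue(c Credential, p Policy, now time.Time) bool {
	return !now.Before(c.CreatedAt.Add(p.MaxAge))
}

// Reconcile rotates the credential if it is due and returns the delay after
// which the controller should be called again. With requeueOnAge=false it
// returns 0, meaning "only wake me on the periodic resync or on an event"
// (the behaviour the maintainer describes). With requeueOnAge=true it returns
// the time remaining until the current credential hits max-age, which is how a
// controller-runtime reconciler would normally express a time-based policy.
func Reconcile(c Credential, p Policy, now time.Time, requeueOnAge bool) (Credential, time.Duration) {
	if RotationDue(c, p, now) {
		c = Credential{CreatedAt: now} // mint a new credential
	}
	if !requeueOnAge {
		return c, 0
	}
	return c, c.CreatedAt.Add(p.MaxAge).Sub(now)
}

// Simulate drives the reconcile loop for `horizon` of simulated time, waking at
// the earlier of the resync and any requested requeue, and returns the offsets
// from start at which a rotation actually happened. No modification events
// occur, matching an idle AzureAdApplication.
func Simulate(p Policy, requeueOnAge bool, horizon time.Duration) []time.Duration {
	start := time.Date(2024, 9, 4, 17, 50, 0, 0, time.UTC) // constructed timestamp
	now := start
	cred := Credential{CreatedAt: start}
	var rotations []time.Duration
	for {
		prev := cred.CreatedAt
		var delay time.Duration
		cred, delay = Reconcile(cred, p, now, requeueOnAge)
		if !cred.CreatedAt.Equal(prev) {
			rotations = append(rotations, now.Sub(start))
		}
		wake := p.SyncPeriod
		if delay > 0 && delay < wake {
			wake = delay
		}
		now = now.Add(wake)
		if now.Sub(start) > horizon {
			return rotations
		}
	}
}

func main() {
	// 1h max-age against a ~10h resync, as in the original report.
	p := Policy{MaxAge: time.Hour, SyncPeriod: 10 * time.Hour}
	fmt.Println("resync only:   ", Simulate(p, false, 12*time.Hour))
	fmt.Println("requeue on age:", Simulate(p, true, 12*time.Hour))
}
```

With a 1h max-age and a 10h resync the resync-only schedule rotates once, at the 10h mark, so the secret lives nine hours past its policy; the requeue-on-age schedule rotates every hour. Note that the same model with a 24h max-age still predicts a rotation by the 30h resync, so the resync period alone does not account for a secret that is untouched after 48 hours.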
Thanks for the response. I was just setting a low max-age to test the software. I will change it to 1d to see how it works :D
I updated the secret-rotation.max-age: 24h and we are experiencing the same issue? It's just been a tad over 48 hours... so perhaps I just need to be patient :P
{"level":"info","logger":"config","msg":"secret-rotation.max-age: 24h","time":"2024-09-04T17:50:15.380904613Z"}
{"level":"info","logger":"config","msg":"validations.tenant.required: false","time":"2024-09-04T17:50:15.380909261Z"}
{"level":"info","timestamp":"2024-09-04T17:50:15.804381225Z","logger":"setup","caller":"azurerator/main.go:143","msg":"starting metrics refresh goroutine"}
{"level":"info","timestamp":"2024-09-04T17:50:15.804554871Z","logger":"setup","caller":"azurerator/main.go:147","msg":"starting manager"}
{"level":"info","timestamp":"2024-09-04T17:50:15.805144924Z","logger":"controller-runtime.metrics","caller":"server/server.go:208","msg":"Starting metrics server"}
{"level":"info","timestamp":"2024-09-04T17:50:15.805807351Z","logger":"controller-runtime.metrics","caller":"server/server.go:247","msg":"Serving metrics server","bindAddress":":8080","secure":false}
{"level":"info","timestamp":"2024-09-04T17:50:15.92348925Z","caller":"controller/controller.go:175","msg":"Starting EventSource","controller":"azureadapplication","controllerGroup":"nais.io","controllerKind":"AzureAdApplication","source":"kind source: *nais_io_v1.AzureAdApplication"}
{"level":"info","timestamp":"2024-09-04T17:50:15.923572536Z","caller":"controller/controller.go:183","msg":"Starting Controller","controller":"azureadapplication","controllerGroup":"nais.io","controllerKind":"AzureAdApplication"}
{"level":"info","timestamp":"2024-09-04T17:50:16.029670653Z","caller":"controller/controller.go:217","msg":"Starting workers","controller":"azureadapplication","controllerGroup":"nais.io","controllerKind":"AzureAdApplication","worker count":15}
{"ClientID":"41cbddce-d8f3-463f-93ab-fa5bddcf19aa","CorrelationID":"aaf06575-ec3e-4d4f-b08a-386b5d33ecfb","ObjectID":"8cd928f4-ade1-4e81-b047-d1232f45415f","ServicePrincipalID":"243ae3ea-1978-4658-93c1-9702d05f6b37","application_name":"adp-azurerator-test-app","application_namespace":"ais-system","level":"debug","msg":"updated status fields with values from Azure","time":"2024-09-04T17:50:16.578183668Z"}
{"CorrelationID":"aaf06575-ec3e-4d4f-b08a-386b5d33ecfb","application_name":"adp-azurerator-test-app","application_namespace":"ais-system","level":"debug","msg":"resource is addressed to tenant 'catmail.ohio.edu', processing...","time":"2024-09-04T17:50:16.578232327Z"}
{"level":"info","msg":"metrics with namespace labels initialized","time":"2024-09-04T17:50:16.824499724Z"}
{"CorrelationID":"aaf06575-ec3e-4d4f-b08a-386b5d33ecfb","application_name":"adp-azurerator-test-app","application_namespace":"ais-system","level":"debug","msg":"existing credentials are valid and in sync with Azure","time":"2024-09-04T17:50:17.485806828Z"}
Hmm, might have something to do with the event filtering mechanism. I'll have a closer look into it.
We have installed Azurerator, and to date love it, however we noticed that the reconciliation does not seem to honor the secret-rotation.max-age automatically. If we delete the Azure secrets associated with the AzureAdApplication and wait an hour, nothing syncs or happens; however, if we delete the pod and spawn another one, it reconciles and syncs.
If we add the annotation azure.nais.io/rotate: 'true' to the AzureAdApplication, it will synchronize as well. Also, restarting the pod every hour will honor the max-age and create new secrets.
Any insight or help is appreciated.
This is the deployment we used:
This is our azurerator.yaml:
And finally, our AzureAdApplication:
This is the log output on startup of pod: