Redact the body of failed authentication requests #6683
Conversation
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
|
/cherry-pick release-1.14 |
|
@inteon: once the present PR merges, I will cherry-pick it on top of release-1.14 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
I've tested 3 scenarios:
- No federated identity credential;
- Non-existent client id;
- No "DNS Zone Contributor" role assigned.
In all 3 cases, the behaviour for "Challenge" resource was stable meaning no early reconciliations. So, I think we should be good to go now :)
|
Thanks @weisdd I also tested this branch by partially following the AKS tutorial: https://cert-manager.io/docs/tutorials/getting-started-aks-letsencrypt/#create-a-clusterissuer-for-lets-encrypt-staging Observed a Certificate being issued successfully. Deleted the federated identity: Then renewed the certificate and observed it fail and the error message on the challenge was redacted Unfortunately, the redacted error on the Challenge is not sufficient for the user to know what the problem is.
The cert-manager logs contain both the redacted and the unredacted errors, which is annoying, but I suppose that was always the case: $ kubectl -n cert-manager logs deployments/cert-manager --follow
...
> logger="cert-manager.challenges" key="default/www-3-3709051279-258319704"
E0131 11:19:14.993095 1 azuredns.go:189] "Error creating TXT" err=<
WorkloadIdentityCredential authentication failed
POST https://login.microsoftonline.com/f99bd6a4-665c-41cf-aff1-87a89d5c62d4/oauth2/v2.0/token
--------------------------------------------------------------------------------
RESPONSE 401 Unauthorized
--------------------------------------------------------------------------------
{
"error": "invalid_client",
"error_description": "AADSTS700211: No matching federated identity record found for presented assertion issuer 'https://eastus2.oic.prod-aks.azure.com/f99bd6a4-665c-41cf-aff1-87a89d5c62d4/cddd5247-a9c7-4ee4-be19-f64d5a994dd7/'. Please check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation Trace ID: be215318-cd3a-467f-b0a1-30569c3bb000 Correlation ID: 6d2634ea-fd27-4b6f-aedd-8adef7a84f57 Timestamp: 2024-01-31 11:19:14Z",
"error_codes": [
700211
],
"timestamp": "2024-01-31 11:19:14Z",
"trace_id": "be215318-cd3a-467f-b0a1-30569c3bb000",
"correlation_id": "6d2634ea-fd27-4b6f-aedd-8adef7a84f57"
}
--------------------------------------------------------------------------------
To troubleshoot, visit https://aka.ms/azsdk/go/identity/troubleshoot#workload
> logger="cert-manager.azure-dns" zone="azure-tutorial.richard-gcp.jetstacker.net" domain="_acme-challenge.www.azure-tutorial.richard-gcp.jetstacker.net." resource group="jetstack-dev"
E0131 11:19:14.993300 1 controller.go:167] "re-queuing item due to error processing" err=<
WorkloadIdentityCredential authentication failed
POST https://login.microsoftonline.com/f99bd6a4-665c-41cf-aff1-87a89d5c62d4/oauth2/v2.0/token
--------------------------------------------------------------------------------
RESPONSE 401 Unauthorized
--------------------------------------------------------------------------------
<REDACTED>
--------------------------------------------------------------------------------
To troubleshoot, visit https://aka.ms/azsdk/go/identity/troubleshoot#workload
> logger="cert-manager.challenges" key="default/www-3-3709051279-258319704"
For the sake of releasing 1.14 on time, I will approve this now. /lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: wallrj, weisdd The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest |
|
@inteon: new pull request created: #6688 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
#6676 did not cover all error cases.
This PR fixes an additional error type reported by @weisdd, we did not solve the problem for the
azidentity.AuthenticationFailedErrorerrors (#5452 (comment)).Additionally, I tried to simplify the
stabilizeErrorfunction and added new tests for this new error type.Kind
/kind bug
Release Note