azure-key-vault-to-kubernetes: [BUG] Controller crashes when syncing certificates

Note: Make sure to check out known issues (https://akv2k8s.io/troubleshooting/known-issues/) before submitting

Components and versions Select which component(s) the bug relates to with [X].

[X ] Controller, version: x.x.x (docker image tag) [ ] Env-Injector (webhook), version: x.x.x (docker image tag) [ ] Other

Describe the bug A clear and concise description of what the bug is. When syncing a certificate following this tutorial the controller crashes while trying to get the certificate for azure.

To Reproduce Steps to reproduce the behavior: Try syncing a pem certificate signed by digicert from an azure keyvault.

Expected behavior A clear and concise description of what you expected to happen. I would expect the controller not to crash

Logs If applicable, add logs to help explain your problem.

Crash output

I0318 20:40:56.302415       1 main.go:92] "log settings" format="text" level="2"
I0318 20:40:56.302482       1 version.go:31] "version info" version="1.2.1" commit="a7b2d04" buildDate="2021-03-11T07:33:23Z" component="controller"
W0318 20:40:56.302637       1 client_config.go:614] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I0318 20:40:56.303937       1 main.go:129] "Creating event broadcaster"
I0318 20:40:56.315899       1 controller.go:167] "setting up event handlers"
I0318 20:40:56.316066       1 controller.go:178] "starting azurekeyvaultsecret controller"
I0318 20:40:56.316313       1 reflector.go:219] Starting reflector *v1.Secret (30s) from pkg/mod/k8s.io/client-go@v0.20.2/tools/cache/reflector.go:167
I0318 20:40:56.316328       1 reflector.go:219] Starting reflector *v1.ConfigMap (30s) from pkg/mod/k8s.io/client-go@v0.20.2/tools/cache/reflector.go:167
I0318 20:40:56.316770       1 reflector.go:219] Starting reflector *v2beta1.AzureKeyVaultSecret (30s) from pkg/mod/k8s.io/client-go@v0.20.2/tools/cache/reflector.go:167
I0318 20:40:56.416321       1 controller.go:196] "starting azure key vault secret queue"
I0318 20:40:56.416459       1 controller.go:199] "starting azure key vault deleted secret queue"
I0318 20:40:56.416579       1 controller.go:202] "starting azure key vault queue"
I0318 20:40:56.416756       1 controller.go:205] "started workers"
E0318 20:40:56.568845       1 runtime.go:78] Observed a panic: "invalid memory address or nil pointer dereference" (runtime error: invalid memory address or nil pointer dereference)
goroutine 87 [running]:
k8s.io/apimachinery/pkg/util/runtime.logPanic(0x184ca20, 0x2713ba0)
	/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/runtime/runtime.go:74 +0x95
k8s.io/apimachinery/pkg/util/runtime.HandleCrash(0x0, 0x0, 0x0)
	/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/runtime/runtime.go:48 +0x89
panic(0x184ca20, 0x2713ba0)
	/usr/local/go/src/runtime/panic.go:969 +0x1b9
github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/azure/keyvault/client.(*azureKeyVaultService).GetCertificate(0xc0001a2160, 0xc0001d4118, 0xc0001c2368, 0x0, 0x0, 0x0)
	/go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/azure/keyvault/client/service.go:125 +0x2fa
github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-controller/controller.(*azureCertificateHandler).HandleSecret(0xc0002bab20, 0xc0002bab20, 0x0, 0x0)
	/go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-controller/controller/secret_handler.go:183 +0xe2
github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-controller/controller.(*Controller).getSecretFromKeyVault(0xc000338410, 0xc0001d4000, 0x1a54143, 0x8, 0x1c4d720)
	/go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-controller/controller/azureKeyVaultSecret.go:369 +0x190
github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-controller/controller.(*Controller).getOrCreateKubernetesSecret(0xc000338410, 0xc0001d4000, 0x22, 0xc0001d4000, 0x0)
	/go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-controller/controller/secret.go:116 +0xca7
github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-controller/controller.(*Controller).syncAzureKeyVaultSecret(0xc000338410, 0xc0002d14d0, 0x22, 0xc0001fa330, 0xc0002baa00)
	/go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-controller/controller/azureKeyVaultSecret.go:168 +0x67b
kmodules.xyz/client-go/tools/queue.(*Worker).processNextEntry(0xc000470380, 0x203000)
	/go/pkg/mod/kmodules.xyz/client-go@v0.0.0-20200521013203-6fe0a448d053/tools/queue/worker.go:84 +0xec
kmodules.xyz/client-go/tools/queue.(*Worker).processQueue(0xc000470380)
	/go/pkg/mod/kmodules.xyz/client-go@v0.0.0-20200521013203-6fe0a448d053/tools/queue/worker.go:67 +0x2b
k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1(0xc000292f10)
	/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:155 +0x5f
k8s.io/apimachinery/pkg/util/wait.BackoffUntil(0xc000292f10, 0x1c4d8a0, 0xc0001fed80, 0x1b0f901, 0xc0001f20c0)
	/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:156 +0xad
k8s.io/apimachinery/pkg/util/wait.JitterUntil(0xc000292f10, 0x3b9aca00, 0x0, 0x1b0ec01, 0xc0001f20c0)
	/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:133 +0x98
k8s.io/apimachinery/pkg/util/wait.Until(0xc000292f10, 0x3b9aca00, 0xc0001f20c0)
	/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:90 +0x4d
created by kmodules.xyz/client-go/tools/queue.(*Worker).Run
	/go/pkg/mod/kmodules.xyz/client-go@v0.0.0-20200521013203-6fe0a448d053/tools/queue/worker.go:53 +0x89
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
	panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x16bb73a]

goroutine 87 [running]:
k8s.io/apimachinery/pkg/util/runtime.HandleCrash(0x0, 0x0, 0x0)
	/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/runtime/runtime.go:55 +0x10c
panic(0x184ca20, 0x2713ba0)
	/usr/local/go/src/runtime/panic.go:969 +0x1b9
github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/azure/keyvault/client.(*azureKeyVaultService).GetCertificate(0xc0001a2160, 0xc0001d4118, 0xc0001c2368, 0x0, 0x0, 0x0)
	/go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/azure/keyvault/client/service.go:125 +0x2fa
github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-controller/controller.(*azureCertificateHandler).HandleSecret(0xc0002bab20, 0xc0002bab20, 0x0, 0x0)
	/go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-controller/controller/secret_handler.go:183 +0xe2
github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-controller/controller.(*Controller).getSecretFromKeyVault(0xc000338410, 0xc0001d4000, 0x1a54143, 0x8, 0x1c4d720)
	/go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-controller/controller/azureKeyVaultSecret.go:369 +0x190
github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-controller/controller.(*Controller).getOrCreateKubernetesSecret(0xc000338410, 0xc0001d4000, 0x22, 0xc0001d4000, 0x0)
	/go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-controller/controller/secret.go:116 +0xca7
github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-controller/controller.(*Controller).syncAzureKeyVaultSecret(0xc000338410, 0xc0002d14d0, 0x22, 0xc0001fa330, 0xc0002baa00)
	/go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-controller/controller/azureKeyVaultSecret.go:168 +0x67b
kmodules.xyz/client-go/tools/queue.(*Worker).processNextEntry(0xc000470380, 0x203000)
	/go/pkg/mod/kmodules.xyz/client-go@v0.0.0-20200521013203-6fe0a448d053/tools/queue/worker.go:84 +0xec
kmodules.xyz/client-go/tools/queue.(*Worker).processQueue(0xc000470380)
	/go/pkg/mod/kmodules.xyz/client-go@v0.0.0-20200521013203-6fe0a448d053/tools/queue/worker.go:67 +0x2b
k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1(0xc000292f10)
	/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:155 +0x5f
k8s.io/apimachinery/pkg/util/wait.BackoffUntil(0xc000292f10, 0x1c4d8a0, 0xc0001fed80, 0x1b0f901, 0xc0001f20c0)
	/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:156 +0xad
k8s.io/apimachinery/pkg/util/wait.JitterUntil(0xc000292f10, 0x3b9aca00, 0x0, 0x1b0ec01, 0xc0001f20c0)
	/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:133 +0x98
k8s.io/apimachinery/pkg/util/wait.Until(0xc000292f10, 0x3b9aca00, 0xc0001f20c0)
	/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:90 +0x4d
created by kmodules.xyz/client-go/tools/queue.(*Worker).Run
	/go/pkg/mod/kmodules.xyz/client-go@v0.0.0-20200521013203-6fe0a448d053/tools/queue/worker.go:53 +0x89

Additional context Add any other context about the problem here.

We noticed this happening on certificates that were previously getting synced. The last sync date for the certificate causing the crash was 2021-03-02.

We haven’t updated the certificate in the keyvault nor had we touched our azure key vault controller config so I suspect its a bug or a change to Azure’s api.

About this issue

Original URL
State: open
Created 3 years ago
Comments: 17

Commits related to this issue

Fix null pointer when secret has no owner Resolves #166 — committed to SparebankenVest/azure-key-vault-to-kubernetes by 181192 3 years ago
Fix null pointer when secret has no owner (#168) Resolves #166 — committed to SparebankenVest/azure-key-vault-to-kubernetes by 181192 3 years ago

Most upvoted comments

Released in controller 1.2.3, chart version 2.0.10 😊 Thanks for the help @jonescobedo!

181192 on Mar 25, 2021