AzureKeyVaultSecretsHealthCheck shouldn't return Healthy when a Key Vault has been soft deleted #2279

Open
eerhardt opened this issue Aug 6, 2024 · 0 comments

eerhardt commented Aug 6, 2024

Please, fill the following sections to help us fix the issue

What happened:

The keyvault we were health checking got "soft deleted", but the health check still returns "Healthy"

What you expected to happen:

I expect the health check should return "Unhealthy" in this case

How to reproduce it (as minimally and precisely as possible):

  1. Create a key vault
  2. Soft delete it
  3. Use the AzureKeyVaultSecretsHealthCheck and check the health

Source code sample:

```csharp
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using HealthChecks.Azure.KeyVault.Secrets;
using Microsoft.Extensions.Diagnostics.HealthChecks;

SecretClient client = new SecretClient(new Uri("https://aspiretests.vault.azure.net/"), new DefaultAzureCredential());
AzureKeyVaultSecretsHealthCheck c = new AzureKeyVaultSecretsHealthCheck(client, new AzureKeyVaultSecretsHealthCheckOptions());
HealthCheckResult result = await c.CheckHealthAsync(new HealthCheckContext());

Console.WriteLine(result.Status);
```

Anything else we need to know?:

```csharp
catch (RequestFailedException azureEx) when (azureEx.Status == 404) // based on https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/core/Azure.Core/README.md#reporting-errors-requestfailedexception
{
    if (_options.CreateWhenNotFound)
    {
        // When this call fails, the exception is caught by upper layer.
        // From https://learn.microsoft.com/aspnet/core/host-and-deploy/health-checks#create-health-checks:
        // "If CheckHealthAsync throws an exception during the check, a new HealthReportEntry is returned with its HealthReportEntry.Status set to the FailureStatus."
        await _secretClient.SetSecretAsync(name: secretName, value: secretName, cancellationToken).ConfigureAwait(false);
    }
    // The secret was not found, but it's fine as all we care about is whether it's possible to connect.
    return new HealthCheckResult(HealthStatus.Healthy);
}
```

This code needs to change to also check for ErrorCode VaultNotFound.

Environment:

  • .NET Core version
  • Healthchecks version
  • Operative system:
  • Others:
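
One way to draw the distinction the issue asks for, as an added example that is not the HealthChecks project's code: a 404 only counts as "connected" when the error code is not `VaultNotFound`. The `KeyVaultNotFoundClassifier` helper, the sample exceptions, and the `SecretNotFound` and `Forbidden` error codes are assumptions made for illustration.

```csharp
using System;
using Azure;
using Microsoft.Extensions.Diagnostics.HealthChecks;

// Hypothetical helper (not part of the HealthChecks library): decides what a
// RequestFailedException from Key Vault means for the health probe.
static class KeyVaultNotFoundClassifier
{
    // Error code named in the issue for a vault that no longer resolves.
    private const string VaultNotFound = "VaultNotFound";

    public static HealthCheckResult Classify(RequestFailedException ex, HealthStatus failureStatus)
    {
        if (ex.Status != 404)
        {
            // Anything other than "not found" is a failed probe.
            return new HealthCheckResult(failureStatus, "Key Vault request failed.", ex);
        }

        if (string.Equals(ex.ErrorCode, VaultNotFound, StringComparison.OrdinalIgnoreCase))
        {
            // The 404 is about the vault itself, so nothing was reachable.
            return new HealthCheckResult(failureStatus, "Key Vault not found (ErrorCode VaultNotFound).", ex);
        }

        // Any other 404: the vault answered and only the probe secret is missing.
        return new HealthCheckResult(HealthStatus.Healthy);
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample exceptions; no network call is made.
        var samples = new[]
        {
            new RequestFailedException(404, "constructed: secret missing", "SecretNotFound", null),
            new RequestFailedException(404, "constructed: vault missing", "VaultNotFound", null),
            new RequestFailedException(403, "constructed: access denied", "Forbidden", null),
        };

        foreach (RequestFailedException ex in samples)
        {
            HealthCheckResult r = KeyVaultNotFoundClassifier.Classify(ex, HealthStatus.Unhealthy);
            Console.WriteLine($"{ex.Status} {ex.ErrorCode}: {r.Status}");
        }
    }
}
```

Passing the registration's failure status instead of a hard-coded `Unhealthy` keeps the result consistent with what the framework reports when the check throws.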