Skip to content

CSP Invalid controller defaults to Unknown unless is certain of a credential failure #4453

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ehvs wants to merge 6 commits into
base: master
Choose a base branch
from
Open

CSP Invalid controller defaults to Unknown unless is certain of a credential failure #4453

ehvs wants to merge 6 commits into from
+37 −14

Conversation

@ehvs
Copy link
Collaborator

@ehvs ehvs commented Nov 4, 2025
edited
Loading

Which issue this PR addresses:

https://issues.redhat.com/browse/ARO-22432

Test plan for issue:

  • Unit tests
  • e2e
  • Operator local tests

Is there any documentation that needs to be updated for this PR?

Indirectly updated the testing steps for ARO Operator:
#4496

How do you know this will function as expected in production?

By changing the azure-credentials secret in kube-system , upon the operator Reconciliation the state was set to ServicePrincipalInvalid


Attempted credentials:
  ClientSecretCredential authentication failed.

  POST https://login.microsoftonline.com/[redacted]/oauth2/v2.0/token
  --------------------------------------------------------------------------------
  RESPONSE 400: 400 Bad Request
  --------------------------------------------------------------------------------
  {
    "error": "unauthorized_client",
    "error_description": "AADSTS700016: Application with identifier '[redacted]' was not found in the directory '[redacted]. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant. Trace ID: Correlation ID: Timestamp: 2025-12-02 09:11:24Z",
    "error_codes": [
      700016
    ],
    "timestamp": "2025-12-02 09:11:24Z",
    "trace_id": "xxx",
    "correlation_id": "xxx",
    "error_uri": "https://login.microsoftonline.com/error?code=700016"
  }
  --------------------------------------------------------------------------------
  To troubleshoot, visit https://aka.ms/azsdk/go/identity/troubleshoot#client-secret

reason: Service Principal invalid
status: "False"
type: ServicePrincipalValid

When the error was not a known error. it sets to Unknown

    status: Unknown
    type: ServicePrincipalValid

@ehvs ehvs marked this pull request as ready for review December 1, 2025 09:41
kimorris27
kimorris27 previously approved these changes Dec 3, 2025
View reviewed changes
Copy link
Contributor

@kimorris27 kimorris27 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! I left two small, non-blocking suggestions.

mociarain
mociarain approved these changes Dec 9, 2025
View reviewed changes
Copy link
Member

@mociarain mociarain left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mociarain mociarain mociarain approved these changes

@kimorris27 kimorris27 kimorris27 left review comments

@bennerv bennerv Awaiting requested review from bennerv bennerv is a code owner

@hawkowl hawkowl Awaiting requested review from hawkowl hawkowl is a code owner

@rogbas rogbas Awaiting requested review from rogbas rogbas is a code owner

@mrWinston mrWinston Awaiting requested review from mrWinston mrWinston is a code owner

@jharrington22 jharrington22 Awaiting requested review from jharrington22 jharrington22 is a code owner

@cadenmarchese cadenmarchese Awaiting requested review from cadenmarchese cadenmarchese is a code owner

@yjst2012 yjst2012 Awaiting requested review from yjst2012 yjst2012 is a code owner

@hlipsig hlipsig Awaiting requested review from hlipsig hlipsig is a code owner

@tiguelu tiguelu Awaiting requested review from tiguelu tiguelu is a code owner

@tsatam tsatam Awaiting requested review from tsatam tsatam is a code owner

@fahlmant fahlmant Awaiting requested review from fahlmant fahlmant is a code owner

@sankur-codes sankur-codes Awaiting requested review from sankur-codes sankur-codes is a code owner

@wanghaoran1988 wanghaoran1988 Awaiting requested review from wanghaoran1988 wanghaoran1988 is a code owner

@pepedocs pepedocs Awaiting requested review from pepedocs pepedocs is a code owner

Assignees

No one assigned

Labels

ready-for-review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ehvs @mociarain @kimorris27