Description
Is your feature request related to a problem? Please describe.
During a troubleshooting call with MS support, an AKS engineer was engaged. The ticket number is 2504080040007299
The AKS engineer explained that KMS makes use of what I will refer to as "key slots" in the sidecar attached to the API server and that if the key in either key slot expires in Keyvault, then the cluster can encounter problems.
We are looking for a way to identify for certain which key is in the "previous key" field. Azure Support is able to see this field, but we are unable to see it from any of the following:
az aks show -g <resource group name> -n <cluster name>- JSON output for the cluster via the Azure Portal
- Terraform output and terraform state
- Export Template feature in the portal for the cluster, to generate an ARM template of the cluster
Because of this, it is impossible for users to know if an expired key or one which has been deleted from Key vault is still in-use within a cluster, and this leads to confusion and downtime despite the documentation around the use of 2 keys at the same time.
Describe the solution you'd like
It would be incredibly helpful for us to have peace-of-mind that our keys in-use on a KMS enabled cluster are not going to cause problems if we were able to view the Previous Key field in any of the above.
Describe alternatives you've considered
There is no alternative. We have no method to view this for ourselves, and must engage Azure Support to check this for us.
Additional context
Our clusters experienced multiple days of downtime due to the lack of clarity. We had extended our existing KMS key to allow us to change the key, and added a new key in its place, but when the old key expired, it still caused us to have an outage. If we had been able to see that the "previous key" was the expired key, we could have avoided contacting support and instead just rotated the key without needing assistance from both support and an AKS engineer.