
[BUG] Azure KeyVault Logs are filled with Unauthorized (401) events when using Controller Certificate-Sync #812

Open
plang3r opened this issue Jan 14, 2025 · 0 comments
Labels
bug Something isn't working

Comments


plang3r commented Jan 14, 2025

Note: Make sure to check out known issues (https://akv2k8s.io/troubleshooting/known-issues/) before submitting

Components and versions
Select which component(s) the bug relates to with [X].

[X] Controller, version: 1.7.3 (docker image tag)
[ ] Env-Injector (webhook), version: x.x.x (docker image tag)
[ ] Other

When using Certificate-Sync on the Controller node (not tested on the Env Injector node) with Environment Authentication (other methods of authentication not tested), certificates sync as expected; however, multiple 401 Unauthorized log entries are generated in the KeyVault's logs in the Azure Portal. Additionally, there is nothing in the AKS Controller logs indicating the occurrence of a 401 event. After removing the AzureKeyVaultSecret CRD, the 401 log entries disappear.

To Reproduce
Steps to reproduce the behavior:

  1. Create an App Registration in Azure which will be used for Authentication

  2. Generate a Client Secret for the App Registration and save the token value for later

  3. Assign the following permissions to the App Registration for the KeyVault that will be used with akv2k8s:

    a) Using RBAC - Assign "Key Vault Certificate User" and "Key Vault Secrets User" to the App Registration
    b) Using Access policies - Assign "Secret Permissions - Get" and "Certificate Permissions - Get" to the App Registration

  4. Install akv2k8s with authentication type = environment

    kubectl create ns akv2k8s

    kubectl config set-context --current --namespace=akv2k8s

    helm repo add spv-charts https://charts.spvapi.no
    helm repo update

    helm upgrade --install akv2k8s spv-charts/akv2k8s --namespace akv2k8s

    kubectl create secret generic service-principal-auth --from-literal AZURE_TENANT_ID='<tenant-id-of-AppRegistration>' --from-literal AZURE_CLIENT_ID='<client-id-of-AppRegistration>' --from-literal AZURE_CLIENT_SECRET='<client-secret-generated-in-AppRegistration>'

    helm upgrade --install akv2k8s spv-charts/akv2k8s --namespace akv2k8s --set global.keyVaultAuth=environment --set global.envFromSecret[0].name=service-principal-auth --set env_injector.enabled=false --set global.logLevel=trace

  5. Upload a PFX certificate to the KeyVault (my-pfxcert)

  6. Create a new AzureKeyVaultSecret in a namespace other than akv2k8s

    kubectl create ns my-namespace

  7. Create the following file my-akv.yaml (note that vault and output sit under spec)

    apiVersion: spv.no/v2beta1
    kind: AzureKeyVaultSecret
    metadata:
      name: certificate-sync
      namespace: my-namespace
    spec:
      vault:
        name: my-keyvault
        object:
          name: my-pfxcert
          type: certificate
      output:
        secret:
          name: my-pfxsecret
          type: kubernetes.io/tls

  8. Apply the file

    kubectl apply -f .\my-akv.yaml

  9. Wait 5 - 10 minutes for Logs to start generating in Azure

  10. Check the Azure Logs of my-keyvault in the Azure Portal

    a) Go to my-keyvault > Monitoring > Logs

    b) Run the following query (Time range = Last 30 minutes):

    AzureDiagnostics
    | where ResultSignature != "OK"
    | top 50 by TimeGenerated desc

Result: You will see a bunch of Unauthorized 401 attempts coming from the IP Address of your Controller node in AKS. my-pfxcert will be syncing as expected and no logs appear in the Controller indicating a reason for the 401 Unauthorized KeyVault logs.
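To see which Key Vault call the Controller is actually being refused on, the reporter's query can be narrowed to 401s from the Controller node and summarized per operation. This is an added example, not part of the issue; the column names follow the Key Vault AzureDiagnostics schema and are assumed here (the issue only shows ResultSignature and TimeGenerated), and <controller-node-ip> is a placeholder for the IP seen in the original query's output.

```kql
// Added triage query (not from the issue). Keeps only the 401 rows for the
// Controller node's IP and groups them by operation and request URI, so a
// failing call shows up as one row with a count rather than 50 scattered hits.
// Column names assumed from the Key Vault AzureDiagnostics schema.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where TimeGenerated > ago(30m)
| where httpStatusCode_d == 401                       // the Unauthorized entries only
| where CallerIPAddress == "<controller-node-ip>"     // placeholder: your AKS node IP
| summarize Count = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by CallerIPAddress,
       OperationName,            // e.g. which Key Vault operation is refused
       requestUri_s,             // the object (certificate/secret) being requested
       identity_claim_appid_g,   // app id the request was attributed to, if any
       clientInfo_s              // user agent of the caller
| order by Count desc
```

Comparing the Count and LastSeen columns against the Controller's sync interval shows whether the 401s track each sync cycle or occur independently of it.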

Expected behavior
my-pfxcert syncs as expected and the Azure KeyVault logs for my-keyvault are not spammed with 401 Log entries.


@plang3r plang3r added the bug Something isn't working label Jan 14, 2025
No branches or pull requests

1 participant