Okay, I have Azure Kubernetes Service with a running dockerized app, with ingress (I used "creating ingress (preview)").
Everything works fine except the certificate. I created a key vault and uploaded a certificate inside it to use for the domain. I have "Azure role-based access control (recommended)" checked, and in access control I added my cluster in roles like this: Assign access to Managed identity > cluster > role => "Key Vault Certificates Officer".
From the terminal I can access that certificate; I checked everything and all is OK. But it just keeps saying:
Error getting SSL certificate "default/keyvault-ingress": local SSL certificate default/keyvault-ingress was not found. Using default certificate
and running this: kubectl describe ingress django-ingress -n default I get:
Warning FailedMount 9m9s aks-app-routing-operator MountVolume.SetUp failed for volume "secrets" : rpc error: code = Unknown desc = failed to mount secrets store objects for pod default/keyvault-ingress-dvljx, err: rpc error: code = Unknown desc = failed to mount objects, error: failed to get objectType:secret, objectName:keyvault-ingress, objectVersion:: keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: appid=64131d23-3521-43b2-b65e;oid=4f40e8b1-d304-4c31;iss=https://sts.windows.net/91837362-3258/\r\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\nResource: '/subscriptions/SUB/resourcegroups/myresource/providers/microsoft.keyvault/vaults/keyvaults/secrets/keyvault-ingress'\r\nAssignment: (not found)\r\nDenyAssignmentId: null\r\nDecisionReason: 'DeniedWithNoValidRBAC' \r\nVault: GAKEY;location=eastus\r\n" InnerError={"code":"ForbiddenByRbac"}
I even granted OWNER as a role to that cluster in that key vault, but with no success, and when I change the permission model to Vault access policy then it starts working.
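The 403 quoted above names the denied data action (Microsoft.KeyVault/vaults/secrets/getSecret/action, since the driver reads the certificate as objectType:secret) and reports "Assignment: (not found)" for the caller. The added example below (my code, not from the post) checks whether a set of assigned roles covers that action under Azure RBAC wildcard rules; the embedded role definitions are an assumption reproduced from the built-in roles (Owner carries control-plane actions only, no dataActions) and should be confirmed with az role definition list in your own tenant.

```python
import re

# Constructed, abridged copy of the 403 message quoted in the post above.
SAMPLE_ERROR = (
    'Status=403 Code="Forbidden" Message="Caller is not authorized to perform action on resource.'
    "\\r\\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\\r\\nAssignment: (not found)\""
)

# dataActions of three built-in roles, reproduced here as an assumption; confirm in
# your tenant with: az role definition list --name "<role name>"
ROLES = {
    "Key Vault Certificates Officer": {
        "dataActions": [
            "Microsoft.KeyVault/vaults/certificatecas/*",
            "Microsoft.KeyVault/vaults/certificates/*",
            "Microsoft.KeyVault/vaults/certificatecontacts/write",
        ],
    },
    # Owner's '*' is a control-plane action; the role carries no dataActions.
    "Owner": {"actions": ["*"], "dataActions": []},
    "Key Vault Secrets User": {
        "dataActions": [
            "Microsoft.KeyVault/vaults/secrets/getSecret/action",
            "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
        ],
    },
}

def action_from_error(message: str) -> str:
    """Extract the denied data action named in a Key Vault 403 message."""
    m = re.search(r"Action: '([^']+)'", message)
    if not m:
        raise ValueError("no Action field found in error message")
    return m.group(1)

def _matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard semantics: '*' spans any characters, '/' included."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None

def role_permits(role: dict, action: str) -> bool:
    """A data action is granted only by dataActions (minus notDataActions), never by 'actions'."""
    allowed = any(_matches(p, action) for p in role.get("dataActions", []))
    denied = any(_matches(p, action) for p in role.get("notDataActions", []))
    return allowed and not denied

def roles_permitting(assigned, action):
    """Return the assigned role names that would let the caller perform the action."""
    return [name for name in assigned if role_permits(ROLES[name], action)]
```

Run roles_permitting(list(ROLES), action_from_error(SAMPLE_ERROR)) to see that only the secrets role covers the action in the error; the same check with the real caller's role list (from the oid in the message) tells you whether a missing assignment or a wrong role is the cause.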