Skip to main content

Azure Troubleshooting

Quick checks for common deployment issues on AKS. Database bootstrap guide: Database Bootstrap Troubleshooting.

External Secrets / Key Vault

kubectl describe secretstore azure-secret-store -n bh-control-plane
kubectl get externalsecret -n bh-control-plane
kubectl logs -n external-secrets-system -l app.kubernetes.io/name=external-secrets
IssueFix
Workload Identity auth failureVerify federated credentials; K8s SA annotation azure.workload.identity/client-id
Secret not foundKey Vault name must match global.remoteSecrets
Key Vault Forbidden (403)Grant Key Vault Secrets User to ESO managed identity; wait 60–120s for RBAC propagation
Stale secretESO refreshInterval; delete K8s secret to force resync
SecretStore not readykubectl describe secretstore — check vaultUrl, tenant ID, managed identity client ID

Restart ESO after RBAC changes:

kubectl rollout restart deployment external-secrets -n external-secrets-system

PostgreSQL

Full bootstrap and schema permission guide: Database Bootstrap Troubleshooting.

SymptomCauseFix
password authentication failed for bh_app_userbh-app-user-password ≠ PostgreSQL bh_app_user passwordAlign Key Vault secret with DB user
permission denied for schema / Alembic failsBootstrap not run, wrong schema owner, or wrong POSTGRES_USERRun create-dbs-azure.sh before deploy; use bh_dev_user + bh-dev-user-password
password authentication failed for bh_dev_userPOSTGRES_PASSWORD mapped to wrong Key Vault secretSet global.remoteSecrets.postgres.passwordbh-dev-user-password
Keycloak DB auth failureKC_DB_URL / KC_DB_USERNAME mismatch or wrong bh-kcdbpwdDatabase keycloak_db_<env>, user keycloak_db_user, Key Vault bh-kcdbpwd
Connection refused / timeoutFirewall, private endpoint, or VNet rulesAllow AKS egress to PostgreSQL; verify PGSSLMODE=require
SSL verify errorsServer CA not in Key VaultUpload bh-postgres-ssl-cert; set postgresSSLMode: require

Ingress / load balancer

SymptomFix
LB unhealthySet azure-load-balancer-health-probe-request-path: /healthz on ingress-nginx Service
No EXTERNAL-IPWait for Azure LB provisioning; check Service events
502 from nginxCheck backend pods; Keycloak logs for DB/TLS errors
kubectl describe ingress bh-ingress -n bh-control-plane
kubectl get svc -n ingress-nginx

TLS

SymptomFix
cert-manager challenge pendingDNS Zone Contributor on cert-manager identity; Azure DNS zone correct — TLS Options
Ingress TLS missingK8s secret global.ingress.tlsSecretName exists with tls.crt / tls.key
Private cert not appliedUpload to Key Vault keys in global.remoteSecrets.tls; recreate K8s TLS secret
PushSecret / Key Vault syncVerify PushSecret status; Key Vault secret names match global.remoteSecrets.tls

Workload Identity

SymptomFix
Federated credential creation failsCaller needs Managed Identity Contributor on target identity
Wrong identity nameaz identity list --output table
Pod cannot access Key VaultCheck SA annotations and federated credential subject

Images / registry

SymptomFix
ImagePullBackOffTag exists in ACR; kubelet identity has AcrPull
Wrong imageCheck global.image.repository and tag in values

Storage

SymptomFix
PV attachment timeoutVerify storage class (managed-csi, azurefile-csi); check node pool SKU
Blob CSI mount failsEnable Blob CSI add-on; verify Workload Identity + storage RBAC

Helm

helm dependency build .
helm lint . -f values.yaml -f values-<env>.yaml
IssueFix
Nil pointer in templatesEnable subchart in values (global.<svc>.enabled: true)
ExternalSecret not readyComplete Key Vault bootstrap before Helm install

Support escalation

Include: chart version, values overlay (redacted), kubectl get pods,externalsecret,ingress -n bh-control-plane, and relevant pod logs.

TopicLink
Database bootstrapDatabase Bootstrap Troubleshooting
Key Vault mappingKey Vault Secrets
GCP equivalentGCP Troubleshooting