added guidance to rotate server secret

anraghun · anraghun · commit 01d7f4f5e152 · 2022-07-08T12:36:00.000+05:30
diff --git a/articles/azure-arc/kubernetes/azure-rbac.md b/articles/azure-arc/kubernetes/azure-rbac.md
@@ -57,7 +57,7 @@ A conceptual overview of this feature is available in the [Azure RBAC on Azure A
     az ad app update --id "${SERVER_APP_ID}" --set groupMembershipClaims=All
     ```
 
-1. Create a service principal and get its `password` field value. This value is required later as `serverApplicationSecret` when you're enabling this feature on the cluster.
+1. Create a service principal and get its `password` field value. This value is required later as `serverApplicationSecret` when you're enabling this feature on the cluster. Please note that this secret is valid for 1 year and will need to be [rotated after that](azure-rbac#refresh-the-secret-of-the-server-application). 
 
     ```azurecli
     az ad sp create --id "${SERVER_APP_ID}"
@@ -531,6 +531,19 @@ node-2    Ready    agent    6m42s    v1.18.14
 node-3    Ready    agent    6m33s    v1.18.14
 ```
 
+## Refresh the secret of the server application
+
+If the secret for the server application's service principal has expired, you will need to rotate it.
+
+```azurecli
+SERVER_APP_SECRET=$(az ad sp credential reset --name "${SERVER_APP_ID}" --credential-description "ArcSecret" --query password -o tsv)
+```
+
+Update the secret on the cluster.
+```azurecli
+az connectedk8s enable-features -n <clusterName> -g <resourceGroupName> --features azure-rbac --app-id "${SERVER_APP_ID}" --app-secret "${SERVER_APP_SECRET}"
+```
+
 ## Next steps
 
 > [!div class="nextstepaction"]
diff --git a/articles/azure-arc/kubernetes/troubleshooting.md b/articles/azure-arc/kubernetes/troubleshooting.md
@@ -155,7 +155,7 @@ To resolve this issue, try the following steps.
     cluster-metadata-operator-664bc5f4d-chgkl   2/2     Running            0          4m14s
     clusterconnect-agent-7cb8b565c7-wklsh       2/3     CrashLoopBackOff   0          1m15s
     clusteridentityoperator-76d645d8bf-5qx5c    2/2     Running            0          4m15s
-     config-agent-65d5df564f-lffqm               1/2     CrashLoopBackOff   0          1m14s
+    config-agent-65d5df564f-lffqm               1/2     CrashLoopBackOff   0          1m14s
      ```
 
 3. If the certificate below isn't present, the system assigned managed identity hasn't been installed.
@@ -172,6 +172,18 @@ To resolve this issue, try the following steps.
 
 4. If the `clusterconnect-agent` and the `config-agent` pods are running, but the `kube-aad-proxy` pod is missing, check your pod security policies. This pod uses the `azure-arc-kube-aad-proxy-sa` service account, which doesn't have admin permissions but requires the permission to mount host path.
 
+5. If the `kube-aad-proxy` pod is stuck in `ContainerCreating` state, check whether the kube-aad-proxy certificate has been downloaded onto the cluster.
+
+   ```console
+   kubectl get secret -n azure-arc -o yaml | grep name:
+   ```
+
+   ```output
+   name: kube-aad-proxy-certificate
+   ```
+
+   If the certificate is missing, please contact support.
+
 ### Helm validation error
 
 Helm `v3.3.0-rc.1` version has an [issue](https://github.com/helm/helm/pull/8527) where helm install/upgrade (used by the `connectedk8s` CLI extension) results in running of all hooks leading to the following error:
