I have a Function App that is running in a container in Kubernetes. One of my endpoints is an HttpTrigger with anonymous access. However, the query string contains a parameter `code` (supplied by a 3rd party vendor, with no control over its name) that causes the app to throw a 500 error with no log indicating what happened. The odd part is that if I deploy the same function to an Azure Function App everything works as expected. So my question is: what configuration or environment variables need to be set in order for this to behave correctly?
Related to this as a follow-up question: Azure Function running in AKS throws 500 on query string parameter for http trigger function
The issue turned out to be that the runtime tries to write files to the `azure-functions-host/Secrets` directory for anonymous functions where `code` is a parameter in the query string. Due to the way Kubernetes mounts volumes for secrets, when it creates the directory it sets the permissions in a read-only fashion even if `readOnly` is false.
As a work-around I ended up creating the directory in the Dockerfile:

```dockerfile
# To enable ssh & remote debugging on app service change the base image to the one below
# FROM mcr.microsoft.com/azure-functions/dotnet:3.0-appservice
FROM mcr.microsoft.com/azure-functions/dotnet:3.0

ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
    AzureFunctionsJobHost__Logging__Console__IsEnabled=true \
    FUNCTIONS_WORKER_RUNTIME=dotnet

EXPOSE 80 443

# Pre-create the host secrets directory (absolute path, matching the mountPath used
# in the deployment) so it exists with writable permissions before any volume is mounted
RUN mkdir -p /azure-functions-host/Secrets

COPY . /home/site/wwwroot
```
In the Kubernetes deployment file I mounted the specific file into that directory so that the mount action did not mess with the directory permissions:

```yaml
volumeMounts:
  # Mount only host.json (via subPath) rather than the whole directory,
  # so the directory created in the Dockerfile keeps its permissions
  - name: functionhostkeys-store
    mountPath: "/azure-functions-host/Secrets/host.json"
    subPath: "host.json"
    readOnly: false
```

This approach allowed the runtime to still write to that directory as needed, but also allowed me to manage my function keys in Azure Key Vault and mount them at runtime in a known configuration.
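The `volumeMounts` fragment in the answer above shows only half of the wiring; the following is a complete Secret plus Deployment pairing, added here as an example and not taken from the original answer. The Secret name, Deployment name, image reference and key values are placeholders, and the layout of the `host.json` key file is an assumption rather than something the answer states.

```yaml
# Added example: Secret carrying the host keys file, and the Deployment that mounts
# it as a single file into the directory the Functions host needs to write to.
apiVersion: v1
kind: Secret
metadata:
  name: functionhostkeys            # placeholder name
type: Opaque
stringData:
  # Assumed layout of the Functions host key file; replace the values with real keys
  host.json: |
    {
      "masterKey": { "name": "master", "value": "REPLACE_ME", "encrypted": false },
      "functionKeys": [ { "name": "default", "value": "REPLACE_ME", "encrypted": false } ]
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myfunc                      # placeholder name
spec:
  replicas: 1
  selector:
    matchLabels: { app: myfunc }
  template:
    metadata:
      labels: { app: myfunc }
    spec:
      containers:
        - name: myfunc
          image: REGISTRY/myfunc:latest   # placeholder: image built from the Dockerfile above
          ports:
            - containerPort: 80
          volumeMounts:
            # Mount the file, not the directory, so the directory created in the
            # Dockerfile keeps its permissions and the runtime can still write beside it
            - name: functionhostkeys-store
              mountPath: "/azure-functions-host/Secrets/host.json"
              subPath: "host.json"
              readOnly: false
      volumes:
        - name: functionhostkeys-store
          secret:
            secretName: functionhostkeys   # must match the Secret above
```

Keep in mind that a `subPath` mount is not refreshed when the Secret changes, so rotated function keys only take effect after the pod is restarted.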