Authbackend creation fails with path already in use at oidc #25

Open
mustafaStakater opened this issue Jan 17, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@mustafaStakater

mustafaStakater commented Jan 17, 2024

What happened?

Creating an AuthBackend fails initially with "both 'oidc_client_id' and 'oidc_client_secret' must be set for OIDC", and then the error changes to "* path is already in use at oidc/". In Vault, the oidc path is present with an empty configuration.

How can we reproduce it?

  • Get an OpenShift cluster and deploy Vault and Crossplane on OpenShift.
  • Access the pod CLI and initialize Vault using vault operator init. Save the unseal keys and root token.
  • Log in to Vault with the root token using vault login and create a token for Crossplane.
  • Create a Crossplane provider for Vault.
    apiVersion: pkg.crossplane.io/v1
    kind: Provider
    metadata:
      name: provider-vault
    spec:
      package: 'xpkg.upbound.io/upbound/provider-vault:v0.1.0'
      controllerConfigRef:
        name: vault-controller
    ---
    apiVersion: pkg.crossplane.io/v1alpha1
    kind: ControllerConfig
    metadata:
      name: vault-controller
    spec:
      securityContext: {}
      podSecurityContext: {}
      args:
        - "--leader-election"
      replicas: 1
    
  • Create a ProviderConfig and a Secret holding the Vault token
    apiVersion: vault.upbound.io/v1beta1
    kind: ProviderConfig
    metadata:
      name: provider-vault
    spec:
      address: 'http://vault.apps-crc.testing/'
      credentials:
        secretRef:
          key: credentials
          name: vault-creds
          namespace: crossplane
        source: Secret
    ---
    kind: Secret
    apiVersion: v1
    metadata:
      name: vault-creds
      namespace: crossplane
    stringData:   # plaintext value; under data: it would have to be base64-encoded
      credentials: "hvs.alshdabuoac"
    type: Opaque
    
    
  • Create the AuthBackend resource
    apiVersion: jwt.vault.upbound.io/v1alpha1
    kind: AuthBackend
    metadata:
      name: vault-config-fb77r
    spec:
      deletionPolicy: Delete
      forProvider:
        defaultRole: defaultrole
        oidcClientId: vault
        oidcClientSecretSecretRef:
          key: secret
          name: vault-sso-client-secret
          namespace: vault
        oidcDiscoveryUrl: >-
          https://sso-/auth/realms/vault-realm
        path: oidc
        type: oidc
      managementPolicy: FullControl
      providerConfigRef:
        name: provider-vault
    ---
    kind: Secret
    apiVersion: v1
    metadata:
      name: vault-sso-client-secret
      namespace: vault
    data:
      secret: ckFuRG9NMTIz
    type: Opaque
    
    

What environment did it happen in?

  • Crossplane and Vault running in Openshift
  • Vault Version : 1.12.1
  • Crossplane Version : 1.14.5
@mustafaStakater mustafaStakater added the bug Something isn't working label Jan 17, 2024
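A preflight check for the manifests above, as an added example that is not part of the report or of provider-vault: it resolves every *SecretRef in the AuthBackend's spec.forProvider (and the ProviderConfig's credentials.secretRef) against a snapshot of cluster Secrets before anything is applied, so a missing Secret, a missing key, an empty or non-base64 value is reported client-side rather than by the provider after the mount has already been enabled in Vault. The dicts are constructed equivalents of the YAML in the report (same names, namespaces and placeholder values); the plaintext-http warning is an extra check added here.

```python
"""Preflight check for a provider-vault AuthBackend / ProviderConfig (added example)."""
import base64
import binascii

# Constructed cluster snapshot, mirroring the Secrets posted in the report.
SECRETS = [
    {"kind": "Secret",
     "metadata": {"name": "vault-sso-client-secret", "namespace": "vault"},
     "data": {"secret": "ckFuRG9NMTIz"}},
    # As posted: a plaintext token under data:, which Kubernetes requires to be base64.
    {"kind": "Secret",
     "metadata": {"name": "vault-creds", "namespace": "crossplane"},
     "data": {"credentials": "hvs.alshdabuoac"}},
]

AUTH_BACKEND = {
    "apiVersion": "jwt.vault.upbound.io/v1alpha1", "kind": "AuthBackend",
    "metadata": {"name": "vault-config-fb77r"},
    "spec": {"forProvider": {
        "defaultRole": "defaultrole",
        "oidcClientId": "vault",
        "oidcClientSecretSecretRef": {
            "key": "secret", "name": "vault-sso-client-secret", "namespace": "vault"},
        "oidcDiscoveryUrl": "https://sso-/auth/realms/vault-realm",
        "path": "oidc",
        "type": "oidc",
    }},
}

PROVIDER_CONFIG = {
    "apiVersion": "vault.upbound.io/v1beta1", "kind": "ProviderConfig",
    "metadata": {"name": "provider-vault"},
    "spec": {"address": "http://vault.apps-crc.testing/",
             "credentials": {"source": "Secret", "secretRef": {
                 "key": "credentials", "name": "vault-creds", "namespace": "crossplane"}}},
}


def find_secret(secrets, name, namespace):
    """Return the Secret with this name/namespace from the snapshot, or None."""
    for s in secrets:
        meta = s.get("metadata", {})
        if s.get("kind") == "Secret" and meta.get("name") == name \
                and meta.get("namespace") == namespace:
            return s
    return None


def check_secret_ref(field, ref, secrets):
    """Problems with one {key, name, namespace} reference; [] if it resolves to a usable value."""
    where = f"{field}: Secret {ref.get('namespace')}/{ref.get('name')}"
    secret = find_secret(secrets, ref.get("name"), ref.get("namespace"))
    if secret is None:
        return [f"{where} not found"]
    key = ref.get("key")
    if key in secret.get("stringData", {}):
        value = secret["stringData"][key]
    elif key in secret.get("data", {}):
        try:  # data: values are base64; validate=True rejects 'hvs.…'-style plaintext
            value = base64.b64decode(secret["data"][key], validate=True).decode()
        except (binascii.Error, UnicodeDecodeError):
            return [f"{where} key {key!r} is not valid base64 (use stringData for plaintext)"]
    else:
        return [f"{where} has no key {key!r}"]
    if value == "":
        return [f"{where} key {key!r} is empty"]
    return []


def check_auth_backend(auth_backend, secrets):
    """All problems that would make Vault reject the config after the mount is enabled."""
    spec = auth_backend["spec"]["forProvider"]
    problems = []
    if spec.get("type") == "oidc":
        # Vault's oidc method requires both; the provider only learns this after
        # it has already enabled the auth method at spec.path.
        if not spec.get("oidcClientId"):
            problems.append("oidcClientId is required for type oidc")
        if "oidcClientSecretSecretRef" not in spec:
            problems.append("oidcClientSecretSecretRef is required for type oidc")
    for field, ref in spec.items():
        if field.endswith("SecretRef") and isinstance(ref, dict):
            problems += check_secret_ref(field, ref, secrets)
    return problems


def check_provider_config(provider_config, secrets):
    """Same check for the Secret the ProviderConfig reads the Vault token from."""
    spec = provider_config["spec"]
    creds = spec.get("credentials", {})
    problems = []
    if creds.get("source") == "Secret":
        problems += check_secret_ref("credentials.secretRef", creds.get("secretRef", {}), secrets)
    if spec.get("address", "").startswith("http://"):  # added check: token would travel in clear
        problems.append("address uses plaintext http; the Vault token is sent unencrypted")
    return problems


if __name__ == "__main__":
    for kind, probs in (("AuthBackend", check_auth_backend(AUTH_BACKEND, SECRETS)),
                        ("ProviderConfig", check_provider_config(PROVIDER_CONFIG, SECRETS))):
        print(kind, "OK" if not probs else probs)
```

Run as-is, the AuthBackend passes (the referenced Secret exists and "ckFuRG9NMTIz" decodes cleanly), while the ProviderConfig is flagged twice: the token under data: is not base64, and the address is plaintext http. Changing the referenced Secret name to one that does not exist in the snapshot reproduces the root cause of this report as a single "not found" line before anything touches Vault.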
@mustafaStakater

mustafaStakater commented Jan 19, 2024

The issue was a wrong secret name being used, but the provider shouldn't partially create an empty oidc configuration and then end up in an unhealthy state.

@uwefreidank

Also happens with:

  • Vault Version 1.15.7
  • Crossplane Version: 1.15.2
  • Provider vault: 0.0.4

Even worse, if I apply several AuthBackends in parallel (in my case, 55), the first reconciled AuthBackend can successfully be created in Vault, but all other AuthBackends fail with "path is already in use at oidc".
Workaround: apply the AuthBackend CRs one by one and wait in between.
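The reconcile shape that avoids both symptoms in this thread (a mount left enabled but unconfigured after a failed config write, and a second reconcile failing on a path that already exists), as an added example that is neither provider-vault's nor Vault's own code. FakeVault is a constructed in-memory stand-in for the two API calls involved: enabling an auth method at a path, which Vault rejects with "path is already in use" when the path exists, and writing the oidc config, which Vault rejects when client id or secret is missing. ensure_oidc_backend() resolves inputs before mounting, rolls the mount back if the config write fails, and adopts an existing same-type mount instead of failing on it. Vault additionally fetches the discovery document on config write; that is not modelled here, but it is one more reason the config write can fail after the mount is already enabled.

```python
"""Idempotent enable-then-configure of a Vault oidc auth mount (added example)."""


class VaultError(Exception):
    """Error the (fake) Vault API returns."""


class ConflictError(Exception):
    """The path is mounted with something this reconciler must not overwrite."""


class FakeVault:
    """Constructed stand-in for auth/<path> enable, disable, read and config write."""

    def __init__(self):
        self.mounts = {}  # "oidc/" -> {"type": "oidc", "config": dict | None}

    @staticmethod
    def _norm(path):
        return path.strip("/") + "/"

    def enable_auth(self, path, type_):
        p = self._norm(path)
        if p in self.mounts:  # same wording Vault uses for sys/auth on an existing path
            raise VaultError(f"path is already in use at {p}")
        self.mounts[p] = {"type": type_, "config": None}

    def disable_auth(self, path):
        self.mounts.pop(self._norm(path), None)

    def read_auth(self, path):
        return self.mounts.get(self._norm(path))

    def write_oidc_config(self, path, config):
        p = self._norm(path)
        if p not in self.mounts:
            raise VaultError(f"no handler for route auth/{p}config")
        if not config.get("oidc_client_id") or not config.get("oidc_client_secret"):
            raise VaultError("both 'oidc_client_id' and 'oidc_client_secret' must be set for OIDC")
        self.mounts[p]["config"] = dict(config)


def ensure_oidc_backend(vault, path, client_id, client_secret, discovery_url, default_role):
    """Bring auth/<path> to the desired oidc configuration; returns 'created',
    'adopted' or 'unchanged'. A mount this call created is never left
    unconfigured: if the config write fails it is disabled again before the
    error is re-raised, so a retry starts from a clean path."""
    desired = {
        "oidc_client_id": client_id,
        "oidc_client_secret": client_secret,
        "oidc_discovery_url": discovery_url,
        "default_role": default_role,
    }
    # 1. Resolve everything Vault will demand before touching it. A SecretRef
    #    that does not resolve must fail here, not after the mount exists.
    if not client_id or not client_secret:
        raise ValueError("oidc client id and secret must both be resolved before mounting")

    # 2. Treat an existing mount as state to converge on, not as an error.
    existing = vault.read_auth(path)
    created = False
    if existing is None:
        vault.enable_auth(path, "oidc")
        created = True
        outcome = "created"
    elif existing["type"] != "oidc":
        raise ConflictError(f"{path} is mounted as {existing['type']!r}, not oidc")
    elif existing["config"] == desired:
        return "unchanged"
    elif existing["config"] is not None:
        # Somebody else's configuration lives here; overwriting it silently would
        # let one resource hijack another's auth path.
        raise ConflictError(f"{path} is already configured differently; refusing to overwrite")
    else:
        outcome = "adopted"  # enabled but empty, i.e. left behind by an earlier partial run

    # 3. Configure, and undo our own mount on failure.
    try:
        vault.write_oidc_config(path, desired)
    except VaultError:
        if created:
            vault.disable_auth(path)
        raise
    return outcome


if __name__ == "__main__":
    v = FakeVault()
    args = ("oidc", "vault", "rAnDoM123", "https://sso.example/realms/vault-realm", "defaultrole")
    print(ensure_oidc_backend(v, *args))   # created
    print(ensure_oidc_backend(v, *args))   # unchanged
    print(sorted(v.mounts))
```

The adopt branch is what makes the parallel-apply case converge: the first reconcile creates the mount, later ones that target the same path with the same desired state see "unchanged" rather than "path is already in use". Paths with a different type or a different configuration are still reported as conflicts, so the reconciler never silently takes over an auth path it did not intend to own.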
