
JWTOIDCAuthEngineConfig does not Reconcile correctly after creating CR without OIDCCredentials

Open dabelenda opened this issue 1 year ago • 9 comments

Hello,

As a follow-up to https://github.com/redhat-cop/vault-config-operator/issues/165 and the fix https://github.com/redhat-cop/vault-config-operator/pull/167, there are two (tightly coupled) issues I found.

When creating a CR of Kind JWTOIDCAuthEngineConfig without OIDCCredentials, for example:

```yaml
apiVersion: redhatcop.redhat.io/v1alpha1
kind: JWTOIDCAuthEngineConfig
metadata:
  name: gitlab-oidc-config
  namespace: vault-config-operator
spec:
  path: gitlab
  boundIssuer: 'https://gitlab.example.com'
  OIDCDiscoveryURL: 'https://gitlab.example.com'
```

The vault-config-operator creates the equivalent configuration in vault, but injects default values into the CR, which results in the CR being:

```yaml
apiVersion: redhatcop.redhat.io/v1alpha1
kind: JWTOIDCAuthEngineConfig
metadata:
  name: gitlab-oidc-config
  namespace: vault-config-operator
spec:
  path: gitlab
  boundIssuer: 'https://gitlab.example.com'
  OIDCDiscoveryURL: 'https://gitlab.example.com'
  OIDCCredentials:
    passwordKey: password
    usernameKey: username
  JWKSURL: ''
  OIDCResponseMode: ''
  OIDCClientID: ''
  namespaceInState: true
  defaultRole: ''
```

In the new state of the CR, any modification will perform unwanted changes in vault, and when trying to remove the OIDCCredentials field, the following errors are written by the vault-config-operator:

```
2024-01-22T14:30:57Z DEBUG reconcile {"controller": "jwtoidcauthengineconfig", "controllerGroup": "redhatcop.redhat.io", "controllerKind": "JWTOIDCAuthEngineConfig", "JWTOIDCAuthEngineConfig": {"name":"gitlab-oidc-config","namespace":"vault-config-operator"}, "namespace": "vault-config-operator", "name": "gitlab-oidc-config", "reconcileID": "4c94d7b6-57d2-4892-abd4-c119ea6207c4", "instance": {"apiVersion": "redhatcop.redhat.io/v1alpha1", "kind": "JWTOIDCAuthEngineConfig", "namespace": "vault-config-operator", "name": "gitlab-oidc-config"}}
2024-01-22T14:30:57Z ERROR unable to prepare internal values {"controller": "jwtoidcauthengineconfig", "controllerGroup": "redhatcop.redhat.io", "controllerKind": "JWTOIDCAuthEngineConfig", "JWTOIDCAuthEngineConfig": {"name":"gitlab-oidc-config","namespace":"vault-config-operator"}, "namespace": "vault-config-operator", "name": "gitlab-oidc-config", "reconcileID": "4c94d7b6-57d2-4892-abd4-c119ea6207c4", "instance": {"apiVersion": "redhatcop.redhat.io/v1alpha1", "kind": "JWTOIDCAuthEngineConfig", "namespace": "vault-config-operator", "name": "gitlab-oidc-config"}, "error": "no means of retrieving a secret was specified"}
github.com/redhat-cop/vault-config-operator/controllers/vaultresourcecontroller.(*VaultResource).manageReconcileLogic
/home/runner/work/vault-config-operator/vault-config-operator/controllers/vaultresourcecontroller/vaultresourcereconciler.go:95
github.com/redhat-cop/vault-config-operator/controllers/vaultresourcecontroller.(*VaultResource).Reconcile
/home/runner/work/vault-config-operator/vault-config-operator/controllers/vaultresourcecontroller/vaultresourcereconciler.go:65
github.com/redhat-cop/vault-config-operator/controllers.(*JWTOIDCAuthEngineConfigReconciler).Reconcile
/home/runner/work/vault-config-operator/vault-config-operator/controllers/jwtoidcauthengineconfig_controller.go:80
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile
/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:118
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:314
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:265
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:226
2024-01-22T14:30:57Z ERROR unable to complete reconcile logic {"controller": "jwtoidcauthengineconfig", "controllerGroup": "redhatcop.redhat.io", "controllerKind": "JWTOIDCAuthEngineConfig", "JWTOIDCAuthEngineConfig": {"name":"gitlab-oidc-config","namespace":"vault-config-operator"}, "namespace": "vault-config-operator", "name": "gitlab-oidc-config", "reconcileID": "4c94d7b6-57d2-4892-abd4-c119ea6207c4", "instance": {"apiVersion": "redhatcop.redhat.io/v1alpha1", "kind": "JWTOIDCAuthEngineConfig", "namespace": "vault-config-operator", "name": "gitlab-oidc-config"}, "error": "no means of retrieving a secret was specified"}
github.com/redhat-cop/vault-config-operator/controllers/vaultresourcecontroller.(*VaultResource).Reconcile
/home/runner/work/vault-config-operator/vault-config-operator/controllers/vaultresourcecontroller/vaultresourcereconciler.go:67
github.com/redhat-cop/vault-config-operator/controllers.(*JWTOIDCAuthEngineConfigReconciler).Reconcile
/home/runner/work/vault-config-operator/vault-config-operator/controllers/jwtoidcauthengineconfig_controller.go:80
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile
/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:118
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:314
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:265
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:226
2024-01-22T14:30:57Z DEBUG events no means of retrieving a secret was specified {"type": "Warning", "object": {"kind":"JWTOIDCAuthEngineConfig","namespace":"vault-config-operator","name":"gitlab-oidc-config","uid":"b412ea66-5990-4589-b301-d0e3dfef3205","apiVersion":"redhatcop.redhat.io/v1alpha1","resourceVersion":"88217988"}, "reason": "ProcessingError"}
2024-01-22T14:30:57Z ERROR Reconciler error {"controller": "jwtoidcauthengineconfig", "controllerGroup": "redhatcop.redhat.io", "controllerKind": "JWTOIDCAuthEngineConfig", "JWTOIDCAuthEngineConfig": {"name":"gitlab-oidc-config","namespace":"vault-config-operator"}, "namespace": "vault-config-operator", "name": "gitlab-oidc-config", "reconcileID": "4c94d7b6-57d2-4892-abd4-c119ea6207c4", "error": "no means of retrieving a secret was specified"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:324
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:265
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:226
```

dabelenda, Jan 23 '24 07:01
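The report above shows an optional nested block (`OIDCCredentials`) that was never written by the user coming back from the API server populated with defaults, after which the reconciler treats it as a real request and fails with "no means of retrieving a secret was specified". The Go program below is an added illustration of one mechanism that produces exactly this shape of bug in a Kubernetes operator; it is not the vault-config-operator's code, and the types (`OIDCCredentials`, `SpecValue`, `SpecPointer`), the `secretName` field, and the `applyCRDDefaults` and `prepareInternalValues` helpers are hypothetical stand-ins. It shows that `encoding/json` never treats a struct value as empty, so `omitempty` on a non-pointer struct field still emits `"OIDCCredentials":{}`, the server then fills defaults inside that now-present object, and "absent" can no longer be distinguished from "present but unset"; a pointer field keeps the distinction.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical, cut-down mirror of the JWTOIDCAuthEngineConfig spec shape in
// the issue. These are NOT the operator's real Go types; only the fields needed
// to show how an optional nested struct turns into "present with defaults".
type OIDCCredentials struct {
	SecretName  string `json:"secretName,omitempty"` // assumed field: the Secret holding the client credentials
	UsernameKey string `json:"usernameKey,omitempty"`
	PasswordKey string `json:"passwordKey,omitempty"`
}

// SpecValue embeds the credentials as a plain struct. encoding/json never treats
// a struct value as "empty", so omitempty is a no-op and the key is always sent.
type SpecValue struct {
	Path            string          `json:"path"`
	OIDCCredentials OIDCCredentials `json:"OIDCCredentials,omitempty"`
}

// SpecPointer uses a pointer. A nil pointer is omitted on the wire, so
// "not specified" survives the trip through the API server and back.
type SpecPointer struct {
	Path            string           `json:"path"`
	OIDCCredentials *OIDCCredentials `json:"OIDCCredentials,omitempty"`
}

// ErrNoSecretSource is the condition reported in the issue's log lines.
var ErrNoSecretSource = errors.New("no means of retrieving a secret was specified")

// ToJSON renders a spec the way a client would submit it to the API server.
func ToJSON(spec any) string {
	b, err := json.Marshal(spec)
	if err != nil {
		panic(err) // cannot happen for these plain structs
	}
	return string(b)
}

// EmitsCredentialsKey reports whether the serialized spec carries an
// OIDCCredentials key at all, which is what makes nested defaulting apply.
func EmitsCredentialsKey(spec any) bool {
	return strings.Contains(ToJSON(spec), `"OIDCCredentials"`)
}

// applyCRDDefaults imitates the API server defaulting fields that carry a
// default in the CRD schema: defaults are filled only inside objects that are
// present; an absent key stays absent. The values are the ones visible in the
// CR shown in the issue (usernameKey: username, passwordKey: password).
func applyCRDDefaults(creds *OIDCCredentials) {
	if creds == nil {
		return
	}
	if creds.UsernameKey == "" {
		creds.UsernameKey = "username"
	}
	if creds.PasswordKey == "" {
		creds.PasswordKey = "password"
	}
}

// prepareInternalValues is a stand-in for the reconciler step that fails in
// the log: credentials that are present must name a Secret to read from.
func prepareInternalValues(creds *OIDCCredentials) error {
	if creds == nil {
		return nil // no OIDC client auth requested: nothing to resolve
	}
	if creds.SecretName == "" {
		return ErrNoSecretSource
	}
	return nil
}

// RoundTrip submits a spec, lets the "server" default it, and reconciles the
// stored form, returning the reconcile error if any.
func RoundTrip(spec any) error {
	var stored SpecPointer
	if err := json.Unmarshal([]byte(ToJSON(spec)), &stored); err != nil {
		return err
	}
	applyCRDDefaults(stored.OIDCCredentials)
	return prepareInternalValues(stored.OIDCCredentials)
}

func main() {
	value := SpecValue{Path: "gitlab"}
	pointer := SpecPointer{Path: "gitlab"}
	fmt.Println("value struct sends:  ", ToJSON(value))   // {"path":"gitlab","OIDCCredentials":{}}
	fmt.Println("pointer struct sends:", ToJSON(pointer)) // {"path":"gitlab"}
	fmt.Println("value struct reconcile error:  ", RoundTrip(value))
	fmt.Println("pointer struct reconcile error:", RoundTrip(pointer))
}
```

The defensive pattern this demonstrates is the same on both sides of the API: declare optional nested objects as pointers with `omitempty` so that an unset block is never persisted, and have the reconciler gate every secret lookup on the block being non-nil rather than on individual string fields being non-empty, since CRD defaults can make those non-empty without any user intent.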