JWT AuthBackend update loop #56

Open
cosimomeli opened this issue Jan 24, 2025 · 1 comment
Labels
bug Something isn't working

Comments

@cosimomeli

What happened?

After upgrading from 1.0.0 to 2.1.0 I found the provider looping continuously on an OIDC AuthBackend:

```
2025/01/24 13:28:14 [INFO] JWT/OIDC Auth '"azure"' tune configuration changed
```

From the metrics I can see that on version 1.0.0 there were no reconciliations.

My resource is the following:

```yaml
apiVersion: jwt.vault.upbound.io/v1alpha1
kind: AuthBackend
spec:
  deletionPolicy: Delete
  providerConfigRef:
    name: default
  forProvider:
    jwtSupportedAlgs:
      - RS256
    oidcClientId: vault
    oidcClientSecretSecretRef:
      key: client_secret
      name: vault-auth
      namespace: crossplane-secrets
    oidcDiscoveryUrl: https://login.microsoftonline.com/{{ .Values.global.azure.tenant }}/v2.0
    path: azure
    tune:
      - listingVisibility: unauth
    type: oidc
    defaultRole: default
```

To fix it I had to copy the tune config from the status, changing it from:

```yaml
tune:
  - listingVisibility: unauth
```

to:

```yaml
tune:
  - defaultLeaseTtl: 768h
    listingVisibility: unauth
    maxLeaseTtl: 768h
    tokenType: default-service
```

How can we reproduce it?

Just create a JWT/OIDC AuthBackend and set a tune configuration with a single value.

What environment did it happen in?

Vault 1.15.5
Provider 2.1.0

@cosimomeli cosimomeli added the bug Something isn't working label Jan 24, 2025
@ymatsiuk

Not sure if that helps, but we actually don't set any tune since it's not required according to the CRD, yet drift detection thinks this configuration should be constantly synced.

```
2025/01/29 12:04:56 [INFO] JWT/OIDC Auth '"oidc"' tune configuration changed
2025/01/29 12:04:56 [DEBUG] Writing oidc auth tune to '"oidc"'
2025/01/29 12:04:56 [INFO] Written oidc auth tune to "oidc"
2025/01/29 12:04:56 [DEBUG] Reading auth oidc from Vault
2025/01/29 12:04:56 [DEBUG] Reading jwt auth tune from "oidc/tune"
2025/01/29 12:04:56 [DEBUG] Reading auth oidc from Vault
2025/01/29 12:04:56 [DEBUG] Reading jwt auth tune from "oidc/tune"
2025/01/29 12:04:56 [DEBUG] Updating auth oidc in Vault
```

This repeats about 10 times per second rendering the auth backend unusable.

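Both reports above (a tune block with a single field, and no tune block at all) share one mechanism: Vault answers `sys/auth/<path>/tune` with the complete block, including the server-side defaults for lease TTLs and token type, so a spec that sets only some of those fields never equals what is read back, and a wholesale comparison reports drift on every reconcile. The Go program below is an added example written for this page, not code from provider-vault or Crossplane. It models a reduced `Tune` struct (the field names and the assumption that a zero value means "not set" are mine; the real tune endpoint has more fields), uses the values from the reporter's status as a constructed sample of what Vault returns, and contrasts the wholesale comparison that loops with a compare-only-what-the-spec-sets rule, plus the fill-from-observed workaround the reporter applied by hand. Whether the provider implements either rule is not stated on this page.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
)

// Tune is a reduced model of a Vault auth mount's tune block (assumption:
// field set and zero-value-means-unset convention are this example's, not
// the provider's or Vault's).
type Tune struct {
	DefaultLeaseTTL   string
	MaxLeaseTTL       string
	ListingVisibility string
	TokenType         string
}

// observedTune is a constructed sample of what Vault reports for a mount
// whose spec only set listingVisibility; the other values are the defaults
// Vault filled in, as seen in the issue's status.
var observedTune = Tune{
	DefaultLeaseTTL:   "768h",
	MaxLeaseTTL:       "768h",
	ListingVisibility: "unauth",
	TokenType:         "default-service",
}

// desiredTune mirrors the single-field tune block from the issue.
var desiredTune = Tune{ListingVisibility: "unauth"}

// naiveDrift compares desired and observed wholesale. Because Vault always
// reports its defaults, a partial (or empty) spec never equals the observed
// state, so this is true on every reconcile: the update loop.
func naiveDrift(desired, observed Tune) bool {
	return !reflect.DeepEqual(desired, observed)
}

// driftFields compares only the fields the user actually set (non-zero in
// desired) and returns the names of those that disagree with Vault. An unset
// field means "accept whatever Vault has", so server defaults are not drift.
func driftFields(desired, observed Tune) []string {
	var drift []string
	dv, ov := reflect.ValueOf(desired), reflect.ValueOf(observed)
	for i := 0; i < dv.NumField(); i++ {
		want := dv.Field(i).String()
		if want == "" {
			continue // not managed by the spec
		}
		if want != ov.Field(i).String() {
			drift = append(drift, dv.Type().Field(i).Name)
		}
	}
	sort.Strings(drift)
	return drift
}

// fullTune reproduces the reporter's manual workaround: start from the
// observed block and overlay the fields the spec sets, yielding a spec that a
// wholesale comparison will accept.
func fullTune(desired, observed Tune) Tune {
	out := observed
	dv, ov := reflect.ValueOf(desired), reflect.ValueOf(&out).Elem()
	for i := 0; i < dv.NumField(); i++ {
		if v := dv.Field(i).String(); v != "" {
			ov.Field(i).SetString(v)
		}
	}
	return out
}

func main() {
	fmt.Println("wholesale drift, partial spec:", naiveDrift(desiredTune, observedTune))
	fmt.Println("wholesale drift, empty spec:  ", naiveDrift(Tune{}, observedTune))
	fmt.Println("field-wise drift, partial spec:", driftFields(desiredTune, observedTune))
	fmt.Println("wholesale drift after fill:   ", naiveDrift(fullTune(desiredTune, observedTune), observedTune))

	// A genuine change on the Vault side is still caught by the field-wise rule.
	changed := observedTune
	changed.ListingVisibility = "hidden"
	fmt.Println("field-wise drift, real change:", driftFields(desiredTune, changed))
}
```

The field-wise rule is the one to reach for when a spec is allowed to omit server-defaulted fields; the fill-from-observed workaround stops the loop but silently pins the defaults into the spec, so a later change of Vault's defaults would then be reverted by the provider.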
Development

No branches or pull requests

2 participants