
[vault] crossplane resource: no handler for route #1074

Open
jkleinlercher opened this issue Feb 21, 2025 · 2 comments
Comments

@jkleinlercher
Contributor

When specifying Crossplane Argo CD health checks, we see this problem in https://github.com/suxess-it/kubriX/actions/runs/13464710776/job/37627885561

```yaml
- group: jwt.vault.upbound.io
    health:
      message: "apply failed: error writing JWT auth backend role \"auth/oidc/role/default\":
        Error making API request.\n\nURL: PUT http://sx-vault-active.vault.svc.cluster.local:8200/v1/auth/oidc/role/default\nCode:
        404. Errors:\n\n* no handler for route \"auth/oidc/role/default\". route entry
        not found.: "
      status: Degraded
    kind: AuthBackendRole
    name: oidc-backend-role
    status: Synced
    syncWave: 4
    version: v1alpha1
```
jkleinlercher added a commit that referenced this issue Feb 21, 2025
Signed-off-by: Johannes Kleinlercher <[email protected]>
@jkleinlercher
Contributor Author

Due to upbound/provider-vault#45, the depending resource

```yaml
{{- if not (contains "nip.io" .Values.eso.oidcDiscoveryUrl) }}
apiVersion: jwt.vault.upbound.io/v1alpha1
kind: AuthBackend
metadata:
  name: oidc-backend
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
    argocd.argoproj.io/sync-wave: "3"
spec:
  providerConfigRef:
    name: vault-crossplane-providerconfig
  forProvider:
    oidcDiscoveryUrl: "{{ .Values.eso.oidcDiscoveryUrl }}"
    oidcClientId: vault
    defaultRole: default
    oidcClientSecretSecretRef:
      name: sx-vault-demosecret
      key: demosecret
      namespace: vault
    type: oidc
    path: oidc
    # oidcDiscoveryCaPem: "/vault/userconfig/vault-ca/ca.crt"
{{- end }}
```

needs to get created in
```sh
# due to #405
# Test the command's exit status directly: `[ ! $(vault read ...) ]` fails with
# "too many arguments" once `vault read` prints its multi-word table.
if ! vault read auth/oidc/config >/dev/null 2>&1; then
  vault auth enable oidc
  vault write auth/oidc/config oidc_discovery_url="https://keycloak-127-0-0-1.nip.io/realms/kubrix" oidc_client_id="vault" oidc_client_secret="demosecret" default_role="default" oidc_discovery_ca_pem=@/vault/userconfig/vault-ca/ca.crt
fi
```

However, this code is executed after sync-wave 6 (

```yaml
argocd.argoproj.io/sync-wave: "6" # last item - for initcontainer check, until accessor id is available via crossplane plugin
```

), so we try to execute
```yaml
apiVersion: jwt.vault.upbound.io/v1alpha1
kind: AuthBackendRole
metadata:
  name: oidc-backend-role
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
    argocd.argoproj.io/sync-wave: "4"
spec:
  providerConfigRef:
    name: vault-crossplane-providerconfig
  forProvider:
    allowedRedirectUris:
      - {{ .Values.eso.callbackUri }}/ui/vault/auth/oidc/oidc/callback
      - http://localhost:8250/oidc/callback
    roleName: default
    userClaim: sub
    groupsClaim: groups
    tokenPolicies:
      - default
    tokenNoDefaultPolicy: true
    tokenType: service
    verboseOidcLogging: true
    oidcScopes:
      - groups
    roleType: oidc
    backend: oidc
```

at sync-wave 7

@jkleinlercher
Contributor Author

jkleinlercher commented Feb 21, 2025

still with sync-wave 7: see https://github.com/suxess-it/kubriX/actions/runs/13466966711/job/37634646266?pr=1055#step:6:2134

```yaml
- group: jwt.vault.upbound.io
    health:
      message: "apply failed: error writing JWT auth backend role \"auth/oidc/role/default\":
        Error making API request.\n\nURL: PUT http://sx-vault-active.vault.svc.cluster.local:8200/v1/auth/oidc/role/default\nCode:
        404. Errors:\n\n* no handler for route \"auth/oidc/role/default\". route entry
        not found.: "
      status: Degraded
    kind: AuthBackendRole
    name: oidc-backend-role
    status: Synced
    syncWave: 7
    version: v1alpha1
```

and also other resources with a lower sync-wave are still progressing, as you can see in the log above
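The two comments above describe the same failure from two sides: the sync-wave numbers say one thing about order, while Vault's 404 says what is actually missing at write time. The following Python is an added example (not code from the kubriX project or the issue author) that checks both. Its first half flags any hand-declared dependency that is not scheduled in a strictly lower Argo CD sync wave than the resource needing it; its second half extracts the route from the quoted `no handler for route` message and tests whether the auth mount it needs is enabled, using the key shape of `vault auth list -format=json` output. The resource list and mount listings are constructed from the messages quoted in the thread, and the Job name `vault-bootstrap` is a hypothetical placeholder for the wave-6 resource that runs `vault auth enable oidc`.

```python
"""Added example, not code from the kubriX project or the issue author.

 1. Static: given the Argo CD resource list (kind, name, sync wave) and a
    hand-written dependency map, flag any dependency that is not scheduled
    in a strictly lower sync wave than the resource that needs it.
 2. Runtime: pull the route out of Vault's 'no handler for route' error and
    check it against the enabled auth mounts (the key shape of
    `vault auth list -format=json`), which is the precondition the role
    write actually needs.
Sample data is constructed from the messages quoted in the issue; the Job
name "vault-bootstrap" is a hypothetical placeholder.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    kind: str
    name: str
    sync_wave: int
    health_message: str = ""

    @property
    def key(self) -> tuple[str, str]:
        return (self.kind, self.name)


# Hand-written ordering requirements; Argo CD has no way to infer these.
DEPENDENCIES: dict[tuple[str, str], list[tuple[str, str]]] = {
    ("AuthBackendRole", "oidc-backend-role"): [("Job", "vault-bootstrap")],  # hypothetical Job name
    ("AuthBackend", "oidc-backend"): [("Job", "vault-bootstrap")],
}


def find_wave_violations(resources, deps=DEPENDENCIES):
    """Return (dependent, dependency) key pairs whose order is not guaranteed.

    Argo CD only waits for wave N to be healthy before starting wave N+1, so a
    dependency must sit in a strictly lower wave; same-wave resources are
    applied together. A dependency missing from the list is also reported."""
    by_key = {r.key: r for r in resources}
    violations = []
    for dependent_key, needed in deps.items():
        dependent = by_key.get(dependent_key)
        if dependent is None:
            continue
        for needed_key in needed:
            dependency = by_key.get(needed_key)
            if dependency is None or dependency.sync_wave >= dependent.sync_wave:
                violations.append((dependent_key, needed_key))
    return violations


_NO_HANDLER = re.compile(r'no handler for route "([^"]+)"')


def missing_route(message: str) -> str | None:
    """Route named in a Vault 'no handler for route' error, or None."""
    m = _NO_HANDLER.search(message)
    return m.group(1) if m else None


def auth_mount_for(route: str) -> str | None:
    """'auth/oidc/role/default' -> 'oidc/', the key Vault uses in sys/auth."""
    parts = route.split("/")
    if len(parts) < 2 or parts[0] != "auth" or not parts[1]:
        return None
    return parts[1] + "/"


def has_handler(route: str, enabled_auth_mounts: dict) -> bool:
    """True when the auth method the route lives under is enabled."""
    mount = auth_mount_for(route)
    return mount is not None and mount in enabled_auth_mounts


# Constructed from the first comment: AuthBackend wave 3, AuthBackendRole wave 4,
# the bootstrap Job (hypothetical name) at wave 6.
ROLE_ERROR = ('apply failed: error writing JWT auth backend role "auth/oidc/role/default": '
              'Error making API request. Code: 404. Errors: * no handler for route '
              '"auth/oidc/role/default". route entry not found.')
FIRST_RUN = [
    Resource("AuthBackend", "oidc-backend", 3),
    Resource("AuthBackendRole", "oidc-backend-role", 4, ROLE_ERROR),
    Resource("Job", "vault-bootstrap", 6),
]
# Second run from the follow-up comment: the role moved to wave 7.
SECOND_RUN = [Resource("AuthBackendRole", "oidc-backend-role", 7, ROLE_ERROR)
              if r.kind == "AuthBackendRole" else r for r in FIRST_RUN]

# Constructed `vault auth list -format=json` key shapes before and after the Job.
AUTH_MOUNTS_BEFORE = {"token/": {"type": "token"}}
AUTH_MOUNTS_AFTER = {"token/": {"type": "token"}, "oidc/": {"type": "oidc"}}

if __name__ == "__main__":
    for run_name, run in (("wave 4", FIRST_RUN), ("wave 7", SECOND_RUN)):
        print(run_name, "violations:", find_wave_violations(run))
    route = missing_route(ROLE_ERROR)
    print(route, "handled before Job:", has_handler(route, AUTH_MOUNTS_BEFORE),
          "after Job:", has_handler(route, AUTH_MOUNTS_AFTER))
```

For the wave-4 run the static check reports both Vault resources as ordered before the Job that enables the mount. For the wave-7 run the role passes the static check while `oidc-backend` at wave 3 still fails it, which matches the second comment: the wave numbers alone do not prove the mount exists when the write happens, so the runtime check against the live auth list is the one that actually decides whether `auth/oidc/role/default` can have a handler.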
