GroupAlias mountAccessorRef & mountAccessorSelector do not support AuthBackend as a target

[andrewseling]

What happened?

The GroupAlias Kind can take a mountAccessor value in three ways:

1. Direct input (mountAccessor)
2. Name reference (mountAccessorRef)
3. Selector reference (mountAccessorSelector)

All three options work with the Backend Kind.

Vault also uses various AuthBackend Kinds, such as the JWT AuthBackend, which enables SSO auth via OIDC.

Passing the accessor ID of the AuthBackend directly to GroupAlias works as expected.

Passing the accessor ID via either:

2. Name reference
3. Selector reference

Does not work, as the provider looks for the regular Backend Kind rather than AuthBackend.

I've created a small composition using the go-templating composition function to retrieve the value of the AuthBackend accessor and pass it to the GroupAlias mountAccessor field directly as a workaround.

I would like GroupAlias to support both Backend and AuthBackend Kinds for reference lookups, to eliminate the need for this composition and simplify the user experience.

How can we reproduce it?

1. Create an AuthBackend in Vault. Take note of the accessor ID in the GUI/CLI.
2. Create a GroupAlias resource, passing the accessor ID directly to the mountAccessor field. This should work.
3. Update the GroupAlias to use mountAccessorRef and receive an error. Note that the missing reference is to the regular Backend kind instead of AuthBackend.

What environment did it happen in?

Crossplane: v1.18
Vault provider: 2.0.1