Authbackend creation fails with path already in use at oidc

[mustafaStakater]

What happened?

Creating AuthBackend fails initially with the both 'oidc_client_id' and 'oidc_client_secret' must be set for OIDC and then error changes to * path is already in use at oidc/ . In vault, oidc path is present with empty configuration.

How can we reproduce it?

• Get a openshift cluster and Deploy vault and crossplane on openshift.
• Access pods cli and Initialize vault using vault operator init. Save the unseal keys and root token.
• Login to vault with root token using vault login and create a token for crossplane.
• Create a crossplane provider for vault.

  apiVersion: pkg.crossplane.io/v1
  kind: Provider
  metadata:
  name: provider-vault
  spec:
  package: 'xpkg.upbound.io/upbound/provider-vault:v0.1.0'
  controllerConfigRef:
    name: vault-controller
  ---
  apiVersion: pkg.crossplane.io/v1alpha1
  kind: ControllerConfig
  metadata:
  name: vault-controller
  spec:
  securityContext: {}
  podSecurityContext: {}
  args:
    - "--leader-election"
  replicas: 1

• Create a provider config and secret with token to vault

  apiVersion: vault.upbound.io/v1beta1
  kind: ProviderConfig
  metadata:
  name: provider-vault
  spec:
  address: 'http://vault.apps-crc.testing/'
  credentials:
    secretRef:
      key: credentials
      name: vault-creds
      namespace: crossplane
    source: Secret
  ---
  kind: Secret
  apiVersion: v1
  metadata:
  name: vault-creds
  namespace: crossplane
  data:
  credentials: "hvs.alshdabuoac"
  type: Opaque
  

• Create authbackend resource

  apiVersion: jwt.vault.upbound.io/v1alpha1
  kind: AuthBackend
  metadata:
  name: vault-config-fb77r
  spec:
  deletionPolicy: Delete
  forProvider:
    defaultRole: defaultrole
    oidcClientId: vault
    oidcClientSecretSecretRef:
      key: secret
      name: vault-sso-client-secret
      namespace: vault
    oidcDiscoveryUrl: >-
      https://sso-/auth/realms/vault-realm
    path: oidc
    type: oidc
  managementPolicy: FullControl
  providerConfigRef:
    name: provider-vault
  ---
  kind: Secret
  apiVersion: v1
  metadata:
  name: vault-sso-client-secret
  namespace: vault
  data:
  secret: ckFuRG9NMTIz
  type: Opaque
  

  What environment did it happen in?

• Crossplane and Vault running in Openshift
• Vault Version : 1.12.1
• Crossplane Version : 1.14.5

[mustafaStakater]

The issue was a wrong secret name being used, but provider shouldnt partially create an empty oidc configuration and then endup in unhealthy state.

[uwefreidank]

Also happen with

• Vault Version 1.15.7
• Crossplane Version: 1.15.2
• Provider vault: 0.0.4

Even worse, if i apply several AuthBackends in parallel (in my case, 55), the 1st reconciled AuthBackend can successfully be created in Vault, but all other AuthBackends are failing with path is already in use at oidc. Work around: applying the AuthBackends CRs one by one and waiting in between.