
fix(vault-auth): end-to-end tested migration, OpenTofu HCL fix, doc updates#68

Merged
patrick-hermann-sva merged 1 commit into main from fix/vault-auth-opentofu-compat
Apr 13, 2026

Conversation

@patrick-hermann-sva
Contributor

Summary

End-to-end verification of the vault-auth migration surfaced a few issues; this PR addresses them and bumps to the fixed library version.

Changes

  • Composition: bumped fn-kcl source to `xplane-vault-auth:0.4.1`, which carries the multi-line HCL `variable` block fix from kcl#33 ("fix: expand variable blocks to multi-line for opentofu compatibility"); OpenTofu's HCL parser rejects single-line blocks with multiple arguments.
  • Composition: reverted function refs to the upstream-standard names `crossplane-contrib-function-kcl` / `crossplane-contrib-function-auto-ready`. #67 ("chore(vault-auth): bump xplane-vault-auth OCI source to 0.4.0") had shortened them while debugging a kind cluster that had ad-hoc function names; the standard names are what `examples/function.yaml` installs and what most clusters use.
  • README: new "Function names" note explaining the naming discrepancy and how to patch if your cluster uses different names.
  • README: new "`backendConfig` prerequisites" section documenting that the referenced Secret must exist before the XR is applied (the TF `data "kubernetes_secret"` returns `null` for missing Secrets, causing `tofu plan` to fail with `Attempt to index null value`), how to create a ServiceAccount token Secret on Kubernetes ≥1.24, and the RBAC the provider-opentofu pod needs.
  • examples/claim.yaml: dropped stale `spec.compositionRef` (moved in Crossplane v2), `backendConfig` blocks commented out with a pointer to the README, reverted to placeholder vault / k8s URLs for the committed example.

End-to-end verification

Against Crossplane v2 + provider-opentofu v1.0.3 + function-kcl v0.12.1 on a real k3s cluster:

  • `VaultK8sAuth` XR reconciles cleanly (`Synced=True, Ready=True`)
  • Two generated `Workspace` CRs reach `Ready=True`
  • Vault gains `auth/vcluster-tink2-dev/` and `auth/vcluster-tink2-cicd/` Kubernetes auth backends
  • Role under `auth/vcluster-tink2-dev/role/dev` shows the expected bound service accounts, token policies, and TTL

`backendConfig` path is not yet verified end-to-end — needs pre-existing SA token Secrets (documented in the README). Tracked in #66.

Refs: stuttgart-things/kcl#33, #66

Generated with Claude Code
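The `backendConfig` prerequisites described above, as an added example that is not code from this PR or the xplane-vault-auth repository: on Kubernetes >= 1.24 a ServiceAccount token Secret is no longer auto-created, so it must be rendered explicitly and be readable by the provider-opentofu pod before the XR is applied. All names (namespace, ServiceAccount, Secret, provider SA and namespace) are placeholder assumptions, and the Role/RoleBinding shape is an assumed least-privilege grant, not the repository's documented RBAC.

```shell
#!/usr/bin/env sh
# Added example, not part of xplane-vault-auth. Placeholder names throughout.
NS="${NS:-vault-auth}"                        # namespace holding the token Secret
SA="${SA:-tofu-backend}"                      # ServiceAccount the token belongs to
SECRET="${SECRET:-tofu-backend-token}"        # Secret referenced by backendConfig
PROVIDER_SA="${PROVIDER_SA:-provider-opentofu}"   # assumed name of the provider pod's SA
PROVIDER_NS="${PROVIDER_NS:-crossplane-system}"   # assumed namespace of the provider

# Render a long-lived token Secret bound to the SA. On >= 1.24 the
# service-account.name annotation is what makes the token controller
# populate .data.token; without it the Secret stays empty.
render_sa_token_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $3
  namespace: $1
  annotations:
    kubernetes.io/service-account.name: $2
type: kubernetes.io/service-account-token
EOF
}

# Render a Role limited to that one Secret (resourceNames) and bind the
# provider's SA to it, so data "kubernetes_secret" can read it and nothing else.
render_reader_rbac() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: read-$2, namespace: $1}
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["$2"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: read-$2, namespace: $1}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: read-$2}
subjects:
- {kind: ServiceAccount, name: $3, namespace: $4}
EOF
}

# Preflight: fail here, with a clear message, rather than later in tofu plan
# with "Attempt to index null value" because the Secret is missing or unpopulated.
check_secret_populated() {
  kubectl -n "$1" get secret "$2" -o jsonpath='{.data.token}' 2>/dev/null | grep -q . \
    || { echo "Secret $1/$2 missing or has no token yet" >&2; return 1; }
}

apply_prereqs() {
  render_sa_token_secret "$NS" "$SA" "$SECRET" | kubectl apply -f -
  render_reader_rbac "$NS" "$SECRET" "$PROVIDER_SA" "$PROVIDER_NS" | kubectl apply -f -
  check_secret_populated "$NS" "$SECRET"
}
```

Run `apply_prereqs` (after the ServiceAccount itself exists) and only then apply the XR with `backendConfig` enabled; the final check returns non-zero until the token controller has filled in `.data.token`.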

…pdates

- Bump composition source to xplane-vault-auth:0.4.1 (carries the
  multi-line HCL variable block fix — OpenTofu rejects single-line
  blocks with multiple args).
- Revert function refs to the upstream standard names
  `crossplane-contrib-function-kcl` and
  `crossplane-contrib-function-auto-ready`. PR #67 had shortened them
  while debugging a local kind cluster that had ad-hoc function names;
  the standard names are what `examples/function.yaml` installs and
  what most clusters use. Added a README note explaining the naming
  discrepancy.
- examples/claim.yaml: drop the stale spec.compositionRef (that field
  moved in Crossplane v2), comment out backendConfig with a pointer
  to the new README section explaining its prerequisites, and revert
  to a placeholder vaultAddr / kubernetesHost.
- README: document the backendConfig prerequisites (SA token Secret
  must pre-exist, how to create one on k8s >= 1.24, RBAC hints).

Verified end-to-end on a Crossplane v2 + provider-opentofu v1.0.3 +
function-kcl v0.12.1 cluster: two Workspaces reconcile to Ready=True
and Vault gains the expected auth backends + roles.

Refs: stuttgart-things/kcl#33, #66

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>