HMAC secret envoy-gateway/envoy-oidc-hmac not found

[hollanbm]

I believe this to be similar to #2823

I upgraded from v0.6.0 There were No issues with the upgrade; just bumped the helm chart, and everything appeared to upgrade cleanly. I do not have any values defined, just the stock chart defaults.

However, when applying an OIDC security policy to an HTTP route, I am getting an error on the security policy. HMAC secret envoy-gateway/envoy-oidc-hmac not found

Based on #2823 I would have expected the secret to be created for me.

To attempt to debug this. I deleted the existing EnvoyProxy, GatewayClass, and Gateway resources from my cluster, then reapplied them. No change in behavior.

---

kubectl describe securitypolicy test

Status:
  Ancestors:
    Ancestor Ref:
      Group:      gateway.networking.k8s.io
      Kind:       Gateway
      Name:       eg
      Namespace:  envoy-gateway
    Conditions:
      Last Transition Time:  2024-03-15T05:15:23Z
      Message:               HMAC secret envoy-gateway/envoy-oidc-hmac not found
      Observed Generation:   1
      Reason:                Invalid
      Status:                False
      Type:                  Accepted
    Controller Name:         gateway.envoyproxy.io/gatewayclass-controller
Events:                      <none>

The only thing unique about my setup so far is that I'm using the cert-manager API gateway annotations to generate certificates for the gateway.

---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  name: eg
  namespace: envoy-gateway
spec:
  gatewayClassName: eg
  listeners:
    - allowedRoutes:
        namespaces:
          from: All
      hostname: '*.test.domain.org'
      name: test-domain-org
      port: 443
      protocol: HTTPS
      tls:
        certificateRefs:
          - kind: Secret
            name: test-domain-org-tls
        mode: Terminate
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
  labels:
    app: test
  name: test
  namespace: test
spec:
  hostnames:
  - oidc.test.domain.org
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: eg
    namespace: envoy-gateway
  rules:
  - backendRefs:
    - group: ""
      kind: Service
      name: test
      port: 8080
      weight: 1
    matches:
    - path:
        type: PathPrefix
        value: /
    timeouts:
      request: 300s
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: test
  namespace: test
  labels:
    app: test
spec:
  cors:
    allowOrigins:
      - https://*.test.domain.org
  oidc:
    clientID: mAkuenPENmJQfob32JkPqBZM1FU88Tbf1nwUXiNy
    clientSecret:
      name: oidc-client-secret
    logoutPath: /application/o/eg/end-session/
    provider:
      issuer: https://auth.test.domain.org/application/o/eg/
      authorizationEndpoint: https://auth.test.domain.org/application/o/authorize/
      tokenEndpoint: https://auth.test.domain.org/application/o/token/
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: test
    namespace: test

[zirain]

@zhaohuabing I recall this's created by pre-install Job, it won't run when upgrading?

[zhaohuabing]

@zhaohuabing I recall this's created by pre-install Job, it won't run when upgrading?

Yeas, I believe that's the problem. Should we include a pre-upgrade annotation?

[zirain]

@zhaohuabing I recall this's created by pre-install Job, it won't run when upgrading?

Yeas, I believe that's the problem. Should we include a pre-upgrade annotation?

I'm thinking should check/create this when eg controller start(after win leader election)?

[zhaohuabing]

IMO, we'd better keep the secrets creation at the same place. If EG needs more secrets in the future, we'll also face the same problem. WDYT?

[zirain]

Not a must for this problem, but we can move all things to there.

[hollanbm]

@zirain @zhaohuabing thanks for the quick turnaround on this.

Will there be another release of the helm chart including this fix?

I would prefer not to switch to v0.0.0-latest

Or, should I completely remove my existing helm chart, and reinstall?