
Vault PKI: operator generate Root CA certificates infinitely #974

@AmisGit

Description


Preflight Checklist

  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I am not looking for support or already pursued the available support channels without success.
  • I agree to follow the Code of Conduct.

Operator Version

1.23.0

Installation Type

Official Helm chart

Bank-Vaults Version

No response

Kubernetes Version

v1.34.1-eks-3025e55

Kubernetes Distribution/Provisioner

EKS

Expected Behavior

Hi, we use the Vault PKI infrastructure to create and store certificates within Kubernetes (Vault v1.20.4).
To configure it, I specified the following parameters in the Vault YAML:

```yaml
externalConfig:
  secrets:
        - type: pki
          description: Vault PKI Backend
          config:
            default_lease_ttl: 262800h
            max_lease_ttl: 262800h
          configuration:
            config:
            - name: urls
              issuing_certificates: https://vault.svc.cluster.local:8200/v1/pki/ca
              crl_distribution_points: https://vault.svc.cluster.local:8200/v1/pki/crl
            root/generate:
            - name: internal
              common_name: Vault Root Certificate Authority
            roles:
            - name: default
              allowed_domains: cluster.local
              allow_subdomains: true
              generate_lease: true
              allow_ip_sans: true
              key_type: ec
              key_bits: 0
              organization: XXXXX
              country: XXX
              province: XXX
              locality: XXXX
              ou: XX
              ttl: 4380h
```

Here's what I expect to happen after applying these settings:

  1. Enable the Vault PKI storage engine
  2. Create an internal Root CA Issuer
  3. Create a default role

Actual Behavior

But here is what we have in the end:
All the steps are completed except step 2. Specifically, we create a Root CA Issuer, but after some time, when the operator is reconciling, it generates a new Root CA Issuer. And so on ad infinitum.
So far, we have created 88 root CAs, all with the same name "Vault Root Certificate Authority", but with new certificates.

As far as I understand, this happens because the repository operator is trying to generate a root certificate with an incorrect parameter that should not be there: "allowed_domains".

Image

And as a result we see the following response:

Image

I think this warning doesn't let the operator know that the certificate was created successfully and doesn't need to be recreated, so it tries to do it again every time.

Image Image

Steps To Reproduce

1. Deploy Vault Operator from the original Helm chart
2. Deploy a kind: Vault object with the following settings

```yaml
externalConfig:
  secrets:
        - type: pki
          description: Vault PKI Backend
          config:
            default_lease_ttl: 262800h
            max_lease_ttl: 262800h
          configuration:
            config:
            - name: urls
              issuing_certificates: https://vault.svc.cluster.local:8200/v1/pki/ca
              crl_distribution_points: https://vault.svc.cluster.local:8200/v1/pki/crl
            root/generate:
            - name: internal
              common_name: Vault Root Certificate Authority
            roles:
            - name: default
              allowed_domains: cluster.local
              allow_subdomains: true
              generate_lease: true
              allow_ip_sans: true
              key_type: ec
              key_bits: 0
              organization: XXXXX
              country: XXX
              province: XXX
              locality: XXXX
              ou: XX
              ttl: 4380h
```

3. Wait a few days, and check your issuers in the Vault PKI storage engine

Configuration

```yaml
externalConfig:
  secrets:
        - type: pki
          description: Vault PKI Backend
          config:
            default_lease_ttl: 262800h
            max_lease_ttl: 262800h
          configuration:
            config:
            - name: urls
              issuing_certificates: https://vault.svc.cluster.local:8200/v1/pki/ca
              crl_distribution_points: https://vault.svc.cluster.local:8200/v1/pki/crl
            root/generate:
            - name: internal
              common_name: Vault Root Certificate Authority
            roles:
            - name: default
              allowed_domains: cluster.local
              allow_subdomains: true
              generate_lease: true
              allow_ip_sans: true
              key_type: ec
              key_bits: 0
              organization: XXXXX
              country: XXX
              province: XXX
              locality: XXXX
              ou: XX
              ttl: 4380h
```

Logs

Additional Information

No response
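The reconcile loop described in this report re-runs root/generate on every pass, so each pass mints a new root key and certificate. As an added example (not vault-operator code), the following Python makes that step idempotent: it gives the root a fixed issuer_name, which Vault keeps unique per mount, and lists the mount's issuers before generating. It assumes Vault 1.11+ (named issuers) and VAULT_ADDR/VAULT_TOKEN in the environment for the real transport; FakeVault is a constructed in-memory stand-in so the block runs offline.

```python
"""Idempotent root issuer creation for a Vault PKI mount (added example, not
vault-operator code; assumes Vault 1.11+ named issuers and a token that can
list issuers and write root/generate). FakeVault is a constructed stand-in."""
import json
import os
import urllib.error
import urllib.request


def vault_http(method, path, body=None):
    """Real transport: (HTTP status, decoded JSON or None). LIST is GET ?list=true."""
    url = os.environ.get("VAULT_ADDR", "https://vault.svc.cluster.local:8200") + "/v1/" + path
    req = urllib.request.Request(url, method=method,
                                 data=None if body is None else json.dumps(body).encode(),
                                 headers={"X-Vault-Token": os.environ.get("VAULT_TOKEN", "")})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, None


class FakeVault:
    """Constructed in-memory mount: mimics LIST issuers (404 when empty) and root/generate."""
    def __init__(self):
        self.issuers, self.generate_calls = {}, 0   # issuer_id -> {"issuer_name": ...}

    def __call__(self, method, path, body=None):
        if method == "GET" and path.endswith("/issuers?list=true"):
            return (200, {"data": {"key_info": self.issuers}}) if self.issuers else (404, None)
        if method == "POST" and path.endswith("/root/generate/internal"):
            self.generate_calls += 1
            iid = f"id-{self.generate_calls}"   # a fresh cert and key on every call, as in the report
            self.issuers[iid] = {"issuer_name": body.get("issuer_name", "")}
            return 200, {"data": {"issuer_id": iid, **body}}
        return 404, None


def ensure_root_issuer(call, mount, issuer_name, common_name, ttl="262800h"):
    """Generate the root only when no issuer named issuer_name exists; return its issuer_id."""
    status, listing = call("GET", f"{mount}/issuers?list=true")
    key_info = listing["data"].get("key_info", {}) if status == 200 else {}
    for iid, info in key_info.items():
        if info.get("issuer_name") == issuer_name:
            return iid                      # already present: this reconcile pass is a no-op
    status, made = call("POST", f"{mount}/root/generate/internal",
                        {"common_name": common_name, "issuer_name": issuer_name, "ttl": ttl})
    if status != 200:
        raise RuntimeError(f"root/generate/internal returned HTTP {status}")
    return made["data"]["issuer_id"]
```

Against a real cluster, pass `vault_http` as `call`; a second run returns the same issuer_id instead of a 89th root.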

Labels

kind/bug, lifecycle/stale
