Accounts are not reconciled if missing in NATS

[kejne]

NAuth only validates the status fields as a first step to avoid that the operator calls NATS often. Any changes that are not done by NAuth will therefore be missed by the operator.

NAuth should validate the jwt of the server during reconciliation.

Workaround to trigger accounts to be re-applied is to set some configuration on all the accounts to make them re-apply. (not a good production scenario...)

kubectl get accounts.nauth.io --all-namespaces -o custom-columns=NAMESPACE:.metadata.namespace,NAME:.metadata.name --no-headers | while read -r namespace name; do
    kubectl patch accounts.nauth.io "$name" --namespace "$namespace" --type='merge' -p '{"spec":{"accountLimits":{"conn":101}}}'
done

updated

[choufraise]

@kejne , how often would be considered "too often"? We do have the reconcileTimestamp in the Status which we could utilize to refresh the reconciliation I guess. Do you know of any other Kube magic that could be utilized?

Please note that we already check both ObservedGeneration and OperatorVersion. Regarding the OperatorVersion check, if we would support more fields in the CRDs, then the operator version should trigger a reconciliation. So maybe this is no longer an issue? When/why would this be a problem?