Description
Describe the bug
Federated credentials with a matching service account name and namespace are no longer validated on the Azure side if the managed identity is missing the trailing slash in the OIDC issuer configuration.
Steps To Reproduce
Create a federated credential on the managed identity side, omitting the trailing slash from the AKS OIDC issuer.
Deploy a service to AKS with the matching namespace and service account, and test federation (try to obtain the token).
The federated credential does not match even though all of the attributes are correct.
Expected behavior
The federated credential is matched even without the trailing slash; that should not be a breaking change.
Logs
Environment
- Kubernetes version (use kubectl version): 1.33.5
- Cloud provider or hardware configuration: Managed AKS
Additional context
This is a sudden shift in behavior; we have a fully automated deployment of both the managed identities and the federated credentials. Usually we do have trailing slashes added; however, on one environment it was missed even though the URL is correct for the cluster's OIDC issuer. Federated authentication that had been working for 6 months suddenly halted the entire environment because no matching federated credential was found (no changes on our side, simply the validation no longer works without the trailing slash).
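The following is an added example, not code from the issue or from the project, showing the check a practitioner would want before a rollout: compare each federated identity credential's issuer against the cluster's OIDC issuer URL both as an exact string (the strict behavior the reporter observed, assumed here for illustration) and after trailing-slash normalization, so a credential that differs only by the trailing slash is flagged separately from one that points at the wrong issuer. It also builds the `system:serviceaccount:<namespace>:<name>` subject that the projected service account token carries. All URLs, credential names and the `audit`/`classify`/`normalize_issuer` helpers are constructed for this example.

```python
"""Added example (not from the issue or the project): audit federated identity
credentials (FICs) against a cluster's OIDC issuer URL.

Assumption (from the reporter's observation, not verified against Azure
documentation): the Azure side compares the FIC issuer to the token's `iss`
claim as an exact string, so a missing trailing slash is a non-match.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample value in the shape an AKS OIDC issuer URL takes
# (hypothetical region and GUIDs). AKS issuer URLs end with a trailing slash.
CLUSTER_ISSUER = (
    "https://eastus.oic.prod-aks.azure.com/"
    "00000000-0000-0000-0000-000000000000/"
    "11111111-1111-1111-1111-111111111111/"
)

# Default audience used by AKS workload identity token exchange.
EXPECTED_AUDIENCE = "api://AzureADTokenExchange"

# Constructed FICs as they might be read back from the managed identity.
SAMPLE_FICS = [
    {"name": "fic-ok", "issuer": CLUSTER_ISSUER,
     "subject": "system:serviceaccount:payments:payments-api",
     "audiences": [EXPECTED_AUDIENCE]},
    {"name": "fic-no-slash", "issuer": CLUSTER_ISSUER.rstrip("/"),
     "subject": "system:serviceaccount:payments:payments-api",
     "audiences": [EXPECTED_AUDIENCE]},
    {"name": "fic-wrong-cluster",
     "issuer": "https://westeurope.oic.prod-aks.azure.com/"
               "22222222-2222-2222-2222-222222222222/"
               "33333333-3333-3333-3333-333333333333/",
     "subject": "system:serviceaccount:payments:payments-api",
     "audiences": [EXPECTED_AUDIENCE]},
    {"name": "fic-wrong-namespace", "issuer": CLUSTER_ISSUER,
     "subject": "system:serviceaccount:default:payments-api",
     "audiences": [EXPECTED_AUDIENCE]},
]


def k8s_subject(namespace: str, service_account: str) -> str:
    """Subject (`sub`) claim of a Kubernetes projected service account token."""
    return f"system:serviceaccount:{namespace}:{service_account}"


def normalize_issuer(url: str) -> str:
    """Canonical form for comparison only: lower-case scheme/host, strip
    trailing slashes from the path, drop query and fragment."""
    parts = urlsplit(url.strip())
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path.rstrip("/"), "", ""))


def classify(fic: dict, cluster_issuer: str, namespace: str,
             service_account: str) -> str:
    """Return why a FIC would or would not match a token from this workload.

    'match'               exact issuer, subject and audience agree
    'slash_only_mismatch' issuer differs only by trailing slash(es)
    'issuer_mismatch'     issuer points somewhere else
    'subject_mismatch'    namespace/service account differ
    'audience_mismatch'   expected audience not configured
    """
    if fic["subject"] != k8s_subject(namespace, service_account):
        return "subject_mismatch"
    if EXPECTED_AUDIENCE not in fic["audiences"]:
        return "audience_mismatch"
    if fic["issuer"] == cluster_issuer:           # strict comparison (assumed Azure behavior)
        return "match"
    if normalize_issuer(fic["issuer"]) == normalize_issuer(cluster_issuer):
        return "slash_only_mismatch"
    return "issuer_mismatch"


def audit(fics, cluster_issuer: str, namespace: str, service_account: str) -> dict:
    """Map each FIC name to its classification for the given workload."""
    return {f["name"]: classify(f, cluster_issuer, namespace, service_account)
            for f in fics}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_FICS, CLUSTER_ISSUER,
                               "payments", "payments-api").items():
        print(f"{name:20s} {verdict}")
```

Running the audit against the live cluster means feeding it the issuer from `az aks show --query oidcIssuerProfile.issuerUrl` and the credentials from `az identity federated-credential list`; a `slash_only_mismatch` result is exactly the case this issue describes, and the fix on the credential side is to set the issuer to the cluster URL verbatim, trailing slash included.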