Describe the bug
User reconciliation can get stuck after the referenced Account was initially not ready. When an Account has no account.nauth.io/id label yet, the User reconcile fails with AccountNotReady. After the Account later reconciles successfully and receives an Account ID, dependent Users are not reliably retried.
This leaves Users in Ready=False even though their referenced Account is now usable.
To Reproduce
Steps to reproduce the behavior:
- Create an Account that initially fails reconciliation before account.nauth.io/id is written.
- Create a User that references that Account.
- Observe that the User reconciliation fails with AccountNotReady.
- Fix the Account so it reconciles successfully and receives account.nauth.io/id.
- Observe that the User is not reliably reconciled again and stays not ready.
Versions
Which versions were used when the problem was observed?
- NAuth (chart & app): v0.6.1
- Kubernetes: N/A
- NATS: N/A
Expected behavior
Users should be reconciled automatically when their referenced Account becomes ready or receives its Account ID label.
Retrying User reconciliation must not create a new NATS User ID or rotate user credentials on every reconcile. Existing valid user credentials should be reused. If the existing credentials Secret is invalid or inconsistent with the User resource, reconciliation should fail with a clear error instead of silently rotating credentials.
Screenshots
Not applicable.
Additional context
The User controller gates reconciliation using the User generation and operator version, and it does not currently watch Account readiness changes. This is especially visible during disaster recovery or bulk restore flows where Accounts and Users are applied together and Accounts can become ready after dependent Users have already failed.
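
The expected behavior described in this report, sketched as an added example in Go (not NAuth's own code): which Users to requeue when an Account gains its ID label, and what a retried reconcile does with credentials. The `Account`, `User` and `Secret` types, the `UserID` field and both function names are hypothetical; only the label name comes from the report.

```go
package main

import (
	"errors"
	"fmt"
)

const accountIDLabel = "account.nauth.io/id" // label name from the report

// Hypothetical, simplified stand-ins for the real Account, User and Secret objects.
type Account struct {
	Name   string
	Labels map[string]string
}
type User struct{ Name, AccountRef, UserID string }
type Secret struct{ UserID, Creds string }

var ErrInconsistentSecret = errors.New("credentials Secret inconsistent with User")

// UsersToRequeue returns the Users to reconcile again after an Account update.
// It fires only on the transition "no ID label" -> "ID label present", so
// ordinary Account updates do not fan out into User reconciles.
func UsersToRequeue(oldAcc, newAcc Account, users []User) []string {
	if oldAcc.Labels[accountIDLabel] != "" || newAcc.Labels[accountIDLabel] == "" {
		return nil
	}
	var names []string
	for _, u := range users {
		if u.AccountRef == newAcc.Name {
			names = append(names, u.Name)
		}
	}
	return names
}

// CredentialAction: issue only when no Secret exists, reuse a valid one,
// and fail (never rotate silently) when the Secret does not match the User.
func CredentialAction(u User, s *Secret) (string, error) {
	switch {
	case s == nil:
		return "issue", nil
	case s.Creds != "" && u.UserID != "" && s.UserID == u.UserID:
		return "reuse", nil
	}
	return "", fmt.Errorf("user %s: %w", u.Name, ErrInconsistentSecret)
}

func main() { // constructed sample objects
	users := []User{{"alice", "team-a", "U1"}, {"bob", "team-b", ""}}
	ready := Account{"team-a", map[string]string{accountIDLabel: "ACONSTRUCTED"}}
	fmt.Println(UsersToRequeue(Account{Name: "team-a"}, ready, users))
}
```
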