
scaleway_k8s_cluster: creating cluster with trailing slash in open_id_connect_config.issuer_url fails #3685

@syphernl

Description


Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

OpenTofu v1.11.5 / scaleway provider v2.69.0

Affected Resource(s)

  • scaleway_k8s_cluster

Terraform Configuration Files

resource "scaleway_k8s_cluster" "this" {
  name               = "example-cluster"
  type               = "kapsule"
  version            = "1.34"
  region             = "nl-ams"
  cni                = "cilium"
  private_network_id = "<pn_id>"

  open_id_connect_config {
    issuer_url     = "https://authentik.example.com/application/o/kubernetes/"
    client_id      = "84e6c57f-73e1-4941-9c2c-09796366d043"
    username_claim = "email"
    groups_claim   = ["groups"]
    groups_prefix  = "example:"
  }
}

Expected Behavior

terraform apply creates the cluster successfully when issuer_url ends with a trailing slash. Trailing slashes are valid per the OIDC spec; the issuer identifier must exactly match the iss claim in tokens, and providers such as Authentik emit issuer URLs with a trailing slash by default.

Actual Behavior

terraform apply fails during cluster creation when issuer_url has a trailing slash. The Scaleway SDK rejects the request.

However, when the cluster already exists (with no OIDC config, or with OIDC already configured including the trailing slash), a subsequent terraform apply with the same configuration succeeds - the update path accepts the value but the create path does not.

Error shown:

Error: scaleway-sdk-go: invalid argument(s): open_id_connect_config.issuer_url is wrongly formatted, https://authentik.example.com/application/o/kubernetes/ is not a valid HTTPS URL

This means:

  • First apply with trailing slash in issuer_url results in error, cluster not created.
  • Pre-existing cluster -> apply to add/update OIDC with the same URL -> succeeds.

The only workaround is to strip the trailing slash from issuer_url, but this causes a mismatch with the actual OIDC issuer identifier, which Kubernetes validates against the iss claim in tokens.

Steps to Reproduce

  • Define a scaleway_k8s_cluster with open_id_connect_config.issuer_url ending in / (e.g. https://authentik.example.com/application/o/my-app/).
  • Run terraform apply where the cluster does not yet exist.
  • Apply fails with an SDK error on cluster creation.
  • Remove the trailing slash, terraform apply, cluster is created.
  • Add the trailing slash, terraform apply, cluster updated (and OIDC is working).

Important Factoids

  • OIDC provider is Authentik, which always emits issuer URLs with a trailing slash.
  • The Kubernetes API server itself accepts trailing slashes in --oidc-issuer-url; the rejection is specific to the Scaleway SDK.
  • The create/update discrepancy suggests different validation between the POST (create) and PUT/PATCH (update) handlers in the API or provider.
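To make the mismatch concrete, here is an added Go example (not code from the report, the provider or scaleway-sdk-go): a hypothetical over-strict validator that rejects a trailing slash, beside a check that only enforces what OpenID Connect Discovery requires of an issuer (https, a host, no query or fragment), plus the exact string comparison the API server performs against the token's iss claim. The function names and the sample issuer URL are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// strictIssuerCheck is a hypothetical stand-in for a validator that treats a
// trailing slash as malformed. It is NOT the SDK's code; it only reproduces
// the behaviour the report observes on the create path.
func strictIssuerCheck(issuer string) error {
	u, err := url.Parse(issuer)
	if err != nil || u.Scheme != "https" || u.Host == "" || strings.HasSuffix(u.Path, "/") {
		return fmt.Errorf("%s is not a valid HTTPS URL", issuer)
	}
	return nil
}

// validateOIDCIssuer enforces what OpenID Connect Discovery requires of an
// issuer identifier: an https URL with a host and no query or fragment.
// A trailing slash in the path is allowed and is part of the identifier.
func validateOIDCIssuer(issuer string) error {
	u, err := url.Parse(issuer)
	if err != nil {
		return err
	}
	if u.Scheme != "https" || u.Host == "" {
		return errors.New("issuer must be an https URL with a host")
	}
	if u.RawQuery != "" || u.Fragment != "" {
		return errors.New("issuer must not contain a query or fragment")
	}
	return nil
}

// issuerMatchesClaim mirrors the API server's comparison of the configured
// issuer URL with the token's iss claim: exact match, no normalisation.
func issuerMatchesClaim(configured, iss string) bool {
	return configured == iss
}

func main() {
	// Constructed sample issuer, modelled on the one in the report.
	const iss = "https://authentik.example.com/application/o/kubernetes/"
	fmt.Println(strictIssuerCheck(iss))                                // rejected
	fmt.Println(validateOIDCIssuer(iss))                               // <nil>
	fmt.Println(issuerMatchesClaim(strings.TrimSuffix(iss, "/"), iss)) // false
}
```

The last line shows why the workaround is not harmless: stripping the slash to satisfy the strict check leaves a configured issuer that no longer equals the iss value the provider puts in its tokens.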

References

Metadata

Labels: bug; k8s (Kubernetes Kapsule issues, bugs and feature requests); priority:highest (Bugs filled by customers, security issues)
