Kubernetes Auth issuer mismatch in OpenBao during common-components v2.3.2 deployment (403 invalid iss claim)
Hi team,
While deploying common-components v2.3.2, I encountered an issue with OpenBao during the initialization phase — specifically related to the Kubernetes Auth configuration.
Some components (for example, vault-agent-init in Kafka pods) stayed stuck in the PodInitializing state.
In vault-agent-init logs, the following error appeared repeatedly:
Error making API request.
URL: PUT https://<bao-address>/v1/auth/kubernetes/login
Code: 403. Errors:
* invalid issuer (iss) claim
To check if it was environment-related, I tested the same deployment in two different Kubernetes clusters, both in AKS (the infrastructure where I work):
- One with OIDC enabled.
- Another without OIDC, using the internal API server issuer.
In both cases, Bao failed to authenticate via the Kubernetes Auth method and showed the same invalid issuer (iss) error.
Inspecting the initialization process (init-bao Job), I noticed that during setup Bao is configured as:
bao auth enable kubernetes || true
bao write auth/kubernetes/config kubernetes_host=https://10.3.0.1
but no issuer value is defined.
The configuration created in Bao looked as follows:
bao read auth/kubernetes/config
Key Value
disable_iss_validation true
disable_local_ca_jwt false
issuer
kubernetes_ca_cert
kubernetes_host https://10.3.0.1
pem_keys []
token_reviewer_jwt_set false
I tried explicitly setting the cluster’s issuer (from kubectl get --raw /.well-known/openid-configuration) and then the authentication succeeded and all pending pods became healthy.
So I think this is some problem related to the initialization of Bao, and in this case it has nothing to do with the infrastructure where it’s deployed.
Should Bao’s initialization automatically fetch the cluster’s issuer instead of requiring it to be manually specified?
Thanks in advance,
Best regards.
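An added example, not part of the original post nor of the common-components init-bao Job: a POSIX shell snippet that reads the issuer from the openid-configuration document the post mentions and builds the `bao write auth/kubernetes/config` call with `issuer` set, refusing to proceed when the issuer is empty (the state that produced the 403). The function names and the placeholder issuer URL are assumptions.

```shell
#!/bin/sh
# Added example: set the Kubernetes Auth issuer at init time instead of leaving it empty.
set -eu

# Extract the "issuer" value from an openid-configuration JSON document read on stdin.
# Only sed is used so this also works in a minimal init container image without jq.
issuer_from_openid_config() {
  sed -n 's/.*"issuer"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Fetch the issuer live from the cluster (needs kubectl access; not used by the demo).
cluster_issuer() {
  kubectl get --raw /.well-known/openid-configuration | issuer_from_openid_config
}

# Build the argument string for `bao write`. An empty issuer is rejected so the
# Job fails early rather than configuring an auth backend every login will fail against.
bao_k8s_config_args() {
  host="$1"
  issuer="$2"
  if [ -z "$issuer" ]; then
    echo "refusing to configure auth/kubernetes without an issuer" >&2
    return 1
  fi
  printf 'auth/kubernetes/config kubernetes_host=%s issuer=%s\n' "$host" "$issuer"
}

# Constructed sample of the well-known document (placeholder issuer, not a real cluster).
SAMPLE_OPENID_CONFIG='{"issuer":"https://example-oidc.placeholder/","jwks_uri":"https://example-oidc.placeholder/openid/v1/jwks"}'

if [ "${1:-}" = "--demo" ]; then
  iss=$(printf '%s' "$SAMPLE_OPENID_CONFIG" | issuer_from_openid_config)
  echo "bao write $(bao_k8s_config_args https://10.3.0.1 "$iss")"
fi
```

Run with `--demo` to print the resulting command; in the real Job, replace the sample with `cluster_issuer`.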