fix(nebariapp): render auth and landingPage blocks via toYaml passthrough#94
Open
viniciusdc wants to merge 1 commit into
Open
fix(nebariapp): render auth and landingPage blocks via toYaml passthrough#94viniciusdc wants to merge 1 commit into
viniciusdc wants to merge 1 commit into
Conversation
…ough templates/nebariapp.yaml hand-rendered the auth block field-by-field, covering only 5 of the 14 fields the NebariApp.spec.auth CRD defines. The other 9 (enforceAtGateway, clientSecretRef, denyRedirect, deviceFlowClient, groups, issuerURL, keycloakConfig, spaClient, tokenExchange) were silently dropped if a user tried to set them via values, forcing post-hoc kubectl patches to communicate fields the chart didn't expose. The landingPage block had the same shape: every sub-field hand-rendered, so any CRD addition would be silently dropped until the template caught up. Switch both blocks to `toYaml | nindent 4` passthrough, matching what the neighboring `routing` block already does. Every CRD field is now addressable from values.yaml. The JupyterHub-specific defaults (enabled: true, redirectURI: /hub/oauth_callback, enforceAtGateway: false, forwardAccessToken: false, the standard scopes set, landingPage defaults, healthCheck config) all live in values.yaml already, so the default chain is unchanged for users who don't override. Verified with `helm template`: rendered NebariApp.spec matches the previous output field-for-field; only field ordering differs because toYaml emits sorted keys. Fixes #57.
Contributor
Author
|
@oren-openteams would you like to test this? and see if it helps bypass the need for the in-place patches? |
3 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes #57.
templates/nebariapp.yamlhand-rendered theauthandlandingPageblocks field-by-field, covering only a subset of what the NebariApp CRD defines. Every CRD field the chart doesn't list explicitly is silently dropped — which is why deployments needingenforceAtGateway,groups,tokenExchange, etc. have been resorting to post-hockubectl patch.Switch both blocks to
toYaml | nindent 4passthrough, matching the neighboringroutingblock (which has done this sincenebari-operator#114addedrouting.tls.secretNameand the field was usable immediately, no chart change needed).What changes
{{- with .Values.nebariapp.auth }} auth: - enabled: {{ .enabled | default true }} - provider: {{ .provider | default "keycloak" }} - provisionClient: {{ .provisionClient | default true }} - redirectURI: {{ .redirectURI | default "/oauth2/callback" }} - {{- with .scopes }} - scopes: - {{- toYaml . | nindent 6 }} - {{- end }} - {{- if hasKey . "enforceAtGateway" }} - enforceAtGateway: {{ .enforceAtGateway }} - {{- end }} - ... + {{- toYaml . | nindent 4 }} {{- end }}Same transform for
landingPage. Net diff: -50 / +2.The JupyterHub-specific defaults that the template was carrying (
enabled: true,redirectURI: /hub/oauth_callback,enforceAtGateway: false,forwardAccessToken: false, the standard scope set, the full landingPage block including the healthCheck sub-object) all live invalues.yamlalready, so users who don't override anything get the exact same rendered output. The template-level| defaultclauses were only relevant in the edge case where a user explicitly removed those fields from their overrides — which would have been a user-driven choice anyway.Verification
helm template . --set nebariapp.hostname=test.localbefore vs after produces the same NebariApp resource, field-for-field. Only the field ordering insidespec.authandspec.landingPagediffers becausetoYamlemits keys alphabetically instead of in the order the hand-rendered template declared them — purely cosmetic. The deployed CRD doesn't care about field order.Rendered output of the new template (relevant excerpt):
Follow-up
This is the local fix. The broader question — that every NebariApp-using pack in the org (8–10 charts and counting) re-implements its own copy of
templates/nebariapp.yamland drifts independently from the CRD — is being tracked separately as a library-chart proposal innebari-dev/nebari-operator. The passthrough shape adopted here is intentionally a one-line{{ include "nebari.app.spec" . }}swap away from consuming such a library chart whenever one ships.Test plan
helm templaterenders the same NebariApp resource as before (verified locally)nebariapp.auth.enforceAtGateway: true, ornebariapp.auth.groups) and confirms it lands in the deployedNebariAppspec