Summary
The chart's chart/templates/nebariapp.yaml has two compounding issues:
-
The auth: block drops most of the operator's AuthConfig fields. Helm values set under nebariapp.auth.* for unrendered fields are silently dropped before reaching the NebariApp CR.
-
The chart emits two NebariApp manifests — one for Ray Serve, one for the dashboard — with the auth: block duplicated inline. Both copies have the same gaps.
The current auth: block (inside each NebariApp) renders only:
enabled (hardcoded true), provider, provisionClient, redirectURI, scopes
Missing relative to the operator's AuthConfig (in api/v1/nebariapp_types.go):
enforceAtGateway
forwardAccessToken
denyRedirect
clientSecretRef
groups
issuerURL
spaClient
deviceFlowClient
keycloakConfig
tokenExchange
That's 10 missing fields. Most-visible consequence: enforceAtGateway: false cannot be set, so applications that want to do OIDC themselves (instead of via Envoy's gateway-level filter) cannot disable the gateway-level enforcement. (Discovered while auditing chart auth coverage after hitting the same issue in nebari-nebi-pack#20.)
Proposed fix — two parts
1. Replace the hand-curated subset with a toYaml passthrough
Matches the routing: precedent used elsewhere in the codebase:
{{- with .Values.nebariapp.auth }}
auth:
{{- toYaml . | nindent 4 }}
{{- end }}
Move the chart-side defaults (enabled: true, provider: keycloak, provisionClient: true, redirectURI: /oauth2/callback) into values.yaml so they still apply.
2. Extract the duplicated auth: block into a helper template
Define it once in _helpers.tpl, reuse from both NebariApps. Prevents future drift between the serve and dashboard copies:
{{/* _helpers.tpl */}}
{{- define "nebari-rayserve.nebariappAuth" -}}
{{- with .Values.nebariapp.auth }}
auth:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end -}}
{{/* nebariapp.yaml — same include in both NebariApps */}}
{{- include "nebari-rayserve.nebariappAuth" . | indent 2 }}
Definition of Done
Related
Summary
The chart's
chart/templates/nebariapp.yamlhas two compounding issues:The
auth:block drops most of the operator'sAuthConfigfields. Helm values set undernebariapp.auth.*for unrendered fields are silently dropped before reaching theNebariAppCR.The chart emits two
NebariAppmanifests — one for Ray Serve, one for the dashboard — with theauth:block duplicated inline. Both copies have the same gaps.The current
auth:block (inside each NebariApp) renders only:enabled(hardcodedtrue),provider,provisionClient,redirectURI,scopesMissing relative to the operator's
AuthConfig(inapi/v1/nebariapp_types.go):enforceAtGatewayforwardAccessTokendenyRedirectclientSecretRefgroupsissuerURLspaClientdeviceFlowClientkeycloakConfigtokenExchangeThat's 10 missing fields. Most-visible consequence:
enforceAtGateway: falsecannot be set, so applications that want to do OIDC themselves (instead of via Envoy's gateway-level filter) cannot disable the gateway-level enforcement. (Discovered while auditing chart auth coverage after hitting the same issue in nebari-nebi-pack#20.)Proposed fix — two parts
1. Replace the hand-curated subset with a
toYamlpassthroughMatches the
routing:precedent used elsewhere in the codebase:Move the chart-side defaults (
enabled: true,provider: keycloak,provisionClient: true,redirectURI: /oauth2/callback) intovalues.yamlso they still apply.2. Extract the duplicated
auth:block into a helper templateDefine it once in
_helpers.tpl, reuse from both NebariApps. Prevents future drift between the serve and dashboard copies:Definition of Done
chart/templates/nebariapp.yamlrenders allnebariapp.auth.*helm values without dropping fields, on BOTH the serve and dashboard NebariAppsauth:block is defined once via a helper template, not duplicated inlineenabled: true,provider: keycloak,provisionClient: true,redirectURI: /oauth2/callback) preserved viavalues.yamlenforceAtGateway: falsepropagates from helm values to BOTH rendered NebariApp manifestsRelated
enforceAtGateway+forwardAccessToken)