Skip to content

NebariApp template drops most AuthConfig fields, duplicates auth block #13

Description

@oren-openteams

Summary

The chart's chart/templates/nebariapp.yaml has two compounding issues:

  1. The auth: block drops most of the operator's AuthConfig fields. Helm values set under nebariapp.auth.* for unrendered fields are silently dropped before reaching the NebariApp CR.

  2. The chart emits two NebariApp manifests — one for Ray Serve, one for the dashboard — with the auth: block duplicated inline. Both copies have the same gaps.

The current auth: block (inside each NebariApp) renders only:

  • enabled (hardcoded true), provider, provisionClient, redirectURI, scopes

Missing relative to the operator's AuthConfig (in api/v1/nebariapp_types.go):

  • enforceAtGateway
  • forwardAccessToken
  • denyRedirect
  • clientSecretRef
  • groups
  • issuerURL
  • spaClient
  • deviceFlowClient
  • keycloakConfig
  • tokenExchange

That's 10 missing fields. Most-visible consequence: enforceAtGateway: false cannot be set, so applications that want to do OIDC themselves (instead of via Envoy's gateway-level filter) cannot disable the gateway-level enforcement. (Discovered while auditing chart auth coverage after hitting the same issue in nebari-nebi-pack#20.)

Proposed fix — two parts

1. Replace the hand-curated subset with a toYaml passthrough

Matches the routing: precedent used elsewhere in the codebase:

{{- with .Values.nebariapp.auth }}
auth:
  {{- toYaml . | nindent 4 }}
{{- end }}

Move the chart-side defaults (enabled: true, provider: keycloak, provisionClient: true, redirectURI: /oauth2/callback) into values.yaml so they still apply.

2. Extract the duplicated auth: block into a helper template

Define it once in _helpers.tpl, reuse from both NebariApps. Prevents future drift between the serve and dashboard copies:

{{/* _helpers.tpl */}}
{{- define "nebari-rayserve.nebariappAuth" -}}
{{- with .Values.nebariapp.auth }}
auth:
  {{- toYaml . | nindent 2 }}
{{- end }}
{{- end -}}

{{/* nebariapp.yaml — same include in both NebariApps */}}
{{- include "nebari-rayserve.nebariappAuth" . | indent 2 }}

Definition of Done

  • chart/templates/nebariapp.yaml renders all nebariapp.auth.* helm values without dropping fields, on BOTH the serve and dashboard NebariApps
  • The auth: block is defined once via a helper template, not duplicated inline
  • Defaults (enabled: true, provider: keycloak, provisionClient: true, redirectURI: /oauth2/callback) preserved via values.yaml
  • Helm test asserts enforceAtGateway: false propagates from helm values to BOTH rendered NebariApp manifests
  • Helm test repeated for previously-dropped fields

Related

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    Priority

    None yet

    Start date

    None yet

    Target date

    None yet

    Size

    None yet

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions