Skip to content

Sync template with nebari-operator v0.1.0-alpha.19#12

Merged
dcmcand merged 3 commits into
mainfrom
docs/sync-with-operator-alpha19
May 4, 2026
Merged

Sync template with nebari-operator v0.1.0-alpha.19#12
dcmcand merged 3 commits into
mainfrom
docs/sync-with-operator-alpha19

Conversation

@dcmcand

@dcmcand dcmcand commented May 4, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Bring this template back in sync with the current nebari-operator. The pin moves from v0.1.0-alpha.5 (March 2026) to v0.1.0-alpha.19 (April 2026), 14 alpha releases of CRD changes.
  • Rewrite docs/nebariapp-crd-reference.md against the current types and surface new fields in the README (publicRoutes, forwardAccessToken, denyRedirect, spaClient, deviceFlowClient, keycloakConfig, tokenExchange, landingPage, serviceAccountName, cross-namespace service refs).
  • Drop the explicit redirectURI: / from every example and let the operator's default (/oauth2/callback) apply. Helm templates only emit redirectURI when the user sets it.
  • Fix README cookie-suffix description (was "7-char", should be "8-char, FNV-32a").
  • Add a "NebariApp CRD vs Envoy Gateway SecurityPolicy" boundary section to docs/auth-flow.md so readers know which OIDC fields are surfaced on NebariApp and which require dropping enforceAtGateway and managing a SecurityPolicy directly.
  • Fix release.yaml so multi-chart releases don't silently overwrite each other on gh-pages: fetch existing + helm repo index --merge, no force-push.

Why

The template was pinned to alpha.5 while the operator moved on. Things that broke as a result:

  • examples/auth-fastapi sets routing.publicRoutes, which was added to the operator after alpha.5. Against the alpha.5 CI install, the field was being dropped, so the documented "/health bypasses OIDC" behavior in the example was not actually being tested.
  • docs/nebariapp-crd-reference.md was missing roughly ten spec fields and most status fields.
  • README claimed the integration workflow installs the latest operator release; it actually pinned to alpha.5.
  • The release workflow re-initialized gh-pages from a fresh git init and force-pushed on every release, which would silently overwrite previously-released chart versions in a multi-chart repo.

After this PR, OPERATOR_REF is the single point of truth for the operator version in both the local dev Makefile and the integration test workflow, so the next bump is one line.

Test plan

  • helm lint is clean for all three example charts
  • helm template renders cleanly with nebariapp.enabled true and false (no empty redirectURI line)
  • kubeconform validates the kustomize overlays and the vanilla-yaml manifests
  • Integration workflow passes against the bumped operator pin
  • Spot-check that the new "Beyond the basics" README section and the auth-flow boundary section render correctly on GitHub

dcmcand added 3 commits May 4, 2026 13:49
The template was pinned to nebari-operator v0.1.0-alpha.5 (March 2026), but
the operator is now at v0.1.0-alpha.19 (April 2026). 14 alpha releases of
CRD additions and behavior changes had not been reflected here.

Notable consequences before this change:
- examples/auth-fastapi used routing.publicRoutes, a field added to the
  operator after alpha.5. Against the alpha.5 CI install, the field was
  silently dropped, so the documented "/health bypasses OIDC" behavior was
  not actually being tested.
- docs/nebariapp-crd-reference.md was missing roughly ten spec fields, most
  status fields, and one condition reason.
- README claimed CI installs the latest operator release; it actually
  pinned to alpha.5.
- release.yaml force-pushed to gh-pages from a fresh git init on every
  release, silently overwriting prior chart releases in a multi-chart repo.

Changes:
- Bump operator pin to v0.1.0-alpha.19 in dev/Makefile and
  test-integration.yaml. URLs now derive from a single OPERATOR_REF
  variable so the next bump is one line. Update the README claim.
- Regenerate docs/nebariapp-crd-reference.md against the alpha.19 types,
  adding serviceAccountName, service.namespace, routing.publicRoutes,
  routing.annotations, the new auth.* fields (forwardAccessToken,
  denyRedirect, spaClient, deviceFlowClient, keycloakConfig,
  tokenExchange), the landingPage block (with healthCheck), the missing
  status fields, and the GatewayListenerConflict condition reason.
- Drop redirectURI: / from every example and let the operator default
  (/oauth2/callback) apply. Helm templates only emit redirectURI when
  the user sets it. Fix README cookie-suffix description (7-char to
  8-char, FNV-32a).
- Add a "NebariApp CRD vs Envoy Gateway SecurityPolicy" boundary section
  to docs/auth-flow.md so readers know which OIDC fields are surfaced
  on NebariApp and which require dropping enforceAtGateway and managing
  a SecurityPolicy directly.
- Add a "Beyond the basics" feature list to README pointing at the CRD
  reference for each newer field.
- Replace release.yaml's "init from scratch + force-push" with a
  fetch-existing + helm repo index --merge flow, so prior chart releases
  are preserved.
The integration test failure on the prior commit traced to a pre-existing
bug masked by alpha.5: the wrap-existing-chart helm test uses release name
'test-podinfo', which matches podinfo's chart name and triggers the
upstream chart's name-deduplication. The actual rendered Service is
named 'test-podinfo' (not 'test-podinfo-podinfo'), but the chart's helper
hardcodes '<release>-podinfo'. NebariApp pointed at a non-existent
Service and the operator (correctly, in alpha.19) reported
ServiceNotFound, blocking helm --wait until timeout. The same broken
release name appears in two README walkthroughs, so end users following
those would also fail.

Rename the test/walkthrough release name to 'test-wrap' so the upstream
dedup does not trigger; '<release>-podinfo' resolves to 'test-wrap-podinfo'
and matches what the upstream chart actually creates.

Also addresses PR review feedback:
- Drop redirectURI: /oauth2/callback from the CRD reference Full Example
  so it is not cargo-culted into pack manifests; replace with a comment.
- Scope the auth-flow.md SecurityPolicy boundary section explicitly to
  the OIDC filter fields, and call out that spaClient, deviceFlowClient,
  keycloakConfig, and tokenExchange are first-class NebariApp fields
  documented in the CRD reference.
- Clarify in the CRD reference that spec.auth.clientSecretRef is a
  string (Secret name), not the object reference used by
  status.clientSecretRef.
- Note that auth.denyRedirect pairs naturally with auth.spaClient so
  pack authors discover it for the right use case.
Podinfo's chart only applies app.kubernetes.io/name=<release>-podinfo to
its pods, not app.kubernetes.io/instance. With the previous fix to the
release name, helm install now succeeds, so this second pre-existing bug
in the verify step (kubectl wait on a non-existent label selector)
became the new failure point.

Wait on the Deployment's Available condition instead of pods directly.
The Deployment name is well-defined and the condition is the same thing
helm install --wait already gates on, so the wait will return promptly
on success.
@dcmcand dcmcand merged commit 9a52b4f into main May 4, 2026
3 checks passed
@dcmcand dcmcand deleted the docs/sync-with-operator-alpha19 branch May 4, 2026 16:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant