Sync template with nebari-operator v0.1.0-alpha.19#12
Merged
Conversation
The template was pinned to nebari-operator v0.1.0-alpha.5 (March 2026), but the operator is now at v0.1.0-alpha.19 (April 2026). 14 alpha releases of CRD additions and behavior changes had not been reflected here. Notable consequences before this change: - examples/auth-fastapi used routing.publicRoutes, a field added to the operator after alpha.5. Against the alpha.5 CI install, the field was silently dropped, so the documented "/health bypasses OIDC" behavior was not actually being tested. - docs/nebariapp-crd-reference.md was missing roughly ten spec fields, most status fields, and one condition reason. - README claimed CI installs the latest operator release; it actually pinned to alpha.5. - release.yaml force-pushed to gh-pages from a fresh git init on every release, silently overwriting prior chart releases in a multi-chart repo. Changes: - Bump operator pin to v0.1.0-alpha.19 in dev/Makefile and test-integration.yaml. URLs now derive from a single OPERATOR_REF variable so the next bump is one line. Update the README claim. - Regenerate docs/nebariapp-crd-reference.md against the alpha.19 types, adding serviceAccountName, service.namespace, routing.publicRoutes, routing.annotations, the new auth.* fields (forwardAccessToken, denyRedirect, spaClient, deviceFlowClient, keycloakConfig, tokenExchange), the landingPage block (with healthCheck), the missing status fields, and the GatewayListenerConflict condition reason. - Drop redirectURI: / from every example and let the operator default (/oauth2/callback) apply. Helm templates only emit redirectURI when the user sets it. Fix README cookie-suffix description (7-char to 8-char, FNV-32a). - Add a "NebariApp CRD vs Envoy Gateway SecurityPolicy" boundary section to docs/auth-flow.md so readers know which OIDC fields are surfaced on NebariApp and which require dropping enforceAtGateway and managing a SecurityPolicy directly. - Add a "Beyond the basics" feature list to README pointing at the CRD reference for each newer field. - Replace release.yaml's "init from scratch + force-push" with a fetch-existing + helm repo index --merge flow, so prior chart releases are preserved.
The integration test failure on the prior commit traced to a pre-existing bug masked by alpha.5: the wrap-existing-chart helm test uses release name 'test-podinfo', which matches podinfo's chart name and triggers the upstream chart's name-deduplication. The actual rendered Service is named 'test-podinfo' (not 'test-podinfo-podinfo'), but the chart's helper hardcodes '<release>-podinfo'. NebariApp pointed at a non-existent Service and the operator (correctly, in alpha.19) reported ServiceNotFound, blocking helm --wait until timeout. The same broken release name appears in two README walkthroughs, so end users following those would also fail. Rename the test/walkthrough release name to 'test-wrap' so the upstream dedup does not trigger; '<release>-podinfo' resolves to 'test-wrap-podinfo' and matches what the upstream chart actually creates. Also addresses PR review feedback: - Drop redirectURI: /oauth2/callback from the CRD reference Full Example so it is not cargo-culted into pack manifests; replace with a comment. - Scope the auth-flow.md SecurityPolicy boundary section explicitly to the OIDC filter fields, and call out that spaClient, deviceFlowClient, keycloakConfig, and tokenExchange are first-class NebariApp fields documented in the CRD reference. - Clarify in the CRD reference that spec.auth.clientSecretRef is a string (Secret name), not the object reference used by status.clientSecretRef. - Note that auth.denyRedirect pairs naturally with auth.spaClient so pack authors discover it for the right use case.
Podinfo's chart only applies app.kubernetes.io/name=<release>-podinfo to its pods, not app.kubernetes.io/instance. With the previous fix to the release name, helm install now succeeds, so this second pre-existing bug in the verify step (kubectl wait on a non-existent label selector) became the new failure point. Wait on the Deployment's Available condition instead of pods directly. The Deployment name is well-defined and the condition is the same thing helm install --wait already gates on, so the wait will return promptly on success.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
docs/nebariapp-crd-reference.mdagainst the current types and surface new fields in the README (publicRoutes,forwardAccessToken,denyRedirect,spaClient,deviceFlowClient,keycloakConfig,tokenExchange,landingPage,serviceAccountName, cross-namespace service refs).redirectURI: /from every example and let the operator's default (/oauth2/callback) apply. Helm templates only emitredirectURIwhen the user sets it.docs/auth-flow.mdso readers know which OIDC fields are surfaced on NebariApp and which require droppingenforceAtGatewayand managing a SecurityPolicy directly.release.yamlso multi-chart releases don't silently overwrite each other on gh-pages: fetch existing +helm repo index --merge, no force-push.Why
The template was pinned to alpha.5 while the operator moved on. Things that broke as a result:
examples/auth-fastapisetsrouting.publicRoutes, which was added to the operator after alpha.5. Against the alpha.5 CI install, the field was being dropped, so the documented "/health bypasses OIDC" behavior in the example was not actually being tested.docs/nebariapp-crd-reference.mdwas missing roughly ten spec fields and most status fields.After this PR,
OPERATOR_REFis the single point of truth for the operator version in both the local dev Makefile and the integration test workflow, so the next bump is one line.Test plan
helm lintis clean for all three example chartshelm templaterenders cleanly withnebariapp.enabledtrue and false (no emptyredirectURIline)