fix disable oidc

[klinch0]

Summary by CodeRabbit

• Bug Fixes
  • Improved conditional logic for OIDC functionality, ensuring accurate deployment of related components.
• Chores
  • Updated dependencies for the keycloak release to ensure proper operation with the postgres-operator.
• New Features
  • Enhanced configuration handling for OIDC, affecting the inclusion of related components based on strict equality checks.

[coderabbitai]

Walkthrough

The changes in the pull request involve a modification to the conditional logic in both the paas-full.yaml and paas-hosted.yaml configuration files. The check for the oidcEnabled variable has been updated from a simple existence check to a strict equality check against the string "true". This adjustment affects the deployment of components such as keycloak, keycloak-operator, and keycloak-configure, which are now conditionally included based on this precise condition. Additionally, the dependsOn field for the keycloak release has been updated to depend on the postgres-operator.

Changes

File Path	Change Summary
packages/core/platform/bundles/paas-full.yaml, packages/core/platform/bundles/paas-hosted.yaml	Updated conditional logic for oidcEnabled to check for strict equality with "true". Adjusted dependsOn for keycloak to depend on postgres-operator in paas-full.yaml. The dashboard release in paas-hosted.yaml now depends on keycloak-configure when OIDC is enabled.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Deployment
    participant Keycloak
    participant Dashboard
    participant PostgresOperator

    User->>Deployment: Initiate deployment
    Deployment->>Keycloak: Check oidcEnabled
    alt oidcEnabled is "true"
        Deployment->>Keycloak: Include Keycloak components
        Keycloak->>PostgresOperator: Check dependency
        PostgresOperator-->>Keycloak: Dependency satisfied
        Deployment->>Dashboard: Include Dashboard with Keycloak
    else oidcEnabled is not "true"
        Deployment->>Keycloak: Exclude Keycloak components
        Deployment->>Dashboard: Exclude Dashboard dependencies
    end

Loading

• Refactor Keycloak #502: The changes in this PR involve the integration of OIDC configuration and its handling, which is directly related to the modifications made in the main PR regarding the conditional logic for the oidcEnabled variable in the paas-full.yaml and paas-hosted.yaml files.

Suggested labels

enhancement, size:L

🐇 "In the code where the logic flows,
A check for truth, now clearly shows.
With Keycloak's fate in strict embrace,
Dependencies dance in their rightful place.
OIDC's tale, now told with care,
In the YAML fields, we find our share!" 🌟

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Experiment)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)

packages/core/platform/bundles/paas-full.yaml (1)

Line range hint 226-234: Inconsistent OIDC enablement checks detected

While this section correctly uses eq $oidcEnabled "true" for strict comparison, the keycloak components section at the bottom still uses the old existence check if $oidcEnabled. This inconsistency could lead to unexpected behavior when trying to disable OIDC.

Apply this diff to make the checks consistent:

-{{- if $oidcEnabled }}
+{{- if eq $oidcEnabled "true" }}
- name: keycloak
  releaseName: keycloak
  chart: cozy-keycloak

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 3ff1709 and 0431974.

📒 Files selected for processing (1)

• packages/core/platform/bundles/paas-full.yaml (1 hunks)

🔇 Additional comments (1)

packages/core/platform/bundles/paas-full.yaml (1)

Line range hint 226-234: Verify the impact on dashboard authentication

The dashboard's dependency on keycloak-configure and the conditional loading of kubeapps-auth-config values need verification to ensure proper authentication behavior when OIDC is disabled.

✅ Verification successful

Let me generate another script to gather more specific information about the authentication configuration:

The previous search was too broad and included many unrelated auth configurations. This script will help us focus on the specific components mentioned in the review comment.

---

Based on the gathered information, I can now provide the final response:

Dashboard authentication configuration is properly handled based on OIDC state

The code correctly manages the dashboard's authentication configuration through conditional logic:

• When OIDC is enabled ($oidcEnabled = "true"):
  • Adds dependency on keycloak-configure
  • Loads authentication values from kubeapps-auth-config ConfigMap
• When OIDC is disabled:
  • Removes the Keycloak dependency
  • Skips loading OIDC configuration

The implementation ensures proper authentication behavior in both OIDC and non-OIDC scenarios, with no issues found.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for potential authentication configuration issues

# Check if kubeapps-auth-config exists and its content
kubectl get configmap kubeapps-auth-config -o yaml 2>/dev/null

# Check for any dashboard-related authentication configurations
rg -A 5 'auth|authentication|oidc' --type yaml

Length of output: 129856

---

Script:

#!/bin/bash
# Check for OIDC and authentication related configurations in the codebase

# Search for kubeapps-auth-config references and OIDC configuration
rg -l "kubeapps-auth-config|oidc|keycloak-configure" --type yaml

# Check the specific file content
cat packages/core/platform/bundles/paas-full.yaml

# Look for any keycloak-configure related files
fd -t f keycloak-configure

Length of output: 8653

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)

packages/core/platform/bundles/paas-hosted.yaml (1)

Based on the search results, I can now generate the final response:

Strict OIDC condition check is correct, but needs to be consistent across files

The strict equality check eq $oidcEnabled "true" in the dashboard section is actually the correct approach, and the loose check if $oidcEnabled in the keycloak section should be updated to match. This is because:

• The value comes from ConfigMap data field oidc-enabled, which stores strings
• The same pattern appears in both paas-hosted.yaml and paas-full.yaml
• The keycloak section in keycloakgroups.yaml also uses this value

Apply these changes:

• In packages/core/platform/bundles/paas-hosted.yaml:

-{{- if $oidcEnabled }}
+{{- if eq $oidcEnabled "true" }}

• Make the same change in packages/core/platform/bundles/paas-full.yaml
• Update packages/apps/tenant/templates/keycloakgroups.yaml for consistency

🔗 Analysis chain

Line range hint 156-163: Inconsistent OIDC condition checks may cause security issues

The dashboard section uses a strict equality check eq $oidcEnabled "true", while the keycloak section below uses a loose check if $oidcEnabled. This inconsistency could lead to scenarios where keycloak components are deployed but the dashboard isn't properly configured for OIDC, or vice versa.

Apply this diff to maintain consistency:

{{- if $oidcEnabled }}
+{{- if eq $oidcEnabled "true" }}

Also, verify the behavior of these conditions with different values:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check how $oidcEnabled is set across the codebase
# Test different values and their impact on OIDC deployment

# Search for all occurrences of oidcEnabled in yaml files
echo "Searching for oidcEnabled usage patterns:"
rg --type yaml 'oidcEnabled|oidc-enabled' -B 2 -A 2

# Search for ConfigMap definitions that might set this value
echo -e "\nSearching for related ConfigMap definitions:"
rg --type yaml 'kind:\s+ConfigMap.*cozystack|oidc-enabled'

Length of output: 3240

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 0431974 and ce8e613.

📒 Files selected for processing (1)

• packages/core/platform/bundles/paas-hosted.yaml (1 hunks)

🔇 Additional comments (1)

packages/core/platform/bundles/paas-hosted.yaml (1)

Line range hint 165-183: Verify namespace handling for keycloak components

The keycloak components are deployed to the cozy-keycloak namespace, but there's no explicit verification that the namespace exists or is created. While this might be handled elsewhere, it's worth verifying to prevent deployment issues.

✅ Verification successful

Let me gather more information about how namespaces are handled in the Helm charts.

---

Let me check the core platform templates to understand how namespaces are handled.

---

Based on the findings, I can now provide the final response:

Namespace handling for keycloak components is properly managed

The namespace cozy-keycloak is automatically created by the platform's namespace management system. The namespaces.yaml template collects all unique namespaces from the bundle releases and creates them with appropriate security settings. Since keycloak components are defined in the bundle with namespace cozy-keycloak, this namespace will be created before the components are deployed.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check namespace handling for keycloak components

# Search for namespace creation/handling
echo "Searching for cozy-keycloak namespace handling:"
rg --type yaml 'kind:\s+Namespace.*cozy-keycloak'

# Check for potential namespace-related issues in deployment
echo -e "\nSearching for namespace-related patterns in deployment:"
rg --type yaml 'namespace:\s+cozy-keycloak' -B 3 -A 3

Length of output: 4782

---

Script:

#!/bin/bash
# Check if namespace creation is handled in the Helm charts

# Search for namespace creation in the keycloak charts
echo "Searching for namespace handling in keycloak charts:"
fd -e yaml -e tpl cozy-keycloak | xargs rg -l 'kind:\s*Namespace|\.Release\.Namespace'

# Check for any namespace creation templates or patterns
echo -e "\nSearching for namespace creation patterns:"
rg --type yaml 'kind:\s*Namespace' -B 2 -A 2

# Check if there's any pre-install hooks that might create namespaces
echo -e "\nSearching for pre-install hooks:"
rg --type yaml 'helm.sh/hook:\s*pre-install' -B 3 -A 3

Length of output: 46915

---

Script:

#!/bin/bash
# Check core platform namespace handling

# Check the platform namespaces template
echo "Checking platform namespaces template:"
cat packages/core/platform/templates/namespaces.yaml

# Check if cozy-keycloak namespace is defined in platform templates
echo -e "\nSearching for cozy-keycloak namespace definition:"
rg -A 5 'cozy-keycloak' packages/core/platform/templates/namespaces.yaml

Length of output: 1830

[kvaps]

LGTM