chore: bump nebari-landing chart to v0.1.0-alpha.5#299
Conversation
The landing chart at v0.1.0-alpha.5 dropped the oauth2-proxy sidecar, so our values block no longer renders the <issuer>/realms/<realm> concatenation that this assertion was checking. The remaining wantIssuerURL and realm checks already cover what stays in the template.
|
Tested end-to-end on the Hetzner cluster ( Post-deploy state matches what alpha.5 promises:
Logs are clean. Frontend serves The orphan oauth2-proxy confidential client I flagged in the PR description is confirmed on the live deploy. Filed separately as nebari-dev/nebari-landing#81. Not blocking this PR. |
The nebari-landing chart defaults both frontend.image.tag and webapi.image.tag to "latest". The release workflow tags every published image with the chart version, semver minor, semver major, sha, AND latest, so :latest content floats with every upstream release. Pinning to 0.1.0-alpha.5 here makes the rendered Application reproducible and decouples image churn from chart version. Tracked upstream for a chart-side default fix.
dcmcand
left a comment
There was a problem hiding this comment.
Approving.
Highlights:
- Inline comment in
nebari-landingpage.yamlexplaining why the image tag is pinned (chart defaults to:latest, would silently float on pod restart) is exactly the kind of "non-obvious why" comment worth keeping. - Stale NOTE block in
writer.goaboutoidcIssuerUrlcollapsing to a relative path is correctly removed alongside upstream's drop of oauth2-proxy. - PR body is excellent - links the upstream release and PR, enumerates exactly which value-block keys change, and explicitly flags an out-of-scope item.
- Test diff is symmetric with the template change.
One sanity check (non-blocking): chart targetRevision uses v0.1.0-alpha.5 (with v) while image tags use 0.1.0-alpha.5 (no v). That mirrors how upstream tags git releases vs container images, so it's almost certainly correct - just worth confirming the published image tags exist if you haven't already deployed.
Stylistic (not blocking): the version literal is duplicated three times across the template. A TemplateData.LandingChartVersion field would keep chart revision and image tags in lockstep on future bumps.
Follow-up: the out-of-scope NebariApp.auth.enabled: true item in the PR body is worth a separate issue so it doesn't get lost.
|
I will close this one, since I will be opening a follow-up PR with a newer release of the landing page app, just waiting on finishing the review of nebari-dev/nebari-landing#84. |
Description
Upgrades the nebari-landing helm chart to v0.1.0-alpha.5.
Full changelog: nebari-dev/nebari-landing@v0.1.0-alpha.4...v0.1.0-alpha.5
Notes on upstream changes that affect us
The headline change in alpha.5 is dropping the oauth2-proxy sidecar in favor of a pure SPA PKCE/S256 flow handled client-side by
keycloak-js(see nebari-landing#72). The chart no longer renders anoauth2-proxycontainer or a confidential OIDC client; the frontendServicenow points directly at nginx on port8080.Concrete effects on this Application's values block:
frontend.oauth2Proxy.oidcIssuerUrl— the entirefrontend.oauth2Proxy.*key is gone from the chart in alpha.5, so this override is dead config.frontend.keycloak.{url,realm}is unchanged — still rendered into/config.jsonfor the browser.webapi.*,nebariApp.enabled: true,httpRoute.*, andredis.auth.existingSecretare unchanged.Out of scope (worth a separate look)
NebariApptemplate still setsauth.enabled: true, so the operator continues to provision the primary (formerly oauth2-proxy) OIDC client even though nothing consumes it anymore. The SPA client provisioned viaspaClient.enabledis the one actually used.