diff --git a/pkg/argocd/templates/apps/nebari-landingpage.yaml b/pkg/argocd/templates/apps/nebari-landingpage.yaml index 70b31e40..ce9ffa65 100644 --- a/pkg/argocd/templates/apps/nebari-landingpage.yaml +++ b/pkg/argocd/templates/apps/nebari-landingpage.yaml @@ -15,20 +15,25 @@ spec: source: repoURL: https://github.com/nebari-dev/nebari-landing - targetRevision: v0.1.0-alpha.4 + targetRevision: v0.1.0-alpha.5 path: charts/nebari-landing helm: releaseName: nebari-landing values: | frontend: + # Pin the image tag to the chart release. The chart defaults to + # ":latest", which floats with every upstream release and would + # silently change the running image on the next pod restart. + image: + tag: "0.1.0-alpha.5" keycloak: # External public Keycloak URL - used by the browser for OIDC login. url: "{{ .KeycloakIssuerURL }}" realm: "{{ .KeycloakRealm }}" - oauth2Proxy: - oidcIssuerUrl: "{{ .KeycloakIssuerURL }}/realms/{{ .KeycloakRealm }}" webapi: + image: + tag: "0.1.0-alpha.5" keycloak: # In-cluster URL for JWK fetching (fast, no TLS hop). url: "{{ .KeycloakServiceURL }}" diff --git a/pkg/argocd/writer.go b/pkg/argocd/writer.go index e745cc76..772e7aa8 100644 --- a/pkg/argocd/writer.go +++ b/pkg/argocd/writer.go @@ -133,15 +133,6 @@ func NewTemplateData(cfg *config.NebariConfig, settings provider.InfraSettings) // Only set when a real domain is configured. When no domain is provided // (e.g. cloud deployments using a bare LoadBalancer IP), KeycloakIssuerURL // is left empty and KEYCLOAK_ISSUER_URL is not injected into workloads. - // - // NOTE: The nebari-landingpage template uses KeycloakIssuerURL to construct - // oidcIssuerUrl for oauth2-proxy (rendered as "/realms/"). - // If KeycloakIssuerURL is empty this collapses to a relative path like - // "/realms/nebari", which oauth2-proxy would reject. In practice this - // function defaults Domain to "nebari.local" (see above), so - // KeycloakIssuerURL is always populated through normal code paths. However, - // if bare-LB-IP deployments (cfg.Domain == "") are ever supported, the - // template will need a guard or a separate value for the OIDC issuer URL. if cfg.Domain != "" { data.KeycloakIssuerURL = fmt.Sprintf("https://keycloak.%s%s", data.Domain, settings.KeycloakBasePath) } diff --git a/pkg/argocd/writer_test.go b/pkg/argocd/writer_test.go index 0a3b6bf9..f1fb9ea4 100644 --- a/pkg/argocd/writer_test.go +++ b/pkg/argocd/writer_test.go @@ -445,22 +445,19 @@ func TestHTTPToHTTPSRedirectRoute(t *testing.T) { func TestLandingPageTemplate(t *testing.T) { tests := []struct { - name string - keycloakBasePath string - wantIssuerURL string - wantOIDCIssuerURL string + name string + keycloakBasePath string + wantIssuerURL string }{ { - name: "no base path", - keycloakBasePath: "", - wantIssuerURL: "https://keycloak.test.example.com", - wantOIDCIssuerURL: "https://keycloak.test.example.com/realms/nebari", + name: "no base path", + keycloakBasePath: "", + wantIssuerURL: "https://keycloak.test.example.com", }, { - name: "auth base path included in issuer URL", - keycloakBasePath: "/auth", - wantIssuerURL: "https://keycloak.test.example.com/auth", - wantOIDCIssuerURL: "https://keycloak.test.example.com/auth/realms/nebari", + name: "auth base path included in issuer URL", + keycloakBasePath: "/auth", + wantIssuerURL: "https://keycloak.test.example.com/auth", }, } @@ -495,9 +492,6 @@ func TestLandingPageTemplate(t *testing.T) { if !strings.Contains(output, tt.wantIssuerURL) { t.Errorf("expected issuer URL %q in rendered output, got:\n%s", tt.wantIssuerURL, output) } - if !strings.Contains(output, tt.wantOIDCIssuerURL) { - t.Errorf("expected OIDC issuer URL %q in rendered output, got:\n%s", tt.wantOIDCIssuerURL, output) - } if !strings.Contains(output, data.KeycloakServiceURL) { t.Errorf("expected in-cluster service URL %q in rendered output, got:\n%s", data.KeycloakServiceURL, output) }