fix: configmap generation with no-config mode for external secret management#402
fix: configmap generation with no-config mode for external secret management#402
no-config mode for external secret management#402Conversation
tuunit
force-pushed
the
fix/configmap-generation
branch
from
5a2b3b6 to
ad9a277
Compare
There was a problem hiding this comment.
Pull request overview
Reintroduces support for running the chart without a generated/mounted legacy ConfigMap when alphaConfig.enabled=false and config.forceLegacyConfig=false, enabling externally-managed configuration.
Changes:
- Add
no-configas a new legacy-config mode and use it to skip legacy ConfigMap generation. - Update Deployment template to conditionally skip legacy config volume/volumeMount in
no-configmode. - Add a
modelabel to generated legacy ConfigMaps and update values documentation; bump chart version + changelog entry.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
helm/oauth2-proxy/values.yaml |
Documents the new no-config behavior for legacy config handling. |
helm/oauth2-proxy/templates/deployment.yaml |
Adds mode-aware conditional mounting of the legacy config volume/volumeMount. |
helm/oauth2-proxy/templates/configmap.yaml |
Skips rendering the legacy ConfigMap in existing-configmap and no-config modes; adds a mode label. |
helm/oauth2-proxy/templates/_helpers.tpl |
Introduces no-config as a possible value for legacy-config.mode. |
helm/oauth2-proxy/Chart.yaml |
Bumps chart version and updates Artifact Hub changelog annotation. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
tuunit
force-pushed
the
fix/configmap-generation
branch
2 times, most recently
from
71b2bf9 to
4d0756a
Compare
…anagement Signed-off-by: Jan Larwig <jan@larwig.com>
tuunit
force-pushed
the
fix/configmap-generation
branch
from
4d0756a to
39eabb4
Compare
|
@pierluigilenoci this whole config handling is getting quite messy... We need to find a better solution |
tuunit
force-pushed
the
fix/configmap-generation
branch
from
4c8e399 to
afddb2a
Compare
tuunit
force-pushed
the
fix/configmap-generation
branch
from
afddb2a to
8ece5f7
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| # when the chart generates the alpha config itself. | ||
| configFile: "" | ||
| # Use an existing config map (see secret-alpha.yaml for required fields) | ||
| # Use an existing config map (see secret-alpha.yaml for required fields). |
There was a problem hiding this comment.
The comment for alphaConfig.existingConfig points to secret-alpha.yaml for required fields, but that template defines a Secret (base64-encoded data:), not a ConfigMap. This is misleading for users providing an external ConfigMap; consider documenting the required key directly (e.g., data.oauth2_proxy.yml) or referencing a ConfigMap-specific example/template instead.
| # Use an existing config map (see secret-alpha.yaml for required fields). | |
| # Use an existing ConfigMap containing the alpha config file (for example, | |
| # with a key like `oauth2_proxy.yml` under `.data`). |
| Keep the following in mind: | ||
|
|
||
| - The chart always mounts `/etc/oauth2_proxy/oauth2_proxy.cfg`. (Legacy toml config) | ||
| Unless both `alphaConfig.enabled` and `forceLegacyConfig` are set to `false` |
There was a problem hiding this comment.
This line references forceLegacyConfig without the config. prefix. Since the value is config.forceLegacyConfig, the current wording is ambiguous and could confuse readers; please change it to config.forceLegacyConfig for consistency with the rest of the document.
| Unless both `alphaConfig.enabled` and `forceLegacyConfig` are set to `false` | |
| Unless both `alphaConfig.enabled` and `config.forceLegacyConfig` are set to `false` |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| {{- $legacySource := include "oauth2-proxy.legacy-config.source" . }} | ||
| {{- if not (has $legacySource (list "existing-configmap" "no-config")) }} | ||
| apiVersion: v1 | ||
| kind: ConfigMap |
There was a problem hiding this comment.
PR description mentions adding a mode label to generated ConfigMaps for debugging, but this template currently only changes the generation condition and does not add any label reflecting $legacySource. Consider adding a label (e.g., legacy-config/source or mode) under metadata.labels when the ConfigMap is rendered so users can identify which legacy config source was used.
| {{- else -}} | ||
| generated-alpha-compatible | ||
| {{- end -}} | ||
| {{- else if not .Values.config.forceLegacyConfig -}} | ||
| no-config | ||
| {{- else if .Values.config.existingConfig -}} |
There was a problem hiding this comment.
The new no-config legacy-config source (when alphaConfig.enabled=false and config.forceLegacyConfig=false) changes rendered manifests by removing the legacy ConfigMap, --config arg, and volume mounts, but there is no chart-testing install case in helm/oauth2-proxy/ci/ covering this mode. Add a CI values file exercising no-config to prevent regressions (e.g., ensure configmap.yaml is skipped and the Deployment no longer references configmain).
|
Hi! I've opened #404 as a minimal, surgical fix for the same issue reported by @MattiasGees. The key difference is that #404 only adds a I think the structural improvements in this PR (alpha-config helpers, deprecation guards, better naming) are valuable, but they'd be better suited as a separate follow-up refactor PR after the core fix lands, to keep the blast radius small and review straightforward. |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| {{/* | ||
| If `config.forceLegacyConfig=false`, the chart ignores both the `config.configFile` and `config.existingConfig` overrides and only generates a minimal necessary legacy config. | ||
| If `config.existingConfig` is set and `config.forceLegacyConfig=true`, the external ConfigMap is mounted into the mounted file. | ||
| If `config.configFile` is set and `config.forceLegacyConfig=true`, the chart renders that inline content into the mounted file. | ||
| If `config.forceLegacyConfig=false` and `alphaConfig.enabled=false`, the chart renders no config map and does not mount a file. | ||
| */}} |
There was a problem hiding this comment.
The helper doc comment says config.forceLegacyConfig=false “only generates a minimal necessary legacy config”, but the new no-config path means no legacy config is rendered/mounted when alphaConfig.enabled=false and config.forceLegacyConfig=false. Update the comment to reflect the two different behaviors (alphaConfig-enabled vs alphaConfig-disabled).
| {{- if $legacyConfigEnabled }} | ||
| - --config=/etc/oauth2_proxy/oauth2_proxy.cfg | ||
| {{- end }} |
There was a problem hiding this comment.
New no-config mode changes runtime behavior (skips legacy ConfigMap generation/mount and omits the --config arg), but there is no chart-testing install scenario covering alphaConfig.enabled=false + config.forceLegacyConfig=false. Add a helm/oauth2-proxy/ci/*-values.yaml case to ensure templates render and install correctly for this mode.
| # 2. When alphaConfig.enabled=true and forceLegacyConfig=false, | ||
| # both configFile and existingConfig are ignored and the chart | ||
| # generates a minimal legacy config from emailDomains only. | ||
| # 3. If configFile is empty/not set, the config is auto-generated | ||
| # from emailDomains and, when alphaConfig is disabled, upstreams. | ||
| # 4. When alphaConfig.enabled=false and forceLegacyConfig=false | ||
| # no ConfigMap is generated and mounted |
There was a problem hiding this comment.
The newly documented alphaConfig.enabled=false + config.forceLegacyConfig=false “no ConfigMap” behavior means forceLegacyConfig now also has an effect when alphaConfig is disabled. Later in this section the comment says “This flag only has an effect when alphaConfig.enabled is true…”, which is now inconsistent—please update that wording to include the no-config mode case.
|
Following up on my previous comment — I've now split the work across two PRs:
Intentionally left out from #405:
This way the bug fix can land quickly (#404) and the refactor improvements can be reviewed independently (#405). Thanks for the original work on this PR — it was a great starting point! |
|
@pierluigilenoci I have to disagree with all three points that have been left out in the split. I don't understand why the split into two more PRs is necessary. We could just work in this PR to figure out a final solution. I think renaming to source will not breaking anything. The AI isn't aware of when the release was done and in my opinion no one will have built custom templating based on the new helpers in the last 3 days... Furthermore, why wouldn't we want the annotations for the type of config used? It a quick insight and doesn't hurt anyone. One other possible route we could take, is revert the original PR and take more time to fully rework this mess to have a clean state even if it means introducing a breaking change |
Description
Add back support for running without generated/mounted ConfigMap when
alphaConfig.enabled=falseandforceLegacyConfig=false. This enables users to manage oauth2-proxy configuration entirely via external secrets or other means as was previously possible as mentioned by #385 (comment)no-configlegacy-config modeno-configmodemodelabel to generated ConfigMaps for debuggingChecklist: