fix: Resolve mountPath conflict when OIDC and JWT auth are both enabled #1272
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@tuteng: Thanks for your contribution. For this PR, do we need to update docs?
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 261e3db227
| {{- if .Values.auth.authentication.enabled }} | ||
| {{- if and .Values.auth.oauth.enabled .Values.auth.oauth.brokerClientCredentialSecret }} | ||
| - mountPath: /mnt/secrets | ||
| - mountPath: /mnt/secrets/oauth |
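Review bot: The mountPath line that moves from /mnt/secrets to /mnt/secrets/oauth sits under conditions that only test auth.authentication.enabled, auth.oauth.enabled and auth.oauth.brokerClientCredentialSecret, so the new path is rendered for OAuth-only installs as well as the OIDC-plus-JWT case named in the title. Consider keeping /mnt/secrets unless JWT is also enabled, or exposing the mount path as a chart value, and update any documented file:// credential path so it matches whichever path the template renders.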
Preserve OAuth secret path for existing auth parameters
Changing the OAuth secretRef mount from /mnt/secrets to /mnt/secrets/oauth unconditionally breaks existing deployments that already set auth.oauth.brokerClientAuthenticationParameters.privateKey to file:///mnt/secrets/broker_client_credential.json (the documented path in values.yaml). Because brokerClientAuthenticationParameters is passed through as-is, upgrading to this commit causes the broker/proxy OAuth client credential file lookup to fail unless users manually change their values, making this a backward-incompatible auth regression even when JWT is not enabled.
Pull request overview
This PR updates the sn-platform-slim auth helper so OAuth broker credentials are mounted under a separate path, aiming to avoid the secret mount collision that occurs when OAuth/OIDC and JWT auth are enabled together.
Changes:
- Change the OAuth credential secret mount path in sn-platform-slim from /mnt/secrets to /mnt/secrets/oauth.
- Align the slim chart’s helper behavior with the corresponding helper in charts/sn-platform.
| {{- if .Values.auth.authentication.enabled }} | ||
| {{- if and .Values.auth.oauth.enabled .Values.auth.oauth.brokerClientCredentialSecret }} | ||
| - mountPath: /mnt/secrets | ||
| - mountPath: /mnt/secrets/oauth |
Only use /mnt/secrets/oauth for OIDC when JWT is also enabled, so existing deployments that reference file:///mnt/secrets/... in their brokerClientAuthenticationParameters continue to work when JWT is not in use.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>