
fix: add missing auth.oidc validation in helm chart#528

Open
5rk7n wants to merge 3 commits into jonwiggins:main from 5rk7n:main

Conversation

@5rk7n 5rk7n commented May 3, 2026

Summary

The Helm chart template is currently missing values validation for OIDC authentication. This MR updates the template helpers to correctly validate and support OIDC configuration.

Changes

Added a missing conditional check (OR logic) in the Helm template helpers to support and validate auth.oidc.clientId configurations.

Testing

  • Tests pass (pnpm turbo test)
  • Typechecks pass (pnpm turbo typecheck)
  • Helm validation (helm lint)
  • Local dry-run installation with OIDC enabled (helm install --dry-run --debug)

Related

Closes #

Screenshots

@jonwiggins jonwiggins (Owner) left a comment


Thanks for catching this — the helm validator was definitely missing OIDC.

One blocker before this is ready: the validation should key on .Values.auth.oidc.issuerUrl, not .clientId. Everywhere else in the chart and runtime, OIDC presence is detected via issuerUrl:

  • helm/optio/templates/secrets.yaml:42 only emits OIDC_* env vars when auth.oidc.issuerUrl is set
  • apps/api/src/services/oauth/index.ts:35 activates the provider only when process.env.OIDC_ISSUER_URL is set

As-is, a user who sets only auth.oidc.clientId (without issuerUrl) would pass helm validation but get no actual OIDC provider at runtime — recreating the silent-misconfig class the validator exists to prevent. Your updated error message even hints at this with "with corresponding clientSecret/issuerUrl as needed".

Could you swap the check to .Values.auth.oidc.issuerUrl (or require both)? Once that's done it's good to go.
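To make the review point concrete, here is an added example that is not part of the pull request or the chart: it runs two constructed stand-ins for the `$hasProvider` helper through Go's text/template engine (what Helm renders with), one keyed on `auth.oidc.clientId` and one on `auth.oidc.issuerUrl`, next to a stand-in for the runtime gate that only activates the provider when the issuer URL is set. The template strings, `Values`, `Validate` and `RuntimeActivatesOIDC` are assumptions for this example, not the chart's or the API's own code.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"text/template"
)

// Constructed stand-ins for the chart's $hasProvider helper (not its own
// _helpers.tpl): oldCheck keys OIDC on clientId as the PR's first revision did,
// newCheck on issuerUrl as requested in review; nested `or` calls are flattened.
const oldCheck = `{{- $hasProvider := or .Values.auth.github.clientId .Values.auth.google.clientId .Values.auth.gitlab.clientId .Values.auth.oidc.clientId -}}
{{- if not $hasProvider -}}{{- fail "At least one OAuth provider must be configured when auth is enabled." -}}{{- end -}}`
const newCheck = `{{- $hasProvider := or .Values.auth.github.clientId .Values.auth.google.clientId .Values.auth.gitlab.clientId .Values.auth.oidc.issuerUrl -}}
{{- if not $hasProvider -}}{{- fail "At least one OAuth provider must be configured when auth is enabled." -}}{{- end -}}`

// Values builds a values tree with every auth key present (as values.yaml
// defaults would), so lookups never hit a missing key; only oidc keys are set.
func Values(oidc map[string]interface{}) map[string]interface{} {
	empty := func() map[string]interface{} { return map[string]interface{}{"clientId": "", "clientSecret": ""} }
	o := map[string]interface{}{"clientId": "", "clientSecret": "", "issuerUrl": ""}
	for k, v := range oidc {
		o[k] = v
	}
	return map[string]interface{}{"auth": map[string]interface{}{
		"github": empty(), "google": empty(), "gitlab": empty(), "oidc": o}}
}

// Validate renders a helper the way helm would: nil means the chart accepts
// the configuration, otherwise the error carries the fail message.
func Validate(helper string, vals map[string]interface{}) error {
	t, err := template.New("helper").Funcs(template.FuncMap{
		"fail": func(msg string) (string, error) { return "", errors.New(msg) },
	}).Parse(helper)
	if err != nil {
		return err
	}
	return t.Execute(io.Discard, map[string]interface{}{"Values": vals})
}

// RuntimeActivatesOIDC mirrors the API-side gate from the review: the provider
// is registered only when OIDC_ISSUER_URL (from auth.oidc.issuerUrl) is set.
func RuntimeActivatesOIDC(vals map[string]interface{}) bool {
	oidc := vals["auth"].(map[string]interface{})["oidc"].(map[string]interface{})
	u, _ := oidc["issuerUrl"].(string)
	return u != ""
}

func main() { // clientId only: old check passes, yet no provider activates.
	v := Values(map[string]interface{}{"clientId": "optio"})
	fmt.Println("old:", Validate(oldCheck, v), "| runtime:", RuntimeActivatesOIDC(v), "| new:", Validate(newCheck, v))
}
```

With only `clientId` set, `oldCheck` returns nil while `RuntimeActivatesOIDC` returns false, which is the silent-misconfig case; `newCheck` rejects the same values at `helm install` time.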

@5rk7n 5rk7n requested a review from jonwiggins May 4, 2026 11:49
Comment thread helm/optio/templates/_helpers.tpl Outdated
{{- $hasProvider := or .Values.auth.github.clientId (or .Values.auth.google.clientId (or .Values.auth.gitlab.clientId .Values.auth.oidc.issuerUrl)) -}}
{{- if not $hasProvider -}}
{{- fail "At least one OAuth provider must be configured when auth is enabled. Set auth.github.clientId, auth.google.clientId, or auth.gitlab.clientId (with corresponding clientSecret)." -}}
{{- fail "At least one OAuth provider must be configured when auth is enabled. Set auth.github.clientId, auth.google.clientId, auth.gitlab.clientId, or auth.oidc.issuerUrl (with corresponding clinetId, clientSecret as needed)." -}}
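Review bot: Go template `or` is variadic, so the `$hasProvider` line does not need the nested `(or ... (or ...))`; `or .Values.auth.github.clientId .Values.auth.google.clientId .Values.auth.gitlab.clientId .Values.auth.oidc.issuerUrl` evaluates the same and is easier to extend with the next provider. The updated fail message also contains `clinetId` where it should read `clientId`; since this is the text an operator sees when the install is refused, it is worth fixing in the same commit.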
Owner: Tiny typo: clinetId → clientId in this user-facing error message.

Author: Oh, sorry for that. Fixed the typo in the messages now.

@5rk7n 5rk7n requested a review from jonwiggins May 5, 2026 09:41