Move SSO configuration to standard tasks#214
Merged
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
config/ssoas a standard hierarchicalopstask on branch0.9.1env,envFrom, volumes, volume mounts, and annotationsconfig.jsonArchitecture
All other public
ops configcommands are task-backed. SSO was the exception:main.gointerceptedops config ssoand executed release-specific orchestration embedded in the CLI. That required publishing a new CLI for every SSO workflow change and allowed task help to become inconsistent with the installed CLI.This pull request restores the standard architecture:
The YAML is declarative. Docopt values are passed through task environment variables, including the client secret, so they are not interpolated into a shell command line. The TypeScript runner invokes
ops -configonly as a stable local-config primitive.Companion CLI PR: apache/openserverless-cli#43
Safe Kubernetes behavior
The task reads the target StatefulSet and generates JSON Patch operations only for exact, prefix-free references to its managed ConfigMap and Secret. Removal operations include JSON Patch
testguards, preventing a concurrent list change from removing the wrong entry.Repeated disable does not patch or roll out the StatefulSet. ConfigMap and Secret deletion uses
--ignore-not-found. Removing anenvFromentry changes the pod template and starts the Kubernetes rollout naturally; the task waits for it unless--no-rolloutis set and does not add a redundant restart annotation.Validation
bun test config/sso/sso.test.tsbun build config/sso/sso.ts --target=bunconfig/opsfile.ymlandconfig/sso/opsfile.ymlwith yq 4.47.1ops config ssoandops config sso --helpthrough the normal CLI task dispatcherops config sso keycloak --enable ... --no-rolloutend-to-end with an isolated home and fake kubectltesting/tests/11-sso-mock.sh kindagainst the real Kind cluster (rc=0)503, successful retry, password login, user provisioning, hello action deployment, and cleanupenvFromprobe plus existing env, mounts, volumes, and annotations survived liveenable -> disable -> enableTests cover foreign direct environment variables, ConfigMap and Secret
envFromentries, volumes, volume mounts, annotations, idempotent repeated disable, and the fullenable -> disable -> enablecycle.