Problem. The actual-budget HelmRelease satisfies the chart's login.openid values-schema (oneOf) via a valuesFrom Secret injection (actual-budget-oidc → login.openid.clientSecret, branch 1 of the oneOf). That only resolves on-cluster: any offline render (ksail's in-process Helm render in CI, once re-enabled by #2273) can't read the Secret, so the chart template fails schema validation and ksail downgrades to a render-skip warning; CI never actually validates actual-budget's rendered resources.
Proposed direction. Switch the schema-satisfaction to the statically-resolvable oneOf branch 3: in k8s/bases/apps/actual-budget/helm-release.yaml set
and remove the valuesFrom block (mandatory: with both present at live-upgrade time, oneOf matches branches 1 and 3; "exactly one" fails and wedges the upgrade).
Verified runtime-inert (chart 1.9.0 pulled and inspected):
The chart's entire OpenID surface (the existingSecret env block and templates/secret.yaml) is gated on ingress.enabled (disabled here; we use an HTTPRoute), so nothing rendered changes.
The live OIDC config is entirely the postRenderer-injected ACTUAL_OPENID_* env (client secret already via secretKeyRef), independent of values.
oneOf branch 3 requires discoveryUrl (present) + existingSecret.name/clientSecretKey only; the empty clientSecret keeps branch 1 unmatched: exactly one branch matches, offline and live.
Acceptance criteria.
ksail workload validate (both overlays) emits no "skipped Helm render for HelmRelease actual-budget/actual-budget" warning on a branch with in-process render enabled (e.g. ci: re-enable in-process Helm render in validate (revert --skip-helm-render) #2273's).
helm upgrade still succeeds (schema branch 3), OIDC login still works.
Rough size. S (one file, but prod-values blast radius: careful promotion).
Context: #2273 (render re-enable, where the warning surfaces), #2359 (the original schema-filler fix this refines).
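
The oneOf reasoning in this issue, worked through as an added example (not code from the issue, the chart or ksail). The two branch conditions are assumptions inferred from the issue's wording, branch 2 is left out because the issue does not describe it, and every value is a constructed placeholder.

```python
# Simplified model of the login.openid oneOf check described in the issue.
# ASSUMPTION: branch conditions are inferred from the issue text, not read
# from the chart's values.schema.json. Branch 2 is not described and is omitted.

def nonempty(d, *path):
    """True if the nested key exists and holds a non-empty string."""
    for key in path:
        if not isinstance(d, dict) or key not in d:
            return False
        d = d[key]
    return isinstance(d, str) and d != ""

BRANCHES = {
    # Branch 1: inline client secret (what the valuesFrom injection satisfies).
    1: lambda o: nonempty(o, "discoveryUrl") and nonempty(o, "clientSecret"),
    # Branch 3: reference to an existing Secret; resolvable without the cluster.
    3: lambda o: (nonempty(o, "discoveryUrl")
                  and nonempty(o, "existingSecret", "name")
                  and nonempty(o, "existingSecret", "clientSecretKey")),
}

def matching_branches(openid):
    return sorted(n for n, ok in BRANCHES.items() if ok(openid))

def one_of_passes(openid):
    # JSON Schema oneOf: exactly one branch must match, not "at least one".
    return len(matching_branches(openid)) == 1

def render_values(static, values_from=None, on_cluster=False):
    """Overlay valuesFrom on the static values only when the Secret is readable."""
    merged = dict(static)
    if values_from and on_cluster:
        merged.update(values_from)
    return merged

# Constructed sample values (placeholders, not the repository's real ones).
BEFORE = {"discoveryUrl": "https://idp.example/.well-known/openid-configuration"}
AFTER = dict(BEFORE, clientSecret="",
             existingSecret={"name": "placeholder-secret",
                             "clientSecretKey": "placeholder-key"})
INJECTED = {"clientSecret": "value-from-secret"}  # what valuesFrom would supply

if __name__ == "__main__":
    for label, static, vf in [("before", BEFORE, INJECTED),
                              ("after + valuesFrom kept", AFTER, INJECTED),
                              ("after, valuesFrom removed", AFTER, None)]:
        for on_cluster in (False, True):
            v = render_values(static, vf, on_cluster)
            where = "live" if on_cluster else "offline"
            print(f"{label:27} {where:8} branches={matching_branches(v)} ok={one_of_passes(v)}")
```
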