feat: add sso cookie domain to helm values#2444

Merged
wilsonrivera merged 8 commits into main from wilson/eng-5025-keycloak-device-auth-page-should-show-sso-options
Mar 3, 2026

@wilsonrivera wilsonrivera commented Jan 9, 2026

Summary by CodeRabbit

  • New Features

    • Added new configuration option to specify the domain for SSO authentication cookies, enabling flexible cookie scope management.
  • Documentation

    • Updated Helm chart documentation and configuration values with the new SSO cookie domain setting (default: .wundergraph.local).

Checklist

  • I have discussed my proposed changes in an issue and have received approval to proceed.
  • I have followed the coding standards of the project.
  • Tests or benchmarks have been added or updated.
  • Documentation has been updated on https://github.com/wundergraph/cosmo-docs.
  • I have read the Contributors Guide.

coderabbitai bot commented Jan 9, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3330936 and b2e8480.

📒 Files selected for processing (2)
  • helm/cosmo/charts/controlplane/templates/config-map.yaml
  • helm/cosmo/charts/controlplane/templates/deployment.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • helm/cosmo/charts/controlplane/templates/deployment.yaml

Walkthrough

Added SSO cookie domain configuration to the Helm chart. Introduces AUTH_SSO_COOKIE_DOMAIN environment variable with default domain of .wundergraph.local across deployment template, values, config-map template, and documentation files.

Changes

| Cohort / File(s) | Summary |
|---|---|
| SSO Cookie Domain Configuration: helm/cosmo/charts/controlplane/templates/deployment.yaml, helm/cosmo/charts/controlplane/templates/config-map.yaml, helm/cosmo/charts/controlplane/values.yaml, helm/cosmo/charts/controlplane/README.md | Added new configuration for SSO cookie domain. Deployment template now references AUTH_SSO_COOKIE_DOMAIN from configMap; config-map template includes authSsoCookieDomain field; values.yaml defines default (.wundergraph.local); README.md documents the new configuration parameter. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title clearly and accurately summarizes the main change: adding an SSO cookie domain configuration to Helm values, which is directly reflected in all modified files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
helm/cosmo/charts/controlplane/templates/deployment.yaml (1)

107-111: Verify if this environment variable should be conditional.

The AUTH_SSO_COOKIE_DOMAIN environment variable is always set, unlike optional environment variables such as OPENAI_API_KEY (lines 367-373) or CDN_BASE_URL (lines 374-380) which are wrapped in conditionals.

If SSO authentication is an optional feature, consider making this conditional to match the pattern:

♻️ Suggested conditional pattern
            - name: AUTH_JWT_SECRET
              valueFrom:
                secretKeyRef:
                  name: {{ include "controlplane.secretName" . }}
                  key: jwtSessionSecret
+            {{- if .Values.configuration.authSsoCookieDomain }}
            - name: AUTH_SSO_COOKIE_DOMAIN
              valueFrom:
                secretKeyRef:
                  name: {{ include "controlplane.secretName" . }}
                  key: authSsoCookieDomain
+            {{- end }}
            - name: DB_URL
              valueFrom:
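
Review bot: The `{{- if .Values.configuration.authSsoCookieDomain }}` guard around AUTH_SSO_COOKIE_DOMAIN has to be the same condition that guards the `authSsoCookieDomain` key in secret.yaml, because a `secretKeyRef` to a key that is absent from the Secret keeps the container from starting unless the reference carries `optional: true`. Keep the two guards identical or add `optional: true` under the `secretKeyRef`. A cookie domain is also not secret material, so a `configMapKeyRef` fits this value better than a Secret, which is where the walkthrough above says the deployment template reads it from.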

However, if SSO is a core required feature and the application expects this environment variable to always be present, then the current implementation is correct. The naming and placement are appropriate.

This verification relates to the same concern flagged in secret.yaml. Please run the verification script provided in that review comment to confirm the application's expectations.

helm/cosmo/charts/controlplane/templates/secret.yaml (1)

24-24: Wrap authSsoCookieDomain in a conditional to match the pattern for optional fields.

The code treats AUTH_SSO_COOKIE_DOMAIN as optional (it's marked .optional() in env.schema.ts and the application handles undefined values gracefully with a nullish coalescing operator). However, the Helm template unconditionally sets it in the secret, which is inconsistent with how other optional fields like smtpUsername and s3AccessKeyId are handled.

♻️ Suggested fix
  jwtSessionSecret: "{{ .Values.global.controlplane.jwtSecret }}"
+  {{- if .Values.configuration.authSsoCookieDomain }}
  authSsoCookieDomain: "{{ .Values.configuration.authSsoCookieDomain }}"
+  {{- end }}
  keycloakAdminUser: "{{ .Values.global.keycloak.adminUser }}"
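
Review bot: The guard on `authSsoCookieDomain` tests the value for truthiness, and values.yaml ships a non-empty default (`.wundergraph.local`), so with stock values the key is still rendered; the conditional only takes effect when an operator sets `configuration.authSsoCookieDomain: ""`. If the variable is meant to be absent unless configured, the default in values.yaml has to be empty as well. The value is also interpolated between literal double quotes; piping it through `quote` would keep a stray quote character in an override from producing invalid YAML.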
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 7bb0be1 and e3b1317.

📒 Files selected for processing (3)
  • helm/cosmo/charts/controlplane/templates/deployment.yaml
  • helm/cosmo/charts/controlplane/templates/secret.yaml
  • helm/cosmo/charts/controlplane/values.yaml
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: StarpTech
Repo: wundergraph/cosmo PR: 2142
File: helm/cosmo/Chart.yaml:0-0
Timestamp: 2025-08-15T10:21:45.838Z
Learning: In the WunderGraph Cosmo project, helm chart version upgrades and README badge synchronization are handled in separate helm release PRs, not in the initial version bump PRs.
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: Analyze (go)
  • GitHub Check: build_test
🔇 Additional comments (1)
helm/cosmo/charts/controlplane/values.yaml (1)

204-205: LGTM! Consider documenting production configuration.

The new authSsoCookieDomain configuration is well-placed and the comment clearly explains its purpose. The leading dot in the default value .wundergraph.local correctly allows the cookie to be shared across subdomains.

Note that users will need to override this default value for production deployments to match their actual domain (e.g., .yourdomain.com).
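
The scope of a configured cookie domain can be checked before deployment with the RFC 6265 domain-match rule. The following is an added example, not part of this thread or of the Cosmo code base; the function names and the `example.com` host names are constructed for illustration.

```javascript
// Added example: which hosts accept and receive a cookie for a configured
// AUTH_SSO_COOKIE_DOMAIN value. Host names are constructed sample values.

// RFC 6265 section 5.2.3: lowercase the Domain attribute and drop one
// leading dot, so ".example.com" and "example.com" denote the same scope.
function normalizeCookieDomain(value) {
  const v = value.trim().toLowerCase();
  return v.startsWith(".") ? v.slice(1) : v;
}

// RFC 6265 section 5.1.3: a host matches if it equals the domain, or if it
// ends with "." + domain and is a host name rather than an IP address.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = normalizeCookieDomain(cookieDomain);
  if (d === "") return false;
  if (h === d) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// accepted: whether a browser keeps a Set-Cookie with this Domain when it
//           comes from setByHost (it is dropped if the host does not match).
// sentTo:   every host in allHosts that will receive the cookie afterwards.
function cookieScope(cookieDomain, setByHost, allHosts) {
  const accepted = domainMatch(setByHost, cookieDomain);
  const sentTo = accepted
    ? allHosts.filter((h) => domainMatch(h, cookieDomain))
    : [];
  return { accepted, sentTo };
}

// Constructed deployment: control plane, identity provider, unrelated site.
const sampleHosts = [
  "cosmo.example.com",
  "accounts.example.com",
  "blog.example.com",
];

for (const domain of [".wundergraph.local", ".example.com", "cosmo.example.com"]) {
  const r = cookieScope(domain, "cosmo.example.com", sampleHosts);
  console.log(domain, "accepted:", r.accepted, "sentTo:", r.sentTo.join(", "));
}
```

With the chart default left in place on a real domain the cookie is never stored, and a registrable-domain value sends it to every subdomain, including ones unrelated to SSO.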

@StarpTech

@wilsonrivera did you test it end to end?

@github-actions

github-actions bot commented Feb 4, 2026

This PR was marked stale due to lack of activity. It will be closed in 14 days.

@github-actions github-actions bot added the Stale label Feb 4, 2026
@StarpTech

@wilsonrivera ready to merge?

@github-actions github-actions bot removed the Stale label Feb 8, 2026
@github-actions

This PR was marked stale due to lack of activity. It will be closed in 14 days.

@github-actions github-actions bot added the Stale label Feb 23, 2026
@github-actions github-actions bot removed the Stale label Feb 26, 2026
@pepol pepol left a comment

LGTM

@StarpTech StarpTech left a comment

LGTM

@wilsonrivera wilsonrivera merged commit bba8703 into main Mar 3, 2026
9 checks passed
@wilsonrivera wilsonrivera deleted the wilson/eng-5025-keycloak-device-auth-page-should-show-sso-options branch March 3, 2026 17:27