Bugfix/fix kk configure reconciliation

[klinch0]

Summary by CodeRabbit

• Configuration Update
  • Added a new configHash field in the keycloak-configure release for both paas-full and paas-hosted configurations.
  • Introduced a SHA256 checksum mechanism for the cozyConfig data to enhance configuration integrity checks.

[coderabbitai]

Walkthrough

The pull request introduces a new values field under the keycloak-configure release in two YAML files (paas-full.yaml and paas-hosted.yaml). This field includes a new key configHash, which is assigned a value generated by converting the $cozyConfig data to JSON format and applying a SHA256 checksum to it. The existing logic for conditional inclusion of the keycloak related releases based on the oidcEnabled variable remains unchanged.

Changes

File	Change Summary
packages/core/platform/bundles/paas-full.yaml	Added values field with configHash for SHA256 hash of $cozyConfig data
packages/core/platform/bundles/paas-hosted.yaml	Added values field with configHash for SHA256 hash of cozyConfig derived from cozystack ConfigMap

Poem

🐰 A Rabbit's Configuration Ode 🔒
In YAML's realm, a hash takes flight,
Cozystack's secrets sealed up tight,
SHA256, my crypto friend,
Ensuring data won't pretend!
A checksum dance of pure delight! 🔐

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

packages/core/platform/bundles/paas-full.yaml (1)

302-304: Consider extracting common code to a template.

The cozyValues implementation is identical in both paas-hosted.yaml and paas-full.yaml. To maintain consistency and ease maintenance, consider extracting this to a shared template.

Create a new template file (e.g., _keycloak_helpers.tpl):

{{- define "keycloak.cozyValues" -}}
{{- $config := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
{{- if not $config }}
{{- fail "ERROR: cozystack ConfigMap not found in cozy-system namespace" }}
{{- end }}
{{ $config.data | toJson | sha256sum }}
{{- end -}}

Then use it in both files:

  values:
    cozyValues: |
-      {{ (lookup "v1" "ConfigMap" "cozy-system" "cozystack").data | toJson | sha256sum }}
+      {{ include "keycloak.cozyValues" . }}

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cfb171b and 7afb85e.

📒 Files selected for processing (2)

• packages/core/platform/bundles/paas-full.yaml (1 hunks)
• packages/core/platform/bundles/paas-hosted.yaml (1 hunks)

🔇 Additional comments (2)

packages/core/platform/bundles/paas-hosted.yaml (1)

198-200: Verify the impact on Keycloak configuration reconciliation.

The SHA256 checksum of the ConfigMap data is used to trigger reconciliation. Let's verify if this approach effectively solves the configuration update issue.

✅ Verification successful

The SHA256 checksum approach effectively triggers Keycloak configuration reconciliation

The implementation correctly uses Helm's value injection mechanism to detect ConfigMap changes and trigger reconciliation. Recent PRs (#508, #509) have addressed configuration drift issues, and ongoing improvements (#589) demonstrate active maintenance of this functionality.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check if there are any reported issues or discussions about Keycloak configuration not updating
# when ConfigMap changes.

# Search for related issues or discussions
gh issue list --search "keycloak configuration update" --state all
gh pr list --search "keycloak configuration" --state all

# Check for patterns indicating configuration update issues
rg -i "keycloak.*config.*update" 
rg -i "keycloak.*reconcil"

Length of output: 2795

---

Script:

#!/bin/bash
# Search for Keycloak configuration and reconciliation implementation
rg -i "configmap.*cozystack" -A 5
rg -i "sha256.*config" -A 5

# Find Keycloak controller or reconciliation logic
ast-grep --pattern 'func $_($$$ *Reconcile* $$$) {
  $$$
}'

# Check for any Helm templates or values files related to Keycloak configuration
fd -e yaml -e tpl . packages/system/keycloak --exec grep -l -i "config"

Length of output: 19366

packages/core/platform/bundles/paas-full.yaml (1)

302-304: Verify template usage across the codebase.

Let's check if there are other similar patterns that could benefit from templating.

✅ Verification successful

Template usage is consistent and follows best practices

The codebase already demonstrates a consistent pattern of storing the ConfigMap lookup in $cozyConfig variable across multiple files, and the SHA256 usage is appropriately limited to bundle files where needed. No additional templating improvements are required.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Look for similar patterns of ConfigMap lookups that could be templated

# Search for ConfigMap lookups
rg 'lookup.*ConfigMap.*cozystack'

# Search for SHA256 usage
rg 'toJson \| sha256sum'

# Look for existing template patterns
rg '{{- define.*}}'

Length of output: 3500

[coderabbitai]

🛠️ Refactor suggestion

Add error handling for ConfigMap lookup.

The code assumes that the cozystack ConfigMap exists in the cozy-system namespace. While this is likely true given the context, it's better to handle potential errors gracefully.

Consider adding a check:

  values:
    cozyValues: |
-      {{ (lookup "v1" "ConfigMap" "cozy-system" "cozystack").data | toJson | sha256sum }}
+      {{- $config := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+      {{- if not $config }}
+      {{- fail "ERROR: cozystack ConfigMap not found in cozy-system namespace" }}
+      {{- end }}
+      {{ $config.data | toJson | sha256sum }}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	values:
	cozyValues: |
	{{ (lookup "v1" "ConfigMap" "cozy-system" "cozystack").data | toJson | sha256sum }}
	values:
	cozyValues: |
	{{- $config := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
	{{- if not $config }}
	{{- fail "ERROR: cozystack ConfigMap not found in cozy-system namespace" }}
	{{- end }}
	{{ $config.data | toJson | sha256sum }}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

packages/core/platform/bundles/paas-full.yaml (1)

302-304: Consider restructuring the values section as previously suggested.

The current structure differs from the previously suggested format. Consider using the nested structure to maintain consistency:

   values:
-    cozystack:
-      configHash: {{ $cozyConfig | toJson | sha256sum }}
+    cozystack:
+      configHash: {{ $cozyConfig | toJson | sha256sum }}

This maintains better alignment with Helm's value structure conventions.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7afb85e and b33d348.

📒 Files selected for processing (2)

• packages/core/platform/bundles/paas-full.yaml (1 hunks)
• packages/core/platform/bundles/paas-hosted.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/core/platform/bundles/paas-hosted.yaml

🔇 Additional comments (1)

packages/core/platform/bundles/paas-full.yaml (1)

302-304: Review impact on dependent services.

The addition of the configHash will trigger reconciliation of the keycloak-configure release whenever the ConfigMap changes. This could cascade to dependent services like dashboard. Ensure this is the intended behavior and that the hash computation only includes configuration fields that should trigger a reconciliation.

Let's check the dependency chain:

✅ Verification successful

Implementation follows configuration management best practices

The configHash implementation is consistent across files and properly scoped to $cozyConfig. The dependency chain is well-structured with explicit declarations and appropriate conditional logic for OIDC-enabled scenarios. The cascading reconciliation behavior is intentional and follows standard Kubernetes configuration management patterns.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check services that depend on keycloak-configure

# Find all releases that depend on keycloak-configure
rg -l "dependsOn.*keycloak-configure" --type yaml

Length of output: 145

---

Script:

#!/bin/bash
# Get the dependency context and configHash usage

# Show dependencies on keycloak-configure with context
rg "dependsOn.*keycloak-configure" --type yaml -B 2 -A 2

# Check for similar configHash patterns
rg "configHash.*sha256sum" --type yaml

Length of output: 1398

[coderabbitai]

💡 Codebase verification

Consider using a deterministic approach for configuration hashing

The current implementation hashes the entire ConfigMap using toJson, which may lead to inconsistent hashes due to non-deterministic key ordering in JSON serialization. This could trigger unnecessary reconciliations of the keycloak-configure release.

Recommended solutions:

• Extract and sort only the relevant configuration fields before hashing
• Use a template function to create an ordered string representation of the required fields

Example approach:

configHash: {{ printf "%s:%s:%s" $cozyConfig.data.oidc-enabled $cozyConfig.data.root-host $cozyConfig.data.api-server-endpoint | sha256sum }}

🔗 Analysis chain

Verify the hash computation's stability across reconciliations.

The toJson conversion of the entire ConfigMap might lead to inconsistent hashes if the fields are not ordered consistently. Consider either:

1. Sorting the keys before hashing
2. Hashing only specific fields that affect the Keycloak configuration

Let's verify the ConfigMap structure and potential hash variations:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check the ConfigMap structure and field ordering

# Get the ConfigMap structure
kubectl get configmap cozystack -n cozy-system -o yaml

# Check if there are any other consumers of this hash
rg -l "configHash" --type yaml

Length of output: 279

---

Script:

#!/bin/bash
# Check how $cozyConfig is constructed and used
rg -A 5 -B 5 "\$cozyConfig" --type yaml

# Look for any helper functions or templates that might handle JSON processing
fd "helpers|functions" --type yaml --exec cat {}

# Get full content of both files to compare usage
cat packages/core/platform/bundles/paas-hosted.yaml packages/core/platform/bundles/paas-full.yaml

Length of output: 13942

[kvaps]

LGTM