
feat(t8s-cluster/management-cluster): add OIDC settings#2170

Merged
cwrau merged 1 commit into main from feat/t8s-cluster/add-oidc-settings on May 19, 2026

Conversation

@cwrau
Member

@cwrau cwrau commented May 19, 2026

that way we can add the customers' OIDC server

Summary by CodeRabbit

  • New Features
    • Dynamic OIDC provider support: configure multiple JWT issuers with per-provider audiences, claim mappings, and validation rules.
    • Per-provider TLS trust (certificate authority) support for issuer verification.
    • Authentication config and generated files are emitted only for non-hosted control planes.
    • Values schema and defaults added to validate and demonstrate oidcProviders configuration.


Copilot AI review requested due to automatic review settings May 19, 2026 08:50
@cwrau cwrau enabled auto-merge May 19, 2026 08:50
@coderabbitai

coderabbitai Bot commented May 19, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0f607bad-027a-4735-bd92-2d167471287a

📥 Commits

Reviewing files that changed from the base of the PR and between 33bf835 and f229971.

📒 Files selected for processing (5)
  • charts/t8s-cluster/templates/management-cluster/clusterClass/_authenticationConfig.yaml
  • charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl
  • charts/t8s-cluster/templates/management-cluster/clusterClass/hostedControlPlaneTemplate/_hostedControlPlaneTemplateSpec.yaml
  • charts/t8s-cluster/values.schema.json
  • charts/t8s-cluster/values.yaml
🚧 Files skipped from review as they are similar to previous changes (4)
  • charts/t8s-cluster/templates/management-cluster/clusterClass/hostedControlPlaneTemplate/_hostedControlPlaneTemplateSpec.yaml
  • charts/t8s-cluster/values.schema.json
  • charts/t8s-cluster/values.yaml
  • charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl

📝 Walkthrough

This PR refactors the Kubernetes API server OIDC authentication configuration from static issuer blocks into a data-driven model. OIDC providers are now defined in a structured Helm values schema and rendered dynamically into authentication configurations, with special handling for hosted versus non-hosted control planes.

Changes

OIDC Configuration Data-Driven Migration

Layer: Schema and configuration values foundation
Files: charts/t8s-cluster/values.schema.json, charts/t8s-cluster/values.yaml
Summary: A new oidcProviders root-level schema property is defined (HTTPS issuer keys) with required audiences and claimMappings (username required, groups optional), optional certificateAuthority and claimValidationRules, and additionalProperties: false. Default values add two providers with kubernetes audience, username-from-email claim mapping, prefixed groups mapping, and email_verified validation rules.

Layer: Data-driven authentication config rendering
Files: charts/t8s-cluster/templates/management-cluster/clusterClass/_authenticationConfig.yaml
Summary: Replaces the static JWT AuthenticationConfiguration with a Helm loop over .Values.oidcProviders, emitting per-provider issuer blocks (url, optional certificateAuthority, audiences, claimMappings, optional claimValidationRules).

Layer: Control plane deployment conditionals
Files: charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl, charts/t8s-cluster/templates/management-cluster/clusterClass/hostedControlPlaneTemplate/_hostedControlPlaneTemplateSpec.yaml
Summary: authentication-config kube-apiserver argument and dynamic file are emitted only when controlPlane.hosted is false; when oidcProviders is set it is passed into the hosted control plane spec for hosted deployments.

Sequence Diagram

sequenceDiagram
    participant HelmValues as Helm Values
    participant NonHostedTemplate as Non-Hosted Template
    participant HostedTemplate as Hosted Template
    participant ApiServerConfig as API Server Config
    HelmValues->>NonHostedTemplate: oidcProviders, controlPlane.hosted=false
    NonHostedTemplate->>NonHostedTemplate: Loop over oidcProviders
    NonHostedTemplate->>NonHostedTemplate: Render authenticationConfig
    NonHostedTemplate->>NonHostedTemplate: Add authentication-config argument
    NonHostedTemplate->>NonHostedTemplate: Generate dynamic auth file
    NonHostedTemplate->>ApiServerConfig: Complete manifest with auth config
    HelmValues->>HostedTemplate: oidcProviders, controlPlane.hosted=true
    HostedTemplate->>HostedTemplate: Pass oidcProviders to spec
    HostedTemplate->>ApiServerConfig: Hosted plane spec with oidcProviders

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related PRs

  • teutonet/teutonet-helm-charts#1703: Introduces the same two OIDC issuers (staff-auth.k8s.teuto.net, auth.k8s.teuto.net) with identical claim mappings and email verification validation rules that this PR generalizes to a parameterized structure.
  • teutonet/teutonet-helm-charts#1498: Modifies the authentication config to produce groups claim mappings with the teuto.net: prefix behavior now parameterized here.
  • teutonet/teutonet-helm-charts#2039: Updates the same _helpers.tpl dynamic files logic related to emitting authentication configuration artifacts.

Suggested reviewers

  • tasches
  • marvinWolff
  • teutonet-bot

Poem

🐰 I stitched values to issuers, looped them neat and clever,
No more hardcoded blocks — now providers flow forever.
Hosted or not, the template knows the plan,
Values sing to manifests, as only rabbits can. 🥕

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check (✅ Passed): Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check (✅ Passed): The title 'feat(t8s-cluster/management-cluster): add OIDC settings' accurately summarizes the main change in the pull request: adding OIDC provider configuration support to the t8s-cluster Helm chart.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@charts/t8s-cluster/templates/management-cluster/clusterClass/_authenticationConfig.yaml`:
- Around line 12-16: The CEL expression strings for the expression fields are
unquoted and can be mis-parsed as YAML scalars (e.g., true/false, numbers);
update the template where expression: {{ $provider.claimMappings.username }} and
expression: {{ . }} (inside the with $provider.claimMappings.groups block) to
apply the quote filter so both rendered expressions are emitted as YAML strings
(use the Helm quote filter on $provider.claimMappings.username and on the groups
expression placeholder) ensuring the expression values are always quoted in the
generated YAML.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7b9012b0-b5b7-4fd3-a397-29d273a786ff

📥 Commits

Reviewing files that changed from the base of the PR and between 7af4f35 and 33bf835.

📒 Files selected for processing (5)
  • charts/t8s-cluster/templates/management-cluster/clusterClass/_authenticationConfig.yaml
  • charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl
  • charts/t8s-cluster/templates/management-cluster/clusterClass/hostedControlPlaneTemplate/_hostedControlPlaneTemplateSpec.yaml
  • charts/t8s-cluster/values.schema.json
  • charts/t8s-cluster/values.yaml


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces support for OIDC providers in the t8s-cluster chart, enabling structured JWT authentication. The changes include updates to the values schema, template files, and helper functions to dynamically render OIDC provider configurations. The review identified a bug regarding the argument order in the mustMerge function within _authenticationConfig.yaml and suggested an improvement to include the certificateAuthority field in the template.


Copilot AI left a comment


Pull request overview

This PR makes OIDC/JWT authentication provider configuration configurable via chart values so clusters can be pointed at customer-specific OIDC issuers, and wires those settings into both hosted and non-hosted control plane rendering.

Changes:

  • Added oidcProviders defaults to values.yaml and validation to values.schema.json.
  • Rendered oidcProviders into the hosted control plane spec when present.
  • Updated api-server args and dynamic file generation to skip --authentication-config for hosted control planes, while generating an AuthenticationConfiguration from values for non-hosted clusters.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file
  • charts/t8s-cluster/values.yaml: Introduces default oidcProviders configuration entries.
  • charts/t8s-cluster/values.schema.json: Adds schema/validation for oidcProviders (audiences, mappings, validation rules, CA).
  • charts/t8s-cluster/templates/management-cluster/clusterClass/hostedControlPlaneTemplate/_hostedControlPlaneTemplateSpec.yaml: Passes oidcProviders into the hosted control plane spec when configured.
  • charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl: Avoids generating/using authentication-config for hosted control planes.
  • charts/t8s-cluster/templates/management-cluster/clusterClass/_authenticationConfig.yaml: Generates AuthenticationConfiguration jwt authenticators from .Values.oidcProviders.
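Two points raised in this thread are easier to see in a runnable model than in the bot summaries: the walkthrough's description of the data-driven render (one issuer block per oidcProviders entry, emitted only for non-hosted control planes) and CodeRabbit's finding that the CEL expression fields must pass through the quote filter so they are always emitted as YAML strings. The Go program below is an added example, not the chart's _authenticationConfig.yaml or any code from this PR: it uses text/template with a quote function that does what Sprig's quote (Helm's quote filter) does, a Go %q literal, and a template whose structure follows the PR summary. The struct field names, the validation function, and the example.com issuer values are assumptions constructed for the example; the chart's actual value keys and template text are not reproduced.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"text/template"
)

// ClaimValidationRule is one claimValidationRules entry: a CEL expression and a message.
type ClaimValidationRule struct {
	Expression string
	Message    string
}

// OIDCProvider is the value of one oidcProviders entry, keyed by issuer URL.
// Field names are this example's own; the value keys follow the PR summary.
type OIDCProvider struct {
	CertificateAuthority string                // optional PEM bundle for the issuer
	Audiences            []string              // required
	Username             string                // claimMappings.username CEL expression, required
	Groups               string                // claimMappings.groups CEL expression, optional
	ClaimValidationRules []ClaimValidationRule // optional
}

// authConfigTemplate is a stand-in for the chart's template, written from the PR
// summary: a loop over providers emitting issuer, audiences, claimMappings and
// claimValidationRules. Every free-form string goes through quote so it is rendered
// as a YAML double-quoted scalar, which is the fix CodeRabbit asked for.
const authConfigTemplate = `apiVersion: apiserver.config.k8s.io/v1
kind: AuthenticationConfiguration
jwt:
{{- range $issuer, $provider := .Providers }}
  - issuer:
      url: {{ $issuer | quote }}
{{- with $provider.CertificateAuthority }}
      certificateAuthority: {{ . | quote }}
{{- end }}
      audiences:
{{- range $provider.Audiences }}
        - {{ . | quote }}
{{- end }}
    claimMappings:
      username:
        expression: {{ $provider.Username | quote }}
{{- with $provider.Groups }}
      groups:
        expression: {{ . | quote }}
{{- end }}
{{- with $provider.ClaimValidationRules }}
    claimValidationRules:
{{- range . }}
      - expression: {{ .Expression | quote }}
        message: {{ .Message | quote }}
{{- end }}
{{- end }}
{{- end }}
`

// quote behaves like Sprig's quote (Helm's quote filter): a Go %q literal, which is a
// valid YAML double-quoted scalar with embedded quotes and newlines escaped.
func quote(s string) string { return fmt.Sprintf("%q", s) }

// ValidateProviders applies the constraints the PR describes for values.schema.json:
// HTTPS issuer keys, a non-empty audiences list and a username claim mapping.
func ValidateProviders(providers map[string]OIDCProvider) error {
	for issuer, p := range providers {
		switch {
		case !strings.HasPrefix(issuer, "https://"):
			return fmt.Errorf("issuer %q: key must be an HTTPS URL", issuer)
		case len(p.Audiences) == 0:
			return fmt.Errorf("issuer %q: audiences is required", issuer)
		case p.Username == "":
			return fmt.Errorf("issuer %q: claimMappings.username is required", issuer)
		}
	}
	return nil
}

// RenderAuthenticationConfig returns the AuthenticationConfiguration document for a
// non-hosted control plane, or "" when the control plane is hosted (the PR emits the
// file and the --authentication-config argument only in the non-hosted case).
func RenderAuthenticationConfig(hosted bool, providers map[string]OIDCProvider) (string, error) {
	if hosted {
		return "", nil
	}
	if len(providers) == 0 {
		return "", errors.New("no oidcProviders configured")
	}
	if err := ValidateProviders(providers); err != nil {
		return "", err
	}
	tmpl, err := template.New("auth").Funcs(template.FuncMap{"quote": quote}).Parse(authConfigTemplate)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := tmpl.Execute(&sb, map[string]interface{}{"Providers": providers}); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	// Constructed sample values; the issuer host is a placeholder, not a real provider.
	providers := map[string]OIDCProvider{
		"https://auth.example.com": {
			Audiences: []string{"kubernetes"},
			Username:  "claims.email",
			Groups:    `claims.groups.map(g, "example:" + g)`,
			ClaimValidationRules: []ClaimValidationRule{{
				Expression: "claims.email_verified == true",
				Message:    "email must be verified",
			}},
		},
	}
	out, err := RenderAuthenticationConfig(false, providers)
	if err != nil {
		fmt.Println("render failed:", err)
		return
	}
	fmt.Print(out)
}
```

Running it prints the document with every issuer URL, audience, expression and message as a double-quoted scalar, so an expression containing `: ` or starting with `[`, or a message that YAML would otherwise resolve as a boolean or number, can no longer change the shape of the document; with hosted set to true nothing is rendered, matching the PR's conditional. The text/template map range visits keys in sorted order, so the output is stable across runs.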


that way we can add the customers' OIDC server
@cwrau cwrau force-pushed the feat/t8s-cluster/add-oidc-settings branch from 33bf835 to f229971 on May 19, 2026 09:57
@cwrau cwrau added this pull request to the merge queue May 19, 2026
Merged via the queue into main with commit 2c3b746 May 19, 2026
31 of 32 checks passed
@cwrau cwrau deleted the feat/t8s-cluster/add-oidc-settings branch May 19, 2026 11:34