fix(apps): make actual-budget chart-schema satisfaction offline-resolvable (existingSecret instead of valuesFrom clientSecret) #2385

Description

@devantler

🤖 Generated by the Daily AI Assistant

Problem. The actual-budget HelmRelease satisfies the chart's login.openid values-schema (oneOf) via a valuesFrom Secret injection (actual-budget-oidc → login.openid.clientSecret, branch 1 of the oneOf). That only resolves on-cluster: any offline render (ksail's in-process Helm render in CI, once re-enabled by #2273) can't read the Secret, so the chart template fails schema validation and ksail downgrades to a render-skip warning — CI never actually validates actual-budget's rendered resources.

Proposed direction. Switch the schema-satisfaction to the statically-resolvable oneOf branch 3: in k8s/bases/apps/actual-budget/helm-release.yaml set

login:
  openid:
    existingSecret:
      name: actual-budget-oidc
      clientSecretKey: client-secret

and remove the valuesFrom block (mandatory: with both present at live-upgrade time, oneOf matches branches 1 and 3 → "exactly one" fails and wedges the upgrade).

Verified runtime-inert (chart 1.9.0 pulled and inspected):

  • The chart's entire OpenID surface — the existingSecret env block and templates/secret.yaml — is gated on ingress.enabled (disabled here; we use an HTTPRoute), so nothing rendered changes.
  • The live OIDC config is entirely the postRenderer-injected ACTUAL_OPENID_* env (client secret already via secretKeyRef), independent of values.
  • oneOf branch 3 requires discoveryUrl (present) + existingSecret.name/clientSecretKey only; the empty clientSecret keeps branch 1 unmatched → exactly one branch matches, offline and live.

Acceptance criteria.

  • ksail workload validate (both overlays) emits no skipped Helm render for HelmRelease actual-budget/actual-budget warning on a branch with in-process render enabled (e.g. ci: re-enable in-process Helm render in validate (revert --skip-helm-render) #2273's).
  • Rendered prod manifests are byte-identical apart from the HelmRelease spec itself (no Deployment/Secret diff).
  • Live prod helm upgrade still succeeds (schema branch 3), OIDC login still works.

Rough size. S (one file, but prod-values blast radius → careful promotion).

Context: #2273 (render re-enable, where the warning surfaces), #2359 (the original schema-filler fix this refines).
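
The oneOf reasoning in the issue above, as an added example that is not part of the original issue or the chart: it models only branches 1 and 3 as the issue describes them and emulates a valuesFrom targetPath injection. The branch predicates, the discovery URL, the secret value and all function names are assumptions; the chart's real schema file is not reproduced here.

```python
# Added example: models oneOf branches 1 and 3 as the issue text describes them.
# The predicates are assumptions from the issue, not the chart's schema file.
import copy

def set_path(values, dotted, value):
    """Emulate a Flux valuesFrom targetPath injection into the values tree."""
    node = values
    *parents, leaf = dotted.split(".")
    for key in parents:
        node = node.setdefault(key, {})
    node[leaf] = value

def matched_branches(values):
    """Return which of branches 1 and 3 the login.openid values satisfy."""
    oid = values.get("login", {}).get("openid", {})
    existing = oid.get("existingSecret") or {}
    matched = []
    if oid.get("clientSecret"):  # branch 1: non-empty inline clientSecret
        matched.append(1)
    if oid.get("discoveryUrl") and existing.get("name") and existing.get("clientSecretKey"):
        matched.append(3)  # branch 3: discoveryUrl plus existingSecret reference
    return matched

def render(values, values_from, secret_readable):
    """Merge values the way an offline render or a live upgrade would see them."""
    merged = copy.deepcopy(values)
    if secret_readable:  # offline renders cannot read the Secret, so nothing is injected
        for target_path, secret_value in values_from.items():
            set_path(merged, target_path, secret_value)
    return matched_branches(merged)

# Constructed sample inputs; the URL and the secret value are placeholders.
BASE = {"login": {"openid": {"discoveryUrl": "https://idp.example.invalid/discovery",
                             "clientSecret": ""}}}
EXISTING = {"name": "actual-budget-oidc", "clientSecretKey": "client-secret"}
VALUES_FROM = {"login.openid.clientSecret": "constructed-secret-value"}

def scenarios():
    proposed = copy.deepcopy(BASE)
    proposed["login"]["openid"]["existingSecret"] = dict(EXISTING)
    return {
        "current_offline": render(BASE, VALUES_FROM, False),
        "current_live": render(BASE, VALUES_FROM, True),
        "both_live": render(proposed, VALUES_FROM, True),
        "proposed_offline": render(proposed, {}, False),
        "proposed_live": render(proposed, {}, True),
    }

if __name__ == "__main__":
    for name, branches in scenarios().items():
        print(f"{name}: matched={branches} valid={len(branches) == 1}")
```

A configuration is schema-valid only when exactly one branch matches, which is why the valuesFrom block has to be removed in the same change that adds existingSecret.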
