Skip to content

Correct template rendering for authentication options #2808

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Oct 21, 2025
Merged

Correct template rendering for authentication options #2808

merged 3 commits into from
Oct 21, 2025

Conversation

@MonkeyCanCode
Copy link
Contributor

@MonkeyCanCode MonkeyCanCode commented Oct 14, 2025
edited
Loading

The Helm chart installation was failing with a type error when processing authentication values. This was caused by the tpl function being incorrectly used on string literals instead of templates.

This commit resolves the issue by removing the unnecessary tpl calls from the polaris.configVolumeAuthenticationOptions helper template.

Sample error reference:

➜  polaris git:(main) ✗ helm upgrade --install --namespace polaris \
  --values helm/polaris/ci/persistence-values.yaml \
  polaris helm/polaris
Release "polaris" does not exist. Installing it now.
Error: template: polaris/templates/deployment.yaml:130:12: executing "polaris/templates/deployment.yaml" at <include "polaris.configVolume" .>: error calling include: template: polaris/templates/_helpers.tpl:179:10: executing "polaris.configVolume" at <include "polaris.configVolumeAuthenticationOptions" (list "" .Values.authentication)>: error calling include: template: polaris/templates/_helpers.tpl:351:29: executing "polaris.configVolumeAuthenticationOptions" at <.>: wrong type for value; expected chartutil.Values; got []interface {}

@github-project-automation github-project-automation bot moved this to PRs In Progress in Basic Kanban Board Oct 14, 2025
@dimas-b
Copy link
Contributor

dimas-b commented Oct 14, 2025

I'll defer to @adutra for reviewing this change... maybe there was a use case for tpl, of which I'm not aware 🤔

@adutra
Copy link
Contributor

adutra commented Oct 20, 2025
edited
Loading

Hi @MonkeyCanCode thanks for spotting this issue!

I don't think the root cause is the usage of tpl. The issue seems to be with the . parameter. In this context, it does not point to the global .Values object, that's why the template rendering is failing.

I think that a more correct approach would be to pass the global .Values as a parameter to this function, just like we do in polaris.authenticationOptions. Something like:

{{- define "polaris.configVolumeAuthenticationOptions" -}}
{{- $realm := index . 0 -}}
{{- $auth := index . 1 -}}
{{- $global := index . 2 -}}
...
- secret:
    name: {{ tpl $secretName $global }}

The choice of templetizing every value exposed in the chart is a bit opinionated, but at the same time it allows for a lot of flexibility when defining values. For example, the secret name could be defined as:

authentication.tokenBroker.secret.name: {{ .Release.Namespace }}-auth-secret

I don't mind having a broader discussion about whether it makes sense to templetize everything, but here, my feeling is that we are trying to fix a wrong template function, so imho we shouldn't remove the tpl function call, but instead fix its invocation.

WDYT?

@MonkeyCanCode
Copy link
Contributor Author

MonkeyCanCode commented Oct 21, 2025

Hi @MonkeyCanCode thanks for spotting this issue!

I don't think the root cause is the usage of tpl. The issue seems to be with the . parameter. In this context, it does not point to the global .Values object, that's why the template rendering is failing.

I think that a more correct approach would be to pass the global .Values as a parameter to this function, just like we do in polaris.authenticationOptions. Something like:

{{- define "polaris.configVolumeAuthenticationOptions" -}}
{{- $realm := index . 0 -}}
{{- $auth := index . 1 -}}
{{- $global := index . 2 -}}
...
- secret:
    name: {{ tpl $secretName $global }}

The choice of templetizing every value exposed in the chart is a bit opinionated, but at the same time it allows for a lot of flexibility when defining values. For example, the secret name could be defined as:

authentication.tokenBroker.secret.name: {{ .Release.Namespace }}-auth-secret

I don't mind having a broader discussion about whether it makes sense to templetize everything, but here, my feeling is that we are trying to fix a wrong template function, so imho we shouldn't remove the tpl function call, but instead fix its invocation.

WDYT?

@adutra thanks for the review. I am fine with making everything templatize. Updated the PR with the fix. Please take another look when you have time.

@github-project-automation github-project-automation bot moved this from PRs In Progress to Ready to merge in Basic Kanban Board Oct 21, 2025
@MonkeyCanCode MonkeyCanCode merged commit e6b27e7 into apache:main Oct 21, 2025
15 checks passed
@github-project-automation github-project-automation bot moved this from Ready to merge to Done in Basic Kanban Board Oct 21, 2025
snazy added a commit to snazy/polaris that referenced this pull request Nov 20, 2025
@snazy @renovate-bot
@jbonofre @XN137 @CodingBangboo @dimas-b @MonkeyCanCode @HonahX @adutra @flyrain @collado-mike
Dremio merge 2025 10 24 09 32 (apache#147)
bc6e76c 
* Update Quarkus Platform and Group to v3.28.4 (apache#2786)

* Update dependency org.testcontainers:testcontainers-bom to v2.0.1 (apache#2830)

* Build/polaris-core: Remove outdated `constraint`s (apache#2818)

The `:polaris-core` build scripts contains (soft) version-constraints for some dependencies with a vague reason "Vulnerability detected in ..." (concrete CVE/reason not mentioned) referencing specific dependency versions. The mentioned versions are all quite outdated, some are even not transitively referenced. Hence, removing those constraings, as those seem no longer relevant.

Effective dependency versions can be inspected via `./gradlew :polaris-core:dependencies --configuration runtimeClasspath`.

* Add Community Meetings for 2025-10-02 and 2025-10-16 (apache#2832)

* Update docker.io/prom/prometheus Docker tag to v3.7.1 (apache#2834)

* testcontainers v2: tackle deprecation warnings (apache#2835)

* Add findPrincipalById helper (apache#2810)

* Add findPrincipalById helper

this simplifies frequent usage of the lower level `loadEntity` api (similar to the
existing `findPrincipalByName` helper)

* [Python] Add more tests cases for policy CLI (apache#2831)

* Update dependency software.amazon.awssdk:bom to v2.35.10 (apache#2840)

* Update dependency ch.qos.logback:logback-classic to v1.5.20 (apache#2839)

* Reproducible builds: make parent pom content reproducible (apache#2826)

The parent pom contains the `<developer>` and `<contributor>` elements. The former is populated from ASF people information including role information (champion, mentor, chair, (P)PMC member, committer). The latter is retrieved from a GitHub API endpoint, ordered by number contributions. Especially the latter list is prone to vary between builds, which makes the parent pom not reproducible as the locally built one is likely different from the one that was built by the release managed (staged artifact).

This change removes both lists, leaving a single static `<developer>` entry pointing to `https://polaris.apache.org/community/`. Related build-script code has been updated and no longer retrieves people information.

* Log root cause exceptions in mappers (apache#2837)

Fix `IcebergExceptionMapper` and `PolarisExceptionMapper` to pass exceptions as "cause" to the logger (as opposed to unreferenced log parameters).

* Remove credential flag from `StorageAccessProperty.CLIENT_REGION` (apache#2838)

`CLIENT_REGION` is not a credential value, which is in line with
Iceberg's `VendedCredentialsProvider` code.

Cf. apache/iceberg#11389

* CI: Let all workflows use GitHub's docker.io mirror (apache#2841)

* Correct template rendering for authentication options (apache#2808)

* Correct template rendering for authentication options

* Added tpl back

* Increase javadoc visibility in `:polaris-async-vertx` (apache#2745)

This is to fix javadoc error: `No public or protected classes found to document`

* Update slack invite url (apache#2846)

* Remove unused ConcurrentLinkedQueueWithApproximateSize (apache#2849)

* Merge AwsCloudWatchConfiguration and QuarkusAwsCloudWatchConfiguration (apache#2848)

For some reason, these two classes weren't properly merged when the runtime-service and service-common modules were merged. This PR fixes that.

This PR also adds some examples of AWS Cloud Watch configuration to the default application.properties file.

* Move TestPolarisEventListener to test fixtures (apache#2850)

* Update dependency com.google.cloud:google-cloud-storage-bom to v2.59.0 (apache#2857)

* Update actions/stale digest to e46bbab (apache#2856)

* Servcie: Remove a duplicated config (apache#2854)

* Update docker.io/prom/prometheus Docker tag to v3.7.2 (apache#2858)

* Update Quarkus Platform and Group to v3.28.5 (apache#2859)

* Update dependency com.google.errorprone:error_prone_core to v2.43.0 (apache#2860)

* Add --no-sts to CLI (apache#2855)

* Add --no-sts to CLI

Following up on apache#2672, add new `--no-sts` option to CLI to allow
configuring `stsUnavailable` in `AwsStorageConfigInfo`

* Use AccessConfigProvider.getAccessConfig in DefaultFileIOFactory (apache#2852)

* CLI: Remove the trailing comma (apache#2863)

* Update dependency pip-licenses-cli to v3 (apache#2842)

* Update dependency pip-licenses-cli to v3

* Update pip-licenses-cli version format

* Fix pip-licenses-cli version specification

---------

Co-authored-by: Yong Zheng <yongzheng0809@gmail.com>

* Update quay.io/keycloak/keycloak Docker tag to v26.4.2 (apache#2868)

* Bump main to 1.3.0-SNAPSHOT (apache#2870)

* Add properties from TableMetadata into Table entity internalProperties (apache#2735)

* Add properties from TableMetadata into Table entity internalProperties

* Made table properties constants and pulled out static utility method

* Update dependency io.smallrye:jandex to v3.5.1 (apache#2872)

* Fix exec flags on getting-started scripts (apache#2878)

* Add `+x` to script source files
* Remove (unnecessary) `chmod` from docs

* Update plugin jcstress to v0.9.0 (apache#2882)

* Update registry.access.redhat.com/ubi9/openjdk-21-runtime Docker tag to v1.23-6.1761164966 (apache#2874)

* Update dependency openapi-generator-cli to v7.16.0 (apache#2703)

* Update Gradle to v9 (apache#2226)

* Update Gradle to v9

* adopt gradlew

---------

Co-authored-by: Robert Stupp <snazy@snazy.de>

* Last merged commit 7892540

---------

Co-authored-by: Mend Renovate <bot@renovateapp.com>
Co-authored-by: JB Onofré <jbonofre@apache.org>
Co-authored-by: Christopher Lambert <xn137@gmx.de>
Co-authored-by: Nuoya Jiang <98131931+NuoyaJiang@users.noreply.github.com>
Co-authored-by: Dmitri Bourlatchkov <dmitri.bourlatchkov@gmail.com>
Co-authored-by: Yong Zheng <yongzheng0809@gmail.com>
Co-authored-by: Honah (Jonas) J. <honahx@apache.org>
Co-authored-by: Alexandre Dutra <adutra@apache.org>
Co-authored-by: Yufei Gu <yufei@apache.org>
Co-authored-by: Nuoya Jiang <98131931+CodingBangboo@users.noreply.github.com>
Co-authored-by: Michael Collado <40346148+collado-mike@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adutra adutra adutra approved these changes

@dimas-b dimas-b Awaiting requested review from dimas-b

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MonkeyCanCode @dimas-b @adutra