@wilsonrivera
Contributor

@wilsonrivera wilsonrivera commented Jan 9, 2026

Summary by CodeRabbit

  • Chores
    • Added a new SSO cookie domain configuration (default ".wundergraph.local") to the control plane chart and documentation to ensure SSO cookies are scoped correctly across domains.

Checklist

  • I have discussed my proposed changes in an issue and have received approval to proceed.
  • I have followed the coding standards of the project.
  • Tests or benchmarks have been added or updated.
  • Documentation has been updated on https://github.com/wundergraph/cosmo-docs.
  • I have read the Contributors Guide.

@coderabbitai
Contributor

coderabbitai bot commented Jan 9, 2026

Walkthrough

Adds a configurable SSO cookie domain to the controlplane Helm chart: a new Helm value configuration.authSsoCookieDomain, a corresponding secret key, and an AUTH_SSO_COOKIE_DOMAIN container environment variable sourced from that secret.

Changes

| Cohort / File(s) | Change Summary |
| --- | --- |
| SSO Cookie Domain Configuration: helm/cosmo/charts/controlplane/templates/deployment.yaml, helm/cosmo/charts/controlplane/templates/secret.yaml, helm/cosmo/charts/controlplane/values.yaml, helm/cosmo/charts/controlplane/README.md | Added configuration.authSsoCookieDomain to values (default '.wundergraph.local'); added authSsoCookieDomain to Secret template; added AUTH_SSO_COOKIE_DOMAIN env var in Deployment sourced from that secret; documented new value in README. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title accurately and clearly describes the main change: adding an SSO cookie domain configuration to Helm values. It is concise, specific, and directly reflects the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e3b1317 and 3330936.

📒 Files selected for processing (1)
  • helm/cosmo/charts/controlplane/README.md
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings
Learnt from: StarpTech
Repo: wundergraph/cosmo PR: 2142
File: helm/cosmo/Chart.yaml:0-0
Timestamp: 2025-08-15T10:21:45.838Z
Learning: In the WunderGraph Cosmo project, helm chart version upgrades and README badge synchronization are handled in separate helm release PRs, not in the initial version bump PRs.

Applied to files:

  • helm/cosmo/charts/controlplane/README.md
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: Analyze (go)
  • GitHub Check: build_test
🔇 Additional comments (2)
helm/cosmo/charts/controlplane/README.md (2)

22-22: Documentation entry is well-formatted and correctly positioned.

The new configuration value is properly documented with a clear description, matching the existing table format and alphabetical ordering.


1-124: All related files have been consistently updated.

Verification confirms that authSsoCookieDomain is properly implemented across all three files:

  • values.yaml (line 205): Defines configuration.authSsoCookieDomain: '.wundergraph.local' with appropriate documentation
  • secret.yaml (line 24): Sources the value from {{ .Values.configuration.authSsoCookieDomain }}
  • deployment.yaml (line 107): Defines AUTH_SSO_COOKIE_DOMAIN environment variable sourced from the secret key authSsoCookieDomain

The field naming conventions and references are consistent across all templates.



Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
helm/cosmo/charts/controlplane/templates/deployment.yaml (1)

107-111: Verify if this environment variable should be conditional.

The AUTH_SSO_COOKIE_DOMAIN environment variable is always set, unlike optional environment variables such as OPENAI_API_KEY (lines 367-373) or CDN_BASE_URL (lines 374-380) which are wrapped in conditionals.

If SSO authentication is an optional feature, consider making this conditional to match the pattern:

♻️ Suggested conditional pattern
            - name: AUTH_JWT_SECRET
              valueFrom:
                secretKeyRef:
                  name: {{ include "controlplane.secretName" . }}
                  key: jwtSessionSecret
+            {{- if .Values.configuration.authSsoCookieDomain }}
            - name: AUTH_SSO_COOKIE_DOMAIN
              valueFrom:
                secretKeyRef:
                  name: {{ include "controlplane.secretName" . }}
                  key: authSsoCookieDomain
+            {{- end }}
            - name: DB_URL
              valueFrom:
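
Review bot: the guard added around AUTH_SSO_COOKIE_DOMAIN is only safe if secret.yaml renders the authSsoCookieDomain key under the identical condition. If the two conditions ever differ, this secretKeyRef points at a key the Secret does not contain and the container will not start. Either keep both `if` blocks on exactly `.Values.configuration.authSsoCookieDomain`, or add `optional: true` under secretKeyRef so a missing key simply leaves the variable unset.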

However, if SSO is a core required feature and the application expects this environment variable to always be present, then the current implementation is correct. The naming and placement are appropriate.

This verification relates to the same concern flagged in secret.yaml. Please run the verification script provided in that review comment to confirm the application's expectations.

helm/cosmo/charts/controlplane/templates/secret.yaml (1)

24-24: Wrap authSsoCookieDomain in a conditional to match the pattern for optional fields.

The code treats AUTH_SSO_COOKIE_DOMAIN as optional (it's marked .optional() in env.schema.ts and the application handles undefined values gracefully with a nullish coalescing operator). However, the Helm template unconditionally sets it in the secret, which is inconsistent with how other optional fields like smtpUsername and s3AccessKeyId are handled.

♻️ Suggested fix
  jwtSessionSecret: "{{ .Values.global.controlplane.jwtSecret }}"
+  {{- if .Values.configuration.authSsoCookieDomain }}
  authSsoCookieDomain: "{{ .Values.configuration.authSsoCookieDomain }}"
+  {{- end }}
  keycloakAdminUser: "{{ .Values.global.keycloak.adminUser }}"
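
Review bot: the `if` on the first added line tests truthiness, and values.yaml ships '.wundergraph.local' as the default, so the key is dropped only when an operator explicitly sets authSsoCookieDomain to an empty string. Say so in the values.yaml comment and the README row, together with what the control plane falls back to when AUTH_SSO_COOKIE_DOMAIN is unset, so that clearing the value to narrow the cookie scope is a documented choice rather than a side effect.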
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7bb0be1 and e3b1317.

📒 Files selected for processing (3)
  • helm/cosmo/charts/controlplane/templates/deployment.yaml
  • helm/cosmo/charts/controlplane/templates/secret.yaml
  • helm/cosmo/charts/controlplane/values.yaml
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: StarpTech
Repo: wundergraph/cosmo PR: 2142
File: helm/cosmo/Chart.yaml:0-0
Timestamp: 2025-08-15T10:21:45.838Z
Learning: In the WunderGraph Cosmo project, helm chart version upgrades and README badge synchronization are handled in separate helm release PRs, not in the initial version bump PRs.
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: Analyze (go)
  • GitHub Check: build_test
🔇 Additional comments (1)
helm/cosmo/charts/controlplane/values.yaml (1)

204-205: LGTM! Consider documenting production configuration.

The new authSsoCookieDomain configuration is well-placed and the comment clearly explains its purpose. The leading dot in the default value .wundergraph.local correctly allows the cookie to be shared across subdomains.

Note that users will need to override this default value for production deployments to match their actual domain (e.g., .yourdomain.com).
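
The subdomain scoping discussed in the review above, as an added example (not code from this PR or from Cosmo): it applies RFC 6265 domain-matching to list which hosts would receive a cookie set with the chart's default `.wundergraph.local`. The host inventory and all function names are constructed for illustration.

```javascript
// Added example: which hosts receive a cookie for a given Domain attribute.
// Host names are constructed samples; function names are hypothetical.

// RFC 6265 §5.2.3: user agents ignore one leading dot and compare case-insensitively.
function normalizeCookieDomain(configured) {
  const d = configured.trim().toLowerCase();
  return d.startsWith('.') ? d.slice(1) : d;
}

// IP literals never suffix-match a cookie domain.
const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(':');

// RFC 6265 §5.1.3: match when the host equals the domain, or ends with
// "." + domain and is a host name rather than an IP address.
function domainMatches(host, configured) {
  const h = host.toLowerCase();
  const d = normalizeCookieDomain(configured);
  if (d === '') return false;
  if (h === d) return true;
  return !isIp(h) && h.endsWith('.' + d);
}

// Hosts from an inventory that would be sent the SSO cookie.
function hostsReceivingCookie(hosts, configured) {
  return hosts.filter((h) => domainMatches(h, configured));
}

// Hosts that receive the cookie although they take no part in the SSO flow:
// each one is an extra place the session cookie can be read from.
function unexpectedRecipients(allHosts, ssoHosts, configured) {
  const needed = new Set(ssoHosts.map((h) => h.toLowerCase()));
  return hostsReceivingCookie(allHosts, configured)
    .filter((h) => !needed.has(h.toLowerCase()));
}

// Constructed inventory of hosts in one deployment.
const allHosts = [
  'studio.wundergraph.local',
  'controlplane.wundergraph.local',
  'keycloak.wundergraph.local',
  'grafana.wundergraph.local',
  'wundergraph.local.example.net', // look-alike, must not match
];
const ssoHosts = ['studio.wundergraph.local', 'controlplane.wundergraph.local'];

console.log(hostsReceivingCookie(allHosts, '.wundergraph.local'));
console.log(unexpectedRecipients(allHosts, ssoHosts, '.wundergraph.local'));
```

Running the same check against the production override shows whether the chosen domain is wider than the hosts that need the cookie.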

@StarpTech
Contributor

@wilsonrivera did you test it end to end?

@github-actions

github-actions bot commented Feb 4, 2026

This PR was marked stale due to lack of activity. It will be closed in 14 days.

@github-actions github-actions bot added the Stale label Feb 4, 2026