K8s: Strictly handle basicAuth.enabled in template

[VietND96]

User description

Thanks for contributing to the Docker-Selenium project!
A PR well described will help maintainers to quickly review and merge it

Before submitting your PR, please check our contributing guidelines, applied for this repository.
Avoid large PRs, help reviewers by making them as simple and short as possible.

Description

Motivation and Context

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist

• I have read the contributing document.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have added tests to cover my changes.
• All new and existing tests passed.

---

PR Type

Enhancement, Bug fix

---

Description

• Enforced strict handling of basicAuth.enabled in Kubernetes templates.

  • Added conditional checks for basicAuth.enabled to ensure secrets are only referenced when enabled.
  • Updated multiple deployment templates to include these conditional checks.

• Fixed topology spread constraints references in deployment templates.

  • Corrected component-specific topology spread constraints to avoid misconfigurations.

---

Changes walkthrough 📝

	Relevant files
Enhancement	3 files _helpers.tpl Added conditional checks for basicAuth.enabled in environment references +6/-0      distributor-deployment.yaml Added conditional checks for basicAuth.enabled in distributor deployment +2/-0      trigger-auth.yaml Added conditional checks for basicAuth.enabled in trigger-auth template +2/-0
Bug fix	6 files basic-auth-secret.yaml Added strict condition for creating basic auth secret        +1/-1      event-bus-deployment.yaml Fixed topology spread constraints and added basicAuth.enabled checks +4/-2      hub-deployment.yaml Fixed topology spread constraints and added basicAuth.enabled checks +4/-2      router-deployment.yaml Fixed topology spread constraints and added basicAuth.enabled checks +4/-2      session-map-deployment.yaml Fixed topology spread constraints and added basicAuth.enabled checks +4/-2      session-queue-deployment.yaml Fixed topology spread constraints and added basicAuth.enabled checks +4/-2

---

Need help?

Type /help how to ... in the comments thread for any questions about Qodo Merge usage.

Check out the documentation for more information.

[qodo-merge-pro]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪

🧪 No relevant tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Authentication Issue The conditional check for basicAuth.enabled is added, but the authentication parameters might be required even when not using the secret. Verify if the trigger-auth.yaml should function without username/password when basicAuth is disabled. {{- if $.Values.basicAuth.enabled }} - parameter: username name: {{ template "seleniumGrid.basicAuth.secrets.fullname" $ }} key: SE_ROUTER_USERNAME - parameter: password name: {{ template "seleniumGrid.basicAuth.secrets.fullname" $ }} key: SE_ROUTER_PASSWORD {{- end }} Condition Change The condition for creating the secret has been changed to require both basicAuth.create and basicAuth.enabled. Verify this doesn't break existing deployments that might have only set basicAuth.create. {{- if and $.Values.basicAuth.create $.Values.basicAuth.enabled }} apiVersion: v1

[qodo-merge-pro]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Add missing secret creation check The conditional block for basic auth credentials in the trigger-auth.yaml should also check if basicAuth.create is true, similar to the basic-auth-secret.yaml template, to ensure consistency and prevent referencing a secret that might not exist. charts/selenium-grid/templates/trigger-auth.yaml [21-28] -{{- if $.Values.basicAuth.enabled }} +{{- if and $.Values.basicAuth.create $.Values.basicAuth.enabled }} - parameter: username name: {{ template "seleniumGrid.basicAuth.secrets.fullname" $ }} key: SE_ROUTER_USERNAME - parameter: password name: {{ template "seleniumGrid.basicAuth.secrets.fullname" $ }} key: SE_ROUTER_PASSWORD {{- end }} Apply this suggestion Suggestion importance[1-10]: 9 __ Why: This is a critical consistency issue. The trigger-auth.yaml only checks for basicAuth.enabled but not basicAuth.create, which could lead to referencing a secret that doesn't exist when basicAuth.enabled=true but basicAuth.create=false, causing deployment failures.	High
Update

[qodo-merge-pro]

CI Feedback 🧐

(Feedback updated until commit 8bba82d)

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: Rerun workflow when failure

Failed stage: Authenticate GitHub CLI for PR [❌]

Failure summary: The action failed because the GitHub CLI authentication token (GH_CLI_TOKEN_PR) is missing the required read:org scope. The error occurred during the gh auth login --with-token command, which requires this permission scope to function properly.

Relevant error logs: 1: ##[group]Operating System 2: Ubuntu ... 22: Issues: write 23: Metadata: read 24: Models: read 25: Packages: write 26: Pages: write 27: PullRequests: write 28: RepositoryProjects: write 29: SecurityEvents: write 30: Statuses: write 31: ##[endgroup] 32: Secret source: Actions 33: Prepare workflow directory 34: Prepare all required actions 35: Getting action download info 36: Download action repository 'actions/checkout@main' (SHA:85e6279cec87321a52edac9c87bce653a07cf6c2) 37: Complete job name: Rerun workflow when failure 38: ##[group]Run actions/checkout@main ... 42: ssh-strict: true 43: ssh-user: git 44: persist-credentials: true 45: clean: true 46: sparse-checkout-cone-mode: true 47: fetch-depth: 1 48: fetch-tags: false 49: show-progress: true 50: lfs: false 51: submodules: false 52: set-safe-directory: true 53: env: 54: GH_CLI_TOKEN: *** 55: GH_CLI_TOKEN_PR: *** 56: RUN_ID: 14316464995 57: RERUN_FAILED_ONLY: true 58: RUN_ATTEMPT: 1 ... 113: Or undo this operation with: 114: git switch - 115: Turn off this advice by setting config variable advice.detachedHead to false 116: HEAD is now at e13ad8f Merge 8bba82d662db3e4752a80fcf00fa97421d6b670e into 5488f8c2ffdd98804ca9518cbad27e558a1c5f86 117: ##[endgroup] 118: [command]/usr/bin/git log -1 --format=%H 119: e13ad8f143c0119e8d26d1179aa9ccdfabf5a026 120: ##[group]Run sudo apt update 121: �[36;1msudo apt update�[0m 122: �[36;1msudo apt install gh�[0m 123: shell: /usr/bin/bash -e {0} 124: env: 125: GH_CLI_TOKEN: *** 126: GH_CLI_TOKEN_PR: *** 127: RUN_ID: 14316464995 128: RERUN_FAILED_ONLY: true 129: RUN_ATTEMPT: 1 ... 168: Reading state information... 169: 126 packages can be upgraded. Run 'apt list --upgradable' to see them. 170: WARNING: apt does not have a stable CLI interface. Use with caution in scripts. 171: Reading package lists... 172: Building dependency tree... 173: Reading state information... 174: gh is already the newest version (2.69.0). 175: 0 upgraded, 0 newly installed, 0 to remove and 126 not upgraded. 176: ##[group]Run echo "$GH_CLI_TOKEN_PR" | gh auth login --with-token 177: �[36;1mecho "$GH_CLI_TOKEN_PR" | gh auth login --with-token�[0m 178: shell: /usr/bin/bash -e {0} 179: env: 180: GH_CLI_TOKEN: *** 181: GH_CLI_TOKEN_PR: *** 182: RUN_ID: 14316464995 183: RERUN_FAILED_ONLY: true 184: RUN_ATTEMPT: 1 185: ##[endgroup] 186: error validating token: missing required scope 'read:org' 187: ##[error]Process completed with exit code 1. 188: Post job cleanup.

[Copilot]

Copilot reviewed 9 out of 10 changed files in this pull request and generated no comments.

Files not reviewed (1)

• charts/selenium-grid/templates/_helpers.tpl: Language not supported

Comments suppressed due to low confidence (1)

charts/selenium-grid/templates/trigger-auth.yaml:29

• There appears to be an extra closing '{{- end }}' at the end of the file which may lead to a mismatch in conditional blocks; remove it to ensure proper template logic.

{{- end }}