feat: create GitKB OIDC sync client

[patrickleet]

Summary

• add optional spec.auth.oidcClient so the GitKB stack creates its own Zitadel Project, Role, MachineUser, and Grant
• wire the observed GitKB Project ID into Istio RequestAuthentication audiences for sync traffic
• expose status.auth.oidcClient with client ID, project audience, credential Secret reference, and readiness fields
• keep auth.istioJwt as the mesh enforcement layer and document the GitKB CLI client credentials configuration

Validation

• make render
• make validate
• make test
• git diff --check
• hops config install --path /Users/patrickleet/dev/hops-ops/hops/xrs/stacks/k8s/gitkb --context colima
• kubectl --context colima apply -f local/gitkb.yaml

Local Control Plane Evidence

• local package installed as registry.crossplane-system.svc.cluster.local:5000/hops-ops/gitkb-stack:dev-63bfca26493c
• GitKB/default/gitkb is Ready=True
• status.auth.oidcClient.clientId is gitkb-sync
• status.auth.oidcClient.projectId is 376749978338467934
• GitKB-owned Zitadel Project, MachineUser, and Grant are Ready=True
• Istio RequestAuthentication uses issuer https://auth.ops.com.ai and audience 376749978338467934
• credential Secret contains expected keys only: attribute.client_id, attribute.client_secret

Notes

• This replaces the earlier test reuse of the OpenPanel admin client with a GitKB-owned OIDC client.
• Hops root/local control plane files remain uncommitted; this PR only contains the stack repo changes.

Summary by CodeRabbit

• New Features

  • OIDC client auth and Istio JWT enforcement options added to GitKB (new spec.auth and status.auth surfaces)
  • New example demonstrating Istio JWT authentication

• Defaults

  • Default chart version bumped to 0.2.1

• Documentation

  • README expanded with OIDC/Istio JWT setup and configuration guidance

• Tests

  • Updated/expanded tests covering auth rendering, status, and related resources

• Chores

  • Examples list updated in CI/Make targets to include the new example

[coderabbitai]

Warning

Review limit reached

@patrickleet, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 22 minutes and 12 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d8fbb002-cdb7-4d43-9712-c6d372ac284e

📥 Commits

Reviewing files that changed from the base of the PR and between 4181b53 and cbc1c1a.

📒 Files selected for processing (4)

• functions/render/200-helm-release-gitkb.yaml.gotmpl
• functions/render/450-auth-istio-jwt.yaml.gotmpl
• tests/test-render/main.k
• upbound.yaml

📝 Walkthrough

Walkthrough

Adds GitKB OIDC and Istio JWT support: CRD schema/status, render-time auth state and namespace labeling, Zitadel and Istio resource templates with deletion ordering, expanded readiness/status emission, updated tests, workflows, Makefile, README, and upbound metadata.

Changes

GitKB Istio JWT and OIDC Authentication

Layer / File(s)	Summary
Authentication schema contract apis/gitkbs/definition.yaml, examples/gitkbs/with-istio-jwt.yaml, README.md, upbound.yaml	CRD schema extended with spec.auth (oidcClient and istioJwt) and status.auth (observed/rendered state and readiness). Chart version default bumped to 0.2.1. Example manifest and docs updated to demonstrate and document auth configuration.
Auth state initialization and namespace labeling functions/render/000-state-init.yaml.gotmpl	State template computes OIDC and Istio JWT rendering flags, derives issuer/JWKS/audiences/waypoint names from spec.auth, initializes namespaceLabels with ambient dataplane mode when Istio JWT is rendered, and wires auth configuration into $state for downstream templates.
Readiness evaluation and status observation functions/render/010-state-status.yaml.gotmpl, functions/render/999-status.yaml.gotmpl	Status template derives Zitadel identifiers, computes effective JWT audiences, evaluates per-resource and usage readiness, merges labels when rendered, and emits $state.observed and $state.status with auth subtrees for OIDC and Istio JWT.
Namespace and Helm service label injection functions/render/100-namespace.yaml.gotmpl, functions/render/200-helm-release-gitkb.yaml.gotmpl	Namespace template uses $state.namespaceLabels. Helm release template conditionally augments chartDefaults.service.labels with Istio JWT service labels when istioJwt is rendered.
Zitadel OIDC client resource rendering functions/render/400-auth-zitadel-client.yaml.gotmpl	New template conditionally renders Zitadel Project, native Oidc device application, Role, MachineUser, conditional Grant, and Usage resources to enforce deletion ordering and output connection secrets.
Istio JWT authentication and authorization resource rendering functions/render/450-auth-istio-jwt.yaml.gotmpl	New template conditionally renders Istio ambient Gateway, RequestAuthentication (issuer/JWKS/audiences), and AuthorizationPolicy (request principals), plus Usage resources to enforce deletion ordering relative to Namespace and Helm Release.
Tests and CI / Build docs tests/test-render/main.k, .github/workflows/on-pr.yaml, .github/workflows/on-push-main.yaml, Makefile	Composition tests added/updated to validate istioJwt and OIDC rendering and readiness; workflows and Makefile updated to include the new example; tests updated to expect chartVersion 0.2.1.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

🐰 I stitched a mesh of JWT and key,

Zitadel hums a secret tune for me,
Namespaces wear labels, waypoints stand tall,
Policies guard each incoming call,
GitKB now syncs behind a guarded wall.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat: create GitKB OIDC sync client' accurately reflects the main feature added: creation of a GitKB-owned OIDC client for authenticated sync via Zitadel MachineUser, which is the primary objective across all changeset files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/istio-jwt-auth

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Published Crossplane Package

The following Crossplane package was published as part of this PR:

Package: ghcr.io/hops-ops/gitkb-stack:pr-1-fcd0156a586dc83c35e32714e1eb1916240797d4

View Package

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@functions/render/200-helm-release-gitkb.yaml.gotmpl`:
- Around line 17-19: The Istio waypoint labels set when
$state.auth.istioJwt.rendered are currently merged into $chartDefaults via
mergeOverwrite and can be clobbered by user-supplied
$state.values.service.labels or by overrideAllValues; update the template so
Istio labels are applied after any user merge (i.e., ensure the final labels on
service are produced by merging user labels first and then merging/enforcing the
Istio labels into $chartDefaults or the final service.labels) and also ensure
the overrideAllValues path still injects/enforces the istio.io/use-waypoint and
istio.io/ingress-use-waypoint labels; reference $chartDefaults, mergeOverwrite,
$state.values.service.labels, overrideAllValues and
$state.auth.istioJwt.rendered when making the change.
- Around line 17-19: The Istio waypoint labels from
$state.auth.istioJwt.serviceLabels are currently merged into $chartDefaults but
can be clobbered by later mergeOverwrite with $state.values or bypassed when
$state.overrideAllValues is true; update
functions/render/200-helm-release-gitkb.yaml.gotmpl to ensure those Istio label
keys are re-applied after user merges (i.e., perform a final merge that overlays
$state.auth.istioJwt.serviceLabels onto the merged result) and also re-apply
them in the branch where $state.overrideAllValues is set, so the
istio.io/use-waypoint and istio.io/ingress-use-waypoint keys from
$state.auth.istioJwt.serviceLabels cannot be accidentally removed by
user-provided service.labels or by overrideAllValues.

In `@functions/render/450-auth-istio-jwt.yaml.gotmpl`:
- Around line 106-112: The template renders requestPrincipals directly from
auth.requestPrincipals which can be an explicitly empty list and produce an
empty matcher; update the logic in
functions/render/450-auth-istio-jwt.yaml.gotmpl to detect an empty or unset
auth.requestPrincipals and fall back to rendering a single entry "*" (the same
default used in functions/render/000-state-init.yaml.gotmpl) instead of emitting
an empty list—i.e., change the section around requestPrincipals to check for
emptiness and render ["*"] when auth.requestPrincipals is nil or has length
zero, otherwise range over auth.requestPrincipals as before.

In `@upbound.yaml`:
- Around line 44-47: Remove the stray sentence fragment "This" that ends the
first sentence so the paragraph reads smoothly; update the text mentioning
`git-kb serve` and the following sentence about `auth.oidcClient` and
`auth.istioJwt` (Zitadel MachineUser / Istio project audience) by deleting the
orphaned "This" to join the sentences correctly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9e0e565f-0dcc-49e1-a5dc-49e151eb32c4

📥 Commits

Reviewing files that changed from the base of the PR and between 1609180 and 56ef372.

📒 Files selected for processing (15)

• .github/workflows/on-pr.yaml
• .github/workflows/on-push-main.yaml
• Makefile
• README.md
• apis/gitkbs/definition.yaml
• examples/gitkbs/with-istio-jwt.yaml
• functions/render/000-state-init.yaml.gotmpl
• functions/render/010-state-status.yaml.gotmpl
• functions/render/100-namespace.yaml.gotmpl
• functions/render/200-helm-release-gitkb.yaml.gotmpl
• functions/render/400-auth-zitadel-client.yaml.gotmpl
• functions/render/450-auth-istio-jwt.yaml.gotmpl
• functions/render/999-status.yaml.gotmpl
• tests/test-render/main.k
• upbound.yaml

[coderabbitai]

♻️ Duplicate comments (1)

upbound.yaml (1)

44-45: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix sentence fragment.

The stray "This" at the end of line 44 creates a sentence fragment. This issue was previously flagged and remains unresolved.

📝 Proposed fix

     The HTTPRoute strips that prefix before forwarding traffic to
-    `git-kb serve`, so many GitKB repos can share one Gateway domain. This
-    For authenticated sync traffic, enable `auth.oidcClient` and
+    `git-kb serve`, so many GitKB repos can share one Gateway domain.
+    For authenticated sync traffic, enable `auth.oidcClient` and

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@upbound.yaml` around lines 44 - 45, The sentence fragment is caused by the
stray word "This" at the end of the line in upbound.yaml; remove the stray
"This" (or complete the sentence by moving it to or merging with the following
line) so the paragraph reads coherently — specifically edit the lines containing
"`git-kb serve`, so many GitKB repos can share one Gateway domain. This" and
"For authenticated sync traffic, enable `auth.oidcClient` and" to either drop
"This" or join it into a complete sentence that links to the `auth.oidcClient`
instruction.

🧹 Nitpick comments (1)

upbound.yaml (1)

45-48: ⚡ Quick win

Clarify the run-on sentence structure.

The sentence spanning lines 45-48 is grammatically awkward with mixed subjects ("GitKB gets" and "Istio validates"). Consider restructuring for clarity.

📝 Suggested rewording

     For authenticated sync traffic, enable `auth.oidcClient` and
-    `auth.istioJwt` so GitKB gets its own Zitadel device-flow client for human
-    login, MachineUser client for automation, and Istio validates the shared
-    project audience.
+    `auth.istioJwt` so GitKB provisions its own Zitadel device-flow client for
+    human login and MachineUser client for automation, while Istio validates
+    the shared project audience.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@upbound.yaml` around lines 45 - 48, The sentence describing authenticated
sync traffic mixes subjects and reads as a run-on; rewrite it to separate the
actions and clarify who does what. Update the text to explicitly state that
enabling auth.oidcClient creates Zitadel clients for GitKB (a device-flow client
for human login and a MachineUser client for automation) and that enabling
auth.istioJwt causes Istio to validate the shared project audience, e.g., two
short sentences or a semicolon-separated pair referencing auth.oidcClient,
auth.istioJwt, GitKB, Zitadel/MachineUser, and Istio so each responsibility is
clear.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@upbound.yaml`:
- Around line 44-45: The sentence fragment is caused by the stray word "This" at
the end of the line in upbound.yaml; remove the stray "This" (or complete the
sentence by moving it to or merging with the following line) so the paragraph
reads coherently — specifically edit the lines containing "`git-kb serve`, so
many GitKB repos can share one Gateway domain. This" and "For authenticated sync
traffic, enable `auth.oidcClient` and" to either drop "This" or join it into a
complete sentence that links to the `auth.oidcClient` instruction.

---

Nitpick comments:
In `@upbound.yaml`:
- Around line 45-48: The sentence describing authenticated sync traffic mixes
subjects and reads as a run-on; rewrite it to separate the actions and clarify
who does what. Update the text to explicitly state that enabling auth.oidcClient
creates Zitadel clients for GitKB (a device-flow client for human login and a
MachineUser client for automation) and that enabling auth.istioJwt causes Istio
to validate the shared project audience, e.g., two short sentences or a
semicolon-separated pair referencing auth.oidcClient, auth.istioJwt, GitKB,
Zitadel/MachineUser, and Istio so each responsibility is clear.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9363cb6d-19d7-4111-9387-aefcabb0f41b

📥 Commits

Reviewing files that changed from the base of the PR and between 56ef372 and e3d474f.

📒 Files selected for processing (9)

• README.md
• apis/gitkbs/definition.yaml
• examples/gitkbs/with-istio-jwt.yaml
• functions/render/000-state-init.yaml.gotmpl
• functions/render/010-state-status.yaml.gotmpl
• functions/render/400-auth-zitadel-client.yaml.gotmpl
• functions/render/999-status.yaml.gotmpl
• tests/test-render/main.k
• upbound.yaml

🚧 Files skipped from review as they are similar to previous changes (6)

• functions/render/999-status.yaml.gotmpl
• examples/gitkbs/with-istio-jwt.yaml
• README.md
• apis/gitkbs/definition.yaml
• functions/render/010-state-status.yaml.gotmpl
• functions/render/000-state-init.yaml.gotmpl