
Conversation

@bhumi46 bhumi46 (Member) commented Dec 3, 2025

… branch

Summary by CodeRabbit

  • New Features

    • Added Istio service mesh configuration enabling gateway routing for Keycloak service access with conditional host-based request routing.
    • Introduced multi-platform build support for Keycloak services.
  • Chores

    • Updated build workflow with platform specifications for service builds.
    • Simplified Docker image build process by streamlining artifact handling.
    • Enhanced Helm configuration for managing internal and external host endpoints.


… branch

Signed-off-by: bhumi46 <thisisbn46@gmail.com>
@coderabbitai coderabbitai bot commented Dec 3, 2025

Walkthrough

This pull request adds platform specifications to the Keycloak build workflow, introduces a new Istio addon Helm chart for gateway and virtual service configuration, updates the keycloak-init chart with host configuration and label metadata, and simplifies the keycloak-artemis Dockerfile by removing theme deployments and build commands.

Changes

Changes by cohort / file(s):

  • GitHub Actions Workflow (.github/workflows/push-trigger.yml): Adds PLATFORMS matrix field ("linux/amd64") for keycloak-jboss, keycloak-init, and keycloak-artemis services; threads the PLATFORMS value to the docker-build.yml reusable workflow via a new input parameter.
  • Istio Addons Chart (deploy/chart/istio-addons/Chart.yaml): New Helm chart descriptor defining the istio-addons application chart (v0.1.0, appVersion 1.16.0) with standard metadata fields.
  • Istio Addons Chart Templates (deploy/chart/istio-addons/templates/gateway.yaml, deploy/chart/istio-addons/templates/virtualservice.yaml): New Istio Gateway manifest exposing HTTP traffic on port 80 via the internal ingress gateway; VirtualService template with conditional routing logic based on service type (oauth2-proxy or keycloak) with x-forwarded-proto header configuration.
  • Istio Addons Values (deploy/chart/istio-addons/values.yaml): New values configuration with keycloakInternalHost, keycloakExternalHost, and service type for Keycloak access.
  • Keycloak-Init Chart Configuration (helm/keycloak-init/templates/configmap.yaml): Adds a keycloak-host ConfigMap with internal/external host and URL values; updates the main ConfigMap metadata with a formatted name, labels (including app.kubernetes.io/component), and conditional commonLabels/commonAnnotations.
  • Keycloak-Init Values (helm/keycloak-init/values.yaml): Adds keycloakInternalHost and keycloakExternalHost configuration values; introduces a view-realm client role for mosip-pms-client; reorders the assign_client_scopes block.
  • Keycloak-Artemis Dockerfile (keycloak-artemis/Dockerfile): Removes copying of the mosip theme and deployments; removes the Debian archive mirror patch and the final CMD instruction.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Keycloak-init ConfigMap updates require verification of template variable substitution and label/annotation rendering logic
  • Istio VirtualService conditional routing needs careful review of the Helm conditionals for correct traffic routing based on service type
  • Dockerfile removals should be validated to confirm base image provides necessary CMD/ENTRYPOINT and theme resources are not critical

Possibly related PRs

  • [MOSIP-43640] changes for GA release #192: Modifies overlapping Keycloak packaging files (keycloak-artemis/Dockerfile and helm/keycloak-init chart manifests), indicating related infrastructure or deployment changes.

Suggested reviewers

  • ckm007

Poem

🐰 A gateway opens wide and true,
Platform paths now routed through,
Helm charts bloom in istio's light,
ConfigMaps dance, labels shine bright,
Clean Dockerfiles, simplified fare—
Keycloak's journey, handled with care! 🌱

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title refers to updating helm charts, push trigger, and dockerfile, which align with actual changes in the PR. However, it is overly broad and lacks specificity about the main purpose of these updates.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

… branch

Signed-off-by: bhumi46 <thisisbn46@gmail.com>
… branch

Signed-off-by: bhumi46 <thisisbn46@gmail.com>
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (2)
helm/keycloak-init/values.yaml (1)

413-418: Add documentation for assign_client_scopes.

The new assign_client_scopes field references client scopes defined earlier in the values file. Consider adding an inline comment to clarify this is linking to the scopes defined in the client_scopes section.

          assign_client_scopes:
+            # These must match names defined in client_scopes section
            - update_oidc_client
            - add_oidc_client
            - get_certificate
            - upload_certificate
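
Review bot: the added comment in this hunk documents the constraint but nothing enforces it; an entry under assign_client_scopes that does not match a name in client_scopes is not rejected by `helm lint` or `helm install` and only surfaces when the keycloak-init Job applies the realm configuration. Keep the comment, and consider backing it with a values.schema.json entry or a `fail` call in the template that compares the two lists at render time, so a typo is caught before the Job runs.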
helm/keycloak-init/templates/configmap.yaml (1)

7-11: Add validation or documentation for host format requirements.

The ConfigMap templates host values directly into URLs without format validation. If keycloakInternalHost or keycloakExternalHost are malformed (e.g., containing trailing slashes or missing domains), the resulting URLs will be invalid.

Consider adding inline comments documenting the expected format:

data:
  keycloak-internal-host: {{ .Values.keycloakInternalHost }}
+  # Expected format: service.namespace or service.namespace.svc.cluster.local
  keycloak-internal-url: {{ printf "http://%s" .Values.keycloakInternalHost }}
  keycloak-external-host: {{ .Values.keycloakExternalHost }}
+  # Expected format: fully qualified domain name (FQDN)
  keycloak-external-url: {{ printf "https://%s" .Values.keycloakExternalHost }}
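
Review bot: the two `# Expected format` comments in this hunk land after the key they describe (the internal-host comment sits between keycloak-internal-host and keycloak-internal-url); move each one above its key. More importantly, both hosts are rendered unquoted and without a presence check, so an unset value yields `keycloak-internal-host:` (null) and `keycloak-internal-url: http://`, which fails only at runtime. Suggest `{{ required "keycloakInternalHost must be set" .Values.keycloakInternalHost | quote }}` (and the same for the external host). The hunk also builds the internal URL with `http://` and the external one with `https://`; if that asymmetry is intentional for in-cluster traffic, the comment should say so, otherwise someone will "fix" one to match the other.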
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 81f49a3 and f77fcf9.

📒 Files selected for processing (8)
  • .github/workflows/push-trigger.yml (2 hunks)
  • deploy/chart/istio-addons/Chart.yaml (1 hunks)
  • deploy/chart/istio-addons/templates/gateway.yaml (1 hunks)
  • deploy/chart/istio-addons/templates/virtualservice.yaml (1 hunks)
  • deploy/chart/istio-addons/values.yaml (1 hunks)
  • helm/keycloak-init/templates/configmap.yaml (1 hunks)
  • helm/keycloak-init/values.yaml (2 hunks)
  • keycloak-artemis/Dockerfile (0 hunks)
💤 Files with no reviewable changes (1)
  • keycloak-artemis/Dockerfile
🧰 Additional context used
🪛 YAMLlint (1.37.1)
deploy/chart/istio-addons/templates/virtualservice.yaml

[error] 13-13: syntax error: could not find expected ':'

(syntax)

🔇 Additional comments (7)
deploy/chart/istio-addons/Chart.yaml (1)

1-24: Verify appVersion alignment.

The chart descriptor looks standard and correct. However, confirm that appVersion: "1.16.0" aligns with the version of the application or Istio being deployed.

.github/workflows/push-trigger.yml (1)

28-45: Verify that the referenced docker-build.yml workflow accepts the PLATFORMS input parameter.

The push-trigger workflow now passes a PLATFORMS input to the docker-build.yml workflow located in the external mosip/kattu repository. Ensure that docker-build.yml is configured to accept this parameter and uses it correctly. Review the mosip/kattu repository's docker-build.yml workflow definition to confirm that PLATFORMS is defined as a valid input parameter.

helm/keycloak-init/templates/configmap.yaml (2)

18-27: All template helpers are properly defined or inherited. keycloak-init.fullname is defined locally in _helpers.tpl, while common.labels.standard and common.tplvalues.render come from the declared Bitnami common chart dependency (version 1.x.x in Chart.yaml). No action needed.


1-11: The review comment is based on incorrect file content. The actual configmap.yaml does not create a keycloak-host ConfigMap as shown in the snippet. Instead, it creates a keycloak-init-configuration ConfigMap containing input.yaml with realm configuration, which is properly mounted and used by the Job in job.yaml (line 76).

Likely an incorrect or invalid review comment.

deploy/chart/istio-addons/templates/virtualservice.yaml (2)

11-14: File does not exist in repository.

The file deploy/chart/istio-addons/templates/virtualservice.yaml referenced in this review comment does not exist in the repository. No chart/ or istio-addons/ directory structure was found. This review comment cannot be applied to this codebase.

Likely an incorrect or invalid review comment.


21-24: This review comment references files that do not exist in this repository.

The file deploy/chart/istio-addons/templates/virtualservice.yaml and related gateway.yaml do not exist in the mosip/keycloak codebase. This review appears to have been intended for a different repository or has been applied to the wrong codebase. No verification of the TLS architecture claims is possible against non-existent files.

Likely an incorrect or invalid review comment.

deploy/chart/istio-addons/templates/gateway.yaml (1)

8-12: Configure TLS/HTTPS for the Gateway.

The Gateway currently exposes only HTTP on port 80. For production deployments, HTTPS should be explicitly configured unless TLS termination is handled by an upstream proxy or load balancer.

Verify that TLS is terminated upstream and confirm this is the intended architecture. If TLS should be configured at the Gateway level, add a TLS section with certificate references:

  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - {{ .Values.keycloakExternalHost }}
+  - port:
+      number: 443
+      name: https
+      protocol: HTTPS
+    tls:
+      mode: SIMPLE
+      credentialName: keycloak-tls-cert
+    hosts:
+    - {{ .Values.keycloakExternalHost }}
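
Review bot: the suggested HTTPS server in this hunk leaves the existing port-80 server serving plaintext for the same host; if the intent is HTTPS-only, add `tls: { httpsRedirect: true }` to the port-80 server so HTTP requests are redirected rather than answered. `credentialName: keycloak-tls-cert` must also exist as a Kubernetes TLS Secret in the namespace of the ingress gateway workload selected by the Gateway, not in the chart's release namespace, or Istio will not bring the 443 listener up. Finally, the walkthrough states this Gateway is bound to the internal ingress gateway while the hosts list uses keycloakExternalHost; confirm that TLS for the external hostname belongs on that gateway at all before adding the server.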

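A Helm-native way to enforce what the two nitpicks above ask for (that the host values are present and are bare hostnames) is shown below as an added example; it is not the mosip/keycloak chart's own configmap.yaml. It reuses the keycloakInternalHost and keycloakExternalHost values and the keycloak-host ConfigMap name from the PR; the hostname regex, the error messages and the use of `required`, `regexMatch` and `fail` are the example's own choices.

```yaml
{{- /* Added example, not the chart's own template: validate the host values
       before templating them into URLs. Assumes the .Values keys the PR adds. */ -}}
{{- /* Bare hostname: DNS labels separated by dots, no scheme, port, path or trailing slash. */ -}}
{{- $hostRe := "^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)*$" -}}
{{- /* required aborts the render with the message when the value is unset or empty. */ -}}
{{- $internal := required "keycloakInternalHost must be set (e.g. keycloak.keycloak.svc.cluster.local)" .Values.keycloakInternalHost -}}
{{- $external := required "keycloakExternalHost must be set (FQDN, no scheme, no trailing slash)" .Values.keycloakExternalHost -}}
{{- /* Reject anything that is not a bare hostname so http://%s never becomes http://https://... */ -}}
{{- range $k, $v := dict "keycloakInternalHost" $internal "keycloakExternalHost" $external }}
{{- if not (regexMatch $hostRe $v) }}
{{- fail (printf "%s=%q is not a bare hostname: no scheme, port, path or trailing slash allowed" $k $v) }}
{{- end }}
{{- end }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: keycloak-host
data:
  # Internal URL is plain http (in-cluster), external is https; keep the asymmetry explicit.
  keycloak-internal-host: {{ $internal | quote }}
  keycloak-internal-url: {{ printf "http://%s" $internal | quote }}
  keycloak-external-host: {{ $external | quote }}
  keycloak-external-url: {{ printf "https://%s" $external | quote }}
```

Rendering this with `helm template` and a value such as `keycloakExternalHost: https://sso.example.org/` now stops with the `fail` message instead of emitting `https://https://sso.example.org/`, and an unset host stops at `required` rather than producing a null key. The `| quote` keeps the YAML parser from reinterpreting a host that happens to look like a number or another scalar type.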
@ckm007 ckm007 merged commit 8db8684 into mosip:release-1.3.x Dec 3, 2025
9 of 10 checks passed