Remove backwards-compatible authentication config

[ambient-code]

Summary

• Remove the legacy authentication configmap key and authenticationConfig Helm value that were kept for backwards compatibility, with TODO comments saying "remove in 0.7.0"
• Remove the now-unused oidc.LoadAuthenticationConfiguration function and its helper newJWTAuthenticator (the config package has its own equivalent implementations that remain in use)
• Remove the legacy authentication fallback from extractOIDCConfigs() in controller/cmd/main.go so it only reads from the config key
• Update Dex documentation to reference spec.authentication.jwt on the Jumpstarter resource instead of the removed jumpstarter-controller.authenticationConfiguration Helm value

Test plan

• go build ./... passes in the controller module with no errors
• Verify Helm chart renders correctly without authenticationConfig value
• Verify existing deployments using the new config key continue to work

Closes #530

Generated with Claude Code

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c3af5a4f-facc-43bd-80ff-b1b50478ddcd

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ambient-fix/530-remove-auth-compat

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[netlify]

✅ Deploy Preview for jumpstarter-docs ready!

Name	Link
🔨 Latest commit	892b7bf
🔍 Latest deploy log	https://app.netlify.com/projects/jumpstarter-docs/deploys/69d7ccccceb40500089fcc96
😎 Deploy Preview	https://deploy-preview-537--jumpstarter-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[ambient-code]

CI Status Update

The pytest failure in jumpstarter/exporter/hooks_test.py::TestHookExecutor::test_exec_bash appears to be unrelated to this PR's changes.

This PR only modifies:

• Go controller code (config.go, oidc/config.go)
• Helm templates and values
• Documentation

The failing test is a macOS-specific Python test that validates bash substring syntax in hook execution. This is not touched by any of the authentication config removal changes.

The test expects the output BASH_OK: world from the bash command V="hello_world"; echo "BASH_OK: ${V:6:5}" but it's not appearing in the mock logger calls on macOS-15 with Python 3.11.

Is this a known flaky test on macOS, or should we investigate further?

[raballew]

[CRITICAL] While this documentation update is correct, the removal of the legacy authentication config path is incomplete. The extractOIDCConfigs() function in controller/cmd/main.go (around lines 353-359) still has a fallback block that reads configmap.Data["authentication"]. This was missed during cleanup. A stale or maliciously crafted authentication key in the ConfigMap could still influence the login endpoint's OIDC issuer discovery, creating an inconsistency with the authenticator path.

Suggestion: Remove the legacy fallback block in extractOIDCConfigs() in controller/cmd/main.go as well. After removal, that function should return nil if the config key is not found or cannot be parsed.

---

[MEDIUM] There are no tests covering extractOIDCConfigs() in controller/cmd/main.go to verify it only reads from the config key. The missed legacy fallback mentioned above is exactly the kind of thing a regression test would have caught.

Suggestion: Add a test for extractOIDCConfigs() that provides a ConfigMap with only the config key and verifies correct behavior. A negative test confirming that a ConfigMap with only the legacy authentication key does NOT produce OIDC configs would also be valuable.

AI-generated, human reviewed

[ambient-code]

Good catch on the [CRITICAL] finding -- the legacy authentication fallback in extractOIDCConfigs() was indeed missed. Fixed in 7adea6f: the function now only reads from the config key and returns nil if it is not found or cannot be parsed. I also improved the error handling so parse failures are logged rather than silently swallowed.

Regarding the [MEDIUM] test suggestion: I agree this would be valuable coverage. However, extractOIDCConfigs lives in package main and takes a client.Reader (Kubernetes API reader), so testing it properly requires either extracting it to a separate package or setting up a fake client. I think that refactoring is worthwhile but would be better addressed in a follow-up to keep this PR focused on the cleanup. I'll open a tracking issue for it.