add -oidc-scopes parameter only if scopes are actually provided

[mikeywuu]

This pull request introduces a conditional check to the Helm chart deployment template for Headlamp, ensuring that the OIDC scopes argument is only included when the relevant value is set. This improves the flexibility and correctness of the deployment configuration.

Enhancement to OIDC configuration:

• charts/headlamp/templates/deployment.yaml: Added a conditional block so that the -oidc-scopes=$(OIDC_SCOPES) argument is only included if either $oidc.scopes or $scopes is not empty, preventing unnecessary or empty configuration arguments.## Summary

Related Issue

Fixes #4220

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: mikeywuu / name: Mike (bd9200e)

[k8s-ci-robot]

Welcome @mikeywuu!

It looks like this is your first PR to kubernetes-sigs/headlamp 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/headlamp has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mikeywuu
Once this PR has been reviewed and has the lgtm label, please assign joaquimrocha for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[skoeva]

Hi, thanks for looking into this issue! If you can, please sign the CLA so we can review and merge any changes

[skoeva]

there's a failing test in the CI:

Test failed! To update expected templates to match current output:
  1. Review the differences above carefully
  2. If the changes are related to version, run:
     make helm-update-template-version
     This will update ALL expected templates with current Helm version
  3. Verify the changes and commit them

[mikeywuu]

After thinking about it, im not sure if this might break something for other people. With this change, it would no longer be possible to get the scopes (OIDC_SCOPES) from the externalSecret. Im not sure what has to be in the externalSecret and what not.

Maybe you have an opinion about that?

[illume]

I need some time to think about this, I assigned myself.
Also moved it to the next release milestone in the meantime.

[Copilot]

Pull request overview

This pull request fixes a bug in the Headlamp Helm chart where the -oidc-scopes argument was being added to the deployment even when OIDC scopes were not provided in the external secret configuration. This caused authentication failures with Azure Entra ID when using external secrets without the OIDC_SCOPES variable.

Changes:

• Added a conditional check to only include the -oidc-scopes argument when scopes are actually provided, matching the pattern already present in the non-externalSecret configuration branch

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

For consistency with the corresponding check in the non-externalSecret branch (line 259), consider adding a comment here explaining the conditional check. The comment at line 259 reads: "# Check if scopes are non empty either from env or oidc.config"

Suggested change

	{{- if or (ne $oidc.scopes "") (ne $scopes "") }}
	{{- if or (ne $oidc.scopes "") (ne $scopes "") }}
	# Check if scopes are non empty either from env or oidc.config