fix(deploy): use JSON patch instead of merge patch for OIDC AuthPolicy

Merge patch (--type=merge) cannot reliably delete "when" arrays or replace
"selector" with "expression" inside CRD objects. The live AuthPolicy showed
both the base policy's when clause (restricting to sk-oai-*) AND the OIDC
expression coexisting, causing X-MaaS-Username to be empty for OIDC tokens
→ 500 AUTH_FAILURE refId 003.

Switch to JSON patch (--type=json) with op=replace on /spec/rules. This
atomically replaces the entire rules block — no field merging, no stale
when-clauses. Remove when:null and selector:null from the OIDC template
since they are no longer needed.

Signed-off-by: Wen Liang <liangwen12year@gmail.com>

Author: liangwen12year

scripts/data/maas-api-authpolicy-external-oidc-patch.yaml

@@ -1,4 +1,7 @@
-# Merge patch applied when EXTERNAL_OIDC=true (see configure_maas_api_authpolicy in deploy.sh).
+# OIDC rules applied when EXTERNAL_OIDC=true (see configure_maas_api_authpolicy in deploy.sh).
+# Applied via JSON patch (--type=json, op=replace on /spec/rules) to atomically replace
+# the entire rules block. Merge patch cannot reliably delete "when" arrays or replace
+# "selector" with "expression" inside CRD objects.
 #
 # Authentication order (lower priority number = earlier block; Authorino tries the next
 # block when the previous identity method does not validate the token):
@@ -72,45 +75,29 @@ spec:
     response:
       success:
         headers:
-          # Override the base X-MaaS-Username / X-MaaS-Group headers so they
-          # handle API keys, OIDC JWT, and OpenShift TokenReview.
-          #
-          # API keys (Bearer sk-oai-*): identity comes from apiKeyValidation metadata — the
-          # base policy used plain selectors here. OIDC-only expressions omit that path and
-          # yield empty username → maas-api HTTP 500 AUTH_FAILURE refId 001 on /v1/models.
-          # Order: apiKeyValidation → OIDC claims → OpenShift TokenReview.
-          # No "when" clause — these headers must apply to ALL token types (API keys,
-          # OIDC JWT, OpenShift TokenReview). The three-way expression handles each case.
-          # The base policy restricts these to sk-oai-* only; merge patch must explicitly
-          # null the "when" to clear the base's restriction.
+          # Three-way CEL expressions handle API keys, OIDC JWT, and OpenShift
+          # TokenReview without any "when" clause. JSON patch replaces the entire
+          # rules block, so base policy fields (when, selector) are not inherited.
           X-MaaS-Username:
-            when: null
             plain:
-              selector: null
               expression: >-
                 (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ?
                 auth.metadata.apiKeyValidation.username :
                 (has(auth.identity.preferred_username) ?
                 auth.identity.preferred_username :
                 (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))
-          # Never call .join on a missing path — that stringifies nil as "<nil>"
-          # and breaks maas-api JSON parsing.
           X-MaaS-Group:
-            when: null
             plain:
-              selector: null
               expression: >-
                 (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ?
                 (size(auth.metadata.apiKeyValidation.groups) > 0 ?
                 '["' + auth.metadata.apiKeyValidation.groups.join('","') + '"]' :
                 '["system:authenticated"]') :
                 (has(auth.identity.groups) && size(auth.identity.groups) > 0 ?
                 '["system:authenticated","' + auth.identity.groups.join('","') + '"]' :
-                (has(auth.identity.user.groups) && size(auth.identity.user.groups) > 0 ?
+                (has(auth.identity.user) && has(auth.identity.user.groups) && size(auth.identity.user.groups) > 0 ?
                 '["system:authenticated","' + auth.identity.user.groups.join('","') + '"]' :
                 '["system:authenticated"]'))
-          # Subscription: from API key validation (must be preserved from base policy).
-          # /v1/models reads this header to filter by subscription.
           X-MaaS-Subscription:
             when:
               - selector: request.headers.authorization

scripts/deploy.sh

@@ -1492,17 +1492,31 @@ patch_authpolicy_from_template() {
   local oidc_issuer_url="${4:-}"
   local oidc_client_id="${5:-}"
 
-  local rendered_patch
-  rendered_patch="$(mktemp)"
-
+  # Render placeholders in the YAML template.
+  local rendered_yaml
+  rendered_yaml="$(mktemp)"
   sed \
     -e "s|__MAAS_NAMESPACE__|${maas_namespace}|g" \
     -e "s|__OIDC_ISSUER_URL__|${oidc_issuer_url}|g" \
     -e "s|__OIDC_CLIENT_ID__|${oidc_client_id}|g" \
-    "$template_file" > "$rendered_patch"
-
-  kubectl patch authpolicy "$authpolicy_name" -n "$NAMESPACE" --type=merge --patch-file "$rendered_patch"
-  rm -f "$rendered_patch"
+    "$template_file" > "$rendered_yaml"
+
+  # Use JSON patch (--type=json) with op=replace on /spec/rules to atomically
+  # replace the entire rules block. Merge patch (--type=merge) cannot reliably
+  # delete fields like "when" arrays or replace "selector" with "expression"
+  # inside CRD objects, causing stale when-clauses to persist and break OIDC.
+  local rules_json
+  rules_json=$(python3 -c "
+import sys, json, yaml
+with open('$rendered_yaml') as f:
+    doc = yaml.safe_load(f)
+rules = doc.get('spec', {}).get('rules', {})
+patch = [{'op': 'replace', 'path': '/spec/rules', 'value': rules}]
+json.dump(patch, sys.stdout)
+")
+  rm -f "$rendered_yaml"
+
+  kubectl patch authpolicy "$authpolicy_name" -n "$NAMESPACE" --type=json -p "$rules_json"
 }
 
 # configure_maas_api_authpolicy