broaden default Quay OAuth scopes #310

Merged
maorfr merged 3 commits into rh-ecosystem-edge:main from helsus:ib-add-scopes-to-default-user
Apr 29, 2026

Conversation

@helsus
Contributor

@helsus helsus commented Apr 28, 2026

Description

Adds user:admin and org:admin to the default scopes. oauth_setup.yaml skips org/app creation when quay-oauth-credentials exists and regenerates the token only when scopes drift. quay-oauth-sync tag in 06-day2.yaml covers existing clusters.

Open question

  • Is 06-day2.yaml the right place to add sync for upgrading existing clusters or should it live in a standalone playbook?

Testing:

  • Fresh install -- new scopes
  • Existing cluster with old scopes -- sync regenerates
  • Idempotency -- re-running is a no-op
  • Order-insensitive scope match -- no regen
  • Legacy Secret missing the scopes key -- sync handles it
  • Token actually carries the new scopes/permissions

Summary by CodeRabbit

  • New Features

    • Expanded Quay OAuth application scopes to include user administrator and organization administrator permissions.
  • Documentation

    • Introduced new runbook documenting the process for updating Quay OAuth access tokens with verification and validation steps.

Adds user:admin and org:admin to the default scopes.
oauth_setup.yaml now skips org/app creation when
quay-oauth-credentials already exists and only
regenerates the token when scopes drift.
A quay-oauth-sync tag in 06-day2.yaml
covers existing clusters.
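The create / regenerate / no-op decision the description lays out, as an added Python example (not the PR's Ansible code) run over constructed Secret data that mirrors the testing matrix above. The base scope names besides user:admin and org:admin, and the explicit "error" outcome for a Secret that exists but lacks its credential keys, are assumptions.

```python
import base64

# Desired scopes in the space-separated form the playbook compares with .split().
# The page only says user:admin and org:admin were added next to existing
# repository/user read scopes, so the base scope names here are assumed.
DESIRED_SCOPES = "repo:read user:read user:admin org:admin"

def b64(value: str) -> str:
    """Encode a string the way Kubernetes stores Secret .data values."""
    return base64.b64encode(value.encode()).decode()

def decode_field(data: dict, key: str) -> str:
    """Safe lookup: a missing key yields '' instead of raising (the .get() idea)."""
    raw = data.get(key, "")
    return base64.b64decode(raw).decode() if raw else ""

def scopes_drifted(current: str, desired: str) -> bool:
    """Order-insensitive comparison of whitespace-separated scope lists."""
    return sorted(current.split()) != sorted(desired.split())

def plan(secret_data, desired: str = DESIRED_SCOPES) -> str:
    """Decide the sync action for one cluster: 'create', 'regenerate', 'noop' or
    'error'. secret_data is the Secret's .data map, or None if it is absent."""
    if secret_data is None:
        return "create"  # fresh install: create org/app and request a token
    client_id = decode_field(secret_data, "client-id")
    client_secret = decode_field(secret_data, "client-secret")
    if not client_id or not client_secret:
        # Assumed policy: fail loudly. Empty credentials would otherwise be
        # skipped by a `client_id | length > 0` guard and leave no token at all.
        return "error"
    current = decode_field(secret_data, "scopes")  # legacy Secret -> ''
    return "regenerate" if scopes_drifted(current, desired) else "noop"

# Constructed sample Secrets covering the PR's testing matrix.
CREDS = {"client-id": b64("example-id"), "client-secret": b64("example-secret")}
SAMPLES = {
    "fresh": None,
    "old_scopes": {**CREDS, "scopes": b64("repo:read user:read")},
    "reordered": {**CREDS, "scopes": b64("org:admin user:admin user:read repo:read")},
    "legacy_no_scopes": dict(CREDS),
    "broken": {"scopes": b64(DESIRED_SCOPES)},
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:17s} -> {plan(data)}")
```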
@coderabbitai

coderabbitai Bot commented Apr 28, 2026

No actionable comments were generated in the recent review. 🎉

Reviewing files that changed from the base of the PR and between 764f895 and 2f0294d.

📒 Files selected for processing (1)
  • docs/QUAY_OAUTH_TOKEN_REGEN.md
✅ Files skipped from review due to trivial changes (1)
  • docs/QUAY_OAUTH_TOKEN_REGEN.md

Walkthrough

OAuth scopes for Quay are expanded to include user and organization admin permissions. A new documentation file provides a runbook for regenerating Quay OAuth access tokens after scope changes, including prerequisites, script steps, and verification procedures.

Changes

  • OAuth Configuration (defaults/quay_operator.yaml): Updated quayOAuthApp.scopes to add user:admin and org:admin permissions alongside existing repository and user read scopes.
  • Documentation (docs/QUAY_OAUTH_TOKEN_REGEN.md): New runbook documenting the process for regenerating Quay OAuth tokens after scope modifications, including prerequisite tools, token request script, Secret patching steps, and verification commands.


@github-actions github-actions Bot added deployment Deployment-related changes operators Operator installation/config labels Apr 28, 2026
@helsus helsus marked this pull request as ready for review April 28, 2026 11:25

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
playbooks/06-day2.yaml (1)

86-94: Consider making OAuth sync explicitly opt-in for Day-2 runs.

Lines 86-94 add a mutating credential/scope reconciliation step to the default Day-2 flow. Given the blast radius, a standalone playbook (or an extra opt-in var) would make operational intent clearer while keeping --tags quay-oauth-sync for targeted runs.

Reviewing files that changed from the base of the PR and between 992b189 and 764f895.

📒 Files selected for processing (3)
  • defaults/quay_operator.yaml
  • operators/quay-operator/oauth_setup.yaml
  • playbooks/06-day2.yaml

Comment on lines +27 to +33
- name: Reuse credentials from existing Secret
no_log: true
when: quay_oauth_secret_exists
ansible.builtin.set_fact:
quay_oauth_client_id: "{{ r_quay_oauth_secret_existing.resources[0].data['client-id'] | b64decode }}"
quay_oauth_client_secret: "{{ r_quay_oauth_secret_existing.resources[0].data['client-secret'] | b64decode }}"
quay_oauth_current_scopes: "{{ r_quay_oauth_secret_existing.resources[0].data['scopes'] | default('') | b64decode }}"

⚠️ Potential issue | 🟠 Major

Handle incomplete existing OAuth Secrets defensively.

At Line 31 and Line 32, direct key indexing (data['client-id'], data['client-secret']) will fail hard if the Secret exists but is incomplete. This blocks recovery paths during upgrades/drift scenarios.

Suggested hardening
 - name: Reuse credentials from existing Secret
   no_log: true
   when: quay_oauth_secret_exists
   ansible.builtin.set_fact:
-    quay_oauth_client_id: "{{ r_quay_oauth_secret_existing.resources[0].data['client-id'] | b64decode }}"
-    quay_oauth_client_secret: "{{ r_quay_oauth_secret_existing.resources[0].data['client-secret'] | b64decode }}"
-    quay_oauth_current_scopes: "{{ r_quay_oauth_secret_existing.resources[0].data['scopes'] | default('') | b64decode }}"
+    quay_oauth_client_id: "{{ (r_quay_oauth_secret_existing.resources[0].data | default({})).get('client-id', '') | b64decode }}"
+    quay_oauth_client_secret: "{{ (r_quay_oauth_secret_existing.resources[0].data | default({})).get('client-secret', '') | b64decode }}"
+    quay_oauth_current_scopes: "{{ (r_quay_oauth_secret_existing.resources[0].data | default({})).get('scopes', '') | b64decode }}"
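Review bot: the `.get('client-id', '')` and `.get('client-secret', '')` fallbacks in the `+` lines trade a hard failure for empty credentials that flow on silently; with the token task gated on `quay_oauth_client_id | length > 0` (the `when` at lines +163 to +188 below), a Secret that exists but lacks those keys would skip regeneration with no error, which is the opposite of the recovery this hunk is meant to enable. Suggest keeping the safe lookups but following the task with an explicit check, for example an `ansible.builtin.assert` that both decoded values are non-empty whenever `quay_oauth_secret_exists` is true, so the drift path fails loudly and names the incomplete Secret instead of leaving the cluster without a usable token.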

@pgodowski
Contributor

@oourfali @maorfr can you please take a look?
thanks

@maorfr
Collaborator

maorfr commented Apr 28, 2026

/ok-to-test

@maorfr maorfr left a comment


this PR introduces a configuration change together with somewhat of a migration to put it in place.

not sure this is a desired pattern at this point.

i suggest to submit the configuration change only (together with a document perhaps). generally speaking, i think quay-oauth would be a nice plugin (as in, extract this entire functionality to a plugin).

Comment on lines +163 to +188
when:
- quay_oauth_client_id is defined
- quay_oauth_client_id | length > 0
- not quay_oauth_secret_exists or (quay_oauth_current_scopes.split() | sort) != (quayOAuthApp.scopes.split() | sort)
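Review bot: the drift test on the last `when` line regenerates whenever the sorted whitespace-split scope lists differ, which correctly also fires when `quay_oauth_current_scopes` is empty (legacy Secret), but it says nothing about the token being replaced: as the thread below records, the superseded token stays valid in Quay, so the regeneration task should at least emit a debug message (never the token value itself, given `no_log`) stating that a previous token exists and needs manual revocation, so an operator running `--tags quay-oauth-sync` gets a concrete follow-up rather than a silent swap. A comment that `quayOAuthApp.scopes` must be whitespace-separated like the stored value would also help, since a differently delimited list would never compare equal and would trigger regeneration on every run.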
@maorfr (Collaborator):

what happens to current token if scopes have changed?

@helsus (Contributor Author):

It will remain in Quay. I haven't found a reliable way to revoke it via automation, so I'll document how to revoke it manually via UI.

@chunlongliang-ibm

is the oauth token only available to MSP admin users, and NOT accessible to tenant?

@helsus
Contributor Author

helsus commented Apr 29, 2026

> is the oauth token only available to MSP admin users, and NOT accessible to tenant?

Yes, it is only available to MSP admins.

@github-actions github-actions Bot removed the operators Operator installation/config label Apr 29, 2026
@helsus helsus requested a review from maorfr April 29, 2026 07:41
@helsus
Contributor Author

helsus commented Apr 29, 2026

> this PR introduces a configuration change together with somewhat of a migration to put it in place.
>
> not sure this is a desired pattern at this point.
>
> i suggest to submit the configuration change only (together with a document perhaps). generally speaking, i think quay-oauth would be a nice plugin (as in, extract this entire functionality to a plugin).

Good idea. I've updated the PR to include only the config and doc on how to reissue the token on live clusters.

@maorfr maorfr merged commit 7ccadb8 into rh-ecosystem-edge:main Apr 29, 2026
2 checks passed