feat: add PPM OIDC/SSO web UI configuration

[ian-flores]

Description

Enable OIDC authentication for the Package Manager web UI. Adds first-class OIDC configuration types and full typed coverage of all PPM authentication config fields from the PPM configuration reference.

When auth.type: oidc is set on the Site's packageManager spec, the operator automatically configures the [OpenIDConnect] and [Authentication] gcfg sections and mounts the OIDC client secret from the vault.

Issue

• PTDC-224: Configure SSO (OIDC) for Package Manager web UI

Follow-up

Connect/Workbench authenticated repos via Identity Federation is in #114.

Code Flow

Key Components

1. PPM Authentication Config Types (package_manager_config.go): New PackageManagerAuthenticationConfig and PackageManagerOIDCConfig structs with full field coverage from the PPM configuration reference. Extended GenerateGcfg() to emit [Authentication] and [OpenIDConnect] sections.

2. OIDC Client Secret Mount (packagemanager_types.go): Mounts the OIDC client secret at /etc/rstudio-pm/oidc-client-secret via SecretProviderClass (AWS) or K8s Secret volume (K8s).

3. Site Controller Propagation (site_controller_package_manager.go): Propagates OIDC config from Site spec to PackageManager, setting ClientSecretFile, Issuer, ClientId, RequireLogin, and Scope.

4. SecretProviderClass (package_manager.go): Adds OIDC client secret to the SecretProviderClass when OIDCClientSecretKey is configured.

SiteSpec Example

spec:
  packageManager:
    auth:
      type: oidc
      clientId: "ppm-client-id"
      issuer: "https://login.example.com"
    oidcClientSecretKey: "ppm-oidc-client-secret"

Testing

Tested end-to-end on ganso01-staging (main site) with adhoc image adhoc-ppm-auth-repos-v1.16.1-15-gedc6aaa.

Setup

• Keycloak: Created posit realm with ppm client (confidential, authorization code grant type)
• OIDC client secret: Stored in AWS Secrets Manager, mounted to PPM at /etc/rstudio-pm/oidc-client-secret

Results

Test	Status
PPM gcfg renders [OpenIDConnect] section with ClientSecretFile	✅
PPM gcfg renders [Authentication] section	✅
PPM OIDC web login redirects to Keycloak (/__login__ → 302 to Keycloak auth endpoint)	✅
OIDC client secret mounted at /etc/rstudio-pm/oidc-client-secret	✅

Note on repo authentication

PPM's OIDC redirect only activates when repos are configured as "Authenticated". The [OpenIDConnect] section enables the OIDC provider, but individual repos must be marked as authenticated (via rspm edit repo --name=<repo> --authenticated or creating repos with --authenticated flag). This is expected PPM behavior — unauthenticated repos remain accessible without login.

Category of change

• New feature (non-breaking change which adds functionality)

Checklist

• I have run just test and all tests pass
• I have reviewed my own diff and added inline comments on lines I want reviewers to focus on or that I am uncertain about

[claude]

Claude finished @ian-flores's task —— View job

---

Review: feat: add PPM authenticated repos via Identity Federation

• Read review guidelines
• Analyze PR diff and changed files
• Review API types and CRD changes
• Review controller logic
• Review PPM config generation
• Review tests
• Submit review

---

Overall

Well-structured feature. The separation of concerns (shared helpers in ppm_auth.go, product integration in connect.go/workbench.go, site-level orchestration in site_controller*.go) follows existing patterns. The token exchange flow via init container + sidecar is a solid approach.

Below are findings organized by severity.

---

Critical: Audience mismatch between projected SA token and Identity Federation config

internal/controller/core/ppm_auth.go:170 — The projected SA token uses audience = ppmURL (e.g., https://ppm.example.com).

internal/controller/core/site_controller_package_manager.go:139-141 — The IdentityFederation entry uses site.Spec.OIDCAudience (defaulting to "sts.amazonaws.com").

These must match for the token exchange to succeed. If the PPM-side IdentityFederation.Audience is "sts.amazonaws.com" but the projected token's aud claim is "https://ppm.example.com", PPM will reject the token. Either:

• Pass the OIDC audience through to PPMAuthVolumes() instead of using the PPM URL, or
• Document explicitly why these are intentionally different values and explain how the PPM token endpoint resolves this.

---

Important: Shell script installs packages at runtime

internal/controller/core/ppm_auth.go:36 — apk add --no-cache curl jq runs on every container start.

1. Air-gapped environments: This will always fail if the Alpine mirror is unreachable.
2. Supply chain risk: Pulls unsigned packages at runtime on each pod start.
3. Startup latency: Adds network dependency to pod initialization.

Consider using a Posit-owned image with curl and jq pre-installed as the default. The PPMAuthImage override field is already there, so this is mainly about a better default. At minimum, document this requirement.

---

Important: Sidecar exits on transient token refresh failure

internal/controller/core/ppm_auth.go:74-79 — The script uses set -e, so if exchange_token fails during a sidecar refresh cycle (e.g., PPM temporarily unavailable), the entire sidecar dies. The token will expire and auth will break with no recovery.

Consider:

if [ "${MODE}" = "sidecar" ]; then
    while true; do
        sleep "$REFRESH_INTERVAL"
        exchange_token || echo "WARNING: token refresh failed, will retry" >&2
    done
fi

---

Important: Connect sets AutomountServiceAccountToken: false

internal/controller/core/connect.go:653 — Connect explicitly sets AutomountServiceAccountToken: ptr.To(false). The PPM auth flow uses a projected SA token volume (not the default automounted one), so this should still work. However, if the projected volume projection depends on the SA token being available at the kubelet level, verify this works correctly in testing. Workbench sets it to true (line 815), so there's no issue there.

---

Important: PPM URL computed without https:// prefix in site controller

internal/controller/core/site_controller_connect.go:159 and site_controller_workbench.go:261 — PPMUrl is set to prefixDomain(...) which returns a bare domain like ppm.example.com (no scheme). This gets passed to SanitizePPMUrl() in the product reconcilers which prepends https://. This works but is fragile — the PPM URL meaning shifts between layers. Consider adding the scheme at the site controller level for clarity.

---

Suggestion: Remove committed .claude/tsc-cache/ files

.claude/tsc-cache/3a39c930-cf12-4be4-a2f2-eae1467b53c6/ — These are local roborev tool artifacts (the edited-files.log contains macOS temp paths). They should be removed from this PR and .claude/tsc-cache/ added to .gitignore.

---

Suggestion: Unused constant

internal/controller/core/ppm_auth.go:20 — ppmAuthCurlrcPath is defined but never referenced in Go code (the shell script uses its own CURLRC_PATH variable). Remove to avoid confusion.

---

Suggestion: Default audience assumption

internal/controller/core/site_controller_package_manager.go:141 — Defaulting audience to "sts.amazonaws.com" is AWS-specific. The field comment mentions AKS, but the default is EKS-only. Consider requiring this field when AuthenticatedRepos is enabled instead of silently defaulting to an AWS value.

---

API Checklist

• Kubebuilder annotations present (+optional)
• New fields have sensible defaults (booleans default to false, strings to empty)
• No validation rules for PPMUrl or OIDCIssuerURL — consider adding URL format validation
• Non-breaking (additive only)

Controller Checklist

• Reconciliation is idempotent (ConfigMap uses CreateOrUpdate, cleanup handles NotFound)
• Error handling reports status
• Config flows from Site → Product correctly
• Unit tests for ppm_auth.go helpers and package_manager_config.go
• No integration/controller tests for the end-to-end auth flow (ConfigMap creation, product reconciliation with AuthenticatedRepos=true)

Helm Chart

• CRDs are up to date (both config/crd and dist/chart match)

[claude]

Review posted via comment due to tool permissions. See the Claude comment on this PR for detailed feedback.

[ian-flores]

This pattern is where I'd like more input on the review

[stevenolen]

This is a pretty big PR. Looking at the parts that relate to PTDC-224, that looks pretty standard/good. Is it possible to put a separate PR for that piece in first and then follow up with some discussion on connect+workbench integration to focus our discussion on the pros/cons of that part?

[ian-flores]

Done! I've split this PR to only contain the OIDC/SSO web UI config (PTDC-224). The Connect/Workbench authenticated repos piece is now in #114 as a separate draft PR — happy to discuss the approach there.

[stevenolen]

This is a pretty interesting idea overall. Do you have any suggestions or paths for RStudio or Positron desktop user support with oidc+package manager (and do you think the magic-ness of relegates those users in desktop environments?

I'd also be super curious for some input from @jstruzik + team on the use of this pattern for integrating ppm oidc with workbench and connect. is this a direction that feels natural and worth of documentation outside of team-operator-land? do you have a preferred means of integration on the way that we should maybe make use of instead?

[ian-flores]

Do you have any suggestions or paths for RStudio or Positron desktop user support with oidc+package manager (and do you think the magic-ness of relegates those users in desktop environments?

Team Operator users won't have that problem though...

I'd also be super curious for some input from @jstruzik + team on the use of this pattern for integrating ppm oidc with workbench and connect. is this a direction that feels natural and worth of documentation outside of team-operator-land? do you have a preferred means of integration on the way that we should maybe make use of instead?

I think this is for PR #114?