Revert "Change TPA authentication integration name"

[xinredhat]

Reverts #319

Summary by CodeRabbit

• Bug Fixes
  • Updated authentication integration to reference correct configuration credentials and improved related error messaging.

[qodo-code-review]

Review Summary by Qodo

Revert TPA authentication integration name change

🐞 Bug fix

Walkthroughs

Description

• Reverts integration name from 'tssc-trustificationauth-integration' to
  'tssc-authentication-integration'
• Restores original secret name in Kubernetes client calls
• Updates error message to reflect correct integration name

Diagram

flowchart LR
  A["tssc-trustificationauth-integration<br/>(incorrect)"] -- "revert to" --> B["tssc-authentication-integration<br/>(correct)"]
  C["Error message<br/>with old name"] -- "update" --> D["Error message<br/>with correct name"]

Loading

File Changes

1. src/rhtap/core/integration/authentication/authentication.ts 🐞 Bug fix +2/-2

Revert authentication integration secret name

• Reverted Kubernetes secret name from 'tssc-trustificationauth-integration' to
 'tssc-authentication-integration' in loadSecret() method
• Updated error message to reference the correct integration secret name
• Restores original authentication integration naming convention

src/rhtap/core/integration/authentication/authentication.ts

---

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📎 Requirement gaps (0)

1. Secret rename breaks deployments 🐞 Bug ⛯ Reliability

Description

Authentication now only looks for tssc-authentication-integration; environments still using the
reverted secret name will fail during Authentication.initialize(), which is part of required
service initialization for post-creation commands.

Code

src/rhtap/core/integration/authentication/authentication.ts[33]

+    const secret = await this.kubeClient.getSecret('tssc-authentication-integration', 'tssc');

Evidence

The Authentication integration secret name is hardcoded and used during initialization. BaseCommand
always initializes Authentication as part of required services, so a missing/renamed secret will
fail command execution.

src/rhtap/core/integration/authentication/authentication.ts[32-37]
src/rhtap/postcreation/strategies/commands/baseCommand.ts[48-53]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`Authentication.loadSecret()` is hardcoded to a single secret name. This PR changes that name, which can break any environment that still provisions the previous secret name. Because `Authentication.initialize()` is invoked as part of required service initialization, this failure prevents post-creation workflows.

### Issue Context
The integration secret name is not defined elsewhere in this repo (no manifest/docs), so runtime compatibility depends on cluster provisioning.

### Fix Focus Areas
- src/rhtap/core/integration/authentication/authentication.ts[32-39]

### Implementation direction (one of)
1) **Configurable name**: read secret name from env/config with default `tssc-authentication-integration`.
2) **Fallback**: attempt `tssc-authentication-integration`, and if not found, try the previous name (and log a warning/deprecation). Ensure errors are explicit about which names were tried.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. Unreachable custom not-found error 🐞 Bug ✧ Quality

Description

Authentication.loadSecret() checks if (!secret) and throws a custom message, but
KubeClient.getSecret() throws on retrieval failures (including not-found). This makes the custom
message effectively unreachable and reduces the clarity/consistency of operator-facing errors.

Code

src/rhtap/core/integration/authentication/authentication.ts[R33-37]

+    const secret = await this.kubeClient.getSecret('tssc-authentication-integration', 'tssc');
    if (!secret) {
      throw new Error(
-        'Authentication integration secret tssc-trustificationauth-integration not found in the cluster. Please ensure the secret exists.'
+        'Authentication integration secret tssc-authentication-integration not found in the cluster. Please ensure the secret exists.'
      );

Evidence

KubeClient.getSecret() wraps the Kubernetes call in a try/catch and rethrows, so a missing secret
results in an exception rather than a falsy return. Therefore the if (!secret) branch won’t run
for the common failure mode (secret missing).

src/api/ocp/kubeClient.ts[44-65]
src/rhtap/core/integration/authentication/authentication.ts[32-39]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The intended friendly error message in `Authentication.loadSecret()` is effectively unreachable because `KubeClient.getSecret()` throws on failure instead of returning `null`/`undefined`. This leads to less actionable errors and duplicated error formatting.

### Issue Context
This impacts operator debugging when the secret is missing/misnamed.

### Fix Focus Areas
- src/rhtap/core/integration/authentication/authentication.ts[32-39]
- (optional) src/api/ocp/kubeClient.ts[44-65]

### Implementation direction
- Update `Authentication.loadSecret()` to:
 - `try { return await this.kubeClient.getSecret(...); } catch (e) { throw new Error('Authentication integration secret ... not found/failed to load ...', { cause: e }); }`
- Alternatively, remove the `if (!secret)` block if you decide `getSecret()` is the single source of truth for errors.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more

[coderabbitai]

📝 Walkthrough

Walkthrough

The authentication integration module's secret lookup has been updated to reference 'tssc-authentication-integration' instead of 'tssc-trustificationauth-integration'. The associated error message is updated to reflect this change. Control flow remains identical.

Changes

Cohort / File(s)	Summary
Authentication Secret Configuration src/rhtap/core/integration/authentication/authentication.ts	Updated secret name from 'tssc-trustificationauth-integration' to 'tssc-authentication-integration' with corresponding error message update.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• redhat-appstudio/tssc-test#319: Modifies the same secret name string in the authentication module but reverses the naming direction.

Suggested labels

integration, configuration, security

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: reverting a previous commit that changed the TPA authentication integration name.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch revert-319-change-integration-name

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[qodo-code-review]

1. Secret rename breaks deployments 🐞 Bug ⛯ Reliability

Authentication now only looks for tssc-authentication-integration; environments still using the
reverted secret name will fail during Authentication.initialize(), which is part of required
service initialization for post-creation commands.

Agent Prompt

### Issue description
`Authentication.loadSecret()` is hardcoded to a single secret name. This PR changes that name, which can break any environment that still provisions the previous secret name. Because `Authentication.initialize()` is invoked as part of required service initialization, this failure prevents post-creation workflows.

### Issue Context
The integration secret name is not defined elsewhere in this repo (no manifest/docs), so runtime compatibility depends on cluster provisioning.

### Fix Focus Areas
- src/rhtap/core/integration/authentication/authentication.ts[32-39]

### Implementation direction (one of)
1) **Configurable name**: read secret name from env/config with default `tssc-authentication-integration`.
2) **Fallback**: attempt `tssc-authentication-integration`, and if not found, try the previous name (and log a warning/deprecation). Ensure errors are explicit about which names were tried.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/rhtap/core/integration/authentication/authentication.ts`:
- Around line 33-36: The method currently hardcodes the secret identity string
twice ("tssc-authentication-integration" and "tssc") which risks configuration
drift; extract the secret name and namespace into class-level static constants
(e.g., SECRET_NAME and SECRET_NAMESPACE) and use those constants in the
this.kubeClient.getSecret call and in the thrown Error message via a template
literal so there is a single source of truth; apply the same refactor pattern
for analogous constants in tpa.ts and other integration files for consistency
across the integration module.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b0b897b0-d828-4250-a67b-74d1c8fd6010

📥 Commits

Reviewing files that changed from the base of the PR and between 968f56a and 2be2a94.

📒 Files selected for processing (1)

• src/rhtap/core/integration/authentication/authentication.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, locate and examine the authentication file
find . -name "authentication.ts" -type f | head -20

Repository: redhat-appstudio/tssc-test

Length of output: 131

---

🏁 Script executed:

# Check if the file exists and view the relevant lines
if [ -f "src/rhtap/core/integration/authentication/authentication.ts" ]; then
  echo "=== File found. Showing lines 25-45 for context ==="
  sed -n '25,45p' src/rhtap/core/integration/authentication/authentication.ts
else
  echo "File not found at specified path"
  git ls-files | grep -i authentication | head -20
fi

Repository: redhat-appstudio/tssc-test

Length of output: 858

---

🏁 Script executed:

# Search for secret name references across the repository
echo "=== Searching for tssc-authentication-integration references ==="
rg -n "tssc-authentication-integration" --max-count=50

echo ""
echo "=== Searching for tssc-trustificationauth-integration references ==="
rg -n "tssc-trustificationauth-integration" --max-count=50

Repository: redhat-appstudio/tssc-test

Length of output: 560

---

🏁 Script executed:

# Look for manifest files that might define this secret
echo "=== Searching for secret definitions in manifests ==="
find . -type f \( -name "*.yaml" -o -name "*.yml" -o -name "*.json" \) ! -path "*/node_modules/*" ! -path "*/.git/*" | head -50 | xargs grep -l "tssc-authentication-integration\|authentication-integration" 2>/dev/null | head -20

Repository: redhat-appstudio/tssc-test

Length of output: 123

---

🏁 Script executed:

# Check the tpa.ts file mentioned in the review for comparison
echo "=== Checking similar pattern in tpa.ts ==="
if [ -f "src/rhtap/core/integration/tpa/tpa.ts" ]; then
  sed -n '30,50p' src/rhtap/core/integration/tpa/tpa.ts
fi

Repository: redhat-appstudio/tssc-test

Length of output: 809

---

🏁 Script executed:

# Check for test files that might reference the authentication secret
echo "=== Searching for test files referencing authentication secret ==="
find . -type f \( -name "*.test.ts" -o -name "*.spec.ts" -o -name "*test*.ts" \) ! -path "*/node_modules/*" | xargs grep -l "tssc-authentication-integration\|Authentication" 2>/dev/null | head -20

Repository: redhat-appstudio/tssc-test

Length of output: 199

---

🏁 Script executed:

# Verify the refactor suggestion is syntactically aligned with the file's class structure
echo "=== Checking Authentication class structure ==="
sed -n '1,30p' src/rhtap/core/integration/authentication/authentication.ts

Repository: redhat-appstudio/tssc-test

Length of output: 1155

---

🏁 Script executed:

# Check what the test files actually contain regarding authentication secrets
echo "=== Content of component.test.ts ==="
grep -n -C3 "tssc-authentication-integration\|Authentication.*secret\|getSecret" ./tests/ui/component.test.ts | head -30

echo ""
echo "=== Content of gitopsResource.test.ts ==="
grep -n -C3 "tssc-authentication-integration\|Authentication.*secret\|getSecret" ./tests/ui/gitopsResource.test.ts | head -30

Repository: redhat-appstudio/tssc-test

Length of output: 149

---

🏁 Script executed:

# Also verify this is the correct pattern to follow by checking if there are any constants already defined elsewhere
echo "=== Checking if constants are defined elsewhere in integration classes ==="
rg -n "private static readonly.*=.*'" src/rhtap/core/integration/ | head -20

Repository: redhat-appstudio/tssc-test

Length of output: 298

---

Hoist the authentication secret identity into static constants to eliminate configuration drift risk.

The secret name tssc-authentication-integration appears twice in this method—once in the lookup and again in the error message. Since this PR reverts a prior configuration change, duplicating the literal makes it easy to update one location inconsistently on future changes. Extract both the name and namespace as static constants, and use a template literal in the error message for a single source of truth across the class.

Suggested refactor

export class Authentication implements IntegrationSecret {
  private static instance: Authentication | null = null;
+  private static readonly SECRET_NAME = 'tssc-authentication-integration';
+  private static readonly SECRET_NAMESPACE = 'tssc';
  private readonly logger: Logger;
  private kubeClient: KubeClient;
  private secret: Record<string, string> = {};

  private async loadSecret(): Promise<Record<string, string>> {
-    const secret = await this.kubeClient.getSecret('tssc-authentication-integration', 'tssc');
+    const secret = await this.kubeClient.getSecret(
+      Authentication.SECRET_NAME,
+      Authentication.SECRET_NAMESPACE
+    );
     if (!secret) {
       throw new Error(
-        'Authentication integration secret tssc-authentication-integration not found in the cluster. Please ensure the secret exists.'
+        `Authentication integration secret ${Authentication.SECRET_NAME} not found in the cluster. Please ensure the secret exists.`
       );
     }
     return secret;
   }

The same pattern exists in tpa.ts and other integration files; consider standardizing this across the integration module for consistent configuration management and reduced maintenance burden on future reverts.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const secret = await this.kubeClient.getSecret('tssc-authentication-integration', 'tssc');
	if (!secret) {
	throw new Error(
	'Authentication integration secret tssc-trustificationauth-integration not found in the cluster. Please ensure the secret exists.'
	'Authentication integration secret tssc-authentication-integration not found in the cluster. Please ensure the secret exists.'
	export class Authentication implements IntegrationSecret {
	private static instance: Authentication | null = null;
	private static readonly SECRET_NAME = 'tssc-authentication-integration';
	private static readonly SECRET_NAMESPACE = 'tssc';
	private readonly logger: Logger;
	private kubeClient: KubeClient;
	private secret: Record<string, string> = {};
	private async loadSecret(): Promise<Record<string, string>> {
	const secret = await this.kubeClient.getSecret(
	Authentication.SECRET_NAME,
	Authentication.SECRET_NAMESPACE
	);
	if (!secret) {
	throw new Error(
	`Authentication integration secret ${Authentication.SECRET_NAME} not found in the cluster. Please ensure the secret exists.`
	);
	}
	return secret;
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/rhtap/core/integration/authentication/authentication.ts` around lines 33
- 36, The method currently hardcodes the secret identity string twice
("tssc-authentication-integration" and "tssc") which risks configuration drift;
extract the secret name and namespace into class-level static constants (e.g.,
SECRET_NAME and SECRET_NAMESPACE) and use those constants in the
this.kubeClient.getSecret call and in the thrown Error message via a template
literal so there is a single source of truth; apply the same refactor pattern
for analogous constants in tpa.ts and other integration files for consistency
across the integration module.

[konflux-ci-qe-bot]

@xinredhat: The following test has Failed, say /retest to rerun failed tests.

PipelineRun Name	Status	Rerun command	Build Log	Test Log
e2e-4.20-ph7qr	Failed	/retest	View Pipeline Log	View Test Logs

Inspecting Test Artifacts

To inspect your test artifacts, follow these steps:

1. Install ORAS (see the ORAS installation guide).
2. Download artifacts with the following commands:

mkdir -p oras-artifacts
cd oras-artifacts
oras pull quay.io/konflux-test-storage/rhtap-team/rhtap-cli:e2e-4.20-ph7qr

Test results analysis

<not enabled>

OCI Artifact Browser URL

<not enabled>