fix: use *bool for RegisterOnFirstLogin to preserve Connect default#91
fix: use *bool for RegisterOnFirstLogin to preserve Connect default#91ian-flores merged 2 commits intomainfrom
Conversation
When the field was bool, the zero value (false) was always written to gcfg as RegisterOnFirstLogin = false, silently overriding Connect's native default of true for all existing OIDC deployments. Changing to *bool means nil is not written to the config, letting Connect use its own default. Users can still explicitly set false to disable the behavior.
|
Claude finished @ian-flores's task —— View job PR Review: fix: use *bool for RegisterOnFirstLogin to preserve Connect default
Review submitted. The
|
There was a problem hiding this comment.
Good fix — the bool → *bool change is the correct approach for preserving Connect's native default. The gcfg reflection-based serializer correctly skips nil pointers (lines 234-243 in connect_config.go), so this works end-to-end. The deepcopy changes are properly generated and the Site → Connect propagation is a clean pointer pass-through.
A few items:
Missing test for explicit false (important)
api/core/v1beta1/connect_config_test.go — There's no test for ptr.To(false). The PR description says "Users who explicitly want to disable the behavior can set registerOnFirstLogin: false", but there's no coverage verifying that ptr.To(false) writes RegisterOnFirstLogin = false to the generated gcfg. This is worth adding since it's the key opt-out path.
Misleading test name
internal/controller/core/site_test.go:1039 — TestSiteReconciler_RegisterOnFirstLoginDefaultFalse now asserts Nil, not False. Consider renaming to TestSiteReconciler_RegisterOnFirstLoginDefaultNil to match the new semantics.
Duplicated nil-guard in controller logic (suggestion)
internal/controller/core/connect.go:271-273 — The c.Spec.RegisterOnFirstLogin != nil && *c.Spec.RegisterOnFirstLogin check is repeated across two branches. Consider:
if regOnFirst := c.Spec.RegisterOnFirstLogin; regOnFirst != nil && *regOnFirst {
if c.Spec.Auth.Type == "" {
l.Info("registerOnFirstLogin is set but no auth type is configured; ...")
} else if c.Spec.Auth.Type != positcov1beta1.AuthTypeOidc {
l.Info("registerOnFirstLogin is set but auth type is not oidc; ...", "authType", c.Spec.Auth.Type)
}
}This avoids evaluating the nil check twice and makes intent clearer.
Checklist (API changes)
- New field has sensible default (nil = omit → Connect uses its own default)
-
omitemptytag present on JSON serialization - DeepCopy generated correctly for pointer field
- Config flows from Site → Product correctly (line 149 in
site_controller_connect.go)
Checklist (Controller changes)
- Reconciliation remains idempotent
- Unit tests exist for set/unset/ignored-auth scenarios
- Missing: test for explicit
falsevalue
- Add test for ptr.To(false) to cover the explicit opt-out path - Rename TestSiteReconciler_RegisterOnFirstLoginDefaultFalse to ...DefaultNil to match the actual assertion semantics - Deduplicate nil-guard in controller warning logic using a local var
stevenolen
left a comment
There was a problem hiding this comment.
thanks @ian-flores! lgtm.
@statik -- i think your pr in #87 was only intended to set this value as false for a small set of environments, rather than all, right?
|
@stevenolen @ian-flores thanks for fixing! yes, it was intending to preserve the product default :( |
## [1.11.1](v1.11.0...v1.11.1) (2026-02-19) ### Bug Fixes * use *bool for RegisterOnFirstLogin to preserve Connect default ([#91](#91)) ([ba13701](ba13701))
Summary
RegisterOnFirstLogin booldefaulted tofalse, causing the zero value to always be written asRegisterOnFirstLogin = falsein the generated gcfgtruefor all existing OIDC deployments*boolacrossConnectOAuth2Config,ConnectSpec, andInternalConnectSpecso thatnil(unset) produces no entry in the config, letting Connect use its own defaultregisterOnFirstLogin: falseTest plan
TestConnectConfig_RegisterOnFirstLogin— verifiesptr.To(true)writes the value; nil omits it entirelyTestSiteReconciler_RegisterOnFirstLoginPropagation— verifies explicit true propagates through Site → ConnectTestSiteReconciler_RegisterOnFirstLoginDefaultFalse— verifies unset field stays nil (not false)