
Upgrade TPA, set annotations and small update to TAS #22

Merged: smatula merged 1 commit into redhat-appstudio:main from smatula:tpa_tas_updates on Feb 16, 2026

smatula (Collaborator) commented Feb 13, 2026

Summary by CodeRabbit

Release Notes

  • Bug Fixes

    • Corrected a typo in configuration documentation.
  • Configuration Updates

    • Enhanced security settings for client authentication with SSL/TLS requirements.
    • Updated TPA Helm chart to version 1.2.0.
    • Added TLS termination and SSL redirection configurations for improved secure communications.

coderabbitai (bot) commented Feb 13, 2026

Walkthrough

This pull request includes a typo correction in a comment, updates Keycloak client configuration settings for the trusted-artifact-signer client (making it non-public and requiring external SSL), and bumps the TPA Helm version with additional ingress/route annotations for TLS termination and SSL redirection.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Documentation: app-of-apps/trust-apps.yaml | Corrects comment typo: "Isuer" → "Issuer" in Fulcio config path. |
| Keycloak Configuration: components/trust-apps/keycloak-config/tas_realm.yaml | Updates trusted-artifact-signer client: sets publicClient to false and sslRequired to external for enhanced security configuration. |
| TPA Deployment: components/trust-apps/tpa/tpa-release.yaml | Bumps Helm targetRevision from 1.1.1 to 1.2.0 and adds three ingress annotations for TLS termination, CA certificate policy, and SSL redirection. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Possibly related PRs

  • rhads-services-gitops#20: Directly modifies the same Keycloak realm manifest file (components/trust-apps/keycloak-config/tas_realm.yaml) for trusted-artifact-signer client configuration.

Suggested reviewers

  • rhopp

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main changes: TPA Helm upgrade, annotation additions, and TAS configuration updates. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Merge Conflict Detection | ✅ Passed | ✅ No merge conflicts detected when merging into main |

No actionable comments were generated in the recent review. 🎉

🧹 Recent nitpick comments
components/trust-apps/keycloak-config/tas_realm.yaml (1)

1117-1118: Pre-existing: wildcard redirectUris is overly permissive.

The "*" redirect URI allows any URL as a redirect target, which is an open-redirect risk that could be leveraged for token theft. Now that the client is confidential, the impact is reduced compared to a public client, but it's still best practice to restrict redirect URIs to known endpoints. Consider tightening this in a follow-up.

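
A check for the wildcard `redirectUris` pattern raised in the nitpick above, as an added example that is not part of this PR, the repository, or CodeRabbit's output. It assumes the realm has already been loaded into a dict shaped like a Keycloak realm export; the sample realm, the `example-*` clients, the hostnames and the classification labels are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample shaped like a Keycloak realm export (not the repository's
# tas_realm.yaml). Only clientId, publicClient and redirectUris are modelled.
SAMPLE_REALM = json.loads("""
{"realm": "example-realm", "clients": [
  {"clientId": "trusted-artifact-signer", "publicClient": false,
   "redirectUris": ["*"]},
  {"clientId": "example-console", "publicClient": true,
   "redirectUris": ["https://console.example.test/callback", "http://*"]},
  {"clientId": "example-api", "publicClient": false,
   "redirectUris": ["https://api.example.test/oauth/*", "/*"]}
]}
""")


def classify_redirect_uri(uri):
    """Label one redirectUris entry (the labels are this example's own)."""
    uri = uri.strip()
    if uri == "*":
        return "any"              # every redirect target is accepted
    if not uri.endswith("*"):
        return "exact"
    if uri.startswith("/"):
        return "prefix"           # relative entry, tied to the client's root URL
    parts = urlsplit(uri[:-1])
    # Wildcard right after the scheme or inside the host: the host is not pinned.
    if not parts.netloc or not parts.path:
        return "host-wildcard"
    return "prefix"               # host pinned, only the path tail varies


def audit_realm(realm):
    """Return (clientId, uri, label, is_public) for entries that do not pin a host."""
    findings = []
    for client in realm.get("clients", []):
        for uri in client.get("redirectUris", []):
            label = classify_redirect_uri(uri)
            if label in ("any", "host-wildcard"):
                findings.append((client.get("clientId"), uri, label,
                                 bool(client.get("publicClient"))))
    return findings


if __name__ == "__main__":
    for client_id, uri, label, is_public in audit_realm(SAMPLE_REALM):
        kind = "public" if is_public else "confidential"
        print(f"{client_id} ({kind}): {uri!r} -> {label}")
```

Run against a parsed realm manifest in CI, a non-empty result can fail the build so that a `"*"` entry does not reach a deployed realm unnoticed.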

@smatula smatula merged commit 5fe63e0 into redhat-appstudio:main Feb 16, 2026
2 checks passed