Ensure chains in authservice don't get reordered and cause checksum changes

[brianrexrode]

Environment

Device and OS: Linux x86_64
App version: v0.28.0
Kubernetes distro being used: 1.30.1
Other:

Steps to reproduce

1. Deploy 2 or more missions app that use authservice (via a uds-package for keycloak client and authservice chain creation)
2. Restart the pepr-watcher pod

Expected result

pepr-watcher only updates the authservice-uds secret if something has changed and restart authservice pods accordingly

Actual Result

pepr-watcher may or may not reorder the chains in the authservice-uds secret regardless if any changes were made which causes the watcher to restart the authservice pod(s) for no reason.

This results in any active users being required to generate a new session token.

Visual Proof (screenshots, videos, text, etc)

slack thread here

Severity/Priority

Additional Context

Add any other context or screenshots about the technical debt here.

[rjferguson21]

I believe an easy fix would be to deterministically sort the chains of the authservice config so the checksum was consistent even if the Pepr watcher pod restarted.

See this function -

uds-core/src/pepr/operator/controllers/keycloak/authservice/authservice.ts

Lines 78 to 94 in 2f63db2

	export function buildConfig(config: AuthserviceConfig, event: AuthServiceEvent) {
	let chains: Chain[];
	if (event.action == Action.Add) {
	// Add the new chain to the existing authservice config
	chains = config.chains.filter(chain => chain.name !== event.name);
	chains = chains.concat(buildChain(event));
	} else if (event.action == Action.Remove) {
	// Search in the existing chains for the chain to remove by name
	chains = config.chains.filter(chain => chain.name !== event.name);
	} else {
	throw new Error(`Unhandled Action: ${event.action satisfies never}`);
	}
	// Add the new chains to the existing authservice config
	return { ...config, chains } as AuthserviceConfig;
	}

I frequently use this one liner to take a quick peak at which chains are currently stored in the secret if its helpful -

kubectl get secrets -n authservice authservice-uds -o json | jq -r '.data["config.json"]' | base64 --decode | jq '.chains[].name

[catsby]

I opened #969 which should hopefully address this going forward by sorting the chains when they're added.

[catsby]

Hey @brianrexrode - we recently merged #969 to consistently sort the chains, which should address this issue going forward. Note that updating to the version that eventually contains this fix will still cause the issue as the current sorting of the chains would then be re-done, but after that there shouldn't be an issue. Thanks!