feat: ingress configurations + external secrets

[zachspar]

Background

The chart right now does not support various ingress configurations, like adding hostname and tls. Additionally, when using a gitops pattern, folks need the ability to bring their own secrets as opposed to being rendered on the fly. Namely, AUTH_SECRET and AES_256_KEY should have the option of byos (bring your own secret).

What's Changed?

• additional ingress configurations for hostname and tls
• bring your own secret toggles and tweaks (for secret name + key)
• backward compatibility
• installation notes

Summary by CodeRabbit

• New Features
  • Centralized configurable secret management with optional external sourcing and reuse of existing secrets.
  • Ingress TLS, host, class and annotation handling improved for flexible host/rule rendering.
• Documentation
  • Updated release notes/help to reflect valueFrom secret patterns and secrets reporting.
• Tests
  • Added comprehensive Helm tests for ingress and secrets behaviors.
• Chores
  • Helm chart version bumped.

[coderabbitai]

Warning

Rate limit exceeded

@zachspar has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 2 minutes and 22 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📝 Walkthrough

Walkthrough

Adds conditional valueFrom support and reuse logic for encryption and auth secrets across Helm charts; guards secret creation when external secrets are used; enhances ingress with fqdn extraction, optional TLS/ingressClassName, and updates chart values and version.

Changes

Cohort / File(s)	Summary
Top-level secrets & metadata charts/ctrlplane/values.yaml, charts/ctrlplane/Chart.yaml	Introduce global.secrets (authSecret, encryptionKey) examples supporting valueFrom; add ingress.tls defaults; bump chart version to 0.11.0.
Central ctrlplane secret templates charts/ctrlplane/templates/secrets.yaml, charts/ctrlplane/charts/api/templates/secrets.yaml, charts/ctrlplane/charts/web/templates/secrets.yaml	Guard secret creation when valueFrom is used; lookup existing Secret ($existing) and reuse AUTH_SECRET/AES_256_KEY if present, otherwise generate 64-char values.
Deployments / StatefulSets env wiring charts/ctrlplane/charts/api/templates/deployment.yaml, charts/ctrlplane/charts/pty-proxy/templates/deployment.yaml, charts/ctrlplane/charts/workspace-engine/templates/statefulset.yaml	Conditionally source VARIABLES_AES_256_KEY and AUTH_SECRET from .Values.global.secrets.*.valueFrom when ctrlplane.isValueFrom is true; otherwise keep secretKeyRef fallback to in-chart secrets.
Ingress template & notes/tests charts/ctrlplane/templates/ingress.yaml, charts/ctrlplane/templates/NOTES.txt, charts/ctrlplane/tests/ingress_test.yaml	Add fqdn extraction (strip scheme/trailing slash), optional ingressClassName, conditional TLS block and host rule when fqdn present; update NOTES and add comprehensive ingress tests.
Secrets test coverage charts/ctrlplane/tests/secrets_test.yaml	Add tests covering auto-generation, reuse, suppression when valueFrom is provided, and deployment wiring for both encryptionKey and authSecret.

Sequence Diagram(s)

mermaid
sequenceDiagram
rect rgba(200,200,255,0.5)
participant Helm as Helm renderer
end
rect rgba(200,255,200,0.5)
participant K8s as Kubernetes API
end
rect rgba(255,200,200,0.5)
participant Deploy as Deployment/StatefulSet
end
Helm->>K8s: Evaluate values.yaml (global.secrets)\nRender templates (secrets/ingress/deployments)
alt secrets.valueFrom present
Helm->>K8s: Reference external Secret via valueFrom (no create)
K8s-->>Deploy: Env vars point to external secret (valueFrom)
else no valueFrom
Helm->>K8s: Render Secret resource (generate AES/AUTH if missing)
K8s-->>Deploy: Env vars use secretKeyRef to rendered Secret
end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

• zacharyblasczyk
• adityachoudhari26
• jsbroks

Poem

🐰 I nibbled templates under moonlit gleam,
ValueFrom whisked secrets into a dream.
Hosts and TLS now dance with grace,
Old keys reused, new ones take their place.
Hoppity-hop—charts ready to stream.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat: ingress configurations + external secrets' accurately and concisely summarizes the main changes: adding ingress hostname/TLS support and external secrets management.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (2)

charts/ctrlplane/charts/api/templates/secrets.yaml (1)

1-17: Minor inconsistency with charts/ctrlplane/templates/secrets.yaml.

Two small differences compared to the parent chart's encryption-key secret template:

1. Missing type: Opaque — The parent chart's secrets.yaml includes type: Opaque. While omitting it is functionally equivalent (Kubernetes defaults to Opaque), it's inconsistent.
2. | quote on generated value — The parent chart uses {{ randAlphaNum 64 | b64enc | quote }} while this template (and web/secrets.yaml) omit | quote. Both work, but should be consistent.

Consider aligning both secret templates with the parent chart for maintainability.

Suggested alignment

 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ $secretName }}
   labels:
     {{- include "api.labels" . | nindent 4 }}
+type: Opaque
 data:
 {{- if and $existing (hasKey $existing.data $secretKey) }}
   {{ $secretKey }}: {{ index $existing.data $secretKey }}
 {{- else }}
-  {{ $secretKey }}: {{ randAlphaNum 64 | b64enc }}
+  {{ $secretKey }}: {{ randAlphaNum 64 | b64enc | quote }}
 {{- end }}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/ctrlplane/charts/api/templates/secrets.yaml` around lines 1 - 17, The
Secret template omits the explicit "type: Opaque" and doesn't quote the base64
values, causing inconsistency with the parent chart; update the template that
builds the Secret (the block using $secretName, $secretKey and $existing) to
include a "type: Opaque" field under metadata and apply | quote to the base64
value usages so both branches use {{ index $existing.data $secretKey | quote }}
and {{ randAlphaNum 64 | b64enc | quote }}; make the same change in the sibling
web/secrets.yaml to keep templates consistent.

charts/ctrlplane/templates/ingress.yaml (1)

2-2: Consider also trimming a trailing slash from fqdn.

If a user sets global.fqdn to https://example.com/, the result after trimPrefix would be example.com/, which is not a valid ingress hostname. A defensive trimSuffix "/" would prevent this edge case.

Suggested fix

-{{- $fqdn := .Values.global.fqdn | trimPrefix "https://" | trimPrefix "http://" -}}
+{{- $fqdn := .Values.global.fqdn | trimPrefix "https://" | trimPrefix "http://" | trimSuffix "/" -}}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/ctrlplane/templates/ingress.yaml` at line 2, The fqdn pipeline that
assigns $fqdn currently uses trimPrefix to strip "https://" and "http://" but
doesn't remove a trailing slash, so update the pipeline that defines $fqdn (the
expression setting $fqdn in ingress.yaml) to also trimSuffix "/" (e.g. add |
trimSuffix "/" to the chain) so values like "https://example.com/" become
"example.com" for a valid ingress hostname.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@charts/ctrlplane/charts/web/templates/secrets.yaml`:
- Around line 1-17: The template for authSecret currently defaults $secretName
to include "web.fullname", causing a mismatch with the API chart which uses
"api.fullname"; update the default to use the same identifier as the API chart
(e.g., replace include "web.fullname" with include "api.fullname" or a shared
helper) so that $secretName resolves the same when
.Values.global.secrets.authSecret.secretName is empty; ensure references to
$secretName, authSecret, and the include helper are adjusted consistently so
both charts point to the same secret name.

---

Nitpick comments:
In `@charts/ctrlplane/charts/api/templates/secrets.yaml`:
- Around line 1-17: The Secret template omits the explicit "type: Opaque" and
doesn't quote the base64 values, causing inconsistency with the parent chart;
update the template that builds the Secret (the block using $secretName,
$secretKey and $existing) to include a "type: Opaque" field under metadata and
apply | quote to the base64 value usages so both branches use {{ index
$existing.data $secretKey | quote }} and {{ randAlphaNum 64 | b64enc | quote }};
make the same change in the sibling web/secrets.yaml to keep templates
consistent.

In `@charts/ctrlplane/templates/ingress.yaml`:
- Line 2: The fqdn pipeline that assigns $fqdn currently uses trimPrefix to
strip "https://" and "http://" but doesn't remove a trailing slash, so update
the pipeline that defines $fqdn (the expression setting $fqdn in ingress.yaml)
to also trimSuffix "/" (e.g. add | trimSuffix "/" to the chain) so values like
"https://example.com/" become "example.com" for a valid ingress hostname.

[coderabbitai]

🧹 Nitpick comments (2)

charts/ctrlplane/charts/api/templates/deployment.yaml (2)

52-56: Consider adding | quote to rendered secret name/key values.

If a user-supplied secretName or secretKey value contains YAML-special characters (e.g., :, {), the unquoted output would break YAML parsing. The defaults (printf "%s-encryption-key" .Release.Name and "AES_256_KEY") are safe, but external user values are not guaranteed to be.

🛡️ Proposed fix

-                  name: {{ .Values.global.secrets.encryptionKey.secretName | default (printf "%s-encryption-key" .Release.Name) }}
-                  key: {{ .Values.global.secrets.encryptionKey.secretKey | default "AES_256_KEY" }}
+                  name: {{ .Values.global.secrets.encryptionKey.secretName | default (printf "%s-encryption-key" .Release.Name) | quote }}
+                  key: {{ .Values.global.secrets.encryptionKey.secretKey | default "AES_256_KEY" | quote }}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/ctrlplane/charts/api/templates/deployment.yaml` around lines 52 - 56,
The YAML output for secretKeyRef under the env var VARIABLES_AES_256_KEY can
break if user-supplied .Values.global.secrets.encryptionKey.secretName or
.Values.global.secrets.encryptionKey.secretKey contain YAML-special characters;
update the template so the rendered secret name and key are piped through the
Helm quote function (add | quote) where
.Values.global.secrets.encryptionKey.secretName and
.Values.global.secrets.encryptionKey.secretKey are used (inside the secretKeyRef
block for VARIABLES_AES_256_KEY) to ensure the values are properly quoted in the
generated deployment.yaml.

---

71-75: Same | quote gap as the encryption key block above.

Same reasoning applies: user-supplied authSecret.secretName or authSecret.secretKey values aren't protected against YAML-special characters.

🛡️ Proposed fix

-                  name: {{ .Values.global.secrets.authSecret.secretName | default (include "api.fullname" .) }}
-                  key: {{ .Values.global.secrets.authSecret.secretKey | default "AUTH_SECRET" }}
+                  name: {{ .Values.global.secrets.authSecret.secretName | default (include "api.fullname" .) | quote }}
+                  key: {{ .Values.global.secrets.authSecret.secretKey | default "AUTH_SECRET" | quote }}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/ctrlplane/charts/api/templates/deployment.yaml` around lines 71 - 75,
The AUTH_SECRET env var block uses unquoted Helm template expansions for the
secret name and key (.Values.global.secrets.authSecret.secretName and
.Values.global.secrets.authSecret.secretKey with defaults including (include
"api.fullname" .) and "AUTH_SECRET"); wrap both template expressions with the
Helm | quote function so the rendered YAML escapes any special characters (i.e.,
apply | quote to the name and to the key defaults in the AUTH_SECRET
secretKeyRef).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@charts/ctrlplane/charts/api/templates/deployment.yaml`:
- Around line 52-56: The YAML output for secretKeyRef under the env var
VARIABLES_AES_256_KEY can break if user-supplied
.Values.global.secrets.encryptionKey.secretName or
.Values.global.secrets.encryptionKey.secretKey contain YAML-special characters;
update the template so the rendered secret name and key are piped through the
Helm quote function (add | quote) where
.Values.global.secrets.encryptionKey.secretName and
.Values.global.secrets.encryptionKey.secretKey are used (inside the secretKeyRef
block for VARIABLES_AES_256_KEY) to ensure the values are properly quoted in the
generated deployment.yaml.
- Around line 71-75: The AUTH_SECRET env var block uses unquoted Helm template
expansions for the secret name and key
(.Values.global.secrets.authSecret.secretName and
.Values.global.secrets.authSecret.secretKey with defaults including (include
"api.fullname" .) and "AUTH_SECRET"); wrap both template expressions with the
Helm | quote function so the rendered YAML escapes any special characters (i.e.,
apply | quote to the name and to the key defaults in the AUTH_SECRET
secretKeyRef).

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

charts/ctrlplane/charts/workspace-engine/templates/statefulset.yaml (1)

46-50: ⚠️ Potential issue | 🔴 Critical

AES_256_KEY will reference a non-existent secret when using external secrets — pod crash.

templates/secrets.yaml is now guarded by {{- if not (include "ctrlplane.isValueFrom" .Values.global.secrets.encryptionKey) }}. When an external secret is configured, {{ .Release.Name }}-encryption-key is never created, but this env var still unconditionally references it. The workspace-engine pod will fail to start with an Error: secret "...-encryption-key" not found event.

VARIABLES_AES_256_KEY at lines 74–84 is already guarded correctly; AES_256_KEY needs the same treatment.

🐛 Proposed fix

-            - name: AES_256_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Release.Name }}-encryption-key
-                  key: AES_256_KEY
+            {{- if include "ctrlplane.isValueFrom" .Values.global.secrets.encryptionKey }}
+            - name: AES_256_KEY
+              valueFrom:
+                {{- toYaml .Values.global.secrets.encryptionKey.valueFrom | nindent 16 }}
+            {{- else }}
+            - name: AES_256_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-encryption-key
+                  key: AES_256_KEY
+            {{- end }}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/ctrlplane/charts/workspace-engine/templates/statefulset.yaml` around
lines 46 - 50, The AES_256_KEY env var in workspace-engine statefulset
unconditionally references {{ .Release.Name }}-encryption-key which is not
created when using external secrets; wrap the AES_256_KEY env var block in the
same guard used for templates/secrets.yaml (the conditional that checks include
"ctrlplane.isValueFrom" .Values.global.secrets.encryptionKey) so the AES_256_KEY
entry is only emitted when the chart is creating the secret (mirror the guard
used around VARIABLES_AES_256_KEY).

🧹 Nitpick comments (1)

charts/ctrlplane/tests/secrets_test.yaml (1)

2-6: Missing deployment templates for web and pty-proxy block wiring test coverage.

template: used at the test job level must be included in the suite-level templates: list — omitting charts/web/templates/deployment.yaml and charts/pty-proxy/templates/deployment.yaml makes it impossible to write wiring assertions for those components in this suite.

The PR modifies pty-proxy/templates/deployment.yaml to conditionally source VARIABLES_AES_256_KEY and AUTH_SECRET from external secrets, yet there are zero tests verifying that wiring. The same gap exists for the web deployment's AUTH_SECRET env binding.

🧪 Proposed fix — add the missing templates and representative wiring tests

 templates:
   - templates/secrets.yaml
   - charts/api/templates/secrets.yaml
   - charts/web/templates/secrets.yaml
   - charts/api/templates/deployment.yaml
+  - charts/web/templates/deployment.yaml
+  - charts/pty-proxy/templates/deployment.yaml

Then add test jobs such as:

  - it: points the web at the auto-generated auth secret
    template: charts/web/templates/deployment.yaml
    asserts:
      - contains:
          path: spec.template.spec.containers[0].env
          content:
            name: AUTH_SECRET
            valueFrom:
              secretKeyRef:
                name: ctrlplane-web
                key: AUTH_SECRET
          any: true

  - it: wires the web to an external auth secret via valueFrom
    template: charts/web/templates/deployment.yaml
    set:
      global:
        secrets:
          authSecret:
            valueFrom:
              secretKeyRef:
                name: my-ext-auth
                key: MY_AUTH
    asserts:
      - contains:
          path: spec.template.spec.containers[0].env
          content:
            name: AUTH_SECRET
            valueFrom:
              secretKeyRef:
                name: my-ext-auth
                key: MY_AUTH
          any: true

  - it: points pty-proxy at the auto-generated encryption-key secret
    template: charts/pty-proxy/templates/deployment.yaml
    asserts:
      - contains:
          path: spec.template.spec.containers[0].env
          content:
            name: VARIABLES_AES_256_KEY
            valueFrom:
              secretKeyRef:
                name: ctrlplane-encryption-key
                key: AES_256_KEY
          any: true

  - it: wires pty-proxy to an external encryption key via valueFrom
    template: charts/pty-proxy/templates/deployment.yaml
    set:
      global:
        secrets:
          encryptionKey:
            valueFrom:
              secretKeyRef:
                name: my-ext-aes
                key: MY_AES
    asserts:
      - contains:
          path: spec.template.spec.containers[0].env
          content:
            name: VARIABLES_AES_256_KEY
            valueFrom:
              secretKeyRef:
                name: my-ext-aes
                key: MY_AES
          any: true

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/ctrlplane/tests/secrets_test.yaml` around lines 2 - 6, The suite-level
templates list in charts/ctrlplane/tests/secrets_test.yaml is missing
charts/web/templates/deployment.yaml and
charts/pty-proxy/templates/deployment.yaml, so add those two entries to the
top-level templates: array; then add test jobs that target those templates to
assert the env wiring: for charts/web/templates/deployment.yaml add tests
asserting container env contains name: AUTH_SECRET bound via
valueFrom.secretKeyRef to the auto-generated ctrlplane-web/AUTH_SECRET and a
second test that sets global.secrets.authSecret.valueFrom (e.g., name:
my-ext-auth, key: MY_AUTH) and asserts the ARTIFACT uses that secret; for
charts/pty-proxy/templates/deployment.yaml add tests asserting
VARIABLES_AES_256_KEY is wired to ctrlplane-encryption-key/AES_256_KEY and a
counterpart that sets global.secrets.encryptionKey.valueFrom (e.g.,
my-ext-aes/MY_AES) and asserts the valueFrom binding is used.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@charts/ctrlplane/charts/web/templates/secrets.yaml`:
- Around line 11-15: The AUTH_SECRET generation is inconsistent: when reusing an
existing Secret you assign the base64 value via index $existing.data
"AUTH_SECRET", but the newly-generated branch uses {{ randAlphaNum 64 | b64enc
}} without | quote; update the generated branch to mirror the existing-template
style by piping the b64 output through | quote (i.e., change the randAlphaNum 64
| b64enc branch to include | quote) so both branches produce consistent YAML for
AUTH_SECRET.

In `@charts/ctrlplane/templates/secrets.yaml`:
- Around line 13-16: The AES_256_KEY value paths are inconsistently quoted — the
reuse path uses index $existing.data "AES_256_KEY" without | quote while the
generate path uses randAlphaNum 64 | b64enc | quote; make them consistent by
applying the same quoting style to both branches (either add | quote to the
reuse branch that uses index $existing.data "AES_256_KEY" or remove | quote from
the generate branch), updating the conditional block around AES_256_KEY so both
the reuse and generate expressions use the same pipeline (refer to AES_256_KEY,
index $existing.data "AES_256_KEY", randAlphaNum, b64enc, and quote).

In `@charts/ctrlplane/values.yaml`:
- Around line 131-133: The default of tls.enabled is currently true which can
introduce a spec.tls entry on upgrades for users who only set global.fqdn;
change the default to false so TLS is opt-in: update the tls block in
values.yaml (the tls.enabled key) to false (and keep secretName behavior
unchanged), ensuring existing deployments without a TLS secret won’t get an
unexpected spec.tls on helm upgrade.

---

Outside diff comments:
In `@charts/ctrlplane/charts/workspace-engine/templates/statefulset.yaml`:
- Around line 46-50: The AES_256_KEY env var in workspace-engine statefulset
unconditionally references {{ .Release.Name }}-encryption-key which is not
created when using external secrets; wrap the AES_256_KEY env var block in the
same guard used for templates/secrets.yaml (the conditional that checks include
"ctrlplane.isValueFrom" .Values.global.secrets.encryptionKey) so the AES_256_KEY
entry is only emitted when the chart is creating the secret (mirror the guard
used around VARIABLES_AES_256_KEY).

---

Duplicate comments:
In `@charts/ctrlplane/charts/api/templates/secrets.yaml`:
- Around line 11-15: The AUTH_SECRET block in api/templates/secrets.yaml uses
the same pattern as web/templates/secrets.yaml but the generated or injected
secret value isn't wrapped with | quote; update the template so the branch that
outputs the existing secret (index $existing.data "AUTH_SECRET") and the branch
that generates a new secret (randAlphaNum 64 | b64enc) are both piped to | quote
to match the style in templates/secrets.yaml and avoid YAML parsing issues.

---

Nitpick comments:
In `@charts/ctrlplane/tests/secrets_test.yaml`:
- Around line 2-6: The suite-level templates list in
charts/ctrlplane/tests/secrets_test.yaml is missing
charts/web/templates/deployment.yaml and
charts/pty-proxy/templates/deployment.yaml, so add those two entries to the
top-level templates: array; then add test jobs that target those templates to
assert the env wiring: for charts/web/templates/deployment.yaml add tests
asserting container env contains name: AUTH_SECRET bound via
valueFrom.secretKeyRef to the auto-generated ctrlplane-web/AUTH_SECRET and a
second test that sets global.secrets.authSecret.valueFrom (e.g., name:
my-ext-auth, key: MY_AUTH) and asserts the ARTIFACT uses that secret; for
charts/pty-proxy/templates/deployment.yaml add tests asserting
VARIABLES_AES_256_KEY is wired to ctrlplane-encryption-key/AES_256_KEY and a
counterpart that sets global.secrets.encryptionKey.valueFrom (e.g.,
my-ext-aes/MY_AES) and asserts the valueFrom binding is used.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Secret reuse and generation logic is correct; minor style inconsistency with | quote.

index $existing.data "AUTH_SECRET" correctly returns the already-base64-encoded value from the live Secret, safe to assign directly to data:. The short-circuit and safely handles the nil case when lookup returns nothing (e.g., first install or --dry-run).

Minor: {{ randAlphaNum 64 | b64enc }} (line 14) omits | quote, while charts/ctrlplane/templates/secrets.yaml uses {{ randAlphaNum 64 | b64enc | quote }}. Both produce valid YAML since base64 is YAML-safe, but aligning would improve consistency.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/ctrlplane/charts/web/templates/secrets.yaml` around lines 11 - 15, The
AUTH_SECRET generation is inconsistent: when reusing an existing Secret you
assign the base64 value via index $existing.data "AUTH_SECRET", but the
newly-generated branch uses {{ randAlphaNum 64 | b64enc }} without | quote;
update the generated branch to mirror the existing-template style by piping the
b64 output through | quote (i.e., change the randAlphaNum 64 | b64enc branch to
include | quote) so both branches produce consistent YAML for AUTH_SECRET.