Skip to content

feat: ingress configurations + external secrets #35

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jsbroks merged 7 commits into from
Feb 17, 2026
Merged

feat: ingress configurations + external secrets #35

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
e457d21
feat: ingress configurations + external secrets
zachspar Feb 17, 2026
41c265f
chore: bump minor version
zachspar Feb 17, 2026
50fcedd
Merge branch 'main' into spar/feat/ingress-and-secrets
zachspar Feb 17, 2026
f6332ba
chore: align with patterns + incorporate suggestions
zachspar Feb 17, 2026
0c5828f
chore: add ingress + secret unit tests
zachspar Feb 17, 2026
8634d74
chore: apply suggestions from code review
zachspar Feb 17, 2026
03c6298
Merge branch 'main' into spar/feat/ingress-and-secrets
zachspar Feb 17, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion charts/ctrlplane/Chart.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: ctrlplane
description: Ctrlplane Helm chart for Kubernetes
type: application
version: 0.10.2
version: 0.11.0
appVersion: "1.0.0"

maintainers:
Expand Down
12 changes: 12 additions & 0 deletions charts/ctrlplane/charts/api/templates/deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,11 +49,17 @@ spec:
- name: WORKSPACE_ENGINE_ROUTER_URL
value: http://{{ .Release.Name }}-workspace-engine-router.{{ .Release.Namespace }}.svc.cluster.local:9090

{{- if include "ctrlplane.isValueFrom" .Values.global.secrets.encryptionKey }}
- name: VARIABLES_AES_256_KEY
valueFrom:
{{- toYaml .Values.global.secrets.encryptionKey.valueFrom | nindent 16 }}
{{- else }}
- name: VARIABLES_AES_256_KEY
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-encryption-key
key: AES_256_KEY
{{- end }}

# Auth providers with valueFrom support
{{- include "ctrlplane.authProviderEnvVars" . | nindent 12 }}
Expand All @@ -68,11 +74,17 @@ spec:
- name: KAFKA_BROKERS
value: {{ .Values.global.kafka.brokers | quote }}

{{- if include "ctrlplane.isValueFrom" .Values.global.secrets.authSecret }}
- name: AUTH_SECRET
valueFrom:
{{- toYaml .Values.global.secrets.authSecret.valueFrom | nindent 16 }}
{{- else }}
- name: AUTH_SECRET
valueFrom:
secretKeyRef:
name: {{ include "api.fullname" . }}
key: AUTH_SECRET
{{- end }}

- name: GITHUB_URL
value: {{ include "ctrlplane.githubUrl" . }}
Expand Down
12 changes: 7 additions & 5 deletions charts/ctrlplane/charts/api/templates/secrets.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,14 +1,16 @@
{{- $secretName := (include "api.fullname" .) }}
{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }}
{{- if not (include "ctrlplane.isValueFrom" .Values.global.secrets.authSecret) }}
{{- $secretName := (include "api.fullname" .) }}
{{- $existing := (lookup "v1" "Secret" .Release.Namespace $secretName) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
labels:
{{- include "api.labels" . | nindent 4 }}
data:
{{- if $secret }}
AUTH_SECRET: {{ $secret.data.AUTH_SECRET }}
{{- if and $existing (hasKey $existing.data "AUTH_SECRET") }}
AUTH_SECRET: {{ index $existing.data "AUTH_SECRET" }}
{{- else }}
AUTH_SECRET: {{ randAlphaNum 64 | b64enc }}
{{- end }}
{{- end }}
{{- end }}
6 changes: 6 additions & 0 deletions charts/ctrlplane/charts/pty-proxy/templates/deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,11 +56,17 @@ spec:
port: http
env:
{{- include "ctrlplane.postgresqlEnvVars" . | nindent 12 }}
{{- if include "ctrlplane.isValueFrom" .Values.global.secrets.encryptionKey }}
- name: VARIABLES_AES_256_KEY
valueFrom:
{{- toYaml .Values.global.secrets.encryptionKey.valueFrom | nindent 16 }}
{{- else }}
- name: VARIABLES_AES_256_KEY
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-encryption-key
key: AES_256_KEY
{{- end }}
{{- include "ctrlplane.extraEnv" . | nindent 12 }}
{{- include "ctrlplane.extraEnvFrom" (dict "root" $ "local" .) | nindent 12 }}
resources:
Expand Down
12 changes: 7 additions & 5 deletions charts/ctrlplane/charts/web/templates/secrets.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,14 +1,16 @@
{{- $secretName := (include "web.fullname" .) }}
{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }}
{{- if not (include "ctrlplane.isValueFrom" .Values.global.secrets.authSecret) }}
{{- $secretName := (include "web.fullname" .) }}
{{- $existing := (lookup "v1" "Secret" .Release.Namespace $secretName) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
labels:
{{- include "web.labels" . | nindent 4 }}
data:
{{- if $secret }}
AUTH_SECRET: {{ $secret.data.AUTH_SECRET }}
{{- if and $existing (hasKey $existing.data "AUTH_SECRET") }}
AUTH_SECRET: {{ index $existing.data "AUTH_SECRET" }}
{{- else }}
AUTH_SECRET: {{ randAlphaNum 64 | b64enc }}
{{- end }}
{{- end }}
Comment on lines 11 to 15
Copy link

@coderabbitai coderabbitai bot Feb 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Secret reuse and generation logic is correct; minor style inconsistency with | quote.

index $existing.data "AUTH_SECRET" correctly returns the already-base64-encoded value from the live Secret, safe to assign directly to data:. The short-circuit and safely handles the nil case when lookup returns nothing (e.g., first install or --dry-run).

Minor: {{ randAlphaNum 64 | b64enc }} (line 14) omits | quote, while charts/ctrlplane/templates/secrets.yaml uses {{ randAlphaNum 64 | b64enc | quote }}. Both produce valid YAML since base64 is YAML-safe, but aligning would improve consistency.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@charts/ctrlplane/charts/web/templates/secrets.yaml` around lines 11 - 15, The
AUTH_SECRET generation is inconsistent: when reusing an existing Secret you
assign the base64 value via index $existing.data "AUTH_SECRET", but the
newly-generated branch uses {{ randAlphaNum 64 | b64enc }} without | quote;
update the generated branch to mirror the existing-template style by piping the
b64 output through | quote (i.e., change the randAlphaNum 64 | b64enc branch to
include | quote) so both branches produce consistent YAML for AUTH_SECRET.

{{- end }}
12 changes: 12 additions & 0 deletions charts/ctrlplane/charts/workspace-engine/templates/statefulset.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,11 +43,17 @@ spec:
containerPort: 8081
protocol: TCP
env:
{{- if include "ctrlplane.isValueFrom" .Values.global.secrets.encryptionKey }}
- name: AES_256_KEY
valueFrom:
{{- toYaml .Values.global.secrets.encryptionKey.valueFrom | nindent 16 }}
{{- else }}
- name: AES_256_KEY
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-encryption-key
key: AES_256_KEY
{{- end }}
- name: KAFKA_BROKERS
value: {{ .Values.global.kafka.brokers | quote }}
- name: KAFKA_GROUP_ID
Expand All @@ -71,11 +77,17 @@ spec:

{{- include "ctrlplane.postgresqlEnvVars" . | nindent 12 }}
{{- include "ctrlplane.githubBotEnvVars" . | nindent 12 }}
{{- if include "ctrlplane.isValueFrom" .Values.global.secrets.encryptionKey }}
- name: VARIABLES_AES_256_KEY
valueFrom:
{{- toYaml .Values.global.secrets.encryptionKey.valueFrom | nindent 16 }}
{{- else }}
- name: VARIABLES_AES_256_KEY
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-encryption-key
key: AES_256_KEY
{{- end }}
{{- include "ctrlplane.extraEnv" . | nindent 12 }}
{{- include "ctrlplane.extraEnvFrom" (dict "root" $ "local" .) | nindent 12 }}
resources:
Expand Down
54 changes: 39 additions & 15 deletions charts/ctrlplane/templates/NOTES.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,11 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.create }}
{{- range $host := .Values.ingress.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
{{- end }}
{{- $fqdn := .Values.global.fqdn | trimPrefix "https://" | trimPrefix "http://" | trimSuffix "/" }}
{{- if $fqdn }}
http{{ if .Values.ingress.tls.enabled }}s{{ end }}://{{ $fqdn }}
{{- else }}
Ingress is enabled but no host is configured (global.fqdn is empty).
Access the service via the ingress IP or configure global.fqdn.
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "ctrlplane.fullname" . }})
Expand All @@ -30,6 +32,18 @@
⚠ Password configured directly in values (less secure for production)
{{- end }}

Secrets:
{{- if include "ctrlplane.isValueFrom" .Values.global.secrets.encryptionKey }}
✓ Encryption key (AES_256_KEY) configured via secret reference
{{- else }}
⚠ Encryption key auto-generated by chart (consider using ExternalSecrets for production)
{{- end }}
{{- if include "ctrlplane.isValueFrom" .Values.global.secrets.authSecret }}
✓ Auth secret configured via secret reference
{{- else }}
⚠ Auth secret auto-generated by chart (consider using ExternalSecrets for production)
{{- end }}

Auth Providers:
{{- if include "ctrlplane.isValueFrom" .Values.global.authProviders.google.clientSecret }}
✓ Google OAuth configured via secret reference
Expand Down Expand Up @@ -58,20 +72,30 @@

3. Using valueFrom pattern for secrets:

Instead of:
postgresql:
password: "my-secret-password"
Instead of auto-generated secrets:
global:
secrets:
authSecret: ""
encryptionKey: ""

Use:
postgresql:
password:
valueFrom:
secretKeyRef:
name: "postgresql-secret"
key: "password"
Reference externally managed secrets:
global:
secrets:
authSecret:
valueFrom:
secretKeyRef:
name: "my-auth-secret"
key: "AUTH_SECRET"
encryptionKey:
valueFrom:
secretKeyRef:
name: "my-encryption-secret"
key: "AES_256_KEY"

This pattern works for all sensitive configuration values including:
- Encryption key (AES_256_KEY)
- Auth secret (AUTH_SECRET)
- PostgreSQL password
- OAuth client secrets (Google, Okta)
- GitHub bot credentials
- Azure app credentials
- Azure app credentials
33 changes: 23 additions & 10 deletions charts/ctrlplane/templates/ingress.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,39 +1,52 @@
{{- if .Values.ingress.create }}
{{- $fqdn := .Values.global.fqdn | trimPrefix "https://" | trimPrefix "http://" | trimSuffix "/" -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "ctrlplane.fullname" . }}
labels:
{{- if .Values.ingress.labels -}}
{{- toYaml .Values.ingress.labels | nindent 4 }}
{{- include "ctrlplane.labels" . | nindent 4 }}
{{- with .Values.ingress.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.ingress.annotations }}
annotations:
{{- if .Values.ingress.annotations -}}
{{- toYaml .Values.ingress.annotations | nindent 4 }}
{{- end }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.class }}
ingressClassName: {{ .Values.ingress.class }}
{{- end }}
{{- if and $fqdn .Values.ingress.tls.enabled }}
tls:
- hosts:
- {{ $fqdn }}
secretName: {{ .Values.ingress.tls.secretName | default (printf "%s-tls" (include "ctrlplane.fullname" .)) }}
{{- end }}
defaultBackend:
service:
name: {{ .Release.Name }}-webservice
name: {{ .Release.Name }}-web
port:
number: 3000
rules:
- http:
- {{- if $fqdn }}
host: {{ $fqdn }}
{{- end }}
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: {{ .Release.Name }}-web
port:
port:
number: 3000
- pathType: Prefix
path: /api
backend:
service:
name: {{ .Release.Name }}-api
port:
port:
number: 8081
- pathType: Prefix
path: /api/v1/resources/proxy
Expand All @@ -42,4 +55,4 @@ spec:
name: {{ .Release.Name }}-pty-proxy
port:
number: 4000
{{- end }}
{{- end }}
10 changes: 6 additions & 4 deletions charts/ctrlplane/templates/secrets.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
{{- if not (include "ctrlplane.isValueFrom" .Values.global.secrets.encryptionKey) }}
---
{{- $secretName := (printf "%s-encryption-key" .Release.Name) }}
{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }}
{{- $existing := (lookup "v1" "Secret" .Release.Namespace $secretName) }}
apiVersion: v1
kind: Secret
metadata:
Expand All @@ -9,8 +10,9 @@ metadata:
{{- include "ctrlplane.labels" . | nindent 4 }}
type: Opaque
data:
{{- if $secret }}
AES_256_KEY: {{ $secret.data.AES_256_KEY }}
{{- if and $existing (hasKey $existing.data "AES_256_KEY") }}
AES_256_KEY: {{ index $existing.data "AES_256_KEY" }}
{{- else }}
AES_256_KEY: {{ randAlphaNum 64 | b64enc | quote }}
AES_256_KEY: {{ randAlphaNum 64 | b64enc }}
{{- end }}
{{- end }}
Loading