From 1e2432ee8124b87f3d5e6a1ce6e444f3efdc3417 Mon Sep 17 00:00:00 2001
From: Vincent Moudy
Date: Fri, 6 Feb 2026 10:52:03 -0800
Subject: [PATCH 1/5] Move the cookieSigningKey to a secret
---
 charts/kellnr/templates/_helpers.tpl | 4 ++--
 charts/kellnr/templates/config.yaml | 4 ----
 charts/kellnr/templates/deployment.yaml | 5 +++++
 charts/kellnr/templates/secret-config.yaml | 6 ------
 charts/kellnr/templates/secret-cookie.yml | 9 +++++++++
 charts/kellnr/values.yaml | 9 +++++++--
 6 files changed, 23 insertions(+), 14 deletions(-)
 create mode 100644 charts/kellnr/templates/secret-cookie.yml
diff --git a/charts/kellnr/templates/_helpers.tpl b/charts/kellnr/templates/_helpers.tpl
index 4dd3368..7d6b3f8 100644
--- a/charts/kellnr/templates/_helpers.tpl
+++ b/charts/kellnr/templates/_helpers.tpl
@@ -80,10 +80,10 @@ Cookie signing key used by Kellnr.
 Note: Helm templates don't have a "bytes" unit here; we can only validate string length.
 */}}
 {{- define "kellnr.cookieSigningKey" -}}
-{{- $key := default "" .Values.kellnr.registry.cookieSigningKey -}}
+{{- $key := default "" .Values.kellnr.registry.cookieSecret.cookieSigningKey -}}
 {{- if ne $key "" -}}
 {{- if lt (len $key) 64 -}}
- {{- fail "kellnr.registry.cookieSigningKey must be at least 64 characters" -}}
+ {{- fail "kellnr.registry.cookieSecret.cookieSigningKey must be at least 64 characters" -}}
 {{- end -}}
 {{- $key -}}
 {{- else -}}
diff --git a/charts/kellnr/templates/config.yaml b/charts/kellnr/templates/config.yaml
index 243cce8..77e5bbd 100644
--- a/charts/kellnr/templates/config.yaml
+++ b/charts/kellnr/templates/config.yaml
@@ -17,11 +17,7 @@ data:
 KELLNR_REGISTRY__TOKEN_CACHE_MAX_CAPACITY: {{ .Values.kellnr.registry.token.cache.maxCapacity | quote }}
 KELLNR_REGISTRY__TOKEN_DB_RETRY_COUNT: {{ .Values.kellnr.registry.token.db.retryCount | quote }}
 KELLNR_REGISTRY__TOKEN_DB_RETRY_DELAY_MS: {{ .Values.kellnr.registry.token.db.retryDelayMs | quote }}
-{{- if .Values.kellnr.registry.cookieSigningKey }}
- KELLNR_REGISTRY__COOKIE_SIGNING_KEY: {{ .Values.kellnr.registry.cookieSigningKey | quote }}
-{{- end }}
 {{- if .Values.kellnr.registry.requiredCrateFields }} - KELLNR_REGISTRY__REQUIRED_CRATE_FIELDS: {{ .Values.kellnr.registry.requiredCrateFields | quote }}
 {{- end }}
 KELLNR_REGISTRY__NEW_CRATES_RESTRICTED: {{ .Values.kellnr.registry.newCratesRestricted | quote }}
diff --git a/charts/kellnr/templates/deployment.yaml b/charts/kellnr/templates/deployment.yaml
index c358edf..19512e9 100644
--- a/charts/kellnr/templates/deployment.yaml
+++ b/charts/kellnr/templates/deployment.yaml
@@ -82,6 +82,11 @@ spec:
 valueFrom:
 secretKeyRef: {{ toYaml .Values.kellnr.postgres.pwdSecretRef | nindent 16 }}
 {{- end }}
+ {{- if .Values.kellnr.registry.cookieSecret.enabled }}
+ - name: KELLNR_REGISTRY__COOKIE_SECRET
+ valueFrom:
+ secretKeyRef: {{ toYaml .Values.kellnr.registry.cookieSecret.cookieSecretRef | nindent 16 }}
+ {{- end }}
 envFrom:
 {{- if .Values.secret.enabled }}
 - secretRef:
diff --git a/charts/kellnr/templates/secret-config.yaml b/charts/kellnr/templates/secret-config.yaml
index 15e2fa6..65bff9f 100644
--- a/charts/kellnr/templates/secret-config.yaml
+++ b/charts/kellnr/templates/secret-config.yaml
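Review bot: The fourth deletion in this hunk, rendered here as `- KELLNR_REGISTRY__REQUIRED_CRATE_FIELDS: {{ .Values.kellnr.registry.requiredCrateFields | quote }}`, is ambiguous in the collapsed form: it reads either as a removed blank line followed by the unchanged setting, or as removal of the setting itself. In the second reading the `{{- if .Values.kellnr.registry.requiredCrateFields }}` block becomes empty and the ConfigMap silently stops exporting that variable, which the commit message (cookie signing key only) does not cover. Please confirm the deleted line is only the blank one; if so this hunk is a plain cleanup.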
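Review bot: The added env var is named `KELLNR_REGISTRY__COOKIE_SECRET`, while every line this series removes (config.yaml, secret-config.yaml, and `kellnr.envVars` in patch 5/5) exported the key as `KELLNR_REGISTRY__COOKIE_SIGNING_KEY`. Unless Kellnr also reads the `COOKIE_SECRET` name — nothing in the series shows that — the key stored in the new Secret is never consumed and the application runs as if no signing key were configured, a silent session-integrity regression rather than a render error. Suggest `- name: KELLNR_REGISTRY__COOKIE_SIGNING_KEY` here and in the identical hunk of patch 5/5 (deployment.yaml `@@ -90,6 +90,11 @@`), or a comment naming the Kellnr setting the new name maps to. The env list this hunk extends starts outside the hunk.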
@@ -18,12 +18,6 @@ stringData:
 KELLNR_REGISTRY__TOKEN_CACHE_MAX_CAPACITY: {{ .Values.kellnr.registry.token.cache.maxCapacity | quote }}
 KELLNR_REGISTRY__TOKEN_DB_RETRY_COUNT: {{ .Values.kellnr.registry.token.db.retryCount | quote }}
 KELLNR_REGISTRY__TOKEN_DB_RETRY_DELAY_MS: {{ .Values.kellnr.registry.token.db.retryDelayMs | quote }}
-{{- $cookieKey := include "kellnr.cookieSigningKey" . -}}
-{{- if ne $cookieKey "" }}
- KELLNR_REGISTRY__COOKIE_SIGNING_KEY: {{ $cookieKey | quote }}
-{{- end }}
-
-
 KELLNR_DOCS__ENABLED: {{ .Values.kellnr.docs.enabled | quote }}
 KELLNR_DOCS__MAX_SIZE: {{ .Values.kellnr.docs.maxSize | quote }}
 KELLNR_PROXY__ENABLED: {{ .Values.kellnr.proxy.enabled | quote }}
diff --git a/charts/kellnr/templates/secret-cookie.yml b/charts/kellnr/templates/secret-cookie.yml
new file mode 100644
index 0000000..49a7a08
--- /dev/null
+++ b/charts/kellnr/templates/secret-cookie.yml
@@ -0,0 +1,9 @@
+{{- $cookieKey := include "kellnr.cookieSigningKey" . -}}
+{{ if and .Values.kellnr.registry.cookieSecret.enabled (not (empty $cookieKey)) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.kellnr.registry.cookieSecret.cookieSecretRef.name }}
+stringData:
+ {{ .Values.kellnr.registry.cookieSecret.cookieSecretRef.key }}: {{ $cookieKey | quote }}
+{{- end }}
diff --git a/charts/kellnr/values.yaml b/charts/kellnr/values.yaml
index 71f0436..4fb527e 100644
--- a/charts/kellnr/values.yaml
+++ b/charts/kellnr/values.yaml
@@ -88,8 +88,13 @@ kellnr:
 # Used to sign the session cookie. Must be at least 64 bytes.
 # If empty, a random 64-byte value is generated by the chart (when `secret.enabled: true`).
- # When `secret.enabled: false`, you should set this to a fixed value.
- cookieSigningKey: ""
+ # When `secret.enabled: false`, set cookieSecret.enable to true and set cookieSecret.cookieSigningKey to a fixed value.
+ cookieSecret:
+ enabled: false
+ cookieSigningKey: ""
+ cookieSecretRef:
+ name: kellnr-cookie-secret
+ key: cookieSigningKey
 docs:
 enabled: false
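Review bot: The Secret is emitted only when `cookieSecret.enabled` is true and the helper returns a non-empty key, but deployment.yaml references `cookieSecretRef` on `cookieSecret.enabled` alone, so an enabled-but-empty configuration leaves the pod pointing at a Secret that is never created (the `else` branch of `kellnr.cookieSigningKey` is outside this series, so I cannot tell whether it always yields a value). Gate both sites on the same condition, e.g. have the deployment test `{{- if and .Values.kellnr.registry.cookieSecret.enabled (ne (include "kellnr.cookieSigningKey" .) "") }}`, or drop the `not (empty $cookieKey)` clause here and let the helper fail instead. Two smaller consistency points: the sibling secret-config.yaml declares `type: Opaque` and this Secret does not, and `metadata.name` is taken verbatim from values with no release-name scoping, so two releases in one namespace would contend for `kellnr-cookie-secret`.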
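Review bot: The new comment refers to `cookieSecret.enable`, but the key added two lines below is `cookieSecret.enabled`; a user following the comment will set a key the chart never reads, and because the `enabled: false` default silently discards any `cookieSigningKey` value, nothing warns them. The preceding context comment is also stale now: it still says the random key is generated "when `secret.enabled: true`", whereas secret-cookie.yml is gated on `cookieSecret.enabled` and the key is no longer written into the config Secret at all. Suggested replacement for the three comment lines: `# Signing key for the session cookie; must be at least 64 bytes.`, `# Set cookieSecret.enabled: true to have the chart create the Secret named by cookieSecretRef;`, `# if cookieSigningKey is empty the chart generates a random 64-byte value.` Consider also making `kellnr.cookieSigningKey` fail when a key is set while `cookieSecret.enabled` is false, so the misconfiguration is caught at render time.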
From 118d2c93045f10500968ebe2c3c97bd6df6bd0cc Mon Sep 17 00:00:00 2001
From: Vincent Moudy
Date: Fri, 6 Feb 2026 10:54:08 -0800
Subject: [PATCH 2/5] bump chart version
---
 charts/kellnr/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/kellnr/Chart.yaml b/charts/kellnr/Chart.yaml
index a20b007..6654b1d 100644
--- a/charts/kellnr/Chart.yaml
+++ b/charts/kellnr/Chart.yaml
@@ -13,7 +13,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 5.0.0-rc.1
+version: 5.1.0-rc.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
From f1dae2c36819a56e8179e6b3fac2537f422d3921 Mon Sep 17 00:00:00 2001
From: Vincent Moudy
Date: Thu, 12 Feb 2026 09:07:15 -0800
Subject: [PATCH 3/5] consistent file naming
---
 charts/kellnr/templates/{secret-cookie.yml => secret-cookie.yaml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename charts/kellnr/templates/{secret-cookie.yml => secret-cookie.yaml} (100%)
diff --git a/charts/kellnr/templates/secret-cookie.yml b/charts/kellnr/templates/secret-cookie.yaml
similarity index 100%
rename from charts/kellnr/templates/secret-cookie.yml
rename to charts/kellnr/templates/secret-cookie.yaml
From 255ee0f48075a6a579a430f7ef09594c80d46413 Mon Sep 17 00:00:00 2001
From: Vincent Moudy
Date: Thu, 19 Feb 2026 15:16:09 -0800
Subject: [PATCH 4/5] remove newlines
---
 charts/kellnr/templates/config.yaml | 2 +-
 charts/kellnr/templates/secret-config.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/kellnr/templates/config.yaml b/charts/kellnr/templates/config.yaml
index ef2f5a5..132386c 100644
--- a/charts/kellnr/templates/config.yaml
+++ b/charts/kellnr/templates/config.yaml
@@ -3,4 +3,4 @@ kind: ConfigMap
 metadata:
 name: {{ .Values.configMap.name | quote }}
 data:
-{{- include "kellnr.envVars" . | nindent 2 }}
+{{- include "kellnr.envVars" . | nindent 2 }}
\ No newline at end of file
diff --git a/charts/kellnr/templates/secret-config.yaml b/charts/kellnr/templates/secret-config.yaml
index 0d8cfd3..caffcae 100644
--- a/charts/kellnr/templates/secret-config.yaml
+++ b/charts/kellnr/templates/secret-config.yaml
@@ -6,4 +6,4 @@ metadata:
 type: Opaque
 stringData:
 {{- include "kellnr.envVars" . | nindent 2 }}
-{{- end }}
+{{- end }}
\ No newline at end of file
From 62f596c0afd6353c7eae4db5b3240573901a6682 Mon Sep 17 00:00:00 2001
From: Vincent Moudy
Date: Wed, 25 Feb 2026 14:12:49 -0800
Subject: [PATCH 5/5] fix add cookie secret in deployment
---
 charts/kellnr/templates/_helpers.tpl | 4 ----
 charts/kellnr/templates/deployment.yaml | 5 +++++
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/charts/kellnr/templates/_helpers.tpl b/charts/kellnr/templates/_helpers.tpl
index 072d2ac..5b8239b 100644
--- a/charts/kellnr/templates/_helpers.tpl
+++ b/charts/kellnr/templates/_helpers.tpl
@@ -139,10 +139,6 @@ KELLNR_REGISTRY__TOKEN_DB_RETRY_COUNT: {{ .Values.kellnr.registry.token.db.retry
 {{ if not (eq .Values.kellnr.registry.token.db.retryDelayMs nil) }}
 KELLNR_REGISTRY__TOKEN_DB_RETRY_DELAY_MS: {{ .Values.kellnr.registry.token.db.retryDelayMs | quote }}
 {{ end }}
-{{ $cookieKey := include "kellnr.cookieSigningKey" . }}
-{{ if ne $cookieKey "" }}
-KELLNR_REGISTRY__COOKIE_SIGNING_KEY: {{ $cookieKey | quote }}
-{{ end }}
 {{ if .Values.kellnr.registry.requiredCrateFields }}
 KELLNR_REGISTRY__REQUIRED_CRATE_FIELDS: {{ .Values.kellnr.registry.requiredCrateFields | quote }}
 {{ end }}
diff --git a/charts/kellnr/templates/deployment.yaml b/charts/kellnr/templates/deployment.yaml
index 3e37772..574f64c 100644
--- a/charts/kellnr/templates/deployment.yaml
+++ b/charts/kellnr/templates/deployment.yaml
@@ -90,6 +90,11 @@ spec:
 valueFrom:
 secretKeyRef: {{ toYaml .Values.kellnr.postgres.pwdSecretRef | nindent 16 }}
 {{- end }}
+ {{- if .Values.kellnr.registry.cookieSecret.enabled }}
+ - name: KELLNR_REGISTRY__COOKIE_SECRET
+ valueFrom:
+ secretKeyRef: {{ toYaml .Values.kellnr.registry.cookieSecret.cookieSecretRef | nindent 16 }}
+ {{- end }}
 {{- if and .Values.kellnr.oauth2.enabled .Values.kellnr.oauth2.clientSecretRef.name }}
 - name: KELLNR_OAUTH2__CLIENT_SECRET
 valueFrom: